---
id: surface.infotech.ops-bridge.tunnel-config
name: ops-bridge SSH tunnel configuration
kind: infra-state
summary: Declares the reverse SSH tunnels (local/remote port maps) that expose State Hub and MCP services to remote machines.
owner: ops-bridge
status: active
scope:
  allowed_layers: [company, environment, installation]
  default_layer: installation
mutability: deploy-time
security_class: operational
schema:
  type: object
  validator: ~/ops-bridge/schemas/tunnel.schema.yaml
sources:
  - repo: ops-bridge
    path: config/tunnels.yaml
    role: installation-overlay
relations:
  consumed_by:
    - service.ops-bridge
  overrides: []
  depends_on_secret:
    - ops-bridge/ssh-cert
  related_to:
    - surface.infotech.state-hub.api-config
evidence:
  last_seen: '2026-06-26'
  discovery_method: manual
  change_log_ref: ATLAS-WP-0002-T03
---

# ops-bridge SSH tunnel configuration

ops-bridge maintains reverse SSH tunnels that expose the State Hub API and MCP endpoints to remote machines (the remote port map: State Hub API `:18000`, MCP `:18001`). This surface maps that tunnel configuration as **infra-state**.

- **Source of truth:** the `ops-bridge` repo tunnel config; SSH certs are a secret reference (`depends_on_secret`), signed by ops-warden, never stored here.
- **Relation:** exposes `surface.infotech.state-hub.api-config` to remote workers.
- **Mutability:** deploy-time — tunnel changes are brought up via `bridge up`.