diff --git a/docs/presentations/2026-06-28-tappaas-vps-publishing.md b/docs/presentations/2026-06-28-tappaas-vps-publishing.md
index b4eaa8c..776dac5 100644
--- a/docs/presentations/2026-06-28-tappaas-vps-publishing.md
+++ b/docs/presentations/2026-06-28-tappaas-vps-publishing.md
@@ -6,12 +6,20 @@ paginate: true
---
# Routing TaPPaaS through the VPS
@@ -120,17 +128,24 @@ After this, **new services need zero VPS change** — exposure is decided at Cad
---
-## Phasing — five verifiable steps
+## Phasing — VPS edge (steps 1–3)
-1. **Tunnel** — FLOSSFirewall up as `wg1` peer; ping `10.13.0.1 ↔ 10.13.0.9`.
+1. **Tunnel** — FLOSSFirewall up as `wg1` peer; ping
+ `10.13.0.1 ↔ 10.13.0.9`.
2. **Caddy backend** — from the VPS,
- `curl -H 'Host: .tappaas.makerfloss.eu' http://10.13.0.9:80`.
+ `curl -H 'Host: …tappaas…' 10.13.0.9:80`.
3. **VPS edge** — add cert + route + DNS; off-site
- `curl https://.tappaas.makerfloss.eu` with a valid cert.
-4. **Internal DNS** — add `*.tappaas` override; a cluster node resolves to
- Caddy's local IP and gets Caddy's own cert.
-5. **(Later)** makerspace LAN view — conditional-forward + firewall pinhole on
- the OrangeMakers router.
+ `curl https://.tappaas.makerfloss.eu` returns a valid cert.
+
+---
+
+## Phasing — internal & later (steps 4–5)
+
+4. **Internal DNS** — add the `*.tappaas` override on the FLOSSFirewall; a
+ cluster node resolves to Caddy's local IP and gets Caddy's own cert (no
+ VPS round-trip).
+5. **(Later)** makerspace LAN view — conditional-forward + firewall pinhole
+ on the OrangeMakers router.
---
@@ -167,4 +182,3 @@ After this, **new services need zero VPS change** — exposure is decided at Cad
and execute phases 1–4.
_Design: `MakerFLOSS_Troubleshooting/docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md`_
-