Standalone plan for the TaPPaaS operator's Claude Code: WireGuard client
(peer 10.13.0.9, split-tunnel), Caddy plain-HTTP backend on 10.13.0.9:80,
firewall lock to 10.13.0.1, internal split-horizon DNS. Bakes in the
verified VPS-side contract (hub endpoint/pubkey, preserved Host, *.tappaas
wildcard, public DNS) and the key-exchange handshake. Flags the internal-TLS
decision (internal CA vs Gandi DNS-01 vs no internal TLS).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>