diff --git a/Agents.md b/Agents.md index e6937b5..b28e814 100644 --- a/Agents.md +++ b/Agents.md @@ -154,6 +154,15 @@ Push to main → Argo CD syncs within ~30 seconds. | PyPI registry | https://pypi.neuralplatform.ai | devpi | | Docker Registry | https://registry.neuralplatform.ai | Push images here | | Registry UI | https://docker.neuralplatform.ai | Docker registry browser | +| Headscale VPN | https://vpn.neuralplatform.ai | Tailscale control plane (direct TLS, not CF-proxied) | +| Grafana | https://grafana.neuralplatform.ai | Metrics + logs dashboards | +| Prometheus | https://prometheus.neuralplatform.ai | Metrics (kube-prometheus-stack) | +| Alertmanager | https://alertmanager.neuralplatform.ai | Alert routing → Slack | +| Alloy | — | OTLP ingest for Loki/Tempo (internal only) | + +### VPN (Headscale / Tailscale) + +Headscale runs at `vpn.neuralplatform.ai` (DNS-only, no CF proxy — required for Tailscale TS2021 WebSocket upgrades). Magic DNS base domain: `ts.neuralplatform.ai`. DNS resolvers: `192.168.68.77` (AdGuard) + `1.1.1.1`. ### NodePort services (direct to Legion IP) @@ -181,9 +190,19 @@ kubectl get pods -A kubectl logs -n neuron deployment/neuron ``` -### Gitea API +### Gitea CLI (tea) -CF Access blocks direct calls from Mac. Always use Legion cluster IP via SSH: +Use `tea` (installed on both Mac and Legion, default login: `neuralplatform`): + +```bash +tea repo ls # list repos +tea pr ls --repo will/infrastructure +tea issue ls --repo neural-platform/neuron +``` + +### Gitea API (direct) + +CF Access blocks direct calls from Mac. Use `tea` or SSH to Legion: ```bash TOKEN=$(vault kv get -field=api_token secret/gitea) 
@@ -228,18 +247,19 @@ Runner labels: `self-hosted,linux,x64,legion` | Namespace | What | |-----------|------| -| `dns` | AdGuard | +| `dns` | AdGuard (DNS + ad-blocking, port 53) | | `git` | Gitea | | `neuron` | Neuron + cloudflared | -| `ollama` | Ollama | -| `ci` | GitHub runner | -| `packages` | Verdaccio + devpi | +| `ollama` | Ollama (GPU inference) | +| `ci` | GitHub Actions runner | +| `packages` | Verdaccio (npm) + devpi (PyPI) | | `registry` | Docker registry + UI | | `platform` | Postgres, Redis | -| `monitoring` | Prometheus, Grafana, Loki, Tempo, Alloy | +| `monitoring` | kube-prometheus-stack (Prometheus, Grafana, Alertmanager) + Loki + Tempo + Alloy | +| `headscale` | Headscale VPN control plane | | `vault` | HashiCorp Vault | | `argocd` | Argo CD | -| `cert-manager` | cert-manager | +| `cert-manager` | cert-manager (Let's Encrypt via HTTP-01) | ---
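Review bot: In the first hunk (`@@ -154,6 +154,15 @@`), the new Grafana, Prometheus and Alertmanager rows list `https://` hostnames without saying what authenticates access to them, while the Alloy row is explicitly marked "internal only". Prometheus and Alertmanager have no authentication enabled by default, so each row should state whether the service sits behind CF Access, is reachable only over the Headscale tailnet, or is open. The new VPN section documents `vpn.neuralplatform.ai` as DNS-only with no CF proxy, so it is exposed without CF in front; add a line on how node registration is controlled. It also lists `192.168.68.77` as a resolver, which is a private address, so say how tailnet clients outside the LAN are expected to reach it.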
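Review bot: In the second hunk (`@@ -181,9 +190,19 @@`), the new "Gitea CLI (tea)" section says `tea` is installed on the Mac, but the "Gitea API (direct)" section right below it still says CF Access blocks direct calls from the Mac, and `tea` is itself an API client. State which Gitea URL the `neuralplatform` login is configured against on each machine, so it is clear why `tea` works where a direct API call does not. The section also does not say where that login's token comes from or what scope it has, whereas the API example reads its token with `vault kv get -field=api_token secret/gitea`; document the same for `tea`.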
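Review bot: In the third hunk (`@@ -228,18 +247,19 @@`), the `cert-manager` row now says "Let's Encrypt via HTTP-01", which requires every certified hostname to answer the challenge on port 80 from the public Internet. The services table in this patch mixes CF-proxied hostnames with a direct one (`vpn.neuralplatform.ai`), so note which ingress path serves the challenge in each case. The `dns` row adds "port 53" without saying whether AdGuard listens on the LAN only; add that scope, since a resolver reachable from outside is a different exposure from a LAN-only one.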