# SOP — "Zee Ops Terminal": cloud VM as your always-on Claude Code host

**Generated:** Thursday, June 25, 2026 · ~2:40 PM EDT (NY) · 📈 MIS session
**Tightened** per Z's-world governance review. **One runbook · one tmux session · one owner.**
**Goal:** a ~$5–12/mo box running Claude Code 24/7, reachable from phone/laptop anywhere, your home PC **off**. Reversible.
**Scope:** brain host ONLY. Cannot see home cameras (LAN devices → separate home-box job). Does NOT absorb the MIS data pipeline until the acceptance test passes.

---

## ⚖️ GOVERNANCE GUARDRAILS (read before executing — these are the point)
| Risk | Guardrail |
|---|---|
| Claude gets too much access | Repo **read/write only**. **No production deploys. No secret edits.** |
| Push freeze violated | VM may inspect/build/test but **commit-LOCAL only — NO push to master** while the master→ops-api clobber is unfixed. The VM is not a freeze-bypass. |
| Becomes a "pet server" | One runbook, one tmux session, one owner. **Delete if unused after 7 days.** |
| Secrets leak/drift | Never store raw secret VALUES in git or chat. Names in config, values in the provider's secret store. |
| Scope creep | Host only. No MIS pipeline / no new lanes until the 10-point test passes. |
| Recovery | **Snapshot the VM after a clean setup** so a rebuild is one click. |

---

## Time: ~45–90 min, one-time. YOU = account/payment/logins; rest = copy-paste.

## Step 1 — Provider + plan *(YOU, ~5 min)*
- **Hetzner (best value).** Pick by SPEC, not SKU name (Hetzner refreshed pricing Jun 15 2026 and CX22 vs CX23 is in flux): the **~2 vCPU / 4 GB shared-x86 plan, ~€4/mo**. Headroom → **CX32 (4 vCPU / 8 GB, ~€6.80)**.
  - 💶→💵 **Why euros:** Hetzner is a German company, so it *quotes* EUR — but it bills your US card fine (auto-converts; ~€4 ≈ ~$4.50) and runs **US data centers (Ashburn VA, Hillsboro OR)**, so no latency hit for a US user.
- **USD-native alternatives (if you'd rather not see euros at all):** **DigitalOcean — $12/mo (2 GB)** or **Vultr — ~$6/mo (1–2 GB)**, both priced in dollars. Use either if Hetzner signup/UI is friction — execution reliability beats saving a few dollars.

## Step 2 — Create the server *(YOU, ~3 min)*
- Image **Ubuntu 24.04 LTS** → the plan above → add your SSH key if you have one. Copy the public IP.

## Step 3 — First login + a non-root sudo user *(copy-paste)*
```bash
ssh root@SERVER_IP
adduser sam                      # set a password
usermod -aG sudo sam
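# (optional) copy your SSH key to the new user, then use 'sam' from here on
# (skip these two lines if you added no key in Step 2; /root/.ssh/authorized_keys will not exist)
install -d -m 700 -o sam -g sam /home/sam/.ssh
install -m 600 -o sam -g sam /root/.ssh/authorized_keys /home/sam/.ssh/authorized_keys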
su - sam
```

## Step 4 — Secure remote access (Tailscale) + runtime *(copy-paste; one YOU step)*
```bash
sudo apt update && sudo apt -y upgrade
sudo apt -y install curl git tmux

# Tailscale — private encrypted reach, NO public SSH port needed
curl -fsSL https://tailscale.com/install.sh | sudo sh
sudo tailscale up                # << YOU: open the printed URL, log in, approve this device
tailscale ip -4                  # note the 100.x.y.z — that's how you reach the box

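# (lock the door) deny inbound except over the tailnet.
# The deny default is set explicitly so the result does not depend on ufw's shipped defaults.
# After this, NEW ssh connections to the public IP are refused: keep this session open
# until `ssh sam@100.x.y.z` works from a tailnet device (Step 6).
sudo apt -y install ufw && sudo ufw default deny incoming && sudo ufw allow in on tailscale0 && sudo ufw --force enable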

# Node LTS + Claude Code
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
sudo apt -y install nodejs
sudo npm install -g @anthropic-ai/claude-code   # if it errors, check the current install cmd in the Claude Code docs
```

## Step 5 — Claude Code in a session that survives disconnect *(copy-paste + YOU login)*
```bash
tmux new -s zee                  # the one session
claude                           # << YOU: complete the login
# detach: Ctrl-b then d   ·   reattach later: tmux attach -t zee
```

## Step 6 — Reach it from your phone/laptop *(YOU, ~5 min)*
- Install the **Tailscale app** on phone + laptop, same login.
- From a laptop: `ssh sam@100.x.y.z` → `tmux attach -t zee`. Same feel as now, machine always on.

## Step 7 — Snapshot + done *(YOU, ~2 min)*
- In the provider dashboard, **take a snapshot** ("zee-clean-base"). Then **stop** — no expansion until acceptance passes.

---

## ✅ VM ACCEPTANCE TEST (all 10 must pass — else it's "set up," not "done")
1. Ubuntu 24.04 VM created.
2. Non-root sudo user created.
3. Tailscale connected + device approved.
4. No public SSH dependency (reachable over tailnet; inbound locked via ufw).
5. Node installed.
6. Claude Code installed + logged in.
7. Claude Code runs inside tmux.
8. Disconnect/reconnect from phone/laptop → the session survives.
9. No production deploys performed.
10. No production secret edits performed.

**+ snapshot taken. Kill switch: delete the VM if unused after 7 days.**
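
Item 4 can be checked mechanically instead of by eye. The following is an added example, not part of the original SOP: a POSIX shell function (the name `check_ufw_tailnet_only` is hypothetical) that reads `ufw status verbose` output and passes only when ufw is active, the default incoming policy is deny, and every inbound allow rule is bound to `tailscale0`. Both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original SOP): acceptance item 4 as a check.
# Reads `ufw status verbose` text on stdin. Succeeds only when ufw is active,
# the default incoming policy is deny/reject, and every inbound allow rule is
# bound to the tailnet interface (default: tailscale0).
check_ufw_tailnet_only() (
  iface="${1:-tailscale0}"; active=0; deny=0; tailrule=0; bad=0
  while IFS= read -r line; do
    case "$line" in
      "Status: active"*) active=1 ;;
      "Default: deny (incoming)"*|"Default: reject (incoming)"*) deny=1 ;;
      *"ALLOW IN"*|*"LIMIT IN"*)
        # keep only the "To" column (everything before the action keyword)
        to="${line%%"ALLOW IN"*}"; to="${to%%"LIMIT IN"*}"
        case "$to" in
          *" on $iface "*) tailrule=1 ;;
          *) echo "FAIL: inbound rule not bound to $iface: $line"; bad=1 ;;
        esac ;;
    esac
  done
  [ "$active" -eq 1 ]   || { echo "FAIL: ufw is not active"; bad=1; }
  [ "$deny" -eq 1 ]     || { echo "FAIL: default incoming policy is not deny"; bad=1; }
  [ "$tailrule" -eq 1 ] || { echo "FAIL: no allow rule on $iface"; bad=1; }
  [ "$bad" -eq 0 ] && echo "PASS: inbound limited to $iface"
  [ "$bad" -eq 0 ]
)

# Constructed sample: the state Step 4's ufw commands are meant to produce.
sample_locked() { cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: a leftover public SSH rule, which must fail the check.
sample_public_ssh() { sample_locked; echo "22/tcp                     ALLOW IN    Anywhere"; }

sample_locked | check_ufw_tailnet_only
sample_public_ssh | check_ufw_tailnet_only || true
# On the VM itself: sudo ufw status verbose | check_ufw_tailnet_only
```

The check is deliberately strict: an allow rule scoped by source address rather than by interface also fails, because the SOP's rule is "allow in on tailscale0" and nothing else.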

## Kill / cost
- ~€4 (Hetzner) to $12 (DO)/mo, billed for time used. Delete in the dashboard → billing stops.

## Out of scope (on purpose)
- Cameras (LAN → home box). MIS data pipeline (lives on Cloudflare; folds in later, only after this passes).

*Source trail: 📈 MIS session 2026-06-25, tightened per Z's-world. Local file, NOT pushed (push freeze). `outputs/2026-06-25_sop_cloud-vm-claude-host.md`. SKU note: Hetzner pricing refreshed 2026-06-15; verify the exact plan label at signup, pick by spec (~2vCPU/4GB ~€4).*
