docs: add Cloudflare Zero Trust documentation for self-hosted instances

[ezkemboi]

Summary

This PR adds Zero Trust access documentation for self-hosters who need to expose Open Chat Studio — including webhook endpoints for WhatsApp, Telegram, Slack, and Twilio — without opening inbound ports on their server. No application code changes.

Changes

Added docs/concepts/zero_trust_access.md with:

• Vendor-neutral overview of the Zero Trust tunnel pattern
• When to use it vs. a standard reverse proxy
• Supported provider comparison table (Cloudflare implemented; Tailscale, ngrok, frp noted)
• Webhook path requirements that must bypass Access policies
• Maintenance warning prompting developers to update the list when new channels are added

Added docs/how-to/cloudflare_tunnel.md with:

• Step-by-step Cloudflare Tunnel setup: tunnel creation, docker-compose.cloudflare.yml override, Django settings
• Access policy configuration (Allow + Bypass policies) with policy order warning
• WARP device enrolment and posture rules
• Mermaid diagrams for webhook integration flow and full WARP Zero Trust trust chain
• Troubleshooting and upgrade procedure

Added docs/how-to/zero_trust_admin.md with:

• Ongoing administration guide for NGO administrators
• Adding and removing users (device serial → posture rule → Access policy)
• Device replacement workflow and lost/stolen device response
• Session duration settings with WARP/app session ordering warning
• Reading Access and Gateway audit logs, Logpush export
• Common situations: can't connect checklist, tunnel down, OTP not arriving
• Quick reference table for all admin tasks

Updated mkdocs.yml:

• zero_trust_access.md placed under Concepts
• cloudflare_tunnel.md and zero_trust_admin.md placed under How-to Guides
• No Self-Hosting section added

Background

The existing docs had no guidance for self-hosters who need remote team access without a public IP or open firewall ports. This PR fills that gap with a three-document set: a conceptual overview, a developer setup guide, and an admin operations guide targeting NGO administrators managing day-to-day access.

Review Notes

• docker-compose.cloudflare.yml is strictly opt-in; the main stack is unchanged
• Bypass policies are marked required with an explicit policy order warning
• The admin guide is intentionally non-technical — written for NGO staff, not DevOps

[lisa-jwayela]

@ezkemboi can you move these tech docs to the "Tech Hub" section ?

This is where articles that engineers will refer to and it keeps them separate from OCS users who will not need to understand self hosting.

Simon and I discussed and came up with this structure for the menus - dimagi/open-chat-studio#3010 (comment)

https://github.com/dimagi/open-chat-studio-docs/blob/main/docs/tech-hub/index.md

Let me know if you have concerns or questions

[ezkemboi]

@lisa-jwayela should I move these into dimagi/open-chat-studio#3190?

Or move to
https://github.com/dimagi/open-chat-studio-docs/tree/main/docs/tech-hub

cc. @snopoke

[ezkemboi]

@lisa-jwayela I have been able to get the answer, I will leave this inside this repo, but move into the Tech Hub section.
Well noted and thank you for review.

[snopoke]

@ezkemboi this seems to overlap with the docs in dimagi/open-chat-studio#3190. I haven't fully reviewed either but in general I think the self hosting docs should be in the developer docs (https://developers.openchatstudio.com/hosting/). It's fine to mention it here but we probably just want a single page about self hosting that points to the other docs.

@lisa-jwayela what do you think?

[ezkemboi]

@snopoke I agree with that feedback. It makes sense to keep the self-hosting documentation in a single place (the Developer Docs) and reference it from here.

I’ll take some time to review both areas of change and share my thoughts and any suggestions afterward.

cc. @lisa-jwayela

[ezkemboi]

@lisa-jwayela and @snopoke , I have moved the technical and administrative reference to developer docs.
I only have reference here

[snopoke]

Thanks for the changes. Let's make this even more generic and just link to the main 'hosting' page in the dev docs: https://developers.openchatstudio.com/hosting/

didn't mean to approve