diff --git a/CLAUDE.md b/CLAUDE.md index 07381ce..213c3a4 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -72,7 +72,10 @@ export TALOSCONFIG=./talos/talosconfig - **Namespace race condition**: First `kubectl apply` of a new app often fails because namespace isn't ready. Re-apply once. - **Traefik DaemonSet updates**: Requires `updateStrategy.rollingUpdate.maxSurge: 0` because hostPort conflicts prevent surge. - **Forgejo Ingress API version**: Chart renders `extensions/v1beta1`, fixed via `ytt/ingress-fix.ytt.yaml` overlay to `networking.k8s.io/v1`. -- **ArgoCD Phase 3**: Repo not yet pushed to Forgejo, ArgoCD not yet wired. +- **ArgoCD**: Fully wired to Forgejo via App of Apps. Root Application in `default` project syncs `rendered/argocd/production/`. Deploy key provisioned automatically by `argocd-deploy-key-init` Job in forgejo namespace. + +## Container Images +- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead. ## Secrets (not in git) - `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated)
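Review bot: The added ArgoCD bullet places the root Application in the `default` project, which in Argo CD allows any source repository and any destination unless it has been restricted. Either move the App of Apps into a dedicated AppProject limited to the Forgejo repo and the namespaces it manages, or state here that `default` has been locked down. The same bullet should say whether the deploy key created by `argocd-deploy-key-init` is read-only, and if that key ends up in a Secret, confirm it is listed under `## Secrets (not in git)`, which this hunk only shows as unchanged context. In the new `## Container Images` section, record the reason for the bitnami rule so it can be revisited later, and say whether `alpine/k8s` and `alpine` are expected to be pinned to a tag or digest.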