diff --git a/CLAUDE.md b/CLAUDE.md index 5fd80a9..93c5c72 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -21,6 +21,7 @@ | Ubuntu Server | 172.27.40.3 | Docker host, Headscale | | TrueNAS | 172.27.40.5 | NAS storage | | Home Assistant | 172.27.10.6 | Home automation (IoT10) | +| Kubuntu (NxM-AI) | 172.27.40.20 | Ollama inference host | ## Docker Stacks & Ports | Stack | Path | Port | @@ -50,7 +51,8 @@ | monitoring | `/opt/stacks/monitoring/` | 8086 (InfluxDB), 3020 (Grafana) — metrics from Telegraf/OPNsense, alerts → Raven | | qyburn-coder | `/opt/stacks/qyburn-coder/` | 8700 — LLM coding agent, POST /task → qwen2.5-coder:14b, approve/reject via dashboard | | netbox | `/opt/stacks/netbox/` | 8100 — IPAM, network documentation, client site discovery | -| bni-scheduler | `/opt/stacks/bni-scheduler/` | no host port (proxy only) — React SPA at bni.nexum.co.za, BNI Ignite speaker rotation | +| bni-scheduler | `/opt/stacks/bni-scheduler/` | no host port (proxy only, internal port 3000) — Node.js/Express + SQLite at bni.nxm.co.za, BNI Ignite speaker rotation | +| nocodb | `/opt/stacks/nocodb/` | 8150 — No-code DB, rvd.nxm.co.za, birthday/client database | ## Public Subdomains (via NPM + Let's Encrypt) | Subdomain | Internal Target | @@ -66,7 +68,8 @@ | grafana.nxm.co.za | 172.27.40.3:3020 | | netbox.nxm.co.za | 172.27.40.3:8100 | | agents.nxm.co.za | agent-sites:80 via NPM — static files from /opt/sites/ | -| bni.nexum.co.za | bni-scheduler:80 via NPM (Cloudflare gray-cloud CNAME) | +| bni.nxm.co.za | bni-scheduler:3000 via NPM | +| rvd.nxm.co.za | 172.27.40.3:8150 | | rmm.nxm.co.za | 172.27.40.4:443 | | api.nxm.co.za | 172.27.40.4:443 | | mesh.nxm.co.za | 172.27.40.4:4430 | 
@@ -153,3 +156,18 @@ If a subdomain isn't resolving internally, check: - Servers running Tailscale must run `sudo tailscale set --accept-dns=false` before joining Netbird (Tailscale DNS overrides Unbound and resolves via public IP, breaking gRPC hairpin) - Open WebUI → Citadel MCP: auth_type must be `none` — empty bearer key generates an illegal header and the connection silently fails - Open WebUI connects via Streamable HTTP POST at `http://citadel-mcp:8300/mcp` — do NOT use /sse (Open WebUI 0.9+ only supports POST-based transport) + +## Project Registry +Say "let's work on [project name]" to load context. I will read the project CLAUDE.md from the path below. + +| Project | Path | Status | Next | +|---|---|---|---| +| **agent-os** | `/opt/agent-os/memory/active-projects.md` + `/opt/agent-os/skills/infra-monitor/` | Phases 1-2 done | Phase 3: infra-monitor skill | +| **infra-monitor** | `/opt/agent-os/skills/infra-monitor/skill.md` | Not built | Update spec, then implement | +| **nxm-infrastructure** | `/home/nxm/Documents/NxM Linux Server/CLAUDE.md` | Active maintenance | Grafana alert rules, maester docs | +| **monitoring** | `/opt/stacks/monitoring/` | Alert rules partial | CPU/mem/WAN/ping rules pending | +| **maester-reports** | not yet created | Planned (port 8800) | NIST CSF agent, primary business goal | +| **nexum-portal** | not yet created | Planned (port 8900) | Phase 1: Authelia stack | +| **nexum-csf** | not yet created | Planned (Gitea repo) | Import NIST CSF 2.0 framework docs | +| **bni-scheduler** | `/opt/stacks/bni-scheduler/` | Live | Minor updates only | +| **nexum-projects** | Kubuntu: `/home/nxm/Documents/Nexum Projects/` | Active | Client project tracking | diff --git a/memory/active-projects.md b/memory/active-projects.md index 995f00b..612dd9d 100644 --- a/memory/active-projects.md +++ b/memory/active-projects.md 
@@ -1,23 +1,48 @@ # Active Projects Current in-flight work. Update at the end of each session. -Last updated: 2026-04-30 +Last updated: 2026-05-16 --- -## Agent OS — Phase 1 (NEXT) -Complete the foundation before building skills. -- [ ] Set up NFS export on 172.27.40.3 + mount on Kubuntu at /mnt/agent-os -- [ ] Run identity interview with Claude → populate identity.md -- [ ] Seed brain.md review and confirm accuracy -- [ ] Clone this repo to /opt/agent-os/ on server +## Agent OS — Phase 3: infra-monitor skill (NEXT) -## Agent OS — Phase 3 (PENDING Phase 1) -- [ ] Build infra-monitor skill -- [ ] Set up cron schedule (hourly heartbeat, daily digest) -- [ ] Wire up Home Assistant notifications +Phases 1 (NFS + mount) and 2 (identity interview) are complete. -## Gitea documentation -- [x] nxm-infrastructure repo — Obsidian vault imported -- [x] nexum-projects repo — Obsidian vault imported -- [x] agent-os repo — scaffolding created +**Phase 3 goal:** Docker container state monitoring + system resources. Complements Varys (HTTP reachability) — do not duplicate. 
+ +Pre-work before implementing: +- [ ] Update `skills/infra-monitor/skill.md` — container list is stale (has Flowise, missing Open WebUI + all new agents: citadel, varys, bran, sam, raven, qyburn, hodor, searxng, monitoring, bni-scheduler, nocodb) +- [ ] Correct Ollama URL in skill.md: now `http://172.27.40.20:11434` (moved from 172.27.6.139) +- [ ] Decide implementation: Docker one-shot container (consistent with bran/varys pattern) vs host cron + shell script + +Implementation tasks: +- [ ] Build infra-monitor (Docker container or shell script) +- [ ] Output: `/opt/sites/infra-monitor/index.html` + `/opt/agent-os/logs/infra-monitor/last-run.json` +- [ ] Wire Raven alert on critical findings +- [ ] Set up cron: hourly heartbeat (Docker + Ollama only) + daily 07:00 full digest + +## Agent OS — Phase 4: Cron Scheduling (Pending Phase 3) +- [ ] Hourly heartbeat cron on 172.27.40.3 +- [ ] Daily 07:00 full digest cron +- [ ] Notification channel: Raven (confirmed live at http://raven-notify:8400) +- [ ] Home Assistant integration (172.27.10.6) — optional, revisit after Phase 3 + +## Agent OS — Phase 5: Future Skills (Future) +- backup-monitor: pending TrueNAS dedicated server migration +- Netbird/Headscale peer health: Netbird API at http://172.22.0.11:80/api/ +- Daily log digest: summarise /opt/agent-os/logs/ via Ollama + +--- + +## Gitea Documentation Repos +- [x] nxm-infrastructure repo — Obsidian vault imported, CLAUDE.md added 2026-05-16 +- [x] nexum-projects repo — Obsidian vault imported (on Kubuntu) +- [x] agent-os repo — scaffolding created, CLAUDE.md is global symlink + +--- + +## Pending: Gitea SSH Key (security debt) +Server remote uses HTTP with embedded token. Before rotating: +1. Add SSH key for `nxm@172.27.40.3` to Gitea (Admin → Settings → SSH Keys) +2. `cd /opt/agent-os && git remote set-url origin gitea-local:admin/agent-os.git`
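Review bot: In the Docker Stacks table of CLAUDE.md, the new nocodb row publishes host port 8150 for what the row itself describes as a birthday/client database, while the bni-scheduler row beside it is "no host port (proxy only, internal port 3000)". If rvd.nxm.co.za through NPM is the intended entry point, consider making nocodb proxy-only in the same way, or state in the row why the host port has to stay open.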
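Review bot: In the Public Subdomains table of CLAUDE.md, the added row `| rvd.nxm.co.za | 172.27.40.3:8150 |` puts the client database on a public name, and nothing in the table says what authenticates access to it. Suggest recording the access control that sits in front of it, since the Project Registry added later in this patch lists the Authelia stack only as planned. The rewritten bni row also drops the "(Cloudflare gray-cloud CNAME)" note; if that still applies to bni.nxm.co.za, keep it.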
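Review bot: In the Project Registry section added to CLAUDE.md, the intro line says "I will read the project CLAUDE.md from the path below", but only the nxm-infrastructure row points at a CLAUDE.md. The other rows point at `active-projects.md`, `skill.md`, a bare stack directory, or "not yet created". Reword the intro to say what is loaded for each kind of path and what should happen for a "not yet created" row. The agent-os row also joins two paths with `+`; splitting them or naming the primary one would remove the ambiguity.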
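Review bot: In the "Pending: Gitea SSH Key (security debt)" section of memory/active-projects.md, the list is headed "Before rotating" but ends at `git remote set-url`, so the rotation of the embedded token is never a tracked step. Add a step 3 that revokes the token in Gitea once the SSH remote is confirmed working, plus a check that no other clone or config still carries it. If `gitea-local` is an SSH config alias, note where it is defined. Writing the steps as `- [ ]` items like the other sections would keep this visible as open work.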