diff --git a/CLAUDE.md b/CLAUDE.md index 4f4c732..cf0c30d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -38,8 +38,15 @@ | Netbird | `/opt/stacks/netbird/` | 3479/udp STUN | | Caddy (Netbird sidecar) | `/opt/stacks/caddy-netbird/` | 8443/tcp — gRPC proxy for Netbird clients | | Plane | `/opt/stacks/plane/` | 8095 (HTTP, via NPM) | -| Flowise | `/opt/stacks/flowise/` | 3010 — AI agent/flow GUI, login: admin / admin@nxm | | Gitea | `/opt/stacks/gitea/` | 3000 (web), 2222 (SSH git) — self-hosted git, infrastructure docs | +| Open WebUI | `/opt/stacks/open-webui/` | 3010 — Chat UI for Ollama + MCP (replaced Flowise 2026-05-01) | +| agent-sites | `/opt/stacks/sites/` | internal only (proxy network) — nginx:alpine serving /opt/sites/ at agents.nxm.co.za | +| hodor-gateway | `/opt/stacks/hodor-gateway/` | 8200 — FastAPI agent gateway, POST /ask → Ollama | +| bran-changelog | `/opt/stacks/bran-changelog/` | one-shot container, run.sh + cron 06:00 daily | +| citadel-mcp | `/opt/stacks/citadel-mcp/` | 8300 — MCP SSE+HTTP server, tools: list_agents/get_agent_status/get_agent_output/web_search | +| varys-monitor | `/opt/stacks/varys-monitor/` | one-shot container, run.sh + cron every 15 min | +| sam-research | `/opt/stacks/sam-research/` | 8500 — Research agent, POST /research → SearXNG + Ollama | +| searxng | `/opt/stacks/searxng/` | 8600 — Self-hosted search backend (internal only, used by sam + citadel) | ## Public Subdomains (via NPM + Let's Encrypt) | Subdomain | Internal Target | 
@@ -136,3 +143,5 @@ If a subdomain isn't resolving internally, check: - NPM (OpenResty) has no gRPC module — Caddy sidecar is the workaround until Traefik migration - Netbird config.yaml contains authSecret + encryptionKey — back this file up, losing it breaks all peers - Servers running Tailscale must run `sudo tailscale set --accept-dns=false` before joining Netbird (Tailscale DNS overrides Unbound and resolves via public IP, breaking gRPC hairpin) +- Open WebUI → Citadel MCP: auth_type must be `none` — empty bearer key generates an illegal header and the connection silently fails +- Open WebUI connects via Streamable HTTP POST at `http://citadel-mcp:8300/mcp` — do NOT use /sse (Open WebUI 0.9+ only supports POST-based transport)
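Review bot: In the first hunk (services table), the new rows for hodor-gateway (8200), citadel-mcp (8300) and sam-research (8500) give a port but do not say whether it is published on the host or reachable only on the internal network, unlike the agent-sites and searxng rows, which say "internal only". All three accept requests that drive Ollama or web search, so please state the exposure and any authentication for each row in the same style. Separately, the removed Flowise row carried a login in plain text (`login: admin / admin@nxm`). Deleting the row does not remove it from the repository history, so that password should be treated as disclosed and changed anywhere it is still in use.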
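Review bot: In the second hunk (gotchas list), the added line requiring auth_type `none` for Open WebUI → Citadel MCP records the workaround but not the control that makes it acceptable. With no authentication, anything that can reach `http://citadel-mcp:8300/mcp` can call list_agents, get_agent_status, get_agent_output and web_search. Suggest extending the bullet to say that 8300 must stay on the internal Docker network and must not be given a host port mapping or an NPM proxy host, and that a real bearer key should be set if the empty-key header problem is fixed later. The `/sse` bullet would also be easier to act on if it stated the symptom seen when the wrong endpoint is configured, as the auth bullet does with "silently fails".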