diff --git a/argocd/manifests/tailscale-operator-base/kustomization.yaml b/argocd/manifests/tailscale-operator-base/kustomization.yaml
index 4519af6..9d117ef 100644
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@@ -6,8 +6,11 @@ namespace: tailscale
 
 # Upstream Tailscale operator manifest from forge mirror.
 # To upgrade: update the ref in the URL AND the newTag below.
+# Must use the tailnet host forge.ops.eblu.me — the public forge.eblu.me
+# black-holes /mirrors/ at the Fly edge (AI-scraper mitigation), which the
+# in-cluster ArgoCD repo-server would otherwise hit and fail with a 403.
 resources:
-  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
+  - https://forge.ops.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
   - proxyclass.yaml
   - dnsconfig.yaml
 
diff --git a/docs/changelog.d/+tailscale-operator-mirror-tailnet-url.bugfix.md b/docs/changelog.d/+tailscale-operator-mirror-tailnet-url.bugfix.md
new file mode 100644
index 0000000..cc29cf7
--- /dev/null
+++ b/docs/changelog.d/+tailscale-operator-mirror-tailnet-url.bugfix.md
@@ -0,0 +1 @@
+Fixed the `tailscale-operator` and `tailscale-operator-ringtail` ArgoCD apps showing `Unknown` sync status. Their shared base kustomization fetched the upstream operator manifest from the public `forge.eblu.me/mirrors/...`, which the AI-scraper mitigation now black-holes (403). Pointed the remote resource at the tailnet host `forge.ops.eblu.me` instead, which the in-cluster repo-server can reach.