diff --git a/.claude/agents/doc-reviewer.md b/.claude/agents/doc-reviewer.md
index 7e73f8b..5ab941d 100644
--- a/.claude/agents/doc-reviewer.md
+++ b/.claude/agents/doc-reviewer.md
@@ -11,11 +11,12 @@ You are a documentation reviewer for the BlumeOps homelab infrastructure project
 ## Workflow
 
 1. Run `mise run docs-review` to see the staleness table and identify the most stale doc
-2. Read the identified doc thoroughly
-3. Perform the review checklist (below)
-4. Check your agent memory for notes from past reviews of this doc or related docs
-5. Present your findings as a structured report
-6. Update your agent memory with anything you learned
+2. **Review exactly ONE document** — the single most stale doc from the table. Do not review multiple docs in one cycle. The main conversation will invoke you again if more reviews are needed.
+3. Read the identified doc thoroughly
+4. Perform the review checklist (below)
+5. Check your agent memory for notes from past reviews of this doc or related docs
+6. Present your findings as a structured report
+7. Update your agent memory with anything you learned
 
 ## Review Checklist
 
diff --git a/docs/changelog.d/+doc-review-march-2026.doc.md b/docs/changelog.d/+doc-review-march-2026.doc.md
new file mode 100644
index 0000000..40cbc7f
--- /dev/null
+++ b/docs/changelog.d/+doc-review-march-2026.doc.md
@@ -0,0 +1 @@
+Review and update 12 reference docs: fix stale image references to point at kustomization manifests instead of hardcoded tags, correct Prometheus scrape target, expand external-secrets stub, add cross-references between backup/disaster-recovery docs, and remove misleading `.ts.net` URLs from Quick Reference tables.
diff --git a/docs/reference/kubernetes/external-secrets.md b/docs/reference/kubernetes/external-secrets.md
index 8efcbaf..3a1e08e 100644
--- a/docs/reference/kubernetes/external-secrets.md
+++ b/docs/reference/kubernetes/external-secrets.md
@@ -1,6 +1,7 @@
 ---
 title: External Secrets
-modified: 2026-02-07
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - kubernetes
   - secrets
@@ -8,4 +9,18 @@ tags:
 
 # External Secrets
 
-See [[1password]] in Services.
+The [External Secrets Operator](https://external-secrets.io/) syncs secrets from 1Password into Kubernetes Secrets. It runs in the `1password-connect` namespace alongside the 1Password Connect server.
+
+## How It Works
+
+Each service that needs secrets defines an `ExternalSecret` resource referencing a 1Password item and field. The operator polls 1Password Connect and creates/updates native Kubernetes Secrets.
+
+## Manifests
+
+- **Operator + Connect server:** `argocd/manifests/1password-connect/`
+- **Per-service ExternalSecrets:** in each service's manifest directory (e.g., `argocd/manifests/grafana-config/external-secret-*.yaml`)
+
+## Related
+
+- [[1password]] - Credential management
+- [[security-model]] - Secrets flow architecture
diff --git a/docs/reference/operations/backup.md b/docs/reference/operations/backup.md
index 5403d13..50d8daa 100644
--- a/docs/reference/operations/backup.md
+++ b/docs/reference/operations/backup.md
@@ -1,6 +1,7 @@
 ---
 title: Backup
-modified: 2026-02-07
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - operations
 ---
@@ -13,4 +14,5 @@ Daily automated backups of BlumeOps data.
 
 - [[borgmatic]] - Backup orchestration
 - [[sifaka|Sifaka]] - Backup target (NAS)
-- [[backups|backup-policy]] - What gets backed up and retention
+- [[backups]] - What gets backed up and retention
+- [[disaster-recovery]] - Recovery procedures
diff --git a/docs/reference/operations/disaster-recovery.md b/docs/reference/operations/disaster-recovery.md
index 475cf1c..b144aaf 100644
--- a/docs/reference/operations/disaster-recovery.md
+++ b/docs/reference/operations/disaster-recovery.md
@@ -1,6 +1,7 @@
 ---
 title: Disaster Recovery
-modified: 2026-02-10
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - operations
 ---
@@ -18,6 +19,7 @@ Recovery procedures for BlumeOps infrastructure.
 
 ## Components
 
+- [[backup]] - Backup overview
 - [[borgmatic]] - Backup restoration
 - [[1password]] - Credential recovery (backed up via `mise run op-backup`)
 - [[forgejo]] - Source of truth for infrastructure code
diff --git a/docs/reference/services/devpi.md b/docs/reference/services/devpi.md
index 74a05a3..c6493fe 100644
--- a/docs/reference/services/devpi.md
+++ b/docs/reference/services/devpi.md
@@ -1,6 +1,7 @@
 ---
 title: Devpi
-modified: 2026-02-07
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - python
@@ -18,7 +19,7 @@ PyPI caching proxy and private package index.
 | **Namespace** | `devpi` |
 | **ArgoCD App** | `devpi` |
 | **Storage** | 50Gi PVC |
-| **Image** | `registry.ops.eblu.me/blumeops/devpi:latest` |
+| **Image** | `registry.ops.eblu.me/blumeops/devpi` (see `argocd/manifests/devpi/kustomization.yaml` for current tag) |
 
 ## Indices
 
diff --git a/docs/reference/services/docs.md b/docs/reference/services/docs.md
index 6c3bd21..1361d02 100644
--- a/docs/reference/services/docs.md
+++ b/docs/reference/services/docs.md
@@ -1,6 +1,7 @@
 ---
 title: Docs
-modified: 2026-02-08
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - documentation
@@ -17,7 +18,7 @@ Documentation site built with [Quartz](https://quartz.jzhao.xyz/) and served via
 | **Public URL** | https://docs.eblu.me |
 | **Private URL** | `docs.ops.eblu.me` (tailnet only, via [[caddy]]) |
 | **Namespace** | `docs` |
-| **Container** | `registry.ops.eblu.me/blumeops/quartz:v1.0.0` |
+| **Image** | `registry.ops.eblu.me/blumeops/quartz` (see `argocd/manifests/docs/kustomization.yaml` for current tag) |
 | **Source** | `docs/` directory in blumeops repo |
 | **Build** | Forgejo workflow `build-blumeops.yaml` |
 | **Public proxy** | [[flyio-proxy]] (Fly.io → Tailscale tunnel) |
@@ -31,13 +32,12 @@ Documentation site built with [Quartz](https://quartz.jzhao.xyz/) and served via
 
 ## Release Process
 
-Documentation is automatically built and released when changes are pushed to main:
+Documentation is built and released via the `build-blumeops` Forgejo workflow (manual dispatch):
 
-1. Workflow detects changes in `docs/` directory
-2. Quartz builds static HTML/CSS/JS
-3. Assets uploaded as release attachment
-4. ArgoCD deployment updated with new `DOCS_RELEASE_URL`
-5. Pod restarts and downloads new bundle
+1. Quartz builds static HTML/CSS/JS
+2. Assets uploaded as Forgejo release attachment
+3. Workflow updates `DOCS_RELEASE_URL` in `argocd/manifests/docs/deployment.yaml` and commits to main
+4. ArgoCD syncs the updated deployment; new pod downloads the release bundle at startup
 
 ## Configuration
 
diff --git a/docs/reference/services/immich.md b/docs/reference/services/immich.md
index 915bbed..740dfa4 100644
--- a/docs/reference/services/immich.md
+++ b/docs/reference/services/immich.md
@@ -1,6 +1,7 @@
 ---
 title: Immich
 modified: 2026-02-07
+last-reviewed: 2026-03-23
 tags:
   - service
   - media
diff --git a/docs/reference/services/jellyfin.md b/docs/reference/services/jellyfin.md
index 85040fc..bbdfafd 100644
--- a/docs/reference/services/jellyfin.md
+++ b/docs/reference/services/jellyfin.md
@@ -1,6 +1,7 @@
 ---
 title: Jellyfin
 modified: 2026-02-07
+last-reviewed: 2026-03-23
 tags:
   - service
   - media
diff --git a/docs/reference/services/loki.md b/docs/reference/services/loki.md
index cbdc573..2b3b44e 100644
--- a/docs/reference/services/loki.md
+++ b/docs/reference/services/loki.md
@@ -1,6 +1,7 @@
 ---
 title: Loki
-modified: 2026-02-08
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - observability
@@ -15,9 +16,8 @@ Log aggregation system for BlumeOps infrastructure.
 | Property | Value |
 |----------|-------|
 | **URL** | https://loki.ops.eblu.me |
-| **Tailscale URL** | https://loki.tail8d86e.ts.net |
 | **Namespace** | `monitoring` |
-| **Image** | `grafana/loki:3.4.2` |
+| **Image** | `registry.ops.eblu.me/blumeops/loki` (see `argocd/manifests/loki/kustomization.yaml` for current tag) |
 | **Storage** | 50Gi PVC |
 | **Retention** | 31 days |
 
diff --git a/docs/reference/services/miniflux.md b/docs/reference/services/miniflux.md
index 70c1ff2..c34e5f7 100644
--- a/docs/reference/services/miniflux.md
+++ b/docs/reference/services/miniflux.md
@@ -1,6 +1,7 @@
 ---
 title: Miniflux
-modified: 2026-02-07
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - rss
@@ -15,9 +16,8 @@ Minimalist RSS/Atom feed reader.
 | Property | Value |
 |----------|-------|
 | **URL** | https://feed.ops.eblu.me |
-| **Tailscale URL** | https://feed.tail8d86e.ts.net |
 | **Namespace** | `miniflux` |
-| **Image** | `ghcr.io/miniflux/miniflux:latest` |
+| **Image** | `registry.ops.eblu.me/blumeops/miniflux` (see `argocd/manifests/miniflux/kustomization.yaml` for current tag) |
 | **Database** | [[postgresql]] |
 
 ## Features
diff --git a/docs/reference/services/prometheus.md b/docs/reference/services/prometheus.md
index eaf48b1..4d23588 100644
--- a/docs/reference/services/prometheus.md
+++ b/docs/reference/services/prometheus.md
@@ -1,6 +1,7 @@
 ---
 title: Prometheus
-modified: 2026-02-08
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - observability
@@ -15,9 +16,8 @@ Metrics storage and querying for BlumeOps infrastructure.
 | Property | Value |
 |----------|-------|
 | **URL** | https://prometheus.ops.eblu.me |
-| **Tailscale URL** | https://prometheus.tail8d86e.ts.net |
 | **Namespace** | `monitoring` |
-| **Image** | `prom/prometheus:v3.2.1` |
+| **Image** | `registry.ops.eblu.me/blumeops/prometheus` (see `argocd/manifests/prometheus/kustomization.yaml` for current tag) |
 | **Storage** | 50Gi PVC |
 | **Manifests** | `argocd/manifests/prometheus/` |
 
@@ -33,7 +33,7 @@ Metrics storage and querying for BlumeOps infrastructure.
 | Target | Metrics |
 |--------|---------|
 | `sifaka:9100` | [[sifaka|Sifaka]] NAS (node_exporter) |
-| `cnpg-metrics.tail8d86e.ts.net:9187` | [[postgresql|CloudNativePG]] metrics |
+| `blumeops-pg-metrics-tailscale.databases.svc.cluster.local:9187` | [[postgresql|CloudNativePG]] metrics |
 | `kube-state-metrics.monitoring.svc:8080` | Kubernetes resource metrics |
 
 ## Related
diff --git a/docs/reference/services/teslamate.md b/docs/reference/services/teslamate.md
index a891255..f02e979 100644
--- a/docs/reference/services/teslamate.md
+++ b/docs/reference/services/teslamate.md
@@ -1,6 +1,7 @@
 ---
 title: TeslaMate
-modified: 2026-02-07
+modified: 2026-03-23
+last-reviewed: 2026-03-23
 tags:
   - service
   - vehicle
@@ -8,16 +9,15 @@ tags:
 
 # TeslaMate
 
-Self-hosted Tesla data logger collecting vehicle telemetry from the Tesla Owner API.
+Self-hosted Tesla data logger collecting vehicle telemetry from the Tesla API.
 
 ## Quick Reference
 
 | Property | Value |
 |----------|-------|
 | **URL** | https://tesla.ops.eblu.me |
-| **Tailscale URL** | https://tesla.tail8d86e.ts.net |
 | **Namespace** | `teslamate` |
-| **Image** | `teslamate/teslamate:2.2.0` |
+| **Image** | `registry.ops.eblu.me/blumeops/teslamate` (see `argocd/manifests/teslamate/kustomization.yaml` for current tag) |
 | **Database** | [[postgresql]] |
 
 ## Data Collected
diff --git a/docs/reference/storage/sifaka.md b/docs/reference/storage/sifaka.md
index a994923..31fe90a 100644
--- a/docs/reference/storage/sifaka.md
+++ b/docs/reference/storage/sifaka.md
@@ -1,6 +1,7 @@
 ---
 title: Sifaka
 modified: 2026-02-09
+last-reviewed: 2026-03-23
 tags:
   - storage
 ---