diff --git a/docs/how-to/authentik/authentik-python-backend-derivation.md b/docs/how-to/authentik/authentik-python-backend-derivation.md index 6704f6f..47b3ed8 100644 --- a/docs/how-to/authentik/authentik-python-backend-derivation.md +++ b/docs/how-to/authentik/authentik-python-backend-derivation.md @@ -1,7 +1,6 @@ --- title: Build Authentik Python Backend -modified: 2026-02-28 -status: active +modified: 2026-03-01 requires: - mirror-authentik-build-deps tags: @@ -52,7 +51,7 @@ Nix builds are sandboxed with no network access. The pattern is: - The 4 in-tree packages are installed from monorepo source, not PyPI - Standard `djangorestframework` 3.16.1 from PyPI (no longer forked as of 2026.2.0) -## Lessons Learned (WIP) +## Lessons Learned Build issues encountered and resolved: 
@@ -62,10 +61,14 @@ Build issues encountered and resolved: | gssapi `gss_acquire_cred_impersonate_name` undeclared | `NIX_CFLAGS_COMPILE="-include gssapi/gssapi_ext.h"` — function is in `gssapi_ext.h`, not auto-included | | xmlsec linker error `-lltdl` | Add `pkgs.libtool` to buildInputs (provides libltdl) | | psycopg-c needs `libpq` | Add `pkgs.libpq` to buildInputs | -| FOD references 19 store paths | Strip with `remove-references-to`, delete `bin/` and `.pyc` files, placeholder `pyvenv.cfg` | -| Still 6 residual store refs | Need to add `glibc.dev` and other `-dev` outputs to `refTargets` list — WIP | +| Static `refTargets` list missed 6 store refs | Replaced with dynamic discovery: `grep -aohE '/nix/store/...'` finds all refs, `remove-references-to` strips them | +| `xargs grep` exit code 123 under `pipefail` | Wrap pipeline in `{ ... \|\| true; }` — grep returning 1 (no match) causes xargs to return 123 | +| `grep -aoE` includes filename prefix in output | Use `grep -aohE` (`-h` suppresses filenames) to get clean store paths | +| autoPatchelfHook can't find libraries | `buildInputs` in main derivation must include all libraries that `.so` files link against | -The `uv sync` completes in ~3.5 minutes. Reference stripping reduced 19 → 6 remaining store refs. Next iteration needs to capture all remaining dev/lib output paths in the `refTargets` list. +The `uv sync` completes in ~3.5 minutes. Dynamic reference discovery finds 19 unique store paths and strips all of them. After stripping, `remove-references-to` mangles hashes to `eeee...` bytes — about 40 files still "contain" `/nix/store/` strings but with invalid hashes, which is expected and harmless. `autoPatchelfHook` in the main derivation resolves all NEEDED entries with 0 unsatisfied dependencies. + +Build verified: `$out/bin/python3.14 -c "import authentik"` succeeds, along with all key dependencies (django 5.2.11, lxml, xmlsec, psycopg, guardian, opencontainers). ## Related
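Review bot: In the front-matter hunk (`@@ -1,7 +1,6 @@`), `status: active` is removed with no replacement and no explanation. If the key is being retired, say so in the commit message. If the page is simply finished (the same patch drops "(WIP)" from the heading), set a final status value instead of deleting the key, so anything that reads the front matter does not treat this page as having no status.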
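Review bot: In the `@@ -52,7 +51,7 @@` hunk, renaming `## Lessons Learned (WIP)` to `## Lessons Learned` changes the heading's generated anchor. Check the other docs for links to the old anchor and update them in this patch.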
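Review bot: In the `@@ -62,10 +61,14 @@` hunk, the `xargs grep` exit code 123 row recommends `{ ... \|\| true; }`, which discards every failure in the group, not only the no-match case. A grep read error or an xargs failure to launch the command would also pass silently and leave references unstripped. Document a narrower guard, or add a row for a post-strip check that fails the build if any intact store path remains. That check would also back the "expected and harmless" claim about the roughly 40 files with `eeee...` hashes, which the page currently asserts without saying how it was verified. Two smaller points in the same hunk: the removed "FOD references 19 store paths" row was the only place that recorded deleting `bin/` and `.pyc` files and the placeholder `pyvenv.cfg`, so either keep that information or state that those steps are no longer needed. The discovery pattern is also written as `'/nix/store/...'` with the regex elided, so give the full pattern or point to the derivation file that contains it.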