diff --git a/.gitignore b/.gitignore
index 3359b7b..f79d08d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 node_modules/
 k8s/secrets.local.yaml
+
+# Internal Claude Code skills
+.claude/
diff --git a/k8s/data/minio-secret.yaml b/k8s/data/minio-secret.yaml
index 3dc6e8f..c62f605 100644
--- a/k8s/data/minio-secret.yaml
+++ b/k8s/data/minio-secret.yaml
@@ -1,4 +1,8 @@
-# MinIO root credentials — local dev only.
+# MinIO root credentials — legacy local-dev path (in-cluster MinIO retired
+# 2026-05-20). Operators MUST replace placeholders before applying. Local-dev
+# convenience values were here historically; OSS publication requires
+# placeholders so a fresh clone cannot accidentally come up with the same
+# credentials as every other clone.
 # Apply: kubectl apply -f data/minio-secret.yaml
 # The API pod reads these same values from instant-secrets (instant namespace).
 apiVersion: v1
@@ -8,5 +12,5 @@ metadata:
 namespace: instant-data
 type: Opaque
 stringData:
- MINIO_ROOT_USER: "minioadmin"
- MINIO_ROOT_PASSWORD: "minioadmin123"
+ MINIO_ROOT_USER: "CHANGE_ME"
+ MINIO_ROOT_PASSWORD: "CHANGE_ME"
diff --git a/k8s/data/mongodb.yaml b/k8s/data/mongodb.yaml
index ca68a40..64b23f4 100644
--- a/k8s/data/mongodb.yaml
+++ b/k8s/data/mongodb.yaml
@@ -72,3 +72,21 @@ spec:
 ports:
 - port: 27017
 targetPort: 27017
+
+---
+# Secret consumed by provisioner deployment as MONGO_ADMIN_URI (added 2026-05-21
+# for OSS prep — was previously inlined in provisioner/deployment.yaml).
+# Operators MUST replace placeholders. The URI format is:
+# mongodb://:@mongodb.instant-data.svc.cluster.local:27017
+# where / match MONGO_INITDB_ROOT_USERNAME/PASSWORD set on
+# the mongodb StatefulSet (see the env vars above in this same file once you
+# template them).
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mongodb-admin
+ namespace: instant-data
+type: Opaque
+stringData:
+ MONGO_ADMIN_URI: "CHANGE_ME"
+
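Review bot: `CHANGE_ME` in the `stringData` of k8s/data/minio-secret.yaml is itself a usable credential, so the documented `kubectl apply -f data/minio-secret.yaml` on an unedited clone still creates a Secret with the same user and password as every other clone, which is the outcome the new header comment says the placeholders prevent. The same holds for `PLATFORM_DB_PASSWORD`/`CUSTOMER_DB_PASSWORD` and the MinIO keys in both k8s/secrets.yaml hunks. Nothing visible in this diff rejects the placeholder, so consider a pre-apply or startup check that fails when any value equals `CHANGE_ME`, or ship these files as templates and keep real values in a gitignored file the way `k8s/secrets.local.yaml` already is.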
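Review bot: Placing the `mongodb-admin` Secret in the same multi-document file as the MongoDB resources in k8s/data/mongodb.yaml means every `kubectl apply -f` of that file resets `MONGO_ADMIN_URI` to `CHANGE_ME` unless the operator edits the tracked file, which in turn invites committing a real URI. A separate template file, with the filled-in copy gitignored as `k8s/secrets.local.yaml` already is, avoids both problems. The comment's "once you template them" also suggests that MONGO_INITDB_ROOT_USERNAME/PASSWORD are still literal values earlier in the file, outside this hunk; if so the manifest still carries credentials, and they should be read from the same Secret via `secretKeyRef`.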
diff --git a/k8s/provisioner/deployment.yaml b/k8s/provisioner/deployment.yaml
index dcf9249..0b39001 100644
--- a/k8s/provisioner/deployment.yaml
+++ b/k8s/provisioner/deployment.yaml
@@ -116,8 +116,16 @@ spec:
 value: "k8s"
 - name: REDIS_PROVISION_HOST
 value: "redis-provision.instant-data.svc.cluster.local:6379"
+ # MONGO_ADMIN_URI was historically inlined here as
+ # `mongodb://root:root@...` for local-dev convenience. For OSS
+ # publication it is sourced from a Secret so the manifest contains
+ # no credentials. Operators MUST create the secret before applying;
+ # see infra/k8s/data/mongodb.yaml for the matching Secret template.
 - name: MONGO_ADMIN_URI
- value: "mongodb://root:root@mongodb.instant-data.svc.cluster.local:27017"
+ valueFrom:
+ secretKeyRef:
+ name: mongodb-admin
+ key: MONGO_ADMIN_URI
 - name: MONGO_HOST
 value: "mongodb.instant-data.svc.cluster.local:27017"
 - name: PROVISIONER_SECRET
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
index db8c2ef..78bfb85 100644
--- a/k8s/secrets.yaml
+++ b/k8s/secrets.yaml
@@ -13,8 +13,10 @@ metadata:
 namespace: instant
 type: Opaque
 stringData:
- PLATFORM_DB_PASSWORD: instant
- CUSTOMER_DB_PASSWORD: instant_cust
+ # Local-dev convenience values were here historically. For OSS publication
+ # every credential is CHANGE_ME — operators MUST replace before applying.
+ PLATFORM_DB_PASSWORD: "CHANGE_ME"
+ CUSTOMER_DB_PASSWORD: "CHANGE_ME"
 # New Relic license key — rotate via kubectl patch (see comment at top of file).
 # Empty/CHANGE_ME means the Go agent fails open and logs a warning at startup.
 NEW_RELIC_LICENSE_KEY: "CHANGE_ME"
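Review bot: The new `secretKeyRef` for `MONGO_ADMIN_URI` in k8s/provisioner/deployment.yaml can only resolve a Secret in the provisioner pod's own namespace, while the `mongodb-admin` Secret added in k8s/data/mongodb.yaml is declared with `namespace: instant-data`. The Deployment's namespace is outside this hunk (the env list continues on both sides of it); if it is not `instant-data`, the container will fail to start because the Secret cannot be found. The Secret template should be created in the provisioner's namespace, and a comment such as `# Secret must live in this Deployment's namespace; secretKeyRef cannot cross namespaces` would make that explicit. The added comment also points to `infra/k8s/data/mongodb.yaml` whereas the file in this diff is `k8s/data/mongodb.yaml`, which may only be a monorepo prefix but is worth confirming.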
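Review bot: Replacing `PLATFORM_DB_PASSWORD: instant` and `CUSTOMER_DB_PASSWORD: instant_cust` in k8s/secrets.yaml removes them from the tip of the branch only; they, `minioadmin123` and the `root:root` Mongo URI removed elsewhere in this diff stay readable in the repository history once it is published. Any environment that ever ran with those values should have them rotated before publication, and it is worth deciding whether the public repository starts from a squashed history. The retained comment documents what happens when `NEW_RELIC_LICENSE_KEY` is left as `CHANGE_ME`; a matching one-line comment for the database passwords would tell operators whether the API fails closed on the placeholder.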
@@ -49,9 +51,11 @@ stringData:
 R2_API_TOKEN: "CHANGE_ME"
 R2_ENDPOINT: "CHANGE_ME"
 R2_BUCKET_NAME: "CHANGE_ME"
- # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml)
- MINIO_ROOT_USER: "minioadmin"
- MINIO_ROOT_PASSWORD: "minioadmin123"
+ # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml).
+ # Used only by the legacy self-hosted MinIO Deployment, which was retired
+ # 2026-05-20 in favour of DigitalOcean Spaces. Operators MUST replace.
+ MINIO_ROOT_USER: "CHANGE_ME"
+ MINIO_ROOT_PASSWORD: "CHANGE_ME"
 # Comma-separated list of admin user emails (case-insensitive). Empty
 # / unset → admin endpoints reject every caller (closed-by-default).
 # Read by api/internal/middleware/admin.go on every request, no app