diff --git a/docs/PRODUCTION-MASTER-PLAN.md b/docs/PRODUCTION-MASTER-PLAN.md index bf506558..06136a39 100644 --- a/docs/PRODUCTION-MASTER-PLAN.md +++ b/docs/PRODUCTION-MASTER-PLAN.md 
@@ -150,6 +150,25 @@ phases 2–6 (`dual-ecash-design.md`). ## 8b. SESSION STATE + RESUME (2026-06-21, live) **Landed + committed on main this session (newest first):** +- `b1eea8c0` indeedhub (#20) **phase 3 — CODE COMPLETE, unit-tested; NOT yet + live-verified.** 7 manifests (apps/indeedhub-{postgres,redis,minio,relay,api, + ffmpeg} + apps/indeedhub frontend) + install_indeedhub_stack orchestrator-first + (immich pattern). Data-preserving by construction = ADOPTION on .228: exact live + hyphen container names, named volumes indeedhub-*-data, dedicated indeedhub-net + + network_aliases [postgres|redis|minio|relay|api], generated_secrets reuse live + /var/lib/archipelago/secrets values (ensure_one no-ops on existing). Frontend + carries the post_install nginx hook (replaces patch_indeedhub_nostr_provider; + defensive since indeedhub:1.0.0 already bakes it). .228 GROUND TRUTH captured: + 7 containers Up, volumes indeedhub-{postgres,redis,minio,relay}-data, network + indeedhub-net; frontend nginx upstreams api:4000/minio:9000/relay:8080; image + already bakes X-Frame strip + nostr-provider.js (6347B) + sub_filter. + **NEXT = live verify on .228:** build+sideload binary, restart, package.install + indeedhub → expect adoption (NoOp, no data touch), then full lifecycle. Risk: + service restart SIGKILL-cascade if Quadlet not fully shipped on .228. +- `b94b61f6` `network_aliases` manifest field (ContainerConfig) + podman_client & + quadlet rendering + DNS-label validation; also fixed 4 pre-existing from_manifest + test failures (network_policy: archy-net invalid; bind sources outside + /var/lib/archipelago). Enables indeedhub's short aliases on indeedhub-net. - `955c54b7` hook capability (#20) **phase 2** — `container::hooks::run_post_install` executor (podman exec + copy_from_host w/ allowlist canonicalise + symlink-escape prefix check; best-effort/idempotent) wired into `install_fresh` after container
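Review bot: In the `b1eea8c0` entry, the "NEXT = live verify on .228" step names a restart risk (SIGKILL-cascade if Quadlet is not fully shipped) but gives no precondition or acceptance check for it. Before `package.install indeedhub`, the plan should say how Quadlet coverage on .228 is confirmed. It should also say how "adoption (NoOp, no data touch)" will be verified against the captured ground truth, for example the same 7 containers Up and the same `indeedhub-{postgres,redis,minio,relay}-data` volumes afterwards. Since the entry is marked "NOT yet live-verified", a backup step for those named volumes is worth adding, because "data-preserving by construction" is so far only unit-tested. Separately, in the `b94b61f6` entry, "fixed 4 pre-existing from_manifest test failures (network_policy: archy-net invalid; bind sources outside /var/lib/archipelago)" does not say whether the test fixtures were corrected or the validation was relaxed. Please state which, since the bind-source restriction is a security boundary.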