diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf
index abde491c..598572ee 100644
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@@ -78,6 +78,25 @@ resource "kubernetes_manifest" "external_secret" {
             property = "claude_oauth_token"
           }
         },
+        {
+          # Consumed by service-upgrade agent to poll ci.viktorbarzin.me
+          # per-workflow status. Pod has no Vault CLI auth, so the old
+          # `vault kv get` path is dead — see bd code-3o3.
+          secretKey = "WOODPECKER_API_TOKEN"
+          remoteRef = {
+            key      = "ci/global"
+            property = "woodpecker_api_token"
+          }
+        },
+        {
+          # Consumed by service-upgrade agent for Start/Success/Failure
+          # notifications. Same shared webhook as alertmanager.
+          secretKey = "SLACK_WEBHOOK_URL"
+          remoteRef = {
+            key      = "viktor"
+            property = "alertmanager_slack_api_url"
+          }
+        },
       ]
     }
   }