diff --git a/scripts/publish-gate b/scripts/publish-gate
index 1d6ff6db..0bbb6fb5 100755
--- a/scripts/publish-gate
+++ b/scripts/publish-gate
@@ -47,7 +47,7 @@ say ""; say "-- PII heuristics (tracked files) --"
 cd "$CLONE"
 EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' ':!package-lock.json' ':!pnpm-lock.yaml' ':!.beads' 2>/dev/null \
   | grep -viE '@(viktorbarzin\.me|meta\.com|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \
-  | grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*)@' \
+  | grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*|licensing|legal|security|sales)@' \
   | sort -u | head -20)
 if [ -n "$EMAILS" ]; then say "real-looking emails found:"; say "$EMAILS"; say "(review: PII?)"; DIRTY=1; else say "emails: none beyond allowlist"; fi
 KEYS=$(git grep -l 'BEGIN.*PRIVATE KEY' 2>/dev/null | head -5)
diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index e48d5fff..7ef9d6a0 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -847,7 +847,7 @@ resource "kubernetes_config_map" "beads_metadata" {
 
 locals {
   # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
-  claude_agent_service_image = "forgejo.viktorbarzin.me/viktor/claude-agent-service:${var.claude_agent_service_image_tag}"
+  claude_agent_service_image = "ghcr.io/viktorbarzin/claude-agent-service:${var.claude_agent_service_image_tag}"
   beadboard_internal_url     = "http://${kubernetes_service.beadboard.metadata[0].name}.${kubernetes_namespace.beads.metadata[0].name}.svc.cluster.local"
 
   beads_script_prelude = <<-EOT
diff --git a/stacks/ci-pipeline-health/main.tf b/stacks/ci-pipeline-health/main.tf
index 0356d180..31b3b475 100644
--- a/stacks/ci-pipeline-health/main.tf
+++ b/stacks/ci-pipeline-health/main.tf
@@ -30,7 +30,7 @@ variable "image_tag" {
 
 locals {
   namespace = "ci-pipeline-health"
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service:${var.image_tag}"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service:${var.image_tag}"
   labels = {
     app = "ci-pipeline-health"
   }
diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf
index 5b840346..7e3f3111 100644
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@@ -11,7 +11,7 @@ data "vault_kv_secret_v2" "viktor_secrets" {
 locals {
   namespace = "claude-agent"
   # Phase 3 cutover 2026-05-07 — see infra/docs/plans/2026-05-07-forgejo-registry-consolidation-plan.md.
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service"
   image_tag = "latest"
   labels = {
     app = "claude-agent-service"
diff --git a/stacks/claude-breakglass/main.tf b/stacks/claude-breakglass/main.tf
index e13af628..7a02a838 100644
--- a/stacks/claude-breakglass/main.tf
+++ b/stacks/claude-breakglass/main.tf
@@ -20,7 +20,7 @@ locals {
   namespace = "claude-breakglass"
   # Same image as claude-agent-service — the breakglass code lives in that repo
   # under app/breakglass/, and the deployment below overrides the command.
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service"
   image_tag = "latest"
   labels = {
     app = "claude-breakglass"
diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf
index e91592aa..21d11427 100644
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@@ -25,7 +25,7 @@
 #   - infra/scripts/update_k8s.sh (per-node upgrade body)
 
 variable "schedule" {
-  type    = string
+  type = string
   # Daily 12:00 UTC — outside kured window (kured runs 02:00-06:00
   # London). Was weekly Sunday until 2026-05-18; daily picks up upstream
   # patch releases the same day they land. Concurrency is bounded by the
@@ -44,7 +44,7 @@ variable "enabled" {
 # ssh-client, curl, jq, envsubst — everything the upgrade Jobs need.
 variable "image_tag" {
   type    = string
-  default = "2fd7670d"
+  default = "latest"
 }
 
 # When true, detection runs but does NOT spawn the preflight Job.
@@ -55,7 +55,7 @@ variable "detection_dry_run" {
 
 locals {
   namespace = "k8s-upgrade"
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service:${var.image_tag}"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service:${var.image_tag}"
   labels = {
     app = "k8s-version-upgrade"
   }
@@ -67,7 +67,7 @@ resource "kubernetes_namespace" "k8s_upgrade" {
   metadata {
     name = local.namespace
     labels = {
-      tier = local.tiers.cluster
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }