diff --git a/.claude/reference/authentik-state.md b/.claude/reference/authentik-state.md index 31fb102c..1adb9176 100644 --- a/.claude/reference/authentik-state.md +++ b/.claude/reference/authentik-state.md @@ -14,7 +14,6 @@ | Kubernetes | OAuth2/OIDC (public) | implicit consent | | Kubernetes Dashboard | OAuth2/OIDC (confidential) | implicit consent | | linkwarden | OAuth2/OIDC | explicit consent | -| Matrix | OAuth2/OIDC | ⚠️ orphaned — Matrix migrated to tuwunel 2026-06-08 (native password auth); this OAuth app is unused | | wrongmove | OAuth2/OIDC | implicit consent | > **Kubernetes Dashboard** (TF-managed in `stacks/k8s-dashboard/authentik.tf`): diff --git a/docs/architecture/authentication.md b/docs/architecture/authentication.md index bd0b5941..6806cd35 100644 --- a/docs/architecture/authentication.md +++ b/docs/architecture/authentication.md @@ -102,7 +102,6 @@ Authentik provides OIDC for 10 applications: | Kubernetes | OIDC (public client) | K8s API authentication (kubectl / kubelogin CLI) | | Kubernetes Dashboard | OIDC (confidential) | Built for dashboard SSO — currently **idle** (apiserver OIDC blocked; dashboard uses forward-auth + token-paste) | | Linkwarden | OIDC | Bookmark manager SSO | -| Matrix | OIDC | ⚠️ Legacy/orphaned — Synapse→tuwunel migration 2026-06-08; tuwunel uses native password auth, OIDC SSO not wired | | Wrongmove | OIDC | Real estate app SSO | ### Kubernetes API authentication (OIDC) — CURRENTLY NON-FUNCTIONAL diff --git a/docs/plans/2026-06-08-matrix-synapse-to-tuwunel-plan.md b/docs/plans/2026-06-08-matrix-synapse-to-tuwunel-plan.md index e8633886..2eb894ee 100644 --- a/docs/plans/2026-06-08-matrix-synapse-to-tuwunel-plan.md +++ b/docs/plans/2026-06-08-matrix-synapse-to-tuwunel-plan.md 
@@ -48,9 +48,10 @@ RocksDB dir. ## Residual / follow-up items (flagged to user) -- **Authentik Matrix OAuth2 app is now orphaned** — tuwunel uses native password - auth (OIDC SSO not wired). Harmless; can be removed from the authentik stack - later if desired. +- **Authentik Matrix OAuth2 app — REMOVED 2026-06-08** (user-confirmed). It was + UI-managed (NOT in the authentik TF stack), so it was deleted via the Authentik + API: application `matrix` + OAuth2 provider `pk=6`. tuwunel uses native password + auth, so nothing consumed it. - **Pre-existing drift in `stacks/vault`**: `vault_jwt_auth_backend.oidc` shows a `tune` diff (explicit `768h` default/max lease TTLs being dropped). This predates this migration and was **not** applied. Resolve separately.
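Review bot: the `docs/architecture/authentication.md` hunk deletes the Matrix row but leaves the hunk's own context line, `Authentik provides OIDC for 10 applications:`, untouched, so the heading and the table now disagree. Update the count in the same change (9 if Matrix was one of the 10; recount the remaining rows rather than assuming) so the architecture doc stays internally consistent after the row removal.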
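Review bot: in the `docs/plans/...-matrix-synapse-to-tuwunel-plan.md` hunk, the new wording records the deletion of application `matrix` and OAuth2 provider `pk=6` via the Authentik API, but deleting the provider only removes the server side of the client. The client ID and secret that Synapse was issued still exist wherever Synapse's homeserver config or secrets were kept, and the hunk says nothing about them. Add one line stating that the Synapse-side OIDC client credentials were removed or rotated as part of the same cleanup, and that the deletion was verified against the API afterwards (a `GET` on provider `pk=6` returning not-found), since this removal happened outside the authentik TF stack and no plan will catch it if it was only partially applied.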