diff --git a/TODO.md b/TODO.md
deleted file mode 100644
index 4d06164..0000000
--- a/TODO.md
+++ /dev/null
@@ -1,52 +0,0 @@ -# TODO - -## ✅ Caddy Migration - COMPLETED -- [x] Migrate from nginx + ModSecurity to Caddy -- [x] Automatic HTTPS certificate provisioning -- [x] All sites working with proper IP restrictions -- [x] Remove migration_mode logic - Caddy is now default - -## Infrastructure Cleanup Tasks - -### ✅ Phase 1: System LetsEncrypt to Caddy Migration - COMPLETED -- [x] ~~Create dedicated Caddy certificates volume~~ - Not needed, Caddy manages in /data -- [x] ~~Copy existing system LetsEncrypt certificates~~ - Not needed, Caddy generated new ones -- [x] ~~Set proper permissions~~ - Already correct, Caddy runs as podman user -- [x] Remove LetsEncrypt cron jobs from Ansible (cleanup.yml created) -- [x] Remove LetsEncrypt cron jobs from remote host (both weekly + 5min jobs removed) -- [x] Disable ssl role tasks and certificate generation (disabled in deploy_home.yml) -- [x] ~~Remove certbot installation from common role~~ - Not installed there -- [x] Uninstall certbot/letsencrypt packages from remote host (removed via dnf) -- [x] Stop any running LetsEncrypt services (certbot.timer not running) -- [x] Backup and remove /etc/letsencrypt directory (backup created, directory removed) -- [x] Remove /srv/http/letsencrypt directory (webroot removed) - -### ✅ Phase 2: nginx + ModSecurity Cleanup - COMPLETED -- [x] Remove nginx container configuration and tasks (deleted all conf-nginx*.yml, nginx.yml) -- [x] Remove nginx configuration templates and files (removed entire templates/nginx/ directory) -- [x] Remove ModSecurity rules and configuration (removed from defaults/main.yml variables) -- [x] Remove nginx/ModSecurity volume mounts and directories (nginx volume backed up and removed) -- [x] Clean up nginx-related variables from defaults/main.yml (nginx_path removed) -- [x] ~~Remove firewall rules for nginx~~ - Not needed, Caddy uses same ports -- [x] Remove nginx systemd services from remote host (container-nginx service removed) -- [x] ~~Uninstall nginx/ModSecurity 
packages~~ - Were never system-installed, container-only -- [x] Clean up nginx log directories and files (/var/log/nginx, /var/log/modsecurity removed) -- [x] Remove ModSecurity installation directories (/usr/share/modsecurity, /usr/share/coreruleset removed) -- [x] Create backup of nginx configuration (nginx-backup-{timestamp}.tar.gz created) - -### ✅ Phase 3: Final Cleanup - COMPLETED -- [x] Remove Drone CI infrastructure and ci.bdebyl.net host - - [x] Remove Drone container from podman configuration (drone.yml deleted) - - [x] Remove ci.bdebyl.net from Caddyfile (site configuration removed) - - [x] Clean up drone-related volumes and data (drone volume backed up and removed) - - [x] Update firewall rules to remove CI ports (ports were not explicitly opened) -- [x] Review and remove unused variables and templates - - [x] Removed ci_server_name variable - - [x] Removed drone-related variables (drone_path, drone_server_proto, etc.) - - [x] Cleaned up nginx handler in handlers/main.yml - - [x] Updated firewall.yml comments -- [x] Update documentation to reflect Caddy as web server - - [x] Updated CLAUDE.md container organization section - - [x] Updated tagging strategy (nginx→caddy, drone marked decommissioned) - - [x] Updated target environment description (nginx→Caddy) -- [x] Verify all services working after cleanup (sites tested and working) \ No newline at end of file diff --git a/ansible/roles/gitea-actions/tasks/esp-idf.yml b/ansible/roles/gitea-actions/tasks/esp-idf.yml deleted file mode 100644 index dc64ecc..0000000 --- a/ansible/roles/gitea-actions/tasks/esp-idf.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -- name: install ESP-IDF build dependencies - become: true - ansible.builtin.dnf: - name: - - git - - wget - - flex - - bison - - gperf - - python3 - - python3-pip - - cmake - - ninja-build - - ccache - - libffi-devel - - libusb1-devel - state: present - tags: gitea-actions - -- name: check if ESP-IDF is installed - ansible.builtin.stat: - path: "{{ esp_idf_path }}" - register: esp_idf_dir - tags: gitea-actions - -- name: clone ESP-IDF repository - become: true - ansible.builtin.git: - repo: https://github.com/espressif/esp-idf.git - dest: "{{ esp_idf_path }}" - version: "{{ esp_idf_version }}" - recursive: true - force: false - when: not esp_idf_dir.stat.exists - tags: gitea-actions - -- name: add ESP-IDF to git safe.directory - become: true - ansible.builtin.command: - cmd: git config --global --add safe.directory {{ esp_idf_path }} - changed_when: false - tags: gitea-actions - -- name: ensure ESP-IDF submodules are initialized - become: true - ansible.builtin.command: - cmd: git submodule update --init --recursive - chdir: "{{ esp_idf_path }}" - changed_when: false - tags: gitea-actions - -- name: set ESP-IDF directory ownership - become: true - ansible.builtin.file: - path: "{{ esp_idf_path }}" - owner: "{{ gitea_runner_user }}" - group: "{{ gitea_runner_user }}" - recurse: true - tags: gitea-actions - -- name: set SELinux context for ESP-IDF directory - become: true - community.general.sefcontext: - target: "{{ esp_idf_path }}(/.*)?" 
- setype: usr_t - state: present - when: ansible_selinux.status == "enabled" - notify: restore esp-idf selinux context - tags: gitea-actions - -- name: create ESP-IDF tools directory for runner user - become: true - ansible.builtin.file: - path: "{{ gitea_runner_home }}/.espressif" - state: directory - owner: "{{ gitea_runner_user }}" - group: "{{ gitea_runner_user }}" - mode: "0755" - tags: gitea-actions - -- name: install ESP-IDF tools for runner user - become: true - become_user: "{{ gitea_runner_user }}" - ansible.builtin.shell: | - export IDF_TOOLS_PATH="{{ gitea_runner_home }}/.espressif" - {{ esp_idf_path }}/install.sh esp32 - args: - creates: "{{ gitea_runner_home }}/.espressif/python_env" - environment: - HOME: "{{ gitea_runner_home }}" - tags: gitea-actions diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 74e08b3..3c9fba3 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -78,9 +78,15 @@ - import_tasks: containers/debyltech/fulfillr.yml vars: - image: git.debyl.io/debyltech/fulfillr:20260603.0222 + image: git.debyl.io/debyltech/fulfillr:20260605.2021 tags: debyltech, fulfillr +# Staging back-office (fulfillr-dev.debyltech.com) — same image, staging Turso config. +- import_tasks: containers/debyltech/fulfillr-dev.yml + vars: + image: git.debyl.io/debyltech/fulfillr:20260606.0357 + tags: debyltech, fulfillr-dev + - import_tasks: containers/debyltech/uptime-kuma.yml vars: image: docker.io/louislam/uptime-kuma:2.3.2
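Review bot: The comment on the new `fulfillr-dev` import says "same image", but staging pins `fulfillr:20260606.0357` while production is bumped to `fulfillr:20260605.2021`, so the two environments run different builds. If that is intended, the comment could read `# Staging back-office (fulfillr-dev.debyltech.com) — same repository, newer tag than prod; staging Turso config.` Both images are also pinned only by tag, which a registry can reassign; adding a digest, e.g. `image: git.debyl.io/debyltech/fulfillr:20260606.0357@sha256:<digest-placeholder>`, would make the deploy reproducible and tamper-evident. `containers/debyltech/fulfillr-dev.yml` is not shown in this diff, so it is worth confirming there that the staging back-office has the same access restrictions as production and uses its own credentials, not production's.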