diff --git a/README.md b/README.md
index a8e9256..23121a0 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,21 @@ The API is split between admin routes, account self-service routes, internal eve
 
 The following are notes for future Brad.
 
+## Bring-up dependencies
+
+Ariadne is not first-wave recovery software. Bring it up after the cluster can already run normal in-cluster services.
+
+It needs:
+
+- Kubernetes API, service DNS, and Ariadne's service account/RBAC
+- the Ariadne database, plus the portal database if portal/account sync is enabled
+- Vault or the Kubernetes secrets that Vault normally feeds it
+- Keycloak/OIDC, because auth and profile sync assume it exists
+- ingress/proxy plumbing if humans are going to use it through the portal
+- the services for whatever jobs are enabled: Mailu, Nextcloud, Vaultwarden, Wger, Firefly, Jenkins, Metis, OpenSearch, and the comms/game-mode pieces
+
+It can start before every integration is perfect, but the matching scheduled jobs will fail or no-op until their service is actually alive. In a total bring-up, wait for storage, Flux, Postgres, Vault, Keycloak, and ingress first; then Ariadne becomes useful glue.
+
 Useful routes:
 
 - `GET /health`