diff --git a/AGENTS.md b/AGENTS.md
index 664fc6c..a8d49c8 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -62,3 +62,7 @@ Repository Guidelines
   4) Add Traefik forward-auth (oauth2-proxy) in front of Zot and any other services needing headers-based auth.
   5) Deploy Jellyfin OpenID plugin; map Keycloak users to existing Jellyfin usernames; communicate password reset path.
 - Migration caution: do not delete existing local creds until SSO validated; keep Pegasus working via Jellyfin tokens during transition.
+
+## Postgres centralization (2025-12-03)
+- Prefer a shared in-cluster Postgres deployment with per-service databases to reduce resource sprawl on Pi nodes. Use it for services that can easily point at an external DB.
+- Candidates to migrate to shared Postgres: Keycloak (realm DB), Gitea (git DB), Nextcloud (app DB), possibly Grafana (if persistence needed beyond current provisioner), Jitsi prosody/JVB state (if external DB supported). Keep tightly-coupled or lightweight embedded DBs as-is when migration is painful or not supported.