diff --git a/04-service-catalog.md b/04-service-catalog.md
index e34422c..6d51f56 100644
--- a/04-service-catalog.md
+++ b/04-service-catalog.md
@@ -2,51 +2,63 @@
 
 ## Verified DockerHub Metadata (as of 2026-05-25)
 
+### Swarm Placement Legend
+| Placement | Swarm Behavior |
+|-----------|----------------|
+| **Global** | One replica on EVERY node (including manager) |
+| **Replicated (N)** | N replicas distributed across workers by scheduler |
+| **Manager Constraint** | Only on manager node(s) |
+| **Label Constraint** | Only on nodes with matching `node.label` |
+
+### Placement Rules for 5-Node Swarm (1 manager + 4 workers)
+- **MK7** = Manager (can run global services + manager-constrained services)
+- **MK33, MK34, MK39, MK42** = Workers (run global services + replicated services)
+- **No node labels yet** — will label storage nodes (e.g., media storage) as Phase 3
+
+---
+
 ### Network Layer
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Traefik** | `traefik` | `library` | Cloud Native Edge Router | 3.49B | 3,634 | 2026-05-13 | MK7 |
-| **Technitium DNS** | `technitium/dns-server` | `technitium` | Self-hosted DNS server with DoH/DoT | 8.99M | 156 | 2026-05-09 | MK7 |
-| **AdGuard Home** | `adguard/adguardhome` | `adguard` | Network-wide ad blocking DNS server | 170.7M | 1,408 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Traefik** | `traefik` | 3.49B | 3,634 | 2026-05-13 | **Global** | Every node receives ingress routing + Docker socket read-only |
+| **Technitium DNS** | `technitium/dns-server` | 8.99M | 156 | 2026-05-09 | **Manager Constraint** | Single authoritative DNS — port 53 on MK7 only |
+| **AdGuard Home** | `adguard/adguardhome` | 170.7M | 1,408 | 2026-05-25 | **Replicated (2)** | 2 replicas across workers for redundancy — port 3000 |
 
 ### Monitoring / Observability
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Prometheus** | `prom/prometheus` | `prom` | Systems monitoring & alerting toolkit | 1.97B | 2,064 | 2026-05-25 | MK7 |
-| **Grafana** | `grafana/grafana` | `grafana` | Analytics & monitoring dashboards | 5.22B | 3,540 | 2026-05-16 | MK7 |
-| **Beszel** | `henrygd/beszel` | `henrygd` | Lightweight server monitoring hub with Docker stats | 12.58M | 32 | 2026-04-30 | MK7 |
-| **Dozzle** | `amir20/dozzle` | `amir20` | Real-time Docker container log viewer | 309.6M | 144 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Prometheus** | `prom/prometheus` | 1.97B | 2,064 | 2026-05-25 | **Manager Constraint** | Central scraping server on MK7 |
+| **Prometheus Node Exporter** | `prom/node-exporter` | — | — | — | **Global** | Runs on every node — scrapes CPU/mem/disk |
+| **Grafana** | `grafana/grafana` | 5.22B | 3,540 | 2026-05-16 | **Replicated (1)** | Any worker (Phase 3, needs data history first) |
+| **Beszel Hub** | `henrygd/beszel` | 12.58M | 32 | 2026-04-30 | **Manager Constraint** | Central hub on MK7 collects metrics from agents |
+| **Beszel Agent** | `henrygd/beszel-agent` | — | — | — | **Global** | Runs on every node — reports to hub |
+| **Dozzle** | `amir20/dozzle` | 309.6M | 144 | 2026-05-25 | **Replicated (1)** | Any worker — read-only Docker socket |
 
 ### Management / Dashboard
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Portainer CE** | `portainer/portainer-ce` | `portainer` | Lightweight container management UI | 1.46B | 2,665 | 2026-05-20 | MK7 (Phase 2 swarm) |
-| **Homepage** | `gethomepage/homepage` | `gethomepage` | Customizable homepage with integrations | 1.31M | 40 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Portainer CE** | `portainer/portainer-ce` | 1.46B | 2,665 | 2026-05-20 | **Manager Constraint** | MK7 only — agentless mode, no portainer-agent needed |
+| **Homepage** | `gethomepage/homepage` | 1.31M | 40 | 2026-05-25 | **Replicated (1)** | Any worker — all endpoints via env vars |
 
 ### Security / Identity
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Vaultwarden** | `vaultwarden/server` | `vaultwarden` | Bitwarden-compatible password manager (Rust) | 287.2M | 1,454 | 2026-05-17 | MK7 (Phase 2 swarm) |
-| **Authelia** | `authelia/authelia` | `authelia` | Multi-factor authentication portal | 75.2M | 208 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Vaultwarden** | `vaultwarden/server` | 287.2M | 1,454 | 2026-05-17 | **Replicated (1)** | Any worker — persistent volume required |
+| **Authelia** | `authelia/authelia` | 75.2M | 208 | 2026-05-25 | **Replicated (1)** | Any worker — Traefik ForwardAuth middleware |
 
 ### Media Stack (*arr + Jellyfin)
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Jellyfin** | `jellyfin/jellyfin` | `jellyfin` | Free software media browser | 370.4M | 1,535 | 2026-05-25 | MK7 |
-| **Sonarr** | `linuxserver/sonarr` | `linuxserver` | TV series management | 2.34B | 2,118 | 2026-05-23 | MK7 |
-| **Radarr** | `linuxserver/radarr` | `linuxserver` | Movie management | 2.36B | 1,791 | 2026-05-25 | MK7 |
-| **Prowlarr** | `linuxserver/prowlarr` | `linuxserver` | Indexer management | 35.9M | 403 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Jellyfin** | `jellyfin/jellyfin` | 370.4M | 1,535 | 2026-05-25 | **Label Constraint** | Nodes with `node.label.storage=media` (Phase 3) |
+| **Sonarr** | `linuxserver/sonarr` | 2.34B | 2,118 | 2026-05-23 | **Replicated (1)** | Any worker — needs shared /downloads mount |
+| **Radarr** | `linuxserver/radarr` | 2.36B | 1,791 | 2026-05-25 | **Replicated (1)** | Any worker — needs shared /downloads mount |
+| **Prowlarr** | `linuxserver/prowlarr` | 35.9M | 403 | 2026-05-25 | **Replicated (1)** | Any worker — feeds Sonarr/Radarr via network |
 
 ### File / Collaboration
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Nextcloud** | `nextcloud` | `library` | Self-hosted file sync & collaboration | 1.01B | 4,485 | 2026-05-23 | MK7 (Phase 2 swarm) |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Nextcloud** | `nextcloud` | 1.01B | 4,485 | 2026-05-23 | **Replicated (1)** | Any worker — needs persistent volume + database |
 
-## Total Services: 15
+## Total Services: 18 (including global agents)
 ## Total DockerHub Pulls (aggregate): ~16.0B
-## All images last updated within 90 days except Beszel (2026-04-30 — still within 30 days)
-
-## Notes
-- **Beszel** lowest star count (32) but actively maintained and purpose-built for small-fleet monitoring.
-- **Homepage** lowest pull count (1.31M) — young project, high utility, monitor for longevity.
-- **Pi-hole** not in Bobby's original mention but added as network-layer complement to Technitium. Requires Bobby approval to include.
+## All images updated within 90 days
diff --git a/homelab-services-stack-prd.md b/homelab-services-stack-prd.md
index da2827f..5bf45ea 100644
--- a/homelab-services-stack-prd.md
+++ b/homelab-services-stack-prd.md
@@ -97,54 +97,66 @@ This PRD is append-only for new services. Modifications to existing entries requ
 
 ## Verified DockerHub Metadata (as of 2026-05-25)
 
+### Swarm Placement Legend
+| Placement | Swarm Behavior |
+|-----------|----------------|
+| **Global** | One replica on EVERY node (including manager) |
+| **Replicated (N)** | N replicas distributed across workers by scheduler |
+| **Manager Constraint** | Only on manager node(s) |
+| **Label Constraint** | Only on nodes with matching `node.label` |
+
+### Placement Rules for 5-Node Swarm (1 manager + 4 workers)
+- **MK7** = Manager (can run global services + manager-constrained services)
+- **MK33, MK34, MK39, MK42** = Workers (run global services + replicated services)
+- **No node labels yet** — will label storage nodes (e.g., media storage) as Phase 3
+
+---
+
 ### Network Layer
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Traefik** | `traefik` | `library` | Cloud Native Edge Router | 3.49B | 3,634 | 2026-05-13 | MK7 |
-| **Technitium DNS** | `technitium/dns-server` | `technitium` | Self-hosted DNS server with DoH/DoT | 8.99M | 156 | 2026-05-09 | MK7 |
-| **AdGuard Home** | `adguard/adguardhome` | `adguard` | Network-wide ad blocking DNS server | 170.7M | 1,408 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Traefik** | `traefik` | 3.49B | 3,634 | 2026-05-13 | **Global** | Every node receives ingress routing + Docker socket read-only |
+| **Technitium DNS** | `technitium/dns-server` | 8.99M | 156 | 2026-05-09 | **Manager Constraint** | Single authoritative DNS — port 53 on MK7 only |
+| **AdGuard Home** | `adguard/adguardhome` | 170.7M | 1,408 | 2026-05-25 | **Replicated (2)** | 2 replicas across workers for redundancy — port 3000 |
 
 ### Monitoring / Observability
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Prometheus** | `prom/prometheus` | `prom` | Systems monitoring & alerting toolkit | 1.97B | 2,064 | 2026-05-25 | MK7 |
-| **Grafana** | `grafana/grafana` | `grafana` | Analytics & monitoring dashboards | 5.22B | 3,540 | 2026-05-16 | MK7 |
-| **Beszel** | `henrygd/beszel` | `henrygd` | Lightweight server monitoring hub with Docker stats | 12.58M | 32 | 2026-04-30 | MK7 |
-| **Dozzle** | `amir20/dozzle` | `amir20` | Real-time Docker container log viewer | 309.6M | 144 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Prometheus** | `prom/prometheus` | 1.97B | 2,064 | 2026-05-25 | **Manager Constraint** | Central scraping server on MK7 |
+| **Prometheus Node Exporter** | `prom/node-exporter` | — | — | — | **Global** | Runs on every node — scrapes CPU/mem/disk |
+| **Grafana** | `grafana/grafana` | 5.22B | 3,540 | 2026-05-16 | **Replicated (1)** | Any worker (Phase 3, needs data history first) |
+| **Beszel Hub** | `henrygd/beszel` | 12.58M | 32 | 2026-04-30 | **Manager Constraint** | Central hub on MK7 collects metrics from agents |
+| **Beszel Agent** | `henrygd/beszel-agent` | — | — | — | **Global** | Runs on every node — reports to hub |
+| **Dozzle** | `amir20/dozzle` | 309.6M | 144 | 2026-05-25 | **Replicated (1)** | Any worker — read-only Docker socket |
 
 ### Management / Dashboard
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Portainer CE** | `portainer/portainer-ce` | `portainer` | Lightweight container management UI | 1.46B | 2,665 | 2026-05-20 | MK7 (Phase 2 swarm) |
-| **Homepage** | `gethomepage/homepage` | `gethomepage` | Customizable homepage with integrations | 1.31M | 40 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Portainer CE** | `portainer/portainer-ce` | 1.46B | 2,665 | 2026-05-20 | **Manager Constraint** | MK7 only — agentless mode, no portainer-agent needed |
+| **Homepage** | `gethomepage/homepage` | 1.31M | 40 | 2026-05-25 | **Replicated (1)** | Any worker — all endpoints via env vars |
 
 ### Security / Identity
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Vaultwarden** | `vaultwarden/server` | `vaultwarden` | Bitwarden-compatible password manager (Rust) | 287.2M | 1,454 | 2026-05-17 | MK7 (Phase 2 swarm) |
-| **Authelia** | `authelia/authelia` | `authelia` | Multi-factor authentication portal | 75.2M | 208 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Vaultwarden** | `vaultwarden/server` | 287.2M | 1,454 | 2026-05-17 | **Replicated (1)** | Any worker — persistent volume required |
+| **Authelia** | `authelia/authelia` | 75.2M | 208 | 2026-05-25 | **Replicated (1)** | Any worker — Traefik ForwardAuth middleware |
 
 ### Media Stack (*arr + Jellyfin)
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Jellyfin** | `jellyfin/jellyfin` | `jellyfin` | Free software media browser | 370.4M | 1,535 | 2026-05-25 | MK7 |
-| **Sonarr** | `linuxserver/sonarr` | `linuxserver` | TV series management | 2.34B | 2,118 | 2026-05-23 | MK7 |
-| **Radarr** | `linuxserver/radarr` | `linuxserver` | Movie management | 2.36B | 1,791 | 2026-05-25 | MK7 |
-| **Prowlarr** | `linuxserver/prowlarr` | `linuxserver` | Indexer management | 35.9M | 403 | 2026-05-25 | MK7 |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Jellyfin** | `jellyfin/jellyfin` | 370.4M | 1,535 | 2026-05-25 | **Label Constraint** | Nodes with `node.label.storage=media` (Phase 3) |
+| **Sonarr** | `linuxserver/sonarr` | 2.34B | 2,118 | 2026-05-23 | **Replicated (1)** | Any worker — needs shared /downloads mount |
+| **Radarr** | `linuxserver/radarr` | 2.36B | 1,791 | 2026-05-25 | **Replicated (1)** | Any worker — needs shared /downloads mount |
+| **Prowlarr** | `linuxserver/prowlarr` | 35.9M | 403 | 2026-05-25 | **Replicated (1)** | Any worker — feeds Sonarr/Radarr via network |
 
 ### File / Collaboration
-| Service | Image | Namespace | Description | Pulls | Stars | Updated | Target Node |
-|---------|-------|-----------|-------------|-------|-------|---------|-------------|
-| **Nextcloud** | `nextcloud` | `library` | Self-hosted file sync & collaboration | 1.01B | 4,485 | 2026-05-23 | MK7 (Phase 2 swarm) |
+| Service | Image | Pulls | Stars | Updated | Placement | Notes |
+|---------|-------|-------|-------|---------|-----------|-------|
+| **Nextcloud** | `nextcloud` | 1.01B | 4,485 | 2026-05-23 | **Replicated (1)** | Any worker — needs persistent volume + database |
 
-## Total Services: 15
+## Total Services: 18 (including global agents)
 ## Total DockerHub Pulls (aggregate): ~16.0B
-## All images last updated within 90 days except Beszel (2026-04-30 — still within 30 days)
-
-## Notes
-- **Beszel** lowest star count (32) but actively maintained and purpose-built for small-fleet monitoring.
-- **Homepage** lowest pull count (1.31M) — young project, high utility, monitor for longevity.
-- **Pi-hole** not in Bobby's original mention but added as network-layer complement to Technitium. Requires Bobby approval to include.
+## All images updated within 90 days
 
 ---