diff --git a/docs/agent-handoff.md b/docs/agent-handoff.md new file mode 100644 index 0000000..4a4c291 --- /dev/null +++ b/docs/agent-handoff.md 
@@ -0,0 +1,84 @@ +# Agent Handoff Notes + +Last updated: 2026-05-23 + +## Current Identity + +- Product name: OrbitalWard +- Local repository path: `/home/ksmith/projects/OrbitalWard` +- Git remote: `https://git.firebugit.com/ksmith/OrbitalWard.git` +- Main branch: `main` +- Latest pushed commit at last update: `3b75075 Rename project to OrbitalWard` + +The project was previously named InfraPulse. Do not reintroduce the old name in product copy, package names, environment variables, service names, or docs unless explicitly discussing historical context. + +## Gitea Access + +- Gitea API base: `https://git.firebugit.com/api/v1` +- Repository API path: `/repos/ksmith/OrbitalWard` +- Access token file: `/home/ksmith/.codex_security/gitea_token` + +Never print the token value. Read it only inside commands that call the Gitea API. + +## Current Product State + +OrbitalWard is a secure monitoring appliance focused on the v0.1 vertical slice: + +- Authenticated FastAPI backend with SQLAlchemy, Alembic, Pydantic, and JWT auth. +- React, TypeScript, Vite, and Tailwind frontend. +- Docker Compose development stack with PostgreSQL, Redis, backend, worker, and frontend. +- Website monitor create/edit/delete flow. +- HTTP status and expected-text checks. +- Optional TLS certificate expiry checks for HTTPS monitors. +- Alert rules, incident opening/resolution, acknowledge, silence, and webhook notifications. +- Generic webhook, Mattermost, and Zoom Team Chat notification channels. +- Saved webhook URLs encrypted at rest and not returned to the UI. 
+ +## Verification State + +After the rename and TLS expiry work, these checks passed in Docker: + +- `docker compose -f docker-compose.dev.yml up -d --build` +- `docker compose -f docker-compose.dev.yml exec -T backend python -m pytest tests` +- `docker compose -f docker-compose.dev.yml exec -T frontend npm run typecheck` +- `docker compose -f docker-compose.dev.yml exec -T worker python -m compileall app` +- Backend health returned `{"status":"ok","service":"orbitalward-backend"}`. + +The final Compose project uses `orbitalward-*` containers, images, network, and volumes. + +## Important Implementation Notes + +- `ORBITALWARD_SECRET_KEY` is the encryption/JWT secret environment variable. +- `DATABASE_URL` now defaults to the `orbitalward` database/user in Compose. +- The frontend local storage key is `orbitalward_token`. +- Notification default username is `OrbitalWard`. +- The TLS expiry check lives in `worker/app/collectors/website.py` and is enabled per monitor through JSON config fields: + - `check_tls_expiry` + - `tls_warning_days` + +## Issue Tracker Workflow + +Use the Gitea API with the token file above. Useful endpoints: + +- List issues: `GET /repos/ksmith/OrbitalWard/issues?state=all` +- Create issue: `POST /repos/ksmith/OrbitalWard/issues` +- Update issue: `PATCH /repos/ksmith/OrbitalWard/issues/{index}` +- List milestones: `GET /repos/ksmith/OrbitalWard/milestones` +- List labels: `GET /repos/ksmith/OrbitalWard/labels` + +Issue source docs: + +- `docs/gitea-issues.md` +- `docs/progress.md` +- `docs/roadmap.md` + +Current completed items include TLS expiry monitor support, HTTP/website checks, basic alert evaluation, incident actions, and webhook notification channels. Next recommended work starts with ping and TCP port monitors. + +## Guardrails + +- Keep monitoring separate from alerting. +- Do not expose raw SNMP OIDs in the normal UI. +- Use friendly names, profiles, and guided setup instead of raw configuration. 
+- Do not include LANCache in product scope. +- Avoid broad NMS features until the v0.1 vertical slice is stable. +- Never log secrets or return saved secret values after creation.
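Review bot: Under "Important Implementation Notes", `ORBITALWARD_SECRET_KEY` is documented as a single secret for both encryption and JWT signing, which couples two unrelated purposes. If the doc is accurate, rotating the key after a signing-key exposure would also affect the saved webhook URLs described as encrypted at rest. Suggest documenting separate variables, or stating that per-purpose keys are derived from this one, and adding a short rotation note. In "Gitea Access", the line `Access token file: /home/ksmith/.codex_security/gitea_token` commits a user-specific absolute path to the repository. Referring to an environment variable or a home-relative path would be less tied to one machine, and the section could state the expected file permissions and the minimum token scope needed for the endpoints listed under "Issue Tracker Workflow". "Never print the token value" would be more actionable if it also said how the token should reach the API call, for example read from the file into a request header rather than typed on the command line, where it ends up in shell history and process listings. The `orbitalward_token` local storage key suggests the auth token is kept in browser local storage, where any script running in the page origin can read it; a sentence on that trade-off, or a follow-up item in `docs/roadmap.md`, would help the next reader.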