diff --git a/backlog/tasks/task-4 - Migrate-all-r-Ecosystem-secrets-to-Infisical.md b/backlog/tasks/task-4 - Migrate-all-r-Ecosystem-secrets-to-Infisical.md new file mode 100644 index 0000000..6333f6f --- /dev/null +++ b/backlog/tasks/task-4 - Migrate-all-r-Ecosystem-secrets-to-Infisical.md @@ -0,0 +1,25 @@ +--- +id: TASK-4 +title: Migrate all r*Ecosystem secrets to Infisical +status: Done +assignee: [] +created_date: '2026-02-25 05:02' +labels: + - infisical + - secrets + - infrastructure +dependencies: [] +priority: high +--- + +## Description + + +Migrated secrets from all running Docker containers into self-hosted Infisical (secrets.jeffemmett.com). Created 17 projects covering shared secrets, 4 Postiz spaces, 11 r*Apps, and Twenty CRM. Machine Identity configured for API access. + + +## Final Summary + + +Created 17 Infisical projects and imported secrets from all running containers via API migration script. Projects: rspace-shared, postiz-crypto-commons, postiz-p2pfoundation, postiz-bondingcurve, postiz-votc, rspace-online, rsocials-app, rnotes-online, rinbox-online, rcart-online, rcart-backend, rswag-online, rfiles-online, rmaps-online, rauctions-online, rpubs-online, twenty-votc-crm. + diff --git a/backlog/tasks/task-5 - Centralized-spaces-config-with-Sablier-OAuth-support.md b/backlog/tasks/task-5 - Centralized-spaces-config-with-Sablier-OAuth-support.md new file mode 100644 index 0000000..57ec616 --- /dev/null +++ b/backlog/tasks/task-5 - Centralized-spaces-config-with-Sablier-OAuth-support.md 
@@ -0,0 +1,25 @@ +--- +id: TASK-5 +title: Centralized spaces config with Sablier + OAuth support +status: Done +assignee: [] +created_date: '2026-02-25 05:02' +labels: + - config + - postiz + - infrastructure +dependencies: [] +priority: high +--- + +## Description + + +Updated spaces.yml, docker-compose.template.yml, and generate.sh to match all 3 deployed Postiz instances with correct slugs (cc, p2pf, bcrg), Sablier auto-sleep labels, Pocket ID OAuth, and multi-host routing. + + +## Final Summary + + +Generator now produces server-matching compose files for all 3 active spaces. Template supports dynamic Sablier labels, Pocket ID OAuth blocks, and multi-host Traefik routing. Adding a new space is a single edit to spaces.yml + run generate.sh. + diff --git a/backlog/tasks/task-6 - Remove-plaintext-.env-files-from-server.md b/backlog/tasks/task-6 - Remove-plaintext-.env-files-from-server.md new file mode 100644 index 0000000..6fb3071 --- /dev/null +++ b/backlog/tasks/task-6 - Remove-plaintext-.env-files-from-server.md @@ -0,0 +1,26 @@ +--- +id: TASK-6 +title: Remove plaintext .env files from server +status: To Do +assignee: [] +created_date: '2026-02-25 05:02' +labels: + - security + - infisical + - cleanup +dependencies: [] +priority: medium +--- + +## Description + + +Now that all secrets are stored in Infisical, remove the plaintext .env files from /opt/postiz/*/ and other r*App directories on Netcup. Requires updating docker-compose files to pull from Infisical at startup (entrypoint wrapper pattern). + + +## Acceptance Criteria + +- [ ] #1 All Postiz spaces pull secrets from Infisical at container startup +- [ ] #2 No plaintext .env files with secrets remain on server +- [ ] #3 Containers use entrypoint wrapper or infisical run for secret injection + 
diff --git a/backlog/tasks/task-7 - Clean-up-duplicate-rsocials-online-Infisical-project.md b/backlog/tasks/task-7 - Clean-up-duplicate-rsocials-online-Infisical-project.md new file mode 100644 index 0000000..9392cb0 --- /dev/null +++ b/backlog/tasks/task-7 - Clean-up-duplicate-rsocials-online-Infisical-project.md @@ -0,0 +1,18 @@ +--- +id: TASK-7 +title: Clean up duplicate rsocials-online Infisical project +status: To Do +assignee: [] +created_date: '2026-02-25 05:02' +labels: + - infisical + - cleanup +dependencies: [] +priority: low +--- + +## Description + + +There's a pre-existing rsocials-online project in Infisical (slug: rsocials) that the app container points to, plus a newer rsocials-app project created during migration. Consolidate into one project and update container config to match. +
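Review bot: In task-4, the Description's "Machine Identity configured for API access" records neither which of the 17 projects the identity can reach nor whether its access is read-only, and the task is marked `status: Done` with no Acceptance Criteria section to verify against. Suggest recording the identity's scope and the check used to call the migration complete, for example that each container's variables were compared against its project after import. The wording "all running Docker containers" also leaves stopped containers out of scope; say so explicitly or list them as follow-up work.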
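Review bot: In task-5, the Description counts "all 3 deployed Postiz instances" with slugs (cc, p2pf, bcrg), while task-4 in the same patch lists 4 Postiz projects, including postiz-votc. State whether votc is intentionally absent from spaces.yml or still to be added. Since the template now emits Pocket ID OAuth blocks, the summary should also say where generate.sh takes the OAuth client secret from, so that the generated compose files are not a new place for plaintext secrets while task-6 is removing the .env files.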
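Review bot: In task-6, acceptance criterion #1 covers only Postiz spaces, while the Description and criterion #2 also cover "other r*App directories", so nothing requires the r*Apps to be switched to Infisical before their .env files are deleted. Widen #1 to all containers, and add criteria for how the entrypoint wrapper or infisical run authenticates to Infisical (where the machine identity credential is kept on the host) and for rotating secrets that have been sitting in plaintext. `dependencies: []` should list TASK-4, which the opening "Now that all secrets are stored in Infisical" relies on.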
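Review bot: In task-7, the Description says the app container points at the pre-existing project (slug: rsocials) while the migration created rsocials-app, but it does not say which project survives or how differing values between the two are reconciled. Add acceptance criteria: compare the keys in both projects, choose the survivor, update the container config, then delete the other project. If task-6 switches this container to pull from Infisical at startup, this cleanup should be ordered before it rather than left at `priority: low` with `dependencies: []`.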