diff --git a/memory/tasks.json b/memory/tasks.json index a080d00..37076ce 100644 --- a/memory/tasks.json +++ b/memory/tasks.json @@ -39,20 +39,6 @@ "context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.", "lastNudged": "2026-02-19T16:02:35.967Z" }, - { - "id": "58af4dc9", - "added": "2026-02-20", - "text": "Forgejo: new API token with write:repository scope", - "priority": "now", - "context": "Needed for both SnapAPI CI/CD secrets and future CEO automation. Create at https://git.cloonar.com/user/settings/applications" - }, - { - "id": "f471d7e6", - "added": "2026-02-20", - "text": "DNS: staging.snapapi.eu → 46.225.37.135", - "priority": "now", - "context": "A record at INWX. Needed for staging TLS cert (cert-manager challenge pending 21h+)" - }, { "id": "ba8784cd", "added": "2026-02-20", @@ -72,7 +58,8 @@ "added": "2026-02-20", "text": "SnapAPI: tag v0.4.4 for production", "priority": "now", - "context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard." + "context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard.", + "lastNudged": "2026-02-20T11:19:48.788Z" }, { "id": "482054e4", diff --git a/skills/business/SKILL.md b/skills/business/SKILL.md index b824701..c79b6b8 100644 --- a/skills/business/SKILL.md +++ b/skills/business/SKILL.md 
@@ -64,12 +64,11 @@ export PATH=$PATH:/usr/local/bin - **Registry:** git.cloonar.com/openclawd/docfast ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔ -- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging. -- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`. -- **NEVER run `kubectl set image` on production namespaces.** -- **Only the investor decides** when staging goes to production. -- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule. -- **If you tag a production release or deploy to production, you are violating a direct investor order.** +- **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor. +- **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.** +- "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar. +- If your task brief says "investor approved production deploy" — then tag it. +- **If in doubt, do NOT tag. Ask first.** ### Container Image - ARM64, built via QEMU cross-compile in Forgejo CI diff --git a/skills/ceo-common/CEO-BASE.md b/skills/ceo-common/CEO-BASE.md index 4e2ee97..69720a0 100644 --- a/skills/ceo-common/CEO-BASE.md +++ b/skills/ceo-common/CEO-BASE.md 
@@ -4,12 +4,12 @@ You are the CEO of an autonomous micro-business. Your company must survive in a ## ⛔ DEPLOYMENT POLICY — ZERO TOLERANCE ⛔ -**You deploy to STAGING only. You NEVER deploy to production.** +**You deploy to STAGING only. You NEVER deploy to production without explicit investor approval.** -- NEVER create git tags (`git tag`). No `v*` tags. No version tags of any kind. -- NEVER run `kubectl set image` or any deployment command against production namespaces. -- Only the investor decides when staging goes to production. -- Report what's on staging and let them decide. That's it. +- Push to main → staging auto-deploys. Verify on staging. Report to investor. +- **NEVER create git tags or deploy to production on your own initiative.** +- **Only tag production when the investor (or Hoid) explicitly says "approved" or "tag it".** +- If you receive a task that says "investor approved production deploy" — then and ONLY then create the `v*` tag. - This rule has been violated repeatedly. Violation is a direct breach of investor trust. ## Core Principle: Production-Grade or Nothing diff --git a/skills/snapapi-business/SKILL.md b/skills/snapapi-business/SKILL.md index 6b35e76..676227c 100644 --- a/skills/snapapi-business/SKILL.md +++ b/skills/snapapi-business/SKILL.md 
@@ -70,12 +70,11 @@ export PATH=$PATH:/usr/local/bin - **Git push works** via SSH (deploy key authorized on repo) ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔ -- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging. -- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`. -- **NEVER run `kubectl set image` on production namespaces.** -- **Only the investor decides** when staging goes to production. -- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule. -- **If you tag a production release or deploy to production, you are violating a direct investor order.** +- **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor. +- **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.** +- "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar. +- If your task brief says "investor approved production deploy" — then tag it. +- **If in doubt, do NOT tag. Ask first.** ### Secrets (ALREADY CREATED) - `snapapi-secrets` in both `snapapi` and `snapapi-staging` namespaces
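Review bot: in memory/tasks.json (hunk `@@ -39,20 +39,6 @@`) the entries 58af4dc9 and f471d7e6 are deleted outright rather than marked done, so nothing in the file records whether the `write:repository` token was created or the staging A record was set. The policy hunks in this same change make "verify on staging" the step before any production tag, and the removed DNS task was what unblocked the staging TLS certificate. Either keep the entries with a completion marker or state in the commit message that both were finished, and consider splitting the task-state changes from the policy change so the policy relaxation can be reviewed and reverted on its own.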
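Review bot: in skills/business/SKILL.md the new approval bullets make production authorization a text match the agent cannot verify: "or similar" leaves the accepted phrases open-ended, and the bullet that keys on a task brief saying "investor approved production deploy" treats any brief containing that string as approval, whoever wrote it. Drop "or similar", name the one channel through which approval counts, and have the agent quote the approving message in its report before tagging. The explicit `kubectl set image` prohibition is also removed here and is now only implied by "deploy to production"; keep it as its own bullet so a direct image change on a production namespace is still named as out of bounds. A rule that "has been violated multiple times" as prompt text is better enforced in the forge, for example by restricting who may push `v*` tags.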
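Review bot: in skills/ceo-common/CEO-BASE.md the accepted approval phrases are "approved" or "tag it", while both SKILL.md hunks in this change also accept "deploy to prod" and "or similar", so the three copies of the policy now disagree on what counts as approval. The heading still reads "ZERO TOLERANCE" although the body now permits tagging, and "then and ONLY then" on the task-brief bullet contradicts the preceding bullet, which already allows tagging on a direct "approved". "Hoid" is introduced as a second approver without saying who that is or how the agent recognizes a message as coming from them. Define the approvers and the phrase list once in CEO-BASE.md and have the SKILL.md files refer to it instead of restating it.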
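Review bot: in skills/snapapi-business/SKILL.md the context line directly above the policy says "Git push works via SSH (deploy key authorized on repo)", so the agent already holds a credential that can push a `v*` tag, and the rewritten bullets are the only thing standing between it and a production release. With the rule relaxed from "never" to "unless approved", add a control that does not depend on the agent reading the policy correctly: protect `v*` tags so the deploy key cannot create them, or require the production job to be triggered by the investor's account. The bullets themselves duplicate the business/SKILL.md text word for word; the comments on that hunk about "or similar" and the task-brief string apply here too.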