diff --git a/.gitignore b/.gitignore
index b4be5a0..24928ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -376,3 +376,6 @@ files/
 
 /docker-compose/.env.production
 /docker-compose/.env.staging
+
+# local infra access notes (secrets) — never commit
+ACCESS.md
diff --git a/CLAUDE.md b/CLAUDE.md
index a7786c6..0b8bc91 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -34,11 +34,15 @@ This applies to both the staging and production repos as appropriate.
 - .NET 10, ASP.NET Core, Worker Service
 - Entity Framework Core + SQL Server (multi-schema)
 - Refit for typed HTTP clients between services
-- Serilog (JSON structured logging, Console + File + Email sinks)
+- Serilog — Compact JSON logs to stdout (+ optional email sink); see Observability
 - MailKit for SMTP (used exclusively in `email-api`)
 - Docker Compose for local and production deployment
 - Watchtower for automatic container updates in production
 
+## Observability (central stack on monitoring host 10.0.0.156)
+- **Logs**: every service uses `ConfigureJsonSerilog(ServiceName, appVersion)` (startup-helpers) → Serilog **Compact JSON** to stdout, enriched `Application`/`Environment`/`AppVersion`. The host's Grafana **Alloy** agent ships stdout → **Loki**; view/query in Grafana. No file sink; optional email sink only if `SerilogEmail:*` is configured.
+- **No app metrics/traces** — these are simple/minimal services, so (unlike easyDent) they don't expose Prometheus metrics or OTLP traces. Container/host metrics still come from the host's cAdvisor/node_exporter.
+
 ## Project taxonomy
 
 | Category | Naming | Contains | EF dependency |