diff --git a/MEMORY.md b/MEMORY.md index f727f0c..568c1fe 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -1,3 +1,4 @@ -- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration IN PROGRESS. 2026-06-13: OpenProject removed permanently (EE license required). Oracle ARM A1 4OCPU/24GB Chicago $8.50/mo — capacity issues, provisioning pending. OSticket needs QEMU binfmt (x86-only image). Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration. +- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration STALLED (capacity). 2026-06-13/14: osTicket live at tasks.kitestacks.com on both hosts, DB unified onto kscloud1 (100.123.254.52:3306, Tailscale), new private repo kenpat/osticket-capstone created. Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration. - [Forgejo doc redaction rule](feedback-forgejo-redaction.md) — always redact IPs, ports, and passwords in any homelab Forgejo repo files before committing. - [A+ Core 2 study plan](project-a-plus-core2.md) — exam goal June 28 2026, started 2026-06-11 9:15 PM, Professor Messer diagnostic first, CertMaster next week. +- [Per Scholas IT Support Capstone](project_per_scholas_capstone.md) — 5-phase migration/ticketing team challenge, connected to osTicket+MariaDB on kscloud1. AI=junior assistant, must verify with evidence. diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index d7a7f6d..c411ffe 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md 
@@ -505,3 +505,49 @@ NOTE: same active-active pattern as kscloud1 — shared Authentik Postgres+Redis Tailscale, same TUNNEL_TOKEN, fresh DBs for stateful apps except identity (authentik/kavita). IMPORTANT Oracle gotcha: Ubuntu on Oracle has iptables rules that block all traffic at boot even after Security List rules are opened. Must flush iptables as part of initial setup. + +## osTicket deployed on monk + kscloud1 (found 2026-06-13/14, installed ~2026-06-12) +osTicket (campbellsoftwaresolutions/osticket image, x86 - runs natively on both hosts, +no QEMU needed) + nginx proxy + MariaDB 10.11, under +`~/kitestacks-live/docker/osticket/` (monk) and `/opt/kitestacks/docker/osticket/` +(kscloud1). `tasks.kitestacks.com` -> "KiteStacks Help Desk", verified HTTP 200. +Admin: kenpat7177 / kenpat7177@gmail.com. Host ports: monk 8092:8080, kscloud1 8090:8080 +(both nginx -> osticket-app:80). .env (OSTICKET_DB_PASS/ROOT/ADMIN_PASS/INSTALL_SECRET) +is IDENTICAL on both hosts. + +### DB unification (2026-06-13/14) - same pattern as Authentik shared-DB fix +Both hosts originally had their OWN osticket-db (drift risk like pre-fix Kavita). Per +user request ("database should be accessible from any computer"), unified onto +kscloud1's osticket-db as canonical: +- kscloud1 osticket-db: added `ports: - "100.123.254.52:3306:3306"` (Tailscale-only, + matches authentik-postgres/redis pattern) to + `/opt/kitestacks/docker/osticket/docker-compose.yml`, `docker compose up -d`. +- monk: `docker compose stop osticket-db` (left stopped, NOT removed - rollback data + intact in its volume). Edited `~/kitestacks-live/docker/osticket/docker-compose.yml`: + removed osticket-db service block, changed osticket-app's `MYSQL_HOST=osticket-db` + -> `MYSQL_HOST=100.123.254.52`, removed `depends_on: osticket-db`. `docker compose + up -d osticket-app`. 
+- GOTCHA: after recreating osticket-app, the `osticket` nginx proxy container on monk + returned 502 (cached stale upstream IP for osticket-app from its old container) - + fixed with `docker restart osticket`. Apply this same restart on kscloud1's `osticket` + nginx if its osticket-app is ever recreated. +- Verified: both DBs had identical data before merge (1 ticket, 1 staff/kenpat7177) so + no data loss either way. tasks.kitestacks.com returns 200 consistently post-merge. +- Backups: `docker-compose.yml.bak` left in both hosts' osticket dirs. + +### osticket-capstone Forgejo repo (created 2026-06-13/14) +New private repo `kenpat/osticket-capstone` on gitforge (created via API using a +scoped token `claude-capstone-osticket` generated via +`docker exec -u git forgejo /app/gitea/gitea admin user generate-access-token` on +monk's forgejo container - token has write:repository,write:user scopes). Holds +redacted osTicket deployment config + Per Scholas capstone docs/evidence - see +[[project-per-scholas-capstone]]. NOTE: gitforge.kitestacks.com is also +active-active load-balanced (monk/kscloud1 separate forgejo DBs) - API calls +against the public hostname can hit the wrong DB; use monk's local +`http://localhost:3006` for API operations tied to monk's forgejo data. + +### Remaining osTicket work +- Authentik SSO plugin for osTicket staff/agent login (osTicket has no native OIDC, + needs 3rd-party OAuth2/SAML plugin) - NOT YET DONE. +- End-user ticket submission uses osTicket's native client portal signup (works + out of the box, no SSO needed). diff --git a/project_per_scholas_capstone.md b/project_per_scholas_capstone.md new file mode 100644 index 0000000..326cbd6 --- /dev/null +++ b/project_per_scholas_capstone.md 
@@ -0,0 +1,47 @@ +--- +name: project-per-scholas-capstone +description: "Per Scholas \"IT Support Capstone: Migration & Stabilization\" team challenge - connected to the osTicket/kscloud1 deployment work" +metadata: + node_type: memory + type: project + originSessionId: 1676d7da-0a11-47f0-b4b5-1dc606389531 +--- + +kenpat is doing the Per Scholas "IT Support Capstone: Migration & Stabilization - +Team Challenge" (Version 2.0, Jan 2026), source PDF: `Downloads/CAP 129.2.1 - IT +Support.pdf`. Team-based workplace simulation: respond to a migration event, +investigate user-reported tickets, stabilize systems, report findings. + +**5 phases (sequential):** 1) Environment & Baseline (build VirtualBox Windows +Server + Windows Client VMs), 2) Migration Event, 3) Incident Response +(investigate user tickets), 4) Stabilization & Recovery, 5) Reporting & +Presentation. + +**AI usage rules (per the assignment):** +- AI = "junior assistant", not authority - draft scripts/docs/troubleshooting + suggestions only. +- Every AI-assisted recommendation must be MANUALLY VERIFIED by kenpat with + evidence (screenshots, command output, config views) - I should not present + conclusions as final without prompting verification. +- "Individual Environment Requirement": each learner builds/operates their OWN + VirtualBox VMs - I cannot do this hands-on work for them, only advise/guide. +- Final deliverables: team Capstone Technical Report + Executive Summary, plus + an Individual Evidence Appendix labeled per learner. + +**Why:** kenpat confirmed (2026-06-13) the capstone and the real osTicket + +Authentik SSO deployment on kscloud1 are CONNECTED - the capstone's +incident-response/ticketing workflow is meant to be practiced using the real +osTicket instance being stood up on kscloud1 (Hetzner). Decisions made so far: +- osTicket + its required MariaDB will be deployed on kscloud1 NOW (not waiting + on the stalled Oracle VPS migration, see [[project-kitestacks-migration]]). 
+- Both end-user ticket submission (osTicket's native client portal) AND + staff/agent SSO via Authentik (needs a 3rd-party OAuth2/SAML plugin, unlike + Kavita's built-in OIDC) are needed. + +**How to apply:** When helping with capstone phases, give guidance/explanations +the user can act on themselves and remind them to capture evidence - don't +narrate AI work as if it satisfies the assignment's verification requirement. +When deploying osTicket/MariaDB on kscloud1, follow the same patterns as the +existing kscloud1 stack documented in [[project-kitestacks-migration]] (one +dir per app under /opt/kitestacks/docker/, joined to the `kitestacks` docker +network, shared Authentik Postgres/Redis over Tailscale for SSO).
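Review bot: In the MEMORY.md hunk, the rewritten KiteStacks index line now carries `100.123.254.52:3306` inline, while the unchanged context line directly below it states the rule to redact IPs, ports and passwords before committing homelab files to Forgejo. The index entry only needs the status; suggest dropping the address and port there (for example "DB unified onto kscloud1 over Tailscale") and leaving the detail to project-kitestacks-migration.md, so the index stays safe to copy into a repo.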
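Review bot: In the project-kitestacks-migration.md hunk, the DB unification bullets describe the publish `100.123.254.52:3306:3306` as "Tailscale-only" but record nothing about which tailnet nodes may reach it, and the deployment paragraph notes that the `.env` holding OSTICKET_DB_PASS is identical on both hosts. Suggest adding a line on what restricts 3306 to monk (a Tailscale ACL or a host-restricted MariaDB user) and whether monk should get its own DB credential, since one shared password now covers both app instances. The Forgejo subsection should also state whether the `claude-capstone-osticket` token (write:repository, write:user) was revoked or kept after the repo was created.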
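Review bot: In the new project_per_scholas_capstone.md, the first bullet under "Decisions made so far" says osTicket and MariaDB "will be deployed on kscloud1 NOW", but the migration file in this same patch records osTicket as installed around 2026-06-12 and live on both monk and kscloud1 with the DB already unified; suggest rewording the bullet as done and pointing to that section. The file name also uses underscores while the front-matter `name:` and the `[[project-per-scholas-capstone]]` links use hyphens, as the other project-*.md files do; renaming the file would keep the links and the index consistent.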