diff --git a/docs/SESSION-2026-03-18.md b/docs/SESSION-2026-03-18.md new file mode 100644 index 00000000..88e87374 --- /dev/null +++ b/docs/SESSION-2026-03-18.md 
@@ -0,0 +1,56 @@ +# Session 2026-03-18 — Resume Guide + +## What Was Done + +### Rootless Podman Migration (TASK-11 DONE) +- .228: 30 containers running rootless with full security hardening +- All `sudo podman` removed from Rust backend (9 files) + deploy script +- UID mapping: container UID N → host UID (100000 + N - 1) +- Deploy script auto-fixes ownership + sysctl + linger on every deploy + +### .198 Migration (IN PROGRESS) +- Root containers stopped, UID ownership fixed, IndeedHub images migrated +- `/etc/hosts` fixed to 644 (rootless podman needs read access) +- **Only 2 containers running — needs full container recreation** +- Next: run container setup (Bitcoin, LND, ElectrumX, all apps) +- The `--both` deploy only copies binary+frontend, doesn't create containers + +### Security Hardening (TASK-8 — 9/12 pentest findings fixed) +- C1: /lnd-connect-info requires session auth +- C3: DEV_MODE removed from production service +- H1: node-message verifies ed25519 signatures +- M1: content.add rejects `..` path traversal +- M2: NIP-07 postMessage uses specific origin +- M3: AIUI nginx checks session_id cookie +- L2: Strict v3 onion validation +- **Still open**: H2/H3 (federation signature verification), H4 (bind ports to 127.0.0.1) + +### UI/UX Fixes +- Mesh serial: auto-detect, backoff, udev rule, Connect button +- External iframes: CSP https: added +- Container startup: "Checking..." shimmer, marketplace sort +- Port mapping: all nginx+frontend+backend synced +- ElectrumX: shows index size during indexing +- Fedimintd → "Fedimint Guardian" +- IndeedHub Studio version +- On-Chain first in receive modals +- Tab-launch icons, iframe error screen, CPU alert threshold +- Mesh mobile: header hidden, overflow fixed +- Federation/Cloud: DID on hover + +### Git Tags +- v1.2.0-alpha.1 through v1.2.0-alpha.8 (current) + +## Resume Checklist +1. **Finish .198 containers** — create Bitcoin, LND, ElectrumX, MariaDB, Mempool, BTCPay, Grafana, etc. +2. 
**H2/H3** — federation peer-joined/address-changed signature verification +3. **H4** — bind service ports to 127.0.0.1 +4. **BUG-1** — CSRF mismatch (P0 critical) +5. **Many /task items** in MASTER_PLAN.md from testing session +6. **Tailscale migration** for other nodes (preserve auth state) + +## Key Facts +- Rootless subnet: 10.89.0.0/16 +- Bitcoin RPC: rpcallowip=0.0.0.0/0, password in /var/lib/archipelago/secrets/ +- .198 /etc/hosts must be 644 +- Deploy --both only copies, --live creates containers
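Review bot: the Key Facts section records `rpcallowip=0.0.0.0/0` as something to preserve, but it is really a pending hardening item: it sits next to the still-open H4 finding ("bind service ports to 127.0.0.1") and the rootless subnet `10.89.0.0/16` is already documented two lines above, so the guide should mark that entry as interim and fold it into the checklist, e.g. "H4 — bind service ports to 127.0.0.1; narrow Bitcoin `rpcallowip` from 0.0.0.0/0 to the rootless subnet 10.89.0.0/16". As written, a future reader resuming from this document would keep the wide-open allow list as a known-good setting rather than close it out with H4.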