diff --git a/.env.example b/.env.example
index f99f5d5..7dcfb4f 100644
--- a/.env.example
+++ b/.env.example
@@ -2,12 +2,12 @@
 # fill in FORGE_GITEA_USERNAME. `.env` is gitignored.
 
 # --- Gitea -----------------------------------------------------------
-FORGE_GITEA_URL="https://gitea.cvgitea.ddns.net:6006"
+FORGE_GITEA_URL="https://gitea.cvgitea.ddns.net"
 FORGE_GITEA_ORG="codevalet"
 FORGE_GITEA_USERNAME=""
 
 # --- Orchestrator ----------------------------------------------------
-FORGE_ORCHESTRATOR_REPO_URL="https://gitea.cvgitea.ddns.net:6006/codevalet/forge-stack-orchestrator.git"
+FORGE_ORCHESTRATOR_REPO_URL="https://gitea.cvgitea.ddns.net/codevalet/forge-stack-orchestrator.git"
 # Leave empty for the repo's default branch.
 FORGE_ORCHESTRATOR_BRANCH=""
 # "." clones into ./forge-stack-orchestrator (gitignored by this repo).
diff --git a/README.md b/README.md
index d34b09d..ea8573f 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # welcome-to-codevalet-as-a-contributor
 
 Onboarding for new contributors to the codevalet Gitea instance.
+The production Gitea host is published through the Pangolin HTTPS edge at
+`https://gitea.cvgitea.ddns.net`.
 Produces an authenticated local checkout of
 `forge-stack-orchestrator` with git operations against Gitea
 authenticated silently through an OAuth2 (PKCE) token shared with the
@@ -37,6 +39,7 @@ recipe runs `sudo` or installs anything system-wide.
 
 A Gitea account on `FORGE_GITEA_URL` with membership in the
 `codevalet` organisation is also required.
+Current production value: `https://gitea.cvgitea.ddns.net`.
 
 ## Configuring `.env`
 
@@ -45,9 +48,9 @@ edit is `FORGE_GITEA_USERNAME`. Defaults:
 
 | Variable | Default | Change when |
 | --- | --- | --- |
-| `FORGE_GITEA_URL` | `https://gitea.cvgitea.ddns.net:6006` | different Gitea instance |
+| `FORGE_GITEA_URL` | `https://gitea.cvgitea.ddns.net` | different Gitea instance |
 | `FORGE_GITEA_ORG` | `codevalet` | fork or sibling org |
-| `FORGE_ORCHESTRATOR_REPO_URL` | `.../codevalet/forge-stack-orchestrator.git` | different fork |
+| `FORGE_ORCHESTRATOR_REPO_URL` | `https://gitea.cvgitea.ddns.net/codevalet/forge-stack-orchestrator.git` | different fork |
 | `FORGE_ORCHESTRATOR_BRANCH` | *(empty: default branch)* | branch pin |
 | `FORGE_WORKSPACE_ROOT` | `.` (clone at `./forge-stack-orchestrator`, gitignored) | clone elsewhere |
 | `FSDGG_CLI_CLIENT_ID` | registered PKCE CLI client | never |
@@ -63,6 +66,11 @@ loopback is not a meaningful option. On a shared or remote host,
 SSH-forward the port (see *Headless and SSH hosts*) rather than
 trying to publish the callback over the network.
 
+`FORGE_GITEA_URL` is the canonical public HTTPS endpoint. Do not append
+`:6006`; Pangolin terminates TLS on the public edge and the onboarding
+repo, orchestrator clone URL, and global git credential scope all assume
+the standard portless form.
+
 `.env` is gitignored. OAuth client IDs are public by design; PKCE
 requires no client secret.
 
@@ -205,7 +213,7 @@ with a browser to populate a valid refresh token before running
 | --- | --- |
 | `just doctor` reports a missing tool | Run the `fix:` command printed beside it. |
 | `~/.local/bin` not on `PATH` | Add `export PATH="$HOME/.local/bin:$PATH"` to the shell rc and reopen. |
-| `just check-gitea` → connection refused | Verify `FORGE_GITEA_URL` and network access. |
+| `just check-gitea` → connection refused | Verify `FORGE_GITEA_URL`, confirm it is `https://gitea.cvgitea.ddns.net` for production, and do not append `:6006`. |
 | `just login` → browser does not open | Run `just login-headless`. |
 | `just login` → timed out waiting for OAuth callback | Consent was not completed in the browser; re-run. |
 | `just login` → cannot bind `127.0.0.1:38111` | Another `just login` is running; wait or kill it. |