diff --git a/deploy-k3s/manifests/kratos/configmap.yaml b/deploy-k3s/manifests/kratos/configmap.yaml
index f50a37a..c70246e 100644
--- a/deploy-k3s/manifests/kratos/configmap.yaml
+++ b/deploy-k3s/manifests/kratos/configmap.yaml
@@ -5,9 +5,10 @@
 # kratos-secrets Secret (see kratos.yaml). Kratos is configured natively via
 # env vars, so this is the idiomatic split — only non-secret config here.
 #
-# OPERATOR: replace the GOOGLE_OAUTH_CLIENT_ID / APPLE_* client-id placeholders
-# below with the real (non-secret) OAuth client identifiers once the Apple and
-# Google OAuth apps exist. The matching secrets go in kratos-secrets.
+# OIDC scope: Apple-only as of 2026-06-03. Google is intentionally absent;
+# adding it later is additive — append a `- id: google` block under
+# selfservice.methods.oidc.config.providers (it becomes index 1) and bind a
+# matching CLIENT_SECRET env in kratos.yaml.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -18,9 +19,9 @@ metadata:
 app.kubernetes.io/part-of: honeydue
 data:
 kratos.yml: |
- # version must track the Kratos image tag — confirm against the deployed
- # Kratos release (Ory uses CalVer, e.g. v26.x). See kratos/README.md.
- version: v1.3.0
+ # version must track the Kratos image tag — kratos.yaml + migrate-job.yaml
+ # both pin oryd/kratos:v26.2.0 (2026-06-03). See kratos/README.md.
+ version: v1.3.0 # internal config schema version; do not change unless Kratos release notes require it
 serve:
 public:
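Review bot: The two comments around `version: v1.3.0` now contradict each other: the block above still says "version must track the Kratos image tag" and cites the v26.2.0 image pin, while the new inline comment says the value is an internal config-schema version that must not change. A reader following the first sentence is likely to "correct" v1.3.0 to v26.2.0, which the second sentence says is wrong. Suggest dropping the "must track the image tag" wording and keeping one statement, e.g. `# version is the Kratos config-schema version, not the image tag (the image is pinned to v26.2.0 in kratos.yaml and migrate-job.yaml); change only when Kratos release notes require it.` The `kratos.yml` block scalar continues past the end of the hunk.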
@@ -57,20 +58,16 @@ data:
 enabled: true
 config:
 providers:
- # index 0 — Google. client_secret is injected via env var
- # SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET.
- - id: google
- provider: google
- client_id: GOOGLE_OAUTH_CLIENT_ID
- mapper_url: file:///etc/kratos/oidc.google.jsonnet
- scope: [openid, email, profile]
- # index 1 — Apple. apple_private_key is injected via env var
- # SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_1_APPLE_PRIVATE_KEY.
+ # index 0 — Apple Sign In. apple_private_key (.p8 contents) is
+ # injected via env SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_APPLE_PRIVATE_KEY.
+ # client_id is the Apple Services ID (here: the bundle ID, which
+ # was configured as a Services ID with Sign In with Apple
+ # capability — see operator notes in README.md §5).
 - id: apple
 provider: apple
- client_id: APPLE_SERVICES_ID
- apple_team_id: APPLE_TEAM_ID
- apple_private_key_id: APPLE_PRIVATE_KEY_ID
+ client_id: com.myhoneydue.honeyDue
+ apple_team_id: X86BR9WTLD
+ apple_private_key_id: HQD3NCF99C
 mapper_url: file:///etc/kratos/oidc.apple.jsonnet
 scope: [openid, email, name]
diff --git a/deploy-k3s/manifests/kratos/kratos.yaml b/deploy-k3s/manifests/kratos/kratos.yaml
index d1621a7..775fac8 100644
--- a/deploy-k3s/manifests/kratos/kratos.yaml
+++ b/deploy-k3s/manifests/kratos/kratos.yaml
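Review bot: `apple_private_key_id: HQD3NCF99C` is coupled to the .p8 material held in `kratos-secrets` (bound as `SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_APPLE_PRIVATE_KEY` in kratos.yaml), but neither comment says so; rotating the key at Apple means updating the Secret and this ConfigMap together, and a mismatch presumably only surfaces at the first Apple token exchange rather than at startup. Suggest adding to the index-0 comment: `# apple_private_key_id must match the .p8 in kratos-secrets; rotate both together.` The team ID and key ID are identifiers rather than secrets, so keeping them here is consistent with the non-secret split described at the top of the file. The `providers` list and the enclosing `oidc` mapping continue outside the hunk.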
@@ -1,14 +1,17 @@
 # Ory Kratos — identity service for honeyDue.
 #
-# Deployed only once the operator has completed the prerequisites in
-# kratos/README.md (Neon `kratos` database, auth.myhoneydue.com DNS, Apple +
-# Google OAuth apps, and the kratos-secrets Secret). Until then 03-deploy.sh
-# skips the Kratos apply, so the existing stack is unaffected.
+# Deployed once the operator has completed the prerequisites in kratos/README.md
+# (Neon `kratos` database, auth.myhoneydue.com DNS, Apple Sign In OIDC client,
+# and the kratos-secrets Secret). Until then 03-deploy.sh skips the Kratos
+# apply, so the existing stack is unaffected.
 #
-# IMAGE: oryd/kratos uses CalVer (v25.x / v26.x). The tag below is a
-# fail-loud placeholder — set the current stable tag and pin a @sha256:
-# digest (like redis/vmagent) before deploying. See kratos/README.md.
-# The schema-migration Job is in migrate-job.yaml (run before this).
+# IMAGE: pinned to oryd/kratos v26.2.0 (CalVer current stable as of 2026-06-03)
+# with the linux/amd64 digest. The schema-migration Job is in migrate-job.yaml
+# and runs before this Deployment rolls.
+#
+# OIDC: currently Apple-only (configmap.yaml providers[0]). Google was scoped
+# out at deploy time; adding it later is additive — append to providers[] in
+# configmap.yaml and add the matching CLIENT_SECRET env binding here.
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -41,7 +44,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: kratos
- image: oryd/kratos:REPLACE_WITH_CURRENT_STABLE_TAG
+ image: oryd/kratos:v26.2.0@sha256:92eedc292ff8e1a918ac442c88ed0abe44610c75121700963114549908a45ac3
 imagePullPolicy: IfNotPresent
 args:
 - serve
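Review bot: Once `@sha256:` is present the `v26.2.0` tag is informational only — the runtime resolves the image by digest — so a future bump that edits the tag but not the digest (here, and on the identical `image:` line in the migrate-job.yaml hunk) keeps running the old image while the manifest claims a newer one. Suggest saying so on the image line: `# digest is authoritative; bump tag AND digest together (same line in migrate-job.yaml)`. The header comment also calls this the `linux/amd64` digest; if that is the per-platform manifest digest rather than the multi-arch index digest, the pull will fail on a non-amd64 node, which is fine only if this cluster is amd64-only — worth confirming against the registry and noting in the comment. The container spec continues outside the hunk.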
@@ -65,10 +68,8 @@ spec:
 - name: COURIER_SMTP_CONNECTION_URI
 valueFrom: { secretKeyRef: { name: kratos-secrets, key: smtp_connection_uri } }
 # OIDC provider secrets — index must match the providers list
- # order in configmap.yaml (0 = google, 1 = apple).
- - name: SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET
- valueFrom: { secretKeyRef: { name: kratos-secrets, key: google_client_secret } }
- - name: SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_1_APPLE_PRIVATE_KEY
+ # order in configmap.yaml. Apple-only for now (index 0).
+ - name: SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_APPLE_PRIVATE_KEY
 valueFrom: { secretKeyRef: { name: kratos-secrets, key: apple_private_key } }
 volumeMounts:
 - name: config
diff --git a/deploy-k3s/manifests/kratos/migrate-job.yaml b/deploy-k3s/manifests/kratos/migrate-job.yaml
index 03c61ff..d497137 100644
--- a/deploy-k3s/manifests/kratos/migrate-job.yaml
+++ b/deploy-k3s/manifests/kratos/migrate-job.yaml
@@ -2,8 +2,8 @@
 # database before the Kratos Deployment rolls. 03-deploy.sh applies this,
 # waits for completion, then applies kratos.yaml.
 #
-# IMAGE: set the same oryd/kratos tag as kratos.yaml (Ory CalVer v25.x/v26.x);
-# pin a @sha256: digest. See kratos/README.md.
+# IMAGE: pinned to oryd/kratos v26.2.0 (CalVer current stable as of 2026-06-03)
+# with the linux/amd64 digest. Bump in sync with kratos.yaml's image.
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -28,7 +28,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: kratos-migrate
- image: oryd/kratos:REPLACE_WITH_CURRENT_STABLE_TAG
+ image: oryd/kratos:v26.2.0@sha256:92eedc292ff8e1a918ac442c88ed0abe44610c75121700963114549908a45ac3
 imagePullPolicy: IfNotPresent
 args: ["migrate", "sql", "-e", "--yes"]
 env:
diff --git a/deploy-k3s/manifests/network-policies.yaml b/deploy-k3s/manifests/network-policies.yaml
index 41c571f..6e02744 100644
--- a/deploy-k3s/manifests/network-policies.yaml
+++ b/deploy-k3s/manifests/network-policies.yaml
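Review bot: The `google_client_secret` secretKeyRef is dropped, but `kratos-secrets` itself is created out of band (per the header comment), so nothing in this change retires that key — if a value was ever loaded into the Secret it now sits unused, which is an easy-to-miss lingering credential. Suggest the comment above the env list, or the operator notes in kratos/README.md, state that `google_client_secret` is no longer consumed and should be absent from the Secret until Google is re-added at providers index 1. The `env:` list and the container spec continue outside the hunk.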
@@ -140,6 +140,20 @@ spec:
 ports:
 - protocol: TCP
 port: 6379
+ # Kratos (in-cluster). The auth middleware validates every session via
+ # http://kratos:4433/sessions/whoami; the AuthService also uses :4434
+ # for account deletion (DELETE /admin/identities/{id}). k3s evaluates
+ # egress rules AFTER kube-proxy DNAT (runbook §9.2), so this podSelector
+ # rule covers Service ClusterIP traffic correctly.
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: kratos
+ ports:
+ - protocol: TCP
+ port: 4433
+ - protocol: TCP
+ port: 4434
 # External services: Neon DB (5432), SMTP (587), HTTPS (443 — APNs, FCM, B2, PostHog)
 - to:
 - ipBlock:
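Review bot: Opening egress to port 4434 grants the selected pods the entire Kratos admin API, not just `DELETE /admin/identities/{id}` — a NetworkPolicy filters on port, so anything that executes in those pods can reach every admin endpoint on 4434. The comment should say this explicitly, e.g. `# NOTE: 4434 is the full admin API; port-level policy cannot narrow it to the delete endpoint — keep the Kratos-side ingress rule for 4434 limited to this workload.`, and that Kratos-side ingress rule is not in this diff and is worth checking. A bare `podSelector` with no `namespaceSelector` only matches kratos pods in this policy's own namespace, so the rule silently stops matching if Kratos is deployed elsewhere. The policy's own `podSelector` and the rest of `spec.egress` are outside the hunk.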