diff --git a/README.md b/README.md
index 8cb694b..a04ce32 100644
--- a/README.md
+++ b/README.md
@@ -25,13 +25,18 @@ uvlava is **store/infra only** — it never serves adult content to the public
 ## What's live
-| Service | Host | Endpoint (bare for now; named later) |
+| Service | Host | Endpoint |
 |---|---|---|
-| Forgejo (git canonical) | `lilith-forge` droplet | `134.199.243.61:3000` → `forge.uvlava.com` (planned) |
-| Verdaccio (`@lilith/*` npm) | same droplet | `134.199.243.61:4873` → `npm.uvlava.com` (planned) |
+| Forgejo (git canonical) | ct-forge droplet | `https://forge.ct.uvlava.com` (live, Caddy + LE) |
+| Verdaccio (`@lilith/*` npm) | same droplet | `https://npm.ct.uvlava.com` |
 DO account `ct` / project `ct:prod` / region `nyc3`. `uvlava.com` is registered
-(joker.com) but not yet pointed — DNS + TLS deferred until the store tier lands.
+(joker.com) and **delegated to DigitalOcean** — joker.com publishes
+`ns1/ns2/ns3.digitalocean.com` at the `.com` registry (verified 2026-06-30).
+DNS resolves publicly and Caddy auto-provisions Let's Encrypt certs per
+hostname: `forge.ct.uvlava.com` serves `HTTP/2 200` with a valid LE cert
+(`CN=forge.ct.uvlava.com`). Only hostnames explicitly in the zone resolve —
+there is **no wildcard**, so each new subdomain needs its own A record.
 ## Layout
diff --git a/terraform/do/dns.tf b/terraform/do/dns.tf
index 8289922..a866345 100644
--- a/terraform/do/dns.tf
+++ b/terraform/do/dns.tf
@@ -6,9 +6,10 @@
 # ct.uvlava.com -> this account (TransQuinnFTW / ct:prod) — store + infra tier
 # mc.uvlava.com -> magic-civilization account (separate PAT) — wired later
 #
-# DELEGATION: these records are INERT until the registrar (joker.com) delegates
+# DELEGATION: LIVE as of 2026-06-30. The registrar (joker.com) delegates
 # uvlava.com NS to DigitalOcean (ns1/ns2/ns3.digitalocean.com — see the
-# `uvlava_nameservers` output). Until then nothing here resolves publicly.
+# `uvlava_nameservers` output), verified at the .com registry. These records
+# resolve publicly; forge.ct.uvlava.com serves HTTP/2 200 with a valid LE cert.
 #
 # TLS: forge.ct / npm.ct are A records to the cocotte-forge (ct-forge) droplet,
 # which runs a reverse proxy (Caddy/LE) terminating HTTPS in front of Forgejo
@@ -139,3 +140,22 @@ resource "digitalocean_record" "ct_sales" {
 ignore_changes = [value]
 }
 }
+
+# --- mc.uvlava.com : magic-civilization's namespace --------------------------
+# mc's forge is consolidated onto the shared services droplet (the same box that
+# co-locates ct/quinn forges). The live magicciv repo lives there at
+# http://forge.mc.uvlava.com:3001/applications/magicciv.git (Forgejo on :3001).
+# Durable name mirrors forge.ct.uvlava.com so the git remote stops using a bare
+# IP. Literal IP (services droplet is provisioned out of this state); ignore_changes
+# lets the dns-updater retarget it without a TF fight.
+resource "digitalocean_record" "mc_forge" {
+ domain = digitalocean_domain.uvlava.name
+ type = "A"
+ name = "forge.mc"
+ value = "165.227.191.38" # services droplet (shared forges host)
+ ttl = 300
+
+ lifecycle {
+ ignore_changes = [value]
+ }
+}
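Review bot: The comment block above the new `mc_forge` resource documents the git remote as `http://forge.mc.uvlava.com:3001/applications/magicciv.git`, i.e. cleartext HTTP straight to Forgejo's port, whereas the header comment earlier in this file says forge.ct/npm.ct sit behind a Caddy/LE proxy terminating HTTPS — this record gives forge.mc a durable name but nothing in the hunk says the services droplet terminates TLS for it, so a git push with a PAT over that remote would travel unencrypted. The comment should state which it is, e.g. `# NOTE: no Caddy/LE termination for forge.mc yet — the :3001 remote is plain HTTP; add the vhost before handing out PATs for it`, or the URL should be updated once the proxy covers the hostname. Separately, `ignore_changes = [value]` also means `terraform plan` will stay silent if the A record is retargeted by anything other than the dns-updater, so drift detection for this hostname has to come from zone monitoring rather than this state; a one-line comment saying so next to `ignore_changes` would keep that trade-off visible.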