diff --git a/cc-ci-plan/upstream/matrix-synapse.md b/cc-ci-plan/upstream/matrix-synapse.md
new file mode 100644
index 0000000..dcd06ba
--- /dev/null
+++ b/cc-ci-plan/upstream/matrix-synapse.md
@@ -0,0 +1,21 @@
+# Upstream sources — matrix-synapse
+
+| service | image | source repo | releases / changelog |
+|---------|-------|-------------|----------------------|
+| app | matrixdotorg/synapse | https://github.com/element-hq/synapse | https://github.com/element-hq/synapse/releases |
+| mas | ghcr.io/element-hq/matrix-authentication-service | https://github.com/element-hq/matrix-authentication-service | https://github.com/element-hq/matrix-authentication-service/releases |
+| signalbridge | dock.mau.dev/mautrix/signal | https://github.com/mautrix/signal | https://github.com/mautrix/signal/releases |
+| telegrambridge | dock.mau.dev/mautrix/telegram | https://github.com/mautrix/telegram | https://github.com/mautrix/telegram/releases |
+| discordbridge | halfshot/matrix-appservice-discord | https://github.com/matrix-org/matrix-appservice-discord | https://github.com/matrix-org/matrix-appservice-discord/releases |
+| web | nginx | https://github.com/nginx/nginx | https://nginx.org/en/CHANGES |
+| db | pgautoupgrade/pgautoupgrade | https://github.com/pgautoupgrade/docker-pgautoupgrade | https://github.com/pgautoupgrade/docker-pgautoupgrade/releases |
+| signaldb / telegramdb / discorddb | postgres | https://github.com/docker-library/postgres | https://www.postgresql.org/docs/release/ |
+
+## Standing notes
+
+- **pgautoupgrade (main db):** performs in-place `pg_upgrade` on first start of a new major image — no manual dump/restore needed, but always take a DB backup before deploying a major version bump. Current: 17-alpine → 18-alpine in this PR.
+- **signalbridge calver scheme change:** mautrix/signal moved from semver (v0.x) to calver (v26.xx.x) after v0.8.7. The v26.x series requires a fresh install or manual Postgres 13→17+ dump/restore for the signaldb sidecar. Deferred to a separate PR.
+- **telegrambridge calver scheme change:** mautrix/telegram moved from v0.15.x to v0.2605.x (calver). Deferred to a separate PR.
+- **signaldb / telegramdb (postgres:13-alpine → 17-alpine):** plain postgres (not pgautoupgrade), so major upgrades require manual dump/restore. Deferred along with the bridge upgrades.
+- **MAS 1.18.0:** `device_code_grant_enabled` is now `false` by default — existing deployments using device code grants should set this explicitly in config.
+- **Bridges are optional overlays** (compose.signal.yml, compose.telegram.yml, compose.discord.yml) — only include them in COMPOSE_FILE when actively using bridges.