diff --git a/SECURITY_SECRETS_INVENTORY.md b/SECURITY_SECRETS_INVENTORY.md index 3f06a34..9d5d47e 100644 --- a/SECURITY_SECRETS_INVENTORY.md +++ b/SECURITY_SECRETS_INVENTORY.md 
@@ -1,31 +1,40 @@ -# Credential Inventory (apps/, core/, monitoring/) +# Security Secrets Inventory -## apps/ -- `apps/nextcloud/docker-compose.yml` - - `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret. - - `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret. - - `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret. - - `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets. - - Redis `--requirepass` inline value -> read from Docker secret at runtime. -- `apps/passbolt/docker-compose.yml` - - `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret. -- `apps/gramps/docker-compose.yml` - - `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret. - - `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file. +This inventory is aligned with `secrets/.env.secrets.example` and documents only the values that are expected to be set in the non-committed secrets env file (`secrets/stack-secrets.env`). -## core/ -- `core/authelia/configuration.yml` - - `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`. - - `session.secret` -> `${AUTHELIA_SESSION_SECRET}`. - - `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`. -- `core/traefik/dynamic.yml` - - `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`. +## Secrets expected in `secrets/.env.secrets.example` -## monitoring/ -- `monitoring/gotify/docker-compose.yml` - - `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file. -- `monitoring/prometheus/docker-compose.yml` - - `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret. - - `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file. -- `monitoring/prometheus/prometheus.yml` - - Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file. 
+| Variable | Used by | Purpose / Notes | +|---|---|---| +| `NEXTCLOUD_DB_USER` | `apps/nextcloud/docker-compose.yml` | Nextcloud database username (non-secret identifier but environment-specific). | +| `NEXTCLOUD_ADMIN_USER` | `apps/nextcloud/docker-compose.yml` | Initial Nextcloud admin username. | +| `NEXTCLOUD_SMTP_FROM_ADDRESS` | `apps/nextcloud/docker-compose.yml` | SMTP sender local-part for outbound mail configuration. | +| `NEXTCLOUD_SMTP_DOMAIN` | `apps/nextcloud/docker-compose.yml` | SMTP sender domain for outbound mail configuration. | +| `NEXTCLOUD_SMTP_NAME` | `apps/nextcloud/docker-compose.yml` | Derived from address + domain in the example file. | +| `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. | +| `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. | +| `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. | +| `GRAMPS_DB_NAME` | `apps/gramps/docker-compose.yml` | Gramps database name. | +| `GRAMPS_DB_USER` | `apps/gramps/docker-compose.yml` | Gramps database username. | +| `GRAMPS_DB_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps database password. | +| `GRAMPS_INITIAL_ADMIN` | `apps/gramps/docker-compose.yml` | Gramps initial admin username/email (deployment-specific). | +| `GRAMPS_INITIAL_ADMIN_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps initial admin password. | +| `GRAMPS_DB_URI` | `apps/gramps/docker-compose.yml` | Derived connection string in the example file. | +| `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. | +| `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. | +| `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. | +| `PIHOLE_PASSWORD` | `monitoring/prometheus/docker-compose.yml` | Exporter auth / Pi-hole integration password. 
| + +## Managed outside `.env.secrets.example` + +The following sensitive values are intentionally not duplicated in `secrets/.env.secrets.example` because they are provided via Docker secrets (`*_FILE`) or other mounted secret files: + +- Database/root passwords for Nextcloud, Passbolt, and supporting services that are wired through Docker secrets. +- Redis runtime password (`--requirepass`) loaded from a Docker secret. +- `DOCKER_INFLUXDB_INIT_PASSWORD` loaded from Docker secret in monitoring. +- Uptime Kuma basic auth password loaded via `password_file` in Prometheus config. +- Core stack secrets injected via env substitution in committed config files, such as: + - `AUTHELIA_JWT_SECRET` + - `AUTHELIA_SESSION_SECRET` + - `AUTHELIA_STORAGE_ENCRYPTION_KEY` + - `CROWDSEC_LAPI_KEY`
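Review bot: The new heading `## Secrets expected in `secrets/.env.secrets.example`` contradicts the paragraph just above it, which says the values are set in the non-committed `secrets/stack-secrets.env` and that the `.env.secrets.example` file only keys the inventory; as written, a reader could conclude the real values belong in the committed example file. Suggest renaming the heading to something like "Secrets expected in `secrets/stack-secrets.env` (keyed by `.env.secrets.example`)". Two smaller points in the same hunk: the `GRAMPS_DB_URI` row is described only as a "Derived connection string", but a DB URI embeds the `GRAMPS_DB_PASSWORD` value, so its notes should flag it as a second copy of that secret rather than a non-secret derived field; and the "Core stack secrets injected via env substitution" bullets drop the consuming file and key that the removed lines recorded (e.g. `core/authelia/configuration.yml` -> `session.secret`, `core/traefik/dynamic.yml` -> `crowdsecLapiKey`) and do not say which file supplies those env vars, so the inventory loses the "Used by" traceability the table above provides for every other entry.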