diff --git a/db/atlas/stripe_invoice/migrations/0001_init.sql b/db/atlas/stripe_invoice/migrations/0001_init.sql
new file mode 100644
index 0000000..22d8741
--- /dev/null
+++ b/db/atlas/stripe_invoice/migrations/0001_init.sql
@@ -0,0 +1,5 @@
+CREATE TABLE users (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ email TEXT NOT NULL UNIQUE,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
diff --git a/db/atlas/stripe_invoice/migrations/0002_auth.sql b/db/atlas/stripe_invoice/migrations/0002_auth.sql
new file mode 100644
index 0000000..41fa9fb
--- /dev/null
+++ b/db/atlas/stripe_invoice/migrations/0002_auth.sql
@@ -0,0 +1,6 @@
+CREATE TABLE sessions (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+ expires_at TIMESTAMPTZ NOT NULL,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
diff --git a/db/atlas/stripe_invoice/migrations/0003_stripe_xero.sql b/db/atlas/stripe_invoice/migrations/0003_stripe_xero.sql
new file mode 100644
index 0000000..b4ad422
--- /dev/null
+++ b/db/atlas/stripe_invoice/migrations/0003_stripe_xero.sql
@@ -0,0 +1,13 @@
+CREATE TABLE stripe_accounts (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ user_id UUID NOT NULL REFERENCES users(id),
+ stripe_account_id TEXT NOT NULL,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE TABLE xero_connections (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ user_id UUID NOT NULL REFERENCES users(id),
+ tenant_id TEXT NOT NULL,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
diff --git a/db/k8s/pgadmin/deployment.yaml b/db/k8s/pgadmin/deployment.yaml
new file mode 100644
index 0000000..6618da2
--- /dev/null
+++ b/db/k8s/pgadmin/deployment.yaml
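Review bot: `email TEXT NOT NULL UNIQUE` on `users` enforces uniqueness case-sensitively, so two spellings of the same address (for a constructed example, `Ann@example.com` and `ann@example.com`) become two accounts; if email is the login identifier, enforce it with a unique expression index instead, `CREATE UNIQUE INDEX users_email_lower_idx ON users (lower(email));`, or use `citext`. The `gen_random_uuid()` default is built into PostgreSQL 13 and later and otherwise needs the pgcrypto extension, which this migration does not create; either document the minimum server version in a comment or add `CREATE EXTENSION IF NOT EXISTS pgcrypto;` ahead of the table. Naming the constraint (`CONSTRAINT users_email_key UNIQUE (email)`) keeps later migrations and error messages greppable.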
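Review bot: `sessions.user_id` is a foreign key with `ON DELETE CASCADE` but has no index, and PostgreSQL does not index FK columns automatically, so every user deletion and every per-user session lookup scans the whole table. Add `CREATE INDEX sessions_user_id_idx ON sessions (user_id);` after the table, and since `expires_at` is presumably what an expiry purge filters on, `CREATE INDEX sessions_expires_at_idx ON sessions (expires_at);` as well. A named `CONSTRAINT sessions_expires_after_created_check CHECK (expires_at > created_at)` would reject obviously invalid rows at write time.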
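Review bot: `stripe_accounts.stripe_account_id` and `xero_connections.tenant_id` carry no uniqueness constraint, so the same external account can be linked to several users and the same user can link the same tenant twice; if a link is meant to be one-to-one, add `CONSTRAINT stripe_accounts_stripe_account_id_key UNIQUE (stripe_account_id)` and `CONSTRAINT xero_connections_user_id_tenant_id_key UNIQUE (user_id, tenant_id)`, adjusting if multiple links per user are intended. Both `REFERENCES users(id)` clauses omit an `ON DELETE` action and therefore default to `NO ACTION`, unlike `sessions` in 0002_auth.sql which cascades; if keeping integration rows until they are explicitly unlinked is the intent, say so in a comment, otherwise make the two migrations consistent. Neither `user_id` column is indexed, which matters for the same reasons as on `sessions`.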
@@ -0,0 +1,87 @@
+# ==================================================
+# pgAdmin Secret
+# ==================================================
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pgadmin-secret
+type: Opaque
+stringData:
+ PGADMIN_DEFAULT_EMAIL: admin@juntekim.com
+ PGADMIN_DEFAULT_PASSWORD: PersonAppleWinter938
+
+---
+# ==================================================
+# pgAdmin Deployment (STATELESS)
+# ==================================================
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pgadmin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pgadmin
+ template:
+ metadata:
+ labels:
+ app: pgadmin
+ spec:
+ containers:
+ - name: pgadmin
+ image: dpage/pgadmin4:latest
+ ports:
+ - containerPort: 80
+ envFrom:
+ - secretRef:
+ name: pgadmin-secret
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 30
+ periodSeconds: 20
+
+---
+# ==================================================
+# pgAdmin Service
+# ==================================================
+apiVersion: v1
+kind: Service
+metadata:
+ name: pgadmin
+spec:
+ type: ClusterIP
+ selector:
+ app: pgadmin
+ ports:
+ - port: 80
+ targetPort: 80
+
+---
+# ==================================================
+# Traefik IngressRoute
+# ==================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: pgadmin
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`pgadmin.juntekim.com`)
+ kind: Rule
+ services:
+ - name: pgadmin
+ port: 80
+ tls:
+ certResolver: myresolver
+
diff --git a/github_runner/install/rbac.yaml b/github_runner/install/rbac.yaml
new file mode 100644
index 0000000..9107fcf
--- /dev/null
+++ b/github_runner/install/rbac.yaml
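Review bot: The `pgadmin-secret` Secret embeds a literal `PGADMIN_DEFAULT_PASSWORD` in `stringData`, committed to the repository for a UI that the IngressRoute publishes at `pgadmin.juntekim.com`; that value has to be treated as exposed and rotated, and the manifest should reference a Secret provisioned out of band (a secrets operator, SealedSecrets, or created from CI) rather than carrying the password itself. `image: dpage/pgadmin4:latest` is a mutable tag, so each pod restart may pull a different build than the one that was reviewed; pin a release tag (and ideally a digest). The container declares no `securityContext` and no `resources` limits, and the route puts nothing but pgAdmin's own login form in front of an internet-facing admin tool; an allow-list or forward-auth middleware on the IngressRoute would narrow who can even reach the login page.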
@@ -0,0 +1,132 @@
+# =========================================================
+# ClusterRole: Infra Deployer
+#
+# Used by:
+# - GitHub ARC runners
+# - Infrastructure deployment workflows
+#
+# Allows managing:
+# - Postgres
+# - Jobs / CronJobs (migrations, backups)
+# - Traefik resources
+# - Storage primitives
+#
+# Extend this file when infra needs grow.
+# =========================================================
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: infra-deployer-role
+rules:
+
+ # -----------------------------------------------------
+ # Core Kubernetes resources
+ # -----------------------------------------------------
+ - apiGroups: [""]
+ resources:
+ - pods
+ - services
+ - endpoints
+ - configmaps
+ - secrets
+ - namespaces
+ - serviceaccounts
+ - persistentvolumes
+ - persistentvolumeclaims
+ - nodes
+ verbs: ["*"]
+
+ # -----------------------------------------------------
+ # Apps (Deployments, StatefulSets, etc.)
+ # -----------------------------------------------------
+ - apiGroups: ["apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - replicasets
+ verbs: ["*"]
+
+ # -----------------------------------------------------
+ # Batch workloads (THIS FIXES YOUR ISSUE)
+ # Jobs + CronJobs for:
+ # - DB backups
+ # - Atlas migrations
+ # -----------------------------------------------------
+ - apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["*"]
+
+ # -----------------------------------------------------
+ # Networking & Ingress
+ # -----------------------------------------------------
+ - apiGroups: ["networking.k8s.io", "extensions"]
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs: ["*"]
+
+ # -----------------------------------------------------
+ # Traefik CRDs (v1 + v2)
+ # -----------------------------------------------------
+ - apiGroups: ["traefik.containo.us"]
+ resources: ["*"]
+ verbs: ["*"]
+
+ - apiGroups: ["traefik.io"]
+ resources:
+ - ingressroutes
+ - ingressroutetcps
+ - ingressrouteudps
+ - middlewares
+ - middlewaretcps
+ - traefikservices
+ - tlsoptions
+ - tlsstores
+ - serverstransports
+ verbs: ["*"]
+
+ # -----------------------------------------------------
+ # CRD management (required for Traefik & others)
+ # -----------------------------------------------------
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources:
+ - customresourcedefinitions
+ verbs: ["*"]
+
+---
+# =========================================================
+# ClusterRoleBinding: Bind Infra Deployer to ARC runners
+# =========================================================
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: infra-deployer-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: infra-deployer-role
+subjects:
+ - kind: ServiceAccount
+ name: mealcraft-runners-gha-rs-no-permission
+ namespace: arc-systems
+
+---
+# =========================================================
+# ClusterRoleBinding: Bind same role to Traefik
+# (Traefik needs wide read/watch permissions)
+# =========================================================
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: infra-deployer-traefik-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: infra-deployer-role
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: default
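Review bot: `infra-deployer-role` grants `verbs: ["*"]` on `secrets`, `serviceaccounts`, `nodes`, `namespaces` and `pods` across the whole cluster, which is cluster-admin in all but name: a holder can read every Secret in every namespace and create pods that mount any service account's token, and `infra-deployer-binding` hands that to the runner service account `mealcraft-runners-gha-rs-no-permission` in `arc-systems`, so every workflow that lands on those runners inherits it (the same applies to the Traefik binding further down this hunk). Scope it to what the listed workflows actually do: a namespaced `Role`/`RoleBinding` per deployment namespace with concrete verbs (`get`, `list`, `watch`, `create`, `patch`, `delete`), and drop `nodes`, `namespaces`, `serviceaccounts` and `customresourcedefinitions` unless a workflow demonstrably manages them. `infra-deployer-traefik-binding` gives Traefik the identical write-everything role even though its own comment says Traefik needs read/watch, so Traefik should get a separate read-only `ClusterRole` along the lines below. The `# Batch workloads (THIS FIXES YOUR ISSUE)` comment reads like a pasted chat reply; replace it with the reason, e.g. `# Jobs/CronJobs: created by the backup and Atlas migration workflows`.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller-role
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses, ingressclasses]
    verbs: [get, list, watch]
  - apiGroups: [traefik.io]
    resources: [ingressroutes, ingressroutetcps, ingressrouteudps, middlewares, middlewaretcps, traefikservices, tlsoptions, tlsstores, serverstransports]
    verbs: [get, list, watch]
# … unchanged: ClusterRoleBinding for traefik-ingress-controller, with roleRef.name pointing at this role instead of infra-deployer-role …
```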