diff --git a/memory/memories.db b/memory/memories.db
index eba9a4ac7..fc3976c1c 100644
Binary files a/memory/memories.db and b/memory/memories.db differ
diff --git a/skills/mac-server-setup/SKILL.md b/skills/mac-server-setup/SKILL.md
index b3e987031..2c88476af 100644
--- a/skills/mac-server-setup/SKILL.md
+++ b/skills/mac-server-setup/SKILL.md
@@ -103,6 +103,8 @@ before running. The script is idempotent — safe to re-run. Structure:
 - Shell aliases + starship init in .zshrc (idempotent)
 
 **Part 2 — Server hardening** (details: [references/hardening.md](references/hardening.md))
+- FileVault: disable (blocks unattended boot)
+- Auto-login: enable for server user (kcpassword + loginwindow pref)
 - Power: no sleep, auto-restart on power loss
 - App firewall: on, allow signed, stealth mode
 - SMB: disable guest access
@@ -302,7 +304,8 @@ full checklist.
 
 - SSH MCP servers typically can't sudo — generate script, user runs it
 - `launchctl disable gui/$UID/<label>` is SIP-safe and persists reboots
-- Never disable SIP or FileVault
+- Never disable SIP
+- **FileVault must be OFF** for headless servers — see Gotchas
 - Keep software update auto-check, just defer auto-install
 - Add `set -ga terminal-overrides ",*:Tc,*:kbs=\177"` to tmux.conf for
   backspace fix over SSH
@@ -366,3 +369,20 @@ full checklist.
   is fully running, which can exceed the MCP SSH timeout. Background it
   with `& disown` or just let it timeout — check `signet status` after
   to confirm it started.
+- **FileVault blocks unattended boot**: FileVault disk encryption
+  requires a password at the pre-boot screen BEFORE macOS loads. With
+  FileVault on, the machine will sit at the unlock screen indefinitely
+  after any reboot (power loss, kernel panic, update). No software fix
+  exists — the OS isn't running yet. **Disable FileVault on headless
+  servers**: `sudo fdesetup disable` (pass credentials via
+  `-inputplist` for non-interactive use through MCP). Decryption runs
+  in the background and the machine stays usable.
+- **Auto-login requires kcpassword**: Setting `autoLoginUser` in
+  loginwindow prefs is not enough — macOS also needs `/etc/kcpassword`
+  with the XOR-obfuscated password (key: `7d 89 52 23 d2 bc dd ea a3
+  b9 1f`). Use `python3 -c` to generate it. File must be mode 600,
+  owned by root. Auto-login cannot work while FileVault is enabled.
+- **fdesetup disable needs non-interactive auth**: `fdesetup disable`
+  prompts for username/password interactively. Through MCP, pipe a
+  plist via `-inputplist`:
+  `printf '<plist>...<key>Username</key><string>USER</string><key>Password</key><string>PASS</string>...</plist>' | sudo fdesetup disable -inputplist`
diff --git a/skills/mac-server-setup/references/hardening.md b/skills/mac-server-setup/references/hardening.md
index dd20e2763..ee9bd5b1a 100644
--- a/skills/mac-server-setup/references/hardening.md
+++ b/skills/mac-server-setup/references/hardening.md
@@ -2,6 +2,53 @@
 
 Template for Part 2 of the setup script. All sudo commands.
 
+## FileVault (MUST DISABLE)
+
+FileVault disk encryption blocks unattended boot — the machine sits
+at a pre-boot unlock screen waiting for a password before macOS even
+loads. This is incompatible with headless server operation.
+
+```bash
+# Check status
+fdesetup status
+
+# Disable non-interactively (for MCP/scripted use)
+printf '<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0"><dict>
+<key>Username</key><string>USERNAME</string>
+<key>Password</key><string>PASSWORD</string>
+</dict></plist>' | sudo fdesetup disable -inputplist
+
+# Monitor decryption progress (runs in background, machine stays usable)
+fdesetup status
+```
+
+## Auto-Login
+
+Required for headless operation — ensures the GUI session starts on
+boot so user-level LaunchAgents (Tailscale, Signet, etc.) can run.
+Cannot work while FileVault is enabled.
+
+```bash
+# Set auto-login user
+sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser "USERNAME"
+
+# Create kcpassword (XOR-obfuscated password file)
+python3 -c "
+password = 'PASSWORD'
+key = [0x7d, 0x89, 0x52, 0x23, 0xd2, 0xbc, 0xdd, 0xea, 0xa3, 0xb9, 0x1f]
+encoded = bytearray()
+for i, c in enumerate(password + chr(0)):
+    encoded.append(ord(c) ^ key[i % len(key)])
+while len(encoded) % 12 != 0:
+    encoded.append(0)
+with open('/etc/kcpassword', 'wb') as f:
+    f.write(encoded)
+"
+sudo chmod 600 /etc/kcpassword
+```
+
 ## Power Management
 
 ```bash