diff --git a/docs/RELEASE_POLICY.md b/docs/RELEASE_POLICY.md index 675765c..47261cb 100644 --- a/docs/RELEASE_POLICY.md +++ b/docs/RELEASE_POLICY.md @@ -1,4 +1,28 @@ -Release policy issue 23 -- Tag only after successful deploy -- Changelog reference required -- No deploy while tester active +# Release policy (Issue #23) + +## Formål +Sikre at release-tags altid repræsenterer faktisk deployet software. + +## Hård regel +- **Ingen release-tag før staging deploy er succesfuld.** +- **Ingen release-tag uden changelog-reference.** +- **Ingen deploy hvis tester er i gang med smoke-run.** + +## Release-flow +1. Bekræft architect-gate (`issue #17`) er release-approved. +2. Bekræft tester ikke er aktiv. +3. Deploy kandidat til staging (`infra/staging/deploy_staging.sh`). +4. Verificér `/healthz` + smoke-resultat. +5. Tilføj changelog-entry i `CHANGELOG.md`. +6. Opret release-tag i Gitea (annotated), og referér changelog-sektion i release-notes. + +## Minimum release-notes template +```markdown +## Changelog +- Ref: CHANGELOG.md# + +## Deploy +- Environment: staging +- Status: success +- Healthz: ok +``` diff --git a/infra/staging/DB_SETUP.md b/infra/staging/DB_SETUP.md new file mode 100644 index 0000000..a615c4c --- /dev/null +++ b/infra/staging/DB_SETUP.md @@ -0,0 +1,32 @@ +# DB setup runbook (Issue #21) + +> Credentials ligger i Secrets-repo, ikke i applikationsrepo. + +## Databaser +- `wpp_test` +- `wpp_prod` + +## Brugere +- `wpp_test_user` (least privilege på `wpp_test`) +- `wpp_prod_user` (least privilege på `wpp_prod`) + +## Secrets placering +I Secrets-repo: +- `wpp/wpp_test.env` +- `wpp/wpp_prod.env` + +Forventede felter: +- `DB_HOST` +- `DB_PORT` +- `DB_NAME` +- `DB_USER` +- `DB_PASSWORD` + +## Verifikation (eksempel) +Kør fra staging-CT eller anden tilladt klient: + +```bash +mysql -h -u -p -e "SELECT 1" +``` + +Alle forbindelser skal returnere `1`. diff --git a/infra/staging/README.md b/infra/staging/README.md index af826b6..489d646 100644 
--- a/infra/staging/README.md +++ b/infra/staging/README.md @@ -1,4 +1,41 @@ -Staging runbook issue 20 -CT 143 wpp-staging -Service: wpp-staging.service -Health: /healthz +# Staging runbook (Issue #20) + +## Mål +Staging-miljø for WPP i Proxmox LXC, så release-klar kode kan deployes og smoke-testes sikkert. + +## Miljø +- LXC: `CT 143` (`wpp-staging`) +- App path: `/opt/wpp-staging/app` +- Service: `wpp-staging.service` +- Health endpoint: `GET /healthz` + +## Verifikation +Kør fra devops-shell med Proxmox-adgang: + +```bash +ssh proxmox-lan "sudo -n pct status 143" +ssh proxmox-lan "sudo -n pct exec 143 -- systemctl is-active wpp-staging.service" +ssh proxmox-lan "sudo -n pct exec 143 -- curl -fsS http://127.0.0.1:8000/healthz" +``` + +Forventet: +- CT er `running` +- service er `active` +- healthz returnerer JSON med `ok: true` + +## Deploy +Script: `infra/staging/deploy_staging.sh` + +```bash +# deploy main +./infra/staging/deploy_staging.sh + +# deploy bestemt tag/branch +./infra/staging/deploy_staging.sh v0.3.0 +``` + +## Policy-kobling +Før deploy: +1. Bekræft at tester **ikke** er aktiv (ingen aktiv smoke-run). +2. Deploy til staging skal lykkes. +3. Først derefter må release-tag oprettes (se `docs/RELEASE_POLICY.md`). diff --git a/infra/staging/deploy_staging.sh b/infra/staging/deploy_staging.sh index 22740d0..e28da61 100755 --- a/infra/staging/deploy_staging.sh +++ b/infra/staging/deploy_staging.sh 
@@ -1,6 +1,28 @@ #!/usr/bin/env bash set -euo pipefail -CT_ID="143" -ARCHIVE_URL="https://gitea.weircon.dk/wpp/weirsoe-party-protocol/archive/main.tar.gz" -sudo -n pct exec "" -- bash -lc "set -euo pipefail; mkdir -p /opt/wpp-staging/releases/src; cd /opt/wpp-staging/releases; curl -fsSL -o main.tar.gz ; rm -rf src && mkdir src; tar -xzf main.tar.gz -C src --strip-components=1; rm -rf /opt/wpp-staging/app/*; cp -a src/. /opt/wpp-staging/app/; cd /opt/wpp-staging/app; runuser -u wpp -- python3 -m venv .venv; runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null; runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null; runuser -u wpp -- .venv/bin/python manage.py migrate --noinput; systemctl restart wpp-staging.service; curl -fsS http://127.0.0.1:8000/healthz" -echo "OK: staging deploy complete for CT ." + +CT_ID="${CT_ID:-143}" +REF_NAME="${1:-main}" +ARCHIVE_URL="https://gitea.weircon.dk/wpp/weirsoe-party-protocol/archive/${REF_NAME}.tar.gz" + +echo "[deploy] CT_ID=${CT_ID} REF=${REF_NAME}" + +echo "[deploy] extracting source + installing deps + migrate + restart" +sudo -n pct exec "${CT_ID}" -- bash -lc "set -euo pipefail +mkdir -p /opt/wpp-staging/releases/src +cd /opt/wpp-staging/releases +curl -fsSL -o app.tar.gz +rm -rf src && mkdir src +tar -xzf app.tar.gz -C src --strip-components=1 +rm -rf /opt/wpp-staging/app/* +cp -a src/. /opt/wpp-staging/app/ +cd /opt/wpp-staging/app +runuser -u wpp -- python3 -m venv .venv +runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null +runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null +runuser -u wpp -- .venv/bin/python manage.py migrate --noinput +systemctl restart wpp-staging.service +curl -fsS http://127.0.0.1:8000/healthz +" + +echo "[deploy] OK: staging deploy complete for CT ${CT_ID} (${REF_NAME})"
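Review bot: In `docs/RELEASE_POLICY.md`, the release flow adds the changelog entry (step 5) after the staging deploy (step 3) and only then creates the tag (step 6). If the tag is placed on the commit that contains the new `CHANGELOG.md` entry, it points at a commit that was never deployed, which contradicts the stated purpose that tags always represent deployed software. Either move the changelog entry before the deploy so the deployed ref and the tagged commit are identical, or state that the tag must be created on the exact commit that passed `/healthz` and smoke. The release-notes template line `- Ref: CHANGELOG.md#` also ends in an empty anchor; give it a visible placeholder so it is clear what has to be filled in. The three hard rules name no enforcement mechanism, and "tester er i gang" has no defined signal (lock file, issue label, or similar), so it is worth documenting how a deployer is expected to check it.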
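Review bot: In `infra/staging/DB_SETUP.md`, the verification command `mysql -h -u -p -e "SELECT 1"` has no values after `-h` and `-u`, so it cannot be run as written. Spell the placeholders out in terms of the documented fields (`DB_HOST`, `DB_PORT`, `DB_USER`, `DB_NAME`) and say that the password is entered at the `-p` prompt or read from a client option file via `--defaults-extra-file`, so `DB_PASSWORD` never ends up on a command line or in shell history. "Least privilege" is asserted for both users but no grants are listed, and `SELECT 1` only proves that a login works. Add the intended grants per user and a negative check, for example that `wpp_test_user` is denied on `wpp_prod`, so the isolation between test and prod is actually verified.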
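Review bot: In `infra/staging/README.md`, the expected result "healthz returnerer JSON med `ok: true`" is not what the verification command checks: `curl -fsS http://127.0.0.1:8000/healthz` only fails on an HTTP error status, so a 200 response with `ok: false` or a non-JSON body passes. Add an explicit check on the response body to the runbook. The verification commands run through `ssh proxmox-lan`, while the Deploy section calls `./infra/staging/deploy_staging.sh` directly and the script itself runs `sudo -n pct exec`; document on which host the script has to be executed. The Policy-kobling step "Bekræft at tester ikke er aktiv" has no command or signal attached, so it depends entirely on the operator remembering it.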
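Review bot: In `infra/staging/deploy_staging.sh`, `REF_NAME="${1:-main}"` is taken from the command line without validation and placed into `ARCHIVE_URL`, and the script body handed to `bash -lc` is a double-quoted string that the calling shell expands before it runs as root inside the container through `sudo -n pct exec`. Any value interpolated into that string is parsed as shell by the inner root shell, so reject refs that do not match a strict pattern (letters, digits, `.`, `_`, `-`, `/`) before building the URL, and pass the URL to the inner shell as a positional argument with the script in single quotes. As the hunk appears here, `curl -fsSL -o app.tar.gz` has no URL argument and `ARCHIVE_URL` is never referenced, so please confirm the download line is complete. The archive is unpacked and its `requirements.txt` installed with no checksum or signature check, and `rm -rf /opt/wpp-staging/app/*` runs before the new release has been validated, so a failed `pip install` or `migrate` leaves staging without a working app and no rollback path. The script also does not check the tester-active condition that `docs/RELEASE_POLICY.md` makes a hard rule, and the final `curl` on `/healthz` runs immediately after `systemctl restart` without a retry, so it can fail while the service is still starting.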