diff --git a/sesiones/260118_database_keys_endpoints.md b/sesiones/260118_database_keys_endpoints.md new file mode 100644 index 0000000..7cf283f --- /dev/null +++ b/sesiones/260118_database_keys_endpoints.md 
@@ -0,0 +1,102 @@ +# Sesión 260118 - Reorganización BD: Keys y Endpoints + +## Resumen +Continuación de reorganización de base de datos PostgreSQL. Creación de tablas `keys` y `endpoints` en los tres servidores (DECK, HST, ARCHITECT) con FK para restringir endpoints válidos. + +## Cambios realizados + +### DECK (72.62.1.113) - BD: tzzr + +#### tzzr_system.keys (9 servicios) +| service | endpoint | +|---------|----------| +| addy | alias.tzzrdeck.me | +| cloudflare_r2 | r2.cloudflarestorage.com | +| cloudflare_r2_personal | r2.cloudflarestorage.com | +| directus | directus.tzzrdeck.me | +| mailcow | mail.tzzrdeck.me | +| mindlink | mindlink.tzzrdeck.me | +| nextcloud | cloud.tzzrdeck.me | +| shlink | short.tzzrdeck.me | +| vaultwarden | key.tzzrdeck.me | + +#### tzzr_system.endpoints (9 servicios) +| service | endpoint | type | +|---------|----------|------| +| directus | directus.tzzrdeck.me | api | +| mindlink | mindlink.tzzrdeck.me | api | +| postgrest | api.tzzrdeck.me | api | +| shlink | short.tzzrdeck.me | api | +| addy | alias.tzzrdeck.me | mail | +| mailcow | mail.tzzrdeck.me | mail | +| vaultwarden | key.tzzrdeck.me | security | +| nextcloud | cloud.tzzrdeck.me | storage | +| r2_deck | r2.cloudflarestorage.com | storage | + +- FK: `keys.endpoint → endpoints.endpoint` +- Eliminadas tablas `keys_architect` y `keys_hst` (cada servidor lo suyo) + +### HST (72.62.2.84) - BD: hst_images + +#### tzzr_system.keys (2 servicios) +| service | endpoint | +|---------|----------| +| directus | hst.tzrtech.org | +| postgresql | localhost:5432 | + +#### tzzr_system.endpoints (2 servicios) +| service | endpoint | type | +|---------|----------|------| +| directus | hst.tzrtech.org | api | +| postgresql | localhost:5432 | database | + +- FK: `keys.endpoint → endpoints.endpoint` + +### ARCHITECT (69.62.126.110) - BD: architect (puerto 5433) + +**Instalación PostgreSQL via Docker:** +```bash +docker run -d --name postgres-architect -p 5433:5432 \ + -e POSTGRES_USER=architect \ 
+ -e POSTGRES_PASSWORD=architect_local_2026 \ + postgres:15 +``` + +#### tzzr_system.keys (4 servicios) +| service | endpoint | credenciales | +|---------|----------|--------------| +| cloudflare | api.cloudflare.com | API key + email | +| cloudflare_r2 | r2.cloudflarestorage.com | access_key + secret | +| runpod | api.runpod.io | API key + user_id | +| postgresql | localhost:5433 | architect / architect_local_2026 | + +#### tzzr_system.endpoints (6 servicios) +| service | endpoint | type | +|---------|----------|------| +| cloudflare | api.cloudflare.com | api | +| cloudflare_r2 | r2.cloudflarestorage.com | storage | +| runpod | api.runpod.io | gpu | +| gitea | git.tzr.systems | git | +| nextcloud | cloud.tzzrarchitect.me | storage | +| postgresql | localhost:5433 | database | + +- FK: `keys.endpoint → endpoints.endpoint` + +## Verificaciones + +### hst_rules (idéntica en DECK y HST) +14 reglas. Solo `tzzr_core_hst.hst` tiene restricción: +- Permitidos: spe, hst, vue, vsn, msn + +### atc_status +CHECK constraint: `status IN ('enable', 'disable', 'deleted')` + +## Documentación actualizada +- `TZZR_SCHEMA.mm` (FreeMind) - Mapa mental completo del sistema +- `CLAUDE.md` - Reglas de Nextcloud y formato de nombres + +## Principios establecidos +1. **Cada servidor lo suyo**: keys solo contiene credenciales del propio servidor +2. **Endpoints restringidos**: FK de keys a endpoints +3. **Nextcloud separados**: ARCHITECT → cloud.tzzrarchitect.me, DECK → cloud.tzzrdeck.me +4. **Documentos en "documentos adjuntos"**: sin subcarpetas
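Review bot: the ARCHITECT section commits a live database password in cleartext in two places: the `docker run` line (`-e POSTGRES_PASSWORD=architect_local_2026`) and the `credenciales` column of the `postgresql` row in the ARCHITECT `tzzr_system.keys` table (`architect / architect_local_2026`). The other rows in that column name only the kind of credential ("API key + email", "access_key + secret"), and the `postgresql` row should do the same. Replace the literal in the command with a placeholder or a reference to wherever the secret is stored. Because the value stays in repository history once this file is merged, rotate the password as well. In the same command, `-p 5433:5432` publishes the port on every host interface, while the endpoint tables record this database as `localhost:5433` on a host listed with the address 69.62.126.110. If only local access is intended, `-p 127.0.0.1:5433:5432` makes the binding match the documented endpoint. Finally, the notes state that `keys.endpoint → endpoints.endpoint` is enforced on each server but do not show the constraint DDL or the unique constraint on `endpoints.endpoint` that it depends on. Including those statements would let a reader verify the "Endpoints restringidos" principle from this document alone.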