diff --git a/catalog/catalog.yaml b/catalog/catalog.yaml
index d7413f1..b3f851c 100644
--- a/catalog/catalog.yaml
+++ b/catalog/catalog.yaml
@@ -1,4 +1,4 @@
-generated_at: "2026-05-28T15:34:12Z"
+generated_at: "2026-06-25T12:56:50Z"
 generator_version: "1.0"
 catalog_description: '(Tech-Preview) Additional patterns can be found here: validatedpatterns.io'
 catalog_logo: "https://validatedpatterns.io/images/logo.png"
diff --git a/catalog/layered-zero-trust/values-secret.yaml.template b/catalog/layered-zero-trust/values-secret.yaml.template
index a5b715c..8261b16 100644
--- a/catalog/layered-zero-trust/values-secret.yaml.template
+++ b/catalog/layered-zero-trust/values-secret.yaml.template
@@ -219,17 +219,54 @@ secrets: # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*) # - # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry - # token/password in your local ~/values-secret-layered-zero-trust.yaml. + # Store your registry token in a local file to avoid plaintext in YAML: + # echo -n "your-registry-token" > ~/.config/validated-patterns/registry-token # =========================================================================== #- name: registry-user # vaultPrefixes: # - hub/infra/registry # fields: # - name: registry-password - # value: "REPLACE_WITH_REGISTRY_TOKEN" + # path: ~/.config/validated-patterns/registry-token # onMissingValue: error + # =========================================================================== + # SUPPLY CHAIN GIT CREDENTIALS (hub/supply-chain/) + # Credentials for cloning protected Git repositories in Tekton pipelines + # Policy: hub-supply-chain-jwt-secret (read access to hub/supply-chain/*) + # + # Choose ONE of the two options below depending on your auth type: + # Option A: HTTPS basic auth (username + PAT) + # Option B: SSH key auth (ssh-privatekey + known_hosts) + # =========================================================================== + # Option A: HTTPS basic auth (uncomment for HTTPS protected repositories) + # Store your Git username and PAT in local files to avoid plaintext in YAML: + # echo -n "your-git-username" > ~/.config/validated-patterns/git-username + # echo -n "your-personal-access-token" > ~/.config/validated-patterns/git-token + #- name: git-credentials + # vaultPrefixes: + # - hub/supply-chain + # fields: + # - name: username + # path: ~/.config/validated-patterns/git-username + # onMissingValue: error + # - name: password + # path: ~/.config/validated-patterns/git-token + # onMissingValue: error + + # Option B: SSH key auth (uncomment for SSH protected repositories) + # The 
private key must NOT be password-protected (passphrase-less). + # Generate a passwordless key: ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ztvp -N "" + # Generate known_hosts: ssh-keyscan github.com > ~/.ssh/known_hosts_github + #- name: git-credentials + # vaultPrefixes: + # - hub/supply-chain + # fields: + # - name: ssh-privatekey + # path: ~/.ssh/id_ed25519_ztvp # Replace with your SSH private key path + # - name: known_hosts + # path: ~/.ssh/known_hosts_github # Replace with your known_hosts file path + # =========================================================================== # COCO (CONFIDENTIAL CONTAINERS) SECRETS # Uncomment the secrets below when deploying with CoCo support. 
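Review bot: The Option B recipe `ssh-keyscan github.com > ~/.ssh/known_hosts_github` stores whatever host key the network returns at that moment, so the known_hosts file later pushed to Vault and trusted by the pipelines is only as good as that first connection. The comment should ask the reader to check the scanned key before keeping it, e.g. `# Compare the scanned key with the fingerprints your Git host publishes before using this file`. Option A's fields carry `onMissingValue: error` while Option B's `ssh-privatekey` and `known_hosts` fields do not, so a missing path behaves differently between the two examples unless the loader's default is already error; adding `onMissingValue: error` to both Option B fields keeps them consistent. The hunk is a commented block inside the `secrets:` list, whose start and end lie outside it.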
@@ -397,3 +434,69 @@ secrets: # fields: # - name: content # path: ~/.kube/kubeconfig-ztvp-spoke-2 + +# =========================================================================== +# BOOTSTRAP SECRETS - Private Repository Access +# =========================================================================== +# Uncomment ONE of the sections below if deploying this pattern from a +# private git repository. These secrets are created directly as Kubernetes +# Secrets (not via Vault) so that ArgoCD can authenticate to the private +# repository before any other component is deployed. +# +# After uncommenting and filling in the values, deploy with: +# ./pattern.sh make TOKEN_SECRET=private-repo TOKEN_NAMESPACE=openshift-operators install +# +# See docs/private-repos.md for full instructions. +# =========================================================================== + +# --- OPTION A: SSH key authentication --- +# Generate a passwordless deploy key: +# ssh-keygen -t ed25519 -f ~/.ssh/ztvp-deploy-key -N "" +# Add the public key (~/.ssh/ztvp-deploy-key.pub) as a deploy key in +# your Git hosting provider (GitHub, GitLab, etc.) +# +# insecureIgnoreHostKey is required because the ArgoCD repo-server runs +# in a container that does not have the Git host's SSH fingerprint in its +# known_hosts file. Without this flag, SSH connections fail with +# "knownhosts: key is unknown". +# +# The VP operator copies this secret as vp-private-repo-credentials into +# vp-gitops (its managed ArgoCD namespace). The ACM chart (0.2.x+) reads +# global.vpArgoNamespace which the VP operator sets automatically. 
+ +#bootstrap_secrets: +#- name: private-repo +# targetNamespaces: +# - openshift-operators +# labels: +# argocd.argoproj.io/secret-type: repository +# fields: +# - name: type +# value: git +# - name: url +# value: git@github.com:YOUR-ORG/layered-zero-trust.git +# - name: insecureIgnoreHostKey +# value: "true" +# - name: sshPrivateKey +# path: ~/.ssh/ztvp-deploy-key + +# --- OPTION B: HTTPS with Personal Access Token (PAT) --- +# Create a PAT with read access to your repository. +# For GitHub: Settings -> Developer settings -> Personal access tokens +# For GitLab: Settings -> Access Tokens (username must be "oauth2") + +#bootstrap_secrets: +#- name: private-repo +# targetNamespaces: +# - openshift-operators +# labels: +# argocd.argoproj.io/secret-type: repository +# fields: +# - name: type +# value: git +# - name: url +# value: https://github.com/YOUR-ORG/layered-zero-trust.git +# - name: username +# value: YOUR-USERNAME +# - name: password +# path: ~/.config/validated-patterns/git-pat diff --git a/catalog/multicloud-gitops/pattern.yaml b/catalog/multicloud-gitops/pattern.yaml index bb7472f..598184d 100644 --- a/catalog/multicloud-gitops/pattern.yaml +++ b/catalog/multicloud-gitops/pattern.yaml @@ -60,6 +60,12 @@ extra_features: hypershift_support: true spoke_support: true external_requirements: null +variants: + - name: hub + default: true + description: Default multicluster hub/spoke Multicloud Gitops variant + - name: standalone + description: Single cluster Multicloud Gitops (no ACM) variant org: validatedpatterns spoke: null clustergroupname: hub diff --git a/catalog/rag-llm-gitops/values-secret.yaml.template b/catalog/rag-llm-gitops/values-secret.yaml.template index d38e970..7e5f48f 100644 --- a/catalog/rag-llm-gitops/values-secret.yaml.template +++ b/catalog/rag-llm-gitops/values-secret.yaml.template 
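Review bot: `insecureIgnoreHostKey: "true"` in Option A turns off SSH host-key verification for the ArgoCD repo-server on the very first clone of the pattern repository, so a spoofed Git host would be accepted during bootstrap. As far as I recall, ArgoCD reads host keys from its `argocd-ssh-known-hosts-cm` ConfigMap and a stock install already ships github.com's keys, so the justification in the comment may only hold for self-hosted Git servers or the VP-managed instance; the template should show adding the host key to that ConfigMap as the primary route and present the flag as a fallback. At minimum the comment should state the trade-off: `# insecureIgnoreHostKey disables host-key checking; prefer adding the host key to argocd-ssh-known-hosts-cm`. The install command also hard-codes `TOKEN_SECRET=private-repo`, which both options rely on by sharing the name `private-repo`; worth saying that the name must stay in sync with that flag.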
@@ -2,15 +2,8 @@
 # https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils#values-secret-file-format
 version: "2.0"
-# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are
-# automatically generated inside the vault this should not really matter)
-
-# In order to use huggingface models, you will need to
-# provide your token as a value for hftoken below.
-
-# EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com
-# Register for a free trial at: https://www.enterprisedb.com/accounts/register
-# Get your token from: https://www.enterprisedb.com/repos-downloads
+# Do not update sensitive secrets (db credentials) in this file and commit to git.
+# Copy this template file to ~/values-secret-rag-llm-gitops and update secrets in your home directory
 backingStore: vault
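Review bot: The replacement header comment narrows the warning to "db credentials" although the same file also holds the Hugging Face and EDB tokens, and "update ... in this file and commit to git" reads as two separate instructions rather than one. Suggest `# Do not put real secrets in this template or commit it to git.` followed by `# Copy it to ~/values-secret-rag-llm-gitops and fill in the values there.`, which keeps the scope of the old "NEVER COMMIT" note while pointing at the home-directory copy.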
@@ -22,15 +15,37 @@ vaultPolicies: rule "charset" { charset = "0123456789" min-chars = 1 } secrets: + # This must be set to use models requiring huggingface authentication + # The default model (ibm-granite/granite-3.3-8b-instruct) does not require authentication - name: hfmodel fields: - name: hftoken value: null + + # Only used when .global.db is set to PGVECTOR in values-global.yaml + - name: pgvector + fields: + - name: username + value: postgres + - name: password + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: dbname + value: rag_blueprint + + # Only used when .global.db is set to EDB in values-global.yaml + # EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com + # Register for a free trial at: https://www.enterprisedb.com/accounts/register + # Get your token from: https://www.enterprisedb.com/repos-downloads - name: edb fields: - name: token value: null description: EDB subscription token for pulling certified operator images + + # Only used when .global.db is set to MSSQL in values-global.yaml + # The pattern creates a local SQL Server deployment. To use an existing SQL Server DB on Azure, use secret below. - name: mssql fields: - name: sa-pass @@ -38,6 +53,9 @@ secrets: override: true vaultPolicy: basicPolicy description: mssql password for sa user + + # Only used when .global.db is set to AZURESQL in values-global.yaml + # The Azure SQL Server database needs to be created outside of the pattern. - name: azuresql fields: - name: user
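Review bot: `override: true` on the generated pgvector `password` regenerates the value on every secret load, so a database initialised with the previous password would be left holding a stale credential unless the chart re-syncs it; the existing mssql entry uses the same setting, so this may be deliberate, but nothing in the new comment says so. Suggest `# override: true regenerates the password on every load; drop it to keep an existing value` above the field, or removing `override: true` if the pgvector deployment only reads the secret at creation. The first hunk's `basicPolicy` context shows only the digits-only charset rule, so whether the generated password meets the database's complexity expectations cannot be judged from here.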