diff --git a/.gitea/workflows/01-deploy-proxmox-infra.yaml b/.gitea/workflows/01-deploy-proxmox-infra.yaml
index 2ff07f5..20494c5 100644
--- a/.gitea/workflows/01-deploy-proxmox-infra.yaml
+++ b/.gitea/workflows/01-deploy-proxmox-infra.yaml
@@ -80,57 +80,17 @@ jobs:
         run: pulumi package add terraform-provider marshallford/pfsense 0.22.0
         working-directory: 01-proxmox-infra
 
-      - name: Shutdown VMs
+      - name: Refresh State
         run: |
           pulumi login "$PULUMI_BACKEND_URL"
-          PVE1=$(pulumi stack output --stack dev --show-secrets pve1Endpoint)
-          TOKEN1=$(pulumi stack output --stack dev --show-secrets pve1ApiToken)
-          PVE2=$(pulumi stack output --stack dev --show-secrets pve2Endpoint)
-          TOKEN2=$(pulumi stack output --stack dev --show-secrets pve2ApiToken)
-          IDS=$(pulumi stack output --stack dev --json vmIds)
-          M1=$(echo "$IDS" | jq -r .master1)
-          M2=$(echo "$IDS" | jq -r .master2)
-          W1=$(echo "$IDS" | jq -r .worker1)
-          M3=$(echo "$IDS" | jq -r .master3)
-          W2=$(echo "$IDS" | jq -r .worker2)
-
-          for id in $M1 $M2 $W1; do
-            curl -sf -k -X POST "$PVE1/api2/json/nodes/pve/qemu/$id/status/shutdown" \
-              -H "Authorization: PVEAPIToken=$TOKEN1" || true
-          done
-          for id in $M3 $W2; do
-            curl -sf -k -X POST "$PVE2/api2/json/nodes/pve-bckp/qemu/$id/status/shutdown" \
-              -H "Authorization: PVEAPIToken=$TOKEN2" || true
-          done
-
-          wait_stopped() {
-            local ep=$1 tok=$2 node=$3 id=$4
-            for i in $(seq 1 36); do
-              status=$(curl -sf -k "$ep/api2/json/nodes/$node/qemu/$id/status/current" \
-                -H "Authorization: PVEAPIToken=$tok" | jq -r .data.status)
-              [ "$status" = "stopped" ] && return 0
-              sleep 5
-            done
-            echo "Timeout: VM $id did not stop within 3 minutes" && exit 1
-          }
-
-          for id in $M1 $M2 $W1; do wait_stopped "$PVE1" "$TOKEN1" pve "$id"; done
-          for id in $M3 $W2; do wait_stopped "$PVE2" "$TOKEN2" pve-bckp "$id"; done
+          pulumi refresh --yes --stack dev \
+            --target 'urn:pulumi:dev::proxmox-infra::proxmoxve*' \
+            --target 'urn:pulumi:dev::proxmox-infra::tls*'
         working-directory: 01-proxmox-infra
         env:
           PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
           PULUMI_BACKEND_URL: ${{ secrets.PULUMI_BACKEND_URL }}
 
-      - name: Refresh State
-        uses: pulumi/actions@v5
-        with:
-          command: refresh
-          stack-name: dev
-          work-dir: 01-proxmox-infra
-          cloud-url: ${{ secrets.PULUMI_BACKEND_URL }}
-        env:
-          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
-
       - name: Deploy
         uses: pulumi/actions@v5
         with:
diff --git a/01-proxmox-infra/CLAUDE.md b/01-proxmox-infra/CLAUDE.md
index e1c92b5..7182cc2 100644
--- a/01-proxmox-infra/CLAUDE.md
+++ b/01-proxmox-infra/CLAUDE.md
@@ -16,11 +16,9 @@ npm install
 pulumi preview
 
 # Sync Pulumi state with actual Proxmox state (run before up if resources were changed manually)
-# Note: shut down all k3s VMs in Proxmox first — refresh is slow against running VMs
 pulumi refresh --yes
 
 # Deploy infrastructure
-# Note: shut down all k3s VMs in Proxmox first, then run:
 pulumi refresh --yes && pulumi up --yes
 
 # Destroy infrastructure