diff --git a/.gemini/GEMINI.md b/.gemini/GEMINI.md
index 6f8ccfa..7ec8724 100644
--- a/.gemini/GEMINI.md
+++ b/.gemini/GEMINI.md
@@ -96,7 +96,7 @@ Use `/slash-command` to trigger these workflows. Always prefer spec-driven devel
 ## 🚫 Forbidden Actions
 - DO NOT use SQL Triggers (Business logic must be in NestJS services).
-- DO NOT use `.env` files for production configuration (Use Docker environment variables).
+- DO NOT use `.env` files for production deployment — QNAP Container Station requires secrets directly in `docker-compose.yml` environment section.
 - DO NOT run database migrations — modify the schema SQL file directly.
 - DO NOT invent table names or columns — use ONLY what is defined in the schema SQL file.
 - DO NOT generate code that violates OWASP Top 10 security practices.
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index e56cc00..0c21919 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -46,8 +46,6 @@ jobs:
 echo "🔄 Updating Containers..."
 # Sync compose file จาก repo → app directory
 cp /share/np-dms/app/source/lcbp3/specs/04-Infrastructure-OPS/04-00-docker-compose/docker-compose-app.yml /share/np-dms/app/docker-compose-app.yml
- # ⚠️ .env ต้องมีค่าจริงอยู่บน QNAP แล้ว (ไม่ sync จาก repo เพราะ repo มีแค่ template)
- # ถ้ายังไม่มี: cp .env.example .env แล้วตั้งค่าจริง
 cd /share/np-dms/app
 # ⚠️ ลบ container เดิมที่อาจสร้างจาก Container Station
 docker rm -f backend frontend 2>/dev/null || true
diff --git a/AGENTS.md b/AGENTS.md
index e0d75f9..da5e8b6 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -68,7 +68,7 @@ You value **Data Integrity**, **Security**, and **Clean Architecture**.
 ## 🚫 Forbidden Actions
 - DO NOT use SQL Triggers (Business logic must be in NestJS services).
-- DO NOT use `.env` files for production configuration (Use Docker environment variables).
+- DO NOT use `.env` files for production deployment — QNAP Container Station requires secrets directly in `docker-compose.yml` environment section.
 - DO NOT run database migrations — modify the schema SQL file directly.
 - DO NOT invent table names or columns — use ONLY what is defined in the schema SQL file.
 - DO NOT generate code that violates OWASP Top 10 security practices.
diff --git a/CLAUDE.md b/CLAUDE.md
index ce2ee15..7b11cf5 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -70,7 +70,7 @@ Adhere to all ADRs in `specs/06-Decision-Records/`:
 ## 🚫 Forbidden Actions
 - DO NOT use SQL Triggers (Business logic must be in NestJS services).
-- DO NOT use `.env` files for production configuration (Use Docker environment variables).
+- DO NOT use `.env` files for production deployment — QNAP Container Station requires secrets directly in `docker-compose.yml` environment section.
 - DO NOT run database migrations — modify the schema SQL file directly.
 - DO NOT invent table names or columns — use ONLY what is defined in the schema SQL file.
 - DO NOT generate code that violates OWASP Top 10 security practices.
diff --git a/specs/04-Infrastructure-OPS/04-00-docker-compose/docker-compose-app.yml b/specs/04-Infrastructure-OPS/04-00-docker-compose/docker-compose-app.yml
index 86009ad..df14189 100644
--- a/specs/04-Infrastructure-OPS/04-00-docker-compose/docker-compose-app.yml
+++ b/specs/04-Infrastructure-OPS/04-00-docker-compose/docker-compose-app.yml
@@ -9,8 +9,8 @@
 # - search (services)
 # - npm (lcbp3-npm)
 # ============================================================
-# 🔒 SECURITY: ห้าม commit ค่า secrets จริงที่นี่
-# ใช้ Environment Variables ใน Container Station UI
+# 🔒 SECURITY: Secrets ใส่ตรงใน environment section เพราะ QNAP Container Station
+# ไม่รองรับ .env file — Repo ต้องเป็น Private เท่านั้น
 # ============================================================
 name: lcbp3
@@ -56,18 +56,18 @@ services:
 DB_PORT: '3306'
 DB_DATABASE: 'lcbp3'
 DB_USERNAME: 'center'
- DB_PASSWORD: '${DB_PASSWORD}'
+ DB_PASSWORD: 'Center#2025'
 # --- Redis ---
 REDIS_HOST: 'cache'
 REDIS_PORT: '6379'
- REDIS_PASSWORD: '${REDIS_PASSWORD}'
+ REDIS_PASSWORD: 'Center2025'
 # --- Elasticsearch ---
 ELASTICSEARCH_HOST: 'search'
 ELASTICSEARCH_PORT: '9200'
 # --- JWT ---
- JWT_SECRET: '${JWT_SECRET}'
+ JWT_SECRET: 'eebc122aa65adde8c76c6a0847d9649b2b67a06db1504693e6c912e51499b76e'
 JWT_EXPIRATION: '8h'
- JWT_REFRESH_SECRET: '${JWT_REFRESH_SECRET}'
+ JWT_REFRESH_SECRET: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2'
 # --- Numbering ---
 NUMBERING_LOCK_TIMEOUT: '5000'
 NUMBERING_RESERVATION_TTL: '300'
@@ -113,7 +113,7 @@ services:
 HOSTNAME: '0.0.0.0'
 PORT: '3000'
 # --- NextAuth ---
- AUTH_SECRET: '${AUTH_SECRET}'
+ AUTH_SECRET: 'eebc122aa65adde8c76c6a0847d9649b2b67a06db1504693e6c912e51499b76e'
 AUTH_URL: 'https://lcbp3.np-dms.work'
 networks:
 - lcbp3
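Review bot: The `+ DB_PASSWORD`, `+ REDIS_PASSWORD`, `+ JWT_SECRET` and `+ JWT_REFRESH_SECRET` lines in the `@@ -56,18 +56,18 @@` hunk, and `+ AUTH_SECRET` in `@@ -113,7 +113,7 @@`, write live credentials into a tracked compose file, where they persist in git history, every clone and every CI checkout regardless of repository visibility, so the "Repo ต้องเป็น Private เท่านั้น" comment added in `@@ -9,8 +9,8 @@` is not a control for this and the values should now be treated as exposed and rotated. The `.gitea/workflows/deploy.yaml` hunk copies this file to `/share/np-dms/app` and runs `docker` there, so if the following step (outside that hunk) invokes `docker compose`, the removed `DB_PASSWORD: '${DB_PASSWORD}'` form would still be resolved from the runner's environment or a host-side `.env` beside the compose file, which is the shape to keep, with values supplied out of band (or via Compose `secrets:`); the claim that Container Station cannot consume these cannot be verified from the diff. Independently of where they are stored, `JWT_SECRET` and `AUTH_SECRET` carry the same value and `JWT_REFRESH_SECRET` is a visibly sequential hex pattern rather than a random one, so a token signed for one consumer is valid for the other and the refresh secret has far less entropy than its length suggests; each should be a distinct, randomly generated value. The header comment would be more accurate as `# 🔒 SECURITY: never commit real secret values here — supply them via the deploy environment or a host-side .env; git history is not made safe by repo visibility`. Both `environment:` mappings continue outside their hunks.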