diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index d6a21765..9423afba 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -346,6 +346,8 @@ jobs:
 SITE_DIR="/home/deploy/sites/klz-cables.com"
 elif [[ "$TARGET" == "testing" ]]; then
 SITE_DIR="/home/deploy/sites/testing.klz-cables.com"
+ elif [[ "$TARGET" == "staging" ]]; then
+ SITE_DIR="/home/deploy/sites/staging.klz-cables.com"
 else
 SITE_DIR="/home/deploy/sites/branch.klz-cables.com/${SLUG:-unknown}"
 fi
diff --git a/Dockerfile b/Dockerfile
index f0363222..9d2f5524 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,6 +41,8 @@ CMD ["pnpm", "dev:local"]
 # Build application
 # Stage 3: Builder (Production)
 FROM base AS builder
+# Limit memory to 2GB to prevent ResourceExhausted on 4GB runner
+ENV NODE_OPTIONS="--max-old-space-size=2048"
 RUN pnpm build
 # Stage 3: Runner
diff --git a/docker-compose.yml b/docker-compose.yml
index 0292f145..f9625253 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
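Review bot: In the Dockerfile hunk, the added comment says "Limit memory to 2GB", but `--max-old-space-size=2048` only caps the V8 old-space heap of each Node process; it is not a limit on what the build container uses, and any worker process that inherits the variable gets its own 2048 MB cap. I would reword the comment to `# Cap V8 old-space heap at 2048 MB per Node process; not a container memory limit`. Because the value is set with `ENV`, it also applies to every later instruction in the builder stage; if only the build step needs it, `RUN NODE_OPTIONS="--max-old-space-size=2048" pnpm build` keeps it scoped to that command. Whether later stages derive from `builder` is not visible in this hunk.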
@@ -66,6 +66,22 @@ services:
 - "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.authResponseHeaders=X-Auth-User"
 - "traefik.docker.network=infra"
+ # Gatekeeper Public Router (Login/Auth UI)
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathRegexp(`^/(login|gatekeeper)(/.*)?`)"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls=${TRAEFIK_TLS:-false}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.service=${PROJECT_NAME:-klz}-gatekeeper-svc"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.priority=2001"
+
+ # Gatekeeper Public Router (Login/Auth UI)
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathRegexp(`^/(login|gatekeeper)(/.*)?`)"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls=${TRAEFIK_TLS:-false}"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.service=${PROJECT_NAME:-klz}-gatekeeper-svc"
+ - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.priority=2001"
+
 klz-db:
 image: postgres:15-alpine
 restart: unless-stopped
diff --git a/next.config.mjs b/next.config.mjs
index 71e293a6..2b30c137 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -14,7 +14,6 @@ const nextConfig = {
 experimental: {
 optimizePackageImports: ['lucide-react', 'framer-motion', '@/components/ui'],
 },
- swcMinify: false,
 reactStrictMode: false,
 productionBrowserSourceMaps: false,
 logging: {
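Review bot: The "Gatekeeper Public Router" block is added twice, line for line identical, in the docker-compose.yml hunk; the second copy redefines the same six `-gatekeeper` router labels and should be dropped so that a later edit to one copy cannot silently diverge from the other. The `PathRegexp` pattern `^/(login|gatekeeper)(/.*)?` has no end anchor, so it also matches any path that merely begins with `/login` or `/gatekeeper`; with priority 2001 and no middleware label visible on this router, ending the pattern with `$` keeps the unauthenticated surface to the two intended prefixes. The router also takes the `TRAEFIK_TLS:-false` and `TRAEFIK_ENTRYPOINT:-web` defaults, so unless a deployment overrides them the login UI would be served without TLS, which is worth confirming per environment.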
@@ -75,14 +74,11 @@ const nextConfig = {
 key: 'Permissions-Policy',
 value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
 },
- ];
-
- if (isProd) {
- secureHeaders.push({
+ {
 key: 'Strict-Transport-Security',
 value: 'max-age=63072000; includeSubDomains; preload',
- });
- }
+ },
+ ];
 return [
 {
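Review bot: The `Strict-Transport-Security` entry is now emitted in every environment, because the `if (isProd)` guard around it is removed in this next.config.mjs hunk. With `max-age=63072000; includeSubDomains; preload`, any testing, staging or branch host that a browser reaches once over HTTPS is pinned to HTTPS for two years, while the Traefik labels in the docker-compose.yml hunk default TLS to off unless overridden. If sending it everywhere is intended, state that in a comment above the entry, e.g. `// HSTS is sent in all environments; every deployed host must serve valid TLS`; otherwise keep it conditional with `...(isProd ? [{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' }] : []),`. The enclosing function starts and ends outside the hunk, so whether `isProd` is still used elsewhere cannot be checked from here.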