diff --git a/.woodpecker.yml b/.woodpecker.yml
index 2bf6f3d..084a4db 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,19 +1,73 @@
 ---
 kind: pipeline
 type: docker
-name: staging-promotion
+name: prod-promotion
 
 steps:
-  - name: security-scan
+  - name: promote-tag-and-mirror
     image: google/cloud-sdk:latest
     entrypoint:
       - bash
       - -c
       - |
         set -euo pipefail
-        if [ "${PROMOTE:-}" = "prod" ]; then echo "⏭  staging path skipped during prod promotion"; exit 0; fi
-        IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)
-        REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
+        [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+
+        # Dev is the single source of truth for IMG_TAG
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
+        SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
+        DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
+
+        apt-get update -qq
+        apt-get install -y -qq docker.io
+        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+
+        for svc in server1 server2 server3 nginx; do
+          docker pull "$SRC/$svc:$IMG_TAG"
+          docker tag  "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
+          docker push "$DST/$svc:$IMG_TAG"
+        done
+
+        # Publish the exact tag to prod SM so deploy & scan read the same value
+        printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
+        echo "🏷  Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
+
+  - name: verify-sync
+    depends_on: [promote-tag-and-mirror]
+    image: google/cloud-sdk:latest
+    entrypoint:
+      - bash
+      - -c
+      - |
+        set -euo pipefail
+        [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
+        prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
+        [[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
+        echo "✅ Tag parity confirmed: $IMG_TAG"
+        # Ensure images truly exist in PROD AR
+        DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
+        apt-get update -qq && apt-get install -y -qq docker.io
+        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+        for svc in server1 server2 server3 nginx; do
+          docker pull "$DST/$svc:$IMG_TAG" >/dev/null
+        done
+        echo "✅ Prod AR has all images at :$IMG_TAG"
+
+  - name: security-scan
+    depends_on: [verify-sync]
+    image: google/cloud-sdk:latest
+    entrypoint:
+      - bash
+      - -c
+      - |
+        set -euo pipefail
+        # Guard so this file doesn't run unless you explicitly set PROMOTE=prod in the UI
+        [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+
+        # Scan the images that WILL be deployed: pull IMG_TAG from PROD
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
+        REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 
         apt-get update -qq
         apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
@@ -23,13 +77,12 @@ steps:
 
         gcloud auth configure-docker us-central1-docker.pkg.dev -q
 
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
 
-
-  - name: staging-deploy
+  - name: prod-deploy
     depends_on: [security-scan]
     image: google/cloud-sdk:latest
     entrypoint:
@@ -37,134 +90,93 @@ steps:
       - -c
       - |
         set -euo pipefail
-        if [ "${PROMOTE:-}" = "prod" ]; then echo "⏭  staging path skipped during prod promotion"; exit 0; fi
+        [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+
         mkdir -p ~/.ssh
 
-        # ── Inject known-hosts and SSH key ───────────────────────────────
-        gcloud secrets versions access latest \
-          --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
-          | base64 -d > ~/.ssh/known_hosts
-        chmod 644 ~/.ssh/known_hosts
+        # Pull SSH materials for PROD from aptivaai-dev SM (same pattern as staging)
 
         gcloud secrets versions access latest \
-          --secret=STAGING_SSH_KEY --project=aptivaai-dev \
+          --secret=PROD_SSH_KEY --project=aptivaai-dev \
           | base64 -d > ~/.ssh/id_ed25519
         chmod 600 ~/.ssh/id_ed25519
 
+        PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
+
+        # single source of truth for deploy as well
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
+ 
+
         echo "🔑 SSH prerequisites installed"
 
-        # ── SSH into staging and deploy ──────────────────────────────────
-        ssh -o StrictHostKeyChecking=yes \
-            -i ~/.ssh/id_ed25519 \
-            jcoakley@10.128.0.12 \
-            'set -euo pipefail; \
-             PROJECT=aptivaai-dev; \
-             ENV=staging; \
-             IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
-             export IMG_TAG; \
-             JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); \
-             export JWT_SECRET; \
-             OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); \
-             export OPENAI_API_KEY; \
-             ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); \
-             export ONET_USERNAME; \
-             ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); \
-             export ONET_PASSWORD; \
-             STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); \
-             export STRIPE_SECRET_KEY; \
-             STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); \
-             export STRIPE_PUBLISHABLE_KEY; \
-             STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); \
-             export STRIPE_WH_SECRET; \
-             STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); \
-             export STRIPE_PRICE_PREMIUM_MONTH; \
-             STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); \
-             export STRIPE_PRICE_PREMIUM_YEAR; \
-             STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); \
-             export STRIPE_PRICE_PRO_MONTH; \
-             STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); \
-             export STRIPE_PRICE_PRO_YEAR; \
-             DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); \
-             export DB_NAME; \
-             DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); \
-             export DB_HOST; \
-             DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); \
-             export DB_PORT; \
-             DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); \
-             export DB_USER; \
-             DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); \
-             export DB_PASSWORD; \
-             DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); \
-             export DB_SSL_CA; \
-             DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); \
-             export DB_SSL_CERT; \
-             DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); \
-             export DB_SSL_KEY; \
-             TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); \
-             export TWILIO_ACCOUNT_SID; \
-             TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); \
-             export TWILIO_AUTH_TOKEN; \
-             TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); \
-             export TWILIO_MESSAGING_SERVICE_SID; \
-             KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); \
-             export KMS_KEY_NAME; \
-             DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \
-             export DEK_PATH; \
-             SUPPORT_SENDGRID_API_KEY=$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project=$PROJECT); \
-             export SUPPORT_SENDGRID_API_KEY; \
-             GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); \
-             export GOOGLE_MAPS_API_KEY; \
-             SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); \
-             export SERVER1_PORT; \
-             SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); \
-             export SERVER2_PORT; \
-             SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); \
-             export SERVER3_PORT; \
-             ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); \
-             export ENV_NAME; \
-             CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); \
-             export CORS_ALLOWED_ORIGINS; \
-             APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); \
-             export APTIVA_API_BASE; \
-             TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); \
-             export TOKEN_MAX_AGE_MS; \
-             COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); \
-             export COOKIE_SECURE; \
-             COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); \
-             export COOKIE_SAMESITE; \
-             ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); \
-             export ACCESS_COOKIE_NAME; \
-             export FROM_SECRETS_MANAGER=true; \
-             \
-             # ── DEK sync: copy dev wrapped DEK into staging volume path ── \
-             if gcloud secrets describe WRAPPED_DEK_dev --project=$PROJECT >/dev/null 2>&1; then \
-               echo "🔁 Syncing dev DEK into staging volume"; \
-               gcloud secrets versions access latest --secret=WRAPPED_DEK_dev --project=$PROJECT > /tmp/dev_dek.enc; \
-               if [ -s /tmp/dev_dek.enc ]; then \
-                 sudo docker volume ls -q | grep -qx aptiva_dek_staging || sudo docker volume create aptiva_dek_staging >/dev/null; \
-                 sudo docker run --rm -v aptiva_dek_staging:/v -v /tmp:/host busybox sh -lc "set -e; mkdir -p /v/staging; cp -f /host/dev_dek.enc /v/staging/dek.enc; chown 1000:1000 /v/staging/dek.enc; chmod 400 /v/staging/dek.enc; rm -f /v/staging/dek.fpr; echo -n \"staging dek.enc bytes: \"; wc -c </v/staging/dek.enc; ls -l /v/staging"; \
-               else \
-                 echo "⚠️ WRAPPED_DEK_dev returned empty; skipping copy"; \
-               fi; \
-             else \
-               echo "ℹ️ WRAPPED_DEK_dev not found; leaving existing staging DEK alone"; \
-             fi; \
-             \
-             cd /home/jcoakley/aptiva-staging-app; \
-             sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
-               docker compose pull; \
-             sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
-               docker compose up -d --force-recreate --remove-orphans; \
-             echo "✅ Staging stack refreshed with tag $IMG_TAG"'
+        # ── SSH into PROD and deploy (NO DEK SYNC) ────────────────────────
+        ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
+          --project=aptivaai-prod --zone=us-central1-a \
+          --listen-on-stdin --verbosity=error" \
+          -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \
+          "$PROD_SSH_TARGET" \
+          'set -euo pipefail; \
+            PROJECT=aptivaai-prod; \
+            ENV=prod; \
+            export IMG_TAG='"$IMG_TAG"'; \
+            # sanity: ensure prod SM matches the single source (dev) before pull
+            prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
+            [ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \
+            \
+            # Pull all runtime secrets from aptivaai-prod
+            JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
+            OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \
+            ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); export ONET_USERNAME; \
+            ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); export ONET_PASSWORD; \
+            STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); export STRIPE_SECRET_KEY; \
+            STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); export STRIPE_PUBLISHABLE_KEY; \
+            STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); export STRIPE_WH_SECRET; \
+            STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_MONTH; \
+            STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PREMIUM_YEAR; \
+            STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_MONTH; \
+            STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); export STRIPE_PRICE_PRO_YEAR; \
+            DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); export DB_NAME; \
+            DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); export DB_HOST; \
+            DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); export DB_PORT; \
+            DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); export DB_USER; \
+            DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); export DB_PASSWORD; \
+            DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); export DB_SSL_CA; \
+            DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); export DB_SSL_CERT; \
+            DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); export DB_SSL_KEY; \
+            TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); export TWILIO_ACCOUNT_SID; \
+            TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); export TWILIO_AUTH_TOKEN; \
+            TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); export TWILIO_MESSAGING_SERVICE_SID; \
+            KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); export KMS_KEY_NAME; \
+            DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); export DEK_PATH; \
+            SUPPORT_SENDGRID_API_KEY=$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project=$PROJECT); export SUPPORT_SENDGRID_API_KEY; \
+            GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); export GOOGLE_MAPS_API_KEY; \
+            SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); export SERVER1_PORT; \
+            SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); export SERVER2_PORT; \
+            SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); export SERVER3_PORT; \
+            ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); export ENV_NAME; \
+            CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); export CORS_ALLOWED_ORIGINS; \
+            APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); export APTIVA_API_BASE; \
+            TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); export TOKEN_MAX_AGE_MS; \
+            COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); export COOKIE_SECURE; \
+            COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); export COOKIE_SAMESITE; \
+            ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); export ACCESS_COOKIE_NAME; \
+            export FROM_SECRETS_MANAGER=true; \
+            \
+            APP_DIR="/home/jcoakley_aptivaai_com"; \
+            cd "$APP_DIR"; \
+            gcloud auth configure-docker us-central1-docker.pkg.dev -q; \
+            sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
+              docker compose pull; \
+            sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
+              docker compose up -d --force-recreate --remove-orphans; \
+            echo "✅ Prod stack refreshed with tag $IMG_TAG"'
 
     secrets:
-      - STAGING_SSH_KEY
-      - STAGING_KNOWN_HOSTS
+      - PROD_SSH_KEY
+      - PROD_SSH_TARGET
 
 when:
   event:
-    - push
     - manual
   branch:
     - master
-    - dev-master