diff --git a/base/devtools/vault-secrets.yaml b/base/devtools/vault-secrets.yaml
index 5da8bdb..3bd065e 100644
--- a/base/devtools/vault-secrets.yaml
+++ b/base/devtools/vault-secrets.yaml
@@ -21,7 +21,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/gitea
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: StatefulSet
name: gitea
diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml
index aa64b99..890e91b 100644
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -53,7 +53,7 @@ data:
# Real-time collaboration WebSocket (y-provider / Hocuspocus).
[[routes.paths]]
prefix = "/collaboration/ws/"
- backend = "http://docs-y-provider.lasuite.svc.cluster.local:4444"
+ backend = "http://docs-y-provider.lasuite.svc.cluster.local:443"
websocket = true
[[routes]]
diff --git a/base/lasuite/docs-values.yaml b/base/lasuite/docs-values.yaml
index 4050ae1..138c426 100644
--- a/base/lasuite/docs-values.yaml
+++ b/base/lasuite/docs-values.yaml
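Review bot: `refreshAfter: 5m` together with the existing `rolloutRestartTargets` on the `gitea` StatefulSet means any sync that changes the rendered Secret now triggers a rolling restart of a stateful workload up to twelve times an hour; before lowering the interval, confirm in a non-production cluster that a sync which only updates rotation metadata (the `ttl`/`last_vault_rotation` fields Vault returns for static roles) is not treated as a data change, and that the Vault static role's rotation period is well above 5m. The resource `kind` is above the hunk, so I cannot tell from here whether `allowStaticCreds` makes VSO follow the role's rotation schedule instead of `refreshAfter`; the same pattern is repeated in the other vault-secrets hunks of this commit. I would record the intent above `allowStaticCreds`: `# Vault-rotated static DB role: re-sync shortly after each rotation so the pod gets the new password before the old one stops working.`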
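Review bot: The new backend `http://docs-y-provider.lasuite.svc.cluster.local:443` pairs a plaintext `http` scheme with port 443, while `COLLABORATION_SERVER_URL` in docs-values.yaml in this same commit still points the Django backend at the same Service on port 4444; the two should agree unless the Service deliberately exposes both ports. If 443 on the y-provider Service is a TLS listener, Pingora will speak plaintext to it and the WebSocket upgrade will fail; if it is a plain port merely numbered 443, a comment saying so would stop the next reader from "fixing" the scheme. I cannot see the Service definition here, so I would add above the route, adjusted to what the Service actually declares: `# Service port 443 is plaintext (targetPort 4444); TLS terminates at the ingress.`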
@@ -118,11 +118,18 @@ backend:
secretKeyRef:
name: docs-django-secret
key: DJANGO_SECRET_KEY
- DJANGO_CONFIGURATION: Production
- ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
- DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
- DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
- LOGIN_REDIRECT_URL: /
+ DJANGO_CONFIGURATION: Production
+ ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
+ DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
+ DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
+ LOGIN_REDIRECT_URL: /
+ LOGOUT_REDIRECT_URL: /
+ FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
+ # Low cache timeout so theme changes propagate without pod restarts.
+ THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
+ # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+ # Lockout window: disabled identity cannot re-auth within 1h of expiry.
+ SESSION_COOKIE_AGE: "3600"
# ── Y-Provider ────────────────────────────────────────────────────────────
# Shared secret for backend ↔ y-provider auth.
@@ -132,12 +139,31 @@ backend:
key: secret
COLLABORATION_SERVER_URL: http://docs-y-provider.lasuite.svc.cluster.local:4444
+ themeCustomization:
+ enabled: true
+ # La Gaufre v2: point at our self-hosted integration service.
+ # DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
+ file_content:
+ header:
+ logo: {}
+ icon:
+ src: "/assets/icon-docs.svg"
+ style:
+ width: "32px"
+ height: "auto"
+ alt: ""
+ withTitle: true
+ waffle:
+ apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
+ widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
+ label: "O Estúdio"
+ closeLabel: "Fechar"
+ newWindowLabelSuffix: " · nova janela"
+
frontend:
envVars:
NEXT_PUBLIC_API_URL: https://docs.DOMAIN_SUFFIX
NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
- # La Gaufre app launcher — served from our self-hosted integration service.
- GAUFREJS_URL: https://integration.DOMAIN_SUFFIX/api/v1/gaufre.js
yProvider:
envVars:
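Review bot: The comment above `SESSION_COOKIE_AGE: "3600"` states the lockout bound backwards and depends on a setting not visible in this hunk: the actual property is that a disabled identity keeps its existing Django session until that session expires, so disablement takes effect within at most 1h — and only if the session is not renewed on every request (`SESSION_SAVE_EVERY_REQUEST`), because with a sliding expiry 1h is an idle timeout and an active disabled user is never logged out. The people-values hunk in this commit sets the same value without the lockout remark, so both should carry the same statement. I would rewrite the two comment lines as `# 1h sessions: silent OIDC re-auth via Kratos keeps active users logged in.` and `# Disablement window: a disabled identity keeps its Django session for up to 1h (absolute, not sliding — SESSION_SAVE_EVERY_REQUEST must stay off).`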
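Review bot: `widgetPath` loads `lagaufre.js` from `integration.DOMAIN_SUFFIX` into the Docs frontend, so that script runs with full access to the docs origin (DOM, same-origin API calls, any cookie not marked HttpOnly); the integration service is therefore inside the Docs trust boundary and its image and content need the same review and pinning as any other dependency, and the `script-src` of whatever CSP the ingress or frontend sets must allow that host or the waffle fails silently. Neither a CSP nor the integration image tag is visible here, so I cannot confirm either is handled. A one-line comment above `waffle:` would make the consequence explicit: `# Remote script executes in the docs origin — integration.DOMAIN_SUFFIX is part of the docs trust boundary; CSP script-src must allow it.` Separately, `COLLABORATION_SERVER_URL` in this hunk keeps port 4444 while the Pingora route in this commit moved the same Service to 443; confirm the Service exposes both or align them.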
diff --git a/base/lasuite/integration-deployment.yaml b/base/lasuite/integration-deployment.yaml
index 2d367c5..84abd63 100644
--- a/base/lasuite/integration-deployment.yaml
+++ b/base/lasuite/integration-deployment.yaml
@@ -21,7 +21,7 @@ data:
{
"services": [
{
- "name": "Documentos",
+ "name": "Docs",
"url": "https://docs.DOMAIN_SUFFIX",
"logo": "https://integration.DOMAIN_SUFFIX/logos/docs.svg"
},
diff --git a/base/lasuite/oidc-clients.yaml b/base/lasuite/oidc-clients.yaml
index f3b45fb..8507901 100644
--- a/base/lasuite/oidc-clients.yaml
+++ b/base/lasuite/oidc-clients.yaml
@@ -20,6 +20,8 @@ spec:
scope: openid email profile
redirectUris:
- https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
+ postLogoutRedirectUris:
+ - https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-docs
skipConsent: true
@@ -120,6 +122,8 @@ spec:
scope: openid email profile
redirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
+ postLogoutRedirectUris:
+ - https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-people
skipConsent: true
diff --git a/base/lasuite/people-values.yaml b/base/lasuite/people-values.yaml
index c525981..6590bda 100644
--- a/base/lasuite/people-values.yaml
+++ b/base/lasuite/people-values.yaml
@@ -125,8 +125,11 @@ backend:
ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
- # Redirect to frontend SPA root after successful OIDC login.
+ # Redirect to frontend SPA root after successful OIDC login/logout.
LOGIN_REDIRECT_URL: /
+ LOGOUT_REDIRECT_URL: /
+ # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+ SESSION_COOKIE_AGE: "3600"
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
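Review bot: `postLogoutRedirectUris` is only honoured when the RP sends the matching `post_logout_redirect_uri` together with an `id_token_hint` on the Hydra logout request; as far as I recall Hydra ignores the redirect parameter without a hint that identifies the client and falls back to the global `urls.logout` page, so the docs backend's logout view must actually pass the hint for this entry to matter. With `id_token: 5m` set in the same commit, the ID token the backend stored at login will normally be expired by the time the user logs out; Hydra is documented as accepting expired hints for logout, but that is worth a quick test before relying on this redirect. The same applies to the people client in the second hunk of this file. I would annotate the new key: `# Honoured only when the RP passes id_token_hint on RP-initiated logout.`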
diff --git a/base/lasuite/vault-secrets.yaml b/base/lasuite/vault-secrets.yaml
index 7c958aa..651f76a 100644
--- a/base/lasuite/vault-secrets.yaml
+++ b/base/lasuite/vault-secrets.yaml
@@ -44,7 +44,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/hive
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: hive
@@ -91,7 +92,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/people
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: people-backend
@@ -140,7 +142,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/docs
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: docs-backend
diff --git a/base/ory/hydra-values.yaml b/base/ory/hydra-values.yaml
index 3a3df77..a172b02 100644
--- a/base/ory/hydra-values.yaml
+++ b/base/ory/hydra-values.yaml
@@ -15,6 +15,14 @@ hydra:
logout: https://auth.DOMAIN_SUFFIX/logout
error: https://auth.DOMAIN_SUFFIX/error
+ ttl:
+ # Short access tokens — API-level auth window is tight.
+ access_token: 5m
+ id_token: 5m
+ # Refresh tokens last 30 days; Kratos session carries silent re-auth.
+ # Revoking a Kratos session (sunbeam user disable) prevents refresh.
+ refresh_token: 720h
+
serve:
cookies:
same_site_mode: Lax
diff --git a/base/ory/vault-secrets.yaml b/base/ory/vault-secrets.yaml
index 4ab996a..e39008d 100644
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
@@ -73,7 +73,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/kratos
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: kratos
@@ -123,7 +124,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/hydra
- refreshAfter: 1h
+ allowStaticCreds: true
+ refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: hydra
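Review bot: The comment `Revoking a Kratos session (sunbeam user disable) prevents refresh` above `refresh_token: 720h` claims a guarantee Hydra does not provide: the refresh grant is validated against Hydra's own consent session for the subject, not against the Kratos login session, so disabling an identity in Kratos leaves an already-issued 30-day refresh token usable until the subject's Hydra consent sessions are also revoked (admin API `DELETE /admin/oauth2/auth/sessions/consent?subject=<id>`), and nothing in this hunk does that. If the docs/people backends never use the refresh grant, a 720h lifetime is simply a long-lived credential sitting in Hydra's database and should be shortened; if they do, the disable runbook must include the consent revocation. I would replace the two comment lines with `# 30-day refresh tokens. Kratos disable does NOT revoke them — the disable runbook must also revoke the subject's Hydra consent sessions.` Note also that `id_token: 5m` means the `id_token_hint` RPs send at logout (see the postLogoutRedirectUris added in oidc-clients.yaml) will usually be expired; verify Hydra's logout endpoint accepts it.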