diff --git a/README.md b/README.md
index 8b2f26b..1e05e59 100644
--- a/README.md
+++ b/README.md
@@ -4,29 +4,26 @@ Custom OpenClaw Gateway build for ARM64 with Google Workspace tools.
 ## What's in Here
-- `stack.yml` - Docker Swarm stack for Dokploy
+- `stack.yml` - Docker Swarm stack for Dokploy (pure named volumes)
 - `docker/` - Custom image build (ARM64 + gog + gcloud)
-- `config/` - Runtime configs (volume-mounted)
-- `secrets/` - Credentials (volume-mounted, gitignored)
 - `AGENTS.md` - Full deployment guide
 ## Quick Start
 ```bash
-# 1. Put your Google OAuth client secret in place
-cp /path/to/client_secret.json secrets/google-client-secret.json
-
-# 2. Build the custom image
+# 1. Build the custom image
 cd docker && ./build-arm64.sh
-# 3. Push to your registry
+# 2. Push to your registry
 docker tag openclaw:custom-arm64 registry.lan/openclaw:latest
 docker push registry.lan/openclaw:latest
-# 4. Deploy
-export OPENCLAW_IMAGE=registry.lan/openclaw:latest
+# 3. Deploy
 docker stack deploy -c stack.yml openclaw
+# 4. Copy in your Google client secret
+docker cp /path/to/client_secret.json $(docker ps -q -f name=openclaw-gateway):/home/node/.openclaw/google-client-secret.json
+
 # 5. Setup gog (Google Workspace)
 docker exec -it $(docker ps -q -f name=openclaw-gateway) setup-gog.sh
 docker exec -it $(docker ps -q -f name=openclaw-gateway) gog auth add you@gmail.com --services gmail,calendar,drive
@@ -39,14 +36,24 @@ docker exec -it $(docker ps -q -f name=openclaw-gateway) gog auth add you@gmail.
 - `jq`, `curl`, `htop`, `tree` - General utilities
 - SSH key persistence in named volume
-## Volumes
+## Volumes (Named Only)
 | Volume | Mount | Purpose |
 |--------|-------|---------|
-| `openclaw-config` | `/home/node/.openclaw` | OpenClaw runtime data |
+| `openclaw-config` | `/home/node/.openclaw` | Configs, secrets, SSH keys, gog tokens |
 | `openclaw-workspace` | `/home/node/.openclaw/workspace` | Agent workspace |
-| `gog-data` | `/data/gog` | gog OAuth tokens |
-| Host `./config` | `/data/config` | Config files (ro) |
-| Host `./secrets` | `/data/secrets` | Secrets (ro) |
+| `gog-data` | `/home/node/.openclaw/gog` | gog OAuth tokens (separate for clarity) |
+
+**To access files in volumes:**
+```bash
+# Copy in
+docker cp localfile.txt container:/home/node/.openclaw/
+
+# Copy out
+docker cp container:/home/node/.openclaw/file.txt .
+
+# Or exec in
+docker exec -it container bash
+```
 See `AGENTS.md` for full deployment details.
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 3e09213..3aaac3a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,6 +1,6 @@
 # OpenClaw Gateway - Custom ARM64 Build
 # Platform: linux/arm64
-# Configs are volume-mounted at runtime, not baked into image
+# All configs via named volumes - copy files in with docker cp
 FROM --platform=linux/arm64 ghcr.io/openclaw/openclaw:latest
@@ -25,7 +25,6 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
 && rm -rf /var/lib/apt/lists/*
 # Install gog (Google Workspace CLI) for ARM64
-# Using direct binary install since brew may not be available
 RUN GOG_VERSION=$(curl -s https://api.github.com/repos/steipete/gog/releases/latest | jq -r .tag_name) \
 && curl -L "https://github.com/steipete/gog/releases/download/${GOG_VERSION}/gog_Linux_arm64.tar.gz" \
 | tar -xz -C /usr/local/bin/ \
@@ -36,25 +35,13 @@ COPY docker/tools/* /usr/local/bin/
 COPY docker/bin/* /usr/local/bin/
 RUN chmod +x /usr/local/bin/*
-# Create directories for volume-mounted configs
-# These will be mounted at runtime with your secrets and configs
-RUN mkdir -p /data/config /data/secrets /data/gog \
- && chown -R node:node /data
+# Create directories in the persistent volume location
+RUN mkdir -p /home/node/.openclaw/ssh /home/node/.openclaw/gog \
+ && chown -R node:node /home/node/.openclaw
-# Set environment for config paths
-ENV OPENCLAW_CONFIG_DIR=/data/config
-ENV GOG_CONFIG_DIR=/data/gog
-ENV GOOGLE_APPLICATION_CREDENTIALS=/data/secrets/google-credentials.json
-
-# Link gog config to persistent location
-RUN ln -sf /data/gog /home/node/.config/gog
-
-# SSH keys will be stored in persistent volume
-# Create directory and symlink for SSH
-RUN mkdir -p /home/node/.openclaw/ssh \
+# Link gog config and ssh to standard locations
+RUN ln -sf /home/node/.openclaw/gog /home/node/.config/gog \
 && ln -sf /home/node/.openclaw/ssh /home/node/.ssh
 # Switch back to node user
 USER node
-
-# Default entrypoint from base image
diff --git a/docker/tools/setup-gog.sh b/docker/tools/setup-gog.sh
index 9c3f2c2..69f115a 100755
--- a/docker/tools/setup-gog.sh
+++ b/docker/tools/setup-gog.sh
@@ -1,14 +1,15 @@
 #!/bin/bash
 # setup-gog.sh - Initialize gog with credentials from volume
-# Run this after container starts and secrets are mounted
+# Usage: docker cp client_secret.json container:/home/node/.openclaw/
+# docker exec container setup-gog.sh
 set -e
-CREDS_FILE="/data/secrets/google-client-secret.json"
+CREDS_FILE="/home/node/.openclaw/google-client-secret.json"
 if [ ! -f "$CREDS_FILE" ]; then
 echo "ERROR: Google client secret not found at $CREDS_FILE"
- echo "Mount your secrets JSON to /data/secrets/google-client-secret.json"
+ echo "Copy it in first: docker cp client_secret.json \$(docker ps -q -f name=openclaw):/home/node/.openclaw/google-client-secret.json"
 exit 1
 fi
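Review bot: The new `RUN mkdir -p /home/node/.openclaw/ssh /home/node/.openclaw/gog` step in docker/Dockerfile creates both directories with the default mode, although after this change they are the targets of `/home/node/.ssh` and `/home/node/.config/gog` and so hold SSH keys and OAuth tokens. Adding `&& chmod 700 /home/node/.openclaw/ssh /home/node/.openclaw/gog` next to the `chown` would keep them private to the owner. This presumably only seeds a fresh named volume; a volume that already exists keeps whatever modes it has, so existing deployments would need the same chmod run once inside the container. A comment such as `# ssh/ and gog/ hold credentials: owner-only` above the RUN would record the intent.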
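Review bot: The guard in docker/tools/setup-gog.sh still tests only `[ ! -f "$CREDS_FILE" ]`, but now that the secret arrives through `docker cp` its owner and mode are whatever the copy produced, which can leave it unreadable to the `node` user or readable more widely than intended. I would add a readability check after the existence check, `[ -r "$CREDS_FILE" ] || { echo "ERROR: $CREDS_FILE is not readable by $(id -un)" >&2; exit 1; }`, and have the usage comment state that the file should end up mode 600 and owned by `node`. The hint in the error message filters on `name=openclaw` while the README uses `name=openclaw-gateway`; the broader filter can match more than one container, so the two should agree. The script continues past the end of this hunk, so what it does with the file afterwards is not visible here.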
diff --git a/stack.yml b/stack.yml
index 762aa27..4aa5a7e 100644
--- a/stack.yml
+++ b/stack.yml
@@ -8,18 +8,11 @@ services:
 TERM: xterm-256color
 OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
 MOONSHOT_API_KEY: ${MOONSHOT_API_KEY}
- OPENCLAW_CONFIG_DIR: /data/config
- GOG_CONFIG_DIR: /data/gog
- GOOGLE_APPLICATION_CREDENTIALS: /data/secrets/google-credentials.json
 GOG_ACCOUNT: ${GOG_ACCOUNT:-}
 volumes:
 - openclaw-config:/home/node/.openclaw
 - openclaw-workspace:/home/node/.openclaw/workspace
- # Mount configs and secrets from host (not baked into image)
- - ./config:/data/config:ro
- - ./secrets:/data/secrets:ro
- # gog OAuth tokens persist here
- - gog-data:/data/gog
+ - gog-data:/home/node/.openclaw/gog
 ports:
 - target: 18789
 published: ${OPENCLAW_GATEWAY_PORT:-18789}
@@ -37,9 +30,6 @@ services:
 - node.hostname == tpi-n1
 networks:
 - dokploy-network
- # Add Gitea SSH access (if needed for git operations)
- extra_hosts:
- - "gitea.bendtstudio.com:192.168.2.130"
 command: [ "node",
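Review bot: Dropping `./secrets:/data/secrets:ro` in the first stack.yml hunk means the Google client secret no longer reaches the container read-only; it now sits in the writable `openclaw-config` volume at `/home/node/.openclaw`, the same tree that holds runtime data and the nested agent workspace mount. Any process in the gateway container can then alter or replace the secret and configs, which the old `:ro` mounts prevented. Since this is a Swarm stack, a Swarm secret would restore that property: list it under `secrets:` on the service and declare it `external: true` at top level, which mounts it read-only under `/run/secrets/`; `CREDS_FILE` in setup-gog.sh would then point at that path. If the named volume is kept, a comment on the `openclaw-config` line noting that it carries credentials would help whoever backs up or shares that volume.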