diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 4847ff3..5d7acb1 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -62,7 +62,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: check-secrets
 timeout-minutes: 30
- if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' }}
+ if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
 env:
 GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
 ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
@@ -90,7 +90,6 @@ jobs:
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 - name: Run database migrations
- if: ${{ needs.check-secrets.outputs.db_secret_ok == 'true' }}
 env:
 DATABASE_URL: ${{ secrets.DATABASE_URL }}
 run: bun run db:migrate
@@ -186,6 +185,18 @@ jobs:
 - name: Print configuration hint
 run: |
 echo "CD skipped: configure required GitHub secrets."
- echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT"
- echo "Optional for auto-migrations: DATABASE_URL"
+ echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, DATABASE_URL"
 echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI"
+
+ deploy-blocked-db:
+ name: Deploy blocked (missing DATABASE_URL)
+ runs-on: ubuntu-latest
+ needs: check-secrets
+ if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok != 'true' }}
+
+ steps:
+ - name: Fail fast on missing DATABASE_URL
+ run: |
+ echo "CD blocked: DATABASE_URL GitHub secret is required."
+ echo "This workflow now refuses to deploy without running migrations against the target database."
+ exit 1
diff --git a/apps/miniapp/nginx.conf b/apps/miniapp/nginx.conf
index 2dd7a67..db5f351 100644
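Review bot: With `db_secret_ok` added to the job-level `if`, no deploy can run without the production `DATABASE_URL` being configured, and the runbooks in this commit tell operators to store it as a repository secret, which is readable by any workflow run in the repository. If the job does not already name a protected environment (its remaining keys are outside the hunk), consider `environment: production` (name illustrative) with the secret moved to that environment, so branch and reviewer rules gate access to the database credential. The `check-secrets` job that computes `db_secret_ok` would then need a presence check that still works, so the two would have to change together.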
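Review bot: The migration step now runs on every deploy, and nothing in the hunk says what state the schema is left in if a later step fails. Going by the first-deploy runbook in this commit, migrations run before the images are built and pushed, so a failed build would presumably leave the live revision on a newer schema. I would state the contract in a comment above the step, e.g. `# Migrations must stay backward-compatible with the revision currently serving traffic; later steps can still fail.` Keeping `DATABASE_URL` in this step's `env` rather than the job's is the right scope and worth preserving.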
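Review bot: The new `deploy-blocked-db` job only echoes two lines and exits, yet it declares no `permissions:` key, so it inherits whatever the workflow or repository default grants (the top-level block is outside this hunk). Adding `permissions: {}` under `needs: check-secrets` leaves the fail-fast job with no GITHUB_TOKEN scope at all. A short `timeout-minutes: 5` would also match the explicit timeout the deploy job sets.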
--- a/apps/miniapp/nginx.conf
+++ b/apps/miniapp/nginx.conf
@@ -10,6 +10,11 @@ server {
 return 200 '{"ok":true}';
 }
+ location = /config.js {
+ add_header Cache-Control "no-store, no-cache, must-revalidate" always;
+ try_files $uri =404;
+ }
+
 location / {
 try_files $uri $uri/ /index.html;
 }
diff --git a/docs/runbooks/dev-setup.md b/docs/runbooks/dev-setup.md
index cf33352..01f16d5 100644
--- a/docs/runbooks/dev-setup.md
+++ b/docs/runbooks/dev-setup.md
@@ -82,7 +82,7 @@ bun run review:coderabbit
 - `GCP_PROJECT_ID`
 - `GCP_WORKLOAD_IDENTITY_PROVIDER`
 - `GCP_SERVICE_ACCOUNT`
- - optional for automated migrations: `DATABASE_URL`
+ - `DATABASE_URL`
 - Optional GitHub variables for deploy:
 - `GCP_REGION` (default `europe-west1`)
 - `ARTIFACT_REPOSITORY` (default `household-bot`)
diff --git a/docs/runbooks/first-deploy.md b/docs/runbooks/first-deploy.md
index 8d914ab..a9b35f8 100644
--- a/docs/runbooks/first-deploy.md
+++ b/docs/runbooks/first-deploy.md
@@ -62,7 +62,7 @@ Required for CD:
 - `GCP_WORKLOAD_IDENTITY_PROVIDER`
 - `GCP_SERVICE_ACCOUNT`
-Recommended:
+Required for a real deploy:
 - `DATABASE_URL`
@@ -152,7 +152,7 @@ Populate GitHub repository secrets with the Terraform outputs:
 - `GCP_PROJECT_ID`
 - `GCP_WORKLOAD_IDENTITY_PROVIDER`
 - `GCP_SERVICE_ACCOUNT`
-- optional `DATABASE_URL`
+- `DATABASE_URL`
 If you prefer the GitHub CLI:
@@ -177,7 +177,7 @@ You have two safe options:
 The workflow will:
-- optionally run `bun run db:migrate` if `DATABASE_URL` secret is configured
+- run `bun run db:migrate` before deploy
 - build and push bot and mini app images
 - deploy both Cloud Run services
diff --git a/docs/runbooks/migrations.md b/docs/runbooks/migrations.md
index 7a2efc7..ebcf761 100644
--- a/docs/runbooks/migrations.md
+++ b/docs/runbooks/migrations.md
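Review bot: The `add_header` inside the new `location = /config.js` block replaces, rather than extends, any `add_header` directives set at `server` or `http` level, because nginx inherits them only when the current level defines none of its own. The rest of the server block is outside this hunk, so if it sets response headers such as `X-Content-Type-Options` or a Content-Security-Policy, they would have to be repeated in this location (or pulled in through a shared `include`) for `/config.js` to keep them. Since this file is served uncached to every client, a comment such as `# config.js is fetched by every browser; it must contain public values only` above the block would record the constraint.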
@@ -47,8 +47,8 @@ bun run build
 ## CD behavior
-- CD deploy can run migrations before deploy **if** `DATABASE_URL` secret is present.
-- If `DATABASE_URL` is not set, deploy continues without auto-migration.
+- CD deploy runs migrations before deploy and now requires the `DATABASE_URL` GitHub secret.
+- If `DATABASE_URL` is missing, CD fails fast instead of deploying schema-dependent code without migrations.
 ## Safety rules
diff --git a/docs/specs/HOUSEBOT-062-first-deploy-runbook.md b/docs/specs/HOUSEBOT-062-first-deploy-runbook.md
index 2576c88..642f84d 100644
--- a/docs/specs/HOUSEBOT-062-first-deploy-runbook.md
+++ b/docs/specs/HOUSEBOT-062-first-deploy-runbook.md
@@ -45,7 +45,7 @@ Document the exact first-deploy sequence so one engineer can provision, deploy,
 ## Edge Cases and Failure Modes
 - First Terraform apply may not know the final mini app URL; runbook includes a second apply to set allowed origins.
-- Missing `DATABASE_URL` in GitHub secrets skips migration automation.
+- Missing `DATABASE_URL` in GitHub secrets blocks CD entirely so schema-dependent deploys cannot ship without migrations.
 - Scheduler jobs remain paused and dry-run by default to prevent accidental sends.
 ## Test Plan