diff --git a/docker-compose.yml b/docker-compose.yml index 510004f..624a681 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -42,6 +42,7 @@ volumes: erpnext_sites: erpnext_logs: # Services + voice_session_data: embedding_models: services: @@ -78,8 +79,6 @@ services: depends_on: vault-agent: condition: service_started - extra_hosts: - - "breakpilot-edu-search:host-gateway" restart: unless-stopped networks: - breakpilot-network @@ -89,19 +88,20 @@ services: # ========================================================= vault: image: hashicorp/vault:1.15 + entrypoint: ["vault"] + command: server -config=/vault/config/config.hcl container_name: bp-core-vault ports: - "8200:8200" volumes: - vault_data:/vault/data + - ./vault/config.hcl:/vault/config/config.hcl:ro cap_add: - IPC_LOCK environment: - VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN:-breakpilot-dev-token} - VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200" VAULT_ADDR: "http://127.0.0.1:8200" healthcheck: - test: ["CMD", "vault", "status"] + test: ["CMD-SHELL", "vault status; test $? -le 2"] interval: 10s timeout: 5s retries: 3 @@ -113,14 +113,16 @@ services: image: hashicorp/vault:1.15 container_name: bp-core-vault-init volumes: - - ./vault/init-pki.sh:/init-pki.sh:ro + - ./vault/init-vault.sh:/vault/scripts/init-vault.sh:ro + - ./vault/init-pki.sh:/vault/scripts/init-pki.sh:ro + - ./vault/init-secrets.sh:/vault/scripts/init-secrets.sh:ro + - vault_data:/vault/data - vault_agent_config:/vault/agent/data - vault_certs:/vault/certs environment: VAULT_ADDR: "http://vault:8200" - VAULT_TOKEN: ${VAULT_TOKEN:-breakpilot-dev-token} entrypoint: /bin/sh - command: /init-pki.sh + command: /vault/scripts/init-vault.sh depends_on: vault: condition: service_healthy 
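Review bot: The new vault healthcheck `vault status; test $? -le 2` also passes on exit code 1, which `vault status` returns on an error such as the server not being reachable yet; only 0 (unsealed) and 2 (sealed) show that the server is answering. Because vault-init waits on `condition: service_healthy`, it can be started against a Vault that is not listening. `test: ["CMD-SHELL", "vault status; case $$? in 0|2) exit 0;; *) exit 1;; esac"]` keeps the sealed state healthy and rejects errors, with `$$` being the Compose escape for a literal `$`. Separately, the listener is still published as `"8200:8200"` on every host interface and addressed over `http://`. Whether TLS is enabled depends on config.hcl, which this diff does not show, so `"127.0.0.1:8200:8200"` is worth considering if only local access is needed.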
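Review bot: Mounting `vault_data:/vault/data` read-write into vault-init gives the init container direct access to Vault's storage volume, even though it already reaches Vault through `VAULT_ADDR: "http://vault:8200"`. init-vault.sh is not part of this diff. If the mount exists so the script can persist unseal keys or the root token, those would sit on the same volume as the data they protect, and a dedicated volume or an external secret store would be the safer place. If the script never touches /vault/data, the mount can be dropped. Either way, a comment above the line such as `# init-vault.sh writes <what> to /vault/data` would document why it is there.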
@@ -444,7 +446,7 @@ services: - "8099:8099" environment: PORT: 8099 - CHECK_SERVICES: "postgres:5432,valkey:6379,qdrant:6333,minio:9000,backend-core:8000,rag-service:8097,embedding-service:8087" + CHECK_SERVICES: "postgres:5432,valkey:6379,qdrant:6333,minio:9000,backend-core:8000,rag-service:8097,embedding-service:8087,voice-service:8091" depends_on: postgres: condition: service_healthy @@ -733,7 +735,7 @@ services: WOODPECKER_HOST: ${WOODPECKER_HOST:-http://macmini:8090} WOODPECKER_ADMIN: ${WOODPECKER_ADMIN:-pilotadmin} WOODPECKER_GITEA: "true" - WOODPECKER_GITEA_URL: http://gitea:3003 + WOODPECKER_GITEA_URL: http://macmini:3003 WOODPECKER_GITEA_CLIENT: ${WOODPECKER_GITEA_CLIENT:-} WOODPECKER_GITEA_SECRET: ${WOODPECKER_GITEA_SECRET:-} WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-woodpecker-secret} 
@@ -837,6 +839,48 @@ services: networks: - breakpilot-network + # ========================================================= + # VOICE SERVICE + # ========================================================= + voice-service: + build: + context: ./voice-service + dockerfile: Dockerfile + container_name: bp-core-voice-service + platform: linux/arm64 + expose: + - "8091" + volumes: + - voice_session_data:/app/data/sessions + environment: + PORT: 8091 + DATABASE_URL: postgresql://${POSTGRES_USER:-breakpilot}:${POSTGRES_PASSWORD:-breakpilot123}@postgres:5432/${POSTGRES_DB:-breakpilot_db} + VALKEY_URL: redis://valkey:6379/0 + KLAUSUR_SERVICE_URL: http://bp-lehrer-klausur-service:8086 + OLLAMA_BASE_URL: ${OLLAMA_BASE_URL:-http://host.docker.internal:11434} + OLLAMA_VOICE_MODEL: ${OLLAMA_VOICE_MODEL:-llama3.2} + ENVIRONMENT: ${ENVIRONMENT:-development} + JWT_SECRET: ${JWT_SECRET:-your-super-secret-jwt-key-change-in-production} + extra_hosts: + - "host.docker.internal:host-gateway" + depends_on: + postgres: + condition: service_healthy + valkey: + condition: service_started + healthcheck: + test: ["CMD", "curl", "-f", "http://127.0.0.1:8091/health"] + interval: 30s + timeout: 10s + start_period: 60s + retries: 3 + restart: unless-stopped + networks: + - breakpilot-network + + # ========================================================= + # NIGHT SCHEDULER + # ========================================================= night-scheduler: build: context: ./night-scheduler diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf index a06c2db..8a84f76 100644 --- a/nginx/conf.d/default.conf +++ b/nginx/conf.d/default.conf 
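Review bot: `JWT_SECRET: ${JWT_SECRET:-your-super-secret-jwt-key-change-in-production}` and the `breakpilot123` fallback inside `DATABASE_URL` let voice-service start with publicly known credentials whenever the variables are unset. `ENVIRONMENT` also defaults to `development`, so nothing in the file forces real values. Compose's required-variable form fails fast instead: `JWT_SECRET: ${JWT_SECRET:?JWT_SECRET must be set}`, and likewise `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` inside the URL. This would match the direction of the same commit, which removes the hard-coded Vault dev token.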
@@ -198,7 +198,57 @@ server { proxy_set_header X-Forwarded-Proto https; } - # Admin Lehrer Frontend + # SDK pages & API proxy → Compliance Admin + location /sdk/ { + set $upstream_compliance bp-compliance-admin:3000; + proxy_pass http://$upstream_compliance; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + location /api/sdk/ { + set $upstream_compliance bp-compliance-admin:3000; + proxy_pass http://$upstream_compliance; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_read_timeout 300s; + proxy_connect_timeout 60s; + } + + # Next.js static assets for SDK pages + location /_next/ { + set $upstream_admin_lehrer bp-lehrer-admin:3000; + proxy_pass http://$upstream_admin_lehrer; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # Try compliance admin as fallback for SDK chunks + proxy_intercept_errors on; + error_page 404 = @compliance_next; + } + + location @compliance_next { + set $upstream_compliance bp-compliance-admin:3000; + proxy_pass http://$upstream_compliance; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + + # Admin Lehrer Frontend (fallback for everything else) location / { set $upstream_admin_lehrer bp-lehrer-admin:3000; proxy_pass http://$upstream_admin_lehrer; 
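Review bot: In `location /sdk/`, `proxy_set_header Connection "upgrade";` is sent on every proxied request, not only on WebSocket handshakes, so ordinary page loads reach bp-compliance-admin with a header asking for a protocol upgrade. The usual pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context, with `proxy_set_header Connection $connection_upgrade;` here; whether such a map already exists is not visible in this hunk. The four new locations also repeat the same Host / X-Real-IP / X-Forwarded-* lines, which could move into one included snippet so they cannot drift apart. The enclosing server block starts and ends outside the hunk.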
@@ -533,7 +583,7 @@ server { ssl_prefer_server_ciphers off; location / { - set $upstream_edu_search breakpilot-edu-search:8088; + set $upstream_edu_search bp-lehrer-edu-search:8088; proxy_pass http://$upstream_edu_search; proxy_http_version 1.1; proxy_set_header Host $host;