diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 4dd58f4..c0458ea 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -124,8 +124,11 @@ jobs:
             -p 8015:3000 \
             --restart unless-stopped \
             --name nextjs-app \
+            --network 1panel-network \
             -e NODE_ENV=production \
             -e DATABASE_URL=${{ secrets.DATABASE_URL }} \
+            -e NEXTAUTH_SECRET=${{ secrets.NEXTAUTH_SECRET }} \
+            -e NEXTAUTH_URL=${{ secrets.NEXTAUTH_URL }} \
             -e NEXT_TELEMETRY_DISABLED=1 \
             nextjs-app
 
diff --git a/ARCHITECTURE.md b/docs/ARCHITECTURE.md
similarity index 100%
rename from ARCHITECTURE.md
rename to docs/ARCHITECTURE.md
diff --git a/src/app/(dashboard)/dashboard/page.tsx b/src/app/(dashboard)/dashboard/page.tsx
index 484b2ec..ecc3ac2 100644
--- a/src/app/(dashboard)/dashboard/page.tsx
+++ b/src/app/(dashboard)/dashboard/page.tsx
@@ -3,11 +3,17 @@ import { auth } from "@/auth"
 
 export const dynamic = "force-dynamic"
 
+const normalizeRole = (value: unknown) => {
+  const role = String(value ?? "").trim().toLowerCase()
+  if (role === "admin" || role === "student" || role === "teacher" || role === "parent") return role
+  return "student"
+}
+
 export default async function DashboardPage() {
   const session = await auth()
   if (!session?.user) redirect("/login")
 
-  const role = String(session.user.role ?? "teacher")
+  const role = normalizeRole(session.user.role)
 
   if (role === "admin") redirect("/admin/dashboard")
   if (role === "student") redirect("/student/dashboard")
diff --git a/src/proxy.ts b/src/proxy.ts
index ea1a71d..e46643f 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -3,6 +3,12 @@ import type { NextAuthRequest } from "next-auth"
 
 import { auth } from "./auth"
 
+function normalizeRole(value: unknown) {
+  const role = String(value ?? "").trim().toLowerCase()
+  if (role === "admin" || role === "student" || role === "teacher" || role === "parent") return role
+  return "student"
+}
+
 function roleHome(role: string) {
   if (role === "admin") return "/admin/dashboard"
   if (role === "student") return "/student/dashboard"
@@ -21,7 +27,7 @@ export default auth((req: NextAuthRequest) => {
     return NextResponse.redirect(url)
   }
 
-  const role = String(session.user.role ?? "teacher")
+  const role = normalizeRole(session.user.role)
 
   if (pathname.startsWith("/admin/") && role !== "admin") {
     return NextResponse.redirect(new URL(roleHome(role), req.url))
@@ -42,4 +48,3 @@ export default auth((req: NextAuthRequest) => {
 export const config = {
   matcher: ["/dashboard", "/admin/:path*", "/teacher/:path*", "/student/:path*", "/parent/:path*", "/settings/:path*", "/profile"],
 }
-