diff --git a/docs/deploy.md b/docs/deploy.md index 6f43045..6900828 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -48,7 +48,7 @@ services: environment: HOME: /tmp volumes: - - /srv/configs//:/app/config:ro # (2)! + - /srv/config//:/app/config:ro # (2)! - /srv/logs//:/app/logs # (3)! - yourapp-data:/app/data # (4)! @@ -76,11 +76,14 @@ Everything host-side follows one shape: `/srv////`. | What | Where | How | | --- | --- | --- | -| Configs | `/srv/configs///` | bind mount, host-managed, read-only | +| Repo + compose | `/srv/docker///` | created by the git clone, not pre-provisioned | +| Config | `/srv/config///` | bind mount, host-managed, read-only | | Logs | `/srv/logs///` | bind mount; live + rolled, scraped | | Mounts (other host-visible data) | `/srv/mounts///` | bind mount, host-managed | | Caches, profiles, scratch | named volume | Docker manages ownership | +All `/srv/...` paths are owned by the `services` user (uid/gid **1337**). + !!! note "If your service won't start or its logs aren't persisting" That's usually a host-side bind-mount **ownership** thing — the kind of detail **we sort out at deploy time**, not something you need to chown or provision. @@ -143,13 +146,13 @@ services: !!! warning "Secrets never go in the image" We do **not** commit secrets (usually, lol). They stay **gitignored**, live on - the host at `/srv/configs///`, and are bind-mounted + the host at `/srv/config///`, and are bind-mounted **read-only** at runtime. Add them to `.dockerignore` so a `COPY . .` can't sweep them into a layer. Rotating a secret = edit the host file and restart. No rebuild. ```bash -vim /srv/configs///secrets.env # edit on the host +vim /srv/config///secrets.env # edit on the host docker compose restart yourapp # pick up the change — no rebuild ``` diff --git a/docs/workflow.md b/docs/workflow.md index c647626..ae49de5 100644 --- a/docs/workflow.md +++ b/docs/workflow.md 
@@ -56,7 +56,7 @@ with the right one per project. We solve that with **per-repo local git config** — run a small alias inside a repo to set its local user and the SSH key it pushes with (see -[per-project git identity](#per-project-git-identity) below). No global identity +[per-project git identity](#handy-shell-setup) below). No global identity juggling. Our conventions, in short:
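Review bot: a migration note is missing for the host path rename in the first `docs/deploy.md` hunk (`@@ -48,7 +48,7 @@`), where the bind-mount source goes from `/srv/configs/...` to `/srv/config/...`. With a short-syntax bind mount like this one, Docker creates a missing host directory instead of failing, so a host that still has only `/srv/configs` would start the service against an empty `/app/config`. Suggest adding a line that tells operators to move the existing directory before switching the compose file to the new path.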
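Review bot: the ownership claim added in the `@@ -76,11 +76,14 @@` hunk of `docs/deploy.md` is broader than the table supports. "All `/srv/...` paths are owned by the `services` user (uid/gid **1337**)" sits directly under the new `Repo + compose` row, which says `/srv/docker/...` is "created by the git clone, not pre-provisioned", so that path's owner depends on which account runs the clone. Suggest either stating that the clone is run as `services` or narrowing the sentence to the pre-provisioned paths. It would also help to say whether containers are expected to run as 1337, since the note that follows attributes startup and log-persistence failures to bind-mount ownership.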
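Review bot: the expected permissions of `secrets.env` are still undocumented in the `@@ -143,13 +146,13 @@` hunk of `docs/deploy.md`, which updates the path in both the warning and the `vim` line. The read-only bind mount only stops the container from modifying the file; it says nothing about who can read it on the host. Since this patch also documents that `/srv/...` is owned by `services` (1337), suggest stating here that the file should be readable by that user only. Separately, "(usually, lol)" in the context line undercuts a warning titled "Secrets never go in the image" and could be dropped while this block is being edited.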
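Review bot: link text and target no longer match in the `docs/workflow.md` hunk, where the anchor becomes `#handy-shell-setup` but the text still reads "per-project git identity", so the reader lands on a heading that differs from what was clicked. Suggest changing the text to name the target section, for example "see the identity alias under [handy shell setup](#handy-shell-setup)". The target heading is not part of this diff, so it is worth confirming the anchor resolves in the rendered page.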