diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 53ff2c1..8cb8d75 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,7 +1,4 @@ -# CI/CD Pipeline - NixOS VM Tests Only -# All tests run in isolated NixOS VMs with native services (no Docker) - -name: CI/CD +name: CI/CD Pipeline on: push: 
@@ -13,51 +10,45 @@ jobs: # NixOS VM integration tests (PostgreSQL + MinIO native services) nixos-vm-tests: name: VM Test - ${{ matrix.test }} - runs-on: nix + runs-on: nixos strategy: fail-fast: false matrix: test: - - backend-integration # Backend + PostgreSQL + MinIO - - full-stack # Complete API stack - - performance # Benchmarks - - security # Security suite + - backend-integration + - full-stack + - performance + - security steps: - # Repository is automatically cloned by Gitea Actions - - # Configure Attic binary cache + - name: Checkout repository + uses: actions/checkout@v4 + - name: Configure Attic cache run: | attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - attic use lan:webref - # Run NixOS VM test - - name: Run ${{ matrix.test }} + - name: Run NixOS VM test run: | - echo "🚀 Starting NixOS VM test: ${{ matrix.test }}" + echo "Running ${{ matrix.test }} test..." nix build .#checks.${{ matrix.test }} -L --accept-flake-config - echo "✅ Test passed" - # Push to Attic cache - name: Push to Attic cache if: success() run: | - attic push lan:webref result + nix build .#checks.${{ matrix.test }} --print-out-paths | attic push lan:webref --stdin - # Quick checks (no VM needed) + # Quick checks (linting & formatting) lint: name: Linting & Formatting - runs-on: nix + runs-on: nixos steps: - # Repository is automatically cloned by Gitea Actions - - # Configure Attic cache + - name: Checkout repository + uses: actions/checkout@v4 + - name: Configure Attic cache - run: | - attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - attic use lan:webref + run: attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - name: Backend - Ruff check run: nix develop --command bash -c "cd backend && ruff check app/" 
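Review bot: The added `run: attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }}` in the lint job, like the unchanged multi-line form in nixos-vm-tests, has the runner paste the secret into the script text before the shell parses it, so the token becomes unquoted shell input and sits in the generated step script. Supply it through the step environment instead: add `env:` with `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}` to the step and call `attic login lan http://127.0.0.1:2343 "$ATTIC_TOKEN"`. The token still reaches attic as a process argument, so this narrows the exposure on a shared runner rather than removing it. The same line is added in the unit-tests hunk (`@@ -80,19 +71,17 @@`) and the build hunk (`@@ -105,49 +94,51 @@`).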
@@ -65,8 +56,8 @@ jobs: - name: Backend - Ruff format check run: nix develop --command bash -c "cd backend && ruff format --check app/" - - name: Frontend - Install deps (if needed) - run: nix develop --command bash -c "cd frontend && [ -d node_modules ] || npm ci" + - name: Frontend - Install deps + run: nix develop --command bash -c "cd frontend && npm ci" - name: Frontend - ESLint run: nix develop --command bash -c "cd frontend && npm run lint" @@ -80,19 +71,17 @@ jobs: - name: Nix - Flake check run: nix flake check --accept-flake-config - # Unit tests (fast, no services needed) + # Unit tests unit-tests: name: Unit Tests - runs-on: nix + runs-on: nixos steps: - # Repository is automatically cloned by Gitea Actions - - # Configure Attic cache + - name: Checkout repository + uses: actions/checkout@v4 + - name: Configure Attic cache - run: | - attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - attic use lan:webref + run: attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - name: Backend unit tests run: | 
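Review bot: `npm ci` now runs on every lint run, and it executes the lifecycle scripts of every installed package in a job whose Configure Attic cache step has already run `attic login` with `ATTIC_TOKEN`. If attic persists that login in the user's config file, as it normally does, third-party install scripts can read a cache credential that the lint job has no visible use for. Where the lint toolchain works without install scripts, use `npm ci --ignore-scripts`. The unit-tests job gets the same change in the `@@ -105,49 +94,51 @@` hunk, and the lint job's step list starts outside this hunk.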
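Review bot: Dropping `attic use lan:webref` from the Configure Attic cache step leaves only `attic login`, which stores the credential but does not register the cache as a Nix substituter. Unless the runner's nix.conf or the flake's nixConfig already lists the cache, the unit-tests job no longer reads from it, and since the visible steps of this job never push either, the token is placed on the runner for no effect. Either keep the second command (`attic use lan:webref`) or delete the step from jobs that neither pull nor push. The lint hunk (`@@ -13,51 +10,45 @@`) and the build hunk (`@@ -105,49 +94,51 @@`) make the same removal, and the unit-tests job continues past the end of this hunk.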
@@ -105,49 +94,51 @@ jobs: --cov-fail-under=80 " - - name: Frontend - Install deps (if needed) - run: nix develop --command bash -c "cd frontend && [ -d node_modules ] || npm ci" + - name: Frontend - Install deps + run: nix develop --command bash -c "cd frontend && npm ci" - name: Frontend unit tests run: nix develop --command bash -c "cd frontend && npm run test:coverage" - # Verify packages build + # Build packages build: name: Build Packages - runs-on: nix + runs-on: nixos steps: - # Repository is automatically cloned by Gitea Actions - - # Configure Attic cache + - name: Checkout repository + uses: actions/checkout@v4 + - name: Configure Attic cache - run: | - attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - attic use lan:webref + run: attic login lan http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }} - name: Build backend package - run: nix build .#backend -L --accept-flake-config + run: | + echo "Building backend package..." + nix build .#backend -L --accept-flake-config - name: Push backend to Attic if: success() - run: attic push lan:webref result + run: nix build .#backend --print-out-paths | attic push lan:webref --stdin - - name: Build frontend package - run: nix build .#frontend -L --accept-flake-config + - name: Build frontend package + run: | + echo "Building frontend package..." + nix build .#frontend -L --accept-flake-config - name: Push frontend to Attic if: success() - run: attic push lan:webref result + run: nix build .#frontend --print-out-paths | attic push lan:webref --stdin # Summary summary: name: CI Summary - runs-on: nix + runs-on: nixos needs: [nixos-vm-tests, lint, unit-tests, build] if: always() steps: - - name: Results + - name: Check results run: | echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "📊 CI Pipeline Results"
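Review bot: `uses: actions/checkout@v4` references a tag that its publisher can move, so the code that runs first in the build job, ahead of the Attic login and the cache push, is not fixed by this repository. Pin the action to a full commit SHA and keep the version as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, with the SHA taken from a release you have reviewed. Which host the name resolves to depends on the Gitea instance's default actions URL, so confirm that as well. The same unpinned reference is added in the `@@ -13,51 +10,45 @@` and `@@ -80,19 +71,17 @@` hunks.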