diff --git a/charts/galust-ai-layer/Chart.lock b/charts/galust-ai-layer/Chart.lock
index 58857a2..40b6f4d 100644
--- a/charts/galust-ai-layer/Chart.lock
+++ b/charts/galust-ai-layer/Chart.lock
@@ -1,4 +1,7 @@
 dependencies:
+- name: strapi
+  repository: oci://oci.trueforge.org/truecharts
+  version: 18.9.0
 - name: base
   repository: https://dasmeta.github.io/helm
   version: 0.3.30
@@ -11,5 +14,5 @@ dependencies:
 - name: base
   repository: https://dasmeta.github.io/helm
   version: 0.3.30
-digest: sha256:3ae019b1c079a7732bc63cfa018197047452b090f2e5e1cc07ab1fb43b283f8c
-generated: "2026-05-13T14:31:30.015306+04:00"
+digest: sha256:9254d4312b54d6c0960468538a451fb3e6a0f9e5d0a7cc29d121a906263021e1
+generated: "2026-05-15T12:22:19.073404+04:00"
diff --git a/charts/galust-ai-layer/Chart.yaml b/charts/galust-ai-layer/Chart.yaml
index 01adcb4..8f5d404 100644
--- a/charts/galust-ai-layer/Chart.yaml
+++ b/charts/galust-ai-layer/Chart.yaml
@@ -2,14 +2,14 @@ apiVersion: v2
 name: galust-ai-layer
 description: Galust AI layer umbrella chart for Kubernetes clusters
 type: application
-version: 0.1.2
-appVersion: "0.1.2"
+version: 0.1.3
+appVersion: "0.1.3"
 
 dependencies:
-  - name: base
+  - name: strapi
     alias: backend
-    version: 0.3.30
-    repository: https://dasmeta.github.io/helm
+    version: 18.9.0
+    repository: oci://oci.trueforge.org/truecharts
     condition: backend.enabled
   - name: base
     alias: mcp
diff --git a/charts/galust-ai-layer/charts/strapi-18.9.0.tgz b/charts/galust-ai-layer/charts/strapi-18.9.0.tgz
new file mode 100644
index 0000000..4b4e134
Binary files /dev/null and b/charts/galust-ai-layer/charts/strapi-18.9.0.tgz differ
diff --git a/charts/galust-ai-layer/templates/NOTES.txt b/charts/galust-ai-layer/templates/NOTES.txt
index 193f80a..b38406d 100644
--- a/charts/galust-ai-layer/templates/NOTES.txt
+++ b/charts/galust-ai-layer/templates/NOTES.txt
@@ -2,7 +2,7 @@ Galust AI layer chart rendered for namespace {{ .Release.Namespace }}.
 
 Enabled components:
 {{- if .Values.backend.enabled }}
-- backend: {{ .Values.backend.fullnameOverride | default "backend" }}
+- strapi (backend): {{ .Values.backend.fullnameOverride | default "ai-layer-strapi" }}
 {{- end }}
 {{- if .Values.mcp.enabled }}
 - mcp: {{ .Values.mcp.fullnameOverride | default "mcp" }}
diff --git a/charts/galust-ai-layer/values.yaml b/charts/galust-ai-layer/values.yaml
index ee6b829..1b81273 100644
--- a/charts/galust-ai-layer/values.yaml
+++ b/charts/galust-ai-layer/values.yaml
@@ -1,19 +1,22 @@
 imagePullSecret:
   create: false
-  name: &imagePullSecretName ecr-secret
+  name: ecr-secret
   annotations: {}
   dockerConfigJson: ""
   dockerConfigJsonBase64: ""
 
-imagePullSecrets: &galustImagePullSecrets
-  - name: *imagePullSecretName
+# Do not use YAML anchors for this list. Helm stores release values as JSON;
+# a shared anchor makes every component point at the same slice and install fails with:
+# "json: unsupported value: encountered a cycle via map[string]interface {}".
+imagePullSecrets:
+  - name: ecr-secret
 
 ecrCredentialsRefresh:
   enabled: false
   schedule: "0 */6 * * *"
   registry: 565580475168.dkr.ecr.eu-central-1.amazonaws.com
   region: eu-central-1
-  secretName: *imagePullSecretName
+  secretName: ecr-secret
   image:
     repository: alpine
     tag: "3.20"
@@ -46,46 +49,63 @@ gatewayApi:
 zeroTrustMesh:
   enabled: false
 
+# Strapi backend (TrueCharts: oci://oci.trueforge.org/truecharts/strapi)
 backend:
   enabled: true
-  gatewayApi:
-    enabled: false
-  zeroTrustMesh:
-    enabled: false
-    allowTo: []
-  fullnameOverride: ai-layer-strapi
-  version: 0.1.0
-  appVersion: 0.1.0
+  global:
+    fullnameOverride: ai-layer-strapi
   image:
     repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-backend
     tag: latest
     pullPolicy: Always
-  imagePullSecrets: *galustImagePullSecrets
-  replicaCount: 1
-  containerPort: 1337
+  imagePullSecrets:
+    - name: ecr-secret
   service:
-    type: ClusterIP
-    port: 1337
+    main:
+      ports:
+        main:
+          port: 1337
   persistence:
-    uploads:
+    data:
       enabled: true
-      claimName: ai-layer-strapi-uploads
-      size: 20Gi
-      accessModes:
-        - ReadWriteOnce
-      storageClassName: ""
-      keepPvc: true
-  storage:
-    - persistentVolumeClaimName: ai-layer-strapi-uploads
-      accessModes:
-        - ReadWriteOnce
-      requestedSize: 20Gi
-      keepPvc: true
-  volumes:
-    - name: strapi-uploads
-      persistentVolumeClaim:
-        claimName: ai-layer-strapi-uploads
       mountPath: /opt/app/public/uploads
+  cnpg:
+    main:
+      enabled: true
+      user: strapi
+      database: strapi
+      monitoring:
+        enablePodMonitor: true
+      cluster:
+        instances: 2
+        resources:
+          requests:
+            cpu: 500m
+            memory: 2Gi
+          limits:
+            cpu: 2000m
+            memory: 4Gi
+        storage:
+          size: "20Gi"
+        walStorage:
+          size: "20Gi"
+        postgresql:
+          max_connections: "300"
+          logging_collector: "on"
+          log_min_duration_statement: "500ms"
+          log_statement: "none"
+          shared_buffers: "1GB"
+          work_mem: "8MB"
+          effective_cache_size: "4GB"
+          maintenance_work_mem: "128MB"
+          bgwriter_lru_maxpages: "1000"
+          bgwriter_lru_multiplier: "4.0"
+          checkpoint_timeout: "15min"
+          max_wal_size: "2GB"
+          checkpoint_completion_target: "0.9"
+          autovacuum_max_workers: "3"
+          autovacuum_naptime: "30s"
+          autovacuum_vacuum_cost_limit: "2000"
   resources:
     limits:
       cpu: 1500m
@@ -93,57 +113,52 @@ backend:
     requests:
       cpu: 1000m
       memory: 1000Mi
+  portal:
+    open:
+      enabled: true
   securityContext:
-    readOnlyRootFilesystem: false
-    runAsNonRoot: false
-    runAsUser: 0
-    runAsGroup: 0
-  envFrom:
-    secret: ai-layer-strapi
-  config:
-    PORT: "1337"
-    DATABASE_CLIENT: postgres
-    DATABASE_PORT: "5432"
-    DATABASE_NAME: strapi
-    DATABASE_USERNAME: strapi
-    STRAPI_DISABLE_UPDATE_NOTIFICATION: "true"
-    FAST_REFRESH: "false"
-    EXTRA_ARGS: ""
-    ADMIN_URL: *adminUrl
-    APP_HOST: 0.0.0.0
-    APP_URL: *adminUrl
-    BACKEND_URL: *apiUrl
-    ENV: production
-    HOST: 0.0.0.0
-    NODE_ENV: production
-    PUBLIC_URL: *apiUrl
-    STRAPI_ADMIN_BACKEND_URL: *apiUrl
-  extraEnv:
-    DATABASE_HOST:
-      secretKeyRef:
-        name: db-ai-layer-strapi
-        key: host
-    DATABASE_PASSWORD:
-      secretKeyRef:
-        name: db-ai-layer-strapi
-        key: password
-  ingress:
-    enabled: true
-    class: nginx
-    annotations:
-      kubernetes.io/tls-acme: "true"
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-      - host: *apiHost
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              servicePort: 1337
-    tls:
-      - secretName: com-galust-api-tls2
-        hosts:
-          - *apiHost
+    container:
+      readOnlyRootFilesystem: false
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 0
+  workload:
+    main:
+      podSpec:
+        containers:
+          main:
+            envFrom:
+              - secretRef:
+                  name: ai-layer-strapi
+                  expandObjectName: false
+            env:
+              PORT: "{{ .Values.service.main.ports.main.port }}"
+              DATABASE_CLIENT: postgres
+              DATABASE_PORT: 5432
+              DATABASE_NAME: "{{ .Values.cnpg.main.database }}"
+              DATABASE_HOST:
+                secretKeyRef:
+                  name: db-ai-layer-strapi
+                  key: host
+                  expandObjectName: false
+              DATABASE_USERNAME: "{{ .Values.cnpg.main.user }}"
+              DATABASE_PASSWORD:
+                secretKeyRef:
+                  name: db-ai-layer-strapi
+                  key: password
+                  expandObjectName: false
+              STRAPI_DISABLE_UPDATE_NOTIFICATION: true
+              FAST_REFRESH: false
+              EXTRA_ARGS: ""
+              ADMIN_URL: *adminUrl
+              APP_HOST: 0.0.0.0
+              APP_URL: *adminUrl
+              BACKEND_URL: *apiUrl
+              ENV: production
+              HOST: 0.0.0.0
+              NODE_ENV: production
+              PUBLIC_URL: *apiUrl
+              STRAPI_ADMIN_BACKEND_URL: *apiUrl
 
 mcp:
   enabled: true
@@ -159,7 +174,8 @@ mcp:
     repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-mcp
     tag: latest
     pullPolicy: Always
-  imagePullSecrets: *galustImagePullSecrets
+  imagePullSecrets:
+    - name: ecr-secret
   replicaCount: 1
   labels:
     version:
@@ -178,23 +194,6 @@ mcp:
     DEBUG_MCP_HEADER_FLOW: "true"
     OPENAPI_BASE_URL: *openapiBaseUrl
     OPENAPI_SPEC_URL: *openapiSpecUrl
-  ingress:
-    enabled: true
-    class: nginx
-    annotations:
-      kubernetes.io/tls-acme: "true"
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-      - host: *mcpHost
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              servicePort: 4002
-    tls:
-      - secretName: com-galust-mcp-tls2
-        hosts:
-          - *mcpHost
 
 mcpUseCase:
   enabled: true
@@ -210,7 +209,8 @@ mcpUseCase:
     repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-mcp-use-case
     tag: latest
     pullPolicy: Always
-  imagePullSecrets: *galustImagePullSecrets
+  imagePullSecrets:
+    - name: ecr-secret
   replicaCount: 1
   labels:
     version:
@@ -247,7 +247,8 @@ mcpProducts:
     repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-mcp-products
     tag: latest
     pullPolicy: Always
-  imagePullSecrets: *galustImagePullSecrets
+  imagePullSecrets:
+    - name: ecr-secret
   replicaCount: 1
   labels:
     version:
@@ -283,7 +284,8 @@ orchestrator:
     repository: 565580475168.dkr.ecr.eu-central-1.amazonaws.com/ai-layer-orchestrator
     tag: latest
     pullPolicy: Always
-  imagePullSecrets: *galustImagePullSecrets
+  imagePullSecrets:
+    - name: ecr-secret
   replicaCount: 1
   labels:
     version: