diff --git a/.env.example b/.env.example
index 29672d7..fd45835 100644
--- a/.env.example
+++ b/.env.example
@@ -58,3 +58,15 @@
 # ── Eval system (optional) ─────────────────────────────────────────────────────
 # EVAL_DATA_DIR=debug/eval
+
+# ── gnexus-auth OAuth ────────────────────────────────────────────────────────────
+GNAUTH_BASE_URL=https://auth.your-domain.com
+GNAUTH_CLIENT_ID=
+GNAUTH_CLIENT_SECRET=
+GNAUTH_REDIRECT_URI=https://navi.your-domain.com/auth/callback
+
+# ── Auth encryption ──────────────────────────────────────────────────────────────
+# Fernet key for encrypting tokens in DB. Generate once with:
+# python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+# Must stay constant — changing it invalidates all stored sessions.
+NAVI_AUTH_ENCRYPTION_KEY=
diff --git a/navi/auth/_ddl.py b/navi/auth/_ddl.py
index 53f2ae9..8430136 100644
--- a/navi/auth/_ddl.py
+++ b/navi/auth/_ddl.py
@@ -1,5 +1,6 @@
 """Auth DDL — table creation for navi_users and user_auth_sessions."""
+import asyncpg
 _DDL = """
 CREATE TABLE IF NOT EXISTS navi_users (
@@ -28,9 +29,10 @@
 async def _ensure_auth_tables() -> None:
 """Create auth tables if they don't exist."""
- from navi.api.deps import get_session_store
+ from navi.config import settings
- store = get_session_store()
- pool = await store._get_pool()
- async with pool.acquire() as conn:
+ conn = await asyncpg.connect(settings.database_url)
+ try:
 await conn.execute(_DDL)
+ finally:
+ await conn.close()
diff --git a/navi/main.py b/navi/main.py
index a7c6007..1f2a53c 100644
--- a/navi/main.py
+++ b/navi/main.py
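Review bot: In `.env.example`, the comment above `NAVI_AUTH_ENCRYPTION_KEY` says changing the key invalidates all stored sessions, which leaves operators no rotation path if the key is ever exposed. `cryptography` provides `MultiFernet`, which decrypts with older keys while encrypting with the newest; if the loader can accept a key list, the comment should say so. I would also add `# Secret: keep the real value (and GNAUTH_CLIENT_SECRET) out of version control; startup should refuse an empty key.` Whether the code rejects an empty value is not visible in this diff.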
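Review bot: In `navi/auth/_ddl.py`, `_ensure_auth_tables` now opens its own connection with `asyncpg.connect(settings.database_url)`, so any TLS or connection options the session-store pool applied no longer cover this path unless they are encoded in the URL. That is an inference, since the pool setup is not part of the diff. The docstring should record the choice, e.g. `"""Create auth tables if they don't exist, over a dedicated short-lived connection (not the session-store pool)."""`. Running DDL at startup also means the application's runtime database role needs CREATE rights; if a separate migration role exists, this is the call that should use it.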
@@ -63,11 +63,12 @@
 from navi.content_store import ensure_tables
 from navi.session_files import cleanup_loop
 from navi.auth import _ensure_auth_tables
- # Ensure content store and auth tables exist (retry for race with Docker compose)
+ # Ensure auth tables first (navi_users is referenced by other DDL).
+ # Retry for race with Docker compose.
 for attempt in range(1, 6):
 try:
- await ensure_tables()
 await _ensure_auth_tables()
+ await ensure_tables()
 break
 except Exception as e:
 log = structlog.get_logger()
diff --git a/navi/memory/_ddl.py b/navi/memory/_ddl.py
index c59a1ce..fbb3444 100644
--- a/navi/memory/_ddl.py
+++ b/navi/memory/_ddl.py
@@ -16,7 +16,7 @@
 "ALTER TABLE memory_summary ADD COLUMN IF NOT EXISTS user_id TEXT REFERENCES navi_users(id) ON DELETE CASCADE",
 # Migrate unique constraint from (category, key) to (user_id, category, key)
 "DO $$ BEGIN IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'memory_facts_category_key_key') THEN ALTER TABLE memory_facts DROP CONSTRAINT memory_facts_category_key_key; END IF; END $$;",
- "ALTER TABLE memory_facts ADD CONSTRAINT IF NOT EXISTS memory_facts_user_cat_key UNIQUE (user_id, category, key)",
+ "DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'memory_facts_user_cat_key') THEN ALTER TABLE memory_facts ADD CONSTRAINT memory_facts_user_cat_key UNIQUE (user_id, category, key); END IF; END $$;",
 """CREATE TABLE IF NOT EXISTS memory_facts (
 id TEXT PRIMARY KEY,
 user_id TEXT REFERENCES navi_users(id) ON DELETE CASCADE,
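Review bot: In `navi/main.py`, the retry loop around `_ensure_auth_tables()` and `ensure_tables()` still catches bare `Exception`, so a permanent failure such as a permission or DDL error is retried as if it were a container-start race. The hunk ends at `log = structlog.get_logger()`, so what happens after the fifth attempt is not visible; if startup simply continues, the service would run without its auth tables. I would fail closed with a `for … else: raise RuntimeError("auth/content tables could not be created")` and narrow the handler to connection errors.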
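Review bot: In `navi/memory/_ddl.py`, the new guard looks up `pg_constraint` by `conname` alone, but constraint names are unique only per table, so a constraint named `memory_facts_user_cat_key` on another table or schema would make the block skip the `ADD CONSTRAINT` silently. Scope the check with `AND conrelid = 'memory_facts'::regclass`; the `DROP` guard on the line above has the same pattern. Separately, `user_id` is nullable in the `CREATE TABLE` that follows, and a UNIQUE over a nullable column treats NULLs as distinct, so rows without an owner are no longer deduplicated on `(category, key)` once the old constraint is dropped.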