diff --git a/.claude/settings.local.json b/.claude/settings.local.json
deleted file mode 100644
index 73ebce0..0000000
--- a/.claude/settings.local.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(php artisan test:*)",
-      "Bash(php artisan:*)",
-      "Bash(./vendor/bin/phpunit:*)",
-      "Bash(cat:*)",
-      "Bash(npm run build:*)",
-      "WebFetch(domain:dev-tools.online)",
-      "WebSearch",
-      "Bash(curl:*)",
-      "Bash(git add:*)",
-      "Bash(git cherry-pick:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 10c5af9..15fc180 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,6 +10,13 @@ jobs:
     runs-on: ubuntu-latest
     name: Deploy via SFTP
 
+    env:
+      # Required at build time only: composer install runs package:discover,
+      # which boots the visitor-tracker package and trips its dashboard guard
+      # if no auth method is configured. The runner has no .env, so set this
+      # here to match prod posture (server's .env handles the actual setting).
+      VISITOR_TRACKER_ALLOW_UNPROTECTED: true
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4