diff --git a/nomad/jobs/chat.hcl b/nomad/jobs/chat.hcl
index ead8e71..7d6fd71 100644
--- a/nomad/jobs/chat.hcl
+++ b/nomad/jobs/chat.hcl
@@ -93,13 +93,14 @@ job "chat" {
 # tmpfs /tmp for runtime files (64MB)
 # pids_limit 128 (prevent fork bombs)
 # ReadonlyRootfs enforced via entrypoint script (fails if running as root)
- cap_drop = ["ALL"]
- tmpfs = ["/tmp:size=64m"]
- pids_limit = 128
 # Security options for sandbox hardening
 # apparmor=unconfined needed for Claude CLI ptrace access
 # no-new-privileges prevents privilege escalation
+ cap_drop = ["ALL"]
+ pids_limit = 128
 security_opt = ["apparmor=unconfined", "no-new-privileges"]
+ # tmpfs mount via volumes config (Nomad Docker driver)
+ volumes = ["tmpfs:/tmp:size=64m"]
 }
 # ── Volume mounts ──────────────────────────────────────────────────────
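Review bot: The added `volumes = ["tmpfs:/tmp:size=64m"]` does not produce a tmpfs: in the Nomad Docker driver `volumes` holds `host_path:container_path[:mode]` bind-mount specs, so `tmpfs` is taken as a host path (resolved relative to the allocation directory, as far as I recall the driver) and `size=64m` as the mount mode, which Docker will most likely reject as an invalid mode. If it were accepted, /tmp would become a disk-backed directory that outlives the container rather than the memory-backed, size-capped mount the context comment `# tmpfs /tmp for runtime files (64MB)` describes, which weakens the read-only-rootfs sandbox the surrounding comments document. The driver's `mount` block with `type = "tmpfs"` expresses the intended mount directly, and the comment on the new line should be corrected to match whatever construct is used. The enclosing `config` block presumably opens before this hunk.
```hcl
# … unchanged: cap_drop, pids_limit, security_opt …
# tmpfs /tmp for runtime files (64MB): memory-backed, size-capped, discarded with the container
mount {
  type   = "tmpfs"
  target = "/tmp"
  tmpfs_options {
    # size in bytes (64 MiB); confirm the unit against the driver version in use
    size = 67108864
  }
}
```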