diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8f8ec72..27f2f9e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -54,7 +54,12 @@ jobs:
 --name "/miti99bot/${STACK_ENV}/cron-shared-secret" \
 --with-decryption --query Parameter.Value --output text)
 echo "::add-mask::$CRON_SECRET"
- OVERRIDES="CronSharedSecret=$CRON_SECRET"
+ # Extract non-secret deploy params from samconfig.toml so it stays
+ # the single source of truth (CI's --parameter-overrides replaces,
+ # not merges with, samconfig.toml values).
+ BOT_OWNER_ID=$(sed -n 's/.*BotOwnerID=\\"\\([^\\]*\\)\\".*/\1/p' samconfig.toml)
+ ADMIN_USER_IDS=$(sed -n 's/.*AdminUserIDs=\\"\\([^\\]*\\)\\".*/\1/p' samconfig.toml)
+ OVERRIDES="CronSharedSecret=$CRON_SECRET BotOwnerID=$BOT_OWNER_ID AdminUserIDs=$ADMIN_USER_IDS"
 if [ -n "$ALERT_EMAIL" ]; then
 OVERRIDES="$OVERRIDES AlertEmail=$ALERT_EMAIL"
 fi
diff --git a/samconfig.toml b/samconfig.toml
index 7c98baa..14c7fc3 100644
--- a/samconfig.toml
+++ b/samconfig.toml
@@ -13,7 +13,7 @@ resolve_s3 = true
 s3_prefix = "miti99bot"
 # Secrets MUST live in SSM Parameter Store (see aws/README.md). Never put
 # them here — this file is committed.
-parameter_overrides = "StackEnv=\"prod\" ModulesCSV=\"util,misc,wordle,loldle,lolschedule,twentyq,trading\" BotOwnerID=\"1064111334\" AdminUserIDs=\"1064111334\" LambdaAdapterLayerArn=\"arn:aws:lambda:ap-southeast-1:753240598075:layer:LambdaAdapterLayerArm64:25\" AlertEmail=\"minhtienit99@gmail.com\""
+parameter_overrides = "StackEnv=\"prod\" ModulesCSV=\"util,misc,wordle,loldle,lolschedule,twentyq,trading,stats\" BotOwnerID=\"1064111334\" AdminUserIDs=\"1064111334\" LambdaAdapterLayerArn=\"arn:aws:lambda:ap-southeast-1:753240598075:layer:LambdaAdapterLayerArm64:25\" AlertEmail=\"minhtienit99@gmail.com\""
 image_repositories = []
 [default.validate.parameters]
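Review bot: In deploy.yml the two `sed` extractions for `BOT_OWNER_ID` and `ADMIN_USER_IDS` have no failure path: `sed -n … p` exits 0 and prints nothing when the pattern does not match, so a reformatted `parameter_overrides` line in samconfig.toml would deploy with `BotOwnerID=` and `AdminUserIDs=` empty, and these look like the parameters that decide who may administer the bot. Add a guard right after the two assignments that checks shape as well as presence, e.g. `case "$BOT_OWNER_ID" in ''|*[!0-9]*) echo "::error::BotOwnerID missing or malformed in samconfig.toml"; exit 1;; esac`, and the same for `ADMIN_USER_IDS` with `*[!0-9,]*`. The same check covers the opposite case, where more than one line of samconfig.toml matches (a second environment table, for instance) and the value comes back multi-line before being spliced unquoted into `OVERRIDES`. As rendered here the expressions write the group parentheses as `\\(` … `\\)`, which in basic regex would leave `\1` without a capture group, so it is worth confirming against the file that the pattern actually captures. The run block begins and ends outside the hunk, so how `OVERRIDES` reaches the deploy command is not visible.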