diff --git a/.dockerignore b/.dockerignore index a99fe65..6c23e5a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,6 @@ +# Build descriptors (not application code) +Dockerfile* + # Version control .git .gitea diff --git a/.gitea/workflows/docker-publish.yml b/.gitea/workflows/docker-publish.yml index d5c77f0..20ce3e4 100644 --- a/.gitea/workflows/docker-publish.yml +++ b/.gitea/workflows/docker-publish.yml @@ -73,10 +73,30 @@ jobs: username: ${{ gitea.actor }} password: ${{ secrets.REGISTRY_TOKEN }} + # Build a single-arch image locally so Trivy can inspect it before the real push. + - name: Build local image for scanning + uses: docker/build-push-action@v5 + with: + context: . + target: final + platforms: linux/amd64 + load: true + tags: scan-target:${{ inputs.tag }} + cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ gitea.repository }}:buildcache + + - name: Scan image with Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: scan-target:${{ inputs.tag }} + format: table + exit-code: '1' + severity: CRITICAL,HIGH + - name: Build and push uses: docker/build-push-action@v5 with: context: . + target: final platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} diff --git a/Dockerfile b/Dockerfile index 4e66383..31bd56e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM dunglas/frankenphp:1-php8.4-alpine AS base RUN apk add --no-cache icu-dev libzip-dev \ - && docker-php-ext-install -j$(nproc) intl \ + && docker-php-ext-install -j$(nproc) intl zip \ && apk del icu-dev libzip-dev \ && apk add --no-cache curl icu-libs libzip 
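Review bot: `uses: aquasecurity/trivy-action@master` in the new scan step tracks a moving branch, so the gate that decides whether an image gets published can change underneath this repository (or be replaced by a compromised commit) without any diff here; pin it to a release tag or, better, a full commit SHA with the version recorded beside it, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # vX.Y.Z`, and consider the same treatment for `docker/build-push-action@v5`. Only the `linux/amd64` build is scanned while the push step builds `linux/amd64,linux/arm64`; Alpine package versions are normally identical across architectures, but the arm64 artifact itself is never inspected, which deserves a one-line comment on the scan step so nobody reads it as covering both images. With `exit-code: '1'` and no `ignore-unfixed`, the job also fails on CRITICAL/HIGH findings that Alpine has not shipped a fix for yet, so you may want `ignore-unfixed: true` (or a reviewed `.trivyignore`) to keep the gate actionable rather than permanently red. The rest of the job, including whatever follows the push, is outside this hunk.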
@@ -25,21 +25,6 @@ RUN composer dump-autoload --optimize --no-dev --no-interaction && \
     mkdir -p var/cache var/log && \
     APP_ENV=prod APP_SECRET=placeholder php bin/console cache:warmup --no-debug
 
-# ── dev stage (all deps + Xdebug, source is mounted at runtime) ───────────────
-FROM base AS dev
-COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
-RUN apk add --no-cache ${PHPIZE_DEPS} linux-headers \
-    && pecl install xdebug \
-    && docker-php-ext-enable xdebug \
-    && apk del ${PHPIZE_DEPS}
-COPY docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-xdebug.ini
-COPY docker/frankenphp/Caddyfile.dev /etc/caddy/Caddyfile
-COPY composer.json composer.lock* ./
-RUN composer install --no-scripts --no-interaction --prefer-dist
-EXPOSE 8080
-ENV APP_ENV=dev APP_DEBUG=1
-CMD ["frankenphp", "run", "--config", "/etc/caddy/Caddyfile"]
-
 # ── final (prod) stage — no composer binary ────────────────────────────────────
 FROM base AS final
 
@@ -47,7 +32,11 @@ RUN addgroup -S app && adduser -S -G app app
 COPY --from=build /app/vendor /app/vendor
 COPY --from=build /app/var/cache/prod /app/var/cache/prod
-COPY . .
+COPY bin/ ./bin/
+COPY config/ ./config/
+COPY public/ ./public/
+COPY src/ ./src/
+COPY composer.json composer.lock ./
 COPY docker/frankenphp/Caddyfile /etc/caddy/Caddyfile
 RUN mkdir -p var/cache/prod/pools var/log && chown -R app:app /app
diff --git a/Dockerfile.dev b/Dockerfile.dev
new file mode 100644
index 0000000..ed18145
--- /dev/null
+++ b/Dockerfile.dev
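Review bot: The five new `COPY` lines land root-owned and are then handed wholesale to the runtime user by the existing `chown -R app:app /app` on the hunk's last line, so `src/`, `config/`, `public/` and the copied `vendor/` all end up writable by the PHP process, and a compromised request handler can persist its own code into the image's code tree. Keep application code root-owned and give `app` only what it must write, e.g. `RUN mkdir -p var/cache/prod/pools var/log && chown -R app:app /app/var`; the explicit per-directory copies this commit introduces make that narrowing easy, and a recursive chown in a later layer also re-stores every copied file, so `COPY --chown=app:app` on the `var` copy is cheaper than chowning afterwards. Whether anything outside `var/` is written at runtime cannot be confirmed from this hunk (the `USER` switch and the rest of the stage are outside it), so check the Caddyfile and the Symfony cache/log configuration before tightening.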
@@ -0,0 +1,24 @@ +FROM dunglas/frankenphp:1-php8.4-alpine + +RUN apk add --no-cache icu-dev libzip-dev \ + && docker-php-ext-install -j$(nproc) intl zip \ + && apk del icu-dev libzip-dev \ + && apk add --no-cache curl icu-libs libzip + +COPY --from=composer:2 /usr/bin/composer /usr/bin/composer + +RUN apk add --no-cache ${PHPIZE_DEPS} linux-headers \ + && pecl install xdebug \ + && docker-php-ext-enable xdebug \ + && apk del ${PHPIZE_DEPS} + +WORKDIR /app + +COPY docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-xdebug.ini +COPY docker/frankenphp/Caddyfile.dev /etc/caddy/Caddyfile +COPY composer.json composer.lock* ./ +RUN composer install --no-scripts --no-interaction --prefer-dist + +EXPOSE 8080 +ENV APP_ENV=dev APP_DEBUG=1 +CMD ["frankenphp", "run", "--config", "/etc/caddy/Caddyfile"] diff --git a/docker-compose.override.yml b/docker-compose.override.yml index bce0fb4..78852c5 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml @@ -3,7 +3,7 @@ services: graph: build: - target: dev + dockerfile: Dockerfile.dev volumes: - .:/app - /app/vendor # keeps vendor from the dev image, not your local dir diff --git a/docker-compose.yml b/docker-compose.yml index bda6f6f..81d382c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -28,6 +28,7 @@ services: interval: 30s timeout: 5s retries: 3 + start_period: 10s volumes: cache:
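Review bot: The first `RUN` in the new `Dockerfile.dev` duplicates the `base` stage of `Dockerfile` verbatim (same `apk add` / `docker-php-ext-install -j$(nproc) intl zip` sequence), and nothing ties the two together now that the `dev` stage no longer builds `FROM base`, so the next extension added to production will silently be missing in dev or vice versa; add `# Keep in sync with the base stage in Dockerfile (PHP extensions and runtime libs)` above that `RUN`, or factor the shared stage into one file and build dev with `--target`. `pecl install xdebug` is unpinned, so the dev image changes on every rebuild; pin it (`pecl install xdebug-<version>`) like the rest of the toolchain. The image has no `USER`, so frankenphp runs as root with the repository bind-mounted and `APP_DEBUG=1` on `EXPOSE 8080`; that is usual for local development, but files the app writes into the mount will be root-owned on the host and the debug tooling is reachable from anything that can reach the published port, which is worth a one-line comment here and, in the compose override (outside this hunk), publishing the port on `127.0.0.1` only.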