diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..8666df5
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+target/
+**/node_modules/
+**/dist/
+.git/
+*.db
+*.db-wal
+*.db-shm
+.claude/
+docs/
diff --git a/infra/colony/docker-compose.yml b/infra/colony/docker-compose.yml
index 1868e83..3240ee2 100644
--- a/infra/colony/docker-compose.yml
+++ b/infra/colony/docker-compose.yml
@@ -9,23 +9,30 @@ services:
       - DATABASE_URL=sqlite:/data/colony.db?mode=rwc
     volumes:
       - colony_data:/data
-    ports:
-      - "3001:3001"
+    # No ports exposed — Caddy reverse proxies on internal network
+    expose:
+      - "3001"
     restart: always
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/api/health"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
 
   caddy:
-    image: caddy:latest
+    image: caddy:2.11
     container_name: colony-caddy
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - caddy_data:/data
       - caddy_config:/config
     restart: always
     depends_on:
-      - colony
+      colony:
+        condition: service_healthy
 
 volumes:
   colony_data: