diff --git a/docker-compose.yml b/docker-compose.yml
index 0e0c9167d..8d5cebab6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,6 +6,9 @@
 # ⚠️  First deploy: `docker compose up -d` creates the DB from scratch with
 #     all Supabase roles/schemas via the image's built-in init scripts, then
 #     runs app migrations from the mounted volume.
+#
+# 🔒  Port bindings are intentionally omitted — in Dokploy, Traefik handles
+#     external routing. Services communicate via the Docker network.
 
 services:
   # =====================================================
@@ -24,15 +27,16 @@ services:
     environment:
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
       POSTGRES_DB: postgres
-    ports:
-      - '${DB_PORT:-5432}:5432'
     healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U postgres -d postgres']
+      test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
       interval: 10s
       timeout: 5s
       retries: 10
 
-  # Run app migrations, seed, and dev patches after DB is healthy
+  # Run app migrations, seed, and dev patches after DB is healthy.
+  # Also ensures role passwords are set (idempotent) — covers the case
+  # where the DB volume already existed from a previous deployment and
+  # /docker-entrypoint-initdb.d/ scripts didn't re-run.
   supabase-db-migrate:
     image: supabase/postgres:15.8.1.060
     depends_on:
@@ -44,9 +48,13 @@ services:
       - ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
     environment:
       PGPASSWORD: ${POSTGRES_PASSWORD}
-    entrypoint: ['/bin/sh', '-c']
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    entrypoint: ["/bin/sh", "-c"]
     command:
       - |
+        echo "🔑 Ensuring role passwords are set (idempotent)..."
+        psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 -c "ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';" -c "CREATE SCHEMA IF NOT EXISTS _realtime;" -c "GRANT ALL ON SCHEMA _realtime TO supabase_admin;" -c "GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;" 2>&1 || true
+        echo ""
         echo "Running app migrations..."
         for sql in /app-migrations/*.sql; do
           echo "  → $$sql"
@@ -55,7 +63,7 @@ services:
         echo "✅ App migrations complete."
         echo ""
         sh /app-seed/dev-bootstrap.sh
-    restart: 'no'
+    restart: "no"
 
   # =====================================================
   # Supabase Auth (GoTrue)
@@ -66,6 +74,8 @@ services:
     depends_on:
       supabase-db:
         condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
     environment:
       GOTRUE_API_HOST: 0.0.0.0
       GOTRUE_API_PORT: 9999
@@ -92,15 +102,7 @@ services:
       GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify
       GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify
     healthcheck:
-      test:
-        [
-          'CMD',
-          'wget',
-          '--no-verbose',
-          '--tries=1',
-          '--spider',
-          'http://localhost:9999/health',
-        ]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9999/health"]
       interval: 10s
       timeout: 5s
       retries: 5
@@ -114,21 +116,20 @@ services:
     depends_on:
       supabase-db:
         condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
     environment:
       PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@supabase-db:5432/postgres
       PGRST_DB_SCHEMAS: public,storage,graphql_public
       PGRST_DB_ANON_ROLE: anon
       PGRST_JWT_SECRET: ${JWT_SECRET}
-      PGRST_DB_USE_LEGACY_GUCS: 'false'
+      PGRST_DB_USE_LEGACY_GUCS: "false"
     healthcheck:
-      test:
-        [
-          'CMD-SHELL',
-          'wget --no-verbose --tries=1 --spider http://localhost:3000/ || exit 1',
-        ]
+      test: ["CMD-SHELL", "head -c0 </dev/tcp/localhost/3000 || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 5
+      start_period: 15s
 
   # =====================================================
   # Supabase Realtime
@@ -139,6 +140,8 @@ services:
     depends_on:
       supabase-db:
         condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
     environment:
       PORT: 4000
       DB_HOST: supabase-db
@@ -146,20 +149,20 @@ services:
       DB_USER: supabase_admin
       DB_PASSWORD: ${POSTGRES_PASSWORD}
       DB_NAME: postgres
-      DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
+      DB_AFTER_CONNECT_QUERY: "SET search_path TO _realtime"
       DB_ENC_KEY: supabaserealtime
       API_JWT_SECRET: ${JWT_SECRET}
       SECRET_KEY_BASE: ${SECRET_KEY_BASE:-UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq}
-      ERL_AFLAGS: '-proto_dist inet_tcp'
+      ERL_AFLAGS: "-proto_dist inet_tcp"
       DNS_NODES: "''"
-      RLIMIT_NOFILE: '10000'
+      RLIMIT_NOFILE: "10000"
       APP_NAME: realtime
-      SEED_SELF_HOST: 'true'
+      SEED_SELF_HOST: "true"
       REPLICATION_MODE: RLS
       REPLICATION_POLL_INTERVAL: 100
-      SECURE_CHANNELS: 'true'
+      SECURE_CHANNELS: "true"
       SLOT_NAME: supabase_realtime_rls
-      TEMPORARY_SLOT: 'true'
+      TEMPORARY_SLOT: "true"
       MAX_RECORD_BYTES: 1048576
 
   # =====================================================
@@ -171,6 +174,8 @@ services:
     depends_on:
       supabase-db:
         condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
       supabase-rest:
         condition: service_started
       supabase-imgproxy:
@@ -191,14 +196,11 @@ services:
       GLOBAL_S3_BUCKET: stub
       IMGPROXY_URL: http://supabase-imgproxy:8080
     healthcheck:
-      test:
-        [
-          'CMD-SHELL',
-          'wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 1',
-        ]
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 5
+      start_period: 15s
 
   # =====================================================
   # Supabase imgproxy (image transformations)
@@ -207,10 +209,10 @@ services:
     image: darthsim/imgproxy:v3.8.0
     restart: unless-stopped
     environment:
-      IMGPROXY_BIND: ':8080'
+      IMGPROXY_BIND: ":8080"
       IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
-      IMGPROXY_USE_ETAG: 'true'
-      IMGPROXY_ENABLE_WEBP_DETECTION: 'true'
+      IMGPROXY_USE_ETAG: "true"
+      IMGPROXY_ENABLE_WEBP_DETECTION: "true"
 
   # =====================================================
   # Supabase pg_meta (DB introspection for Studio)
@@ -221,6 +223,8 @@ services:
     depends_on:
       supabase-db:
         condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
     environment:
       PG_META_PORT: 8080
       PG_META_DB_HOST: supabase-db
@@ -238,8 +242,6 @@ services:
     depends_on:
       - supabase-meta
       - supabase-kong
-    ports:
-      - '${STUDIO_PORT:-54323}:3000'
     environment:
       STUDIO_PG_META_URL: http://supabase-meta:8080
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@@ -250,19 +252,14 @@ services:
       SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY}
       SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
       AUTH_JWT_SECRET: ${JWT_SECRET}
-      NEXT_PUBLIC_ENABLE_LOGS: 'true'
+      NEXT_PUBLIC_ENABLE_LOGS: "true"
       NEXT_ANALYTICS_BACKEND_PROVIDER: postgres
     healthcheck:
-      test:
-        [
-          'CMD',
-          'node',
-          '-e',
-          "require('http').get('http://localhost:3000/api/profile', (r) => r.statusCode === 200 ? process.exit(0) : process.exit(1))",
-        ]
+      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/profile', (r) => r.statusCode === 200 ? process.exit(0) : process.exit(1))"]
       interval: 10s
       timeout: 5s
       retries: 5
+      start_period: 30s
 
   # =====================================================
   # Supabase Inbucket (Email testing)
@@ -270,8 +267,6 @@ services:
   supabase-inbucket:
     image: inbucket/inbucket:3.0.4
     restart: unless-stopped
-    ports:
-      - '${INBUCKET_PORT:-54324}:9000'
     volumes:
       - supabase-inbucket-data:/storage
 
@@ -286,14 +281,10 @@ services:
       - supabase-rest
       - supabase-storage
       - supabase-realtime
-    ports:
-      - '${KONG_HTTP_PORT:-8000}:8000'
-      - '${KONG_HTTPS_PORT:-8443}:8443'
-      - '${APP_PORT:-3000}:3000'
     entrypoint: >
       sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
     environment:
-      KONG_DATABASE: 'off'
+      KONG_DATABASE: "off"
       KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
       KONG_DNS_ORDER: LAST,A,CNAME
       KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
@@ -304,7 +295,7 @@ services:
     volumes:
       - ./docker/kong.yml:/var/lib/kong/kong.yml.tpl:ro
     healthcheck:
-      test: ['CMD', 'kong', 'health']
+      test: ["CMD", "kong", "health"]
       interval: 10s
       timeout: 5s
       retries: 5
@@ -316,32 +307,33 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+      args:
+        NEXT_PUBLIC_SITE_URL: ${SITE_URL:-https://myeasycms.de}
+        # Browser-side Supabase URL — goes through external domain (Traefik → Kong)
+        NEXT_PUBLIC_SUPABASE_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
+        NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
     restart: unless-stopped
     depends_on:
       supabase-kong:
         condition: service_healthy
       supabase-db-migrate:
         condition: service_completed_successfully
-    # App shares Kong's network namespace — localhost:8000 inside the container
-    # reaches Kong directly. This keeps the same URL for browser AND server,
-    # so Supabase cookie names match without any code changes.
-    network_mode: 'service:supabase-kong'
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_SITE_URL: ${SITE_URL:-http://localhost:3000}
-      NEXT_PUBLIC_SUPABASE_URL: http://localhost:8000
-      NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
+      # NEXT_PUBLIC_ vars are baked at build time — runtime values only apply
+      # to middleware/API routes. Don't override with Docker-internal URLs.
       SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
       SUPABASE_DB_WEBHOOK_SECRET: ${DB_WEBHOOK_SECRET:-webhooksecret}
       EMAIL_SENDER: ${EMAIL_SENDER:-noreply@myeasycms.de}
       NEXT_PUBLIC_PRODUCT_NAME: MyEasyCMS
       NEXT_PUBLIC_DEFAULT_LOCALE: de
-      NEXT_PUBLIC_ENABLE_THEME_TOGGLE: 'true'
-      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: 'true'
-      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: 'true'
-      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_BILLING: 'false'
-      NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING: 'false'
-      NEXT_PUBLIC_ENABLE_NOTIFICATIONS: 'true'
+      NEXT_PUBLIC_ENABLE_THEME_TOGGLE: "true"
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: "true"
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: "true"
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_BILLING: "false"
+      NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING: "false"
+      NEXT_PUBLIC_ENABLE_NOTIFICATIONS: "true"
 
 volumes:
   supabase-db-data: