diff --git a/docker-compose.local.yml b/docker-compose.local.yml
new file mode 100644
index 000000000..6bcef2d68
--- /dev/null
+++ b/docker-compose.local.yml
@@ -0,0 +1,357 @@
+# MyEasyCMS v2 — Docker Compose for LOCAL DEVELOPMENT
+#
+# Usage: docker compose -f docker-compose.local.yml up -d
+#
+# Differences from production docker-compose.yml:
+#   - App URL is http://localhost:3000 (no HTTPS requirement)
+#   - All ports exposed on localhost for debugging
+#   - NEXT_PUBLIC_CI=true bypasses HTTPS validation in build
+#   - Supabase Studio accessible at http://localhost:54323
+#   - Inbucket (email) accessible at http://localhost:54324
+#   - Kong API Gateway at http://localhost:8000
+
+services:
+  # =====================================================
+  # Supabase Postgres
+  # =====================================================
+  supabase-db:
+    image: supabase/postgres:15.8.1.060
+    restart: unless-stopped
+    ports:
+      - '54322:5432'
+    volumes:
+      - supabase-db-data:/var/lib/postgresql/data
+      - ./docker/db/zzz-role-passwords.sh:/docker-entrypoint-initdb.d/zzz-role-passwords.sh:ro
+      - ./apps/web/supabase/migrations:/app-migrations:ro
+    environment:
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: postgres
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres -d postgres']
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
+  # Run app migrations + seed
+  supabase-db-migrate:
+    image: supabase/postgres:15.8.1.060
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+    volumes:
+      - ./apps/web/supabase/migrations:/app-migrations:ro
+      - ./apps/web/supabase/seed.sql:/app-seed/seed.sql:ro
+      - ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
+    environment:
+      PGPASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+    entrypoint: ['/bin/sh', '-c']
+    command:
+      - |
+        echo "🔑 Ensuring role passwords are set..."
+        psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 -c "ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD:-postgres}';" -c "ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD:-postgres}';" -c "ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD:-postgres}';" -c "ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD:-postgres}';" -c "ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD:-postgres}';" -c "CREATE SCHEMA IF NOT EXISTS _realtime;" -c "GRANT ALL ON SCHEMA _realtime TO supabase_admin;" -c "GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;" 2>&1 || true
+        echo ""
+        echo "Running app migrations..."
+        for sql in /app-migrations/*.sql; do
+          echo "  → $$sql"
+          psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 -f "$$sql" 2>&1 || true
+        done
+        echo "✅ App migrations complete."
+        echo ""
+        sh /app-seed/dev-bootstrap.sh
+    restart: 'no'
+
+  # =====================================================
+  # Supabase Auth (GoTrue)
+  # =====================================================
+  supabase-auth:
+    image: supabase/gotrue:v2.172.1
+    restart: unless-stopped
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+    environment:
+      GOTRUE_API_HOST: 0.0.0.0
+      GOTRUE_API_PORT: 9999
+      API_EXTERNAL_URL: http://localhost:8000
+      GOTRUE_DB_DRIVER: postgres
+      GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD:-postgres}@supabase-db:5432/postgres?search_path=auth
+      GOTRUE_SITE_URL: http://localhost:3000
+      GOTRUE_URI_ALLOW_LIST: ''
+      GOTRUE_DISABLE_SIGNUP: 'false'
+      GOTRUE_JWT_ADMIN_ROLES: service_role
+      GOTRUE_JWT_AUD: authenticated
+      GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
+      GOTRUE_JWT_EXP: 3600
+      GOTRUE_JWT_SECRET: ${JWT_SECRET:-super-secret-jwt-token-with-at-least-32-characters-long}
+      GOTRUE_EXTERNAL_EMAIL_ENABLED: true
+      GOTRUE_MAILER_AUTOCONFIRM: 'true'
+      GOTRUE_SMTP_HOST: supabase-inbucket
+      GOTRUE_SMTP_PORT: 2500
+      GOTRUE_SMTP_USER: ''
+      GOTRUE_SMTP_PASS: ''
+      GOTRUE_SMTP_ADMIN_EMAIL: admin@localhost
+      GOTRUE_MAILER_URLPATHS_INVITE: /auth/v1/verify
+      GOTRUE_MAILER_URLPATHS_CONFIRMATION: /auth/v1/verify
+      GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify
+      GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify
+    healthcheck:
+      test:
+        [
+          'CMD',
+          'wget',
+          '--no-verbose',
+          '--tries=1',
+          '--spider',
+          'http://localhost:9999/health',
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # =====================================================
+  # Supabase REST (PostgREST)
+  # =====================================================
+  supabase-rest:
+    image: postgrest/postgrest:v12.2.8
+    restart: unless-stopped
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+    environment:
+      PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD:-postgres}@supabase-db:5432/postgres
+      PGRST_DB_SCHEMAS: public,storage,graphql_public
+      PGRST_DB_ANON_ROLE: anon
+      PGRST_JWT_SECRET: ${JWT_SECRET:-super-secret-jwt-token-with-at-least-32-characters-long}
+      PGRST_DB_USE_LEGACY_GUCS: 'false'
+    healthcheck:
+      test: ['CMD-SHELL', 'head -c0 </dev/tcp/localhost/3000 || exit 1']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 15s
+
+  # =====================================================
+  # Supabase Realtime
+  # =====================================================
+  supabase-realtime:
+    image: supabase/realtime:v2.33.70
+    restart: unless-stopped
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+    environment:
+      PORT: 4000
+      DB_HOST: supabase-db
+      DB_PORT: 5432
+      DB_USER: supabase_admin
+      DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      DB_NAME: postgres
+      DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
+      DB_ENC_KEY: supabaserealtime
+      API_JWT_SECRET: ${JWT_SECRET:-super-secret-jwt-token-with-at-least-32-characters-long}
+      SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq
+      ERL_AFLAGS: '-proto_dist inet_tcp'
+      DNS_NODES: "''"
+      RLIMIT_NOFILE: '10000'
+      APP_NAME: realtime
+      SEED_SELF_HOST: 'true'
+      REPLICATION_MODE: RLS
+      REPLICATION_POLL_INTERVAL: 100
+      SECURE_CHANNELS: 'true'
+      SLOT_NAME: supabase_realtime_rls
+      TEMPORARY_SLOT: 'true'
+      MAX_RECORD_BYTES: 1048576
+
+  # =====================================================
+  # Supabase Storage
+  # =====================================================
+  supabase-storage:
+    image: supabase/storage-api:v1.22.7
+    restart: unless-stopped
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+      supabase-rest:
+        condition: service_started
+      supabase-imgproxy:
+        condition: service_started
+    volumes:
+      - supabase-storage-data:/var/lib/storage
+    environment:
+      ANON_KEY: ${SUPABASE_ANON_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0}
+      SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU}
+      POSTGREST_URL: http://supabase-rest:3000
+      PGRST_JWT_SECRET: ${JWT_SECRET:-super-secret-jwt-token-with-at-least-32-characters-long}
+      DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD:-postgres}@supabase-db:5432/postgres
+      FILE_SIZE_LIMIT: 52428800
+      STORAGE_BACKEND: file
+      FILE_STORAGE_BACKEND_PATH: /var/lib/storage
+      TENANT_ID: stub
+      REGION: local
+      GLOBAL_S3_BUCKET: stub
+      IMGPROXY_URL: http://supabase-imgproxy:8080
+    healthcheck:
+      test:
+        [
+          'CMD-SHELL',
+          'wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 1',
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 15s
+
+  # =====================================================
+  # Supabase imgproxy
+  # =====================================================
+  supabase-imgproxy:
+    image: darthsim/imgproxy:v3.8.0
+    restart: unless-stopped
+    environment:
+      IMGPROXY_BIND: ':8080'
+      IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
+      IMGPROXY_USE_ETAG: 'true'
+      IMGPROXY_ENABLE_WEBP_DETECTION: 'true'
+
+  # =====================================================
+  # Supabase pg_meta (for Studio)
+  # =====================================================
+  supabase-meta:
+    image: supabase/postgres-meta:v0.84.2
+    restart: unless-stopped
+    depends_on:
+      supabase-db:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+    environment:
+      PG_META_PORT: 8080
+      PG_META_DB_HOST: supabase-db
+      PG_META_DB_PORT: 5432
+      PG_META_DB_NAME: postgres
+      PG_META_DB_USER: supabase_admin
+      PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+
+  # =====================================================
+  # Supabase Studio (Dashboard) — localhost:54323
+  # =====================================================
+  supabase-studio:
+    image: supabase/studio:latest
+    restart: unless-stopped
+    ports:
+      - '54323:3000'
+    depends_on:
+      - supabase-meta
+      - supabase-kong
+    environment:
+      STUDIO_PG_META_URL: http://supabase-meta:8080
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      DEFAULT_ORGANIZATION_NAME: MyEasyCMS
+      DEFAULT_PROJECT_NAME: MyEasyCMS v2 (Local)
+      SUPABASE_URL: http://supabase-kong:8000
+      SUPABASE_PUBLIC_URL: http://localhost:8000
+      SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0}
+      SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU}
+      AUTH_JWT_SECRET: ${JWT_SECRET:-super-secret-jwt-token-with-at-least-32-characters-long}
+      NEXT_PUBLIC_ENABLE_LOGS: 'true'
+      NEXT_ANALYTICS_BACKEND_PROVIDER: postgres
+
+  # =====================================================
+  # Supabase Inbucket (Email testing) — localhost:54324
+  # =====================================================
+  supabase-inbucket:
+    image: inbucket/inbucket:3.0.4
+    restart: unless-stopped
+    ports:
+      - '54324:9000'
+    volumes:
+      - supabase-inbucket-data:/storage
+
+  # =====================================================
+  # Supabase Kong (API Gateway) — localhost:8000
+  # =====================================================
+  supabase-kong:
+    image: kong:2.8.1
+    restart: unless-stopped
+    ports:
+      - '8000:8000'
+      - '8443:8443'
+    depends_on:
+      - supabase-auth
+      - supabase-rest
+      - supabase-storage
+      - supabase-realtime
+    entrypoint: >
+      sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
+    environment:
+      KONG_DATABASE: 'off'
+      KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
+      KONG_DNS_ORDER: LAST,A,CNAME
+      KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
+      KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
+      KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
+      SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0}
+      SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU}
+    volumes:
+      - ./docker/kong.yml:/var/lib/kong/kong.yml.tpl:ro
+    healthcheck:
+      test: ['CMD', 'kong', 'health']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # =====================================================
+  # Next.js App — localhost:3000
+  # =====================================================
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        # NEXT_PUBLIC_CI=true bypasses the HTTPS check during build
+        NEXT_PUBLIC_CI: 'true'
+        NEXT_PUBLIC_SITE_URL: http://localhost:3000
+        NEXT_PUBLIC_SUPABASE_URL: http://localhost:8000
+        NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0}
+        NEXT_PUBLIC_DEFAULT_LOCALE: de
+    restart: unless-stopped
+    ports:
+      - '3000:3000'
+    depends_on:
+      supabase-kong:
+        condition: service_healthy
+      supabase-db-migrate:
+        condition: service_completed_successfully
+    environment:
+      NODE_ENV: production
+      NEXT_PUBLIC_CI: 'true'
+      NEXT_PUBLIC_SITE_URL: http://localhost:3000
+      NEXT_PUBLIC_SUPABASE_URL: http://localhost:8000
+      NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0}
+      NEXT_PUBLIC_DEFAULT_LOCALE: de
+      # Server-side: internal Docker URL
+      SUPABASE_INTERNAL_URL: http://supabase-kong:8000
+      SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY:-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU}
+      SUPABASE_DB_WEBHOOK_SECRET: webhooksecret
+      EMAIL_SENDER: noreply@localhost
+      NEXT_PUBLIC_PRODUCT_NAME: MyEasyCMS
+      NEXT_PUBLIC_ENABLE_THEME_TOGGLE: 'true'
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: 'true'
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: 'true'
+      NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_BILLING: 'false'
+      NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING: 'false'
+      NEXT_PUBLIC_ENABLE_NOTIFICATIONS: 'true'
+
+volumes:
+  supabase-db-data:
+  supabase-storage-data:
+  supabase-inbucket-data: