diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c690e4c..d571aa4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
     types: [opened, synchronize]
 
 jobs:
+  # ---------------------------------
+  # Lint & Typecheck
+  # ---------------------------------
   lint-and-typecheck:
     name: Lint & Typecheck
     runs-on: ubuntu-latest
@@ -16,22 +19,20 @@ jobs:
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
-
     steps:
       - uses: actions/checkout@v4
-
       - name: Enable pnpm
         run: corepack enable
-
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Lint
         run: pnpm lint
-
       - name: Typecheck
         run: pnpm typecheck
 
+  # ---------------------------------
+  # Unit / Service / Route / Security Tests
+  # ---------------------------------
   test:
     name: Test (${{ matrix.group }})
     runs-on: ubuntu-latest
@@ -41,27 +42,24 @@ jobs:
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
-
     strategy:
       fail-fast: false
       matrix:
         group: [unit, services, routes, security]
-
     steps:
       - uses: actions/checkout@v4
-
       - name: Enable pnpm
         run: corepack enable
-
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Build dependencies (shared, test-utils)
         run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
-
       - name: Run ${{ matrix.group }} tests
         run: pnpm --filter @tracearr/server test:${{ matrix.group }}
 
+  # ---------------------------------
+  # Integration Tests (TimescaleDB + Redis)
+  # ---------------------------------
   test-integration:
     name: Test (integration)
     runs-on: ubuntu-latest
@@ -73,7 +71,6 @@ jobs:
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
       TEST_DATABASE_URL: postgresql://test:test@timescale:5432/tracearr_test
       TEST_REDIS_URL: redis://redis:6379
-
     services:
       timescale:
         image: timescale/timescaledb:latest-pg15
@@ -86,7 +83,6 @@ jobs:
           --health-interval 5s
           --health-timeout 3s
           --health-retries 10
-
       redis:
         image: redis:7-alpine
         options: >-
@@ -94,22 +90,20 @@ jobs:
           --health-interval 5s
           --health-timeout 3s
           --health-retries 5
-
     steps:
       - uses: actions/checkout@v4
-
       - name: Enable pnpm
         run: corepack enable
-
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Build dependencies (shared, test-utils)
         run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
-
       - name: Run integration tests
         run: pnpm --filter @tracearr/server test:integration
 
+  # ---------------------------------
+  # Test Coverage
+  # ---------------------------------
   test-coverage:
     name: Test Coverage
     runs-on: ubuntu-latest
@@ -119,24 +113,18 @@ jobs:
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
-
     steps:
       - uses: actions/checkout@v4
-
       - name: Enable pnpm
         run: corepack enable
-
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Build dependencies (shared, test-utils)
         run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
-
       - name: Run tests with coverage
         run: pnpm test:coverage
-
       - name: Upload coverage reports
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         if: always()
         with:
           name: coverage-report
@@ -144,6 +132,9 @@ jobs:
           retention-days: 7
           if-no-files-found: warn
 
+  # ---------------------------------
+  # Build App
+  # ---------------------------------
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -158,15 +149,46 @@ jobs:
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
-
     steps:
       - uses: actions/checkout@v4
-
       - name: Enable pnpm
         run: corepack enable
-
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Build
         run: pnpm build
+
+  # ---------------------------------
+  # Deploy to Docker
+  # ---------------------------------
+  deploy:
+    name: Deploy Tracearr
+    runs-on: ubuntu-latest
+    container:
+      image: docker:26-cli
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    env:
+      REGISTRY: gitea.yourdomain.co.nz
+      IMAGE_NAME: tracearr
+      IMAGE_TAG: latest
+      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to Gitea registry
+        run: |
+          echo "${REGISTRY_TOKEN}" | docker login $REGISTRY \
+            -u "${REGISTRY_USER}" --password-stdin
+      - name: Build Docker image
+        run: |
+          docker build \
+            -t $REGISTRY/$REGISTRY_USER/$IMAGE_NAME:$IMAGE_TAG \
+            -f docker/Dockerfile .
+      - name: Push Docker image
+        run: |
+          docker push $REGISTRY/$REGISTRY_USER/$IMAGE_NAME:$IMAGE_TAG
+      - name: Deploy via docker compose
+        run: |
+          docker compose -f docker/docker-compose.yml pull
+          docker compose -f docker/docker-compose.yml up -d