diff --git a/Dockerfile b/Dockerfile
index 1168d8c..9ace24a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,10 +39,20 @@ RUN npm install -g pnpm@9
 # Copy built files from the build stage
 COPY --from=build /app .
-# Install only runtime dependencies (pnpm respects the workspace protocol)
-RUN pnpm install --prod --no-frozen-lockfile
+# Install all dependencies (including devDeps). The prisma CLI lives in
+# devDependencies but scripts/start.js invokes `prisma migrate deploy`
+# at boot, so it must be available at runtime. Dropping --prod adds the
+# CLI tooling to the runtime image — a modest size cost for the
+# correctness of the migration step.
+RUN pnpm install --no-frozen-lockfile
 EXPOSE 3000
-ENTRYPOINT [ "node", "./dist/index.js" ]
+# Run via scripts/start.js so `prisma migrate deploy` applies pending
+# migrations before the daemon spawns. The upstream Dockerfile invokes
+# ./dist/index.js directly, which silently bypasses the migration step
+# and leaves the SQLite db empty on first boot — every command that
+# touches Policy/KeyUser/Token/etc. then throws "table does not exist."
+# Caught during aiolabs/nsecbunkerd#7 diagnosis 2026-05-27.
+ENTRYPOINT [ "node", "./scripts/start.js" ]
 CMD ["start"]
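Review bot: `RUN pnpm install --no-frozen-lockfile` now installs the whole devDependency tree into the runtime image, and because the lockfile is not enforced, the versions that land there are whatever resolves at build time rather than what was reviewed. For a daemon that, judging by the KeyUser/Token tables named in the new comment, handles key material, that is a much larger supply-chain surface than the one CLI requires. Moving `prisma` from devDependencies to dependencies in package.json would let the step stay `RUN pnpm install --prod --frozen-lockfile`. If the lockfile genuinely cannot be frozen in this stage (the removed line also passed `--no-frozen-lockfile`), a comment such as `# lockfile not frozen because <reason>` would record why. The runtime stage begins above this hunk, so whether a `USER` is set before the new `ENTRYPOINT`, which now also runs migrations at every boot, cannot be checked from here.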