diff --git a/Dockerfile b/Dockerfile
index 0ad5d0e..3a4035e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,8 +27,9 @@ ENV NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL
 ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
 # A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV
 # layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`.
-# Dokploy injects the real secret at run time; it's never baked into the bundle.
-RUN BETTER_AUTH_SECRET=build-time-placeholder npm run build
+# Must be >= 32 chars (and not a known placeholder) to pass that guard; the real
+# secret is injected at run time and is never baked into the bundle.
+RUN BETTER_AUTH_SECRET=build-time-placeholder-not-a-real-secret npm run build
 
 # ---- runtime ----
 FROM base AS runner