diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index cacd193..03d95f0 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -16,10 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
 - name: Install uv
 run: curl -LsSf https://astral.sh/uv/install.sh | sh
-
 - name: Cache uv
 uses: actions/cache@v4
 with:
@@ -27,10 +25,8 @@ jobs:
 key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
 restore-keys: |
 uv-${{ runner.os }}-
-
 - name: Install deps
 run: $HOME/.local/bin/uv sync --frozen --group dev
-
 - name: Ruff check
 run: $HOME/.local/bin/uv run ruff check services/
@@ -39,22 +35,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
 - name: Install uv
 run: curl -LsSf https://astral.sh/uv/install.sh | sh
-
 - name: Cache uv
 uses: actions/cache@v4
 with:
 path: ~/.cache/uv
 key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
-
 - name: Install deps
 run: $HOME/.local/bin/uv sync --frozen --group dev
-
 - name: Mypy on mcp_common (gating)
 run: $HOME/.local/bin/uv run mypy services/common/src/mcp_common
-
 - name: Mypy on services (warn-only)
 run: $HOME/.local/bin/uv run mypy services/ || true
@@ -63,26 +54,57 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
 - name: Install uv
 run: curl -LsSf https://astral.sh/uv/install.sh | sh
-
 - name: Cache uv
 uses: actions/cache@v4
 with:
 path: ~/.cache/uv
 key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
-
 - name: Install deps
 run: $HOME/.local/bin/uv sync --frozen --group dev
-
 - name: Pytest full suite
- run: $HOME/.local/bin/uv run pytest services/ -v --tb=short
+ run: $HOME/.local/bin/uv run pytest services/ --tb=short
+
+ validate-config:
+ name: validate compose + Caddyfile
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Validate dev compose
+ run: docker compose -f docker-compose.yml config -q
+
+ - name: Validate prod compose
+ run: docker compose -f docker-compose.prod.yml config -q
+ env:
+ ACME_EMAIL: test@example.com
+ WRITE_ALLOWLIST: "127.0.0.1/32"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build gateway image (local, no push)
+ uses: docker/build-push-action@v6
+ with:
+ context: ./gateway
+ file: gateway/Dockerfile
+ tags: cerbero-gateway:validate
+ load: true
+
+ - name: Validate Caddyfile syntax
+ run: |
+ docker run --rm \
+ -v "$PWD/gateway/Caddyfile:/etc/caddy/Caddyfile:ro" \
+ -e ACME_EMAIL=test@example.com \
+ -e WRITE_ALLOWLIST="127.0.0.1/32" \
+ cerbero-gateway:validate \
+ caddy validate --config /etc/caddy/Caddyfile
 build-and-push:
 name: build & push to registry
 runs-on: ubuntu-latest
- needs: [lint, test]
+ needs: [lint, test, validate-config]
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 permissions:
 packages: write
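Review bot: The three `uses:` lines in the new `validate-config` job (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) are pinned to mutable tags, and this job now gates `build-and-push` through `needs`, so a retagged action would change what runs ahead of every push to the registry; pinning each to a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) makes the gate reproducible. The checkout step can also take `with: persist-credentials: false`, since nothing later in this job appears to need the token while it builds and runs an image from the tree. The prod-compose and Caddyfile checks run with placeholder `ACME_EMAIL` and `WRITE_ALLOWLIST` values, so they establish syntax only; a comment such as `# syntax check only: placeholder env, the deployed WRITE_ALLOWLIST is not verified here` above those steps would say so. The `build-and-push` job continues outside the hunk.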
@@ -103,15 +125,15 @@ jobs:
 id: meta
 run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- - name: Build base image (cache only, not pushed)
+ - name: Build base image (load to local daemon)
 uses: docker/build-push-action@v6
 with:
 context: .
 file: docker/base.Dockerfile
 tags: cerbero-base:latest
 load: true
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:base
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:base,mode=max
 - name: Build & push gateway
 uses: docker/build-push-action@v6
@@ -122,8 +144,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/gateway:latest
 ${{ env.IMAGE_PREFIX }}/gateway:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:gateway
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:gateway,mode=max
 - name: Build & push mcp-deribit
 uses: docker/build-push-action@v6
@@ -135,8 +157,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-deribit:latest
 ${{ env.IMAGE_PREFIX }}/mcp-deribit:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-deribit
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-deribit,mode=max
 - name: Build & push mcp-bybit
 uses: docker/build-push-action@v6
@@ -148,8 +170,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-bybit:latest
 ${{ env.IMAGE_PREFIX }}/mcp-bybit:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-bybit
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-bybit,mode=max
 - name: Build & push mcp-hyperliquid
 uses: docker/build-push-action@v6
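Review bot: `cache-to: type=registry,...,mode=max` on the base build exports every intermediate layer of every stage to `${{ env.IMAGE_PREFIX }}/buildcache:base`, so anything a build stage holds that the final image drops (copied config, values passed as build args) becomes pullable by whoever can read that package, and whoever can write to it can seed layers that later `cache-from` builds reuse. The Dockerfiles are not part of this diff, so whether any stage carries such material needs checking; if one does, `mode=min` or BuildKit secret mounts keep it out of the cache, and the `buildcache` package should be private and writable only by this workflow's credentials. A comment above the first cache pair such as `# registry cache: buildcache:* holds all intermediate layers (mode=max); keep the package private` would record the constraint. The same applies to the gateway, mcp-deribit and mcp-bybit hunks here and to the mcp-hyperliquid, mcp-alpaca, mcp-macro and mcp-sentiment hunks that follow.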
@@ -161,8 +183,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-hyperliquid:latest
 ${{ env.IMAGE_PREFIX }}/mcp-hyperliquid:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-hyperliquid
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-hyperliquid,mode=max
 - name: Build & push mcp-alpaca
 uses: docker/build-push-action@v6
@@ -174,8 +196,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-alpaca:latest
 ${{ env.IMAGE_PREFIX }}/mcp-alpaca:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-alpaca
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-alpaca,mode=max
 - name: Build & push mcp-macro
 uses: docker/build-push-action@v6
@@ -187,8 +209,8 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-macro:latest
 ${{ env.IMAGE_PREFIX }}/mcp-macro:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-macro
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-macro,mode=max
 - name: Build & push mcp-sentiment
 uses: docker/build-push-action@v6
@@ -200,8 +222,5 @@ jobs:
 tags: |
 ${{ env.IMAGE_PREFIX }}/mcp-sentiment:latest
 ${{ env.IMAGE_PREFIX }}/mcp-sentiment:sha-${{ steps.meta.outputs.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ cache-from: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-sentiment
+ cache-to: type=registry,ref=${{ env.IMAGE_PREFIX }}/buildcache:mcp-sentiment,mode=max