diff --git a/builder/build.sh b/builder/build.sh
index 67e7b30..1392d02 100755
--- a/builder/build.sh
+++ b/builder/build.sh
@@ -148,11 +148,22 @@ routes.append(DASHBOARD)
 print(json.dumps(routes))
 " "$ROUTE_JSON")
 
-    curl --silent --fail "${CADDY_API}/config/apps/http/servers/hiy/routes" \
+    log "Upstream: ${UPSTREAM}"
+    log "Routes JSON: ${UPDATED}"
+    set +e
+    CADDY_RESP=$(curl --silent --show-error \
+        --write-out "\nHTTP_STATUS:%{http_code}" \
+        "${CADDY_API}/config/apps/http/servers/hiy/routes" \
         --header "Content-Type: application/json" \
         --request PUT \
-        --data "$UPDATED" && log "Caddy updated." \
-        || log "WARNING: Caddy update failed (app is running; fix routing manually)."
+        --data "$UPDATED" 2>&1)
+    set -e
+    if echo "$CADDY_RESP" | grep -q "HTTP_STATUS:2"; then
+        log "Caddy updated."
+    else
+        log "WARNING: Caddy update failed (app is running; fix routing manually)."
+        log "Caddy response: ${CADDY_RESP}"
+    fi
 else
     log "Caddy admin API not reachable; skipping route update."
     log "Container ${CONTAINER_NAME} is running on port ${PORT} but not publicly routed."
diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
index 4b66238..c4c257a 100644
--- a/infra/docker-compose.yml
+++ b/infra/docker-compose.yml
@@ -6,6 +6,16 @@
 
 services:
 
+  # ── Docker socket proxy (unix → TCP) ──────────────────────────────────────
+  docker-proxy:
+    image: alpine/socat
+    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - hiy-net
+
   # ── Control plane ─────────────────────────────────────────────────────────
   server:
     build:
@@ -16,8 +26,6 @@ services:
       - "3000:3000"
     volumes:
       - hiy-data:/data
-      # Mount Docker socket so the server can spawn build containers.
-      - /var/run/docker.sock:/var/run/docker.sock
       # Mount the builder script so edits take effect without rebuilding.
       - ../builder:/app/builder:ro
     environment:
@@ -25,11 +33,14 @@ services:
       HIY_ADDR: 0.0.0.0:3000
       HIY_BUILD_SCRIPT: /app/builder/build.sh
       CADDY_API_URL: http://caddy:2019
+      DOCKER_HOST: tcp://docker-proxy:2375
       DOMAIN_SUFFIX: ${DOMAIN_SUFFIX:-localhost}
       RUST_LOG: hiy_server=debug,tower_http=info
     depends_on:
       caddy:
         condition: service_started
+      docker-proxy:
+        condition: service_started
     networks:
       - hiy-net
       - default