diff --git a/.env.example b/.env.example
index 6cfa300..bdd1d85 100644
--- a/.env.example
+++ b/.env.example
@@ -1,13 +1,23 @@
 # Copy to .env for `docker compose up --build`. Local-dev runs (cargo run
 # / npm run dev) read backend/.env if present, or pick up the variables
 # from your shell.
+#
+# Production note: COOKIE_SECURE=true (the default below) makes browsers
+# refuse to send the session cookie over plain HTTP. Run with a TLS-
+# terminating reverse proxy (Caddy, Traefik, nginx) in front — the
+# compose file here doesn't ship one. Local/dev runs without HTTPS
+# should set COOKIE_SECURE=false.
 
 # ----- Postgres -----
 # These are read by the Postgres container *and* by DATABASE_URL below;
 # changing them after the first boot won't migrate existing data, so set
 # them up front for any new deployment.
+#
+# POSTGRES_PASSWORD is REQUIRED — docker-compose.yml fails fast if it
+# isn't set in this file, to prevent a deploy without an .env booting
+# Postgres with a publicly-known credential.
 POSTGRES_USER=mangalord
-POSTGRES_PASSWORD=mangalord
+POSTGRES_PASSWORD=change-me-to-a-strong-random-string
 POSTGRES_DB=mangalord
 
 # ----- Backend -----
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 07da11f..b9aaaa7 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -3,6 +3,8 @@ name: deploy
 on:
   push:
     branches: [main]
+  pull_request:
+    branches: [main]
   workflow_dispatch:
 
 jobs:
@@ -63,6 +65,10 @@ jobs:
   build-and-push:
     runs-on: ubuntu-latest
     needs: [test-backend, test-frontend]
+    # PRs only run the test jobs; build + deploy are reserved for
+    # post-merge pushes to main. Without this gate every PR would push
+    # a tagged image to the registry and SSH-deploy to prod.
+    if: github.event_name != 'pull_request'
     outputs:
       image_tag: ${{ steps.meta.outputs.image_tag }}
       version: ${{ steps.meta.outputs.version }}
@@ -117,6 +123,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     needs: build-and-push
+    if: github.event_name != 'pull_request'
     steps:
       - name: SSH deploy
         uses: appleboy/ssh-action@v1.0.3
diff --git a/docker-compose.yml b/docker-compose.yml
index 282b86f..f9257e0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,15 @@
+# Production-like compose. Requires a populated `.env` next to this
+# file: at minimum POSTGRES_PASSWORD must be set to a non-default
+# value (the `?required` form below fails fast otherwise). The
+# frontend container expects HTTPS in front (Caddy/Traefik/nginx)
+# because COOKIE_SECURE=true browsers will refuse to send the session
+# cookie over plain HTTP.
 services:
   postgres:
     image: postgres:16-alpine
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-mangalord}
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mangalord}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
       POSTGRES_DB: ${POSTGRES_DB:-mangalord}
     volumes:
       - postgres-data:/var/lib/postgresql/data
@@ -19,7 +25,7 @@ services:
       postgres:
         condition: service_healthy
     environment:
-      DATABASE_URL: postgres://${POSTGRES_USER:-mangalord}:${POSTGRES_PASSWORD:-mangalord}@postgres:5432/${POSTGRES_DB:-mangalord}
+      DATABASE_URL: postgres://${POSTGRES_USER:-mangalord}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}@postgres:5432/${POSTGRES_DB:-mangalord}
       BIND_ADDRESS: 0.0.0.0:8080
       STORAGE_DIR: /var/lib/mangalord/storage
       RUST_LOG: ${RUST_LOG:-info,mangalord=debug}