diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..50e8e86c
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,41 @@
+# pwap/web Docker build context (root) — exclude everything not needed
+# for `web/` build. Other monorepo subprojects stay out of the image.
+
+# Other monorepo dirs (we only need web/ + shared/)
+exchange/
+mobile/
+pwap-mobile/
+docs/
+res/
+
+# All node_modules everywhere
+**/node_modules/
+**/dist/
+**/build/
+
+# Git, GitHub
+.git/
+.github/
+
+# Env files (built-in vars are passed as build-args from CI)
+**/.env
+**/.env.*
+!**/.env.example
+
+# Editor / OS
+.vscode/
+.idea/
+*.swp
+*.swo
+.DS_Store
+
+# Logs
+*.log
+
+# Cache
+**/.eslintcache
+**/coverage/
+
+# Already-built artifacts (we rebuild fresh inside container)
+web/dist/
+shared/**/dist/
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
index 11147da0..0c748954 100644
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -127,7 +127,7 @@ jobs:
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
-          context: ./web
+          context: ./
           file: ./web/Dockerfile
           push: true
           tags: |
diff --git a/web/.dockerignore b/web/.dockerignore
deleted file mode 100644
index 9c57b904..00000000
--- a/web/.dockerignore
+++ /dev/null
@@ -1,19 +0,0 @@
-node_modules
-dist
-.git
-.github
-.env
-.env.local
-.env.development
-.env.production
-.env.alfa
-.env.beta
-.env.staging
-*.log
-.DS_Store
-coverage
-.vscode
-.idea
-*.swp
-*.swo
-.eslintcache
diff --git a/web/Dockerfile b/web/Dockerfile
index 8fd9e294..277de03a 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,4 +1,7 @@
 # pwap/web — Static SPA build for distribution.
+# Build context is the pwap repo ROOT (not web/) because vite aliases like
+# @pezkuwi/utils, @shared/* resolve to ../shared/* — both web/ and shared/
+# must be in the build context.
 # Stage 1: build with Node. Stage 2: pure dist/ in busybox (smallest possible
 # attacker surface — no shell, no package manager, no node runtime).
 # Tag the resulting image with the git SHA in CI so rollback is just
@@ -6,14 +9,15 @@
 
 # ─── Stage 1: Build ────────────────────────────────────────────
 FROM node:20-alpine AS builder
-WORKDIR /build
+WORKDIR /build/web
 
 # Copy package files first to leverage Docker layer cache when only src changes
-COPY package.json package-lock.json ./
+COPY web/package.json web/package-lock.json ./
 RUN npm ci
 
-# Copy source after dependencies — invalidates only on code change
-COPY . .
+# Copy shared/ first (less frequently changed), then web/ source
+COPY shared/ /build/shared/
+COPY web/ /build/web/
 
 # Build args for environment-specific values (passed from CI)
 ARG VITE_NETWORK=MAINNET