diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ec606cf
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,11 @@
+# Docker build context exclusions
+**/target/
+**/node_modules/
+frontend/dist/
+.storkit/worktrees/
+.storkit/logs/
+.storkit/work/6_archived/
+.git/
+*.swp
+*.swo
+.DS_Store
diff --git a/docker/.dockerignore b/docker/.dockerignore
index a7dfc5e..ec606cf 100644
--- a/docker/.dockerignore
+++ b/docker/.dockerignore
@@ -1,8 +1,9 @@
 # Docker build context exclusions
-target/
-frontend/node_modules/
+**/target/
+**/node_modules/
 frontend/dist/
 .storkit/worktrees/
+.storkit/logs/
 .storkit/work/6_archived/
 .git/
 *.swp
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 4200c7b..ec0c072 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -72,11 +72,15 @@ services:
 read_only: true
 tmpfs:
 - /tmp:size=512M
- - /home/storkit/.npm:size=256M
+ - /home/storkit:size=512M
 # Drop all Linux capabilities, then add back only what's needed.
+ # SETUID/SETGID needed by Claude Code's PTY allocation (openpty).
 cap_drop:
 - ALL
+ cap_add:
+ - SETUID
+ - SETGID
 # Prevent child processes from gaining new privileges via setuid,
 # setgid, or other mechanisms.
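Review bot: The new root `.dockerignore` excludes build output and `.git/` but no secret-bearing files, so any env file or key that happens to sit in the build context would still be sent to the daemon and could end up in an image layer through a broad `COPY`; if the repository can hold such files, add patterns for them, for example `**/.env*` (a constructed example, adjust to the repo's real names). The file is also byte-identical to `docker/.dockerignore` after this commit (both at blob `ec606cf`), and as far as I know Docker consults only the ignore file at the root of the build context (or a `<Dockerfile name>.dockerignore` beside the Dockerfile under BuildKit), so one of the two copies is probably never read. A first-line comment such as `# Applies when the build context is the repo root; keep in sync with docker/.dockerignore` would tell the next editor which file is live. The same point applies to the `docker/.dockerignore` hunk.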
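Review bot: The `cap_add` of `SETUID` and `SETGID` in `docker/docker-compose.yml` re-opens two capabilities without the comment saying which user the service runs as or what fails without them, and as far as I know allocating a PTY through devpts does not normally need either, so the justification should be verified before it is relied on. If the process runs as a non-root user with `no-new-privileges` set (the trailing comment suggests it is, but that setting and the start of the service definition are outside the hunk), the added capabilities would not reach the process's effective set and the entry may be inert; if it runs as root, they allow any code in the container to switch to arbitrary UIDs and GIDs. I would extend the comment to record the evidence, e.g. `# SETUID/SETGID: required because <observed failure>; service runs as <user>`. Separately, the tmpfs now covers all of `/home/storkit` rather than only `.npm`, making the whole home directory writable under `read_only: true`; spelling the mount options out, e.g. `- /home/storkit:size=512M,nosuid,nodev`, would keep the hardening intent visible.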