diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl
index d34ac71a..1baaa58d 100644
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -50,6 +50,7 @@
 {"id":"zakapp-o1w","title":"Refine Docker workflow: Main=Latest, Tags=Release, Remove Noise","description":"Update CI/CD to only build on main/releases. Remove SHA tags. Ensure main maps to latest and tags map to semver.","status":"closed","priority":2,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-07T12:37:40.045500964Z","created_by":"ZakApp Agent","updated_at":"2026-02-07T12:38:31.859470573Z","closed_at":"2026-02-07T12:38:31.859470573Z","close_reason":"Closed"}
 {"id":"zakapp-o8e","title":"CRITICAL: Fix failing test suite - 170+ failing tests (74% pass rate)","description":"Test suite has 170+ failing tests preventing reliable deployment. Critical tests failing include authentication, asset management, and payment processing.\n\nFailing test categories:\n1. Asset creation/management tests failing due to auth token issues\n2. Rate limiting tests inconsistent\n3. Contract tests missing required fields\n4. Payment record validation failing\n\nRequired fixes:\n1. Fix authentication token generation in tests\n2. Implement missing validation in payment endpoints\n3. Resolve rate limiting test inconsistencies\n4. Update test data and assertions\n\nVerification: npm test passes with \u003e95% success rate.","notes":"Major progress: Fixed 5 more contract test files. Current status: 56 failed test files (down from 77), 150 failed tests (down from 170+), 726/899 tests passing (81% pass rate). Fixed: encryption.test.ts async bug, assets-post/put/get contract tests, auth-register contract tests, SimpleValidation non-negative value check.","status":"closed","priority":1,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-08T00:55:24.240278535Z","created_by":"ZakApp Agent","updated_at":"2026-02-09T16:54:31.874242431Z","closed_at":"2026-02-09T16:54:31.874242431Z","close_reason":"Closed","labels":["critical","quality","testing"]}
 {"id":"zakapp-o95","title":"Resolve merge conflicts in feature/prebuilt-docker-images","description":"Resolve merge conflicts in README.md, docker-compose.prod.yml, and docker-compose.yml on feature/prebuilt-docker-images branch.","status":"closed","priority":1,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-06T22:02:31.190750175Z","created_by":"ZakApp Agent","updated_at":"2026-02-06T22:03:51.382804555Z","closed_at":"2026-02-06T22:03:51.382804555Z","close_reason":"Closed"}
+{"id":"zakapp-qz0","title":"Advanced Retirement Zakat Logic (Fiqh Compliance)","description":"Implement specific calculation methodologies for retirement assets - 'Collectible Value' vs 'Invested Growth' based on scholarly analysis.","status":"in_progress","priority":1,"issue_type":"feature","owner":"agent@zakapp.dev","created_at":"2026-02-13T15:18:58.778767861Z","created_by":"ZakApp Agent","updated_at":"2026-02-13T15:19:06.271771896Z"}
 {"id":"zakapp-tba","title":"CLEANUP: Resolve 100+ TODO/FIXME comments indicating incomplete features","description":"Codebase contains 100+ TODO/FIXME comments indicating rushed development and incomplete core functionality.\n\nCritical TODOs to resolve:\n- AnnualSummaryService missing payment calculations\n- Zakat routes with stubbed liability handling\n- Missing unique recipient counting in summaries\n- Incomplete methodology handling\n- Push notification service database schema\n- Missing export functionality\n\nApproach:\n1. Prioritize business-critical TODOs\n2. Implement missing functionality or remove dead code\n3. Add proper error handling for incomplete features\n4. Update documentation\n\nVerification: TODO/FIXME count reduced to \u003c20, all critical features implemented.","status":"open","priority":2,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-08T00:55:28.830212251Z","created_by":"ZakApp Agent","updated_at":"2026-02-08T00:55:28.830212251Z","labels":["cleanup","maintainability"]}
 {"id":"zakapp-vz1","title":"Finalize deployment script cleanup","status":"closed","priority":2,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-06T20:33:18.776788604Z","created_by":"ZakApp Agent","updated_at":"2026-02-06T20:33:23.061741955Z","closed_at":"2026-02-06T20:33:23.061741955Z","close_reason":"Closed"}
 {"id":"zakapp-wlu","title":"SECURITY: Remove exposed production secrets from git history","description":"Multiple .env.backup.* files containing live JWT secrets, encryption keys, and database credentials are committed to the repository despite being in .gitignore. This represents an immediate security breach requiring emergency remediation.\n\nImmediate actions needed:\n1. Remove .env.backup.* files from git tracking\n2. Rotate all exposed secrets in production\n3. Clean git history if secrets were exposed\n4. Update .gitignore to prevent future occurrences\n\nVerification: Run 'git log --all --full-history -- .env*' and confirm no secret exposure.","status":"closed","priority":0,"issue_type":"task","owner":"agent@zakapp.dev","created_at":"2026-02-08T00:55:17.971892975Z","created_by":"ZakApp Agent","updated_at":"2026-02-09T13:51:02.209817035Z","closed_at":"2026-02-09T13:51:02.209817035Z","close_reason":"Closed","labels":["critical","emergency","security"]}
diff --git a/.env.dev.example b/.env.dev.example
new file mode 100644
index 00000000..e2854689
--- /dev/null
+++ b/.env.dev.example
@@ -0,0 +1,61 @@
+# ZakApp Development Environment Configuration
+# Copy this file to .env.dev and customize as needed
+# =========================================
+
+# =====================================================
+# PORT CONFIGURATION (Dev defaults - different from prod)
+# =====================================================
+FRONTEND_PORT=3002
+FRONTEND_PORT_SSL=3444
+
+# =====================================================
+# ACCESS CONFIGURATION
+# =====================================================
+# Client URL (used for CORS)
+CLIENT_URL=http://localhost:3002
+
+# Backend CORS allowed origins
+ALLOWED_ORIGINS=http://localhost:3002
+
+# Backend allowed hosts
+ALLOWED_HOSTS=localhost
+
+# App URL
+APP_URL=http://localhost:3002
+
+# =====================================================
+# SECURITY SECRETS (REQUIRED)
+# =====================================================
+# Generate these with: openssl rand -hex 32
+JWT_SECRET=REPLACE_WITH_SECURE_SECRET
+JWT_REFRESH_SECRET=REPLACE_WITH_SECURE_SECRET
+ENCRYPTION_KEY=REPLACE_WITH_SECURE_SECRET
+
+# =====================================================
+# OPTIONAL CONFIGURATION
+# =====================================================
+# CouchDB credentials
+COUCHDB_USER=admin
+COUCHDB_PASSWORD=REPLACE_WITH_SECURE_SECRET
+COUCHDB_JWT_SECRET=REPLACE_WITH_SECURE_SECRET
+
+# Admin emails (comma-separated)
+ADMIN_EMAILS=admin@example.com
+
+# Gold API Key (optional)
+# GOLD_API_KEY=your_api_key_here
+
+# =====================================================
+# QUICK START
+# =====================================================
+# 1. Run the deployment script:
+#    ./deploy-dev-build.sh
+#
+# 2. Access the application:
+#    - Frontend: http://localhost:3002
+#    - Backend API: http://localhost:3002/api
+#
+# 3. For network access:
+#    - HTTPS: https://YOUR_IP:3444
+#
+# =====================================================
diff --git a/.env.easy.example b/.env.easy.example
index d69a62e7..73eba850 100644
--- a/.env.easy.example
+++ b/.env.easy.example
@@ -60,6 +60,7 @@ FRONTEND_PORT_SSL=3443
 # These are auto-detected from APP_URL
 # Only modify if you have specific requirements
 
+CLIENT_URL=
 ALLOWED_ORIGINS=
 ALLOWED_HOSTS=
 
diff --git a/.gitignore b/.gitignore
index bfef9db5..0c5d185d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,10 +81,14 @@ Thumbs.db
 # Temporary files
 tmp/
 temp/
+.tmp/
 
 # Package lock files (keep package-lock.json for server)
 # package-lock.json (uncomment if you want to exclude)
 
+# OpenCode context and sessions
+.opencode/
+
 # Testing
 jest.config.js
 coverage/
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6adcdf1..d615b0aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.10.1] - 2026-02-16
+
+### 🐛 Bug Fixes - Deployment Scripts
+
+**Fixed:**
+- Fixed `deploy-dev-build.sh` white screen issue caused by volume mount in `docker-compose.dev.yml` that overwrote built frontend assets with unprocessed `client/public` files
+- Fixed deployment scripts not properly reading `.env.dev` file (added `--env-file .env.dev` to docker-compose commands)
+- Fixed missing `ALLOWED_ORIGINS`, `ALLOWED_HOSTS`, and `APP_URL` variables in newly generated `.env` files during deployment
+- Improved `deploy-easy.sh` with fallback to create minimal `.env` when `.env.easy.example` doesn't exist
+
+**Technical Details:**
+- Removed broken volume mount `./client/public:/usr/share/nginx/html:ro` from `docker-compose.dev.yml` frontend service
+- This mount was serving raw `client/public/index.html` (with `%PUBLIC_URL%` placeholders) instead of the built `client/dist/index.html`
+- The `/assets/` directory (Vite's compiled JS/CSS output) was missing, causing 404 errors and blank page
+
+---
+
 ## [0.10.0] - 2026-02-11
 
 ### 🚀 Release: Test Infrastructure & Deployment Improvements
diff --git a/client/package-lock.json b/client/package-lock.json
index 7cb6fe0e..c6d643a3 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "client",
-  "version": "0.9.1",
+  "version": "0.10.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "client",
-      "version": "0.9.1",
+      "version": "0.10.0",
       "dependencies": {
         "@headlessui/react": "^2.2.9",
         "@heroicons/react": "^2.2.0",
@@ -90,7 +90,7 @@
     },
     "../shared": {
       "name": "@zakapp/shared",
-      "version": "0.9.1",
+      "version": "0.9.2",
       "dependencies": {
         "js-sha256": "^0.10.0",
         "zod": "^3.22.4"
diff --git a/client/package.json b/client/package.json
index f1af7e27..d3eefd8b 100644
--- a/client/package.json
+++ b/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "client",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "private": true,
   "dependencies": {
     "@headlessui/react": "^2.2.9",
diff --git a/client/src/components/assets/AssetForm.tsx b/client/src/components/assets/AssetForm.tsx
index 4bd13be9..81e1a5fd 100644
--- a/client/src/components/assets/AssetForm.tsx
+++ b/client/src/components/assets/AssetForm.tsx
@@ -22,6 +22,7 @@ import { useAssetRepository } from '../../hooks/useAssetRepository';
 import { useAuth } from '../../contexts/AuthContext';
 import { METHODOLOGIES, MethodologyName } from '../../core/calculations/methodology';
 import type { Asset, AssetType } from '../../types';
+import type { RetirementConfig } from '../../types/asset.types';
 import { Button, Input } from '../ui';
 import { EncryptedBadge } from '../ui/EncryptedBadge';
 import {
@@ -76,23 +77,6 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
     return map[assetType] || 'cash';
   };
 
-  // Parse initial retirement treatment from metadata
-  const getInitialRetirementTreatment = (asset: Asset | undefined): string => {
-    if (!asset || !asset.metadata) return 'net_value';
-    try {
-      const meta = typeof asset.metadata === 'string' ? JSON.parse(asset.metadata) : asset.metadata;
-      const details = meta.retirementDetails;
-      if (!details) return 'net_value';
-
-      if (details.withdrawalPenalty === 1.0) return 'deferred';
-      if (details.withdrawalPenalty === 0.7) return 'passive';
-      if (details.withdrawalPenalty === 0 && details.taxRate === 0) return 'full';
-      return 'net_value';
-    } catch (e) {
-      return 'net_value';
-    }
-  };
-
   const [formData, setFormData] = useState({
     name: asset?.name || '',
     category: getInitialCategory(asset?.type as unknown as string),
@@ -105,7 +89,6 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
     isPassiveInvestment: (asset as any)?.isPassiveInvestment || false,
     isRestrictedAccount: (asset as any)?.isRestrictedAccount || false,
     isEligibilityManual: (asset as any)?.isEligibilityManual || false,
-    retirementTreatment: getInitialRetirementTreatment(asset),
   });
 
   const [errors, setErrors] = useState<Record<string, string>>({});
@@ -113,6 +96,16 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
   const [calculationModifier, setCalculationModifier] = useState<number>(
     (asset as any)?.calculationModifier || 1.0
   );
+  const [retirementConfig, setRetirementConfig] = useState<RetirementConfig | undefined>(() => {
+    // Parse initial retirement config from asset metadata
+    if (!asset?.metadata) return undefined;
+    try {
+      const meta = typeof asset.metadata === 'string' ? JSON.parse(asset.metadata) : asset.metadata;
+      return meta.retirementConfig;
+    } catch {
+      return undefined;
+    }
+  });
 
   const { addAsset, updateAsset } = useAssetRepository();
 
@@ -141,12 +134,18 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
 
     let newModifier = 1.0;
 
-    if (isRetirement) {
-      switch (formData.retirementTreatment) {
-        case 'deferred': newModifier = 0.0; break;
-        case 'passive': newModifier = 0.3; break;
-        case 'net_value': newModifier = 0.7; break; // Approx
-        case 'full': default: newModifier = 1.0; break;
+    if (isRetirement && retirementConfig) {
+      // Use the methodology from retirementConfig to determine modifier
+      switch (retirementConfig.methodology) {
+        case 'preserved_growth': newModifier = 0.20; break; // 0.5% is equivalent to 2.5% on 20%
+        case 'collectible_value': {
+          // Calculate net factor: 1 - penalty - tax
+          const penalty = retirementConfig.withdrawalPenalty || 0;
+          const tax = retirementConfig.estimatedTaxRate || 0;
+          newModifier = Math.max(0, 1 - penalty - tax);
+          break;
+        }
+        case 'manual': default: newModifier = 1.0; break;
       }
     } else if (formData.isRestrictedAccount) {
       newModifier = 0.0;
@@ -168,7 +167,7 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
     if (!RESTRICTED_ACCOUNT_TYPES.includes(formData.category as any)) {
       setFormData(prev => ({ ...prev, isRestrictedAccount: false }));
     }
-  }, [formData.category, formData.subCategory, formData.isRestrictedAccount, formData.isPassiveInvestment, formData.retirementTreatment]);
+  }, [formData.category, formData.subCategory, formData.isRestrictedAccount, formData.isPassiveInvestment, retirementConfig]);
 
   const handleChange = (field: string, value: string | number | boolean) => {
     setFormData(prev => ({ ...prev, [field]: value }));
@@ -254,17 +253,9 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
         isEligibilityManual: formData.isEligibilityManual
       };
 
-      if (isRetirement) {
-        const treatment = formData.retirementTreatment || 'net_value';
-        if (treatment === 'net_value') {
-          metadataObj.retirementDetails = { withdrawalPenalty: 0.1, taxRate: 0.2 };
-        } else if (treatment === 'deferred') {
-          metadataObj.retirementDetails = { withdrawalPenalty: 1.0, taxRate: 0 };
-        } else if (treatment === 'passive') {
-          metadataObj.retirementDetails = { withdrawalPenalty: 0.7, taxRate: 0 };
-        } else { // Full
-          metadataObj.retirementDetails = { withdrawalPenalty: 0, taxRate: 0 };
-        }
+      // Include retirement config if present
+      if (isRetirement && retirementConfig) {
+        metadataObj.retirementConfig = retirementConfig;
       }
 
       const commonData = {
@@ -626,10 +617,9 @@ export const AssetForm: React.FC<AssetFormProps> = ({ asset, onSuccess, onCancel
         {/* Modifier Section: Retirement Treatment (Radio Group) */}
         {formData.category === 'stocks' && formData.subCategory?.startsWith('retirement') && (
           <RetirementTreatmentSection
-            retirementTreatment={formData.retirementTreatment}
+            retirementConfig={retirementConfig}
             value={formData.value}
-            calculationModifier={calculationModifier}
-            onTreatmentChange={(treatment) => handleChange('retirementTreatment', treatment)}
+            onConfigChange={setRetirementConfig}
           />
         )}
 
diff --git a/client/src/components/assets/form-sections/RetirementTreatmentSection.tsx b/client/src/components/assets/form-sections/RetirementTreatmentSection.tsx
index a84fb6ca..81b6752b 100644
--- a/client/src/components/assets/form-sections/RetirementTreatmentSection.tsx
+++ b/client/src/components/assets/form-sections/RetirementTreatmentSection.tsx
@@ -1,94 +1,221 @@
-import React from 'react';
+import React, { useState, useEffect } from 'react';
 import { Decimal } from 'decimal.js';
+import type { RetirementMethodology, RetirementConfig } from '../../../types/asset.types';
 
 interface RetirementTreatmentSectionProps {
-    retirementTreatment: string;
+    retirementConfig?: RetirementConfig;
     value: string;
-    calculationModifier: number;
-    onTreatmentChange: (treatment: string) => void;
+    onConfigChange: (config: RetirementConfig | undefined) => void;
 }
 
+// Tax bracket options (simplified from full table)
+const TAX_BRACKET_OPTIONS = [
+    { value: 0.10, label: '10%' },
+    { value: 0.12, label: '12%' },
+    { value: 0.22, label: '22%' },
+    { value: 0.24, label: '24%' },
+    { value: 0.32, label: '32%' },
+    { value: 0.35, label: '35%' },
+    { value: 0.37, label: '37%' },
+];
+
+// Penalty rate options
+const PENALTY_OPTIONS = [
+    { value: 0.0, label: '0%' },
+    { value: 0.10, label: '10%' },
+    { value: 0.20, label: '20%' },
+    { value: 0.30, label: '30%' },
+    { value: 0.35, label: '35%' },
+];
+
 export const RetirementTreatmentSection: React.FC<RetirementTreatmentSectionProps> = ({
-    retirementTreatment,
+    retirementConfig,
     value,
-    calculationModifier,
-    onTreatmentChange
+    onConfigChange
 }) => {
+    const [methodology, setMethodology] = useState<RetirementMethodology>(
+        retirementConfig?.methodology || 'collectible_value'
+    );
+    const [withdrawalPenalty, setWithdrawalPenalty] = useState<number>(
+        retirementConfig?.withdrawalPenalty ?? 0.10
+    );
+    const [estimatedTaxRate, setEstimatedTaxRate] = useState<number>(
+        retirementConfig?.estimatedTaxRate ?? 0.25
+    );
+
+    // Update parent when values change
+    useEffect(() => {
+        if (methodology === 'manual') {
+            onConfigChange(undefined);
+        } else if (methodology === 'preserved_growth') {
+            onConfigChange({
+                methodology: 'preserved_growth',
+                withdrawalPenalty: 0,
+                estimatedTaxRate: 0,
+            });
+        } else {
+            // collectible_value
+            onConfigChange({
+                methodology: 'collectible_value',
+                withdrawalPenalty,
+                estimatedTaxRate,
+            });
+        }
+    }, [methodology, withdrawalPenalty, estimatedTaxRate]);
+
+    // Calculate preview values
+    const numericValue = parseFloat(String(value)) || 0;
+    const gross = new Decimal(numericValue);
+
+    let zatakatableValue = gross;
+    let zatakatRate = 0.025;
+    let explanation = '';
+
+    if (methodology === 'preserved_growth') {
+        // 0.5% rule
+        zatakatableValue = gross.times(0.20); // 20% is equivalent to 0.5% vs 2.5%
+        zatakatRate = 0.005;
+        explanation = 'Based on Dr. Salah Al-Sawy\'s opinion: Zakat is due on the liquid assets of the underlying companies (0.5% of total).';
+    } else if (methodology === 'collectible_value') {
+        // Net after penalty/tax * 2.5%
+        const penalty = new Decimal(withdrawalPenalty);
+        const tax = new Decimal(estimatedTaxRate);
+        const netFactor = Decimal.max(0, new Decimal(1).minus(penalty).minus(tax));
+        zatakatableValue = gross.times(netFactor);
+        explanation = `Zakat is due only on what you would receive after paying ${(withdrawalPenalty * 100).toFixed(0)}% penalty and ${(estimatedTaxRate * 100).toFixed(0)}% taxes.`;
+    } else {
+        explanation = 'Standard 2.5% Zakat applied to the full balance.';
+    }
+
+    const zatakatDue = zatakatableValue.times(zatakatRate);
+
     return (
-        <div className="bg-white/50 p-4 rounded-lg border border-blue-100/50 space-y-3">
-            <p className="text-sm font-medium text-blue-900">Zakat Treatment:</p>
+        <div className="bg-white/50 p-4 rounded-lg border border-blue-100/50 space-y-4">
+            <div>
+                <p className="text-sm font-medium text-blue-900 mb-2">How should we calculate Zakat on this retirement account?</p>
+                <p className="text-xs text-gray-600 mb-4">
+                    Based on scholarly analysis of US retirement plans
+                </p>
+            </div>
 
-            <label className="flex items-start gap-3 cursor-pointer">
+            {/* Option 1: Collectible Value */}
+            <label className={`flex items-start gap-3 cursor-pointer p-3 rounded-lg border-2 transition-colors ${
+                methodology === 'collectible_value' ? 'border-blue-500 bg-blue-50' : 'border-gray-200 hover:border-gray-300'
+            }`}>
                 <input
                     type="radio"
-                    name="retirement-treatment"
-                    checked={retirementTreatment === 'full'}
-                    onChange={() => onTreatmentChange('full')}
+                    name="retirement-methodology"
+                    checked={methodology === 'collectible_value'}
+                    onChange={() => setMethodology('collectible_value')}
                     className="mt-1 h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300"
                 />
-                <div>
-                    <span className="block text-sm font-medium text-gray-900">Full Assessment (100%)</span>
-                </div>
-            </label>
+                <div className="flex-1">
+                    <span className="block text-sm font-medium text-gray-900">Option 1: Withdrawal Value (Conservative)</span>
+                    <span className="block text-xs text-gray-500 mt-1">
+                        Best if you plan to cash out soon. We calculate the value after taxes & penalties.
+                    </span>
 
-            <label className="flex items-start gap-3 cursor-pointer">
-                <input
-                    type="radio"
-                    name="retirement-treatment"
-                    checked={retirementTreatment === 'net_value'}
-                    onChange={() => onTreatmentChange('net_value')}
-                    className="mt-1 h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300"
-                />
-                <div>
-                    <span className="block text-sm font-medium text-gray-900">Deduct Taxes/Penalties (Net Value)</span>
-                    <span className="block text-xs text-gray-500">Calculates zakat on ~70% of the value (after estimated taxes/fees).</span>
+                    {methodology === 'collectible_value' && (
+                        <div className="mt-3 space-y-3 pl-2 border-l-2 border-blue-300">
+                            <div className="grid grid-cols-2 gap-3">
+                                <div>
+                                    <label className="block text-xs font-medium text-gray-700 mb-1">
+                                        Early Withdrawal Penalty
+                                    </label>
+                                    <select
+                                        value={withdrawalPenalty}
+                                        onChange={(e) => setWithdrawalPenalty(parseFloat(e.target.value))}
+                                        className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded focus:ring-1 focus:ring-blue-500"
+                                    >
+                                        {PENALTY_OPTIONS.map(opt => (
+                                            <option key={opt.value} value={opt.value}>{opt.label}</option>
+                                        ))}
+                                    </select>
+                                </div>
+                                <div>
+                                    <label className="block text-xs font-medium text-gray-700 mb-1">
+                                        Estimated Tax Rate
+                                    </label>
+                                    <select
+                                        value={estimatedTaxRate}
+                                        onChange={(e) => setEstimatedTaxRate(parseFloat(e.target.value))}
+                                        className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded focus:ring-1 focus:ring-blue-500"
+                                    >
+                                        {TAX_BRACKET_OPTIONS.map(opt => (
+                                            <option key={opt.value} value={opt.value}>{opt.label}</option>
+                                        ))}
+                                    </select>
+                                </div>
+                            </div>
+                            <p className="text-xs text-gray-600 italic">
+                                {(withdrawalPenalty * 100).toFixed(0)}% penalty + {(estimatedTaxRate * 100).toFixed(0)}% tax = {(gross.minus(gross.times(withdrawalPenalty + estimatedTaxRate)).div(gross).times(100).toNumber()).toFixed(0)}% net
+                            </p>
+                        </div>
+                    )}
                 </div>
             </label>
 
-            <label className="flex items-start gap-3 cursor-pointer">
+            {/* Option 2: Preserved Growth */}
+            <label className={`flex items-start gap-3 cursor-pointer p-3 rounded-lg border-2 transition-colors ${
+                methodology === 'preserved_growth' ? 'border-blue-500 bg-blue-50' : 'border-gray-200 hover:border-gray-300'
+            }`}>
                 <input
                     type="radio"
-                    name="retirement-treatment"
-                    checked={retirementTreatment === 'passive'}
-                    onChange={() => onTreatmentChange('passive')}
+                    name="retirement-methodology"
+                    checked={methodology === 'preserved_growth'}
+                    onChange={() => setMethodology('preserved_growth')}
                     className="mt-1 h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300"
                 />
                 <div>
-                    <span className="block text-sm font-medium text-gray-900">Passive Investment (30%)</span>
-                    <span className="block text-xs text-gray-500">Treats underlying assets as passive/business assets (Zakatable on 30%).</span>
+                    <span className="block text-sm font-medium text-gray-900">Option 2: Invested Growth (0.5% Rule)</span>
+                    <span className="block text-xs text-gray-500 mt-1">
+                        Follows the opinion of Dr. Salah Al-Sawy. Assumes Zakat is due on the liquid assets of the companies you hold.
+                    </span>
                 </div>
             </label>
 
-            <label className="flex items-start gap-3 cursor-pointer">
+            {/* Option 3: Manual (Standard) */}
+            <label className={`flex items-start gap-3 cursor-pointer p-3 rounded-lg border-2 transition-colors ${
+                methodology === 'manual' ? 'border-blue-500 bg-blue-50' : 'border-gray-200 hover:border-gray-300'
+            }`}>
                 <input
                     type="radio"
-                    name="retirement-treatment"
-                    checked={retirementTreatment === 'deferred'}
-                    onChange={() => onTreatmentChange('deferred')}
+                    name="retirement-methodology"
+                    checked={methodology === 'manual'}
+                    onChange={() => setMethodology('manual')}
                     className="mt-1 h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300"
                 />
                 <div>
-                    <span className="block text-sm font-medium text-gray-900">Deferred (Exempt)</span>
-                    <span className="block text-xs text-gray-500">No Zakat due until withdrawal (based on lack of complete ownership/access).</span>
+                    <span className="block text-sm font-medium text-gray-900">Option 3: Standard Calculation</span>
+                    <span className="block text-xs text-gray-500 mt-1">
+                        Apply standard 2.5% Zakat to the full balance (default behavior).
+                    </span>
                 </div>
             </label>
 
-            {/* Modifier Summary */}
-            {value && (
+            {/* Calculation Preview */}
+            {value && numericValue > 0 && (
                 <div className="mt-4 pt-4 border-t border-blue-100">
-                    <div className="bg-blue-50 rounded-lg p-3 space-y-2">
+                    <div className="bg-emerald-50 rounded-lg p-3 space-y-2">
+                        <div className="flex justify-between text-sm">
+                            <span className="text-gray-600">Original Balance:</span>
+                            <span className="font-medium text-gray-900">${numericValue.toLocaleString('en-US', { minimumFractionDigits: 2 })}</span>
+                        </div>
                         <div className="flex justify-between text-sm">
-                            <span className="text-gray-600">Original Value:</span>
-                            <span className="font-medium text-gray-900">${parseFloat(String(value)).toLocaleString('en-US', { minimumFractionDigits: 2 })}</span>
+                            <span className="text-gray-600">Zakatable Amount:</span>
+                            <span className="font-bold text-blue-600">${zatakatableValue.toNumber().toLocaleString('en-US', { minimumFractionDigits: 2 })}</span>
                         </div>
                         <div className="flex justify-between text-sm">
-                            <span className="text-gray-600">Modifier Applied:</span>
-                            <span className="font-bold text-blue-600">{(calculationModifier * 100).toFixed(0)}%</span>
+                            <span className="text-gray-600">Zakat Rate:</span>
+                            <span className="font-medium text-gray-900">{(zatakatRate * 100).toFixed(1)}%</span>
                         </div>
-                        <div className="flex justify-between text-sm border-t border-blue-200 pt-2">
-                            <span className="font-medium text-gray-900">Zakatable Value:</span>
-                            <span className="font-bold text-emerald-600">${(parseFloat(String(value)) * calculationModifier).toLocaleString('en-US', { minimumFractionDigits: 2 })}</span>
+                        <div className="flex justify-between text-sm border-t border-emerald-200 pt-2">
+                            <span className="font-medium text-gray-900">Zakat Due:</span>
+                            <span className="font-bold text-emerald-600">${zatakatDue.toNumber().toLocaleString('en-US', { minimumFractionDigits: 2 })}</span>
                         </div>
+                        <p className="text-xs text-gray-500 mt-2 pt-2 border-t border-emerald-200">
+                            💡 {explanation}
+                        </p>
                     </div>
                 </div>
             )}
diff --git a/client/src/core/calculations/zakat.ts b/client/src/core/calculations/zakat.ts
index a5fcc5b6..b525bb2e 100644
--- a/client/src/core/calculations/zakat.ts
+++ b/client/src/core/calculations/zakat.ts
@@ -17,11 +17,16 @@
 
 import { Asset, AssetType } from '../../types/index';
 import { MethodologyName, getMethodology } from './methodology';
+import type { RetirementMethodology, RetirementConfig } from '../../types/asset.types';
 
 import { Decimal } from 'decimal.js';
 
 export type ZakatMethodology = MethodologyName;
 
+// Retirement methodology constants
+const PRESERVED_GROWTH_RATE = 0.005; // 0.5% rule (Dr. Salah Al-Sawy)
+const STANDARD_ZAKAT_RATE = 0.025; // 2.5%
+
 export interface CalculationResult {
     totalAssets: number;
     zakatableAssets: number;
@@ -66,37 +71,100 @@ export function isAssetZakatable(asset: Asset, methodologyName: ZakatMethodology
     return true;
 }
 
-// Net Withdrawable Logic for Retirement
-function calculateNetWithdrawable(asset: Asset): number {
-    // Access metadata for retirement-specific settings
-    let penalty = new Decimal(0);
-    let tax = new Decimal(0);
-
-    // Try metadata string parse for retirement details
-    if (typeof asset.metadata === 'string' && asset.metadata.startsWith('{')) {
-        try {
-            const meta = JSON.parse(asset.metadata);
-            if (meta.retirementDetails) {
-                penalty = new Decimal(meta.retirementDetails.withdrawalPenalty || 0);
-                tax = new Decimal(meta.retirementDetails.taxRate || 0);
-            }
-        } catch (e) {
-            // ignore
-        }
-    } else if ((asset as any).retirementDetails) {
-        // Fallback: Check if retirementDetails is already on the object (pre-parsed)
-        const details = (asset as any).retirementDetails;
-        penalty = new Decimal(details.withdrawalPenalty || 0);
-        tax = new Decimal(details.taxRate || 0);
+// Parse retirement config from asset metadata
+function parseRetirementConfig(asset: Asset): RetirementConfig | null {
+  // Try metadata string parse
+  if (typeof asset.metadata === 'string' && asset.metadata.startsWith('{')) {
+    try {
+      const meta = JSON.parse(asset.metadata);
+      if (meta.retirementConfig) {
+        return meta.retirementConfig;
+      }
+      // Legacy support: check for retirementDetails
+      if (meta.retirementDetails) {
+        return {
+          methodology: 'collectible_value',
+          withdrawalPenalty: meta.retirementDetails.withdrawalPenalty || 0,
+          estimatedTaxRate: meta.retirementDetails.taxRate || 0,
+        };
+      }
+    } catch (e) {
+      // ignore
     }
+  }
 
-    // netFactor = 1 - penalty - tax
-    const one = new Decimal(1);
-    const netFactor = one.minus(penalty).minus(tax);
+  // Fallback: Check if retirementConfig is already on the object (pre-parsed)
+  const config = (asset as any).retirementConfig;
+  if (config) {
+    return config;
+  }
 
-    // asset.value * max(0, netFactor)
-    const factor = Decimal.max(0, netFactor);
-    return new Decimal(asset.value || 0).times(factor).toNumber();
+  // Legacy support: check for retirementDetails
+  const details = (asset as any).retirementDetails;
+  if (details) {
+    return {
+      methodology: 'collectible_value',
+      withdrawalPenalty: details.withdrawalPenalty || 0,
+      estimatedTaxRate: details.taxRate || 0,
+    };
+  }
+
+  return null;
+}
+
+// Calculate retirement Zakat based on methodology
+function calculateRetirementZakat(asset: Asset): number {
+  const config = parseRetirementConfig(asset);
+  const grossBalance = new Decimal(asset.value || 0);
+
+  // If no config, default to 'manual' (treat as regular asset)
+  if (!config || config.methodology === 'manual') {
+    // Fall back to standard 2.5% calculation (or use calculationModifier if set)
+    if (typeof asset.calculationModifier === 'number' && asset.calculationModifier !== 1.0) {
+      return grossBalance.times(asset.calculationModifier).times(STANDARD_ZAKAT_RATE).toNumber();
+    }
+    return grossBalance.times(STANDARD_ZAKAT_RATE).toNumber();
+  }
+
+  // Opinion B: Preserved Growth (0.5% Rule - Dr. Salah Al-Sawy)
+  if (config.methodology === 'preserved_growth') {
+    return grossBalance.times(PRESERVED_GROWTH_RATE).toNumber();
+  }
+
+  // Opinion A: Collectible Value (Withdrawal Method)
+  // Formula: (GrossBalance - (GrossBalance * (Penalty + Tax))) * 0.025
+  const penalty = new Decimal(config.withdrawalPenalty || 0);
+  const tax = new Decimal(config.estimatedTaxRate || 0);
+  const one = new Decimal(1);
+  const netFactor = one.minus(penalty).minus(tax);
+  const factor = Decimal.max(0, netFactor);
+  const netBalance = grossBalance.times(factor);
+  
+  return netBalance.times(STANDARD_ZAKAT_RATE).toNumber();
+}
+
+// Legacy function kept for backward compatibility
+function calculateNetWithdrawable(asset: Asset): number {
+  const config = parseRetirementConfig(asset);
+  const grossBalance = new Decimal(asset.value || 0);
+
+  // If no config or manual, return full value (will get 2.5% applied elsewhere)
+  if (!config || config.methodology === 'manual') {
+    return grossBalance.toNumber();
+  }
+
+  // If preserved growth, return 20% of value (equivalent to 0.5% vs 2.5%)
+  if (config.methodology === 'preserved_growth') {
+    return grossBalance.times(0.20).toNumber();
+  }
+
+  // Collectible value: apply penalty and tax
+  const penalty = new Decimal(config.withdrawalPenalty || 0);
+  const tax = new Decimal(config.estimatedTaxRate || 0);
+  const one = new Decimal(1);
+  const netFactor = one.minus(penalty).minus(tax);
+  const factor = Decimal.max(0, netFactor);
+  return grossBalance.times(factor).toNumber();
 }
 
 export function getAssetZakatableValue(asset: Asset, methodologyName: ZakatMethodology): number {
diff --git a/client/src/types/asset.types.ts b/client/src/types/asset.types.ts
index fefdce0e..b05ef320 100644
--- a/client/src/types/asset.types.ts
+++ b/client/src/types/asset.types.ts
@@ -22,6 +22,22 @@
 
 import type { Asset } from './index';
 
+/**
+ * Retirement Zakat calculation methodology
+ * Based on scholarly analysis of US retirement plans
+ */
+export type RetirementMethodology = 
+  | 'collectible_value'  // Opinion A: Net after penalty/tax * 2.5%
+  | 'preserved_growth'   // Opinion B: 0.5% rule (Dr. Salah Al-Sawy)
+  | 'manual';            // User-defined or default 2.5% on full
+
+export interface RetirementConfig {
+  methodology: RetirementMethodology;
+  // For 'collectible_value' only
+  withdrawalPenalty: number; // Percentage (0-1), e.g., 0.10 = 10%
+  estimatedTaxRate: number;  // Percentage (0-1), e.g., 0.25 = 25%
+}
+
 export interface CreateAssetDto {
   name: string;
   category: string;
@@ -32,10 +48,7 @@ export interface CreateAssetDto {
   notes?: string;
   isPassiveInvestment?: boolean;
   isRestrictedAccount?: boolean;
-  retirementDetails?: {
-    withdrawalPenalty: number; // Percentage (0-1)
-    taxRate: number; // Percentage (0-1)
-  };
+  retirementConfig?: RetirementConfig;
 }
 
 export type UpdateAssetDto = Partial<CreateAssetDto>;
@@ -59,8 +72,5 @@ export interface AssetFormState {
   notes?: string;
   isPassiveInvestment: boolean;
   isRestrictedAccount: boolean;
-  retirementDetails?: {
-    withdrawalPenalty: number;
-    taxRate: number;
-  };
+  retirementConfig?: RetirementConfig;
 }
diff --git a/client/vite.config.ts b/client/vite.config.ts
index 9d601bea..5d2816de 100644
--- a/client/vite.config.ts
+++ b/client/vite.config.ts
@@ -39,6 +39,7 @@ export default defineConfig(({ mode }) => {
     define: {
       __APP_VERSION__: JSON.stringify(pkg.version),
       __COMMIT_HASH__: JSON.stringify(commitHash),
+      'process.env.NODE_ENV': JSON.stringify(mode),
     },
     plugins: [
       react(),
diff --git a/deploy-dev-build.sh b/deploy-dev-build.sh
new file mode 100755
index 00000000..8620a79a
--- /dev/null
+++ b/deploy-dev-build.sh
@@ -0,0 +1,624 @@
+#!/bin/bash
+# ZakApp Development Build Deployment Script
+# Builds from local source with hot-reload support
+# Use this for local development with Docker
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+COMPOSE_FILE="docker-compose.dev.yml"
+ENV_FILE=".env.dev"
+COMPOSE_PROFILE="--profile dev --env-file .env.dev"
+
+# Dev-specific defaults (different from production to avoid conflicts)
+DEFAULT_HTTP_PORT=3002
+DEFAULT_HTTPS_PORT=3444
+
+# Function to print colored output
+print_status() {
+    echo -e "${BLUE}ℹ️  $1${NC}"
+}
+
+print_success() {
+    echo -e "${GREEN}✅ $1${NC}"
+}
+
+print_warning() {
+    echo -e "${YELLOW}⚠️  $1${NC}"
+}
+
+print_error() {
+    echo -e "${RED}❌ $1${NC}"
+}
+
+print_header() {
+    echo ""
+    echo -e "${BLUE}========================================${NC}"
+    echo -e "${BLUE}$1${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    echo ""
+}
+
+# Check if Docker is installed
+check_prerequisites() {
+    print_header "Checking Prerequisites"
+    
+    if ! command -v docker &> /dev/null; then
+        print_error "Docker is not installed"
+        echo "Please install Docker first:"
+        echo "  Ubuntu/Debian: sudo apt-get install docker.io"
+        echo "  macOS/Windows: https://docs.docker.com/get-docker/"
+        exit 1
+    fi
+    
+    if ! docker compose version &> /dev/null; then
+        print_error "Docker Compose is not installed"
+        echo "Please install Docker Compose plugin"
+        exit 1
+    fi
+    
+    # Check if Docker daemon is running
+    if ! docker info > /dev/null 2>&1; then
+        print_error "Docker daemon is not running"
+        echo "Please start Docker and try again:"
+        echo "  Ubuntu: sudo systemctl start docker"
+        echo "  macOS: Start Docker Desktop from Applications"
+        exit 1
+    fi
+    
+    print_success "Docker and Docker Compose are installed"
+}
+
+# Detect the server's IP address
+detect_ip() {
+    local ip=$(hostname -I 2>/dev/null | awk '{print $1}')
+    
+    if [ -z "$ip" ]; then
+        ip=$(ip route get 1 2>/dev/null | awk '{print $7; exit}')
+    fi
+    
+    if [ -z "$ip" ]; then
+        ip=$(ifconfig 2>/dev/null | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | head -n 1)
+    fi
+    
+    echo "$ip"
+}
+
+# Verify network accessibility
+verify_network() {
+    local ip=$1
+    print_status "Checking network configuration..."
+    
+    if [ -z "$ip" ]; then
+        print_warning "Could not detect server IP automatically"
+        return 1
+    fi
+    
+    if [[ "$ip" == 127.* ]]; then
+        print_warning "Detected IP is localhost ($ip)"
+        print_status "Network access will only work if you configure a real IP"
+        return 1
+    fi
+    
+    print_success "Network IP detected: $ip"
+    return 0
+}
+
+# Check if a port is in use
+check_port() {
+    local port=$1
+    if docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps 2>/dev/null | grep -q "$port"; then
+        return 0
+    fi
+    
+    if command -v netstat &> /dev/null; then
+        netstat -tuln 2>/dev/null | grep -q ":$port "
+        return $?
+    elif command -v ss &> /dev/null; then
+        ss -tuln 2>/dev/null | grep -q ":$port "
+        return $?
+    fi
+    
+    return 1
+}
+
+# Find next available port
+find_available_port() {
+    local start_port=$1
+    local port=$start_port
+    
+    while check_port "$port"; do
+        port=$((port + 1))
+        if [ $port -gt 65535 ]; then
+            print_error "No available ports found"
+            exit 1
+        fi
+    done
+    
+    echo "$port"
+}
+
+# Generate a secure secret
+generate_secret() {
+    openssl rand -base64 32
+}
+
+# Validate email addresses (comma-separated)
+validate_emails() {
+    local emails=$1
+    local email_regex="^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
+    
+    IFS=',' read -ra EMAIL_ARRAY <<< "$emails"
+    for email in "${EMAIL_ARRAY[@]}"; do
+        email=$(echo "$email" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//')
+        
+        if [ -z "$email" ]; then
+            continue
+        fi
+        
+        if [[ ! $email =~ $email_regex ]]; then
+            return 1
+        fi
+    done
+    return 0
+}
+
+# Collect admin email addresses from user
+collect_admin_emails() {
+    print_status "Configuring admin access"
+    echo ""
+    echo "Admin email addresses will have access to the ZakApp dashboard."
+    echo "You can enter multiple emails separated by commas."
+    echo "Example: admin@example.com, manager@company.com"
+    echo ""
+    
+    local admin_emails=""
+    while true; do
+        read -p "Enter admin email addresses (comma-separated): " admin_emails
+        
+        if [ -z "$admin_emails" ]; then
+            print_warning "No admin emails specified. You can add them later by editing the .env.dev file."
+            return
+        fi
+        
+        if validate_emails "$admin_emails"; then
+            break
+        else
+            print_error "Invalid email format. Please enter valid email addresses."
+            echo "Examples: admin@example.com or admin@example.com,manager@company.com"
+        fi
+    done
+    
+    if grep -q "^ADMIN_EMAILS=" "$ENV_FILE"; then
+        sed -i "s|^ADMIN_EMAILS=.*|ADMIN_EMAILS=$admin_emails|" "$ENV_FILE"
+    else
+        echo "ADMIN_EMAILS=$admin_emails" >> "$ENV_FILE"
+    fi
+    
+    print_success "Admin emails configured: $admin_emails"
+}
+
+# Setup environment file with dev-specific defaults
+setup_environment() {
+    print_header "Setting up Environment (Development Mode)"
+    
+    # Check if env file exists
+    if [ -f "$ENV_FILE" ]; then
+        print_warning "$ENV_FILE file already exists"
+        echo ""
+        echo "Options:"
+        echo "  1) Keep existing configuration"
+        echo "  2) Regenerate with dev defaults (will backup existing)"
+        echo "  3) Update access settings only"
+        read -p "Select option (1-3): " -n 1 -r
+        echo
+        
+        case $REPLY in
+            1)
+                print_status "Using existing $ENV_FILE configuration"
+                local server_ip=$(detect_ip)
+                verify_network "$server_ip" || true
+                return
+                ;;
+            2)
+                cp "$ENV_FILE" ".env.backup.dev.$(date +%Y%m%d_%H%M%S)"
+                print_status "Backup created: .env.backup.dev.*"
+                rm -f "$ENV_FILE"
+                ;;
+            3)
+                print_status "Updating access settings only..."
+                configure_access_mode
+                configure_ports
+                generate_missing_secrets
+                print_success "Environment configured"
+                return
+                ;;
+            *)
+                print_warning "Invalid option, keeping existing configuration"
+                return
+                ;;
+        esac
+    fi
+    
+    # Set dev-specific defaults
+    echo "# ZakApp Development Environment" >> "$ENV_FILE"
+    echo "# Generated by deploy-dev-build.sh" >> "$ENV_FILE"
+    echo "" >> "$ENV_FILE"
+    
+    # Port configuration with dev defaults
+    echo "FRONTEND_PORT=$DEFAULT_HTTP_PORT" >> "$ENV_FILE"
+    echo "FRONTEND_PORT_SSL=$DEFAULT_HTTPS_PORT" >> "$ENV_FILE"
+    echo "CLIENT_URL=http://localhost:$DEFAULT_HTTP_PORT" >> "$ENV_FILE"
+    echo "ALLOWED_ORIGINS=http://localhost:$DEFAULT_HTTP_PORT" >> "$ENV_FILE"
+    echo "ALLOWED_HOSTS=localhost" >> "$ENV_FILE"
+    echo "APP_URL=http://localhost:$DEFAULT_HTTP_PORT" >> "$ENV_FILE"
+    
+    # Configure access mode
+    configure_access_mode
+    generate_missing_secrets
+    
+    # Detect actual ports and update CORS settings
+    configure_ports
+    
+    print_success "Environment configured with dev defaults (ports $DEFAULT_HTTP_PORT/$DEFAULT_HTTPS_PORT)"
+}
+
+# Configure access mode (IP/domain/localhost)
+configure_access_mode() {
+    local server_ip=$(detect_ip)
+    verify_network "$server_ip" || true
+    
+    print_status "Detected server IP: $server_ip"
+    echo ""
+    echo "How will you access ZakApp dev?"
+    echo "1) Localhost only (this machine)"
+    echo "2) IP address ($server_ip) - accessible from your network"
+    echo "3) Custom domain"
+    read -p "Select option (1-3) [default: 2]: " access_option
+    
+    # Default to IP access if no input
+    if [ -z "$access_option" ]; then
+        access_option="2"
+    fi
+    
+    local access_mode=""
+    case $access_option in
+        1)
+            access_mode="localhost"
+            ;;
+        2)
+            access_mode="ip"
+            ;;
+        3)
+            access_mode="domain"
+            ;;
+        *)
+            print_warning "Invalid option, defaulting to IP access (most common for dev)"
+            access_mode="ip"
+            ;;
+    esac
+    
+    local http_port=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTP_PORT")
+    local https_port=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTPS_PORT")
+    
+    case $access_mode in
+        localhost)
+            sed -i "s|^APP_URL=.*|APP_URL=http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=localhost|" "$ENV_FILE"
+            print_success "Configured for localhost access (http://localhost:$http_port)"
+            ;;
+        ip)
+            sed -i "s|^APP_URL=.*|APP_URL=https://$server_ip:$https_port|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=https://$server_ip:$https_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=https://$server_ip:$https_port,http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$server_ip,localhost|" "$ENV_FILE"
+            print_success "Configured for IP access: https://$server_ip:$https_port"
+            ;;
+        domain)
+            read -p "Enter your domain (e.g., zakapp-dev.example.com): " domain
+            sed -i "s|^APP_URL=.*|APP_URL=https://$domain|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=https://$domain|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=https://$domain|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$domain|" "$ENV_FILE"
+            sed -i "s|^# ZAKAPP_DOMAIN=.*|ZAKAPP_DOMAIN=$domain|" "$ENV_FILE"
+            print_success "Configured for domain: https://$domain"
+            ;;
+    esac
+    
+    collect_admin_emails
+}
+
+# Configure ports - detect actual ports after container start
+configure_ports() {
+    local server_ip=$(detect_ip)
+    
+    # Check if services are already running
+    local running=$(docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps -q 2>/dev/null | wc -l)
+    
+    if [ "$running" -eq 0 ]; then
+        # No services running, start them temporarily to detect ports
+        print_status "Starting services temporarily to detect actual port assignments..."
+        docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE up -d --no-build 2>/dev/null || true
+        sleep 8
+    fi
+    
+    # Get actual HTTP port from docker compose ps
+    local http_port=$(docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps --format json 2>/dev/null | grep -o '"HostPort":"[0-9]*"' | head -1 | grep -o '[0-9]*$' || echo "")
+    
+    # If not found via JSON, try alternative method
+    if [ -z "$http_port" ]; then
+        http_port=$(docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps caddy 2>/dev/null | grep -oE '0\.0\.0\.0:[0-9]+->80' | grep -oE '[0-9]+(?=->80)' || echo "")
+    fi
+    
+    # Get actual HTTPS port
+    local https_port=$(docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps caddy 2>/dev/null | grep -oE '0\.0\.0\.0:[0-9]+->443' | grep -oE '[0-9]+(?=->443)' || echo "")
+    
+    # Fallback to default if detection failed
+    if [ -z "$http_port" ]; then
+        http_port=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTP_PORT")
+    fi
+    if [ -z "$https_port" ]; then
+        https_port=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTPS_PORT")
+    fi
+    
+    print_status "Detected actual ports - HTTP: $http_port, HTTPS: $https_port"
+    
+    # Check if ports differ from what's in env file
+    local current_http=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "")
+    local current_https=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "")
+    
+    if [ "$http_port" != "$current_http" ] || [ "$https_port" != "$current_https" ]; then
+        print_status "Port mismatch detected! Updating .env.dev with actual ports..."
+        
+        # Update .env.dev with actual ports
+        sed -i "s|^FRONTEND_PORT=.*|FRONTEND_PORT=$http_port|" "$ENV_FILE"
+        sed -i "s|^FRONTEND_PORT_SSL=.*|FRONTEND_PORT_SSL=$https_port|" "$ENV_FILE"
+        
+        # Update CORS settings with actual ports
+        print_status "Updating CORS settings with actual ports..."
+        
+        # Detect if using IP or localhost
+        local current_app_url=$(grep "^APP_URL=" "$ENV_FILE" | cut -d'=' -f2)
+        
+        if [[ "$current_app_url" == https://*:* ]]; then
+            # IP access - update with actual https port
+            local base_url="https://$server_ip:$https_port"
+            sed -i "s|^APP_URL=.*|APP_URL=$base_url|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=$base_url|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=$base_url,http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$server_ip,localhost|" "$ENV_FILE"
+            print_success "Updated to https://$server_ip:$https_port"
+        elif [[ "$current_app_url" == https://* ]]; then
+            # Domain - no port change needed
+            print_success "Using domain configuration"
+        else
+            # Localhost
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=http://localhost:$http_port|" "$ENV_FILE"
+            print_success "Updated to http://localhost:$http_port"
+        fi
+        
+        # If services were started temporarily, restart them with correct env
+        if [ "$running" -eq 0 ]; then
+            print_status "Restarting services with correct configuration..."
+            docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE down 2>/dev/null || true
+        fi
+    else
+        # Ports match, just stop if we started temporarily
+        if [ "$running" -eq 0 ]; then
+            docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE down 2>/dev/null || true
+            print_status "Ports match. Services stopped. Will restart in deploy phase..."
+        fi
+    fi
+}
+
+# Generate missing secrets
+generate_missing_secrets() {
+    print_status "Generating secure secrets..."
+    
+    local secrets=(
+        "JWT_SECRET"
+        "JWT_REFRESH_SECRET"
+        "REFRESH_SECRET"
+        "ENCRYPTION_KEY"
+        "APP_SECRET"
+        "COUCHDB_JWT_SECRET"
+        "COUCHDB_PASSWORD"
+    )
+    
+    for secret in "${secrets[@]}"; do
+        if ! grep -q "^$secret=" "$ENV_FILE" || [ -z "$(grep "^$secret=" "$ENV_FILE" | cut -d'=' -f2)" ]; then
+            local value=$(generate_secret)
+            if [ "$secret" = "ENCRYPTION_KEY" ]; then
+                value=$(openssl rand -hex 32)
+            fi
+            
+            if grep -q "^$secret=" "$ENV_FILE"; then
+                sed -i "s|^$secret=.*|$secret=$value|" "$ENV_FILE"
+            else
+                echo "$secret=$value" >> "$ENV_FILE"
+            fi
+        fi
+    done
+}
+
+# Build and deploy the application
+deploy() {
+    print_header "Building & Deploying ZakApp (Dev Mode)"
+    
+    print_status "Building images from local source..."
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE build
+    
+    print_status "Starting services..."
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE up -d
+    
+    print_status "Waiting for services to be ready..."
+    sleep 5
+    
+    # Wait for backend health check
+    local retries=0
+    local max_retries=30
+    
+    while [ $retries -lt $max_retries ]; do
+        if docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps backend 2>/dev/null | grep -q "healthy"; then
+            print_success "Backend is ready"
+            break
+        fi
+        
+        retries=$((retries + 1))
+        echo -n "."
+        sleep 2
+    done
+    
+    if [ $retries -eq $max_retries ]; then
+        print_warning "Backend may not be fully ready yet, but continuing..."
+    fi
+    
+    # Run migrations
+    print_status "Running database migrations..."
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE run --rm migrations || print_warning "Migration step completed"
+    
+    verify_deployment
+}
+
+# Verify deployment is successful
+verify_deployment() {
+    print_header "Verifying Deployment"
+    
+    local http_port=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTP_PORT")
+    local https_port=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTPS_PORT")
+    local server_ip=$(detect_ip)
+    local all_healthy=true
+    
+    # Check CouchDB
+    print_status "Checking CouchDB..."
+    if docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps couchdb 2>/dev/null | grep -q "healthy"; then
+        print_success "CouchDB is healthy"
+    else
+        print_warning "CouchDB may not be ready yet"
+        all_healthy=false
+    fi
+    
+    # Check Backend
+    print_status "Checking Backend..."
+    if docker compose -f "$COMPOSE_FILE" $COMPOSE_PROFILE ps backend 2>/dev/null | grep -q "healthy"; then
+        print_success "Backend is healthy"
+    else
+        print_warning "Backend may not be ready yet"
+        all_healthy=false
+    fi
+    
+    # Check Frontend via HTTP
+    print_status "Checking Frontend HTTP..."
+    local frontend_retries=0
+    while [ $frontend_retries -lt 10 ]; do
+        if curl -sf "http://localhost:$http_port" > /dev/null 2>&1; then
+            print_success "Frontend is responding on HTTP"
+            break
+        fi
+        frontend_retries=$((frontend_retries + 1))
+        sleep 2
+    done
+    if [ $frontend_retries -eq 10 ]; then
+        print_warning "Frontend may need more time to start"
+        all_healthy=false
+    fi
+    
+    # Check API accessibility through proxy
+    print_status "Checking API accessibility..."
+    local api_retries=0
+    while [ $api_retries -lt 10 ]; do
+        if curl -sf "http://localhost:$http_port/api/health" > /dev/null 2>&1 || \
+           curl -sf "http://localhost:$http_port/api/auth/test" > /dev/null 2>&1; then
+            print_success "API is accessible through proxy"
+            break
+        fi
+        api_retries=$((api_retries + 1))
+        sleep 2
+    done
+    if [ $api_retries -eq 10 ]; then
+        print_warning "API may need more time or check CORS settings"
+        all_healthy=false
+    fi
+    
+    # Summary
+    echo ""
+    if [ "$all_healthy" = true ]; then
+        print_success "All services are healthy and responding!"
+    else
+        print_warning "Some services may still be starting. Check logs with: docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE logs -f"
+    fi
+}
+
+# Display access information
+show_access_info() {
+    print_header "ZakApp Dev Build is Ready!"
+    
+    local app_url=$(grep "^APP_URL=" "$ENV_FILE" | cut -d'=' -f2)
+    local http_port=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTP_PORT")
+    local https_port=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "$DEFAULT_HTTPS_PORT")
+    local server_ip=$(detect_ip)
+    
+    echo -e "${GREEN}🎉 ZakApp dev build has been successfully deployed!${NC}"
+    echo ""
+    echo "Access your development application:"
+    echo ""
+    echo -e "  ${GREEN}Local Access:${NC}  http://localhost:$http_port"
+    
+    if [[ "$app_url" == https://*:* ]] && [ -n "$server_ip" ]; then
+        echo -e "  ${GREEN}Network Access:${NC} https://$server_ip:$https_port"
+        echo ""
+        echo -e "${YELLOW}⚠️  Note about HTTPS:${NC}"
+        echo "   When accessing via IP address, your browser will show a"
+        echo "   'Not Secure' warning. This is expected with self-signed certificates."
+        echo "   Click 'Advanced' → 'Proceed' to continue."
+    fi
+    
+    echo ""
+    echo -e "${BLUE}📋 Development Features:${NC}"
+    echo "   - Hot-reload: Code changes in ./client and ./server auto-reload"
+    echo "   - Frontend: http://localhost:$http_port"
+    echo "   - Backend API: http://localhost:$http_port/api"
+    echo ""
+    echo -e "${BLUE}📋 Quick Commands:${NC}"
+    echo "  # View logs"
+    echo "  docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE logs -f"
+    echo ""
+    echo "  # Stop services"
+    echo "  docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE down"
+    echo ""
+    echo "  # Restart services"
+    echo "  docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE restart"
+    echo ""
+    echo "  # Full rebuild (after package changes)"
+    echo "  docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE build --no-cache && docker compose -f $COMPOSE_FILE $COMPOSE_PROFILE up -d"
+    echo ""
+    echo -e "${GREEN}Happy developing! 🧑‍💻✨${NC}"
+}
+
+# Main execution
+main() {
+    print_header "ZakApp Development Build Deployment"
+    echo "Local source with hot-reload support"
+    echo ""
+    
+    check_prerequisites
+    setup_environment
+    deploy
+    show_access_info
+}
+
+# Handle script interruption
+trap 'print_error "Deployment interrupted"; exit 1' INT
+
+# Run main function
+main
diff --git a/deploy-easy.sh b/deploy-easy.sh
index b62251fc..acab4cfc 100755
--- a/deploy-easy.sh
+++ b/deploy-easy.sh
@@ -276,7 +276,25 @@ setup_environment() {
         if [ -f ".env.easy.example" ]; then
             cp ".env.easy.example" "$ENV_FILE"
         else
-            touch "$ENV_FILE"
+            # Create minimal .env with required variables
+            cat > "$ENV_FILE" << 'EOF'
+# ZakApp Configuration
+APP_URL=
+CLIENT_URL=
+ALLOWED_ORIGINS=
+ALLOWED_HOSTS=
+FRONTEND_PORT=3000
+FRONTEND_PORT_SSL=3443
+JWT_SECRET=
+JWT_REFRESH_SECRET=
+REFRESH_SECRET=
+ENCRYPTION_KEY=
+APP_SECRET=
+COUCHDB_USER=admin
+COUCHDB_PASSWORD=
+COUCHDB_JWT_SECRET=
+ADMIN_EMAILS=
+EOF
         fi
     fi
     
@@ -322,12 +340,14 @@ configure_access_mode() {
     case $access_mode in
         localhost)
             sed -i "s|^APP_URL=.*|APP_URL=http://localhost:3000|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=http://localhost:3000|" "$ENV_FILE"
             sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=http://localhost:3000|" "$ENV_FILE"
             sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=localhost|" "$ENV_FILE"
             print_success "Configured for localhost access"
             ;;
         ip)
             sed -i "s|^APP_URL=.*|APP_URL=https://$server_ip:3443|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=https://$server_ip:3443|" "$ENV_FILE"
             sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=https://$server_ip:3443,http://localhost:3000|" "$ENV_FILE"
             sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$server_ip,localhost|" "$ENV_FILE"
             print_success "Configured for IP access: https://$server_ip:3443"
@@ -335,6 +355,7 @@ configure_access_mode() {
         domain)
             read -p "Enter your domain (e.g., zakapp.example.com): " domain
             sed -i "s|^APP_URL=.*|APP_URL=https://$domain|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=https://$domain|" "$ENV_FILE"
             sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=https://$domain|" "$ENV_FILE"
             sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$domain|" "$ENV_FILE"
             sed -i "s|^# ZAKAPP_DOMAIN=.*|ZAKAPP_DOMAIN=$domain|" "$ENV_FILE"
@@ -350,12 +371,16 @@ configure_access_mode() {
 configure_ports() {
     local http_port=$(grep "^FRONTEND_PORT=" "$ENV_FILE" | cut -d'=' -f2 || echo "3000")
     local https_port=$(grep "^FRONTEND_PORT_SSL=" "$ENV_FILE" | cut -d'=' -f2 || echo "3443")
+    local server_ip=$(detect_ip)
+    local ports_changed=false
     
     if check_port "$http_port"; then
         print_warning "Port $http_port is already in use"
         local new_port=$(find_available_port "$http_port")
         print_status "Using alternative port: $new_port"
         sed -i "s|^FRONTEND_PORT=.*|FRONTEND_PORT=$new_port|" "$ENV_FILE"
+        http_port=$new_port
+        ports_changed=true
     fi
     
     if check_port "$https_port"; then
@@ -363,6 +388,36 @@ configure_ports() {
         local new_ssl_port=$(find_available_port "$https_port")
         print_status "Using alternative SSL port: $new_ssl_port"
         sed -i "s|^FRONTEND_PORT_SSL=.*|FRONTEND_PORT_SSL=$new_ssl_port|" "$ENV_FILE"
+        https_port=$new_ssl_port
+        ports_changed=true
+    fi
+    
+    # Update CLIENT_URL and ALLOWED_ORIGINS with the final ports
+    if [ "$ports_changed" = true ]; then
+        print_status "Updating CORS settings with final ports..."
+        
+        # Get current access mode from APP_URL
+        local current_app_url=$(grep "^APP_URL=" "$ENV_FILE" | cut -d'=' -f2)
+        
+        if [[ "$current_app_url" == https://*:* ]]; then
+            # IP or domain with HTTPS
+            local base_url="https://$server_ip:$https_port"
+            sed -i "s|^APP_URL=.*|APP_URL=$base_url|" "$ENV_FILE"
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=$base_url|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=$base_url,http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_HOSTS=.*|ALLOWED_HOSTS=$server_ip,localhost|" "$ENV_FILE"
+            print_success "Updated to https://$server_ip:$https_port"
+        elif [[ "$current_app_url" == https://* ]]; then
+            # Domain with HTTPS (no port)
+            local domain=$(echo "$current_app_url" | sed 's|https://||')
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=https://$domain|" "$ENV_FILE"
+            print_success "Updated for domain: https://$domain"
+        else
+            # Localhost
+            sed -i "s|^CLIENT_URL=.*|CLIENT_URL=http://localhost:$http_port|" "$ENV_FILE"
+            sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=http://localhost:$http_port|" "$ENV_FILE"
+            print_success "Updated to http://localhost:$http_port"
+        fi
     fi
 }
 
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 7c39fe30..64a3854a 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,117 +1,158 @@
+# ZakApp Development Configuration
+# Local build with hot-reload support
+# Run with: docker compose -f docker-compose.dev.yml up
+# Or use deploy-dev-build.sh for one-shot deployment
+
 services:
-  frontend:
-    image: ghcr.io/slimatic/zakapp-frontend:latest
-    build:
-      context: .
-      dockerfile: docker/Dockerfile.frontend
-      target: development
+  # Reverse proxy with automatic HTTPS (same as production)
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
     profiles: ["dev"]
     ports:
-      - '3000:3000'
+      - "${FRONTEND_PORT:-3002}:80"
+      - "${FRONTEND_PORT_SSL:-3444}:443"
     volumes:
-      - ./client:/app/client
-      - ./shared/src:/app/shared/src
-      - /app/client/node_modules
-      - /app/shared/node_modules
-      - /app/shared/dist
-      - ./docker/frontend-entrypoint.sh:/docker-entrypoint.sh
-    entrypoint: ["/docker-entrypoint.sh"]
-    env_file:
-      - .env
+      - ./docker/Caddyfile.dev:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_certs:/root/.local/share/caddy
     environment:
-      - NODE_ENV=development
-      - HOST=0.0.0.0
-      - ALLOWED_HOSTS=${ALLOWED_HOSTS}
-      - PORT=3000
-      - VITE_PORT=3000
-      - REACT_APP_API_BASE_URL=${REACT_APP_API_BASE_URL}
-      - REACT_APP_FEEDBACK_ENABLED=${REACT_APP_FEEDBACK_ENABLED:-true}
-      - REACT_APP_FEEDBACK_WEBHOOK_URL=${REACT_APP_FEEDBACK_WEBHOOK_URL:-}
-      - REACT_APP_COUCHDB_URL=${REACT_APP_COUCHDB_URL}
+      - ZAKAPP_DOMAIN=${ZAKAPP_DOMAIN:-}
+      - ZAKAPP_IP=${ZAKAPP_IP:-}
+    networks:
+      - zakapp-dev-network
     depends_on:
-      backend:
-        condition: service_healthy
-      couchdb:
-        condition: service_started
-    command: npm start
+      - frontend
+      - backend
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      test: ["CMD-SHELL", "curl -f http://localhost:80 || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
-      start_period: 40s
 
-  couchdb:
-    image: apache/couchdb:3.5.1
+  # Frontend - build from source and serve with nginx
+  frontend:
+    build:
+      context: .
+      dockerfile: docker/Dockerfile.frontend
+      target: frontend-production
+    profiles: ["dev"]
+    expose:
+      - "80"
     ports:
-      - "5984:5984"
-      - "6984:6984"
-    environment:
-      - COUCHDB_USER=${COUCHDB_USER}
-      - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
-      - COUCHDB_BIND_ADDRESS=0.0.0.0
-      - COUCHDB_PORT=5984
-      - COUCHDB_ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:3000}
-    volumes:
-      - couchdb-data:/opt/couchdb/data
-      - ./docker/couchdb/entrypoint-wrapper.sh:/usr/local/bin/entrypoint-wrapper.sh
-      - ./docker/couchdb/generate-cert.sh:/usr/local/bin/generate-cert.sh
-    entrypoint: ["/usr/local/bin/entrypoint-wrapper.sh"]
-    command: ["couchdb"]
+      - "3003:80"
+    networks:
+      - zakapp-dev-network
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:5984"]
+      test: ["CMD-SHELL", "curl -f http://localhost:80 || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
       start_period: 40s
 
+  # Backend - builds from local source with hot-reload
   backend:
-    image: ghcr.io/slimatic/zakapp-backend:latest
     build:
       context: .
       dockerfile: docker/Dockerfile.backend
       target: development
     profiles: ["dev"]
-    ports:
-      - '3001:3001'
+    expose:
+      - "3001"
     volumes:
       - ./server:/app/server
-      - ./shared/src:/app/shared/src
+      - ./shared:/app/shared
       - /app/server/node_modules
       - /app/shared/node_modules
       - /app/shared/dist
       - zakapp-db:/app/server/prisma/data
     env_file:
-      - .env
+      - .env.dev
     environment:
       - NODE_ENV=development
       - PORT=3001
       - DATABASE_URL=file:./prisma/data/dev.db
-      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS}
       - FEEDBACK_WEBHOOK_URL=${REACT_APP_FEEDBACK_WEBHOOK_URL:-}
-      - COUCHDB_JWT_SECRET=${COUCHDB_JWT_SECRET}
-      - COUCHDB_USER=${COUCHDB_USER}
-      - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
-      - COUCHDB_URL=${COUCHDB_URL}
-      - GOLD_API_KEY=${GOLD_API_KEY}
-      - APP_URL=${APP_URL:-http://localhost:3000}
-      - ADMIN_EMAILS=${ADMIN_EMAILS}
+      - COUCHDB_USER=${COUCHDB_USER:-admin}
+      - COUCHDB_URL=http://couchdb:5984
+    networks:
+      - zakapp-dev-network
+    depends_on:
+      couchdb:
+        condition: service_healthy
     healthcheck:
-      test: ["CMD", "sh", "-c", "wget -q --spider http://localhost:3001/api/auth/register || exit 0"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
+      test: ["CMD-SHELL", "curl -f http://localhost:3001/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
       start_period: 45s
+
+  # Database migrations - runs once on startup
+
+  # Database on startup
+  migrations:
+    build:
+      context: .
+      dockerfile: docker/Dockerfile.backend
+      target: development
+    profiles: ["dev"]
+    environment:
+      - DATABASE_URL=file:./prisma/data/dev.db
+    volumes:
+      - zakapp-db:/app/server/prisma/data
+    networks:
+      - zakapp-dev-network
     depends_on:
-      - couchdb
+      - backend
+    command: >
+      sh -c "echo 'Running database migrations...' &&
+             cd /app/server &&
+             npx prisma migrate deploy ||
+             (echo 'Migration completed or already up to date' && exit 0)"
+
+  # CouchDB for multi-device sync
+  couchdb:
+    image: apache/couchdb:3.5.1
+    profiles: ["dev"]
+    expose:
+      - "5984"
+    ports:
+      - "5985:5984"
+      - "6985:6984"
+    environment:
+      - COUCHDB_USER=${COUCHDB_USER:-admin}
+      - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
+      - COUCHDB_BIND_ADDRESS=0.0.0.0
+      - COUCHDB_PORT=5984
+      - COUCHDB_HTTPD_ENABLE_CORS=true
+      - COUCHDB_CORS_ORIGINS=${ALLOWED_ORIGINS}
+      - COUCHDB_CORS_CREDENTIALS=true
+      - COUCHDB_CORS_HEADERS=accept, authorization, content-type, origin, referer
+      - COUCHDB_CORS_METHODS=GET, PUT, POST, HEAD, DELETE
+    volumes:
+      - couchdb-data:/opt/couchdb/data
+      - ./docker/couchdb/entrypoint-wrapper.sh:/usr/local/bin/entrypoint-wrapper.sh
+      - ./docker/couchdb/generate-cert.sh:/usr/local/bin/generate-cert.sh
+    entrypoint: ["/usr/local/bin/entrypoint-wrapper.sh"]
+    command: ["couchdb"]
+    networks:
+      - zakapp-dev-network
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:5984/_up"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 40s
 
 volumes:
+  caddy_data:
+  caddy_certs:
   zakapp-db:
-    name: zakapp-database
+    name: zakapp-dev-database
   couchdb-data:
-    name: couchdb-data
+    name: couchdb-dev-data
 
 networks:
-  default:
-    name: zakapp-dev
-
+  zakapp-dev-network:
+    name: zakapp-dev-network
+    driver: bridge
diff --git a/docker-compose.yml b/docker-compose.yml
index 32ae62c6..0bafe3e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,6 +64,7 @@ services:
       - REFRESH_SECRET=${REFRESH_SECRET}
       - ENCRYPTION_KEY=${ENCRYPTION_KEY}
       - APP_SECRET=${APP_SECRET}
+      - CLIENT_URL=${CLIENT_URL}
       - COUCHDB_URL=http://couchdb:5984
       - COUCHDB_USER=${COUCHDB_USER:-admin}
       - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
diff --git a/docker/Caddyfile.dev b/docker/Caddyfile.dev
new file mode 100644
index 00000000..f7785013
--- /dev/null
+++ b/docker/Caddyfile.dev
@@ -0,0 +1,64 @@
+# Caddyfile for ZakApp Development Build
+
+{
+    auto_https disable_redirects
+    admin off
+}
+
+:80 {
+    encode gzip
+    
+    # Health check
+    @health {
+        path /health
+    }
+    reverse_proxy @health backend:3001
+    
+    # API routes
+    @api {
+        path /api
+        path /api/*
+    }
+    reverse_proxy @api backend:3001
+    
+    # CouchDB routes
+    @db {
+        path /db
+        path /db/*
+    }
+    reverse_proxy @db couchdb:5984
+    
+    # Everything else to frontend
+    reverse_proxy frontend:80
+}
+
+:443 {
+    encode gzip
+    
+    tls internal {
+        on_demand
+    }
+    
+    # Health check
+    @health {
+        path /health
+    }
+    reverse_proxy @health backend:3001
+    
+    # API routes
+    @api {
+        path /api
+        path /api/*
+    }
+    reverse_proxy @api backend:3001
+    
+    # CouchDB routes
+    @db {
+        path /db
+        path /db/*
+    }
+    reverse_proxy @db couchdb:5984
+    
+    # Everything else to frontend
+    reverse_proxy frontend:80
+}
diff --git a/docker/Caddyfile.prod b/docker/Caddyfile.prod
new file mode 100644
index 00000000..ad2f7c23
--- /dev/null
+++ b/docker/Caddyfile.prod
@@ -0,0 +1,227 @@
+# Caddyfile for ZakApp Easy Deployment
+# Automatically handles HTTPS for localhost, IP addresses, and custom domains
+
+{
+    # Auto HTTPS settings - disable redirects since we handle them manually
+    auto_https disable_redirects
+    
+    # Admin API (optional)
+    admin off
+}
+
+# HTTP on port 80 - serves HTTP traffic
+:80 {
+    # Enable compression
+    encode gzip
+    
+    # Handle API requests
+    handle /api/* {
+        reverse_proxy backend:3001 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle CouchDB requests - support both /db and /couchdb paths
+    handle /db/* {
+        uri strip_prefix /db
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /couchdb/* {
+        uri strip_prefix /couchdb
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle CouchDB WebSocket and _changes feed
+    handle /_changes {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Upgrade {http_upgrade}
+            header_up Connection {http_connection}
+        }
+    }
+    
+    # Handle all CouchDB system paths
+    handle /_users/* {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /_replicator/* {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /_session {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle all other CouchDB internal paths (WebSocket support)
+    handle /* {
+        # Check if it's a CouchDB WebSocket or feed request
+        @couchdb_websocket {
+            header Connection *Upgrade*
+            header Upgrade websocket
+        }
+        reverse_proxy @couchdb_websocket couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Upgrade {http_upgrade}
+            header_up Connection {http_connection}
+        }
+    }
+    
+    # Everything else goes to frontend
+    reverse_proxy frontend:3000 {
+        header_up Host {host}
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-Proto {scheme}
+    }
+    
+    # Logging
+    log {
+        output file /data/access.log
+        format json
+    }
+}
+
+# HTTPS on port 443 - serves HTTPS traffic with self-signed certs
+:443 {
+    # Enable compression
+    encode gzip
+    
+    # Generate self-signed certificates for any hostname
+    tls internal {
+        on_demand
+    }
+    
+    # Handle API requests
+    handle /api/* {
+        reverse_proxy backend:3001 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle CouchDB requests - support both /db and /couchdb paths
+    handle /db/* {
+        uri strip_prefix /db
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /couchdb/* {
+        uri strip_prefix /couchdb
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle CouchDB WebSocket and _changes feed
+    handle /_changes {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Upgrade {http_upgrade}
+            header_up Connection {http_connection}
+        }
+    }
+    
+    # Handle all CouchDB system paths
+    handle /_users/* {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /_replicator/* {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    handle /_session {
+        reverse_proxy couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+    
+    # Handle all other CouchDB internal paths (WebSocket support)
+    handle /* {
+        # Check if it's a CouchDB WebSocket or feed request
+        @couchdb_websocket {
+            header Connection *Upgrade*
+            header Upgrade websocket
+        }
+        reverse_proxy @couchdb_websocket couchdb:5984 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Upgrade {http_upgrade}
+            header_up Connection {http_connection}
+        }
+    }
+    
+    # Everything else goes to frontend
+    reverse_proxy frontend:3000 {
+        header_up Host {host}
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-Proto {scheme}
+    }
+    
+    # Logging
+    log {
+        output file /data/access.log
+        format json
+    }
+}
\ No newline at end of file
diff --git a/docker/Dockerfile.backend b/docker/Dockerfile.backend
index bc650e77..24aaaa35 100644
--- a/docker/Dockerfile.backend
+++ b/docker/Dockerfile.backend
@@ -6,7 +6,7 @@ ENV NPM_CONFIG_LEGACY_PEER_DEPS=true
 WORKDIR /app
 
 # Install build dependencies for native modules (better-sqlite3)
-RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y python3 make g++ curl && rm -rf /var/lib/apt/lists/*
 
 # Copy npmrc configuration
 COPY .npmrc ./
@@ -85,7 +85,7 @@ ENV NPM_CONFIG_LEGACY_PEER_DEPS=true
 WORKDIR /app
 
 # Install build dependencies for native modules (better-sqlite3)
-RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y python3 make g++ curl && rm -rf /var/lib/apt/lists/*
 
 # Copy npmrc configuration
 COPY .npmrc ./
diff --git a/docker/Dockerfile.frontend b/docker/Dockerfile.frontend
index 7d374b21..0f464c9f 100644
--- a/docker/Dockerfile.frontend
+++ b/docker/Dockerfile.frontend
@@ -46,6 +46,9 @@ COPY --from=build /app/client ./client
 COPY docker/frontend-entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /docker-entrypoint.sh
 
+# Install curl for healthcheck
+RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+
 # Set working directory to client
 WORKDIR /app/client
 
diff --git a/package.json b/package.json
index aad69ece..1433e89f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "zakapp",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "description": "A user-friendly, self-hosted Zakat application with modern UI",
   "main": "server/index.js",
   "scripts": {
diff --git a/server/package.json b/server/package.json
index 81973619..4a3348a5 100644
--- a/server/package.json
+++ b/server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "zakapp-server",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "description": "zakapp backend server",
   "main": "index.js",
   "scripts": {