diff --git a/Dockerfile b/Dockerfile
index 127de1d..df57709 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,9 +11,21 @@ RUN apk add --no-cache libc6-compat vips-dev
 WORKDIR /app
 
 COPY package.json package-lock.json ./
-# --include=optional ensures @img/sharp-linuxmusl-x64 (the Alpine sharp
-# prebuilt binary) is downloaded; otherwise sharp errors at runtime.
-RUN npm ci --include=optional
+
+# Strict, reproducible install for everything that's in the lock file.
+RUN npm ci --include=optional --no-audit --no-fund
+
+# Sharp 0.34 ships a separate binary per (os, libc, cpu) tuple as
+# optionalDependencies. The lock file was generated on the developer
+# machine (e.g. macOS arm64), so it only records THAT platform's binary.
+# `npm ci` is strict and refuses to install platform deps not recorded
+# in the lock — which means the Alpine (linuxmusl-x64) binary is missing,
+# sharp falls back to building from source, and the build fails with
+# "Please add node-gyp to your dependencies".
+#
+# Fix: explicitly fetch the Alpine binary after npm ci. --no-save keeps
+# package.json/lock untouched (no churn back to the dev machine).
+RUN npm install --no-save --include=optional --cpu=x64 --os=linux --libc=musl sharp
 
 # ── Stage 2: Build the application ──
 FROM node:22-alpine AS builder