diff --git a/compose.prod.yml b/compose.prod.yml
index 0b3d8ab..2b81c06 100644
--- a/compose.prod.yml
+++ b/compose.prod.yml
@@ -1,15 +1,27 @@
 # compose.prod.yml — overrides pour env production
 # Usage : docker compose -f compose.yml -f compose.prod.yml up -d
+# Reseau externe : admin_proxy (Traefik)
 services:
 docmost:
+ image: acadedoc:${ACADEDOC_VERSION:-local}
+ pull_policy: never
 restart: always
 environment:
 APP_URL: ${DOCMOST_URL:?DOCMOST_URL requis sur prod}
 LOG_LEVEL: warn
+ MAIL_DRIVER: smtp
+ SMTP_HOST: ${SMTP_HOST}
+ SMTP_PORT: ${SMTP_PORT}
+ SMTP_USERNAME: ${SMTP_USERNAME}
+ SMTP_PASSWORD: ${SMTP_PASSWORD}
+ SMTP_SECURE: "false"
+ MAIL_FROM_ADDRESS: ${MAIL_FROM_ADDRESS}
+ MAIL_FROM_NAME: ${MAIL_FROM_NAME}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.docmost-prod.rule=Host(`wiki.acadenice.fr`)"
+ - "traefik.docker.network=admin_proxy"
+ - "traefik.http.routers.docmost-prod.rule=Host(`doc.stark.a3n.fr`)"
 - "traefik.http.routers.docmost-prod.entrypoints=websecure"
 - "traefik.http.routers.docmost-prod.tls.certresolver=letsencrypt"
 - "traefik.http.services.docmost-prod.loadbalancer.server.port=3000"
@@ -18,10 +30,11 @@ services:
 resources:
 limits:
 memory: 2G
+ cpus: "1.5"
 reservations:
 memory: 512M
 healthcheck:
- test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:3000"]
+ test: ["CMD", "node", "-e", "fetch('http://127.0.0.1:3000').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
 interval: 30s
 timeout: 5s
 retries: 3
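Review bot: `SMTP_SECURE: "false"` in the docmost environment block of the first hunk is hardcoded while SMTP_USERNAME and SMTP_PASSWORD are passed to the same mailer, so whether the login is protected depends on the relay at `${SMTP_PORT}` offering STARTTLS and the client insisting on it, and neither is visible here. If the relay supports implicit TLS, prefer `SMTP_SECURE: "true"` with the matching port, or make the setting overridable with a safe default such as `SMTP_SECURE: ${SMTP_SECURE:-true}`. The SMTP_* and MAIL_FROM_* values also lack the `:?` guard this file already uses for DOCMOST_URL, so an unset variable silently becomes an empty string; `SMTP_HOST: ${SMTP_HOST:?SMTP_HOST requis sur prod}` would fail fast instead.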
@@ -31,9 +44,11 @@ services:
 restart: always
 environment:
 BASEROW_PUBLIC_URL: ${BASEROW_URL:?BASEROW_URL requis sur prod}
+ BASEROW_EXTRA_ALLOWED_HOSTS: baserow
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.baserow-prod.rule=Host(`baserow.acadenice.fr`)"
+ - "traefik.docker.network=admin_proxy"
+ - "traefik.http.routers.baserow-prod.rule=Host(`baserow.stark.a3n.fr`)"
 - "traefik.http.routers.baserow-prod.entrypoints=websecure"
 - "traefik.http.routers.baserow-prod.tls.certresolver=letsencrypt"
 - "traefik.http.services.baserow-prod.loadbalancer.server.port=80"
@@ -42,8 +57,54 @@ services:
 resources:
 limits:
 memory: 3G
+ cpus: "2.0"
 reservations:
 memory: 1G
+ healthcheck:
+ test: ["CMD-SHELL", "curl -fsS http://localhost/_health/ || exit 1"]
+ interval: 30s
+ timeout: 5s
+ retries: 5
+ start_period: 60s
+
+ bridge:
+ restart: always
+ environment:
+ BASEROW_WEBHOOK_SECRET: ${BASEROW_WEBHOOK_SECRET:?BASEROW_WEBHOOK_SECRET requis (>= 16 chars)}
+ LOG_LEVEL: warn
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=admin_proxy"
+ # Router public : webhooks Baserow + appels machine-to-machine (token brg_*).
+ - "traefik.http.routers.bridge-prod.rule=Host(`bridge.stark.a3n.fr`)"
+ - "traefik.http.routers.bridge-prod.entrypoints=websecure"
+ - "traefik.http.routers.bridge-prod.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.bridge-prod.service=bridge-prod"
+ # Router same-origin sur le doc : appels SPA front. Le cookie authToken
+ # de Docmost est host-only sur doc.stark.a3n.fr donc on ne peut PAS
+ # router cross-subdomain. Le strip /bridge laisse passer /api/v1/* tel
+ # que le bridge l'attend.
+ - "traefik.http.routers.bridge-on-doc.rule=Host(`doc.stark.a3n.fr`) && PathPrefix(`/bridge`)"
+ - "traefik.http.routers.bridge-on-doc.entrypoints=websecure"
+ - "traefik.http.routers.bridge-on-doc.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.bridge-on-doc.middlewares=bridge-strip"
+ - "traefik.http.routers.bridge-on-doc.service=bridge-prod"
+ - "traefik.http.middlewares.bridge-strip.stripprefix.prefixes=/bridge"
+ - "traefik.http.services.bridge-prod.loadbalancer.server.port=4000"
+ ports: !reset []
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: "0.5"
+ reservations:
+ memory: 128M
+ healthcheck:
+ test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:4000/api/health | grep -q '\"status\":\"ok\"' || exit 1"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 20s
 docmost-db:
 restart: always
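Review bot: The `bridge-prod` router publishes every bridge route on `bridge.stark.a3n.fr` with no middleware attached, so the only control in front of the service is the application's own token check. The label comment says this host exists only for Baserow webhooks and machine-to-machine calls, so either narrow the rule to those paths with an added `PathPrefix(...)` or attach a rate limit, e.g. `traefik.http.routers.bridge-prod.middlewares=bridge-ratelimit` together with `traefik.http.middlewares.bridge-ratelimit.ratelimit.average=<N>` (the value is a placeholder). The `bridge-on-doc` router deserves the same treatment, since it forwards browser requests that carry the Docmost `authToken` cookie. Separately, `:?` only rejects an unset or empty BASEROW_WEBHOOK_SECRET; the ">= 16 chars" in the message is not enforced by Compose, so the length check has to live in the bridge's own startup validation.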
@@ -51,6 +112,9 @@ services:
 resources:
 limits:
 memory: 1G
+ cpus: "1.0"
+ reservations:
+ memory: 256M
 docmost-redis:
 restart: always
@@ -58,8 +122,16 @@ services:
 resources:
 limits:
 memory: 256M
+ cpus: "0.5"
+ reservations:
+ memory: 64M
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 3s
+ retries: 5
 networks:
 default:
 external: true
- name: traefik
+ name: admin_proxy
diff --git a/compose.yml b/compose.yml
index 80098f1..81c790f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -66,8 +66,12 @@ services:
 environment:
 BASEROW_API_URL: http://baserow:80/api
 BASEROW_API_TOKEN: ${BASEROW_API_TOKEN}
+ BASEROW_USER_EMAIL: ${BASEROW_USER_EMAIL}
+ BASEROW_USER_PASSWORD: ${BASEROW_USER_PASSWORD}
 DOCMOST_API_URL: http://docmost:3000/api
 DOCMOST_API_TOKEN: ${DOCMOST_API_TOKEN}
+ DOCMOST_APP_SECRET: ${DOCMOST_APP_SECRET}
+ DOCMOST_JWT_ISSUER: Docmost
 REDIS_URL: redis://docmost-redis:6379
 ports:
 - "4000:4000"
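Review bot: The `networks.default` block at the end of the docmost-redis hunk keeps the whole stack on the external proxy network (now `admin_proxy`), so docmost-db and docmost-redis are reachable from every other container attached to that network, not only from this project's services. The new `redis-cli ping` healthcheck runs without credentials and compose.yml's `REDIS_URL: redis://docmost-redis:6379` carries none, which suggests Redis accepts unauthenticated connections there. Since this commit already adds `traefik.docker.network=admin_proxy` to the routed services, the datastores can move to a project-local network declared with `internal: true`, leaving only docmost, baserow and bridge on `admin_proxy`. A comment above `networks:` stating which services are meant to be on the shared network would make that boundary explicit.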
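Review bot: `DOCMOST_APP_SECRET` and `BASEROW_USER_PASSWORD` in the compose.yml hunk reach the bridge with no `:?` guard, so an unset variable becomes an empty string; if the bridge uses the app secret to verify or sign Docmost JWTs (the `DOCMOST_JWT_ISSUER` line suggests it does), an empty key must be refused rather than accepted. Add the guard in compose.prod.yml next to BASEROW_WEBHOOK_SECRET, e.g. `DOCMOST_APP_SECRET: ${DOCMOST_APP_SECRET:?DOCMOST_APP_SECRET requis sur prod}`. Sharing Docmost's signing secret also means a compromise of the bridge would presumably allow minting Docmost sessions, so a comment recording that trust boundary belongs here, and BASEROW_USER_EMAIL should point at a dedicated low-privilege Baserow account. The bridge service definition starts and ends outside this hunk.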