diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
index 20364dc..4b343fc 100644
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
@@ -8,8 +8,10 @@ on: - 'solitaire_server/**' - 'solitaire_sync/**' - 'solitaire_core/**' + - 'solitaire_engine/**' - 'Cargo.toml' - 'Cargo.lock' + - 'solitaire_server/Dockerfile' - '.gitea/workflows/docker-build.yml' env:
@@ -55,6 +57,8 @@ jobs: ${{ env.IMAGE }}:latest cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max + secrets: | cargo_token=${{ secrets.CI_TOKEN }} - name: Install kustomize run: |
diff --git a/solitaire_server/Dockerfile b/solitaire_server/Dockerfile
index 4708f06..e5cd106 100644
--- a/solitaire_server/Dockerfile
+++ b/solitaire_server/Dockerfile
@@ -12,6 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ # Copy only the files needed to build the server crate. # Layer order: workspace manifests first so dependency fetches are cached. +COPY .cargo/config.toml ./.cargo/config.toml COPY Cargo.toml Cargo.lock ./ COPY solitaire_core/Cargo.toml ./solitaire_core/Cargo.toml COPY solitaire_sync/Cargo.toml ./solitaire_sync/Cargo.toml
@@ -33,7 +34,11 @@ RUN for crate in solitaire_core solitaire_sync solitaire_data solitaire_engine \ echo "fn main() {}" > solitaire_app/src/main.rs && \ echo "fn main() {}" > solitaire_assetgen/src/main.rs -RUN cargo fetch --locked +# The Quaternions registry requires authentication. CI passes CI_TOKEN as a +# build secret so it never appears in image layers or docker history. +RUN --mount=type=secret,id=cargo_token,required=true \ + CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \ + cargo fetch --locked # Now copy real source and build in release mode. COPY solitaire_core/src ./solitaire_core/src 
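Review bot: The path filter still omits `.cargo/config.toml`, which the Dockerfile side of this same commit now copies into the build stage, so an edit to the registry configuration (for example a registry URL change) would not trigger an image rebuild; add `- '.cargo/config.toml'` next to the new `solitaire_server/Dockerfile` entry. The stub-crate loop visible in the Dockerfile hunk also names solitaire_data, solitaire_app and solitaire_assetgen; the lines above this hunk are not visible, so confirm their manifests are covered too, since a feature or dependency-spec change in a `Cargo.toml` does not always touch `Cargo.lock`.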
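Review bot: The new `secrets:` entry is coupled by name to the Dockerfile: the key `cargo_token` must equal the `id=cargo_token` in both `--mount=type=secret` lines, and the value is consumed raw because the Dockerfile prepends `Bearer ` itself; with `required=true` on the mount, a rename on either side fails the build with a missing-secret error rather than an authentication error, so record the coupling here, e.g. `# id must match --mount=type=secret,id=cargo_token in solitaire_server/Dockerfile; raw token, the Dockerfile adds the "Bearer " prefix`. CI_TOKEN reads like a general-purpose CI credential; if it grants more than read access to the Quaternions registry, a token scoped to registry reads would bound what a compromised build step, or a dependency build script running while the file is mounted, could do with it. Secret mounts sit outside the layer snapshots, so the `mode=max` cache export above does not carry the token.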
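Review bot: The new `COPY .cargo/config.toml ./.cargo/config.toml` bakes that file into a cached, registry-exported layer, so it must stay free of credentials: a token entry for the Quaternions registry placed in this file would defeat the secret mount added later in this diff. A comment stating that contract would help, e.g. `# Registry definitions only (no tokens): credentials come from the secret mount below.` Also, if the build context's `.dockerignore` excludes dotfiles or `.cargo/`, this COPY fails outright; the ignore file is not part of this diff, so confirm `.cargo/config.toml` is not excluded.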
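Review bot: The secret is mounted into two separate RUN steps (here and in the later `@@ -46,7 +51,9 @@` hunk for `cargo build`), even though `cargo fetch --locked` has already populated the registry cache; if that fetch covers every dependency the server build needs, the build step can become `cargo build --release --locked --offline -p solitaire_server --bin solitaire_server` with no `--mount` and no token variable, so only the fetch layer ever sees the credential. Dependency build scripts run during `cargo build`, not `cargo fetch`, so taking the token out of that step is what keeps it away from third-party code. The three-line mount-and-export incantation would then exist once, which also removes the risk of the two copies drifting apart. `$(cat …)` strips the trailing newline from the mounted file, so the `Bearer` value is clean as written.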
@@ -46,7 +51,9 @@ COPY solitaire_server/migrations ./solitaire_server/migrations COPY .sqlx ./.sqlx ENV SQLX_OFFLINE=true -RUN cargo build --release --locked -p solitaire_server --bin solitaire_server +RUN --mount=type=secret,id=cargo_token,required=true \ + CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \ + cargo build --release --locked -p solitaire_server --bin solitaire_server # --- Runtime stage --- FROM debian:bookworm-slim