diff --git a/Dockerfile b/Dockerfile
index 04b1eca..b69701b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.4
 # aldabra — Cardano lite wallet over MCP.
 #
 # Multi-stage:
@@ -44,7 +45,15 @@ COPY crates ./crates
 # trick above leaves stale build artifacts otherwise.
 RUN find crates -name '*.rs' -exec touch {} +
 
-RUN cargo build --release --bin aldabra && \
+# Fetch the pallas patch dep via HTTP+PAT at build time. Source URLs
+# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level
+# only, so no credential gets baked into the lock file or the image.
+# Pass `--secret id=git_credentials,src=<file>` where <file> is one
+# line: http://USER:PAT@192.168.0.5:3001
+RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
+    git config --global credential.helper store && \
+    git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@192.168.0.5:23/" && \
+    cargo build --release --bin aldabra && \
     strip target/release/aldabra
 
 FROM debian:bookworm-slim AS runtime