diff --git a/Dockerfile b/Dockerfile
index b69b90e..68a0409 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -208,9 +208,15 @@ ENV PATH=/home/crafter/.local/bin:/caches/cargo/bin:/home/crafter/.bun/bin:$PATH
 # 14. Rust (rustup, stable) + cargo-audit + cargo-deny
 # ============================================================
 RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path \
- && /caches/cargo/bin/rustup component add clippy rustfmt \
- && /caches/cargo/bin/cargo install cargo-audit --locked \
- && /caches/cargo/bin/cargo install cargo-deny --locked
+ && /caches/cargo/bin/rustup component add clippy rustfmt
+# Install cargo-audit + cargo-deny to /usr/local (root-owned, NOT volume-shadowed
+# at runtime). The /caches/cargo/bin/ dir IS volume-shadowed by the host bind
+# mount, so cargo install artifacts there disappear inside the live container.
+USER root
+RUN /home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo install \
+ --locked --root /usr/local cargo-audit cargo-deny \
+ && chmod 755 /usr/local/bin/cargo-audit /usr/local/bin/cargo-deny
+USER crafter
 
 # ============================================================
 # 15. Bun (curl install)
@@ -227,7 +233,12 @@ RUN python3 -m pip install --user --break-system-packages --no-cache-dir pipx \
 && pipx install mypy \
 && pipx install pytest \
 && pipx install pip-audit \
- && pipx install semgrep
+ && pipx install semgrep \
+ # mypy needs the third-party stub packages injected into its own pipx
+ # venv (mypy-isolated, not the system site-packages). Without these,
+ # `mypy --strict` against any project that imports requests/PyYAML/etc.
+ # fails with "Library stubs not installed for X" exit 1.
+ && pipx inject mypy types-requests types-PyYAML types-setuptools
 
 # ============================================================
 # Reset GOPATH to crafter-owned path BEFORE the go install runs as crafter.
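Review bot: The new root-run `cargo install` fetches whatever cargo-audit and cargo-deny release is current at build time, so `--locked` only pins their transitive dependencies and two builds of this Dockerfile can ship different audit tooling; pin both with the crate@version form, `--locked --root /usr/local cargo-audit@<PINNED_VERSION> cargo-deny@<PINNED_VERSION>`. The hardcoded `stable-x86_64-unknown-linux-gnu` toolchain path also ties the image to one host architecture; `rustup run stable cargo install ...` via `/caches/cargo/bin/rustup` would resolve the triple, though with `USER root` in effect rustup will look for its own RUSTUP_HOME unless that variable is set for root, which the hunk does not show. Running cargo as root here presumably also writes registry and index data under whatever CARGO_HOME is in effect (the PATH suggests /caches/cargo), leaving root-owned files that crafter may later be unable to update — worth confirming since the ENV lines are outside the hunk. The added comment says /caches/cargo/bin is shadowed at runtime, yet the rustup proxies and the clippy/rustfmt components are still installed there by the preceding RUN, so either that statement needs qualifying or those tools have the same problem.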
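Review bot: The injected stub packages are unpinned, so every build resolves the newest types-requests, types-PyYAML and types-setuptools from PyPI and mypy's results inside the image can change with no Dockerfile change; pin them, `&& pipx inject mypy 'types-requests==<PINNED>' 'types-PyYAML==<PINNED>' 'types-setuptools==<PINNED>'`. The indented `#` lines placed inside the continued RUN are removed by the Dockerfile parser before the shell sees the command, so they do not break it, but a reader may reasonably assume they are shell comments that would end the continuation — moving the explanation above the RUN instruction avoids the ambiguity. The enclosing RUN instruction begins outside the hunk.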