diff --git a/.gitea/workflows/push-develop.yml b/.gitea/workflows/push-develop.yml
index 0bfb715..b66f9bf 100644
--- a/.gitea/workflows/push-develop.yml
+++ b/.gitea/workflows/push-develop.yml
@@ -51,7 +51,7 @@ jobs:
 
   # ── 2. Deploy ─────────────────────────────────────────────────────────────────
   deploy:
-    name: Rolling deploy
+    name: Deploy
     runs-on: stage-gatehouse-api
     needs: build
     env:
@@ -60,10 +60,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Deploy (rolling restart)
+      - name: Deploy (docker compose up)
         run: |
           cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
-          bash deploy/deploy.sh "${{ needs.build.outputs.tag }}"
+          cd "${COMPOSE_DIR}"
+          IMAGE_TAG="${{ needs.build.outputs.tag }}" docker compose up -d --remove-orphans
 
   # ── 3. Alert ──────────────────────────────────────────────────────────────────
   alert:
diff --git a/.gitea/workflows/push-main.yml b/.gitea/workflows/push-main.yml
index 3408493..d2222ef 100644
--- a/.gitea/workflows/push-main.yml
+++ b/.gitea/workflows/push-main.yml
@@ -50,7 +50,7 @@ jobs:
 
   # ── 2. Deploy ─────────────────────────────────────────────────────────────────
   deploy:
-    name: Rolling deploy
+    name: Deploy
     runs-on: prod-gatehouse-api
     needs: build
     env:
@@ -59,10 +59,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Deploy (rolling restart)
+      - name: Deploy (docker compose up)
         run: |
           cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
-          bash deploy/deploy.sh "${{ needs.build.outputs.tag }}"
+          cd "${COMPOSE_DIR}"
+          IMAGE_TAG="${{ needs.build.outputs.tag }}" docker compose up -d --remove-orphans
 
   # ── 3. Alert ──────────────────────────────────────────────────────────────────
   alert:
diff --git a/deploy/ansible/group_vars/all.yml b/deploy/ansible/group_vars/all.yml
index e9687db..7f56c55 100644
--- a/deploy/ansible/group_vars/all.yml
+++ b/deploy/ansible/group_vars/all.yml
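Review bot: In the new `run:` block, `${{ needs.build.outputs.tag }}` is substituted into the script text before the shell executes it, so whatever characters the tag carries become shell source rather than data; the identical line is in the push-main.yml hunk. Passing it through the step's `env:` keeps it out of the script: add `env:` / `IMAGE_TAG: ${{ needs.build.outputs.tag }}` above `run: |` and reduce the last line to `docker compose up -d --remove-orphans`. Separately, `up -d` returns as soon as the containers are created, so this job (and presumably the alert job that follows it) reports success before the service is actually serving; `--wait` makes the step block on container healthchecks, if the compose services define them. If the tag is not unique per build, `up -d` will also keep a locally cached image instead of pulling the new one, which `--pull always` avoids. The deploy job's `env:` entries sit between the two hunks and are not visible here.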
@@ -29,6 +29,12 @@ node_major_version: "26"
 trivy_version: "0.71.2"
 gitleaks_version: "8.30.1"
 
+# Docker CLI plugins. The engine ships without them, so `docker compose` (used by
+# deploy.sh) and `docker buildx` are missing — deploy.sh then fails with exit 125.
+# Installed as pinned binaries into the host cli-plugins dir; bump to upgrade.
+docker_compose_version: "5.1.4"
+docker_buildx_version: "0.35.0"
+
 # Registration tokens come from env vars named by each project's `token_env`
 # (e.g. RUNNER_TOKEN_GATEHOUSE_API). Export them on the control node before running.
 # Mint from: Gitea repo → Settings → Actions → Runners → Create new runner token.
diff --git a/deploy/ansible/host_vars/stage01.yml b/deploy/ansible/host_vars/stage01.yml
index 5549699..535107b 100644
--- a/deploy/ansible/host_vars/stage01.yml
+++ b/deploy/ansible/host_vars/stage01.yml
@@ -14,6 +14,6 @@ runners:
 
   - project: gatehouse-ui
     url: https://source.hawkless.id.au/coryHawkvelt/gatehouse-ui
-    labels: "self-hosted:host,linux:host,stage:host"
+    labels: "self-hosted:host,linux:host,stage:host,stage-gatehouse-ui:host"
     token_env: RUNNER_TOKEN_GATEHOUSE_UI
     count: 1
diff --git a/deploy/ansible/install-runner.yml b/deploy/ansible/install-runner.yml
index 622dab6..e0fd903 100644
--- a/deploy/ansible/install-runner.yml
+++ b/deploy/ansible/install-runner.yml
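Review bot: The new comment in group_vars/all.yml explains the plugins as `used by deploy.sh` and describes deploy.sh failing with exit 125, but the workflow hunks in this same commit replace the `bash deploy/deploy.sh` call with a direct `docker compose up` in the deploy step, so the reference is stale the moment this lands; the install-runner.yml comment repeats it. Unless deploy.sh is still invoked from somewhere not shown here, reword to something like `# Docker CLI plugins. The engine ships without them, so the runner's deploy step (docker compose up) and docker buildx would be missing.` and drop the exit-code detail that belonged to the old script. The version values are pinned here but nothing alongside them pins the content of the downloads; a matching `docker_compose_sha256` / `docker_buildx_sha256` pair next to these would let the install tasks verify what they fetch.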
@@ -84,6 +84,43 @@
       mode: "0755"
     when: gitleaks_version not in (gitleaks_check.stdout | default(''))
 
+  # The Docker engine ships without CLI plugins, so `docker compose` (used by
+  # deploy.sh) and `docker buildx` are absent. Install them host-wide; this
+  # path is searched by both docker.io and docker-ce CLIs.
+  - name: Ensure Docker CLI plugins dir exists
+    ansible.builtin.file:
+      path: /usr/libexec/docker/cli-plugins
+      state: directory
+      mode: "0755"
+
+  - name: Check installed Docker Compose plugin version
+    ansible.builtin.command: docker compose version --short
+    register: compose_check
+    changed_when: false
+    failed_when: false
+
+  - name: Install Docker Compose v2 plugin {{ docker_compose_version }}
+    ansible.builtin.get_url:
+      url: "https://github.com/docker/compose/releases/download/v{{ docker_compose_version }}/docker-compose-linux-x86_64"
+      dest: /usr/libexec/docker/cli-plugins/docker-compose
+      mode: "0755"
+      force: true
+    when: docker_compose_version not in (compose_check.stdout | default(''))
+
+  - name: Check installed Docker Buildx plugin version
+    ansible.builtin.command: docker buildx version
+    register: buildx_check
+    changed_when: false
+    failed_when: false
+
+  - name: Install Docker Buildx plugin {{ docker_buildx_version }}
+    ansible.builtin.get_url:
+      url: "https://github.com/docker/buildx/releases/download/v{{ docker_buildx_version }}/buildx-v{{ docker_buildx_version }}.linux-amd64"
+      dest: /usr/libexec/docker/cli-plugins/docker-buildx
+      mode: "0755"
+      force: true
+    when: docker_buildx_version not in (buildx_check.stdout | default(''))
+
   # Deploy target for each project's compose stack. Owned by the runner so the
   # deploy job can `cp docker-compose.yml` here; the host-managed .env lives
   # here too. Basename matches the compose project name, preserving volumes.
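Review bot: Both `ansible.builtin.get_url` tasks place an executable into `/usr/libexec/docker/cli-plugins` with no `checksum:`, so the only thing pinning what ends up running on every deploy is the release URL; a substituted or truncated download is installed silently and the `when:` guard will not re-fetch it because the version string still matches. Add `checksum: "sha256:<SHA256_FROM_RELEASE>"` (placeholder — take the digest from the release's published checksums) under each get_url, ideally sourced from a variable next to the version in group_vars so a bump updates both. The task name `Install Docker Compose v2 plugin` is rendered with `docker_compose_version: "5.1.4"`; if `v2` is meant as the plugin lineage rather than the major version, a short comment saying so would save the next reader a double-take. The filenames hard-code `x86_64`/`amd64`, presumably consistent with the trivy and gitleaks tasks above the hunk, but worth a one-line comment if any runner host could be arm64.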