diff --git a/kez-chat/web/.gitignore b/kez-chat/web/.gitignore
index c0e66cc..18f3293 100644
--- a/kez-chat/web/.gitignore
+++ b/kez-chat/web/.gitignore
@@ -3,3 +3,6 @@ dist/
 .vite/
 *.tsbuildinfo
 .DS_Store
+# Written by the deploy script so the in-image build can stamp the real
+# commit sha into the footer. Falls back to "dev" if missing.
+BUILD_SHA
diff --git a/kez-chat/web/vite.config.ts b/kez-chat/web/vite.config.ts
index 7e9647d..bea44c2 100644
--- a/kez-chat/web/vite.config.ts
+++ b/kez-chat/web/vite.config.ts
@@ -1,4 +1,5 @@
 import { execSync } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
 import { defineConfig } from "vite";
 import { svelte } from "@sveltejs/vite-plugin-svelte";
 import tailwindcss from "@tailwindcss/vite";
@@ -7,7 +8,18 @@ import { VitePWA } from "vite-plugin-pwa";
 // Build-time identity: short git SHA + ISO date. Surfaced in the footer
 // as "kez-chat <sha>" so users can eyeball which build they're on (handy
 // when verifying that a deploy actually landed instead of being cached).
+//
+// Resolution order, so it works both locally (with .git) and in the
+// Docker build on the remote (no .git copied):
+//   1. process.env.BUILD_SHA              — set by deploy script
+//   2. ./BUILD_SHA file in this dir       — set by deploy script
+//   3. `git rev-parse --short HEAD`       — local dev
+//   4. "dev"                              — give up
 const BUILD_SHA = (() => {
+  if (process.env.BUILD_SHA) return process.env.BUILD_SHA.trim();
+  if (existsSync("./BUILD_SHA")) {
+    return readFileSync("./BUILD_SHA", "utf-8").trim();
+  }
   try {
     return execSync("git rev-parse --short HEAD").toString().trim();
   } catch {