diff --git a/.gitea/workflows/manual-deploy.yml b/.gitea/workflows/manual-deploy.yml
new file mode 100644
index 00000000..aa8c2656
--- /dev/null
+++ b/.gitea/workflows/manual-deploy.yml
@@ -0,0 +1,456 @@
+name: 🚀 Manual Deployment
+
+run-name: Manual Deploy - ${{ inputs.environment }} - ${{ inputs.image_tag || 'latest' }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+      image_tag:
+        description: 'Image tag to deploy (e.g. abc1234-1696234567, git-abc1234). Leave empty for latest'
+        required: false
+        type: string
+        default: ''
+      branch:
+        description: 'Branch to checkout (default: main for production, staging for staging)'
+        required: false
+        type: string
+        default: ''
+
+env:
+  REGISTRY: registry.michaelschiemer.de
+  IMAGE_NAME: framework
+  DEPLOYMENT_HOST: 94.16.110.151
+
+jobs:
+  determine-image:
+    name: Determine Deployment Image
+    runs-on: ubuntu-latest
+    outputs:
+      image_url: ${{ steps.image.outputs.image_url }}
+      image_tag: ${{ steps.image.outputs.image_tag }}
+      registry_host: ${{ env.REGISTRY }}
+      image_name: ${{ env.IMAGE_NAME }}
+    steps:
+      - name: Determine image to deploy
+        id: image
+        shell: bash
+        run: |
+          REGISTRY="${{ env.REGISTRY }}"
+          IMAGE_NAME="${{ env.IMAGE_NAME }}"
+          INPUT_TAG="${{ inputs.image_tag }}"
+          
+          if [ -z "$INPUT_TAG" ] || [ "$INPUT_TAG" = "" ]; then
+            IMAGE_TAG="latest"
+          else
+            IMAGE_TAG="$INPUT_TAG"
+          fi
+          
+          IMAGE_URL="${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+          
+          echo "image_url=${IMAGE_URL}" >> "$GITHUB_OUTPUT"
+          echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
+          
+          echo "📦 Deployment Image:"
+          echo "   URL: ${IMAGE_URL}"
+          echo "   Tag: ${IMAGE_TAG}"
+          echo ""
+          echo "ℹ️  Image will be validated during deployment"
+
+  deploy-staging:
+    name: Deploy to Staging
+    needs: determine-image
+    if: inputs.environment == 'staging'
+    runs-on: ubuntu-latest
+    environment:
+      name: staging
+      url: https://staging.michaelschiemer.de
+    steps:
+      - name: Determine branch name
+        id: branch
+        shell: bash
+        run: |
+          INPUT_BRANCH="${{ inputs.branch }}"
+          if [ -z "$INPUT_BRANCH" ] || [ "$INPUT_BRANCH" = "" ]; then
+            REF_NAME="staging"
+          else
+            REF_NAME="$INPUT_BRANCH"
+          fi
+          echo "BRANCH=$REF_NAME" >> $GITHUB_OUTPUT
+          echo "📋 Branch: $REF_NAME"
+
+      - name: Checkout deployment scripts
+        run: |
+          REF_NAME="${{ steps.branch.outputs.BRANCH }}"
+          REPO="${{ github.repository }}"
+          
+          if [ -n "${{ secrets.CI_TOKEN }}" ]; then
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          else
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo || \
+            git clone --depth 1 \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          fi
+          
+          cd /workspace/repo
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/production
+          chmod 600 ~/.ssh/production
+          ssh-keyscan -H ${{ env.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Deploy to Staging Server
+        run: |
+          set -e
+          
+          DEPLOYMENT_HOST="${{ env.DEPLOYMENT_HOST }}"
+          REGISTRY_HOST="${{ needs.determine-image.outputs.registry_host }}"
+          IMAGE_NAME="${{ needs.determine-image.outputs.image_name }}"
+          DEPLOY_IMAGE="${{ needs.determine-image.outputs.image_url }}"
+          IMAGE_TAG="${{ needs.determine-image.outputs.image_tag }}"
+          
+          DEFAULT_IMAGE="${REGISTRY_HOST}/${IMAGE_NAME}:latest"
+          FALLBACK_IMAGE="$DEFAULT_IMAGE"
+          
+          SELECTED_IMAGE="$DEPLOY_IMAGE"
+          if [ -z "$SELECTED_IMAGE" ] || [ "$SELECTED_IMAGE" = "null" ]; then
+            SELECTED_IMAGE="$DEFAULT_IMAGE"
+          fi
+          
+          STACK_PATH_DISPLAY="~/deployment/stacks/staging"
+          
+          SELECTED_TAG="${SELECTED_IMAGE##*:}"
+          SELECTED_REPO="${SELECTED_IMAGE%:*}"
+          
+          if [ -z "$SELECTED_REPO" ] || [ "$SELECTED_REPO" = "$SELECTED_IMAGE" ]; then
+            FALLBACK_IMAGE="$DEFAULT_IMAGE"
+          else
+            FALLBACK_IMAGE="${SELECTED_REPO}:latest"
+          fi
+          
+          echo "🚀 Starting staging deployment..."
+          echo "   Image: ${SELECTED_IMAGE}"
+          echo "   Tag: ${SELECTED_TAG}"
+          echo "   Host: ${DEPLOYMENT_HOST}"
+          echo "   Stack: ${STACK_PATH_DISPLAY}"
+          
+          FULL_IMAGE_ARG=$(printf '%q' "$SELECTED_IMAGE")
+          FALLBACK_IMAGE_ARG=$(printf '%q' "$FALLBACK_IMAGE")
+          IMAGE_NAME_ARG=$(printf '%q' "$IMAGE_NAME")
+          REGISTRY_ARG=$(printf '%q' "$REGISTRY_HOST")
+          
+          ssh -i ~/.ssh/production \
+              -o StrictHostKeyChecking=no \
+              -o UserKnownHostsFile=/dev/null \
+              deploy@${DEPLOYMENT_HOST} "bash -s -- $FULL_IMAGE_ARG $FALLBACK_IMAGE_ARG $IMAGE_NAME_ARG $REGISTRY_ARG" <<'EOF'
+            set -e
+            
+            FULL_IMAGE="$1"
+            FALLBACK_IMAGE="$2"
+            IMAGE_NAME="$3"
+            REGISTRY="$4"
+            shift 4
+            
+            CURRENT_USER="$(whoami)"
+            USER_HOME="$(getent passwd "$CURRENT_USER" | cut -d: -f6 2>/dev/null)"
+            [ -z "$USER_HOME" ] && USER_HOME="$HOME"
+            [ -z "$USER_HOME" ] && USER_HOME="/home/$CURRENT_USER"
+            
+            STACK_TARGET="${USER_HOME}/deployment/stacks/staging"
+
+            # Ensure staging stack directory exists
+            mkdir -p "${STACK_TARGET}"
+            cd "${STACK_TARGET}"
+            
+            declare -a REGISTRY_TARGETS=()
+            if [ -n "${REGISTRY}" ]; then
+              REGISTRY_TARGETS+=("${REGISTRY}")
+            fi
+            for IMAGE_REF in "${FULL_IMAGE}" "${FALLBACK_IMAGE}"; do
+              if [ -n "${IMAGE_REF}" ]; then
+                HOST_PART="${IMAGE_REF%%/*}"
+                if [ -n "${HOST_PART}" ]; then
+                  if ! printf '%s\n' "${REGISTRY_TARGETS[@]}" | grep -qx "${HOST_PART}"; then
+                    REGISTRY_TARGETS+=("${HOST_PART}")
+                  fi
+                fi
+              fi
+            done
+            
+            for TARGET in "${REGISTRY_TARGETS[@]}"; do
+              [ -z "${TARGET}" ] && continue
+              echo "🔐 Logging in to Docker registry ${TARGET}..."
+              echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login "${TARGET}" \
+                -u "${{ secrets.REGISTRY_USER }}" \
+                --password-stdin || echo "⚠️  Registry login failed for ${TARGET}, continuing..."
+            done
+            
+            DEPLOY_IMAGE="$FULL_IMAGE"
+            echo "📥 Pulling image ${DEPLOY_IMAGE}..."
+            if ! docker pull "${DEPLOY_IMAGE}"; then
+              if [ -n "${FALLBACK_IMAGE}" ] && [ "${DEPLOY_IMAGE}" != "${FALLBACK_IMAGE}" ]; then
+                echo "⚠️  Failed to pull ${DEPLOY_IMAGE}, attempting fallback ${FALLBACK_IMAGE}"
+                if docker pull "${FALLBACK_IMAGE}"; then
+                  DEPLOY_IMAGE="${FALLBACK_IMAGE}"
+                  echo "ℹ️ Using fallback image ${DEPLOY_IMAGE}"
+                else
+                  echo "❌ Failed to pull fallback image ${FALLBACK_IMAGE}"
+                  exit 1
+                fi
+              else
+                echo "❌ Failed to pull image ${DEPLOY_IMAGE}"
+                exit 1
+              fi
+            fi
+            
+            # Copy base and staging docker-compose files if they don't exist
+            if [ ! -f docker-compose.base.yml ]; then
+              echo "⚠️  docker-compose.base.yml not found, copying from repo..."
+              cp /workspace/repo/docker-compose.base.yml . || {
+                echo "❌ Failed to copy docker-compose.base.yml"
+                exit 1
+              }
+            fi
+            
+            if [ ! -f docker-compose.staging.yml ]; then
+              echo "⚠️  docker-compose.staging.yml not found, copying from repo..."
+              cp /workspace/repo/docker-compose.staging.yml . || {
+                echo "❌ Failed to copy docker-compose.staging.yml"
+                exit 1
+              }
+            fi
+            
+            # Update docker-compose.staging.yml with new image tag
+            echo "📝 Updating docker-compose.staging.yml with new image tag..."
+            sed -i "s|image:.*/${IMAGE_NAME}:.*|image: ${DEPLOY_IMAGE}|g" docker-compose.staging.yml
+            
+            echo "✅ Updated docker-compose.staging.yml:"
+            grep "image:" docker-compose.staging.yml | head -5
+            
+            # Ensure networks exist
+            echo "🔗 Ensuring Docker networks exist..."
+            docker network create traefik-public 2>/dev/null || true
+            docker network create staging-internal 2>/dev/null || true
+            
+            echo "🔄 Starting/updating services..."
+            # Use --pull missing instead of --pull always since we already pulled the specific image
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml up -d --pull missing --force-recreate || {
+              echo "❌ Failed to start services"
+              exit 1
+            }
+            
+            echo "⏳ Waiting for services to start..."
+            sleep 15
+            
+            # Pull latest code from Git repository
+            echo "🔄 Pulling latest code from Git repository in staging-app container..."
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml exec -T staging-app bash -c "cd /var/www/html && git -c safe.directory=/var/www/html fetch origin staging && git -c safe.directory=/var/www/html reset --hard origin/staging && git -c safe.directory=/var/www/html clean -fd" || echo "⚠️  Git pull failed, container will sync on next restart"
+            
+            # Also trigger a restart to ensure entrypoint script runs
+            echo "🔄 Restarting staging-app to ensure all services are up-to-date..."
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml restart staging-app || echo "⚠️  Failed to restart staging-app"
+            
+            # Fix nginx upstream configuration - critical fix for 502 errors
+            # sites-available/default uses 127.0.0.1:9000 but PHP-FPM runs in staging-app container
+            echo "🔧 Fixing nginx PHP-FPM upstream configuration (post-deploy fix)..."
+            sleep 5
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml exec -T staging-nginx sed -i '/upstream php-upstream {/,/}/s|server 127.0.0.1:9000;|server staging-app:9000;|g' /etc/nginx/sites-available/default || echo "⚠️  Upstream fix (127.0.0.1) failed"
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml exec -T staging-nginx sed -i '/upstream php-upstream {/,/}/s|server localhost:9000;|server staging-app:9000;|g' /etc/nginx/sites-available/default || echo "⚠️  Upstream fix (localhost) failed"
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml exec -T staging-nginx nginx -t && docker compose -f docker-compose.base.yml -f docker-compose.staging.yml restart staging-nginx || echo "⚠️  Nginx config test or restart failed"
+            echo "✅ Nginx configuration fixed and reloaded"
+            
+            echo "⏳ Waiting for services to stabilize..."
+            sleep 10
+            echo "📊 Container status:"
+            docker compose -f docker-compose.base.yml -f docker-compose.staging.yml ps
+            
+            echo "✅ Staging deployment completed!"
+          EOF
+
+      - name: Wait for deployment to stabilize
+        run: sleep 30
+
+      - name: Health check
+        id: health
+        run: |
+          for i in {1..10}; do
+            if curl -f -k https://staging.michaelschiemer.de/health; then
+              echo "✅ Health check passed"
+              exit 0
+            fi
+            echo "⏳ Waiting for staging service... (attempt $i/10)"
+            sleep 10
+          done
+          echo "❌ Health check failed"
+          exit 1
+
+      - name: Notify deployment success
+        if: success()
+        run: |
+          echo "🚀 Staging deployment successful!"
+          echo "URL: https://staging.michaelschiemer.de"
+          echo "Image: ${{ needs.determine-image.outputs.image_url }}"
+
+  deploy-production:
+    name: Deploy to Production
+    needs: determine-image
+    if: inputs.environment == 'production'
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://michaelschiemer.de
+    steps:
+      - name: Determine branch name
+        id: branch
+        shell: bash
+        run: |
+          INPUT_BRANCH="${{ inputs.branch }}"
+          if [ -z "$INPUT_BRANCH" ] || [ "$INPUT_BRANCH" = "" ]; then
+            REF_NAME="main"
+          else
+            REF_NAME="$INPUT_BRANCH"
+          fi
+          echo "BRANCH=$REF_NAME" >> $GITHUB_OUTPUT
+          echo "📋 Branch: $REF_NAME"
+
+      - name: Checkout deployment scripts
+        run: |
+          REF_NAME="${{ steps.branch.outputs.BRANCH }}"
+          REPO="${{ github.repository }}"
+          
+          if [ -n "${{ secrets.CI_TOKEN }}" ]; then
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          else
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo || \
+            git clone --depth 1 \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          fi
+          
+          cd /workspace/repo
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/production
+          chmod 600 ~/.ssh/production
+          ssh-keyscan -H ${{ env.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Deploy to Production Server
+        run: |
+          set -e
+          
+          DEPLOYMENT_HOST="${{ env.DEPLOYMENT_HOST }}"
+          REGISTRY="${{ needs.determine-image.outputs.registry_host }}"
+          IMAGE_NAME="${{ needs.determine-image.outputs.image_name }}"
+          IMAGE_TAG="${{ needs.determine-image.outputs.image_tag }}"
+          
+          FULL_IMAGE="${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+          STACK_PATH="~/deployment/stacks/application"
+          
+          echo "🚀 Starting production deployment..."
+          echo "   Image: ${FULL_IMAGE}"
+          echo "   Tag: ${IMAGE_TAG}"
+          echo "   Host: ${DEPLOYMENT_HOST}"
+          echo "   Stack: ${STACK_PATH}"
+          
+          ssh -i ~/.ssh/production \
+              -o StrictHostKeyChecking=no \
+              -o UserKnownHostsFile=/dev/null \
+              deploy@${DEPLOYMENT_HOST} <<EOF
+            set -e
+            
+            cd ${STACK_PATH}
+            
+            echo "🔐 Logging in to Docker registry..."
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${REGISTRY} \
+              -u "${{ secrets.REGISTRY_USER }}" \
+              --password-stdin || echo "⚠️  Registry login failed, continuing..."
+            
+            echo "📥 Pulling image ${FULL_IMAGE}..."
+            docker pull ${FULL_IMAGE} || {
+              echo "❌ Failed to pull image ${FULL_IMAGE}"
+              exit 1
+            }
+            
+            # Copy base and production docker-compose files if they don't exist
+            if [ ! -f docker-compose.base.yml ]; then
+              echo "⚠️  docker-compose.base.yml not found, copying from repo..."
+              cp /workspace/repo/docker-compose.base.yml . || {
+                echo "❌ Failed to copy docker-compose.base.yml"
+                exit 1
+              }
+            fi
+            
+            if [ ! -f docker-compose.production.yml ]; then
+              echo "⚠️  docker-compose.production.yml not found, copying from repo..."
+              cp /workspace/repo/docker-compose.production.yml . || {
+                echo "❌ Failed to copy docker-compose.production.yml"
+                exit 1
+              }
+            fi
+            
+            echo "📝 Updating docker-compose.production.yml with new image tag..."
+            sed -i "s|image:.*/${IMAGE_NAME}:.*|image: ${FULL_IMAGE}|g" docker-compose.production.yml
+            sed -i "s|image:.*/${IMAGE_NAME}@.*|image: ${FULL_IMAGE}|g" docker-compose.production.yml
+            
+            echo "✅ Updated docker-compose.production.yml:"
+            grep "image:" docker-compose.production.yml | head -5
+            
+            echo "🔄 Restarting services..."
+            # Use --pull missing instead of --pull always since we already pulled the specific image
+            docker compose -f docker-compose.base.yml -f docker-compose.production.yml up -d --pull missing --force-recreate || {
+              echo "❌ Failed to restart services"
+              exit 1
+            }
+            
+            echo "⏳ Waiting for services to start..."
+            sleep 10
+            
+            echo "📊 Container status:"
+            docker compose -f docker-compose.base.yml -f docker-compose.production.yml ps
+            
+            echo "✅ Production deployment completed!"
+          EOF
+
+      - name: Wait for deployment to stabilize
+        run: sleep 30
+
+      - name: Health check
+        id: health
+        run: |
+          for i in {1..10}; do
+            if curl -f -k https://michaelschiemer.de/health; then
+              echo "✅ Health check passed"
+              exit 0
+            fi
+            echo "⏳ Waiting for production service... (attempt $i/10)"
+            sleep 10
+          done
+          echo "❌ Health check failed"
+          exit 1
+
+      - name: Notify deployment success
+        if: success()
+        run: |
+          echo "🚀 Production deployment successful!"
+          echo "URL: https://michaelschiemer.de"
+          echo "Image: ${{ needs.determine-image.outputs.image_url }}"
+
diff --git a/deployment/stacks/semaphore/docker-compose.yml b/deployment/stacks/semaphore/docker-compose.yml
index 1fcbafaf..c743fb01 100644
--- a/deployment/stacks/semaphore/docker-compose.yml
+++ b/deployment/stacks/semaphore/docker-compose.yml
@@ -54,9 +54,8 @@ services:
       - "traefik.http.routers.semaphore-secure.tls=true"
       - "traefik.http.routers.semaphore-secure.tls.certresolver=letsencrypt"
       - "traefik.http.routers.semaphore-secure.service=semaphore"
-      # Service definition (use container IP in host network mode)
-      - "traefik.http.services.semaphore.loadbalancer.server.scheme=http"
-      - "traefik.http.services.semaphore.loadbalancer.server.port=3000"
+      # Service definition (use localhost port binding)
+      # Note: Dynamic config in traefik/dynamic/semaphore.yml takes precedence
     environment:
       - TZ=Europe/Berlin
       # Database Configuration
diff --git a/deployment/stacks/traefik/acme.json b/deployment/stacks/traefik/acme.json
new file mode 100644
index 00000000..e69de29b
diff --git a/deployment/stacks/traefik/dynamic/semaphore.yml b/deployment/stacks/traefik/dynamic/semaphore.yml
index 2343e2a9..bb7e2177 100644
--- a/deployment/stacks/traefik/dynamic/semaphore.yml
+++ b/deployment/stacks/traefik/dynamic/semaphore.yml
@@ -12,7 +12,6 @@ http:
     semaphore:
       loadBalancer:
         # Use localhost port binding since Semaphore binds to 127.0.0.1
-        # Check actual port with: docker ps | grep semaphore
-        # Default is 3001, but may be 9300 if SEMAPHORE_PORT env var is set differently
+        # Port is configured via SEMAPHORE_PORT in .env (currently 9300)
         servers:
-          - url: http://127.0.0.1:3001
\ No newline at end of file
+          - url: http://127.0.0.1:9300
\ No newline at end of file