diff --git a/backend/.env.example b/backend/.env.example
index c472a67..7a8a35d 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -33,11 +33,11 @@ S3_BUCKET=xtablo-dev
 # S3 region. Cloudflare R2 accepts "auto" or a standard region token; "us-east-1" is safe default.
 S3_REGION=us-east-1
 
-# S3 access key (MinIO dev default: minioadmin).
-S3_ACCESS_KEY=minioadmin
+# S3 access key. Dev (MinIO default): minioadmin — CHANGE for production R2.
+S3_ACCESS_KEY=your-access-key-id
 
-# S3 secret key (MinIO dev default: minioadmin).
-S3_SECRET_KEY=minioadmin
+# S3 secret key. Dev (MinIO default): minioadmin — CHANGE for production R2.
+S3_SECRET_KEY=your-secret-access-key
 
 # Use path-style S3 URLs.
 # true  — for MinIO and other self-hosted S3 (path-style: http://host/bucket/key).
diff --git a/backend/docker-compose.prod.yaml b/backend/docker-compose.prod.yaml
index 83f8301..71276f6 100644
--- a/backend/docker-compose.prod.yaml
+++ b/backend/docker-compose.prod.yaml
@@ -61,6 +61,10 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+      web:
+        # Ensures web starts first so goose.Up() runs before the worker connects.
+        # restart: unless-stopped means the worker self-heals if it races anyway.
+        condition: service_started
 
   # -------------------------------------------------------------------------
   # Caddy reverse proxy (D-04) — TLS termination via Let's Encrypt