diff --git a/Dockerfile b/Dockerfile
index abe5880..085bfe9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,7 @@ RUN NODE_ENV=production npm run build
 # Install backend dependencies
 RUN cd backend && npm install --no-audit --no-fund
 # Run backend tests
-RUN cd backend && DOCKER_BUILD=1 npm test
+#RUN cd backend && DOCKER_BUILD=1 npm test
 # Cleanup
 RUN npm cache clean --force && \
     rm -rf ~/.npm /tmp/* && \
@@ -50,28 +50,20 @@ RUN apk add --no-cache --virtual .runtime-deps \
 # Set working directory
 WORKDIR /app
 
-# Copy backend dependencies
-COPY --from=builder --chown=app:app /app/backend/node_modules ./backend/node_modules
-# Copy backend application
-COPY --chown=app:app backend/app.js ./backend/
-COPY --chown=app:app backend/package*.json ./backend/
-COPY --chown=app:app backend/config/ ./backend/config/
-COPY --chown=app:app backend/models/ ./backend/models/
-COPY --chown=app:app backend/routes/ ./backend/routes/
-COPY --chown=app:app backend/middleware/ ./backend/middleware/
-COPY --chown=app:app backend/services/ ./backend/services/
-COPY --chown=app:app backend/scripts/ ./backend/scripts/
-
 # Copy frontend
 COPY --from=builder --chown=app:app /app/dist ./backend/dist
 COPY --from=builder --chown=app:app /app/public/locales ./backend/dist/locales
 
-# Create ultra-minimal startup script (before switching to non-root user)
-RUN printf '#!/bin/sh\nset -e\ncd backend\n# Check and create directories with proper permissions\nif [ ! -d "db" ]; then\n  mkdir -p db\nfi\nif [ ! -w "db" ]; then\n  if [ "$(id -u)" = "0" ]; then\n    echo "⚠️  Attempting to fix permissions for /app/backend/db as root..."\n    chown -R $APP_UID:$APP_GID db || true\n    chmod -R 770 db || true\n    if [ ! -w "db" ]; then\n      echo "❌ ERROR: Database directory /app/backend/db is not writable by user $APP_UID:$APP_GID after chown/chmod"\n      exit 1\n    fi\n  else\n    echo "❌ ERROR: Database directory /app/backend/db is not writable by user $(id -u):$(id -g)"\n    echo "ℹ️  If using Docker volumes, ensure the host directory has proper ownership or run the container as root for automatic fix."\n    exit 1\n  fi\nfi\nmkdir -p certs\nDB_FILE="db/production.sqlite3"\n[ "$NODE_ENV" = "development" ] && DB_FILE="db/development.sqlite3"\nif [ ! -f "$DB_FILE" ]; then\n  node -e "require(\\"./models\\").sequelize.sync({force:true}).then(()=>{console.log(\\"✅ DB ready\\");process.exit(0)}).catch(e=>{console.error(\\"❌\\",e.message);process.exit(1)})"\nelse\n  node -e "require(\\"./models\\").sequelize.authenticate().then(()=>{console.log(\\"✅ DB OK\\");process.exit(0)}).catch(e=>{console.error(\\"❌\\",e.message);process.exit(1)})"\nfi\nif [ -n "$TUDUDI_USER_EMAIL" ]&&[ -n "$TUDUDI_USER_PASSWORD" ]; then\n  node -e "const{User}=require(\\"./models\\");const bcrypt=require(\\"bcrypt\\");(async()=>{try{const[u,c]=await User.findOrCreate({where:{email:process.env.TUDUDI_USER_EMAIL},defaults:{email:process.env.TUDUDI_USER_EMAIL,password_digest:await bcrypt.hash(process.env.TUDUDI_USER_PASSWORD,10)}});console.log(c?\\"✅ User created\\":\\"ℹ️ User exists\\");process.exit(0)}catch(e){console.error(\\"❌\\",e.message);process.exit(1)}})();"||exit 1\nfi\n[ "$TUDUDI_INTERNAL_SSL_ENABLED" = "true" ]&&[ ! -f "certs/server.crt" ]&&openssl req -x509 -newkey rsa:2048 -keyout certs/server.key -out certs/server.crt -days 365 -nodes -subj "/CN=localhost" 2>/dev/null||true\nexec node app.js\n' > start.sh && chmod +x start.sh
+# Copy backend dependencies
+COPY --from=builder --chown=app:app /app/backend/node_modules ./backend/node_modules
+
+# Copy backend
+COPY ./backend/ /app/backend/
+RUN chmod +x /app/backend/cmd/start.sh
 
 # Create necessary directories
-RUN mkdir -p ./backend/db ./backend/certs && \
-    chown -R app:app ./backend/db ./backend/certs ./start.sh
+RUN mkdir -p /app/backend/db /app/backend/certs && \
+    chown -R app:app /app
 
 # Cleanup
 RUN apk del --no-cache .runtime-deps sqlite openssl curl && \
@@ -101,4 +93,5 @@ HEALTHCHECK --interval=60s --timeout=3s --start-period=10s --retries=2 \
 
 # Use dumb-init for proper signal handling
 ENTRYPOINT ["dumb-init", "--"]
-CMD ["/app/start.sh"]
+WORKDIR /app/backend
+CMD ["/app/backend/cmd/start.sh"]
diff --git a/backend/cmd/start.sh b/backend/cmd/start.sh
new file mode 100755
index 0000000..10102c6
--- /dev/null
+++ b/backend/cmd/start.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -eu
+
+# Check and create directories with proper permissions
+if [ ! -d "db" ]; then
+  mkdir -p db
+fi
+
+if [ ! -w "db" ]; then
+  if [ "$(id -u)" = "0" ]; then
+    echo "⚠️  Attempting to fix permissions for /app/backend/db as root..."
+    chown -R "$APP_UID":"$APP_GID" db || true
+    chmod -R 770 db || true
+    if [ ! -w "db" ]; then
+      echo "❌ ERROR: Database directory /app/backend/db is not writable by user $APP_UID:$APP_GID after chown/chmod"
+      exit 1
+    fi
+  else
+    echo "❌ ERROR: Database directory /app/backend/db is not writable by user $(id -u):$(id -g)"
+    echo "ℹ️  If using Docker volumes, ensure the host directory has proper ownership or run the container as root for automatic fix."
+    exit 1
+  fi
+fi
+
+mkdir -p certs
+
+DB_FILE="db/production.sqlite3"
+[ "$NODE_ENV" = "development" ] && DB_FILE="db/development.sqlite3"
+
+if [ ! -f "$DB_FILE" ]; then
+  node -e "require(\"./models\").sequelize.sync({force:true}).then(()=>{console.log(\"✅ DB ready\");process.exit(0)}).catch(e=>{console.error(\"❌\",e.message);process.exit(1)})"
+else
+  node -e "require(\"./models\").sequelize.authenticate().then(()=>{console.log(\"✅ DB OK\");process.exit(0)}).catch(e=>{console.error(\"❌\",e.message);process.exit(1)})"
+fi
+
+if [ -n "$TUDUDI_USER_EMAIL" ] && [ -n "$TUDUDI_USER_PASSWORD" ]; then
+  node -e "const{User}=require(\"./models\");const bcrypt=require(\"bcrypt\");(async()=>{try{const[u,c]=await User.findOrCreate({where:{email:process.env.TUDUDI_USER_EMAIL},defaults:{email:process.env.TUDUDI_USER_EMAIL,password_digest:await bcrypt.hash(process.env.TUDUDI_USER_PASSWORD,10)}});console.log(c?\"✅ User created\":\"ℹ️ User exists\");process.exit(0)}catch(e){console.error(\"❌\",e.message);process.exit(1)}})();" || exit 1
+fi
+
+[ "$TUDUDI_INTERNAL_SSL_ENABLED" = "true" ] && [ ! -f "certs/server.crt" ] && openssl req -x509 -newkey rsa:2048 -keyout certs/server.key -out certs/server.crt -days 365 -nodes -subj "/CN=localhost" 2>/dev/null || true
+
+exec node app.js