diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29d19b8..f45d5c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,10 @@ CalVer image tags (`stable-YYYY.MM.N`, `dev-YYYY.MM.N`) are produced for every C
+### Fixed
+
+- `docker-compose.yml` caddy service now passes `CADDY_TLS` through to the container (`- CADDY_TLS` bare-form passthrough). Without it the `Caddyfile` `{$CADDY_TLS:default}` substitution always falls back to cert-file mode regardless of what the operator wrote into `.env`, and Caddy crash-loops on Let's Encrypt / internal-CA deployments. Should have shipped with #52; first attempt was #55, accidentally closed before merging.
+
 ### Internal
 - `CLAUDE.md` — non-negotiable changelog discipline: every PR touching user-visible behavior must update `CHANGELOG.md` under `## [Unreleased]` in the same PR.
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f1317c..a40d10f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -127,6 +127,12 @@ services:
 - caddy_config:/config
 environment:
 - DOMAIN=${DOMAIN:-localhost}
+ # Passes through whatever the operator set in .env. Caddyfile uses
+ # {$CADDY_TLS:tls /certs/fullchain.pem /certs/privkey.pem} so:
+ # - unset → cert-file mode (corp PKI rotated by tls-rotate.sh)
+ # - "tls " → Let's Encrypt auto-issue
+ # - "tls internal" → Caddy-managed self-signed
+ - CADDY_TLS
 depends_on:
 app:
 condition: service_healthy
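Review bot: The comment `# Passes through whatever the operator set in .env` on the new `- CADDY_TLS` lines names only one of the sources a bare environment entry is resolved from: Compose fills it from the environment of the `docker compose` invocation, so an exported shell variable of the same name (a CI runner, an admin shell) also wins, and because the Caddyfile splices the value in as raw directive text, such a stray variable silently rewrites the caddy service's TLS configuration; whether the default `.env` also feeds bare passthrough depends on the Compose version and is worth confirming in the deploy docs. An exported-but-empty `CADDY_TLS` likewise reaches the container as an empty string rather than unset, and it is worth checking that the `{$CADDY_TLS:…}` default applies in that case rather than yielding a Caddyfile with no `tls` arguments. I'd reword the first comment line to `# Resolved from the env of the docker compose invocation (shell and/or .env); the value is spliced verbatim into the Caddyfile.` and keep the three-mode list below it. The same commit's `CHANGELOG.md` entry quotes the substitution as `{$CADDY_TLS:default}` while this comment gives the literal default `tls /certs/fullchain.pem /certs/privkey.pem`; aligning the two avoids the next reader wondering which is current. The caddy service definition this hunk edits starts and ends outside the hunk.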