diff --git a/backend/Dockerfile b/backend/Dockerfile index 945aeb3..f419832 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -1,7 +1,19 @@ # Backend Development Dockerfile -FROM python:3.12-slim + +# UV source image (override for restricted networks that cannot reach ghcr.io) +ARG UV_IMAGE=ghcr.io/astral-sh/uv:0.7.20 +FROM ${UV_IMAGE} AS uv-source + +FROM python:3.12-slim-bookworm ARG NODE_MAJOR=22 +ARG APT_MIRROR + +# Optionally override apt mirror for restricted networks (e.g. APT_MIRROR=mirrors.aliyun.com) +RUN if [ -n "${APT_MIRROR}" ]; then \ + sed -i "s|deb.debian.org|${APT_MIRROR}|g" /etc/apt/sources.list.d/debian.sources 2>/dev/null || true; \ + sed -i "s|deb.debian.org|${APT_MIRROR}|g" /etc/apt/sources.list 2>/dev/null || true; \ + fi # Install system dependencies + Node.js (provides npx for MCP servers) RUN apt-get update && apt-get install -y \ @@ -10,7 +22,7 @@ RUN apt-get update && apt-get install -y \ gnupg \ ca-certificates \ && mkdir -p /etc/apt/keyrings \ - && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /etc/apt/keyrings/nodesource.gpg \ + && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list \ && apt-get update \ && apt-get install -y nodejs \ @@ -19,8 +31,8 @@ RUN apt-get update && apt-get install -y \ # Install Docker CLI (for DooD: allows starting sandbox containers via host Docker socket) COPY --from=docker:cli /usr/local/bin/docker /usr/local/bin/docker -# Install uv from a pinned versioned image (avoids curl|sh from untrusted remote) -COPY --from=ghcr.io/astral-sh/uv:0.7.20 /uv /uvx /usr/local/bin/ +# Install uv (source image overridable via UV_IMAGE build arg) +COPY --from=uv-source /uv /uvx /usr/local/bin/ # Set working directory WORKDIR /app 
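Review bot: In the new `RUN if [ -n "${APT_MIRROR}" ]` step the build-arg value is spliced into the sed replacement unvalidated and every failure is discarded by `2>/dev/null || true`, so a value containing `|` or `&` rewrites the sources to something unintended, and a substitution that never applied leaves no trace in the build output. The rewrite also covers any debian-security entry that uses the deb.debian.org host (presumably the case in the stock image), so a lagging mirror would delay security updates. Package integrity still rests on apt's signature check against the Debian keyring, which the comment could state. I would reject unexpected characters first, e.g. `case "${APT_MIRROR}" in *[!A-Za-z0-9.:/_-]*) echo "invalid APT_MIRROR" >&2; exit 1;; esac`, and run sed without `|| true` on whichever sources file exists. The same block is repeated in the docker/provisioner/Dockerfile hunk.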
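Review bot: The new `curl … | gpg --dearmor` pipe runs under the default `/bin/sh -c`, where the pipeline's exit status is gpg's alone, so a failed or truncated key download is not guaranteed to stop the build at this step. If the keyring ends up unusable, the later `apt-get update` may only warn about the NodeSource repository, and `apt-get install -y nodejs` could then resolve to the distribution's own package instead of node_${NODE_MAJOR}.x; this is worth confirming. Splitting the step keeps curl's exit status in the `&&` chain: `curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /tmp/nodesource.asc` followed by `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource.asc`. The key is still trusted on first download over TLS; comparing its fingerprint with a value recorded in the repository would close that gap. This RUN begins before the hunk and continues past it.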
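Review bot: `COPY --from=uv-source` now installs /uv and /uvx from whatever image UV_IMAGE names, and neither the default `ghcr.io/astral-sh/uv:0.7.20` (declared in the first hunk of this file) nor an override is pinned by digest, so a re-tagged or substituted image changes the binaries on PATH without any change to this file. The replaced comment recorded why a pinned image was used, and the new one drops that rationale. I would pin the default as `ARG UV_IMAGE=ghcr.io/astral-sh/uv:0.7.20@sha256:DIGEST_PLACEHOLDER` and extend the comment to `# Install uv (a UV_IMAGE override must be a trusted mirror of the same release, ideally referenced by digest)`. The `docker:cli` source on the context line above is likewise an unpinned tag, though it is not part of this change.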
diff --git a/docker/docker-compose-dev.yaml b/docker/docker-compose-dev.yaml index 93a46f3..b63fdd0 100644 --- a/docker/docker-compose-dev.yaml +++ b/docker/docker-compose-dev.yaml @@ -24,6 +24,8 @@ services: build: context: ./provisioner dockerfile: Dockerfile + args: + APT_MIRROR: ${APT_MIRROR:-} container_name: deer-flow-provisioner volumes: - ~/.kube/config:/root/.kube/config:ro @@ -83,6 +85,7 @@ services: target: dev args: PNPM_STORE_PATH: ${PNPM_STORE_PATH:-/root/.local/share/pnpm/store} + NPM_REGISTRY: ${NPM_REGISTRY:-} container_name: deer-flow-frontend command: sh -c "cd frontend && pnpm run dev > /app/logs/frontend.log 2>&1" volumes: @@ -109,6 +112,9 @@ services: context: ../ dockerfile: backend/Dockerfile # cache_from disabled - requires manual setup: mkdir -p /tmp/docker-cache-gateway + args: + APT_MIRROR: ${APT_MIRROR:-} + UV_IMAGE: ${UV_IMAGE:-ghcr.io/astral-sh/uv:0.7.20} container_name: deer-flow-gateway command: sh -c "cd backend && PYTHONPATH=. uv run uvicorn app.gateway.app:app --host 0.0.0.0 --port 8001 --reload --reload-include='*.yaml .env' > /app/logs/gateway.log 2>&1" volumes: @@ -158,6 +164,9 @@ services: context: ../ dockerfile: backend/Dockerfile # cache_from disabled - requires manual setup: mkdir -p /tmp/docker-cache-langgraph + args: + APT_MIRROR: ${APT_MIRROR:-} + UV_IMAGE: ${UV_IMAGE:-ghcr.io/astral-sh/uv:0.7.20} container_name: deer-flow-langgraph command: sh -c "cd backend && uv run langgraph dev --no-browser --allow-blocking --host 0.0.0.0 --port 2024 > /app/logs/langgraph.log 2>&1" volumes: diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml index 149a2de..4c2d689 100644 --- a/docker/docker-compose.yaml +++ b/docker/docker-compose.yaml @@ -46,6 +46,7 @@ services: target: prod args: PNPM_STORE_PATH: ${PNPM_STORE_PATH:-/root/.local/share/pnpm/store} + NPM_REGISTRY: ${NPM_REGISTRY:-} container_name: deer-flow-frontend environment: - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET} 
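Review bot: The `UV_IMAGE: ${UV_IMAGE:-ghcr.io/astral-sh/uv:0.7.20}` default added to the deer-flow-gateway build args repeats the default already declared by `ARG UV_IMAGE` in backend/Dockerfile, and the same literal is added again for deer-flow-langgraph and for both services in docker/docker-compose.yaml. A uv version bump then has to touch five places, and a missed one builds that service with a different uv from the others. An empty value would presumably override the Dockerfile default, so the fallback probably has to stay; I would at least add `# keep in sync with ARG UV_IMAGE in backend/Dockerfile` beside each, or define the default once in the compose env file. UV_IMAGE and APT_MIRROR are read from the invoking shell or `.env`, so whoever controls that environment chooses the image and package mirror the build trusts.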
@@ -60,6 +61,9 @@ services: build: context: ../ dockerfile: backend/Dockerfile + args: + APT_MIRROR: ${APT_MIRROR:-} + UV_IMAGE: ${UV_IMAGE:-ghcr.io/astral-sh/uv:0.7.20} container_name: deer-flow-gateway command: sh -c "cd backend && PYTHONPATH=. uv run uvicorn app.gateway.app:app --host 0.0.0.0 --port 8001 --workers 2" volumes: @@ -105,6 +109,9 @@ services: build: context: ../ dockerfile: backend/Dockerfile + args: + APT_MIRROR: ${APT_MIRROR:-} + UV_IMAGE: ${UV_IMAGE:-ghcr.io/astral-sh/uv:0.7.20} container_name: deer-flow-langgraph command: sh -c "cd /app/backend && uv run langgraph dev --no-browser --allow-blocking --no-reload --host 0.0.0.0 --port 2024" volumes: @@ -154,6 +161,8 @@ services: build: context: ./provisioner dockerfile: Dockerfile + args: + APT_MIRROR: ${APT_MIRROR:-} container_name: deer-flow-provisioner volumes: - ~/.kube/config:/root/.kube/config:ro diff --git a/docker/provisioner/Dockerfile b/docker/provisioner/Dockerfile index e264d90..6f30e77 100644 --- a/docker/provisioner/Dockerfile +++ b/docker/provisioner/Dockerfile @@ -1,4 +1,12 @@ -FROM python:3.12-slim +FROM python:3.12-slim-bookworm + +ARG APT_MIRROR + +# Optionally override apt mirror for restricted networks (e.g. APT_MIRROR=mirrors.aliyun.com) +RUN if [ -n "${APT_MIRROR}" ]; then \ + sed -i "s|deb.debian.org|${APT_MIRROR}|g" /etc/apt/sources.list.d/debian.sources 2>/dev/null || true; \ + sed -i "s|deb.debian.org|${APT_MIRROR}|g" /etc/apt/sources.list 2>/dev/null || true; \ + fi # Install system dependencies RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/frontend/Dockerfile b/frontend/Dockerfile index d6cec9d..9f37b4e 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile 
@@ -8,8 +8,17 @@ ARG PNPM_STORE_PATH=/root/.local/share/pnpm/store # ── Base: shared setup ──────────────────────────────────────────────────────── FROM node:22-alpine AS base ARG PNPM_STORE_PATH -RUN corepack enable && corepack install -g pnpm@10.26.2 +ARG NPM_REGISTRY +# Configure corepack registry before installing pnpm so the download itself +# succeeds in restricted networks (COREPACK_NPM_REGISTRY controls where +# corepack fetches package managers from). +RUN if [ -n "${NPM_REGISTRY}" ]; then \ + export COREPACK_NPM_REGISTRY="${NPM_REGISTRY}"; \ + fi && \ + corepack enable && corepack install -g pnpm@10.26.2 RUN pnpm config set store-dir ${PNPM_STORE_PATH} +# Optionally override npm registry for restricted networks (e.g. NPM_REGISTRY=https://registry.npmmirror.com) +RUN if [ -n "${NPM_REGISTRY}" ]; then pnpm config set registry "${NPM_REGISTRY}"; fi WORKDIR /app COPY frontend ./frontend @@ -27,8 +36,13 @@ RUN cd /app/frontend && SKIP_ENV_VALIDATION=1 pnpm build # ── Prod: minimal runtime with pre-built output ─────────────────────────────── FROM node:22-alpine AS prod ARG PNPM_STORE_PATH -RUN corepack enable && corepack install -g pnpm@10.26.2 +ARG NPM_REGISTRY +RUN if [ -n "${NPM_REGISTRY}" ]; then \ + export COREPACK_NPM_REGISTRY="${NPM_REGISTRY}"; \ + fi && \ + corepack enable && corepack install -g pnpm@10.26.2 RUN pnpm config set store-dir ${PNPM_STORE_PATH} +RUN if [ -n "${NPM_REGISTRY}" ]; then pnpm config set registry "${NPM_REGISTRY}"; fi WORKDIR /app COPY --from=builder /app/frontend ./frontend EXPOSE 3000
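Review bot: With NPM_REGISTRY set, the `corepack install -g pnpm@10.26.2` in the base stage downloads the package manager itself from the override registry, so the mirror becomes the trust root for the pnpm binary that runs every later install and build. The version is pinned but its content is not. If the corepack shipped in node:22-alpine accepts a hash-suffixed spec, `pnpm@10.26.2+sha512.HASH_PLACEHOLDER` would keep the tarball verified whichever registry serves it; this is worth checking. I would also extend the comment to say that only a trusted mirror should be configured. The lockfile's integrity hashes presumably still cover dependencies, but that depends on install flags outside this hunk.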
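Review bot: In the prod stage, `pnpm config set registry "${NPM_REGISTRY}"` writes the build-arg value into pnpm's configuration in the final runtime image, and ARG values consumed by a RUN are also recorded in the image history. A registry URL that embeds credentials would therefore ship with the image. Unlike the base stage, the added lines here carry no comment; I would add `# NPM_REGISTRY must be a credential-free URL; use a BuildKit secret mount for authenticated registries`. Consider dropping the registry line from prod if nothing is installed at runtime, which the visible lines do not show. The corepack block is duplicated verbatim from the base stage, so both copies need the same edits.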