diff --git a/.env.example b/.env.example
index 5edf74c..afe0f1d 100644
--- a/.env.example
+++ b/.env.example
@@ -20,6 +20,13 @@ NVD_API_KEY=
 # without a reachable acme-companion + public DNS + :443).
 # LETSENCRYPT_EMAIL=admin@neuronetz.ai
 
+# --- Production-only: the docker network the reverse-proxy is on ---
+# Cockpit must share this network with nginx-proxy + acme-companion so the
+# proxy can route to it. Default 'backend' matches AnD0R dev; on cloud
+# production this is typically 'neuronetz_default' (whatever the proxy stack
+# declares — check with `docker network ls`).
+# PSYC_PROXY_NETWORK=neuronetz_default
+
 # --- Internal service URLs — overridden in docker compose; defaults for venv CLI ---
 # PSYC_MOCK_CERT_URL=http://127.0.0.1:8770
 # PSYC_INFERENCE_URL=http://127.0.0.1:8771
diff --git a/docker-compose.yml b/docker-compose.yml
index 9ca670b..b5a7d61 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -99,6 +99,10 @@ services:
               capabilities: [gpu]
 
 networks:
+  # The reverse-proxy + acme-companion need to share a docker network with the
+  # cockpit so they can see each other. The actual network name differs by
+  # environment (e.g. 'backend' in dev, 'neuronetz_default' in production), so
+  # it's overridable via PSYC_PROXY_NETWORK in .env. Default keeps dev working.
   backend:
-    name: backend
+    name: ${PSYC_PROXY_NETWORK:-backend}
     external: true