diff --git a/.woodpecker/build.yml b/.woodpecker/build.yml index d15345e..3ebda9b 100644 --- a/.woodpecker/build.yml +++ b/.woodpecker/build.yml @@ -1,15 +1,27 @@ # UNT (NOVA) Pipeline +# +# Two stages: +# build-* → runs on dev-side agent (label: location=local) to avoid server OOM +# pushes to the registry over WireGuard (10.8.0.1:5000 — plain HTTP, +# trusted because of the WG perimeter) +# deploy → runs on server-side agent (label: location=server) +# pulls via the public HTTPS path (same registry, different edge) +# and runs docker compose on the host daemon +# +# Trigger: manual only. See ppl/def/ci-cd/local-agent-rollout.md. when: - - event: push - event: manual steps: - name: build-api image: plugins/docker + labels: + location: local settings: - repo: registry.mcrn.ar/unt/api - registry: registry.mcrn.ar + repo: 10.8.0.1:5000/unt/api + registry: 10.8.0.1:5000 + insecure: true tags: - latest - ${CI_COMMIT_SHA:0:7} @@ -18,11 +30,32 @@ steps: - name: build-ui image: plugins/docker + labels: + location: local settings: - repo: registry.mcrn.ar/unt/ui - registry: registry.mcrn.ar + repo: 10.8.0.1:5000/unt/ui + registry: 10.8.0.1:5000 + insecure: true tags: - latest - ${CI_COMMIT_SHA:0:7} dockerfile: ctrl/Dockerfile.ui context: . + + - name: deploy + image: docker:24-cli + labels: + location: server + depends_on: + - build-api + - build-ui + commands: + - cd /edge + - docker compose pull + - docker compose up -d --remove-orphans + - docker image prune -f + - docker compose ps + volumes: + - /var/run/docker.sock:/var/run/docker.sock + # read-only so the deploy step structurally cannot stomp on .env + - /home/mariano/unt/ctrl/edge:/edge:ro diff --git a/ctrl/deploy.sh b/ctrl/deploy.sh index ac149e1..4bbf2ba 100755 --- a/ctrl/deploy.sh +++ b/ctrl/deploy.sh 
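Review bot: `insecure: true` on build-api (and again on build-ui in the next hunk) moves the push to plain HTTP at 10.8.0.1:5000, so the WireGuard tunnel is the only thing authenticating the registry endpoint and protecting the image in transit. The visible settings carry no registry credentials (the settings block continues past the hunk, so they may be set elsewhere); if pushes are unauthenticated, any WG peer can overwrite `latest`, which the deploy stage presumably pulls over the public path. I would record that assumption next to the flag, e.g. `# plain HTTP: image integrity rests on WG peer membership + registry auth, not TLS`, and have the deploy stage reference the `${CI_COMMIT_SHA:0:7}` tag or a digest rather than a mutable tag.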
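Review bot: The comment on the `/edge:ro` mount in the new deploy step overstates the guarantee: the same step also mounts `/var/run/docker.sock`, and a client of the host daemon can ask it to bind-mount any host path read-write, so `:ro` only stops accidental writes through this container's own view of the directory. Treat the step as root-equivalent on the server and reword the comment, e.g. `# :ro prevents accidental writes to .env; docker.sock above still grants full control of the host daemon`. `docker image prune -f` also runs against the host daemon, so it removes dangling images for every project on that host, not only this one. Pinning `docker:24-cli` by digest would keep the image that receives the socket from changing underneath the pipeline.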
@@ -1,11 +1,11 @@ #!/bin/bash # Deploy UNT (NOVA) to server -# Usage: ./ctrl/deploy.sh [rsync|sync|restart|push|edge] +# Usage: ./ctrl/deploy.sh [push|rsync|sync|restart|edge] # +# push — (default) build images locally, push to registry, deploy (avoids OOM on server) # rsync — sync source, rebuild images on server, restart (bypass CI) # sync — sync source only (no rebuild, no restart) # restart — restart containers (no sync, no rebuild) -# push — build images locally, push to registry, deploy (avoids OOM on server) # edge — pull latest images from registry and restart # # Note: code is baked into the image (no volume mounts), so code changes @@ -50,7 +50,7 @@ do_restart() { EOF } -case "${1:-rsync}" in +case "${1:-push}" in rsync) do_sync do_rebuild_and_restart @@ -66,8 +66,8 @@ case "${1:-rsync}" in push) echo "=== Building images locally ===" - docker build -t registry.mcrn.ar/unt/api:latest -f ctrl/Dockerfile.api . - docker build -t registry.mcrn.ar/unt/ui:latest -f ctrl/Dockerfile.ui . + docker build -t unt/api:latest -f ctrl/Dockerfile.api . + docker build -t unt/ui:latest -f ctrl/Dockerfile.ui . echo "=== Pushing to registry ===" /home/mariano/wdir/ppl/ctrl/push-image.sh unt/api latest
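Review bot: The `push` branch, now the default via `case "${1:-push}"` in the previous hunk, builds from the working tree and tags only `unt/api:latest` and `unt/ui:latest`, so a manual deploy cannot be traced to a commit and can ship uncommitted changes, while the CI pipeline also tags `${CI_COMMIT_SHA:0:7}`. Consider adding a second tag, `docker build -t unt/api:latest -t "unt/api:$(git rev-parse --short=7 HEAD)" -f ctrl/Dockerfile.api .`, and pushing it if push-image.sh accepts an arbitrary tag (its interface is not visible here). Whether the script runs under `set -e` is also outside the hunk; without it a failed build would let push-image.sh upload whatever older `unt/api:latest` is still in the local image store. The case block starts and ends outside the hunk.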