diff --git a/docker/README.md b/docker/README.md
index d6fd0d0f..eecd14ea 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,10 +1,10 @@
-# CCS Dashboard - Docker
+# CCS Docker Deployment

-### Run the CCS Config Dashboard in Docker.
+### Run CCS in Docker, locally or over SSH.
Persistent config, restart on reboot.
**[Back to README](../README.md)**
@@ -13,7 +13,43 @@ Persistent config, restart on reboot.
-## Quick Start (Prebuilt Image)
+## Preferred: `ccs docker`
+
+The CLI now ships a first-class Docker command suite for the integrated CCS + CLIProxy stack:
+
+```bash
+ccs docker up
+ccs docker status
+ccs docker logs --follow
+ccs docker config
+ccs docker update
+ccs docker down
+```
+
+Remote deployment stages the bundled Docker assets to `~/.ccs/docker` on the target host:
+
+```bash
+ccs docker up --host my-server
+ccs docker --host my-server status
+ccs docker status --host my-server
+ccs docker logs --host my-server --service ccs --follow
+ccs docker config --host my-server
+```
+
+Use a single SSH target or SSH config alias for `--host`. If you need custom SSH flags such as a port override, configure them in `~/.ssh/config` and reference the alias from `ccs docker`.
+
+The `ccs docker` flow uses the integrated assets in this directory:
+
+- `docker/Dockerfile.integrated`
+- `docker/docker-compose.integrated.yml`
+- `docker/supervisord.conf`
+- `docker/entrypoint-integrated.sh`
+
+## Prebuilt Image Quick Start
+
+This existing image still runs the CCS dashboard and its locally managed CLIProxy inside one
+container. It does not provide the remote staging and in-container self-update flow exposed by
+`ccs docker`.
Pull the latest stable release image from GitHub Container Registry:
@@ -30,7 +66,7 @@ docker run -d \
Release-tag images are also published as `ghcr.io/kaitranntt/ccs-dashboard:`.
-## Build Locally
+## Prebuilt Image Build Locally
```bash
docker build -f docker/Dockerfile -t ccs-dashboard:latest .
@@ -91,7 +127,7 @@ docker start ccs-dashboard
docker rm -f ccs-dashboard
```
-## Docker Compose (Optional)
+## Prebuilt Image Docker Compose (Optional)
Using the included `docker/docker-compose.yml`:
@@ -106,6 +142,8 @@ Stop:
docker-compose -f docker/docker-compose.yml down
```
+For the integrated CCS + CLIProxy stack managed by the CLI, use `ccs docker up` instead.
+
## Persistence
- CCS stores data in `/home/node/.ccs` inside the container.
diff --git a/docs/project-roadmap.md b/docs/project-roadmap.md
index 80526d0c..7090a9a5 100644
--- a/docs/project-roadmap.md
+++ b/docs/project-roadmap.md
@@ -42,6 +42,7 @@ All major modularization work is complete. The codebase evolved from monolithic
### Recent Fixes
- **2026-03-27**: WebSearch dashboard cards now manage Exa, Tavily, and Brave API keys inline instead of relying on a separate manual env step. CCS stores those secrets through `global_env`, reflects masked key state in `/api/websearch`, and counts dashboard-managed keys as ready in the WebSearch status flow.
+- **2026-03-27**: **#812** CCS now includes a first-class `ccs docker` command suite for self-hosting the integrated Dashboard + CLIProxy stack. The CLI can stage bundled Docker assets locally or to a remote `--host` over SSH, report compose/supervisor status, stream CCS or CLIProxy logs, and run in-container update flows without relying on ad-hoc deployment scripts.
- **2026-03-24**: Official Claude Channels now follow Anthropic's actual runtime contract. CCS blocks auto-enable unless Bun is available, Claude Code is verified at v2.1.80+, and `claude.ai` auth is verified; treats `--allow-dangerously-skip-permissions` as an explicit override; keeps Telegram/Discord bot tokens in Claude's shared `~/.claude/channels/` state (or official `*_STATE_DIR` overrides); and upgrades the dashboard/CLI status flow with Bun/version/auth/state-scope guidance, safer token draft retention on refresh failures, and a non-macOS iMessage toggle that can still be turned off when already selected.
- **2026-03-23**: CLIProxy providers that do not expose an email no longer require a user-supplied nickname on first auth. CCS now derives a stable internal account identifier for Kiro/Copilot-style flows, preserves later rename support, hardens account discovery/registry sync around that identifier, and updates AI Provider CRUD to use stable entry IDs instead of dashboard list indexes.
- **2026-03-23**: Sensitive dashboard management routes now fail closed to localhost-only access whenever dashboard auth is disabled. Remote access remains available after `ccs config auth setup`, but AI Provider management, CLIProxy auth/status helpers, and other write-capable settings endpoints no longer trust unauthenticated non-loopback requests.