diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index 5add83a..5a175d4 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -39,6 +39,8 @@ jobs:
           context: ./web-app
           push: true
           tags: ghcr.io/${{ steps.repo_name.outputs.name }}/web-app:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Build and push Rust engine image ⚙️
         uses: docker/build-push-action@v6
@@ -46,13 +48,31 @@ jobs:
           context: ./rust-engine
           push: true
           tags: ghcr.io/${{ steps.repo_name.outputs.name }}/rust-engine:${{ github.sha }}
+          build-args: |
+            RUSTUP_TOOLCHAIN=stable
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Prepare SSH key
+        shell: bash
+        run: |
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          # Write private key
+          printf "%s" "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          # Pre-populate known_hosts to avoid interactive prompt
+          ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts || true
+          chmod 644 ~/.ssh/known_hosts
+
 
       - name: Deploy to server via SSH ☁️
         uses: appleboy/ssh-action@v1.0.3
         with:
           host: ${{ secrets.SERVER_HOST }}
           username: ${{ secrets.SERVER_USERNAME }}
-          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          key_path: ~/.ssh/id_rsa
+          debug: true
           script: |
             cd /var/www/codered-astra
             export GEMINI_API_KEY='${{ secrets.GEMINI_API_KEY }}'
diff --git a/rust-engine/Dockerfile b/rust-engine/Dockerfile
index 8e39de3..07d84d4 100644
--- a/rust-engine/Dockerfile
+++ b/rust-engine/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 # rust-engine/Dockerfile
 
 # --- Stage 1: Builder ---
@@ -32,14 +33,20 @@ COPY Cargo.toml Cargo.lock ./
 RUN mkdir -p src && echo "fn main() { println!(\"cargo cache build\"); }" > src/main.rs
 
 # Fetch and build dependencies (this will be cached until Cargo.toml changes)
-RUN cargo build --release || true
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=/usr/src/app/target,sharing=locked \
+    cargo build --release || true
 
 
 # Now copy the real source and build the final binary
 COPY src ./src
 # Only remove the dummy main.rs if it exists and is not the real one
 RUN if grep -q 'cargo cache build' src/main.rs 2>/dev/null; then rm src/main.rs; fi
-RUN cargo build --release
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=/usr/src/app/target,sharing=locked \
+    cargo build --release
 
 # --- Stage 2: Final, small image ---
 FROM debian:bookworm-slim