diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 14a962ed..152050bb 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -79,6 +79,7 @@ jobs:
           IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
           POSTGRES_USER=archiv
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          VITE_SENTRY_DSN=${{ secrets.VITE_SENTRY_DSN }}
           EOF
 
       - name: Verify backend /import:ro mount is wired
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 46504417..fe435306 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -268,6 +268,10 @@ services:
     build:
       context: ./frontend
       target: production
+      args:
+        # Vite build-time variable — baked into the JS bundle at build time.
+        # Empty default so deploys succeed before the secret is configured.
+        VITE_SENTRY_DSN: ${VITE_SENTRY_DSN:-}
     restart: unless-stopped
     depends_on:
       backend:
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 344d5cb6..6347e64d 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -16,6 +16,10 @@ CMD ["npm", "run", "dev"]
 # Compiles the SvelteKit Node-adapter output to /app/build.
 FROM node:20.19.0-alpine3.21 AS build
 WORKDIR /app
+# VITE_SENTRY_DSN is a build-time variable — Vite bakes it into the bundle.
+# Passed via docker-compose build.args; empty string disables the SDK.
+ARG VITE_SENTRY_DSN
+ENV VITE_SENTRY_DSN=$VITE_SENTRY_DSN
 COPY package.json package-lock.json ./
 RUN npm ci
 COPY . .