diff --git a/.dockerignore b/.dockerignore
index d2d74868..6e504097 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -145,9 +145,8 @@ docker-compose*.yml
 dist/
 # -----------------------------------------------------------------------------
-# Scripts & Tools (not needed in image)
+# Tools (not needed in image)
 # -----------------------------------------------------------------------------
-scripts/
 tools/
 create_issues.sh
 cookies.txt
diff --git a/Dockerfile b/Dockerfile
index ebe876b9..fb4848da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -243,10 +243,10 @@ RUN set -eux; \
 FROM ${CADDY_IMAGE}
 WORKDIR /app
-# Install runtime dependencies for Charon (no bash needed)
+# Install runtime dependencies for Charon, including bash for maintenance scripts
 # Explicitly upgrade c-ares to fix CVE-2025-62408
 # hadolint ignore=DL3018
-RUN apk --no-cache add ca-certificates sqlite-libs tzdata curl gettext \
+RUN apk --no-cache add bash ca-certificates sqlite-libs sqlite tzdata curl gettext \
 && apk --no-cache upgrade \
 && apk --no-cache upgrade c-ares
@@ -301,6 +301,10 @@ COPY --from=frontend-builder /app/frontend/dist /app/frontend/dist
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /docker-entrypoint.sh
+# Copy utility scripts (used for DB recovery and maintenance)
+COPY scripts/ /app/scripts/
+RUN chmod +x /app/scripts/db-recovery.sh
+
 # Set default environment variables
 ENV CHARON_ENV=production \
 CHARON_DB_PATH=/app/data/charon.db \
diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md
index dfe97f26..77c8dacd 100644
--- a/docs/plans/current_spec.md
+++ b/docs/plans/current_spec.md
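Review bot: Removing `scripts/` from .dockerignore sends the whole directory into the build context, and `COPY scripts/ /app/scripts/` in the Dockerfile's `@@ -301,6 +301,10 @@` hunk then ships all of it in the production image. The only script this diff names or makes executable is `db-recovery.sh`, so whatever else lives in that directory (development or CI helpers, presumably) becomes runtime image content without being reviewed for that purpose. Narrowing both sides keeps the image to what is needed: here `scripts/*` followed by `!scripts/db-recovery.sh`, and in the Dockerfile `COPY scripts/db-recovery.sh /app/scripts/db-recovery.sh`. If other scripts are meant to run inside the container, listing them explicitly in both places would document that intent.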
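Review bot: The `apk add` line in the Dockerfile's `@@ -243,10 +243,10 @@` hunk now installs `bash` and the `sqlite` CLI into the runtime stage, but the updated comment mentions only bash and drops the earlier "no bash needed" minimisation without stating the trade-off. Both tools stay available to anything that obtains code execution in the container, and the sqlite CLI gives direct access to the application database file. A comment next to the install would record why they are present, e.g. `# bash + sqlite CLI: needed by /app/scripts/db-recovery.sh, run by operators via docker exec`. Whether the recovery script could target POSIX `sh` instead, so that bash can be left out again, depends on the script itself, which is not part of this diff.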
@@ -10,6 +10,12 @@
 **This is NOT a logic bug.** The root cause is **SQLite database corruption** affecting specific records in the `uptime_heartbeats` table. The error `database disk image is malformed` is consistently returned when querying heartbeat history for exactly 6 specific monitor IDs.
+## Dockerfile Scripts Inclusion Check (Dec 17, 2025)
+
+- Observation: The runtime stage in Dockerfile (base `${CADDY_IMAGE}` → WORKDIR `/app`) copies Caddy, CrowdSec binaries, backend binary (`/app/charon`), frontend build, and `docker-entrypoint.sh`, but does **not** copy the repository `scripts/` directory. No prior stage copies `scripts/` either.
+- Impact: `docker exec -it charon /app/scripts/db-recovery.sh` fails after rebuild because `/app/scripts/db-recovery.sh` is absent in the image.
+- Minimal fix to apply: Add a copy step in the final stage, e.g. `COPY scripts/ /app/scripts/` followed by `RUN chmod +x /app/scripts/db-recovery.sh` to ensure the recovery script is present and executable inside the container at `/app/scripts/db-recovery.sh`.
+
 ---
 ## 1. Evidence from Container Logs