diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e63c2e0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM node:20-bookworm-slim
+
+WORKDIR /app
+ENV NODE_ENV=production
+
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev && npm cache clean --force
+
+COPY server.mjs ./
+
+EXPOSE 8080
+CMD ["npm", "start"]
diff --git a/gen-ed25519.mjs b/gen-ed25519.mjs
deleted file mode 100644
index 3160442..0000000
--- a/gen-ed25519.mjs
+++ /dev/null
@@ -1,15 +0,0 @@
-import crypto from "crypto";
-
-const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
-
-// Private key (PKCS8 PEM) for signing
-const privPem = privateKey.export({ format: "pem", type: "pkcs8" });
-
-// Public key as raw 32-byte base64 (matches ENS cl.sig.pub format after "ed25519:")
-const pubSpkiDer = publicKey.export({ format: "der", type: "spki" });
-const raw32 = Buffer.from(pubSpkiDer).subarray(pubSpkiDer.length - 32);
-if (raw32.length !== 32) throw new Error("Unexpected public key length");
-const pubB64 = raw32.toString("base64");
-
-console.log("CL_PRIVATE_KEY_PEM=\n" + privPem.trim());
-console.log("CL_PUBLIC_KEY_B64=" + pubB64);
diff --git a/tests/smoke.mjs b/tests/smoke.mjs
index a48228e..263f72f 100644
--- a/tests/smoke.mjs
+++ b/tests/smoke.mjs
@@ -45,23 +45,6 @@ function extractReceiptEnvelope(body) {
   return { receipt, runtimeMetadata };
 }
 
-function assertReceiptInvariants(receipt) {
-  if (!receipt || typeof receipt !== "object") throw new Error("receipt must be object");
-  const proof = receipt?.metadata?.proof || {};
-  if (proof.alg !== "ed25519-sha256") throw new Error("proof.alg must be ed25519-sha256");
-  const canonical = String(proof.canonical_id || proof.canonical || "");
-  if (canonical !== "json.sorted_keys.v1") throw new Error("canonical must be json.sorted_keys.v1");
-  if (String(proof.kid || "") !== "v1") throw new Error("kid must be v1");
-
-  const h = String(proof.hash_sha256 || "");
-  if (!/^[a-f0-9]{64}$/i.test(h)) throw new Error("hash_sha256 must be 64 hex chars");
-
-  const sigB64 = String(proof.signature_b64 || "");
-  let sig;
-  try { sig = Buffer.from(sigB64, "base64"); } catch { sig = null; }
-  if (!sig || sig.length !== 64) throw new Error("signature_b64 must decode to 64 bytes");
-}
-
 function generateTestKeyPair() {
   const PRINT_EXPORTS = process.env.PRINT_EXPORTS === "1";