diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 9e74fbd..5d55451 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -261,11 +261,19 @@ jobs:
           # Unset/empty → the compose default (non-routable) keeps the
           # stack capture-only.
           GALAXY_DEV_MAIL_RELAY_MATCH: ${{ vars.GALAXY_DEV_MAIL_RELAY_MATCH }}
+          # Grafana admin password; unset/empty -> compose default 'admin'.
+          GALAXY_DEV_GRAFANA_ADMIN_PASSWORD: ${{ secrets.GALAXY_DEV_GRAFANA_ADMIN_PASSWORD }}
         run: |
           # Resolve in the shell, not in YAML expressions — `env.HOME`
           # is empty at the workflow-evaluation stage.
           export GALAXY_DEV_GAME_STATE_DIR="$HOME/.galaxy-dev/game-state"
           mkdir -p "$GALAXY_DEV_GAME_STATE_DIR"
+          # Seed the monitoring config to a stable, reboot-surviving host
+          # path (compose binds \${GALAXY_DEV_MONITORING_DIR} read-only).
+          export GALAXY_DEV_MONITORING_DIR="$HOME/.galaxy-dev/monitoring"
+          rm -rf "$GALAXY_DEV_MONITORING_DIR"
+          mkdir -p "$GALAXY_DEV_MONITORING_DIR"
+          cp -r monitoring/. "$GALAXY_DEV_MONITORING_DIR/"
           docker compose up -d --wait --remove-orphans
 
       - name: Probe the stack
diff --git a/tools/dev-deploy/Caddyfile.dev b/tools/dev-deploy/Caddyfile.dev
index af25751..bd485bf 100644
--- a/tools/dev-deploy/Caddyfile.dev
+++ b/tools/dev-deploy/Caddyfile.dev
@@ -37,6 +37,22 @@
 		reverse_proxy galaxy-api:8080
 	}
 
+	# Grafana (observability UI) under /grafana/ — Caddy sub-path mode
+	# (Grafana set with GF_SERVER_SERVE_FROM_SUB_PATH); its own login.
+	handle /grafana/* {
+		reverse_proxy galaxy-grafana:3000
+	}
+
+	# Mailpit captured-mail UI under /mailpit/. Shows every message the
+	# backend sent (relayed or not); basic-auth (dev: gm / gm-dev-password)
+	# guards the OTP codes it exposes. Mailpit runs with MP_WEBROOT=/mailpit.
+	handle /mailpit/* {
+		basic_auth {
+			gm "$2a$14$xVh1TLaZxh8fazlKrI9Mx.NQMQlMarYWtr3FRELmZIXuac/DeeTRO"
+		}
+		reverse_proxy galaxy-mailpit:8025
+	}
+
 	# Bare `/game` (no trailing slash) -> `/game/` so the SPA root
 	# resolves before the site catch-all can claim it.
 	handle /game {