Document and harden registry push against 413 Payload Too Large.

Use ephemeral docker login config; document Cloudflare bypass via Jenkins extra_hosts.

docs/JENKINS.md

@@ -62,6 +62,21 @@ The bootstrap stage installs the **buildx** CLI plugin into `.ci-bin/docker-conf
 
 Set `DOCKER_GID` on the Jenkins Coolify service to the host docker group GID (`stat -c '%g' /var/run/docker.sock`), redeploy Jenkins.
 
+### Registry push `413 Payload Too Large`
+
+Docker image layers are often **>100MB**. If `git.aexoradao.com` is behind **Cloudflare proxy** (orange cloud), uploads fail with `413`.
+
+**Fix (recommended for same-host Jenkins):** Jenkins container `extra_hosts`:
+
+```yaml
+extra_hosts:
+  - 'git.aexoradao.com:host-gateway'
+```
+
+Pushes then go to **local Traefik** (Let's Encrypt on origin), not Cloudflare.
+
+**Alternative:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or use Docker Hub as `REGISTRY_IMAGE`.
+
 ### Registry push 401/403
 
 - Token needs **write:package** (or full repo scope including packages)

scripts/ci/jenkins-push-image.sh

@@ -14,8 +14,14 @@ if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
   exit 1
 fi
 
+# Ephemeral docker config — do not persist registry password in workspace
+PUSH_DOCKER_CONFIG="$(mktemp -d)"
+trap 'rm -rf "$PUSH_DOCKER_CONFIG"' EXIT
+export DOCKER_CONFIG="$PUSH_DOCKER_CONFIG"
+
 echo "$REGISTRY_PASSWORD" | $DOCKER login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
 
+echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG} (large layers need Cloudflare bypass — Jenkins extra_hosts git.aexoradao.com:host-gateway)"
 $DOCKER push "${REGISTRY_IMAGE}:${IMAGE_TAG}"
 $DOCKER push "${REGISTRY_IMAGE}:main"