diff --git a/.env.example b/.env.example
index e840eb7..59395f2 100755
--- a/.env.example
+++ b/.env.example
@@ -68,6 +68,12 @@ WECHAT_OA_APP_ID=replace-with-oa-appid
 WECHAT_OA_APP_SECRET=replace-with-oa-appsecret
 WECHAT_OA_TIMEOUT_SECONDS=5
 
+# 保质期小程序（前端/运维联调）
+# 小程序前端请求后端时使用的 API 根地址
+EXPIRY_API_BASE_URL=https://api.example.com
+# 小程序 AppID（前端 manifest.json 同步）
+EXPIRY_MINIAPP_APP_ID=replace-with-miniapp-appid
+
 # Redis（可选，用于缓存 session_key -> user）
 # 不配置 REDIS_ADDR 时，程序会自动禁用 Redis，保持原来每次请求查 MySQL 的方式。
 REDIS_ADDR=127.0.0.1:6379
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..de36472
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM golang:1.23-alpine AS builder
+WORKDIR /app
+
+RUN apk add --no-cache git ca-certificates
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /wx_service ./cmd/api
+
+FROM alpine:3.20
+WORKDIR /app
+
+RUN apk add --no-cache ca-certificates wget && update-ca-certificates
+
+COPY --from=builder /wx_service /app/wx_service
+COPY .env /app/.env
+
+EXPOSE 8080
+CMD ["/app/wx_service"]
diff --git a/deploy/nginx/wx_service_https.conf b/deploy/nginx/wx_service_https.conf
index 1c4dcb2..f3d2460 100644
--- a/deploy/nginx/wx_service_https.conf
+++ b/deploy/nginx/wx_service_https.conf
@@ -36,6 +36,31 @@ server {
 
     client_max_body_size 50m;
 
+    # 健康检查接口
+    location = /healthz {
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Connection "";
+        proxy_pass http://wx_service_upstream;
+    }
+
+    # 业务接口（包括 /api/v1 与 /api/expiry）
+    location /api/ {
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Connection "";
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        proxy_pass http://wx_service_upstream;
+    }
+
     location / {
         proxy_http_version 1.1;
         proxy_set_header Host $host;
@@ -46,4 +71,3 @@ server {
         proxy_pass http://wx_service_upstream;
     }
 }
-
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..1099d79
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,60 @@
+services:
+  api:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: wx_service_api
+    restart: always
+    env_file:
+      - .env
+    ports:
+      - "8080:8080"
+    depends_on:
+      - mysql
+      - redis
+    healthcheck:
+      test: ["CMD", "wget", "-q", "-O", "-", "http://127.0.0.1:8080/healthz"]
+      interval: 20s
+      timeout: 5s
+      retries: 5
+
+  mysql:
+    image: mysql:8.0
+    container_name: wx_service_mysql
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
+      MYSQL_DATABASE: ${DB_NAME}
+    ports:
+      - "3306:3306"
+    volumes:
+      - mysql_data:/var/lib/mysql
+    command: --default-authentication-plugin=mysql_native_password --innodb-buffer-pool-size=256M
+
+  redis:
+    image: redis:7-alpine
+    container_name: wx_service_redis
+    restart: always
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_data:/data
+    command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru
+
+  nginx:
+    image: nginx:1.27-alpine
+    container_name: wx_service_nginx
+    restart: always
+    depends_on:
+      - api
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./deploy/nginx/wx_service_https.conf:/etc/nginx/conf.d/default.conf:ro
+      # 请在部署机上挂载真实证书路径（示例）
+      # - /etc/letsencrypt:/etc/letsencrypt:ro
+
+volumes:
+  mysql_data:
+  redis_data:
diff --git a/docs/expiry/DEPLOYMENT.md b/docs/expiry/DEPLOYMENT.md
new file mode 100644
index 0000000..2a33cd6
--- /dev/null
+++ b/docs/expiry/DEPLOYMENT.md
@@ -0,0 +1,56 @@
+# 保质期小程序部署说明
+
+## 1. 准备
+1. 复制环境变量模板：
+```bash
+cp .env.example .env
+```
+2. 按实际环境填写 `.env`：数据库、Redis、AI、七牛、小程序 AppID、API 域名。
+3. 确认域名解析到部署机：
+- `api.example.com -> 服务器公网 IP`
+
+## 2. 数据库初始化
+```bash
+mysql -h <host> -u <user> -p <db_name> < docs/sql/expiry.sql
+```
+
+## 3. 一键部署（Docker Compose）
+```bash
+docker compose -f docker-compose.prod.yml up -d --build
+```
+
+## 4. Nginx HTTPS 配置
+1. 修改 `deploy/nginx/wx_service_https.conf` 中 `server_name` 与证书路径。
+2. 挂载证书目录（例如 `/etc/letsencrypt`）。
+3. 重载 Nginx：
+```bash
+docker exec wx_service_nginx nginx -s reload
+```
+
+## 5. 验证
+1. 健康检查：
+```bash
+curl -i https://api.example.com/healthz
+curl -i https://api.example.com/api/expiry/healthz
+```
+2. 接口联调：
+```bash
+BASE_URL=https://api.example.com TOKEN=<session_key> scripts/expiry/run_integration_tests.sh
+```
+
+## 6. 小程序侧配置
+1. `manifest.json` 配置正式 `appid`。
+2. 在小程序后台添加服务器域名：
+- request 合法域名：`https://api.example.com`
+3. 发布前执行：
+```bash
+# 在前端仓库 expiry_uniapp 中
+npm install
+npm run build -- wx
+```
+
+## 7. 回滚
+```bash
+docker compose -f docker-compose.prod.yml down
+# 回滚到上一版本镜像后再 up -d
+```