diff --git a/services/zpush/Dockerfile b/services/zpush/Dockerfile
index a13b92b..b53accd 100644
--- a/services/zpush/Dockerfile
+++ b/services/zpush/Dockerfile
@@ -15,6 +15,12 @@ FROM alpine/git AS source
 ARG ZPUSH_VERSION
 RUN git clone --depth 1 --branch ${ZPUSH_VERSION} \
       https://github.com/EGroupware/z-push.git /z-push
+# AWL (Andrew's Web Libraries) — Z-Push's CalDAV client (include/z_caldav.php)
+# requires XMLDocument.php from it, and its include_path already expects the
+# Debian location /usr/share/awl/inc. Debian dropped the php-awl package
+# after bullseye, so vendor it from upstream at a pinned tag.
+RUN git clone --depth 1 --branch r0.65 \
+      https://gitlab.com/davical-project/awl.git /awl
 
 # php:8.2 — the imap extension lives in PHP core through 8.3 and moved to
 # PECL in 8.4; stay on a version where docker-php-ext-install still works.
@@ -31,6 +37,7 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/*
 
 COPY --from=source /z-push/src/ /usr/share/z-push/
+COPY --from=source /awl/inc/ /usr/share/awl/inc/
 
 # Main config: keep the 50+ upstream defaults, patch only what we change.
 # The greps make the build fail loudly if an upstream config rename ever
@@ -65,6 +72,16 @@ COPY config/autodiscover.config.php /usr/share/z-push/autodiscover/config.php
 # autodiscover.php resolves its requires relative to that directory.
 COPY autodiscover-router.php /usr/share/z-push/autodiscover/router.php
 
+# Build-time smoke test: force-load every class the combined backend pulls
+# in at runtime. Catches missing vendored dependencies (the AWL include
+# above only crashes on the first *authenticated* request otherwise).
+RUN php -d include_path='.:/usr/local/lib/php:/usr/share/z-push/:/usr/share/awl/inc' -r ' \
+      require "/usr/share/z-push/vendor/autoload.php"; \
+      foreach (array("CalDAVClient", "carddav_backend", "BackendIMAP", "BackendCalDAV", "BackendCardDAV", "BackendCombined") as $c) { \
+        if (!class_exists($c)) { fwrite(STDERR, "FAILED loading $c\n"); exit(1); } \
+      } \
+      echo "class-load smoke OK\n";'
+
 COPY apache/zpush.conf /etc/apache2/conf-available/zpush.conf
 COPY php/zpush.ini /usr/local/etc/php/conf.d/zpush.ini
 RUN a2enconf zpush \
diff --git a/services/zpush/php/zpush.ini b/services/zpush/php/zpush.ini
index 077880a..032059a 100644
--- a/services/zpush/php/zpush.ini
+++ b/services/zpush/php/zpush.ini
@@ -9,3 +9,6 @@ log_errors = On
 error_log = /dev/stderr
 display_errors = Off
 expose_php = Off
+; Never capture function arguments in exception traces — Z-Push passes raw
+; passwords through Logon(), and an uncaught fatal would log them.
+zend.exception_ignore_args = 1