diff --git a/.gitea/workflows/dev.yaml b/.gitea/workflows/dev.yaml
index f69a6a4..83797a4 100644
--- a/.gitea/workflows/dev.yaml
+++ b/.gitea/workflows/dev.yaml
@@ -75,6 +75,17 @@ jobs:
         if: github.event_name != 'pull_request'
         run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
 
+      - name: Prune Docker to reclaim disk
+        run: |
+          # Remove stopped containers, dangling images, unused volumes/networks.
+          # Do NOT prune build cache — that keeps Docker builds fast and under
+          # the ~26min runner restart window. Selective pruning frees ~4-5GB
+          # which is enough to prevent overlay2 "no space left on device" errors.
+          docker container prune -f 2>&1 || true
+          docker image prune -f 2>&1 || true
+          docker volume prune -f 2>&1 || true
+          df -h /
+
       # ── El SDK setup ──────────────────────────────────────────────────────
       # Push builds: extract elb + elc + runtime from ci-base (always latest).
       # PR builds:   use committed bin/elb-linux-amd64 + bin/elc-linux-amd64 + runtime/.
diff --git a/.gitea/workflows/stage.yaml b/.gitea/workflows/stage.yaml
index 48fc8ef..92edb4b 100644
--- a/.gitea/workflows/stage.yaml
+++ b/.gitea/workflows/stage.yaml
@@ -96,6 +96,17 @@ jobs:
       - name: Configure docker auth for Artifact Registry
         run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
 
+      - name: Prune Docker to reclaim disk
+        run: |
+          # Remove stopped containers, dangling images, unused volumes/networks.
+          # Do NOT prune build cache — that keeps Docker builds fast and under
+          # the ~26min runner restart window. Selective pruning frees ~4-5GB
+          # which is enough to prevent overlay2 "no space left on device" errors.
+          docker container prune -f 2>&1 || true
+          docker image prune -f 2>&1 || true
+          docker volume prune -f 2>&1 || true
+          df -h /
+
       - name: Compute image tag
         id: tag
         run: |
@@ -111,28 +122,6 @@ jobs:
         # in the build context for Dockerfile COPY to succeed.
         run: touch src/index.html src/about.html src/terms.html src/enterprise-terms.html
 
-      - name: Build soul-demo image tar
-        # Dockerfile.stage COPYs dist/soul-demo-image.tar so k3s can import
-        # soul-demo:local at runtime. We compile soul-demo from source on the
-        # host runner (ci-base has gcc), build a minimal OCI image, and save it.
-        # Runs before the main Docker build so the COPY succeeds.
-        if: steps.changetype.outputs.asset_only != 'true'
-        run: |
-          set -euo pipefail
-          # Compile el_runtime.o and soul-demo on the host runner
-          cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime.o
-          cc -O2 -rdynamic -DEL_SOUL_DEMO_BUILD \
-             -I runtime/ \
-             -o dist/soul-demo \
-             dist/soul-demo.c dist/vessel_stubs.c /tmp/el_runtime.o \
-             -lcurl -lpthread -ldl -lm -lssl -lcrypto
-          echo "soul-demo compiled: $(ls -lh dist/soul-demo)"
-          # Package as minimal OCI image for k3s import
-          docker build -f dist/Dockerfile.soul-demo -t soul-demo:local dist/
-          docker save soul-demo:local -o dist/soul-demo-image.tar
-          echo "soul-demo-image.tar: $(du -sh dist/soul-demo-image.tar | cut -f1)"
-          docker rmi soul-demo:local 2>/dev/null || true
-
       # ── El SDK setup ──────────────────────────────────────────────────────
 
       - name: Extract El SDK from ci-base
@@ -184,6 +173,28 @@ jobs:
 
       # ── Docker build + push ───────────────────────────────────────────────
 
+      - name: Build soul-demo image tar
+        # Dockerfile.stage COPYs dist/soul-demo-image.tar so k3s can import
+        # soul-demo:local at runtime. We compile soul-demo from source on the
+        # host runner (ci-base has gcc), build a minimal OCI image, and save it.
+        # Moved AFTER JS compilation to avoid Docker memory pressure killing elc.
+        if: steps.changetype.outputs.asset_only != 'true'
+        run: |
+          set -euo pipefail
+          # Compile el_runtime.o and soul-demo on the host runner
+          cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime.o
+          cc -O2 -rdynamic -DEL_SOUL_DEMO_BUILD \
+             -I runtime/ \
+             -o dist/soul-demo \
+             dist/soul-demo.c dist/vessel_stubs.c /tmp/el_runtime.o \
+             -lcurl -lpthread -ldl -lm -lssl -lcrypto
+          echo "soul-demo compiled: $(ls -lh dist/soul-demo)"
+          # Package as minimal OCI image for k3s import
+          docker build -f dist/Dockerfile.soul-demo -t soul-demo:local dist/
+          docker save soul-demo:local -o dist/soul-demo-image.tar
+          echo "soul-demo-image.tar: $(du -sh dist/soul-demo-image.tar | cut -f1)"
+          docker rmi soul-demo:local 2>/dev/null || true
+
       - name: Build and tag image
         if: steps.changetype.outputs.asset_only != 'true'
         run: |
diff --git a/Dockerfile.stage b/Dockerfile.stage
index 4a0a413..e3197e2 100644
--- a/Dockerfile.stage
+++ b/Dockerfile.stage
@@ -44,7 +44,7 @@ RUN cc -O2 -rdynamic \
        -lcurl -lpthread -ldl -lm -lssl -lcrypto
 
 # ── Download k3s binary ───────────────────────────────────────────────────────
-RUN curl -fL https://github.com/k3s-io/k3s/releases/download/v1.32.4%2Bk3s1/k3s -o /usr/local/bin/k3s \
+RUN curl -fL --retry 3 --retry-delay 10 https://github.com/k3s-io/k3s/releases/download/v1.32.4%2Bk3s1/k3s -o /usr/local/bin/k3s \
  && chmod +x /usr/local/bin/k3s
 
 # ── Stage 2: runtime image ────────────────────────────────────────────────────