diff --git a/.env.example b/.env.example
index 7e16a7a..79c8e8c 100644
--- a/.env.example
+++ b/.env.example
@@ -5,7 +5,7 @@ DATABASE_URL=postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable
 REDIS_URL=redis://localhost:6379/0
 
 # Control Plane
-WRENN_CP_LISTEN_ADDR=:8080
+WRENN_CP_LISTEN_ADDR=:9725
 
 # Host Agent
 WRENN_HOST_LISTEN_ADDR=:50051
@@ -44,4 +44,4 @@ WRENN_ENCRYPTION_KEY=
 OAUTH_GITHUB_CLIENT_ID=
 OAUTH_GITHUB_CLIENT_SECRET=
 OAUTH_REDIRECT_URL=https://app.wrenn.dev
-CP_PUBLIC_URL=https://api.wrenn.dev
+CP_PUBLIC_URL=https://app.wrenn.dev
diff --git a/deploy/Caddyfile.dev b/deploy/Caddyfile.dev
index 789f8df..bbeb7d7 100644
--- a/deploy/Caddyfile.dev
+++ b/deploy/Caddyfile.dev
@@ -8,7 +8,7 @@
 # Option 2: Use dnsmasq: address=/.localhost/127.0.0.1
 # Option 3: Use systemd-resolved (Ubuntu default — *.localhost resolves to 127.0.0.1)
 http://*.localhost {
-	reverse_proxy host.docker.internal:8080
+	reverse_proxy host.docker.internal:9725
 }
 
 # Main entry point: API + frontend
@@ -16,21 +16,21 @@ http://localhost {
 	# API routes — strip /api prefix and proxy to the control plane.
 	# The frontend calls /api/v1/... which becomes /v1/... at the CP.
 	handle_path /api/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 
 	# Backend routes served directly (SDK clients, OAuth initiation)
 	handle /v1/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /openapi.yaml {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /docs {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /auth/oauth/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 
 	# Everything else — proxy to the frontend dev server