diff --git a/compose.dev.yaml b/compose.dev.yaml
index 5afe4f7..680fcac 100644
--- a/compose.dev.yaml
+++ b/compose.dev.yaml
@@ -88,6 +88,11 @@ services:
     image: timescale/timescaledb-ha:pg16.6-ts2.17.2-all
     expose:
       - '5432'
+    # Bind Postgres to the Tailscale interface only — reachable from pgAdmin
+    # via the zero-trust mesh, never from the public internet. The internal
+    # `postgres:5432` hostname for stack peers (directus, processor) is unaffected.
+    ports:
+      - '100.66.187.183:5432:5432'
     volumes:
       - postgres-data:/home/postgres/pgdata/data
     environment: