diff --git a/scripts/start-container b/scripts/start-container
index a921e93..0b3fcd8 100644
--- a/scripts/start-container
+++ b/scripts/start-container
@@ -137,7 +137,11 @@ if [ -f /home/agent/.ssh/id_rsa ]; then
 export GIT_SSH_COMMAND="ssh -o IdentityFile=/home/agent/.ssh/id_rsa -o UserKnownHostsFile=/home/agent/.ssh/known_hosts -o StrictHostKeyChecking=accept-new"
 fi
 
-exec sh -c "$(cat /etc/bastion/force-command.cmd)"
+# Forward args from the caller (CGI passes one optional --patch|--minor|
+# --major arg; SSH ForceCommand passes none). The user's FORCE_COMMAND in
+# compose can reference "$@" to thread these through to deploy.sh. With
+# no args, "$@" expands to nothing and behavior is identical to before.
+exec sh -c "$(cat /etc/bastion/force-command.cmd)" sh "$@"
 WRAPPER
 chmod 0755 /etc/bastion/force-command
 echo " $FORCE_COMMAND_VALUE"
@@ -210,8 +214,20 @@ if [ -n "${HTTP_BASIC_AUTH:-}" ]; then
 #!/bin/sh
 # Auto-generated. Auth was validated by busybox httpd via httpd.conf
 # before this script ran — REMOTE_USER holds the authenticated username.
+#
+# Optional X-Deploy-Bump header (set by upstream nginx capturing the URL
+# suffix /patch|/minor|/major) is validated here and forwarded to the
+# FORCE_COMMAND wrapper as a single positional arg. Anything else
+# (missing header, unknown value) passes through with no arg, leaving
+# the caller's deploy.sh to apply its own default.
+BUMP_ARG=""
+case "${HTTP_X_DEPLOY_BUMP:-}" in
+ patch) BUMP_ARG="--patch" ;;
+ minor) BUMP_ARG="--minor" ;;
+ major) BUMP_ARG="--major" ;;
+esac
 printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
-exec /etc/bastion/force-command 2>&1
+exec /etc/bastion/force-command $BUMP_ARG 2>&1
 CGI
 chmod 0755 /var/www/cgi-bin/run
 # -c CONFFILE = auth + content-type rules; httpd reads it as root before
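Review bot: The wrapper now passes every positional argument unfiltered to the operator-supplied command, and the only allow-list for those arguments is in the generated CGI script (second hunk). Any other caller of /etc/bastion/force-command can therefore push arbitrary strings into whatever FORCE_COMMAND does with `"$@"`; repeating the --patch/--minor/--major check in the wrapper would enforce the documented contract at the point where it is consumed. The added comment could also say that FORCE_COMMAND should reference `"$@"` quoted, so a value is never re-split by the inner shell. The heredoc opener is outside the hunk, so this assumes its delimiter is quoted and `"$@"` is expanded when the wrapper runs, not when it is generated.

```shell
# Accept only the documented bump flags; reject anything else before it
# reaches the operator-supplied command.
for arg in "$@"; do
  case "$arg" in
    --patch|--minor|--major) ;;
    *) echo "force-command: unexpected argument" >&2; exit 2 ;;
  esac
done
exec sh -c "$(cat /etc/bastion/force-command.cmd)" sh "$@"
```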
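Review bot: A header that is present but is not one of the three accepted values is handled exactly like a missing header, so a mistyped or unexpected X-Deploy-Bump still triggers a deploy with the default bump. For a deploy trigger it would be safer to fail closed: keep the empty case explicit with `"") ;;` and add a `*)` arm that prints an error response and exits before the `exec`. The unquoted `$BUMP_ARG` on the exec line is safe only because the variable is assigned from fixed literals; `${BUMP_ARG:+"$BUMP_ARG"}` keeps the "no arg when empty" behaviour without relying on word splitting. The comment says nginx sets the header, so it is worth confirming that the nginx config overwrites any client-supplied X-Deploy-Bump before proxying. The heredoc opener for this CGI script is outside the hunk.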