diff --git a/scripts/publish.sh b/scripts/publish.sh
index e527d7f..3e1e33d 100755
--- a/scripts/publish.sh
+++ b/scripts/publish.sh
@@ -1,3 +1,124 @@
 #!/usr/bin/env bash
-echo "scripts/publish.sh: not yet implemented (see plan 4)" >&2
-exit 1
+set -euo pipefail
+
+# Build and push the cm-whatsapp-bot service images to the private
+# Gitea registry. Modeled on cm_bot_v2/scripts/publish.sh — same
+# auth path, same buildx flow, same NO_SUDO toggle, same registry.
+
+REGISTRY_PREFIX="gitea.04080616.xyz/yiekheng"
+
+usage() {
+ cat <<'EOF'
+Build and push cm-whatsapp-bot service images to gitea.04080616.xyz/yiekheng.
+
+Usage:
+ scripts/publish.sh [tag]
+
+Arguments:
+ tag Optional tag to publish (default: latest). Override with DOCKER_IMAGE_TAG.
+
+Environment:
+ DOCKER_IMAGE_TAG Alternative way to set the tag (overrides CLI argument).
+ BUILD_ARGS Extra arguments passed to each docker build command.
+ CM_IMAGE_PLATFORMS Buildx platforms (default: linux/amd64).
+ NO_SUDO=1 Skip the 'sudo' prefix (use if your user is in the docker group).
+
+Authentication:
+ The script invokes docker via sudo by default (matching scripts/dev.sh).
+ Authenticate as the same user that runs the build:
+ sudo docker login gitea.04080616.xyz # default (sudo path)
+ docker login gitea.04080616.xyz # only with NO_SUDO=1
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+ usage
+ exit 0
+fi
+
+# Match scripts/dev.sh: prefix docker calls with sudo unless the user opts
+# out via NO_SUDO=1 (typically because they're in the docker group).
+SUDO="sudo"
+[[ "${NO_SUDO:-0}" == "1" ]] && SUDO=""
+DOCKER=(${SUDO} docker)
+
+if ! "${DOCKER[@]}" info >/dev/null 2>&1; then
+ cat <&2
+Docker daemon is not reachable as the current effective user.
+
+If you usually run docker via sudo (matching scripts/dev.sh), make sure
+your password is cached / interactive — try 'sudo -v' first, then rerun.
+
+If you've added yourself to the docker group, set NO_SUDO=1:
+ NO_SUDO=1 bash scripts/publish.sh ${1:-latest}
+EOF
+ exit 1
+fi
+
+# (Earlier versions checked `docker system info` for the registry — but
+# IndexServerAddress always points at Docker Hub regardless of which
+# registries you've logged into, so the check was a guaranteed false
+# positive. If push fails with 401, run:
+# ${SUDO:+sudo }docker login gitea.04080616.xyz
+
+IMAGE_TAG="${1:-${DOCKER_IMAGE_TAG:-latest}}"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+PLATFORMS="${CM_IMAGE_PLATFORMS:-linux/amd64}"
+
+if ! "${DOCKER[@]}" buildx version >/dev/null 2>&1; then
+ RUNNER="$([[ -n "${SUDO}" ]] && echo "root via sudo" || echo "current user")"
+ cat <&2
+Docker Buildx isn't reachable as the user this script runs docker as
+(${RUNNER}).
+
+Likely cause: buildx is installed at the per-user path
+~/.docker/cli-plugins/docker-buildx, which sudo doesn't see.
+
+Pick one fix:
+
+ 1) Add yourself to the docker group (works for everything, no sudo):
+ sudo usermod -aG docker \$USER
+ newgrp docker
+ docker login gitea.04080616.xyz
+ NO_SUDO=1 bash scripts/publish.sh ${1:-latest}
+
+ 2) Install the buildx plugin system-wide:
+ sudo apt install docker-buildx-plugin
+ sudo docker login gitea.04080616.xyz
+ bash scripts/publish.sh ${1:-latest}
+
+EOF
+ exit 1
+fi
+
+echo "Using buildx with platforms: ${PLATFORMS}"
+echo
+
+# The bot and web services each ship as their own image. The tools
+# container is dev-only (long-running pnpm sidecar) and isn't
+# published to the registry — there's no production deploy path
+# that needs it.
+SERVICES=(
+ "bot docker/bot.Dockerfile"
+ "web docker/web.Dockerfile"
+)
+
+echo "Publishing cm-whatsapp-bot images to ${REGISTRY_PREFIX}/cm-whatsapp-:${IMAGE_TAG}"
+echo
+
+for ENTRY in "${SERVICES[@]}"; do
+ SERVICE="${ENTRY%% *}"
+ DOCKERFILE="${ENTRY#* }"
+ IMAGE_NAME="${REGISTRY_PREFIX}/cm-whatsapp-${SERVICE}:${IMAGE_TAG}"
+
+ echo "==> Building and pushing ${IMAGE_NAME} (${DOCKERFILE})"
+ "${DOCKER[@]}" buildx build ${BUILD_ARGS:-} \
+ --platform "${PLATFORMS}" \
+ -f "${ROOT_DIR}/${DOCKERFILE}" \
+ -t "${IMAGE_NAME}" \
+ --push \
+ "${ROOT_DIR}"
+ echo
+done
+
+echo "All images pushed to ${REGISTRY_PREFIX} with tag '${IMAGE_TAG}'."
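Review bot: The tag precedence in `IMAGE_TAG="${1:-${DOCKER_IMAGE_TAG:-latest}}"` is the reverse of what usage() promises: the help text says DOCKER_IMAGE_TAG "overrides CLI argument", but here a positional tag wins and the variable is only consulted when no argument is given. On a publish script this decides which registry tag gets overwritten, so the code and the help should agree; if the help text is the intent, use `IMAGE_TAG="${DOCKER_IMAGE_TAG:-${1:-latest}}"`, otherwise reword the two usage lines that mention the override. Separately, because the fallback is `latest`, a run with no argument and no variable replaces a mutable tag in the registry; consider requiring an explicit tag, or state in usage() that the default run overwrites `latest` for both the bot and web images.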