diff --git a/Dockerfile b/Dockerfile
index f92c1d0..b96445a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM node:22-alpine
 
 WORKDIR /app
 
+RUN apk add --no-cache su-exec
+
 # Copy package files first for better layer caching
 COPY package*.json ./
 RUN npm ci --omit=dev
@@ -9,6 +11,7 @@ RUN npm ci --omit=dev
 # Copy source
 COPY . .
 RUN mkdir -p /app/runs /app/runs/memory /app/runs/memory/cold && chown -R node:node /app
+RUN chmod +x /app/docker-entrypoint.sh
 
 # Default port (override with -e PORT=xxxx)
 EXPOSE 3117
@@ -20,5 +23,5 @@ ENV PORT=3117 \
 HEALTHCHECK --interval=60s --timeout=10s --start-period=45s --retries=3 \
   CMD node -e "fetch('http://127.0.0.1:'+(process.env.PORT||3117)+'/api/health').then(r=>{if(![200,503].includes(r.status))process.exit(1);return r.json()}).then(j=>{if(['error'].includes(j.status))process.exit(1)}).catch(()=>process.exit(1))"
 
-USER node
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["node", "server.mjs"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..5197b08
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -eu
+
+mkdir -p /app/runs/memory/cold
+
+if chown -R node:node /app/runs 2>/dev/null; then
+  exec su-exec node "$@"
+fi
+
+if su-exec node sh -c 'test -w /app/runs && test -w /app/runs/memory'; then
+  exec su-exec node "$@"
+fi
+
+echo "[entrypoint] WARNING: /app/runs is not writable by user node; starting as root for this bind mount." >&2
+exec "$@"