diff --git a/docker/Dockerfile.gateway b/docker/Dockerfile.gateway
index 5d87272..fdaaab6 100644
--- a/docker/Dockerfile.gateway
+++ b/docker/Dockerfile.gateway
@@ -32,12 +32,6 @@ RUN apk add --no-cache \
 jq \
 && rm -rf /var/cache/apk/*
-# Create non-root user and add to docker group (GID 999 — matches host docker group)
-RUN addgroup -g 999 docker 2>/dev/null || true && \
- addgroup -g 1001 goclaw && \
- adduser -u 1001 -G goclaw -s /bin/sh -D goclaw && \
- adduser goclaw docker
-
 WORKDIR /app
 # Copy binary from builder
@@ -49,8 +43,9 @@ COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 # Ensure binary is executable
 RUN chmod +x /usr/local/bin/gateway
-# Use non-root user
-USER goclaw
+# Run as root so we can access /var/run/docker.sock (mounted from host)
+# The gateway only reads Docker API — no write access to host filesystem
+USER root
 # Expose port
 EXPOSE 18789
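Review bot: Switching to `USER root` in the second hunk (and dropping the user setup in the first) widens the image's privilege without buying anything the socket mount needs: access to `/var/run/docker.sock` is decided by the socket's group, not by running as UID 0, and the added comment's claim of "no write access to host filesystem" is not something the mount enforces, since any process that can talk to the Docker API has root-equivalent control over the host regardless of its own UID. Keep the `goclaw` user and grant the socket's group at run time with `--group-add <host docker GID>` on the container, which also removes the hard-coded GID 999 that the old `addgroup -g 999 docker 2>/dev/null || true` silently skipped whenever that GID was already taken (Alpine bases ship a `ping` group at 999, which may be what made the old `adduser goclaw docker` fail and motivated this change — unverified). The comment above `USER` should then read `# Non-root; the docker socket's GID is granted at run time via --group-add, and the socket itself is host-root-equivalent`. The stage's `FROM` line is outside both hunks.
```dockerfile
# Non-root user; the docker socket's group is granted at run time via
# `--group-add <host docker GID>` because the GID differs between hosts.
RUN addgroup -g 1001 goclaw && \
    adduser -u 1001 -G goclaw -s /bin/sh -D goclaw
# … unchanged: WORKDIR, COPY --from=builder, chmod …
# Non-root; the docker socket's GID is granted at run time via --group-add.
# Note: whoever can reach the socket has root-equivalent control of the host.
USER goclaw
```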