diff --git a/.changeset/afraid-results-stay.md b/.changeset/afraid-results-stay.md
new file mode 100644
index 00000000..a845151c
--- /dev/null
+++ b/.changeset/afraid-results-stay.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/README.md b/README.md
index 41273859..23d4a5df 100644
--- a/README.md
+++ b/README.md
@@ -276,7 +276,7 @@ Perstack ships a five-layer stack that gives micro-agents everything they need t
| | Error handling | Configurable retries with provider-specific error normalization and retryability detection |
| | Job hierarchy | Job → run → checkpoint structure with step continuity across delegations |
| | Streaming | Real-time reasoning and result deltas via streaming callbacks |
-| **Infrastructure** | Container isolation | Docker image (Ubuntu, multi-arch, ~74 MB) with `PERSTACK_SANDBOX=1` marker and non-root user |
+| **Infrastructure** | Container isolation | Docker image (Ubuntu, multi-arch, ~74 MB) with `PERSTACK_SANDBOX=1` marker |
| | Workspace boundaries | Path validation with symlink resolution to prevent traversal and escape attacks |
| | Env / secrets | `.env` loading with `--env-path`, `requiredEnv` minimal-privilege filtering, and protected-variable blocklist |
| | Exec protection | Filtered environment for subprocesses blocking `LD_PRELOAD`, `NODE_OPTIONS`, and similar vectors |
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 82aef8b7..25c2c395 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -59,16 +59,11 @@ ENV PERSTACK_SANDBOX=1
RUN apt-get update && \
apt-get install -y --no-install-recommends \
- ca-certificates curl jq sudo && \
- rm -rf /var/lib/apt/lists/* && \
- useradd -m -s /bin/bash perstack && \
- echo "perstack ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+ ca-certificates curl jq && \
+ rm -rf /var/lib/apt/lists/*
COPY --from=build /app/out/perstack /usr/local/bin/perstack
WORKDIR /workspace
-RUN chown perstack:perstack /workspace
-
-USER perstack
ENTRYPOINT ["perstack"]
diff --git a/docs/architecture.svg b/docs/architecture.svg
index 2085b592..1bfdec35 100644
--- a/docs/architecture.svg
+++ b/docs/architecture.svg
@@ -125,8 +125,7 @@
-Shell
-nonroot + sudo
+Shell
diff --git a/docs/understanding-perstack/concept.mdx b/docs/understanding-perstack/concept.mdx
index b6f4bfe2..1f27a6a4 100644
--- a/docs/understanding-perstack/concept.mdx
+++ b/docs/understanding-perstack/concept.mdx
@@ -112,7 +112,7 @@ How you declare what experts do and how they collaborate.
Isolation and security boundaries that make agents safe to operate.
- Container isolation with Docker — multi-arch, non-root, ~74 MB.
+ Container isolation with Docker — multi-arch, ephemeral, ~74 MB.
Workspace boundaries, path validation, and symlink traversal prevention.
Environment sandboxing, secret management, and exec protection.
Container images, `perstack install`, and production deployment patterns.
diff --git a/packages/runtime/src/messages/instruction-message.ts b/packages/runtime/src/messages/instruction-message.ts
index e8ed1c38..c522e79e 100644
--- a/packages/runtime/src/messages/instruction-message.ts
+++ b/packages/runtime/src/messages/instruction-message.ts
@@ -7,7 +7,7 @@ function getEnvironmentSection(): string {
const lines = [`- Platform: ${os.platform()} ${os.release()} (${os.arch()})`]
if (process.env.PERSTACK_SANDBOX === "1") {
lines.push(
- "- Sandbox: This is an isolated container environment (Ubuntu). You can freely install packages with `sudo apt-get install` and run arbitrary commands without affecting the host system.",
+ "- Sandbox: This is an isolated container environment (Ubuntu). You can freely install packages with `apt-get install` and run arbitrary commands without affecting the host system.",
)
}
return `Environment:\n${lines.join("\n")}`