diff --git a/.changeset/root-container-bump.md b/.changeset/root-container-bump.md
new file mode 100644
index 00000000..46e142be
--- /dev/null
+++ b/.changeset/root-container-bump.md
@@ -0,0 +1,5 @@
+---
+"perstack": patch
+---
+
+Run container as root by default; remove sudo package and non-root user
diff --git a/README.md b/README.md
index 23d4a5df..2c1c3bf3 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,12 @@ Swap models, change agent topology, or scale the harness — without touching ap
 
 ```dockerfile
 FROM perstack/perstack:latest
+
+# Install extra dependencies and configure a non-root user here if needed:
+# RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
+# RUN useradd -m agent
+# USER agent
+
 COPY perstack.toml .
 RUN perstack install
 ENTRYPOINT ["perstack", "run", "my-expert"]