diff --git a/ruby/Dockerfile b/ruby/Dockerfile
index 192f66b..c4ed520 100644
--- a/ruby/Dockerfile
+++ b/ruby/Dockerfile
@@ -11,6 +11,9 @@ RUN apt-get update -qq \
     postgresql-client \
     && rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
+# Non-root user for runtime stages (USER not set here so build stage keeps root)
+RUN useradd --system --uid 1000 app && chown app:app /app
+
 # Set production environment
 ENV BUNDLE_DEPLOYMENT="1" \
     BUNDLE_PATH="/usr/local/bundle" \