- Run deployment containers as a non-root user (for example uid 10001) after `chown -R /app` to meet least-privilege expectations without breaking runtime file access *(F007)*