diff --git a/cameleer-runtime-loader/Dockerfile b/cameleer-runtime-loader/Dockerfile
index 715026f9..31db2ae1 100644
--- a/cameleer-runtime-loader/Dockerfile
+++ b/cameleer-runtime-loader/Dockerfile
@@ -4,7 +4,10 @@ FROM busybox:1.37-musl
 # Run as non-root (UID 1000 inside the container; with userns_mode this is
 # remapped to host UID ~101000 — fully unprivileged on the host).
-RUN adduser -D -u 1000 loader
+# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume
+# mount inherits that ownership at first init — without it the empty named
+# volume comes up as root:root 0755 and wget can't write app.jar.
+RUN adduser -D -u 1000 loader && mkdir -p /app/jars && chown -R loader:loader /app
 COPY entrypoint.sh /usr/local/bin/loader
 RUN chmod +x /usr/local/bin/loader
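Review bot: The added `chown -R loader:loader /app` hands the whole `/app` tree to the runtime user, although the new comment only requires `/app/jars` to be writable. If the volume is mounted at `/app/jars` as the comment implies, `mkdir -p /app/jars && chown loader:loader /app/jars` is enough and keeps `/app` itself root-owned, so the loader cannot create or replace anything outside the jar directory. Ownership is copied into a named volume only while it is still empty at first mount, so volumes created before this change will presumably stay `root:root` and keep failing; the comment could say so, e.g. `# Volumes created before this change keep root ownership and must be recreated or chown'ed once.` No `USER` instruction is visible in this hunk and the Dockerfile continues beyond it, so confirm that a later line actually switches to `loader`.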