diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 99f05ad3..ea68a68b 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -783,6 +783,21 @@ AWFEOF
 fi
 fi
+ # Ensure ~/.gemini exists and is owned by the chroot user.
+ # If Docker created this directory as root:root (because it did not exist on the
+ # host at container start time), the Gemini CLI cannot write its project registry
+ # (atomic rename of projects.json.tmp → projects.json fails with ENOENT).
+ # AWF pre-creates this directory host-side in writeConfigs(), but on first run or
+ # after a previous failed run the directory may still be root-owned.
+ # We fix ownership here (as root, before privilege drop) as a defense-in-depth measure.
+ GEMINI_DIR="/host${HOME}/.gemini"
+ mkdir -p "${GEMINI_DIR}" 2>/dev/null || true
+ if chown "${HOST_UID}:${HOST_GID}" "${GEMINI_DIR}" 2>/dev/null; then
+ echo "[entrypoint] Ensured ~/.gemini ownership for chroot user (${HOST_UID}:${HOST_GID})"
+ else
+ echo "[entrypoint][WARN] Could not set ~/.gemini ownership to chroot user (${HOST_UID}:${HOST_GID})"
+ fi
+
 # Build LD_PRELOAD command for one-shot token protection
 LD_PRELOAD_CMD=""
 if [ -n "${ONE_SHOT_TOKEN_LIB}" ]; then
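Review bot: The `chown` on `"${GEMINI_DIR}"` runs as root and follows a symbolic link in its final path component, so if `/host${HOME}/.gemini` has been replaced by a symlink (the parent is the chroot user's own home directory, which that user can presumably write to host-side), root would re-own whatever the link points at; `mkdir -p` does not help here because it succeeds silently when the path already exists as a link to a directory. Use the no-dereference form, `if chown -h "${HOST_UID}:${HOST_GID}" "${GEMINI_DIR}" 2>/dev/null; then`, which is POSIX and changes a real directory as intended but only the link object otherwise, or alternatively guard with `[ ! -L "${GEMINI_DIR}" ] && [ -d "${GEMINI_DIR}" ]` before the `chown`. Relatedly, the block assumes `HOME`, `HOST_UID` and `HOST_GID` are set; they come from earlier in the script (outside this hunk), so if the script does not already run under `set -u` a `: "${HOST_UID:?}" "${HOST_GID:?}"` before the `mkdir` would turn a silent `chown :` no-op into an explicit failure. The two `echo` diagnostics would also be more consistent with stderr reporting (`>&2`) if the rest of the entrypoint does that. The enclosing control flow of this hunk starts and ends outside the visible lines.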