diff --git a/internal/templates/docker/Dockerfile.layered.tmpl b/internal/templates/docker/Dockerfile.layered.tmpl
index 60d50c6..e7b921a 100644
--- a/internal/templates/docker/Dockerfile.layered.tmpl
+++ b/internal/templates/docker/Dockerfile.layered.tmpl
@@ -32,8 +32,8 @@ RUN chmod 755 /usr/local/bin/compute-source-env.sh \
     && chmod 755 /usr/local/bin/caddy{{- end}} \
     && chmod 644 /usr/local/bin/kms-signing-public-key.pem
 
-# Switch back to the original user from base image
-USER {{.OriginalUser}}
+# Store original user - entrypoint will drop privileges to this user after TEE setup
+ENV __EIGENX_ORIGINAL_USER={{.OriginalUser}}
 {{- else}}
 # Make binaries executable (preserve existing permissions, just add execute)
 RUN chmod +x /usr/local/bin/compute-source-env.sh \
diff --git a/internal/templates/scripts/compute-source-env.sh.tmpl b/internal/templates/scripts/compute-source-env.sh.tmpl
index 4005287..a01eaef 100644
--- a/internal/templates/scripts/compute-source-env.sh.tmpl
+++ b/internal/templates/scripts/compute-source-env.sh.tmpl
@@ -107,4 +107,11 @@ setup_tls() {
 
 setup_tls
 echo "compute-source-env.sh: Environment sourced."
+
+# Drop privileges to original user for the application command
+if [ -n "$__EIGENX_ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
+    echo "compute-source-env.sh: Dropping privileges to user: $__EIGENX_ORIGINAL_USER"
+    exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
+fi
+
 exec "$@"
diff --git a/pkg/hooks/hooks.go b/pkg/hooks/hooks.go
index 9438573..742c2fd 100644
--- a/pkg/hooks/hooks.go
+++ b/pkg/hooks/hooks.go
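Review bot: Removing the `USER` directive leaves the image's declared user as root, so the non-root guarantee now rests on the entrypoint alone: `docker exec`, an `--entrypoint` override, or a run-time `-e __EIGENX_ORIGINAL_USER=` (empty, or `root`) all run the workload as root, and the entrypoint's `-n` test treats an empty value as "do not drop". If the drop must follow root-only TEE setup that is a defensible trade-off, but it should be stated where the next maintainer sees it, e.g. on the new `ENV` line: `# NOTE: image now starts as root; compute-source-env.sh drops to this user after TEE setup. Overriding this ENV or the entrypoint at run time bypasses the drop.` Storing the user in a root-owned file baked into the image, rather than an overridable ENV, would close the run-time override path. The enclosing `{{if}}`/`{{- else}}` template branch starts outside the hunk.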
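Review bot: The new `exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" ...` line needs a name resolvable in /etc/passwd, while the value it receives comes from the Dockerfile `USER` slot, which also admits numeric UIDs and `user:group` forms; if `OriginalUser` can carry those (not visible here), the container now fails at start instead of dropping privileges, and nothing before the `su` reports why. `su` also rewrites part of the environment this script exists to hand over (HOME, SHELL, USER, LOGNAME and, depending on implementation and login.defs, PATH), and util-linux `su` forks rather than execs, so PID 1 stays `su` and signal delivery to the application depends on its forwarding. As a minimal change, `exec su -p -s /bin/sh "$__EIGENX_ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"` keeps the sourced environment intact; a dedicated dropper such as `setpriv --reuid/--regid/--init-groups` or `runuser` that execs the target directly and accepts numeric IDs would address all three points. Either way, resolve the user (`id "$__EIGENX_ORIGINAL_USER"`) and exit with a clear message before reaching the drop.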
@@ -244,7 +244,8 @@ var versionCheckChannel = make(chan *common.UpdateInfo, 1)
 // InitVersionCheck starts an async version check for prod builds
 func InitVersionCheck(cCtx *cli.Context) {
 	// Skip for non-prod builds or specific commands
-	if common.Build != "prod" || cCtx.Command.Name == "upgrade" || cCtx.Command.Name == "version" || cCtx.Command.Name == "help" {
+	subcommand := cCtx.Args().First()
+	if common.Build != "prod" || subcommand == "upgrade" || subcommand == "version" || subcommand == "help" {
 		return
 	}
 
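Review bot: The three string comparisons on the new `if` line read better as a `switch` over `subcommand`, which also keeps the skip list extensible: keep `if common.Build != "prod" { return }` as its own guard, then `switch subcommand { case "upgrade", "version", "help": return }`. `cCtx.Args().First()` only names the subcommand when this hook runs on the root context; if it is also registered as a subcommand `Before` (cannot tell from here), `First()` is that subcommand's first positional argument and the skip never matches, so a one-line comment stating which context this hook expects would help. It is also empty for a bare invocation, so the version check still runs then; say so if intended. InitVersionCheck's body continues past the hunk.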