diff --git a/Taskfile.yml b/Taskfile.yml
index 2d17c43..8589cb6 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -37,6 +37,8 @@ tasks:
 run: once
 deps: [_nix-check]
 preconditions:
+ - sh: '[ "$(id -u)" != "0" ]'
+ msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
 - sh: test -n "${IN_NIX_SHELL}"
 msg: "Not in nix dev shell. Run: nix develop"
 cmds:
diff --git a/deploy.sh b/deploy.sh
index c64e603..ba82019 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
 # Load .env into environment
diff --git a/scripts/setup_dagger_remote.sh b/scripts/setup_dagger_remote.sh
index 7a3f41a..02259f8 100755
--- a/scripts/setup_dagger_remote.sh
+++ b/scripts/setup_dagger_remote.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ "${CI:-}" = "true" ] || [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 if [ -z "${SOPS_AGE_KEY:-}" ]; then
 echo "Error: SOPS_AGE_KEY must be set."
@@ -50,6 +51,7 @@ export_secret "RENOVATE_FORGEJO_TOKEN"
 # Setup SSH directory and keys
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
+rm -f ~/.ssh/dagger_key
 echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
 chmod 600 ~/.ssh/dagger_key
diff --git a/stalwart-dev/integration_android_test.sh b/stalwart-dev/integration_android_test.sh
index a1c9847..22d6941 100755
--- a/stalwart-dev/integration_android_test.sh
+++ b/stalwart-dev/integration_android_test.sh
@@ -7,6 +7,7 @@
 # Run inside nix develop:
 # stalwart-dev/integration_android_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 _SCRIPT_START=$(date +%s%3N)
 ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; }
diff --git a/stalwart-dev/integration_ui_test.sh b/stalwart-dev/integration_ui_test.sh
index b287ea0..514616a 100755
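Review bot: In deploy.sh the new root guard prints its error with a plain `echo`, so the message goes to stdout and can be swallowed or captured when the script's output is piped or parsed. Send it to stderr instead: `[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md." >&2; exit 1; }`. The same line is added in scripts/setup_dagger_remote.sh, stalwart-dev/integration_android_test.sh, stalwart-dev/integration_ui_test.sh and stalwart-dev/test.sh, so the change applies there too. Five hand-copied guards will drift over time; a small sourced helper may be worth it if the repository has a natural place for one.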
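Review bot: In the first hunk of scripts/setup_dagger_remote.sh the root check is skipped whenever `CI` equals `true`, and that variable is set by whoever invokes the script, so this guard is a developer guard-rail rather than an enforced control. A one-line comment above it should say so and give the reason CI is exempt, for example `# CI is exempt (presumably runners execute as root in disposable containers); this check is advisory, not an access control.`, with the reason confirmed by the author. None of the other guards in this commit, including the Taskfile.yml precondition, carries the same exemption; if CI reaches any of them as root they will now fail, which is worth confirming before merge.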
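Review bot: In the second hunk of scripts/setup_dagger_remote.sh, the added `rm -f ~/.ssh/dagger_key` makes the following redirect create a fresh file, and that file takes its mode from the current umask (commonly 0644) until the `chmod 600` on the next line runs. The `chmod 700 ~/.ssh` above limits who can reach it, but a private key should never exist with wider permissions, even briefly: `(umask 077; printf '%s\n' "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key)` creates it as 0600 directly, and `printf '%s\n'` is the more predictable way to write variable content. A short comment on the `rm -f` saying which stale state it clears would also help, since the hunk does not show it. The script continues outside the hunk.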
--- a/stalwart-dev/integration_ui_test.sh
+++ b/stalwart-dev/integration_ui_test.sh
@@ -5,6 +5,7 @@
 #
 # Run inside nix develop: stalwart-dev/integration_ui_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 # Timing helper: prints elapsed seconds since script start with a label.
 _SCRIPT_START=$(date +%s%3N)
diff --git a/stalwart-dev/test.sh b/stalwart-dev/test.sh
index 6170974..db82835 100755
--- a/stalwart-dev/test.sh
+++ b/stalwart-dev/test.sh
@@ -2,6 +2,7 @@
 # Starts Stalwart in the background on fresh random ports, runs Flutter
 # integration tests, then stops it.
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR
 export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}"