diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 53ebfaa9..ffe22664 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -44,28 +44,6 @@ FROM python:3.11-slim
 
 WORKDIR /app
 
-# Copy installed packages from builder
-COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
-COPY --from=builder /usr/local/bin /usr/local/bin
-
-# 2026-04-01 ogt: CACHE_BUST 強制失效 src/ 和 models.json 層
-# deps 層 (pip install) 仍可 cache;代碼/配置變更必須重建
-ARG CACHE_BUST=none
-COPY apps/api/src/ ./src/
-COPY apps/api/models.json ./models.json
-# 2026-04-09 ogt: 規則引擎配置 — alert_rule_engine.py 從此檔載入規則
-COPY apps/api/alert_rules.yaml ./alert_rules.yaml
-# 2026-04-10 Claude Sonnet 4.6: drift_detector 需要 k8s/ YAML 做 Git state 比對
-COPY k8s/ ./k8s/
-# 2026-04-10 Claude Sonnet 4.6: RAG 知識庫索引來源 (ADR-067 Phase 33)
-COPY docs/ ./docs/
-COPY .agents/skills/ ./.agents/skills/
-# 2026-05-04 Claude Sonnet 4.6 (Task 1.2): hermes agent_loader 的 system prompt 來源
-# agent_loader.py 預設讀 /app/.claude/agents/,對應 K8s AGENTS_DIR 環境變數
-COPY .claude/agents/ ./.claude/agents/
-# 2026-04-12 ogt (ADR-073 P2-1): CronJob 腳本 — 獨立腳本取代 inline Python
-COPY scripts/ ./scripts/
-
 # Install openssh-client + curl — SSH_COMMAND Playbook + healthcheck
 # Install kubectl — drift_detector 需要 kubectl 讀取 K8s 實際狀態
 # (2026-04-09 Claude Sonnet 4.6 Asia/Taipei, Bug #6 修正 — python:3.11-slim 無 openssh-client)
@@ -75,8 +53,31 @@ RUN apt-get update && apt-get install -y --no-install-recommends openssh-client
 chmod +x kubectl && mv kubectl /usr/local/bin/kubectl && \
 rm -rf /var/lib/apt/lists/*
 
-# Create non-root user
-RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
+# Create non-root user before copying app artifacts so COPY --chown can avoid
+# an expensive full-tree chown layer on every source-only rebuild.
+RUN useradd -m -u 1000 appuser
+
+# Copy installed packages from builder
+COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+COPY --from=builder /usr/local/bin /usr/local/bin
+
+# 2026-04-01 ogt: CACHE_BUST 強制失效 src/ 和 models.json 層
+# deps 層 (pip install) 仍可 cache;代碼/配置變更必須重建
+ARG CACHE_BUST=none
+COPY --chown=appuser:appuser apps/api/src/ ./src/
+# 2026-04-09 ogt: 規則引擎配置 — alert_rule_engine.py 從此檔載入規則
+COPY --chown=appuser:appuser apps/api/models.json ./models.json
+COPY --chown=appuser:appuser apps/api/alert_rules.yaml ./alert_rules.yaml
+# 2026-04-10 Claude Sonnet 4.6: drift_detector 需要 k8s/ YAML 做 Git state 比對
+COPY --chown=appuser:appuser k8s/ ./k8s/
+# 2026-04-10 Claude Sonnet 4.6: RAG 知識庫索引來源 (ADR-067 Phase 33)
+COPY --chown=appuser:appuser docs/ ./docs/
+COPY --chown=appuser:appuser .agents/skills/ ./.agents/skills/
+# 2026-05-04 Claude Sonnet 4.6 (Task 1.2): hermes agent_loader 的 system prompt 來源
+# agent_loader.py 預設讀 /app/.claude/agents/,對應 K8s AGENTS_DIR 環境變數
+COPY --chown=appuser:appuser .claude/agents/ ./.claude/agents/
+# 2026-04-12 ogt (ADR-073 P2-1): CronJob 腳本 — 獨立腳本取代 inline Python
+COPY --chown=appuser:appuser scripts/ ./scripts/
 USER appuser
 
 # Expose port
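Review bot: Dropping `chown -R appuser:appuser /app` leaves `/app` itself root-owned (WORKDIR created it before `useradd`), so after the new `RUN useradd -m -u 1000 appuser` only the `--chown` copied subtrees are writable by appuser; if the service writes anywhere else under `/app` at runtime (a RAG index built from `docs/`, caches, generated state), that now fails with a permission error where the old image allowed it. If no runtime writes are intended that is the better least-privilege posture, but then the `--chown=appuser:appuser` on the code, `alert_rules.yaml` and `.claude/agents/` copies is not needed either: root-owned, world-readable files give the same cheap cached layers and stop a compromised process from rewriting its own rules or agent prompts in place. I'd either confirm the app writes nowhere under `/app`, or add one explicit writable location, e.g. `RUN mkdir -p /app/data && chown appuser:appuser /app/data`, and say so in the comment above `useradd`. Separately, the moved `ARG CACHE_BUST=none` still has no consumer, and Docker invalidates cache at an ARG's first use rather than its declaration, so a changed `--build-arg CACHE_BUST` alone does not bust these COPY layers (their content hash already does); the inherited comment overstates what the ARG does.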