diff --git a/scripts/codegen.sh b/scripts/codegen.sh
index fda423c..0a1b236 100755
--- a/scripts/codegen.sh
+++ b/scripts/codegen.sh
@@ -37,6 +37,10 @@ require_cmd xhost
 
 : "${DISPLAY:=:0}"
 
+# Run containers as the current host user to avoid root-owned files in bind mounts.
+USER_ID="$(id -u)"
+GROUP_ID="$(id -g)"
+
 ROOT="$(repo_root)"
 REC_DIR="${ROOT}/${RECORDINGS_DIR}"
 WORK_DIR="${REC_DIR}/.work"
@@ -107,6 +111,8 @@ if [[ -n "${START_URL}" ]]; then
 fi
 
 docker run --rm -it \
+  --user "${USER_ID}:${GROUP_ID}" \
+  -e HOME=/tmp \
   --ipc=host \
   --network host \
   -e "DISPLAY=${DISPLAY}" \
diff --git a/scripts/replay.sh b/scripts/replay.sh
index 791f3e2..2b27883 100644
--- a/scripts/replay.sh
+++ b/scripts/replay.sh
@@ -38,6 +38,10 @@ repo_root() {
 
 require_cmd docker
 
+# Run containers as the current host user to avoid root-owned files in bind mounts.
+USER_ID="$(id -u)"
+GROUP_ID="$(id -g)"
+
 ROOT="$(repo_root)"
 REC_DIR="${ROOT}/${RECORDINGS_DIR}"
 
@@ -46,7 +50,12 @@ REC_DIR="${ROOT}/${RECORDINGS_DIR}"
 # Build ephemeral workspace
 WORK_DIR="${REC_DIR}/.replay-work"
 
-rm -rf "${WORK_DIR}"
+# Robust cleanup: handle possible permission issues from previous runs.
+if [[ -e "${WORK_DIR}" ]]; then
+  chmod -R u+rwX "${WORK_DIR}" 2>/dev/null || true
+  rm -rf "${WORK_DIR}" 2>/dev/null || true
+fi
+
 mkdir -p "${WORK_DIR}/tests"
 
 cleanup() {
@@ -97,6 +106,8 @@ echo "Tests        : ${TEST_FILE:-all recordings}"
 echo
 
 docker run --rm \
+  --user "${USER_ID}:${GROUP_ID}" \
+  -e HOME=/tmp \
   -v "${WORK_DIR}:/work" \
   -w /work \
   "${PLAYWRIGHT_IMAGE}" \