diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index bb213c76..a0bc1a60 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -16,8 +16,7 @@ services:
 # Sub2API Application
 # ===========================================================================
 sub2api:
- # Override with SUB2API_IMAGE to use a private registry or pinned tag.
- image: ${SUB2API_IMAGE:-weishaw/sub2api:latest}
+ image: weishaw/sub2api:latest
 container_name: sub2api
 restart: unless-stopped
 ulimits:
@@ -29,7 +28,6 @@ services:
 volumes:
 # Data persistence (config.yaml will be auto-generated here)
 - sub2api_data:/app/data
- - /var/run/docker.sock:/var/run/docker.sock
 # Optional: Mount custom config.yaml (uncomment and create the file first)
 # Copy config.example.yaml to config.yaml, modify it, then uncomment:
 # - ./config.yaml:/app/data/config.yaml
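Review bot: In the first hunk the new `image: weishaw/sub2api:latest` line hard-codes a mutable tag and drops the only override, so each pull can deploy a different, unreviewed image. Operators can also no longer select a private registry or a pinned release without editing the file. Pin the reference to a release tag plus digest, for example `image: weishaw/sub2api:<release-tag>@sha256:<digest>` (placeholders), or keep an override variable whose default is pinned.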
@@ -122,26 +120,6 @@ services:
 - GEMINI_CLI_OAUTH_CLIENT_SECRET=${GEMINI_CLI_OAUTH_CLIENT_SECRET:-}
 - ANTIGRAVITY_OAUTH_CLIENT_SECRET=${ANTIGRAVITY_OAUTH_CLIENT_SECRET:-}
- # =======================================================================
- # Language Server Pool Mode (Enhanced Security)
- # =======================================================================
- # Enable to route requests through real LS binary (Google's own code)
- # This makes upstream traffic indistinguishable from real IDE
- - ANTIGRAVITY_LS_MODE=${ANTIGRAVITY_LS_MODE:-false}
- - ANTIGRAVITY_APP_ROOT=/app/ls
- # SOCKS5/HTTP proxy fallback used when account has no dedicated LS proxy
- - ANTIGRAVITY_LS_PROXY=${ANTIGRAVITY_LS_PROXY:-}
- - ANTIGRAVITY_LS_STRATEGY=${ANTIGRAVITY_LS_STRATEGY:-js-parity}
- - ANTIGRAVITY_LS_REPLICAS_PER_ACCOUNT=${ANTIGRAVITY_LS_REPLICAS_PER_ACCOUNT:-5}
- # Keep the worker image aligned with the main image release when overriding.
- - GATEWAY_ANTIGRAVITY_LS_WORKER_IMAGE=${GATEWAY_ANTIGRAVITY_LS_WORKER_IMAGE:-weishaw/sub2api-lsworker:latest}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_NETWORK=${GATEWAY_ANTIGRAVITY_LS_WORKER_NETWORK:-sub2api-network}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_DOCKER_SOCKET=${GATEWAY_ANTIGRAVITY_LS_WORKER_DOCKER_SOCKET:-unix:///var/run/docker.sock}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_IDLE_TTL=${GATEWAY_ANTIGRAVITY_LS_WORKER_IDLE_TTL:-15m}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_MAX_ACTIVE=${GATEWAY_ANTIGRAVITY_LS_WORKER_MAX_ACTIVE:-50}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_STARTUP_TIMEOUT=${GATEWAY_ANTIGRAVITY_LS_WORKER_STARTUP_TIMEOUT:-45s}
- - GATEWAY_ANTIGRAVITY_LS_WORKER_REQUEST_TIMEOUT=${GATEWAY_ANTIGRAVITY_LS_WORKER_REQUEST_TIMEOUT:-60s}
-
 # =======================================================================
 # Security Configuration (URL Allowlist)
 # =======================================================================
@@ -256,5 +234,4 @@ volumes:
 # =============================================================================
 networks:
 sub2api-network:
- name: sub2api-network
 driver: bridge
diff --git a/deploy/docker-entrypoint.sh b/deploy/docker-entrypoint.sh
index c93c27ac..47ab6bf1 100644
--- a/deploy/docker-entrypoint.sh
+++ b/deploy/docker-entrypoint.sh
@@ -8,27 +8,9 @@ if [ "$(id -u)" = "0" ]; then
 mkdir -p /app/data
 # Use || true to avoid failure on read-only mounted files (e.g. config.yaml:ro)
 chown -R sub2api:sub2api /app/data 2>/dev/null || true
- if [ -S /var/run/docker.sock ]; then
- DOCKER_GID="$(stat -c '%g' /var/run/docker.sock 2>/dev/null || true)"
- if [ -n "${DOCKER_GID}" ]; then
- DOCKER_GROUP="$(getent group "${DOCKER_GID}" | cut -d: -f1 || true)"
- if [ -z "${DOCKER_GROUP}" ]; then
- DOCKER_GROUP="dockersock"
- groupadd -for -g "${DOCKER_GID}" "${DOCKER_GROUP}" 2>/dev/null || true
- fi
- usermod -aG "${DOCKER_GROUP}" sub2api 2>/dev/null || true
- fi
- fi
 # Re-invoke this script as sub2api so the flag-detection below
 # also runs under the correct user.
- # Use gosu if available (Debian), fall back to su-exec (Alpine)
- if command -v gosu >/dev/null 2>&1; then
- exec gosu sub2api "$0" "$@"
- elif command -v su-exec >/dev/null 2>&1; then
- exec su-exec sub2api "$0" "$@"
- else
- exec su -s /bin/sh sub2api -c "exec $0 $*"
- fi
+ exec su-exec sub2api "$0" "$@"
 fi
 # Compatibility: if the first arg looks like a flag (e.g. --help),
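Review bot: In the docker-entrypoint.sh hunk, the new `exec su-exec sub2api "$0" "$@"` is the only privilege-drop path and nothing checks that `su-exec` is installed. On a base image without it the entrypoint would presumably die with a bare shell "not found" error. Stopping there is the right outcome, since the script must not carry on as root, but make it explicit with a guard before the exec: `command -v su-exec >/dev/null 2>&1 || { echo "su-exec missing; refusing to run as root" >&2; exit 1; }`. Also replace the dropped gosu comment with one stating the requirement, such as `# Image must ship su-exec; no fallback by design.` The enclosing `if [ "$(id -u)" = "0" ]` block starts outside the hunk.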