diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
index ddaa4cd4e..9ef80eff0 100644
--- a/src/docker-manager.test.ts
+++ b/src/docker-manager.test.ts
@@ -1495,7 +1495,7 @@ describe('docker-manager', () => {
       expect(fs.existsSync(path.join(testDir, 'squid-logs'))).toBe(true);
     });
 
-    it('should create /tmp/gh-aw/mcp-logs directory', async () => {
+    it('should create /tmp/gh-aw/mcp-logs directory with world-writable permissions', async () => {
       const config: WrapperConfig = {
         allowedDomains: ['github.com'],
         agentCommand: 'echo test',
@@ -1514,6 +1514,8 @@ describe('docker-manager', () => {
       expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true);
       const stats = fs.statSync('/tmp/gh-aw/mcp-logs');
       expect(stats.isDirectory()).toBe(true);
+      // Verify permissions are 0o777 (rwxrwxrwx) to allow non-root users to create subdirectories
+      expect((stats.mode & 0o777).toString(8)).toBe('777');
     });
 
     it('should write squid.conf file', async () => {
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 94032ccb8..22f517ea1 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -872,16 +872,26 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
   const squidLogsDir = config.proxyLogsDir || path.join(config.workDir, 'squid-logs');
   if (!fs.existsSync(squidLogsDir)) {
     fs.mkdirSync(squidLogsDir, { recursive: true, mode: 0o777 });
+    // Explicitly set permissions to 0o777 (not affected by umask)
+    fs.chmodSync(squidLogsDir, 0o777);
   }
   logger.debug(`Squid logs directory created at: ${squidLogsDir}`);
 
   // Create /tmp/gh-aw/mcp-logs directory
   // This directory exists on the HOST for MCP gateway to write logs
   // Inside the AWF container, it's hidden via tmpfs mount (see generateDockerCompose)
+  // Uses mode 0o777 to allow GitHub Actions workflows and MCP gateway to create subdirectories
+  // even when AWF runs as root (e.g., sudo awf --enable-chroot)
   const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
   if (!fs.existsSync(mcpLogsDir)) {
-    fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 });
+    fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o777 });
+    // Explicitly set permissions to 0o777 (not affected by umask)
+    fs.chmodSync(mcpLogsDir, 0o777);
     logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
+  } else {
+    // Fix permissions if directory already exists (e.g., created by a previous run)
+    fs.chmodSync(mcpLogsDir, 0o777);
+    logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
   }
 
   // Use fixed network configuration (network is created by host-iptables.ts)