diff --git a/.github/workflows/argo-build-and-backtest.yaml b/.github/workflows/argo-build-and-backtest.yaml
index 39e8f7f..88553de 100644
--- a/.github/workflows/argo-build-and-backtest.yaml
+++ b/.github/workflows/argo-build-and-backtest.yaml
@@ -50,6 +50,13 @@ jobs:
           sudo microk8s kubectl get ns "${{ needs.resolve-context.outputs.namespace }}" || \
           sudo microk8s kubectl create ns "${{ needs.resolve-context.outputs.namespace }}"
 
+      - name: Ensure Argo service account exists
+        run: |
+          sudo microk8s kubectl create serviceaccount argo-workflow-sa \
+            -n "${{ needs.resolve-context.outputs.namespace }}" \
+            --dry-run=client -o yaml | \
+          sudo microk8s kubectl apply -f -
+
       - name: Apply GHCR credentials
         run: |
           sudo microk8s kubectl -n "${{ needs.resolve-context.outputs.namespace }}" create secret docker-registry ghcr-secret \
@@ -133,6 +140,6 @@ jobs:
           export IMAGE_TAG="${GITHUB_SHA}"
 
           envsubst < argo/run-backtest.yaml | \
-          sudo microk8s kubectl -n "${{ needs.resolve-context.outputs.namespace }}" apply -f -
+          sudo microk8s kubectl -n "${{ needs.resolve-context.outputs.namespace }}" create -f -
 
           echo "Submitted backtest workflow in namespace: ${{ needs.resolve-context.outputs.namespace }}"
diff --git a/Dockerfile b/Dockerfile
index 82f9235..f761b8e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ FROM python:3.11.14-slim-trixie AS build
 ARG TRADING_RUNTIME_COMMIT
 
 ENV TRADING_RUNTIME_COMMIT=${TRADING_RUNTIME_COMMIT}
-ENV PATH="/install/bin:${PATH}"
+ENV PATH="/install/bin:/install-dev/bin:${PATH}"
 ENV PYTHONPATH="/install/lib/python3.11/site-packages"
 
 WORKDIR /workspaces/trading-runtime
diff --git a/README.md b/README.md
index f143d1c..99f374e 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,20 @@ tests/data/results/
 
 ---
 
+## ⚙️ Infrastructure Requirements
+
+The Argo-based workflows require:
+
+- A self-hosted GitHub Actions runner
+- microk8s Kubernetes distribution (with sudo access)
+- Argo Workflows installed in the cluster
+- GitHub Container Registry access (GHCR_TOKEN secret)
+
+GitHub-hosted runners are only used for unit tests.
+All Kubernetes orchestration runs on self-hosted infrastructure.
+
+---
+
 ## ☸ Kubernetes & Argo Workflows
 
 This runtime is designed for Kubernetes-native execution using Argo Workflows.
diff --git a/argo/workflowtemplate-backtest-fanout.yaml b/argo/workflowtemplate-backtest-fanout.yaml
index 24209a5..ce62e59 100644
--- a/argo/workflowtemplate-backtest-fanout.yaml
+++ b/argo/workflowtemplate-backtest-fanout.yaml
@@ -5,6 +5,11 @@ metadata:
 spec:
   entrypoint: backtest
 
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+
   parallelism: 4
 
   arguments:
@@ -297,6 +302,5 @@ spec:
 
   volumes:
     - name: scratch
-      hostPath:
-        path: /mnt/scratch
-        type: Directory
+      persistentVolumeClaim:
+        claimName: scratch-pvc