diff --git a/packages/openclaw-bridge/supervisord.conf b/packages/openclaw-bridge/supervisord.conf
index 6d627ec..5330eb6 100644
--- a/packages/openclaw-bridge/supervisord.conf
+++ b/packages/openclaw-bridge/supervisord.conf
@@ -1,6 +1,7 @@
 [supervisord]
 nodaemon=true
-user=root
+; No user= here: container already runs as 'node' (USER node in Dockerfile).
+; Setting user=root when running as non-root causes "Can't drop privilege" error.
 logfile=/dev/stdout
 logfile_maxbytes=0
 pidfile=/tmp/supervisord.pid
@@ -9,7 +10,7 @@ pidfile=/tmp/supervisord.pid
 [program:openclaw]
 command=node /app/openclaw/dist/openclaw.mjs
 directory=/app/openclaw
-user=node
+; No user= — inherited from container user
 autostart=true
 autorestart=true
 startretries=5
@@ -23,7 +24,7 @@ environment=HOME="/home/node",NODE_ENV="production",OPENCLAW_GATEWAY_TOKEN="%(EN
 [program:it0-bridge]
 command=node /app/bridge/dist/index.js
 directory=/app/bridge
-user=node
+; No user= — inherited from container user
 autostart=true
 autorestart=true
 startretries=10
@@ -33,3 +34,20 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 environment=HOME="/home/node",BRIDGE_PORT="3000",OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789",OPENCLAW_GATEWAY_TOKEN="%(ENV_OPENCLAW_GATEWAY_TOKEN)s",IT0_INSTANCE_ID="%(ENV_IT0_INSTANCE_ID)s",IT0_AGENT_SERVICE_URL="%(ENV_IT0_AGENT_SERVICE_URL)s"
+
+; DingTalk Channel — stays running only if DINGTALK_CLIENT_ID is set.
+; Clean exit (code 0) = not configured → supervisord leaves it EXITED, no restart loop.
+[program:dingtalk-channel]
+command=/app/bridge/start-dingtalk.sh
+directory=/app/bridge
+; No user= — inherited from container user
+autostart=true
+autorestart=unexpected
+exitcodes=0
+startretries=5
+startsecs=10
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+environment=HOME="/home/node",OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789",OPENCLAW_GATEWAY_TOKEN="%(ENV_OPENCLAW_GATEWAY_TOKEN)s",DINGTALK_CLIENT_ID="%(ENV_DINGTALK_CLIENT_ID)s",DINGTALK_CLIENT_SECRET="%(ENV_DINGTALK_CLIENT_SECRET)s"