diff --git a/scripts/bootstrap/bootstrap-remote.sh b/scripts/bootstrap/bootstrap-remote.sh
index fb71a2f4d..55342cc17 100755
--- a/scripts/bootstrap/bootstrap-remote.sh
+++ b/scripts/bootstrap/bootstrap-remote.sh
@@ -99,20 +99,36 @@ remote_phase_2_runner_socket() {
         sleep 3
     fi
 
-    info "ensuring incus client is installed inside the runner"
-    if ! incus exec forgejo-runner -- command -v incus >/dev/null 2>&1; then
-        incus exec forgejo-runner -- apt-get update -qq
-        incus exec forgejo-runner -- apt-get install -y incus-client >/dev/null
-        ok "incus-client installed in runner"
+    info "ensuring incus client binary is in the runner"
+    if incus exec forgejo-runner -- command -v incus >/dev/null 2>&1; then
+        ok "incus already in runner"
+    elif [[ -x /usr/bin/incus ]]; then
+        # Push the host's binary into the container — avoids apt repo
+        # issues (Debian 13 doesn't ship incus-client as a separate
+        # package, and the full `incus` package would also pull in the
+        # daemon which we don't want in a runner container).
+        info "pushing /usr/bin/incus from host into runner:/usr/local/bin/incus"
+        incus file push /usr/bin/incus forgejo-runner/usr/local/bin/incus --mode 0755
+        ok "incus binary pushed"
     else
-        ok "incus-client already in runner"
+        die "no /usr/bin/incus on host AND none in runner — install incus on the host first"
     fi
 
     info "smoke-test : runner can incus list"
-    if ! incus exec forgejo-runner -- incus list >/dev/null 2>&1; then
-        die "runner cannot reach Incus socket — verify nesting + permissions"
+    if incus exec forgejo-runner -- incus list >/dev/null 2>&1; then
+        ok "runner has Incus access"
+    else
+        # Common cause : the runner's process can read /var/lib/incus/
+        # unix.socket only if it has the right gid. The socket is owned
+        # root:incus-admin (or equivalent) on the host. Inside the
+        # container we either run as root (works) or need to add the
+        # runner user to a group with the same gid as host's incus-admin.
+        # We don't try to fix that here — it's runner-process-specific.
+        warn "runner cannot incus list as default user"
+        warn "this may be normal if the systemd unit runs as root inside"
+        warn "the container ; if not, add the runner user to a group with"
+        warn "the same gid as the host's incus-admin group"
     fi
-    ok "runner has Incus access"
 
     mark_done r2_runner_socket
     phase r2_runner_socket DONE