diff --git a/hosts/common/programs/audacity.nix b/hosts/common/programs/audacity.nix
index 4e7dae0d..adeeb65e 100644
--- a/hosts/common/programs/audacity.nix
+++ b/hosts/common/programs/audacity.nix
@@ -10,6 +10,7 @@
     };
 
     sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
     sandbox.autodetectCliPaths = true;
     sandbox.extraHomePaths = [
       # support media imports via file->open dir to some common media directories
diff --git a/hosts/common/programs/cozy.nix b/hosts/common/programs/cozy.nix
index 99ef56be..c918e248 100644
--- a/hosts/common/programs/cozy.nix
+++ b/hosts/common/programs/cozy.nix
@@ -3,7 +3,7 @@
 {
   sane.programs.cozy = {
     sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
-    sandbox.embedProfile = true;
+    sandbox.wrapperType = "wrappedDerivation";
     sandbox.extraHomePaths = [
       "Books"
     ];
diff --git a/hosts/common/programs/gtkcord4.nix b/hosts/common/programs/gtkcord4.nix
index bceef634..1f511472 100644
--- a/hosts/common/programs/gtkcord4.nix
+++ b/hosts/common/programs/gtkcord4.nix
@@ -32,6 +32,7 @@ in
       '';
     });
     sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
 
     persist.byStore.private = [
       ".cache/gtkcord4"
diff --git a/hosts/common/programs/wireshark.nix b/hosts/common/programs/wireshark.nix
index dcf6fc55..78dbdade 100644
--- a/hosts/common/programs/wireshark.nix
+++ b/hosts/common/programs/wireshark.nix
@@ -5,6 +5,7 @@ in
 {
   sane.programs.wireshark = {
     sandbox.method = "landlock";
+    sandbox.wrapperType = "wrappedDerivation";
     sandbox.extraPaths = [
       "/proc/net"  #< only needed if using landlock
     ];