diff --git a/hosts/common/programs/bonsai.nix b/hosts/common/programs/bonsai.nix
index 43516225..85d45252 100644
--- a/hosts/common/programs/bonsai.nix
+++ b/hosts/common/programs/bonsai.nix
@@ -111,6 +111,11 @@ in
 };
 };
+ sandbox.method = "bwrap";
+ sandbox.extraRuntimePaths = [
+ "/" #< just needs "bonsai", but needs to create it first...
+ ];
+
 services.bonsaid = {
 description = "bonsai: programmable input dispatcher";
 after = [ "graphical-session.target" ];
diff --git a/hosts/common/programs/sane-input-handler/default.nix b/hosts/common/programs/sane-input-handler/default.nix
index b5db1aac..fcc3b7e8 100644
--- a/hosts/common/programs/sane-input-handler/default.nix
+++ b/hosts/common/programs/sane-input-handler/default.nix
@@ -102,7 +102,6 @@ in
 "sway"
 "wvkbd"
 ];
- sandbox.method = "bwrap";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; #< to launch applications
@@ -137,6 +136,10 @@ in
 # };
 # };
+ # TODO: duplicated sandboxing here is just ugly
+ sane.programs.bonsai.sandbox = lib.mkIf cfg.enabled (
+ builtins.removeAttrs cfg.sandbox [ "method" ] #< else infinite recursion
+ );
 sane.programs.bonsai.config.transitions = lib.mkIf cfg.enabled (friendlyToBonsai {
 # map sequences of "events" to an argument to pass to sane-input-handler
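Review bot: In hosts/common/programs/bonsai.nix, `sandbox.extraRuntimePaths = [ "/" ]` grants the sandbox the root of the runtime-path namespace although the inline comment says only "bonsai" is needed. If these entries are resolved relative to the user's runtime directory (inferred from the option name; the resolver is not shown), every other socket living there becomes reachable from inside the bwrap sandbox, which undercuts the narrower whitelists. Having the directory created before the sandbox is entered would let the entry shrink to `"bonsai"`; until then I would make the debt explicit, e.g. `"/"  #< FIXME(sandbox): over-broad, narrow to "bonsai" once the dir is pre-created`. The enclosing attribute set starts outside the hunk.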
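Review bot: In hosts/common/programs/sane-input-handler/default.nix, `builtins.removeAttrs cfg.sandbox [ "method" ]` is a deny-list: every other sandbox attribute of the handler, present or future, is forwarded to bonsai, so bonsai's sandbox widens whenever the handler gains a whitelist and nothing in bonsai.nix shows it. An allow-list keeps the grant reviewable, e.g. `sane.programs.bonsai.sandbox = lib.mkIf cfg.enabled { inherit (cfg.sandbox) whitelistAudio whitelistDbus; };`, extended with whatever else the handler sets outside the visible hunks and assuming those attributes do not take part in the recursion. Since the previous hunk drops `sandbox.method = "bwrap"` from the handler itself, a comment should also state whether the handler is still confined when it is started other than through bonsai; that cannot be told from this diff. The `sane.programs.bonsai.config.transitions` expression continues past the hunk.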