diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index c90214e2..7989f758 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -587,9 +587,9 @@ in
     iw.sandbox.net = "all";
     iw.sandbox.capabilities = [ "net_admin" ];
 
-    # jq.sandbox.method = "bwrap";
-    # jq.sandbox.wrapperType = "wrappedDerivation";
-    # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect, but how else to sandbox?
+    jq.sandbox.method = "bwrap";
+    jq.sandbox.wrapperType = "wrappedDerivation";
+    jq.sandbox.autodetectCliPaths = "existingFile";
 
     killall.sandbox.method = "landlock";
     killall.sandbox.wrapperType = "wrappedDerivation";