From 4bc5237beaaa1ced99d4205286fd83d9a617bcb8 Mon Sep 17 00:00:00 2001
From: damocles
Date: Fri, 22 May 2026 14:04:59 +0200
Subject: [PATCH] harness: fix sandbox-fallback conflict with lib.mkForce (closes #247)
---
nix/templates/harness-base.nix | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/nix/templates/harness-base.nix b/nix/templates/harness-base.nix
index e2d855b..62d7fe3 100644
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@@ -353,8 +353,10 @@
 # fail inside the container. Enable sandbox-fallback so builds that
 # can't set up the sandbox (no user-namespaces in nspawn) fall back
 # to unsandboxed local builds rather than failing outright.
-# Security implications: see docs/security.md.
-nix.settings.sandbox-fallback = true;
+# mkForce overrides the nixpkgs nix module which sets this to false
+# at normal priority -- without it agents get a conflicting definition
+# error on rebuild. Security implications: see docs/security.md.
+nix.settings.sandbox-fallback = lib.mkForce true;
 
 # `claude-code` is unfree. Each per-agent container's nixosConfiguration
 # evaluates its own `nixpkgs` instance, so the operator's host-level
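Review bot: `lib.mkForce true` on the new `nix.settings.sandbox-fallback` line does more than resolve the conflict with the nixpkgs default -- it also silently wins over any downstream module that sets `sandbox-fallback = false` at normal priority, so an operator hardening a per-agent container to keep builds sandboxed would get no error and no effect, where the old definition at least failed loudly. Since this option decides whether a build that cannot set up the sandbox runs unsandboxed, losing a hardening override without any signal is the worse failure mode. A priority that beats the nixpkgs default (100) but still yields to an explicit mkForce from the operator keeps the fix and the escape hatch: `nix.settings.sandbox-fallback = lib.mkOverride 75 true;`. Whichever priority is kept, the added comment should state that this value is only the template's baseline and name how a deployment that requires strict sandboxing is expected to override it, rather than leaving that to the pointer at docs/security.md.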