diff --git a/.needle-predispatch-sha b/.needle-predispatch-sha
index 68b9fdd..945a355 100644
--- a/.needle-predispatch-sha
+++ b/.needle-predispatch-sha
@@ -1 +1 @@
-00d6754524b429bd61d3e6c581826aaaa5e614a2
+7137623f6a68882880fdeb89cf2ef06b41419a46
diff --git a/cmd/acb-evolver/Dockerfile b/cmd/acb-evolver/Dockerfile
index 425232d..52dcc03 100644
--- a/cmd/acb-evolver/Dockerfile
+++ b/cmd/acb-evolver/Dockerfile
@@ -46,7 +46,11 @@ WORKDIR /app
 # - python3, nodejs (typescript), rust (rustup), java, php
 # - nsjail for sandbox isolation during validation
 # - ca-certificates for HTTPS (LLM calls, K8s API)
-RUN apk --no-cache add \
+#
+# Note: nsjail is in the community repository, ensure it's enabled
+RUN grep -q '^https.*\/community$' /etc/apk/repositories || \
+ echo "https://dl-cdn.alpinelinux.org/alpine/v$(. /etc/os-release && echo $VERSION_ID | cut -d. -f1,2)/community" >> /etc/apk/repositories && \
+ apk --no-cache add \
 ca-certificates \
 tzdata \
 python3 \
diff --git a/cmd/acb-evolver/internal/validator/sandbox.go b/cmd/acb-evolver/internal/validator/sandbox.go
index ef56c38..ed09d79 100644
--- a/cmd/acb-evolver/internal/validator/sandbox.go
+++ b/cmd/acb-evolver/internal/validator/sandbox.go
@@ -127,7 +127,7 @@ func buildNsjailCmd(ctx context.Context, nsjailBin, execPath string, execArgs []
 }
 // Read-only bind-mounts for language runtimes and system libraries.
-for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/proc", "/dev"} {
+for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/opt", "/proc", "/dev"} {
 if _, err := os.Stat(p); err == nil {
 args = append(args, "--bindmount_ro", p)
 }
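Review bot: The repository check on the new `RUN grep -q '^https.*\/community$' /etc/apk/repositories` line only recognises an `https` mirror, so a base image whose `/etc/apk/repositories` already lists the community repo over `http://` or via another mirror gets a second, hard-coded dl-cdn entry appended instead of being left alone; matching on the path alone, `grep -q '/community$' /etc/apk/repositories`, avoids the duplicate. The `A || B && C` chain also relies on the shell's left-to-right grouping, `(A || B) && C`, for `apk` to run in both branches; writing it as `{ grep -q ... || echo ... >> /etc/apk/repositories; } && \` makes that intent explicit to the next reader. The RUN statement continues past the end of the hunk.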
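Review bot: Adding `/opt` to the read-only bind-mount list makes everything under it readable from inside every nsjail run, and neither the hunk nor the existing comment records which runtime needs it or whether the image stores anything else there; a one-line comment on the list, e.g. `// /opt: runtime install root (TODO name it) — keep free of credentials or tooling the sandbox must not see`, would document the exposure for whoever next extends the image. `--bindmount_ro` limits writes, not reads, so a check that the Dockerfile places nothing sensitive under /opt belongs alongside this change (presumably a rustup or JDK install lives there — confirm against the Dockerfile). The for loop and buildNsjailCmd both continue past the end of the hunk.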