perstack-ai · FL4TLiN3 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/.changeset/afraid-results-stay.md b/.changeset/afraid-results-stay.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/README.md b/README.md
@@ -276,7 +276,7 @@ Perstack ships a five-layer stack that gives micro-agents everything they need t
 | | Error handling | Configurable retries with provider-specific error normalization and retryability detection |
 | | Job hierarchy | Job → run → checkpoint structure with step continuity across delegations |
 | | Streaming | Real-time reasoning and result deltas via streaming callbacks |
-| **Infrastructure** | Container isolation | Docker image (Ubuntu, multi-arch, ~74 MB) with `PERSTACK_SANDBOX=1` marker and non-root user |
+| **Infrastructure** | Container isolation | Docker image (Ubuntu, multi-arch, ~74 MB) with `PERSTACK_SANDBOX=1` marker |
 | | Workspace boundaries | Path validation with symlink resolution to prevent traversal and escape attacks |
 | | Env / secrets | `.env` loading with `--env-path`, `requiredEnv` minimal-privilege filtering, and protected-variable blocklist |
 | | Exec protection | Filtered environment for subprocesses blocking `LD_PRELOAD`, `NODE_OPTIONS`, and similar vectors |

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -59,16 +59,11 @@ ENV PERSTACK_SANDBOX=1
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-      ca-certificates curl jq sudo && \
-    rm -rf /var/lib/apt/lists/* && \
-    useradd -m -s /bin/bash perstack && \
-    echo "perstack ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+      ca-certificates curl jq && \
+    rm -rf /var/lib/apt/lists/*
 
 COPY --from=build /app/out/perstack /usr/local/bin/perstack
 
 WORKDIR /workspace
-RUN chown perstack:perstack /workspace
-
-USER perstack
 
 ENTRYPOINT ["perstack"]
diff --git a/docs/architecture.svg b/docs/architecture.svg
diff --git a/docs/understanding-perstack/concept.mdx b/docs/understanding-perstack/concept.mdx
@@ -112,7 +112,7 @@ How you declare what experts do and how they collaborate.
 Isolation and security boundaries that make agents safe to operate.
 
 <CardGrid>
-  <LinkCard title="Sandbox integration" href="/docs/understanding-perstack/sandbox-integration/">Container isolation with Docker — multi-arch, non-root, ~74 MB.</LinkCard>
+  <LinkCard title="Sandbox integration" href="/docs/understanding-perstack/sandbox-integration/">Container isolation with Docker — multi-arch, ephemeral, ~74 MB.</LinkCard>
   <LinkCard title="Boundary model" href="/docs/understanding-perstack/boundary-model/">Workspace boundaries, path validation, and symlink traversal prevention.</LinkCard>
   <LinkCard title="Isolation by design" href="/docs/operating-experts/isolation-by-design/">Environment sandboxing, secret management, and exec protection.</LinkCard>
   <LinkCard title="Deployment" href="/docs/operating-experts/deployment/">Container images, `perstack install`, and production deployment patterns.</LinkCard>

diff --git a/packages/runtime/src/messages/instruction-message.ts b/packages/runtime/src/messages/instruction-message.ts
@@ -7,7 +7,7 @@ function getEnvironmentSection(): string {
   const lines = [`- Platform: ${os.platform()} ${os.release()} (${os.arch()})`]
   if (process.env.PERSTACK_SANDBOX === "1") {
     lines.push(
-      "- Sandbox: This is an isolated container environment (Ubuntu). You can freely install packages with `sudo apt-get install` and run arbitrary commands without affecting the host system.",
+      "- Sandbox: This is an isolated container environment (Ubuntu). You can freely install packages with `apt-get install` and run arbitrary commands without affecting the host system.",
     )
   }
   return `Environment:\n${lines.join("\n")}`