diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1ba6776b..81e55bf3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@
 - Agents: recognize "usage limit" errors as rate limits for failover. (#687) — thanks @evalexpr.
 - CLI: avoid success message when daemon restart is skipped. (#685) — thanks @carlulsoe.
 - Commands: disable `/config` + `/debug` by default; gate via `commands.config`/`commands.debug` and hide from native registration/help output.
+- Agents/System: clarify that sub-agents remain sandboxed and cannot use elevated host access.
 - Gateway: disable the OpenAI-compatible `/v1/chat/completions` endpoint by default; enable via `gateway.http.endpoints.chatCompletions.enabled=true`.
 - macOS: stabilize bridge tunnels, guard invoke senders on disconnect, and drain stdout/stderr to avoid deadlocks. (#676) — thanks @ngutman.
 - Agents/System: clarify sandboxed runtime in system prompt and surface elevated availability when sandboxed.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c530e5e1a..9f10fd0c6 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -9,7 +9,7 @@ overrides: patchedDependencies: '@mariozechner/pi-ai@0.42.2': - hash: 3ac9ea7edf6cbef42d6ea15d92b5cb63142ef114f9bbd601e08393e966fc4f7f + hash: 4eb2abd3a960fad93eea95e24926111966cfd2bf7ad5e6a1bd3920fcac75fe09 path: patches/@mariozechner__pi-ai@0.42.2.patch importers:
@@ -36,7 +36,7 @@ importers: version: 0.42.2(ws@8.19.0)(zod@4.3.5) '@mariozechner/pi-ai': specifier: ^0.42.2 - version: 0.42.2(patch_hash=3ac9ea7edf6cbef42d6ea15d92b5cb63142ef114f9bbd601e08393e966fc4f7f)(ws@8.19.0)(zod@4.3.5) + version: 0.42.2(patch_hash=4eb2abd3a960fad93eea95e24926111966cfd2bf7ad5e6a1bd3920fcac75fe09)(ws@8.19.0)(zod@4.3.5) '@mariozechner/pi-coding-agent': specifier: ^0.42.2 version: 0.42.2(ws@8.19.0)(zod@4.3.5)
@@ -3777,7 +3777,7 @@ snapshots: '@mariozechner/pi-agent-core@0.42.2(ws@8.19.0)(zod@4.3.5)': dependencies: - '@mariozechner/pi-ai': 0.42.2(patch_hash=3ac9ea7edf6cbef42d6ea15d92b5cb63142ef114f9bbd601e08393e966fc4f7f)(ws@8.19.0)(zod@4.3.5) + '@mariozechner/pi-ai': 0.42.2(patch_hash=4eb2abd3a960fad93eea95e24926111966cfd2bf7ad5e6a1bd3920fcac75fe09)(ws@8.19.0)(zod@4.3.5) '@mariozechner/pi-tui': 0.42.2 transitivePeerDependencies: - '@modelcontextprotocol/sdk'
@@ -3787,7 +3787,7 @@ snapshots: - ws - zod - '@mariozechner/pi-ai@0.42.2(patch_hash=3ac9ea7edf6cbef42d6ea15d92b5cb63142ef114f9bbd601e08393e966fc4f7f)(ws@8.19.0)(zod@4.3.5)': + '@mariozechner/pi-ai@0.42.2(patch_hash=4eb2abd3a960fad93eea95e24926111966cfd2bf7ad5e6a1bd3920fcac75fe09)(ws@8.19.0)(zod@4.3.5)': dependencies: '@anthropic-ai/sdk': 0.71.2(zod@4.3.5) '@google/genai': 1.34.0
@@ -3811,7 +3811,7 @@ snapshots: dependencies: '@mariozechner/clipboard': 0.3.0 '@mariozechner/pi-agent-core': 0.42.2(ws@8.19.0)(zod@4.3.5) - '@mariozechner/pi-ai': 0.42.2(patch_hash=3ac9ea7edf6cbef42d6ea15d92b5cb63142ef114f9bbd601e08393e966fc4f7f)(ws@8.19.0)(zod@4.3.5) + '@mariozechner/pi-ai': 0.42.2(patch_hash=4eb2abd3a960fad93eea95e24926111966cfd2bf7ad5e6a1bd3920fcac75fe09)(ws@8.19.0)(zod@4.3.5) '@mariozechner/pi-tui': 0.42.2 chalk: 5.6.2 cli-highlight: 2.1.11
diff --git a/src/agents/system-prompt.test.ts b/src/agents/system-prompt.test.ts
index c622ad53d..8626f7bcb 100644
--- a/src/agents/system-prompt.test.ts
+++ b/src/agents/system-prompt.test.ts
@@ -194,6 +194,7 @@ describe("buildAgentSystemPrompt", () => {
 });
 
 expect(prompt).toContain("You are running in a sandboxed runtime");
+ expect(prompt).toContain("Sub-agents stay sandboxed");
 expect(prompt).toContain("User can toggle with /elevated on|off.");
 expect(prompt).toContain("Current elevated level: on");
 });
diff --git a/src/agents/system-prompt.ts b/src/agents/system-prompt.ts
index 1cd95039e..2bb6c9593 100644
--- a/src/agents/system-prompt.ts
+++ b/src/agents/system-prompt.ts
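Review bot: The new assertion pins only the opening clause `"Sub-agents stay sandboxed"`, so the operative part of the prompt line — "(no elevated/host access)" and "Don't spawn; ask first." — could be edited away without this test failing. Asserting the full sentence, or adding `expect(prompt).toContain("Don't spawn; ask first.");`, would make the test guard the behaviour the CHANGELOG entry describes. If this describe block also has a non-sandboxed case (not visible here), a matching `expect(prompt).not.toContain("Sub-agents stay sandboxed");` there would check that the line really is gated on the sandbox branch. The describe block continues outside the hunk.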
@@ -231,6 +231,7 @@ export function buildAgentSystemPrompt(params: {
 ? [
 "You are running in a sandboxed runtime (tools execute in Docker).",
 "Some tools may be unavailable due to sandbox policy.",
+ "Sub-agents stay sandboxed (no elevated/host access). Need outside-sandbox read/write? Don't spawn; ask first.",
 params.sandboxInfo.workspaceDir
 ? `Sandbox workspace: ${params.sandboxInfo.workspaceDir}`
 : "",
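Review bot: The added string tells the model that sub-agents cannot obtain elevated or host access, but nothing in this hunk enforces that — the guarantee has to come from whatever spawns sub-agents and applies tool/sandbox policy, and prompt text is advisory at best. Since this array only appears in the sandboxed branch of the ternary (`? [`), a comment above it would keep that distinction from being lost, e.g. `// Advisory wording only: sub-agent sandboxing is presumably enforced by the spawn path, not by this text — keep the two in sync.`. It would also be worth confirming that the spawn path actually inherits `params.sandboxInfo` (not visible here), so the prompt and the runtime policy do not drift apart. buildAgentSystemPrompt starts before this hunk and continues after it.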