diff --git a/src/vm.ts b/src/vm.ts
index b74dfc3..35f7a51 100644
--- a/src/vm.ts
+++ b/src/vm.ts
@@ -59,8 +59,8 @@ function hostMounts(home: string): { dev: boolean; code: boolean } {
 async function createContainer(home: string): Promise {
 const mounts = hostMounts(home)
 const args = ["container", "run", "-d", "--name", CONTAINER_NAME, "-m", "4G"]
- if (mounts.dev) args.push("--mount", `type=bind,source=${home}/dev,target=/host/dev`)
- if (mounts.code) args.push("--mount", `type=bind,source=${home}/code,target=/host/code`)
+ if (mounts.dev) args.push("--mount", `type=bind,source=${home}/dev,target=/host/dev,readonly`)
+ if (mounts.code) args.push("--mount", `type=bind,source=${home}/code,target=/host/code,readonly`)
 args.push("-v", `${home}/.sandlot:/sandlot`, "ubuntu:24.04", "sleep", "infinity")
 const prepared = DEBUG ? $`${args}`.nothrow() : $`${args}`.nothrow().quiet()
 const result = await prepared
@@ -273,8 +273,8 @@ export async function claude(workdir: string, opts?: { prompt?: string; print?:
 "You are running inside a sandlot container (Apple Container, ubuntu:24.04).",
 `Your working directory is ${cwd}, a git worktree managed by sandlot.`,
 ]
- if (mounts.dev) systemPromptLines.push("The host's ~/dev is mounted read-only at /host/dev.")
- if (mounts.code) systemPromptLines.push("The host's ~/code is mounted read-only at /host/code.")
+ if (mounts.dev) systemPromptLines.push("The host's ~/dev is mounted read-only at /host/dev.")
+ if (mounts.code) systemPromptLines.push("The host's ~/code is mounted read-only at /host/code.")
 systemPromptLines.push(
 "The host's ~/.sandlot is mounted at /sandlot.",
 "Bun is installed at ~/.local/bin/bun. Use bun instead of node/npm.",
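Review bot: The `-v` mount of `${home}/.sandlot` at `/sandlot`, on the context line right after the two changed `--mount` calls in the first hunk, is still read-write, so this change narrows the container's write access to the host to that one directory rather than removing it. If that is intended, say so next to the mounts, e.g. `// /sandlot is the only writable host path; /host/dev and /host/code are read-only references`. Read-only also does not limit what the container can read: credentials or `.env` files under ~/dev and ~/code stay visible to whatever runs inside, which matters if the container has network access (not visible in this hunk). createContainer's body continues outside the hunk.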
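Review bot: The two changed `systemPromptLines.push` strings in the second hunk now state "read-only" as a fixed fact, but the mount mode is set only when createContainer runs `container run`. A container created before this commit would presumably keep writable /host/dev and /host/code while the prompt claims otherwise. Whether an existing container is reused is not visible here; if it is, recreate it when the mount options change, or derive the prompt wording from the same source as the `--mount` arguments. At minimum add a comment above these lines such as `// must match the mount options in createContainer; the prompt is advisory, the mount flag is the enforcement`. The body of claude() starts and ends outside the hunk.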