diff --git a/build.zsh b/build.zsh
index 449c83e..29d8899 100755
--- a/build.zsh
+++ b/build.zsh
@@ -65,7 +65,7 @@ cp -rf ./cfg/os-release root.x86_64/etc/os-release
 # Configure sudoers for wheel group
 echo "Configuring sudoers..."
-arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /bin/bash" >> /etc/sudoers'
+arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /usr/bin/mount, /usr/bin/chroot, /bin/bash" >> /etc/sudoers'
 # Install aigpt (aios core package)
 echo "Installing aigpt..."
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index 59e0c36..b80c936 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -75,7 +75,11 @@ if [[ -o login ]] && [[ -o interactive ]]; then
 if [[ -z "$INSIDE_WORKSPACE" ]]; then
 # Running as ai user on aios OS - enter workspace container
 export INSIDE_WORKSPACE=1
- exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
+ # Setup bind mount for shared user directory
+ sudo mkdir -p /var/lib/machines/workspace/root 2>/dev/null || true
+ sudo mount --bind /home/ai /var/lib/machines/workspace/root 2>/dev/null || true
+ # Enter workspace via chroot (avoiding nested systemd-nspawn audit issues)
+ exec sudo chroot /var/lib/machines/workspace /bin/zsh
 else
 # Running as root inside workspace container - start claude
 if command -v claude &>/dev/null; then
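Review bot: The sudoers line in build.zsh now grants `/usr/bin/mount` and `/usr/bin/chroot` to every %wheel member with no password and no argument restriction, so any mount or chroot invocation runs as root, not just the single bind mount and workspace chroot that cfg/setup-user.sh performs. Sudoers accepts a fixed argument list, so the two new entries could be written as `/usr/bin/mount --bind /home/ai /var/lib/machines/workspace/root, /usr/bin/chroot /var/lib/machines/workspace /bin/zsh`. The existing `/bin/bash` entry already amounts to passwordless root for the group, so the enumerated list restricts nothing until that entry is removed. Writing the rule to a 0440 drop-in under `/etc/sudoers.d/` and checking it with `visudo -cf` before the build continues would also avoid appending an unvalidated line to `/etc/sudoers`.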
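Review bot: The added `sudo mount --bind` in cfg/setup-user.sh runs on every interactive login with no check for an existing mount, so repeated logins stack bind mounts on `/var/lib/machines/workspace/root`, and nothing unmounts them because the shell is replaced by `exec`. Guard it, e.g. `mountpoint -q /var/lib/machines/workspace/root || sudo mount --bind /home/ai /var/lib/machines/workspace/root`, and drop the `2>/dev/null || true` so a failed mount is reported instead of silently entering the workspace with an empty `/root`. `chroot` also provides none of the namespace separation that `systemd-nspawn` did, and with `/home/ai` bound over `/root` the root shell will presumably read its startup files from a directory the ai user can write. A comment saying the workspace is no longer an isolation boundary would help, and the "inside workspace container" wording in the else branch should be updated to match. The enclosing `if` block starts and ends outside this hunk.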