diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index a864327..571a1b8 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-eb09fd52a83e77dad0465baded5c982c23bd5414
+eee9b691c9fcf5783ca044671dade3e32efd7e7b
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 678171b..f1b43a8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,30 +1,25 @@
 {
 "name": "bootc-devenv-debian",
- // TODO override this back to prod image
 "image": "ghcr.io/bootc-dev/devenv-debian",
 "customizations": {
 "vscode": {
- // Abitrary, but most of our code is in one of these two
+ // Arbitrary, but most of our code is in one of these two
 "extensions": [
 "rust-lang.rust-analyzer",
 "golang.Go"
 ]
+ },
+ "devaipod": {
+ // When running under devaipod, use minimal capabilities
+ // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+ "nestedContainers": true
 }
 },
 "features": {},
- "runArgs": [
- // In general we hope that the outer environment has set up
- // a user namespace to keep this secure.
- "--cap-add=all",
- // Required for mounting /proc in nested user namespace
- "--security-opt", "label=disable",
- // Allows access to /proc paths needed for nested containers
- "--security-opt", "unmask=/proc/*",
- // Device access for nested containers and VMs
- "--device", "/dev/net/tun",
- // I always want KVM
- "--device", "/dev/kvm"
- ],
+ // Use privileged mode for broad compatibility (Codespaces, Docker,
+ // stock devcontainer CLI). devaipod overrides this with tighter
+ // security via the nestedContainers customization above.
+ "privileged": true,
 "postCreateCommand": {
 // Our init script
 "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
@@ -33,4 +28,3 @@
 "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
 }
 }
-
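Review bot: `"privileged": true` is a strictly broader grant than the removed `runArgs` list — on top of every capability it also drops the default seccomp and AppArmor/SELinux confinement and exposes all host devices, whereas the old list named exactly the two devices and two security-opt relaxations it needed. The removed comment stating that this is only safe when the outer environment provides a user namespace has been dropped along with the list, so the new comment above `"privileged"` should carry that caveat forward, e.g. `// privileged disables seccomp/LSM confinement and exposes all host devices; run this only under a rootless or user-namespaced outer runtime.` Whether devaipod really narrows this to specific capabilities cannot be checked from this file, so I would word the `nestedContainers` comment as the expected behavior of that tool rather than as a guarantee. The `postCreateCommand` object continues past the end of the hunk.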