diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index c4b9841..c79303f 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -240,6 +240,9 @@ jobs:
 echo "-- yggdrasil"; rpm -q yggdrasil || echo "not installed"
 echo "-- tailscale"; rpm -q tailscale || echo "not installed"
 echo "-- veilor-firstboot unit"; ls -la /etc/systemd/system/veilor-firstboot.service 2>&1 || true
+ echo "-- brand-leak scan (text files only, bounded paths)"
+ HITS=$(find /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os /usr/local/bin/veilor-* -type f \( -name "*.sh" -o -name "*.conf" -o -name "*.service" -o -name "*.timer" -o -name "*.txt" -o -name "*.md" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "os-release" \) -exec grep -liE "onyx|192\.168\.0\.|fedora\.local|xynki\.dev" {} + 2>/dev/null || true)
+ if [ -n "$HITS" ]; then echo "[ERR] brand leak detected:"; echo "$HITS"; exit 1; fi
 '
 # ── GitHub-only signing/SBOM/attest ────────────────────────────
diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml
index cad5e62..79fa713 100644
--- a/bluebuild/recipe.yml
+++ b/bluebuild/recipe.yml
@@ -63,11 +63,8 @@ modules:
 -e 's|^ID=.*|ID=veilor|' \
 -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
 /etc/os-release || true ; \
- fi ; \
- if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
- /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \
- echo "[ERR] brand leak detected" ; exit 1 ; \
 fi
+ # brand-leak check moved to CI smoke-test (STEP 14 hang under buildah overlayfs, run 171 2026-05-07)
 # ── 3. Override secureblue's run0-only — restore sudo ───────────
 # secureblue removes sudo + replaces with run0. Too disruptive for
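Review bot: The new scan passes vacuously when nothing is scanned: an unmatched root glob (unquoted, so `/etc/veilor*` is handed to find literally when absent), a renamed path or a permission error all disappear into `2>/dev/null || true` and leave `HITS` empty, which the next line reads as "no leak". A gate that can silently shrink to zero files is worse than none, so count the candidate set first and fail the step when it is empty, printing the count so a shrinking scan shows up in the log. Separately, `-name "os-release"` can only match under the four listed roots, none of which contains `/etc/os-release` — the file the recipe rebrands — so add it to the root list if it is meant to be covered. Whether the extension list matches everything the recipe ships (e.g. `.desktop`, `.rules`, `.preset`) I cannot tell from here; the enclosing `sh -c '…'` block starts before the hunk, so the rewrite below must keep avoiding single quotes.
```shell
echo "-- brand-leak scan (text files only, bounded paths)"
# Roots are globs and are expanded on purpose; /etc/os-release is the file the recipe rebrands.
SCAN_ROOTS="/etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os /usr/local/bin/veilor-* /etc/os-release"
SCAN_NAMES="-name *.sh -o -name *.conf -o -name *.service -o -name *.timer -o -name *.txt -o -name *.md -o -name *.json -o -name *.yml -o -name *.yaml -o -name os-release"
# Fail loudly when the candidate set is empty: a missing root or a permission
# error must not read as "no leak".
N=$(find $SCAN_ROOTS -type f \( $SCAN_NAMES \) -print 2>/dev/null | wc -l)
[ "$N" -gt 0 ] || { echo "[ERR] brand-leak scan matched no files (roots missing?)"; exit 1; }
echo "scanning $N candidate files"
HITS=$(find $SCAN_ROOTS -type f \( $SCAN_NAMES \) -exec grep -liE "onyx|192\.168\.0\.|fedora\.local|xynki\.dev" {} + 2>/dev/null || true)
# … unchanged: if [ -n "$HITS" ]; then … exit 1; fi …
```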
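Review bot: The added comment should name where the replacement check lives and that it is narrower than what was removed: the deleted `grep -rqi` walked every file under the three roots, while the CI scan in this same commit only looks at a fixed list of file-name patterns, so a leak in an unlisted file type is now caught by neither. Suggested wording: `# brand-leak check moved to .github/workflows/build-bluebuild.yml smoke-test (STEP 14 hang under buildah overlayfs, run 171 2026-05-07); the CI scan is name-filtered, not a full grep -r`. The `if` that the remaining `fi` closes starts above the hunk; with the second `if` gone, `|| true ; \` on the preceding line now runs straight into `fi`, which is syntactically fine. Any build that does not go through that workflow (the workflow itself labels the following section "GitHub-only", so other paths may exist) would now have no brand-leak gate at all — worth confirming that is intended.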