diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml index 79fa713..6e6f2d7 100644 --- a/bluebuild/recipe.yml +++ b/bluebuild/recipe.yml @@ -11,6 +11,17 @@ # CI: .github/workflows/build-bluebuild.yml signs + pushes to GHCR. # # Reference: https://blue-build.org/reference/recipe/ +# +# ── Module collapse history ────────────────────────────────────── +# Run 183 (2026-05-08) ate 3h10min before runner timeout: each RUN/COPY +# layer COMMIT under fuse-overlayfs over secureblue's 130-layer hardened +# base costs ~40min wallclock (STEP 10..13 each 38–43min). Ergo: every +# saved module = ~40min saved. Collapsed: +# - 5× rpm-ostree → 1× (-4 layers) +# - 2× containerfile (brand sed + systemctl enable) → 1× (-1 layer) +# - 4× copy left as-is — BlueBuild copy module is one src/dest per +# entry per https://blue-build.org/reference/modules/copy/ +# Net: 12 → 7 modules, ~5×40min ≈ 3h20min off wallclock budget. --- name: veilor-os description: Hardened security-branded Fedora KDE on top of secureblue. @@ -28,6 +39,11 @@ modules: # the BlueBuild-shipped /tmp/modules/files/files.sh under buildah + # podman privileged in our runner — the script tries to make itself # executable inside its own bind-mounted layer. + # + # NOTE: Each copy module = one COPY layer (~40min commit on our + # runner). BlueBuild's copy module accepts a single src/dest pair + # only, so these four entries are the floor unless we move to a + # hand-rolled Containerfile. - type: copy source: ../overlay destination: / 
@@ -40,11 +56,53 @@ modules: source: ../scripts destination: /usr/share/veilor-os/scripts - # ── 2. Branding overrides at build time ───────────────────────── + - type: copy + source: config/just + destination: /usr/share/ublue-os/just + + # ── 2. All package layering in one rpm-ostree pass ────────────── + # secureblue removes sudo + replaces with run0 (too disruptive for + # daily-driver) — restore. Xwayland was disabled for attack-surface + # reduction — restore for Element/Slack/Qt5 apps. Mullvad Browser + # layered alongside Trivalent (Trivalent default per STRATEGY.md; + # Mullvad for pseudonymous browsing). Mesh stack: Tailscale (Layer + # 1, daily driver, pre-disabled), Yggdrasil-go (Layer 2, idle warm- + # fallback). Reticulum/RetiNet stays opt-in via ujust. Memory + # hygiene + ergonomic deps for veilor-postinstall + veilor-doctor. + # + # Collapsed from 5 rpm-ostree modules → 1 to drop 4 layer commits + # (~160min wallclock on our buildah+fuse-overlayfs runner). + - type: rpm-ostree + install: + - sudo + - xorg-x11-server-Xwayland + - mullvad-browser + - tailscale + - yggdrasil + - zram-generator + - jq + - vim-enhanced + - tmux + - htop + + # ── 3. Branding overrides + systemd unit toggles in one RUN ───── # Use raw `type: containerfile` (RUN line) instead of `type: script` - # — bluebuild's script-module helper script.nu fails 'chmod: - # Operation not permitted' on its own bind-mounted layer under + # / `type: systemd` — bluebuild's helper scripts fail 'chmod: + # Operation not permitted' on their own bind-mounted layer under # podman/buildah privileged. Raw RUN bypasses the helper. 
+ # + # Single snippet (= single layer) merges: + # - brand sed of /etc/os-release + GRUB_DISTRIBUTOR + # - kde-theme + v03-theme apply scripts + # - plymouth default-theme + # - chmod +x on shipped veilor-* scripts/binaries + # - fc-cache rebuild + # - systemctl enable yggdrasil + veilor-{firstboot,modules-lock, + # postinstall}.service + veilor-doctor.timer + # - systemctl disable tailscaled (Day-1-disabled per threat model) + # + # brand-leak grep moved to CI smoke-test in build-bluebuild.yml + # (STEP 14 hung under buildah overlayfs, run 171 2026-05-07). - type: containerfile snippets: - | 
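Review bot: The collapsed step-2 comment drops the re-hardening guidance the removed step-4 block carried — that a user can take Xwayland back out with `rpm-ostree override remove` — and the pointer that Thorium stays opt-in via `ujust install-thorium` with the warning in config/thorium.just. The restore is documented as a deliberate weakening of secureblue's attack-surface reduction, so the escape hatch belongs next to the package, e.g. `# Users who want Xwayland gone again can rpm-ostree override remove xorg-x11-server-Xwayland` on the line above `- xorg-x11-server-Xwayland`. The Thorium sentence fits the same comment block as one more line, alongside the existing Reticulum/RetiNet opt-in note. The containerfile snippet introduced at the end of this hunk continues outside it.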
@@ -63,75 +121,16 @@ modules: -e 's|^ID=.*|ID=veilor|' \ -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \ /etc/os-release || true ; \ - fi - # brand-leak check moved to CI smoke-test (STEP 14 hang under buildah overlayfs, run 171 2026-05-07) - - # ── 3. Override secureblue's run0-only — restore sudo ─────────── - # secureblue removes sudo + replaces with run0. Too disruptive for - # daily-driver workflows. Restore sudo, keep run0 available. - - type: rpm-ostree - install: - - sudo - - # ── 4. Re-enable Xwayland ─────────────────────────────────────── - # secureblue disables Xwayland for attack-surface reduction. Some - # apps (Element, Slack-likes, older Qt5 tools) still need it. - # User who wants it removed back can `rpm-ostree override remove`. - - type: rpm-ostree - install: - - xorg-x11-server-Xwayland - - # ── 5. Mullvad Browser as anti-fingerprint companion ──────────── - # Layered alongside Trivalent (kept as default per STRATEGY.md). - # Trivalent for daily browsing, Mullvad for pseudonymous browsing. - # Thorium remains opt-in only via `ujust install-thorium` — see - # config/thorium.just for the warning + install logic. - - type: rpm-ostree - install: - - mullvad-browser - - # ── 6. Mesh stack packages ────────────────────────────────────── - # Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale - # Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go - # Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/ - - type: rpm-ostree - install: - - tailscale - - yggdrasil - - # ── 6b. Memory hygiene + ergonomic deps ───────────────────────── - # zram-generator gives us zram swap (no disk swap, no cold-boot - # leak). gum is the TUI primitive used by veilor-postinstall + - # veilor-update + veilor-doctor — vendor binary at build time so - # post-install layering doesn't need it. - - type: rpm-ostree - install: - - zram-generator - - jq - - vim-enhanced - - tmux - - htop - - # ── 7. 
ujust recipes for opt-in components ────────────────────── - - type: copy - source: config/just - destination: /usr/share/ublue-os/just - - # ── 8 + 9. systemd unit enables/disables ──────────────────────── - # Same chmod-permitted blocker on `type: systemd` helper. Use raw - # RUN systemctl preset/enable/disable instead. - - type: containerfile - snippets: - - | - RUN systemctl enable yggdrasil.service 2>/dev/null || true ; \ + fi ; \ + systemctl enable yggdrasil.service 2>/dev/null || true ; \ systemctl disable tailscaled.service 2>/dev/null || true ; \ systemctl enable veilor-firstboot.service 2>/dev/null || true ; \ systemctl enable veilor-modules-lock.service 2>/dev/null || true ; \ systemctl enable veilor-postinstall.service 2>/dev/null || true ; \ systemctl enable veilor-doctor.timer 2>/dev/null || true - # ── 10. signing config ────────────────────────────────────────── + # ── 4. signing config ─────────────────────────────────────────── # cosign.pub committed alongside this recipe; cosign.key kept off # repo and provided to CI as Forgejo secret COSIGN_PRIVATE_KEY. # The action exports it to /tmp at build time. - - type: signing \ No newline at end of file + - type: signing
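Review bot: Every `systemctl enable`/`disable` in the merged RUN line is followed by `2>/dev/null || true`, so a missing or mis-named unit — veilor-modules-lock.service, veilor-doctor.timer, or the tailscaled disable that the step-3 comment calls Day-1-disabled per threat model — leaves the build green with the service silently in the wrong state. For the units this repo ships itself (veilor-*) and for the tailscaled disable, drop the suppression so the layer fails loudly, e.g. `systemctl enable veilor-modules-lock.service ; \`, and keep `|| true` only where the unit name genuinely cannot be relied on (yggdrasil.service, if its package's unit name is uncertain). Alternatively the CI smoke test that the comment says now holds the brand-leak grep could assert `systemctl is-enabled` per unit after the build, which would catch the same regression without touching the RUN line. The RUN snippet these lines join (the `if … fi` sed block) starts outside the hunk.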