diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 6e64457..9fa1cbd 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -64,7 +64,24 @@ jobs:
               createrepo_c \
               git \
               which \
-              shadow-utils
+              shadow-utils \
+              syslinux \
+              tar \
+              curl
+
+            # Vendor gum binary onto the ISO so the TTY1 installer can use
+            # Charm.sh TUI primitives. gum is not packaged in Fedora repos,
+            # so pull the upstream release tarball pinned by sha256.
+            GUM_VERSION="0.17.0"
+            GUM_URL="https://github.com/charmbracelet/gum/releases/download/v${GUM_VERSION}/gum_${GUM_VERSION}_Linux_x86_64.tar.gz"
+            GUM_SHA256="69ee169bd6387331928864e94d47ed01ef649fbfe875baed1bbf27b5377a6fdb"
+            mkdir -p /work/overlay/usr/local/bin
+            curl -fsSL "$GUM_URL" -o /tmp/gum.tgz
+            echo "$GUM_SHA256  /tmp/gum.tgz" | sha256sum -c -
+            tar -xzf /tmp/gum.tgz -C /tmp/
+            install -m 0755 "/tmp/gum_${GUM_VERSION}_Linux_x86_64/gum" /work/overlay/usr/local/bin/gum
+            /work/overlay/usr/local/bin/gum --version
+            echo "[OK] gum ${GUM_VERSION} vendored into overlay/usr/local/bin/"
 
             cd /work
 
@@ -102,6 +119,40 @@ jobs:
               --tmpdir /var/lmc \
               --cache /var/lmc-cache 2>&1 | tee build/out/build.log
 
+            # Graft veilor source tree onto the ISO so the installer-generated
+            # kickstart's `%post --nochroot` can find SRC at
+            # /run/install/repo/veilor/{overlay,scripts,assets}/ when the user
+            # promotes the live ISO into a real install.
+            ISO_FILE=$(ls /work/*.iso 2>/dev/null | head -1)
+            [ -n "$ISO_FILE" ] || { echo "[ERR] no ISO produced by livecd-creator"; exit 1; }
+            echo "[INFO] grafting /veilor/ onto $ISO_FILE"
+
+            # Extract original ISO's exact boot stanza so the rebuild matches
+            # livecd-creator's layout byte-for-byte. This is immune to upstream
+            # Fedora layout changes (e.g. images/ vs isolinux/ for efiboot.img,
+            # partition geometry flags, hybrid MBR/GPT options).
+            xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>&1 | tee /tmp/iso-boot.txt || true
+            ORIG_FLAGS=$(xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>/dev/null | \
+                grep -v '^xorriso :' | grep -E '^-' | tr '\n' ' ')
+            [ -n "$ORIG_FLAGS" ] || { echo "[ERR] could not extract boot stanza from $ISO_FILE"; exit 1; }
+            echo "[INFO] re-pack flags from original ISO: $ORIG_FLAGS"
+
+            mkdir -p /tmp/iso-mod
+            xorriso -osirrox on -indev "$ISO_FILE" -extract / /tmp/iso-mod
+            chmod -R u+w /tmp/iso-mod
+            mkdir -p /tmp/iso-mod/veilor
+            cp -a /work/overlay /work/scripts /work/assets /tmp/iso-mod/veilor/
+
+            # Replay the exact stanza captured above. eval is needed because
+            # ORIG_FLAGS contains multiple flag/value pairs that must word-split.
+            eval xorriso -as mkisofs \
+              -volid "veilor-os-43" \
+              $ORIG_FLAGS \
+              -o "${ISO_FILE}.tmp" /tmp/iso-mod
+            mv "${ISO_FILE}.tmp" "$ISO_FILE"
+            rm -rf /tmp/iso-mod
+            echo "[OK] /veilor/ grafted onto $ISO_FILE"
+
             # Move output ISO to expected dir
             mv ./veilor-os-43.iso build/out/ 2>/dev/null || mv ./*.iso build/out/ 2>/dev/null || true