diff --git a/kickstart/veilor-os.ks b/kickstart/veilor-os.ks
index 805fa95..c5ef846 100644
--- a/kickstart/veilor-os.ks
+++ b/kickstart/veilor-os.ks
@@ -23,24 +23,22 @@ network --bootproto=dhcp --device=link --activate --hostname=veilor-os
 firewall --enabled --service=ssh
 
 # ── Identity (zero-prompt; only LUKS passphrase asked at install) ──
+# Note: `auth` command removed in pykickstart 3.x — defaults (sha512 shadow) apply.
 rootpw --lock
 user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintext
-auth --useshadow --passalgo=sha512
 
 # ── Bootloader: kernel hardening flags ──
 bootloader --location=mbr --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none"
 
 # ── Disk: BIOS+UEFI, LUKS2, btrfs subvols, zram swap (no disk swap) ──
+# Note: kickstart commands must be single-line — backslash continuations not supported.
 zerombr
 clearpart --all --initlabel
 reqpart --add-boot
 part /boot --fstype=ext4 --size=1024 --asprimary
-part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 \
-    --pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-iterations=9 \
-    --cipher=aes-xts-plain64 --hash=sha512
+part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 --pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-time=9000 --cipher=aes-xts-plain64
 volgroup veilor pv.veilor
-logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow \
-    --mkfsoptions="--mixed"
+logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow --mkfsoptions=--mixed
 
 # ── Packages ──
 %packages --excludedocs