diff --git a/setup/archbaseos-guided-install.sh b/setup/archbaseos-guided-install.sh
index d4294d0..521759d 100755
--- a/setup/archbaseos-guided-install.sh
+++ b/setup/archbaseos-guided-install.sh
@@ -55,11 +55,27 @@ trap 'error_handler $LINENO' ERR
 # Helper Functions
 ############################################
 
-confirm() {
-    # Require the exact string "YES" before erasing $1 — prevents accidental wipes.
-    echo "WARNING: This will ERASE ALL DATA on $1"
-    read -rp "Type YES to continue: " ans
-    [[ $ans == "YES" ]]
+ask_password() {
+    # Prompt for a password and confirm it — BOTH shown in clear text (by request).
+    # Loops until the two entries are identical and non-empty, so a typo can't
+    # silently lock the operator out. The password is therefore typed exactly
+    # twice (once + confirmation) and never again. The result is printed to stdout
+    # for capture via $(...); the prompts and error messages go to stderr so they
+    # never pollute the captured value.
+    local label=$1 _p1 _p2
+    while true; do
+        read -rp "$label: " _p1
+        if [[ -z "$_p1" ]]; then
+            echo "  Password cannot be empty — try again." >&2
+            continue
+        fi
+        read -rp "$label (confirm): " _p2
+        if [[ "$_p1" == "$_p2" ]]; then
+            printf '%s' "$_p1"
+            return 0
+        fi
+        echo "  Passwords do not match — try again." >&2
+    done
 }
 
 ask() {
@@ -157,8 +173,13 @@ KEYMAPS=(
 )
 
 ############################################
-# User input
+# User input — gather EVERYTHING up front
 ############################################
+# All operator input (including passwords) is collected here, before any
+# destructive action runs. Passwords are shown in clear text by request and are
+# each entered twice (once + confirmation) so a typo can't silently lock you out.
+# After this block the only remaining interaction is the single final "type YES"
+# gate plus any physical FIDO2 key taps.
 if $AF_MODE; then
     KERNEL=$(af_get '.kernel' 'linux')
     RAW_HOSTNAME=$(af_get '.hostname' '')
@@ -209,24 +230,62 @@ else
         # Out-of-range input silently falls back to the first entry (us).
         KEYMAP="${KEYMAPS[0]%%|*}"
     fi
+
+    # Whether to run the dotfiles TUI inside the chroot — asked now so the whole
+    # back half of the install can proceed without further interaction.
+    read -rp "Run dotfiles TUI setup inside chroot after base install? [YES/no]: " _TUI_IN
+    _TUI_IN="${_TUI_IN:-YES}"
+    [[ "${_TUI_IN^^}" == "YES" ]] && RUN_TUI="YES" || RUN_TUI="NO"
 fi
 
-# Password always prompted interactively — never stored in the answerfile.
-read -rp "Password for $USERNAME: " USERPASS
-[[ -z "$USERPASS" ]] && { echo "Error: password cannot be empty."; exit 1; }
-
-# Print block device layout so the operator can visually confirm the target drive.
+# ── Target drive ──────────────────────────────────────────────────────────────
+# Print the block device layout so the operator can identify the correct disk.
 lsblk
-
 if $AF_MODE && [[ -n "$(af_get '.drive')" ]]; then
     DRIVE=$(af_get '.drive')
     echo "Drive (from answerfile): $DRIVE"
-    echo "WARNING: All data on $DRIVE will be erased. Proceeding in 5 seconds..."
-    # Give the operator a 5-second window to abort with Ctrl-C before destructive ops.
-    sleep 5
 else
     DRIVE=$(ask "Enter install drive (e.g., /dev/sda)")
-    confirm "$DRIVE" || exit 1
+fi
+
+# ── Passwords (always interactive; shown in clear text, each entered twice) ────
+# Never read from the answerfile. Captured once here and reused everywhere so the
+# operator is never prompted for them again mid-install.
+USERPASS=$(ask_password "Password for $USERNAME")
+
+# LUKS passphrase — only needed when encrypting. Reused below for luksFormat /
+# open / luksAddKey / cryptenroll so it is typed exactly once (plus confirmation),
+# never again during the destructive phase.
+LUKS_PASS=""
+if [[ "$ENCRYPT_DISK" == "YES" ]]; then
+    LUKS_PASS=$(ask_password "Disk encryption (LUKS) passphrase")
+fi
+
+# ── Final confirmation ────────────────────────────────────────────────────────
+# A single gate before anything destructive happens. Summarise the choices so the
+# operator can sanity-check them, then require one explicit all-caps YES.
+echo ""
+echo "──────────────────────────────────────────────"
+echo "  Review your selections:"
+echo "    Kernel:        $KERNEL"
+echo "    Hostname:      $HOSTNAME"
+echo "    Username:      $USERNAME"
+echo "    Keymap:        $KEYMAP"
+echo "    Encrypt disk:  $ENCRYPT_DISK"
+echo "    FIDO2 root:    $ENABLE_FIDO_ROOT"
+echo "    FIDO2 user:    $ENABLE_FIDO_USER"
+echo "    Run TUI:       $RUN_TUI"
+echo "    Target drive:  $DRIVE"
+echo "──────────────────────────────────────────────"
+echo "  WARNING: ALL DATA on $DRIVE will be PERMANENTLY ERASED."
+echo ""
+if $AF_MODE; then
+    # Unattended deployment: no human to type YES — give a short abort window.
+    echo "Answerfile mode — proceeding in 5 seconds (Ctrl-C to abort)..."
+    sleep 5
+else
+    read -rp "Type YES (all caps) to begin installation: " _final_ans
+    [[ "$_final_ans" == "YES" ]] || { echo "Aborted."; exit 1; }
 fi
 
 # Required packages — installed into the live environment before partitioning.
@@ -285,9 +344,11 @@ LUKS_BACKUP_KEY=""
 if [[ "$ENCRYPT_DISK" == "YES" ]]; then
     echo "Formatting LUKS2 root..."
     # --type luks2 uses the newer LUKS2 format required by systemd-cryptenroll for FIDO2.
-    cryptsetup luksFormat "$ROOT_PART" --type luks2
+    # Feed the pre-gathered passphrase on stdin (--key-file=-) and --batch-mode to
+    # skip cryptsetup's own interactive "type uppercase YES" + passphrase prompts.
+    printf '%s' "$LUKS_PASS" | cryptsetup luksFormat "$ROOT_PART" --type luks2 --batch-mode --key-file=-
     # Open (decrypt) the container; exposes it as /dev/mapper/cryptroot for formatting.
-    cryptsetup open "$ROOT_PART" cryptroot
+    printf '%s' "$LUKS_PASS" | cryptsetup open "$ROOT_PART" cryptroot --key-file=-
 
     # ── Auto-generate backup LUKS key ─────────────────────────────────────────
     # A random key enrolled in a second LUKS slot enables recovery without
@@ -297,8 +358,9 @@ if [[ "$ENCRYPT_DISK" == "YES" ]]; then
     # Read 64 bytes of entropy; base64-encode with -w0 to disable line wrapping.
     dd if=/dev/urandom bs=64 count=1 2>/dev/null | base64 -w0 > "$LUKS_BACKUP_KEY"
     echo "Enrolling auto-generated backup LUKS key..."
-    # luksAddKey prompts for the existing passphrase to authorise adding the new key file.
-    cryptsetup luksAddKey "$ROOT_PART" "$LUKS_BACKUP_KEY"
+    # --key-file=- supplies the EXISTING passphrase (on stdin) to authorise the
+    # operation; the positional file is the NEW backup key added to a second slot.
+    printf '%s' "$LUKS_PASS" | cryptsetup luksAddKey "$ROOT_PART" "$LUKS_BACKUP_KEY" --key-file=-
 
     if [[ "$ENABLE_FIDO_ROOT" == "YES" ]]; then
         echo "Enroll FIDO2 key for LUKS2"
@@ -306,7 +368,9 @@ if [[ "$ENCRYPT_DISK" == "YES" ]]; then
         pause
         # systemd-cryptenroll writes the FIDO2 credential into a LUKS2 token slot.
         # --fido2-with-client-pin=no: presence tap only, no PIN required at boot.
-        systemd-cryptenroll "$ROOT_PART" --fido2-device=auto --fido2-with-client-pin=no
+        # $PASSWORD supplies the existing passphrase to unlock a slot for enrollment,
+        # so only the physical key tap remains interactive here.
+        PASSWORD="$LUKS_PASS" systemd-cryptenroll "$ROOT_PART" --fido2-device=auto --fido2-with-client-pin=no
     fi
 
     # Format btrfs on the decrypted mapper device, not the raw partition.
@@ -540,15 +604,9 @@ fi
 ############################################
 # DOTFILES SETUP (in-chroot, optional)
 ############################################
-if $AF_MODE; then
-    # RUN_TUI was already populated from the answerfile earlier.
-    _DO_TUI="${RUN_TUI}"
-else
-    read -rp "Run dotfiles TUI setup inside chroot now? [YES/no]: " _TUI_IN
-    # Default to YES when the user presses Enter without typing anything.
-    _TUI_IN="${_TUI_IN:-YES}"
-    [[ "${_TUI_IN^^}" == "YES" ]] && _DO_TUI="YES" || _DO_TUI="NO"
-fi
+# RUN_TUI was gathered up front (answerfile field or the initial prompt), so no
+# additional interaction is needed at this point.
+_DO_TUI="${RUN_TUI}"
 
 if [[ "${_DO_TUI^^}" == "YES" ]]; then
     # Grant temporary passwordless sudo so the TUI installer can call pacman/yay
diff --git a/setup/modules/lib/logging.sh b/setup/modules/lib/logging.sh
index c6907e4..52891c0 100644
--- a/setup/modules/lib/logging.sh
+++ b/setup/modules/lib/logging.sh
@@ -58,15 +58,15 @@ ensure_flatpak() {
         log "Installing flatpak..."
         sudo pacman -S --noconfirm --needed flatpak
     fi
-    # Add the Flathub remote at --user scope. A system-scope remote (and the
-    # matching `flatpak install` below) needs the org.freedesktop.Flatpak
-    # SystemHelper D-Bus service + polkit, which are not activatable in a chroot
-    # or bare-TTY install — that is the "The name is not activatable" failure.
-    # User scope needs neither, so it works during install and is the right place
-    # for per-user app installs anyway (apply_flatpak_theme already uses --user).
-    if ! flatpak remotes --user 2>/dev/null | grep -q flathub; then
-        log "Adding Flathub remote (user)..."
-        flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+    # Add the Flathub remote at --system scope (global install for all users).
+    # A non-root user requesting a system action triggers the
+    # org.freedesktop.Flatpak SystemHelper over D-Bus + polkit, which is not
+    # activatable in a chroot/bare-TTY install — the "The name is not activatable"
+    # failure. Running via sudo (as root) performs the system operation directly,
+    # so no helper/polkit is involved and global installs work during setup.
+    if ! flatpak remotes --system 2>/dev/null | grep -q flathub; then
+        log "Adding Flathub remote (system)..."
+        sudo flatpak remote-add --system --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
     fi
 }
 
diff --git a/setup/modules/optional-Modules/apps/ardour.sh b/setup/modules/optional-Modules/apps/ardour.sh
index 7a4fc68..43d1543 100755
--- a/setup/modules/optional-Modules/apps/ardour.sh
+++ b/setup/modules/optional-Modules/apps/ardour.sh
@@ -25,7 +25,7 @@ ensure_flatpak
 
 # Install Ardour from the Flathub repository.
 # -y skips the interactive confirmation prompt so the script is non-interactive.
-flatpak install --user -y flathub org.ardour.Ardour
+sudo flatpak install --system -y flathub org.ardour.Ardour
 
 # apply_flatpak_theme: applies the cyberqueer GTK theme override so Ardour's
 # GTK widgets match the rest of the desktop, rather than using the Flatpak
diff --git a/setup/modules/optional-Modules/apps/audacity.sh b/setup/modules/optional-Modules/apps/audacity.sh
index 30fd0c8..27e5aa0 100755
--- a/setup/modules/optional-Modules/apps/audacity.sh
+++ b/setup/modules/optional-Modules/apps/audacity.sh
@@ -22,7 +22,7 @@ log "Installing Audacity (Flatpak)..."
 ensure_flatpak
 
 # Install from Flathub. -y suppresses the interactive confirmation.
-flatpak install --user -y flathub org.audacityteam.Audacity
+sudo flatpak install --system -y flathub org.audacityteam.Audacity
 
 # apply_flatpak_theme: injects the cyberqueer GTK theme into Audacity's
 # Flatpak environment so it renders consistently with the rest of the desktop.
diff --git a/setup/modules/optional-Modules/apps/blender-povray.sh b/setup/modules/optional-Modules/apps/blender-povray.sh
index af17f2f..400daf3 100755
--- a/setup/modules/optional-Modules/apps/blender-povray.sh
+++ b/setup/modules/optional-Modules/apps/blender-povray.sh
@@ -29,7 +29,7 @@ ensure_flatpak
 # Install Blender from Flathub. The Flatpak edition ships its own Python,
 # CUDA/HIP compute libraries, and codec support pre-bundled, avoiding
 # dependency conflicts with the system Python or GPU driver packages.
-flatpak install --user -y flathub org.blender.Blender
+sudo flatpak install --system -y flathub org.blender.Blender
 
 # apply_flatpak_theme: sets the cyberqueer GTK theme for Blender's dialogs
 # (the main 3D viewport uses its own renderer, but file choosers and system
diff --git a/setup/modules/optional-Modules/apps/chromium.sh b/setup/modules/optional-Modules/apps/chromium.sh
index 3cfc80e..bef3b31 100755
--- a/setup/modules/optional-Modules/apps/chromium.sh
+++ b/setup/modules/optional-Modules/apps/chromium.sh
@@ -24,7 +24,7 @@ log "Installing Chromium (Flatpak)..."
 ensure_flatpak
 
 # Install Chromium from Flathub. -y skips the confirmation prompt.
-flatpak install --user -y flathub org.chromium.Chromium
+sudo flatpak install --system -y flathub org.chromium.Chromium
 
 # apply_flatpak_theme: applies the cyberqueer GTK theme so Chromium's file
 # dialogs and context menus match the rest of the desktop.
diff --git a/setup/modules/optional-Modules/apps/firefox-browser.sh b/setup/modules/optional-Modules/apps/firefox-browser.sh
index 17514e7..c107bbe 100755
--- a/setup/modules/optional-Modules/apps/firefox-browser.sh
+++ b/setup/modules/optional-Modules/apps/firefox-browser.sh
@@ -26,7 +26,7 @@ log "Installing Firefox (Flatpak)..."
 ensure_flatpak
 
 # Install from Flathub. -y skips interactive confirmation.
-flatpak install --user -y flathub org.mozilla.firefox
+sudo flatpak install --system -y flathub org.mozilla.firefox
 
 # apply_flatpak_theme: injects the cyberqueer GTK theme so Firefox's native
 # file-open dialogs and context menus match the rest of the desktop.
diff --git a/setup/modules/optional-Modules/apps/obsidian.sh b/setup/modules/optional-Modules/apps/obsidian.sh
index 4fefd4e..c87291f 100755
--- a/setup/modules/optional-Modules/apps/obsidian.sh
+++ b/setup/modules/optional-Modules/apps/obsidian.sh
@@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Obsidian (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub md.obsidian.Obsidian
+sudo flatpak install --system -y flathub md.obsidian.Obsidian
 apply_flatpak_theme "md.obsidian.Obsidian"
 
 log "Obsidian installed."
diff --git a/setup/modules/optional-Modules/apps/prism.sh b/setup/modules/optional-Modules/apps/prism.sh
index 65d23e8..91237fd 100755
--- a/setup/modules/optional-Modules/apps/prism.sh
+++ b/setup/modules/optional-Modules/apps/prism.sh
@@ -8,6 +8,6 @@ log "Installing PrismLauncher (Flatpak)..."
 # PrismLauncher is a Minecraft launcher that manages multiple instances and Java versions.
 # The Flatpak edition bundles its own Java runtimes, avoiding system JDK conflicts.
 # -y: non-interactive, auto-approve all prompts.
-flatpak install --user -y flathub org.prismlauncher.PrismLauncher
+sudo flatpak install --system -y flathub org.prismlauncher.PrismLauncher
 apply_flatpak_theme "org.prismlauncher.PrismLauncher"
 log "PrismLauncher installed."
diff --git a/setup/modules/optional-Modules/apps/rdp-client.sh b/setup/modules/optional-Modules/apps/rdp-client.sh
index 7d597bc..5e92db6 100755
--- a/setup/modules/optional-Modules/apps/rdp-client.sh
+++ b/setup/modules/optional-Modules/apps/rdp-client.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Remmina (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub org.remmina.Remmina
+sudo flatpak install --system -y flathub org.remmina.Remmina
 apply_flatpak_theme "org.remmina.Remmina"
 log "Remmina installed."
diff --git a/setup/modules/optional-Modules/apps/rnote.sh b/setup/modules/optional-Modules/apps/rnote.sh
index 38185f6..de6c1c5 100755
--- a/setup/modules/optional-Modules/apps/rnote.sh
+++ b/setup/modules/optional-Modules/apps/rnote.sh
@@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Rnote (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub com.github.flxzt.rnote
+sudo flatpak install --system -y flathub com.github.flxzt.rnote
 apply_flatpak_theme "com.github.flxzt.rnote"
 
 log "Rnote installed."
diff --git a/setup/modules/optional-Modules/apps/shotcut.sh b/setup/modules/optional-Modules/apps/shotcut.sh
index 75b34b9..a44d145 100755
--- a/setup/modules/optional-Modules/apps/shotcut.sh
+++ b/setup/modules/optional-Modules/apps/shotcut.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Shotcut (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub org.shotcut.Shotcut
+sudo flatpak install --system -y flathub org.shotcut.Shotcut
 apply_flatpak_theme "org.shotcut.Shotcut"
 log "Shotcut installed."
diff --git a/setup/modules/optional-Modules/apps/steam.sh b/setup/modules/optional-Modules/apps/steam.sh
index 9ea193f..68711be 100755
--- a/setup/modules/optional-Modules/apps/steam.sh
+++ b/setup/modules/optional-Modules/apps/steam.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Steam (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub com.valvesoftware.Steam
+sudo flatpak install --system -y flathub com.valvesoftware.Steam
 apply_flatpak_theme "com.valvesoftware.Steam"
 log "Steam installed."
diff --git a/setup/modules/optional-Modules/apps/stuntrally.sh b/setup/modules/optional-Modules/apps/stuntrally.sh
index 246b3ce..aa5378f 100755
--- a/setup/modules/optional-Modules/apps/stuntrally.sh
+++ b/setup/modules/optional-Modules/apps/stuntrally.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Stunt Rally (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub io.github.stuntrally.StuntRally3
+sudo flatpak install --system -y flathub io.github.stuntrally.StuntRally3
 apply_flatpak_theme "io.github.stuntrally.StuntRally3"
 log "Stunt Rally installed."
diff --git a/setup/modules/optional-Modules/apps/tangent-notes.sh b/setup/modules/optional-Modules/apps/tangent-notes.sh
index f39d6f7..4d51bfb 100755
--- a/setup/modules/optional-Modules/apps/tangent-notes.sh
+++ b/setup/modules/optional-Modules/apps/tangent-notes.sh
@@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Tangent Notes (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub io.github.suchnsuch.Tangent
+sudo flatpak install --system -y flathub io.github.suchnsuch.Tangent
 apply_flatpak_theme "io.github.suchnsuch.Tangent"
 
 log "Tangent Notes installed."
diff --git a/setup/modules/optional-Modules/apps/vesktop.sh b/setup/modules/optional-Modules/apps/vesktop.sh
index 549b0ca..0dc5e40 100755
--- a/setup/modules/optional-Modules/apps/vesktop.sh
+++ b/setup/modules/optional-Modules/apps/vesktop.sh
@@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Vesktop (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub dev.vencord.Vesktop
+sudo flatpak install --system -y flathub dev.vencord.Vesktop
 apply_flatpak_theme "dev.vencord.Vesktop"
 
 log "Deploying Vencord config..."
diff --git a/setup/modules/optional-Modules/apps/vscodium.sh b/setup/modules/optional-Modules/apps/vscodium.sh
index 42243d9..8401d49 100755
--- a/setup/modules/optional-Modules/apps/vscodium.sh
+++ b/setup/modules/optional-Modules/apps/vscodium.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing VSCodium (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub com.vscodium.codium
+sudo flatpak install --system -y flathub com.vscodium.codium
 apply_flatpak_theme "com.vscodium.codium"
 log "VSCodium installed."
diff --git a/setup/modules/optional-Modules/apps/wireshark.sh b/setup/modules/optional-Modules/apps/wireshark.sh
index d9d565e..2910658 100755
--- a/setup/modules/optional-Modules/apps/wireshark.sh
+++ b/setup/modules/optional-Modules/apps/wireshark.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Wireshark (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub org.wireshark.Wireshark
+sudo flatpak install --system -y flathub org.wireshark.Wireshark
 apply_flatpak_theme "org.wireshark.Wireshark"
 log "Wireshark installed."
diff --git a/setup/modules/optional-Modules/apps/xournal.sh b/setup/modules/optional-Modules/apps/xournal.sh
index d58f626..e1b749d 100755
--- a/setup/modules/optional-Modules/apps/xournal.sh
+++ b/setup/modules/optional-Modules/apps/xournal.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Xournal++ (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub com.github.xournalpp.xournalpp
+sudo flatpak install --system -y flathub com.github.xournalpp.xournalpp
 apply_flatpak_theme "com.github.xournalpp.xournalpp"
 log "Xournal++ installed."
diff --git a/setup/modules/optional-Modules/apps/zed-ide.sh b/setup/modules/optional-Modules/apps/zed-ide.sh
index 6aa037d..17add9f 100755
--- a/setup/modules/optional-Modules/apps/zed-ide.sh
+++ b/setup/modules/optional-Modules/apps/zed-ide.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Zed editor (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub dev.zed.Zed
+sudo flatpak install --system -y flathub dev.zed.Zed
 apply_flatpak_theme "dev.zed.Zed"
 log "Zed editor installed."
diff --git a/setup/modules/optional-Modules/apps/zen-browser.sh b/setup/modules/optional-Modules/apps/zen-browser.sh
index 8ff3bf7..6441402 100755
--- a/setup/modules/optional-Modules/apps/zen-browser.sh
+++ b/setup/modules/optional-Modules/apps/zen-browser.sh
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"
 
 log "Installing Zen Browser (Flatpak)..."
 ensure_flatpak
-flatpak install --user -y flathub io.github.zen_browser.zen
+sudo flatpak install --system -y flathub io.github.zen_browser.zen
 apply_flatpak_theme "io.github.zen_browser.zen"
 log "Zen Browser installed."
diff --git a/setup/tui-install.sh b/setup/tui-install.sh
index 9329eae..61c1217 100755
--- a/setup/tui-install.sh
+++ b/setup/tui-install.sh
@@ -390,7 +390,6 @@ count_steps() {
 # AF_* variables hold values parsed from the JSON answerfile.
 # They are initialised to safe defaults so the rest of the script can reference
 # them unconditionally whether or not answerfile mode is active.
-AF_HOSTNAME=""
 AF_COMPONENTS=""
 AF_DE="none"
 AF_APPS=""
@@ -406,7 +405,6 @@ load_answerfile() {
     # -r outputs raw strings without JSON quoting.
     # '// ""' / '// "none"' are jq's null-coalescing operator: if the key is
     # absent from the file the expression yields the fallback instead.
-    AF_HOSTNAME=$(jq -r '.hostname // ""' "$ANSWERFILE")
     # JSON arrays are flattened to a space-separated string to match the format
     # that COMPONENTS and SELECTED_APPS expect throughout the rest of the script.
     AF_COMPONENTS=$(jq -r '(.components // []) | join(" ")' "$ANSWERFILE")
@@ -421,20 +419,6 @@ load_answerfile() {
     AF_COLOR_RED=$(jq -r '.colors.COLOR_RED // ""' "$ANSWERFILE")
 }
 
-# ── MAC address helper ────────────────────────────────────────────────────────
-get_mac_suffix() {
-    # Returns the MAC address of the first non-loopback interface, colons stripped.
-    # Used to make answerfile-derived hostnames unique per machine (e.g. "myhost-aabbccddee").
-    local mac
-    # awk state machine: sets iface=1 when it sees an interface line whose name
-    # does NOT start with "lo" ([^l][^o] skips "lo"), then captures the
-    # 'link/ether XX:XX:XX:XX:XX:XX' line and exits immediately after the first hit.
-    mac=$(ip link show 2>/dev/null \
-        | awk '/^[0-9]+: [^l][^o]/{iface=1} iface && /link\/ether/{print $2; iface=0; exit}')
-    # Strip colons from the MAC so it is safe to embed in a hostname (only [a-z0-9-] allowed).
-    printf '%s' "${mac//:/}"
-}
-
 # ── Preflight ─────────────────────────────────────────────────────────────────
 if [[ $EUID -eq 0 ]]; then
     # Root context (e.g. archiso chroot): shim sudo as a passthrough
@@ -493,32 +477,8 @@ if ! $ANSWERFILE_MODE; then
   Log:     $LOG"
 fi
 
-# ── Hostname ──────────────────────────────────────────────────────────────────
-HOSTNAME_SET=""
-if $ANSWERFILE_MODE; then
-    if [[ -n "$AF_HOSTNAME" ]]; then
-        # Append the stripped MAC address to the base name from the answerfile.
-        # This makes each cloned machine's hostname unique without needing per-host
-        # answerfiles (useful for mass-provisioning identical images).
-        MAC=$(get_mac_suffix)
-        HOSTNAME_SET="${AF_HOSTNAME}-${MAC}"
-        printf "Hostname (from answerfile + MAC): %s\n" "$HOSTNAME_SET" | tee -a "$LOG"
-    fi
-else
-    # ui_input prints its prompt to stderr and the typed value to stdout, so the
-    # $() capture receives only the hostname.  A blank line keeps the default.
-    HOSTNAME_INPUT=$(ui_input " Hostname " \
-        "  Hostname for this machine (leave blank to keep default).") || HOSTNAME_INPUT=""
-    HOSTNAME_SET="$HOSTNAME_INPUT"
-fi
-
-if [[ -n "$HOSTNAME_SET" ]]; then
-    # hostnamectl is the preferred method on systemd systems; fall back to writing
-    # /etc/hostname directly for minimal chroot environments that lack systemd.
-    sudo hostnamectl set-hostname "$HOSTNAME_SET" 2>/dev/null \
-        || echo "$HOSTNAME_SET" | sudo tee /etc/hostname > /dev/null
-    printf "Hostname set: %s\n" "$HOSTNAME_SET" >> "$LOG"
-fi
+# Note: the hostname is set by the base installer (archbaseos-guided-install.sh),
+# so this script intentionally does not prompt for or change it.
 
 # ── Component selection ───────────────────────────────────────────────────────
 if $ANSWERFILE_MODE; then
@@ -660,7 +620,6 @@ if ! $ANSWERFILE_MODE; then
     # Build a human-readable summary of everything that will be installed so the
     # user can review the full list before any changes are made to the system.
     SUMMARY=""
-    [[ -n "$HOSTNAME_SET" ]] && SUMMARY+="  ✦ Hostname: $HOSTNAME_SET\n"
     [[ "$COMPONENTS" == *"pkg"*      ]] && SUMMARY+="  ✦ Package managers (yay, nvm, rust)\n"
     [[ "$COMPONENTS" == *"core"*     ]] && SUMMARY+="  ✦ Core packages\n"
     [[ "$COMPONENTS" == *"svc"*      ]] && SUMMARY+="  ✦ Core services\n"