diff --git a/live/operator-session/clawdie-join-hive.sh b/live/operator-session/clawdie-join-hive.sh
index fabc879..27c0842 100755
--- a/live/operator-session/clawdie-join-hive.sh
+++ b/live/operator-session/clawdie-join-hive.sh
@@ -204,15 +204,20 @@ printf "%s" "$ITEM"
 ' 2>/dev/null)"
 if [ -n "${_tskey:-}" ]; then
 echo "$_tskey" | grep -q '^tskey-auth-' && {
-mdo -u root sh -c "
-printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env
-chmod 0600 /usr/local/etc/colibri/provider.env
-"
+# Pass the key via stdin, not argv, so it never appears in ps.
+printf '%s' "$_tskey" | mdo -u root sh -c '
+set -eu
+f="/usr/local/etc/colibri/provider.env"
+read -r k
+printf "TAILSCALE_AUTH_KEY=%s\n" "$k" >> "$f"
+chmod 0600 "$f"
+'
 echo " TAILSCALE_AUTH_KEY written to provider.env."
-if service clawdie_tailscale_up start >/dev/null 2>&1; then
+# onestart: the service defaults to enable=NO on the OOTB image, and
+# onestart bypasses rcvar. With required_files removed it reads the
+# key from provider.env and strips it after a successful join.
+if mdo -u root service clawdie_tailscale_up onestart >/dev/null 2>&1; then
 echo " Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))."
-# One-shot: remove the key from provider.env after use.
-mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env/d"
 else
 echo " WARNING: tailscale up failed — check the key in Vaultwarden."
 fi
diff --git a/live/operator-session/clawdie-tailscale-up b/live/operator-session/clawdie-tailscale-up
index a0db8a2..1814858 100644
--- a/live/operator-session/clawdie-tailscale-up
+++ b/live/operator-session/clawdie-tailscale-up
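Review bot: The new root-side script never writes the key, because `printf '%s' "$_tskey"` sends no trailing newline, so `read -r k` hits EOF, returns non-zero, and `set -eu` aborts the script before the `printf "TAILSCALE_AUTH_KEY=%s\n" "$k" >> "$f"` line; the caller still prints `TAILSCALE_AUTH_KEY written to provider.env.` and proceeds to `onestart` with no key in the file. Feed it `printf '%s\n' "$_tskey"` (or accept the EOF case with `read -r k || [ -n "$k" ]`). The pipeline's exit status is also discarded, so checking it before the success message, e.g. `' || { echo " WARNING: could not write provider.env." >&2; }`, keeps that message honest. Doing `chmod 0600 "$f"` before the append rather than after would close the brief window in which the key sits in a file with whatever mode it had; whether that mode is already restrictive is not visible here. The enclosing `&& {` group and the outer `if [ -n "${_tskey:-}" ]` close after this hunk.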
@@ -10,8 +10,11 @@ name="clawdie_tailscale_up"
 rcvar="${name}_enable"
 start_cmd="${name}_start"
 stop_cmd=":"
-required_files="/var/lib/clawdie-iso/tailscale-authkey"
+# No required_files: the key may come from provider.env (vault-fetched by
+# join-hive) rather than the legacy keyfile, and onestart still enforces
+# required_files. The start function returns 0 cleanly when neither source
+# carries a key.
 clawdie_tailscale_up_start() {
 _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
 _envfile="/usr/local/etc/colibri/provider.env"
@@ -31,9 +34,14 @@ clawdie_tailscale_up_start() {
 service tailscaled onestatus >/dev/null 2>&1 || return 1
 if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
-# Clean up both sources so the one-shot key is consumed.
-grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \
-mv "$_envfile.tmp" "$_envfile" || true
+# Clean up both sources so the one-shot key is consumed. provider.env
+# still holds the BW_* creds, so keep it 0600 after the rewrite.
+if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then
+chmod 0600 "$_envfile.tmp"
+mv "$_envfile.tmp" "$_envfile"
+else
+rm -f "$_envfile.tmp"
+fi
 rm -f "$_keyfile"
 /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
 return 0
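Review bot: The new `if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp"` branch in the second hunk treats grep's exit status 1 as failure, but `grep -v` exits 1 whenever no lines remain — exactly the case where the key was the only line in provider.env — so the else branch discards the correctly empty tmp file and the one-shot key stays in provider.env while `rm -f "$_keyfile"`, the sysrc disable and `return 0` still run. Only status 2 (read error) should keep the original; capture `$?` and test `-le 1`. The tmp file is also created under the calling umask before the `chmod 0600` line, so wrapping the redirect in `( umask 077; … )` avoids a momentary wider mode; whether rc(8) already runs with a restrictive umask is not visible here. `clawdie_tailscale_up_start` begins before this hunk.
```shell
        # grep -v exits 1 when nothing remains (the key was the only line);
        # that is still a successful rewrite. Only status 2 (read error)
        # leaves the original file untouched.
        ( umask 077; grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null )
        _rc=$?
        if [ "$_rc" -le 1 ]; then
            chmod 0600 "$_envfile.tmp"
            mv "$_envfile.tmp" "$_envfile"
        else
            rm -f "$_envfile.tmp"
        fi
        # … unchanged: rm -f "$_keyfile", sysrc disable, return 0 …
```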