diff --git a/BUILD.md b/BUILD.md
index 40a1afc8..2ba90ddf 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -146,7 +146,7 @@ Published/downloaded artifacts are compressed as `.img.xz`. Stream the
 compressed image directly into `dd`:
 
 ```sh
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync
 sync
 ```
 
@@ -163,7 +163,7 @@ curl -fL --retry 5 --retry-delay 5 -O \
 For a build-local uncompressed image, plain `dd` is also fine:
 
 ```sh
-sudo dd if=tmp/output/clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync
+dd if=tmp/output/clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync && sync
 sync
 ```
 
diff --git a/FLASHING.md b/FLASHING.md
index d986fe5c..829f477d 100644
--- a/FLASHING.md
+++ b/FLASHING.md
@@ -68,7 +68,7 @@ Flash by streaming xz into `dd`:
 
 ```sh
 set -o pipefail 2>/dev/null || true
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync
 sync
 ```
 
@@ -116,7 +116,7 @@ sudo umount /dev/daXs* 2>/dev/null
 Flash by streaming xz into `dd`:
 
 ```sh
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync
 sync
 ```
 
@@ -152,14 +152,14 @@ For a local build artifact that already exists as a raw image:
 ### Linux
 
 ```sh
-sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/sdX bs=4M status=progress conv=fsync
+dd if=clawdie-quindecim-0.11.0.img of=/dev/sdX bs=4M status=progress conv=fsync && sync
 sync
 ```
 
 ### FreeBSD
 
 ```sh
-sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync
+dd if=clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync && sync
 sync
 ```
 
@@ -189,7 +189,7 @@ Then wipe only after confirming `/dev/sdX` is the USB stick:
 
 ```sh
 sudo sgdisk --zap-all /dev/sdX
-sudo dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync
+dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync
 sync
 ```
 
@@ -205,7 +205,7 @@ Then wipe only after confirming `/dev/daX` is the USB stick:
 
 ```sh
 sudo gpart destroy -F /dev/daX
-sudo dd if=/dev/zero of=/dev/daX bs=16M status=progress conv=fsync
+dd if=/dev/zero of=/dev/daX bs=16M status=progress conv=fsync
 sync
 ```
 
diff --git a/README.md b/README.md
index 4317f935..038c38ea 100644
--- a/README.md
+++ b/README.md
@@ -243,7 +243,7 @@ Linux:
 ```sh
 sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync
 sync
 ```
 
@@ -252,7 +252,7 @@ FreeBSD:
 ```sh
 HASH=$(awk '{print $1}' clawdie-quindecim-0.11.0.img.xz.sha256)
 sha256 -c "$HASH" clawdie-quindecim-0.11.0.img.xz
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync
 sync
 ```
 
diff --git a/TESTING.md b/TESTING.md
index 1a7ddbe4..a9060fdc 100644
--- a/TESTING.md
+++ b/TESTING.md
@@ -418,7 +418,7 @@ If you see stale labels such as `nomadbsd_zroot`, wipe the whole stick first:
 ```sh
 sudo umount /dev/sdX* 2>/dev/null || true
 sudo sgdisk --zap-all /dev/sdX
-sudo dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync
+dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync
 ```
 
 ### Flash the image
@@ -433,7 +433,7 @@ curl -fL --retry 5 --retry-delay 5 -O \
   https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256
 sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256
 set -o pipefail 2>/dev/null || true
-xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync
 sync
 ```
 
diff --git a/build.sh b/build.sh
index 3252e6be..9bafc23e 100755
--- a/build.sh
+++ b/build.sh
@@ -864,12 +864,74 @@ install_live_runtime_packages() {
         exit 1
     fi
 
+    # Lock the repacked networkmgr package so pkg upgrade doesn't replace it
+    # with the upstream version that depends on sudo. The ISO uses mdo/mac_do
+    # instead of sudo; see override_networkmgr_package() above.
+    if ! chroot "${MOUNT_POINT}" /usr/local/sbin/pkg lock -y networkmgr; then
+        [ "$_mounted_procfs" -eq 1 ] && umount "${MOUNT_POINT}/proc" 2>/dev/null || true
+        [ "$_mounted_devfs" -eq 1 ] && umount "${MOUNT_POINT}/dev" 2>/dev/null || true
+        echo "ERROR: failed to lock networkmgr package on live image"
+        exit 1
+    fi
+
     refresh_live_desktop_caches
 
     [ "$_mounted_procfs" -eq 1 ] && umount "${MOUNT_POINT}/proc" 2>/dev/null || true
     [ "$_mounted_devfs" -eq 1 ] && umount "${MOUNT_POINT}/dev" 2>/dev/null || true
 }
 
+install_firefox_extensions() {
+    # Pre-stage uBlock Origin and Bitwarden, and apply enterprise policies
+    # (no default-browser check — Firefox is the only browser on the USB).
+    local _ff_dist="${MOUNT_POINT}/usr/local/lib/firefox/distribution"
+    local _ext_dir="${_ff_dist}/extensions"
+    local _policies="${_ff_dist}/policies.json"
+
+    echo "    Configuring Firefox..."
+
+    mkdir -p "${_ext_dir}" || {
+        echo "ERROR: failed to create Firefox distribution directory"
+        exit 1
+    }
+
+    # Disable "make default browser" popup — Firefox is the only browser.
+    cat > "${_policies}" <<'POLICIES'
+{
+  "policies": {
+    "DontCheckDefaultBrowser": true
+  }
+}
+POLICIES
+    chmod 0644 "${_policies}"
+
+    # Download a Firefox extension XPI if not already cached.
+    # Usage: _fetch_xpi <slug> <extension-id> <label>
+    _fetch_xpi() {
+        local _slug="$1" _id="$2" _label="$3"
+        local _xpi="${_ext_dir}/${_id}.xpi"
+        local _url="https://addons.mozilla.org/firefox/downloads/latest/${_slug}/latest.xpi"
+
+        if [ -f "${_xpi}" ]; then
+            echo "    ${_label} XPI already cached, skipping download"
+            return 0
+        fi
+
+        echo "    Downloading ${_label}..."
+        /usr/bin/fetch -o "${_xpi}" "${_url}" || {
+            echo "ERROR: failed to download ${_label} XPI"
+            exit 1
+        }
+    }
+
+    _fetch_xpi "ublock-origin" "uBlock0@raymondhill.net" "uBlock Origin"
+    _fetch_xpi "sponsorblock" "sponsorBlocker@ajay.app" "SponsorBlock"
+    _fetch_xpi "istilldontcareaboutcookies" "idcac-pub@guus.ninja" "I still don't care about cookies"
+    _fetch_xpi "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}" "Bitwarden"
+
+    chmod 0755 "${_ext_dir}"
+    echo "    Firefox extensions staged — auto-installed on first launch"
+}
+
 install_colibri_service() {
     [ "${FEATURE_COLIBRI:-NO}" = "YES" ] || {
         echo "    Colibri service staging disabled (FEATURE_COLIBRI=${FEATURE_COLIBRI:-NO})"
@@ -2413,6 +2475,7 @@ mkdir -p "$USB_SHARE"
 rm -f "${MOUNT_POINT}/etc/installerconfig"
 
 install_live_runtime_packages
+install_firefox_extensions
 configure_live_operator_session
 install_colibri_service
 install_zot_agent
@@ -2527,4 +2590,4 @@ echo "    Image size : ${IMAGE_LOGICAL_SIZE}"
 echo "    Allocated  : ${IMAGE_ALLOCATED_SIZE} (sparse on build host)"
 echo ""
 echo "    Write to USB:"
-echo "    dd if=${OUTPUT_IMAGE} of=/dev/daX bs=1M status=progress"
+echo "    dd if=${OUTPUT_IMAGE} of=/dev/daX bs=1M status=progress conv=fsync && sync"
diff --git a/live/operator-session/panel-skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml b/live/operator-session/panel-skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml
index 214f23c2..e06c588a 100644
--- a/live/operator-session/panel-skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml
+++ b/live/operator-session/panel-skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml
@@ -35,8 +35,8 @@
         <value type="int" value="5"/>
         <value type="int" value="6"/>
         <value type="int" value="7"/>
-        <value type="int" value="8"/>
         <value type="int" value="9"/>
+        <value type="int" value="8"/>
         <value type="int" value="10"/>
         <value type="int" value="12"/>
       </property>
@@ -96,7 +96,7 @@
     <property name="plugin-10" type="string" value="xkb">
       <property name="display-type" type="uint" value="0"/>
       <property name="display-name" type="uint" value="0"/>
-      <property name="display-scale" type="uint" value="60"/>
+      <property name="display-scale" type="uint" value="50"/>
       <property name="group-policy" type="uint" value="0"/>
     </property>
     <property name="plugin-12" type="string" value="clock">
diff --git a/skills/iso-flash-verify/SKILL.md b/skills/iso-flash-verify/SKILL.md
index 3a63c357..33deeb8d 100644
--- a/skills/iso-flash-verify/SKILL.md
+++ b/skills/iso-flash-verify/SKILL.md
@@ -95,7 +95,7 @@ whole-disk path with the operator before writing.
 Example for Linux, replacing `/dev/sdX` with the confirmed whole disk:
 
 ```sh
-xz -dc tmp/flash-downloads/<image>.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync
+xz -dc tmp/flash-downloads/<image>.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync
 sync
 ```