diff --git a/scripts/stage-colibri-iso.sh b/scripts/stage-colibri-iso.sh
index 10fce5ba..74b77965 100755
--- a/scripts/stage-colibri-iso.sh
+++ b/scripts/stage-colibri-iso.sh
@@ -100,11 +100,18 @@ sed -i '' 's/ -u \${colibri_daemon_user} //' \
 # Fix pidfile permissions: daemon(8) -P creates the pidfile as 0600
 # owned by the target user, which blocks non-root users (clawdie) from
 # running 'service colibri_daemon status'. Chmod in poststart.
-sed -i '' '/socket ready/a\
-    chmod 644 "${pidfile}" 2>/dev/null || true
-a\
-    chmod 660 "${colibri_daemon_socket}" 2>/dev/null || true' \
-    "${RC_DIR}/colibri_daemon"
+# Use awk instead of sed append syntax: BSD sed's multi-line append form is
+# easy to get wrong and can corrupt the rc.d script by appending to every line.
+_rc_tmp="${RC_DIR}/colibri_daemon.tmp"
+awk '
+    { print }
+    /socket ready/ {
+        print "    chmod 644 \"${pidfile}\" 2>/dev/null || true"
+        print "    chmod 660 \"${colibri_daemon_socket}\" 2>/dev/null || true"
+    }
+' "${RC_DIR}/colibri_daemon" > "${_rc_tmp}"
+mv "${_rc_tmp}" "${RC_DIR}/colibri_daemon"
+chmod 0555 "${RC_DIR}/colibri_daemon"
 
 # Add DeepSeek API key and cache warming to daemon environment.
 # These are injected into the rc.d prestart so the daemon picks them up