diff --git a/packaging/freebsd/colibri_daemon.in b/packaging/freebsd/colibri_daemon.in
index ac9a571..bc6c05a 100644
--- a/packaging/freebsd/colibri_daemon.in
+++ b/packaging/freebsd/colibri_daemon.in
@@ -50,6 +50,7 @@ load_rc_config $name
 : ${colibri_daemon_provider_env:="/usr/local/etc/colibri/provider.env"}
 : ${colibri_daemon_host:="$(/bin/hostname)"}
 : ${colibri_daemon_cost_mode:="smart"}
+: ${colibri_daemon_require_secured:="NO"}
 
 pidfile="${colibri_daemon_run_dir}/colibri-daemon.pid"
 # Supervisor pidfile (the daemon(8) parent). Kept distinct from the child
@@ -102,6 +103,22 @@ colibri_daemon_prestart()
     set +a
   fi
 
+  # Require-secured gate. When enabled (default NO), the daemon refuses to
+  # autospawn an agent until the first-boot password gate has written the
+  # .secured marker (/var/db/colibri/.secured). This ensures an unsecured
+  # USB node does not register with mother or run tasks until the operator
+  # has set root+clawdie passwords. Deployed/disk hosts that never run the
+  # firstboot gate should leave this at NO (the default).
+  #
+  # Must run AFTER the provider.env block above — otherwise a
+  # COLIBRI_AUTOSPAWN=YES in provider.env would override this.
+  if checkyesno colibri_daemon_require_secured; then
+    if [ ! -e "${colibri_daemon_data_dir}/.secured" ]; then
+      echo "colibri_daemon: node unsecured — autospawn disabled"
+      export COLIBRI_AUTOSPAWN=NO
+    fi
+  fi
+
   # Config is passed to the child via the environment.
   export COLIBRI_DAEMON_DATA_DIR="${colibri_daemon_data_dir}"
   export COLIBRI_DAEMON_SOCKET="${colibri_daemon_socket}"
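Review bot: The marker test on the `[ ! -e "${colibri_daemon_data_dir}/.secured" ]` line is satisfied by anything at that path — a directory, an empty file, or a symlink — created by whoever can write to the data directory, so the gate is only as strong as that directory's permissions; since prestart runs as root, `if [ ! -f "${colibri_daemon_data_dir}/.secured" ] || [ ! -O "${colibri_daemon_data_dir}/.secured" ]; then` requires a root-owned regular file and makes a stray unprivileged write insufficient. The diagnostic on the `echo` line goes to stdout rather than through rc.subr; `warn "node unsecured — autospawn disabled"` lands where other rc warnings do. The comment hardcodes `/var/db/colibri/.secured` while the code reads `${colibri_daemon_data_dir}`; writing `${colibri_daemon_data_dir}/.secured` in the comment keeps the two from drifting, and the new `colibri_daemon_require_secured` knob should also be listed in the script's rc.conf documentation header, which is outside this hunk. colibri_daemon_prestart() continues past the hunk, so whether a later line re-exports COLIBRI_AUTOSPAWN cannot be confirmed here.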