diff --git a/hosts/yarn/default.nix b/hosts/yarn/default.nix
index 632db62..777b4d4 100644
--- a/hosts/yarn/default.nix
+++ b/hosts/yarn/default.nix
@@ -183,35 +183,15 @@
 '';
 in
 {
- jovian-stubs = prev.stdenv.mkDerivation {
- name = "jovian-stubs";
- dontUnpack = true;
- installPhase = ''
- mkdir -p $out/bin
- ln -s ${steamos-update-script} $out/bin/holo-update
-
- # pkexec: pass through to real pkexec
- cat > $out/bin/pkexec << 'STUB'
- #!/bin/sh
- exec /run/wrappers/bin/pkexec "$@"
- STUB
-
- # sudo: strip flags and run the command directly (no escalation).
- # privileged ops are delegated to root systemd services via systemctl.
- cat > $out/bin/sudo << 'STUB'
- #!/bin/sh
- while [ $# -gt 0 ]; do
- case "$1" in
- -*) shift ;;
- *) break ;;
- esac
- done
- exec "$@"
- STUB
-
- find $out/bin -type f -exec chmod 755 {} +
+ # Only replace holo-update (and its steamos-update alias) with our
+ # binary-cache pull script. All other stubs (pkexec, sudo,
+ # holo-reboot, holo-select-branch, …) come from upstream unchanged.
+ jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
+ buildCommand = (old.buildCommand or "") + ''
+ install -D -m 755 ${steamos-update-script} $out/bin/holo-update
+ install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
 '';
- };
+ });
 }
 )
 ];
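Review bot: The `(old.buildCommand or "")` fallback in the new `jovian-stubs` override hides the case where upstream does not define `buildCommand`. As far as I know, a non-empty `buildCommand` in stdenv replaces the normal phases, so in that case the output would hold only `holo-update` and `steamos-update`, and the pkexec and sudo stubs the comment says are kept would be missing with no evaluation error. Writing `buildCommand = old.buildCommand + ''` makes a change in upstream's shape fail at evaluation instead. The removed local sudo stub deliberately ran commands without escalation, and the upstream pkexec and sudo stubs are not visible in this hunk, so I would extend the comment to say what they do on this host, for example `# upstream sudo/pkexec stubs: <escalate | pass through> — checked against jovian-stubs at <rev>`. The enclosing overlay starts and ends outside the hunk.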