diff --git a/nix/modules/nightly-sweep.nix b/nix/modules/nightly-sweep.nix
index a41f6d7..17fe2b8 100644
--- a/nix/modules/nightly-sweep.nix
+++ b/nix/modules/nightly-sweep.nix
@@ -26,6 +26,13 @@ let
       export HOME=/root
       export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
       export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+      # ENV PARITY with the Drone recipe-CI runner (canon DEFECT-3): the recipes + their tests shell
+      # out to host tooling (git-lfs for gitea, openssl, etc.). Drone's exec runner runs them with
+      # PATH=/run/current-system/sw/bin:/run/wrappers/bin; writeShellApplication otherwise gives a
+      # clean nix-only PATH, so the timer sweep silently lacked tools the recipes assume (a real fire
+      # caught git-lfs + bash gaps that manual ssh runs, with a login PATH, masked). Prepend the host
+      # system PATH so the sweep validates recipes in the SAME environment Drone does.
+      export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"
       # canon M1.4: read enrollment + run the harness from the deployed checkout (has tests/).
       export CCCI_REPO=/etc/cc-ci
       cd "$CCCI_REPO"