diff --git a/hive-c0re/src/lifecycle.rs b/hive-c0re/src/lifecycle.rs
index 1a0a3d6..2ad9188 100644
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@@ -341,13 +341,27 @@ fn set_nspawn_flags(container: &str, agent_dir: &Path) -> Result<()> {
 .lines()
 .filter(|line| {
 let trimmed = line.trim_start();
+ // Strip any network-namespace knobs nixos-container's create
+ // might have populated. The start script adds `--network-veth`
+ // whenever HOST_ADDRESS / LOCAL_ADDRESS (or their IPv6 cousins)
+ // are non-empty — and veth implies a private netns, hiding our
+ // web-UI port from the host. Force host netns.
 !trimmed.starts_with("EXTRA_NSPAWN_FLAGS=")
 && !trimmed.starts_with("PRIVATE_NETWORK=")
+ && !trimmed.starts_with("HOST_ADDRESS=")
+ && !trimmed.starts_with("LOCAL_ADDRESS=")
+ && !trimmed.starts_with("HOST_ADDRESS6=")
+ && !trimmed.starts_with("LOCAL_ADDRESS6=")
+ && !trimmed.starts_with("HOST_BRIDGE=")
 })
 .map(str::to_owned)
 .collect();
- // Share host netns so per-agent web UI ports are reachable directly.
 lines.push("PRIVATE_NETWORK=0".to_owned());
+ lines.push("HOST_ADDRESS=".to_owned());
+ lines.push("LOCAL_ADDRESS=".to_owned());
+ lines.push("HOST_ADDRESS6=".to_owned());
+ lines.push("LOCAL_ADDRESS6=".to_owned());
+ lines.push("HOST_BRIDGE=".to_owned());
 lines.push(bind_flag);
 let mut content = lines.join("\n");
 content.push('\n');
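Review bot: The network keys are now spelled out twice in set_nspawn_flags — once as `starts_with("…=")` patterns in the filter closure and again as the emptied `lines.push("…=")` values — and the two lists must stay in lockstep, otherwise a key stripped by the filter is never re-emitted or a stale value survives the rewrite. One `const` slice of the `KEY=` prefixes driving both the filter and the pushes removes the duplication and makes adding a key a one-line change. The deleted comment on the `PRIVATE_NETWORK=0` push was the only line next to the write that explained the result; the rationale now lives only inside the filter closure, so a comment at the push site stating the consequence is worth restoring, e.g. `// Host netns: the agent shares the host's network namespace (loopback and host-bound sockets included), so the web-UI port needs no forwarding — at the cost of no network isolation for the agent.` set_nspawn_flags begins and ends outside the hunk, so where the constant lands (function-local or module-level) is left to the author.
```rust
// Config keys nixos-container's start script consults before adding
// `--network-veth`; each is cleared below so the host netns is kept.
const NET_KEYS: &[&str] = &[
    "HOST_ADDRESS=",
    "LOCAL_ADDRESS=",
    "HOST_ADDRESS6=",
    "LOCAL_ADDRESS6=",
    "HOST_BRIDGE=",
];
// … unchanged: read existing config, .lines() …
        .filter(|line| {
            let trimmed = line.trim_start();
            !trimmed.starts_with("EXTRA_NSPAWN_FLAGS=")
                && !trimmed.starts_with("PRIVATE_NETWORK=")
                && !NET_KEYS.iter().any(|key| trimmed.starts_with(key))
        })
// … unchanged: .map(str::to_owned).collect() …
    // Host netns: the agent shares the host's network namespace (loopback and
    // host-bound sockets included), so the web-UI port needs no forwarding —
    // at the cost of no network isolation for the agent.
    lines.push("PRIVATE_NETWORK=0".to_owned());
    lines.extend(NET_KEYS.iter().map(|key| key.to_string()));
// … unchanged: bind_flag push, join and trailing newline …
```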