diff --git a/flake.nix b/flake.nix
index 116b312..ad70f32 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
 meshd = pkgs.callPackage ./packages/mesh/meshd.nix { };
 meshd-linkd = pkgs.callPackage ./packages/mesh/meshd-linkd.nix { };
 meshd-exitd = pkgs.callPackage ./packages/mesh/meshd-exitd.nix { };
+ bearbrowser = pkgs.callPackage ./packages/browser/bearbrowser.nix { };
 lampstand = pkgs.callPackage ./packages/search/lampstand.nix {
 inherit lampstand-src;
 };
diff --git a/packages/browser/bearbrowser.nix b/packages/browser/bearbrowser.nix
new file mode 100644
index 0000000..515a39c
--- /dev/null
+++ b/packages/browser/bearbrowser.nix
@@ -0,0 +1,120 @@
+# BearBrowser — SourceOS privacy / anti-fingerprinting browser.
+#
+# Packages the prebuilt Linux Gecko build (compiled with the BearBrowser engine
+# anti-fingerprint patches: canvas text-metric quantization + audio farble in
+# libxul) from the BearBrowser GitHub release. This is a prebuilt-binary wrapper
+# (firefox-bin style) — autoPatchelf + the Gecko runtime libs + a desktop entry.
+#
+# NOTE: built from the v0.1.0-alpha "human-secure" Linux artifact. When a new
+# release is cut, bump `version` + `src.url` + `src.hash`.
+{ lib
+, stdenv
+, fetchurl
+, autoPatchelfHook
+, makeWrapper
+, wrapGAppsHook3
+, gtk3
+, glib
+, dbus-glib
+, libXt
+, alsa-lib
+, libX11
+, libXcursor
+, libXdamage
+, libXrandr
+, libXcomposite
+, libXext
+, libXfixes
+, libXrender
+, libXtst
+, libXScrnSaver
+, nspr
+, nss
+, pango
+, atk
+, cairo
+, gdk-pixbuf
+, freetype
+, fontconfig
+, libxcb
+, mesa
+, pciutils
+, ffmpeg
+, libnotify
+, gnome2 ? null
+}:
+
+stdenv.mkDerivation rec {
+ pname = "bearbrowser";
+ version = "0.1.0-alpha";
+
+ src = fetchurl {
+ url = "https://github.com/SourceOS-Linux/BearBrowser/releases/download/v${version}/bearbrowser-${version}-linux-x86_64.tar.gz";
+ hash = "sha256-K17S8uORD1RDL7OLPyU2LkxcXgo5fTBGIRJ+Nd/gNRA=";
+ };
+
+ nativeBuildInputs = [ autoPatchelfHook makeWrapper wrapGAppsHook3 ];
+
+ # Gecko runtime libraries (autoPatchelf resolves the binary's NEEDED libs here).
+ buildInputs = [
+ stdenv.cc.cc # libstdc++ / libgcc_s
+ gtk3 glib dbus-glib libXt alsa-lib
+ libX11 libXcursor libXdamage libXrandr libXcomposite libXext libXfixes
+ libXrender libXtst libXScrnSaver
+ nspr nss pango atk cairo gdk-pixbuf freetype fontconfig libxcb mesa
+ pciutils ffmpeg libnotify
+ ];
+
+ # The release tarball is a dist/bin tree rooted at ./bin/.
+ sourceRoot = ".";
+
+ dontConfigure = true;
+ dontBuild = true;
+
+ installPhase = ''
+ runHook preInstall
+
+ # Stage the Gecko dist under libexec, expose a wrapped launcher on PATH.
+ mkdir -p "$out/libexec/bearbrowser" "$out/bin" "$out/share/applications" "$out/share/pixmaps"
+ cp -r bin/* "$out/libexec/bearbrowser/"
+
+ # The executable is named "bearbrowser" (--with-app-name=bearbrowser).
+ makeWrapper "$out/libexec/bearbrowser/bearbrowser" "$out/bin/bearbrowser" \
+ --prefix LD_LIBRARY_PATH : "$out/libexec/bearbrowser" \
+ --set MOZ_LEGACY_PROFILES 1 \
+ --set MOZ_ALLOW_DOWNGRADE 1
+
+ # Icon (fall back silently if the dist layout differs).
+ if [ -f "$out/libexec/bearbrowser/browser/chrome/icons/default/default128.png" ]; then
+ cp "$out/libexec/bearbrowser/browser/chrome/icons/default/default128.png" \
+ "$out/share/pixmaps/bearbrowser.png" || true
+ fi
+
+ cat > "$out/share/applications/bearbrowser.desktop" <