diff --git a/.github/workflows/build-test-push-synvya.yaml b/.github/workflows/build-test-push-synvya.yaml
index cdd0721f..5cc82c0d 100644
--- a/.github/workflows/build-test-push-synvya.yaml
+++ b/.github/workflows/build-test-push-synvya.yaml
@@ -134,7 +134,7 @@ jobs:
 host: ${{ secrets.EC2_STAGING_HOST }}
 username: ec2-user
 key: ${{ secrets.EC2_STAGING_SSH_KEY }}
- command_timeout: 30m
+ command_timeout: 60m
 script: |
 set -euo pipefail
 cd /opt/synvya/keycast
@@ -180,7 +180,7 @@ jobs:
 host: ${{ secrets.EC2_PRODUCTION_HOST }}
 username: ec2-user
 key: ${{ secrets.EC2_PRODUCTION_SSH_KEY }}
- command_timeout: 30m
+ command_timeout: 60m
 script: |
 set -euo pipefail
 cd /opt/synvya/keycast
@@ -226,7 +226,7 @@ jobs:
 host: ${{ secrets.EC2_STAGING_HOST }}
 username: ec2-user
 key: ${{ secrets.EC2_STAGING_SSH_KEY }}
- command_timeout: 30m
+ command_timeout: 60m
 script: |
 set -e
@@ -307,7 +307,7 @@ jobs:
 host: ${{ secrets.EC2_PRODUCTION_HOST }}
 username: ec2-user
 key: ${{ secrets.EC2_PRODUCTION_SSH_KEY }}
- command_timeout: 30m
+ command_timeout: 60m
 script: |
 set -e
diff --git a/Dockerfile b/Dockerfile
index 066778ff..90a72d42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,6 +44,12 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
 # Build stage for Bun frontend
 FROM oven/bun:1 AS web-builder
+# Force serial execution: only start web-builder after rust-builder
+# completes. BuildKit otherwise runs the two stages in parallel, which
+# pushes a small EC2 (e.g. t3.medium) into swap thrash and locks the
+# host. This COPY creates a build-graph dependency on rust-builder.
+COPY --from=rust-builder /artifacts/keycast /tmp/.rust-builder-done
+
 # Install build essentials for native modules
 RUN apt-get update && apt-get install -y \
 python3 \
diff --git a/scripts/ec2-prepare-host.sh b/scripts/ec2-prepare-host.sh
index 43962ecf..d863ba70 100755
--- a/scripts/ec2-prepare-host.sh
+++ b/scripts/ec2-prepare-host.sh
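Review bot: The new `COPY --from=rust-builder /artifacts/keycast /tmp/.rust-builder-done` sits directly after `FROM oven/bun:1 AS web-builder`, so every change to the Rust binary invalidates the `RUN apt-get update && apt-get install -y` layer below it and everything after it. That makes the unpinned apt packages get re-resolved on each such build, which costs time on the small host and lets package versions drift between images. Moving the COPY to just before the memory-heavy frontend step (presumably later in this stage, outside the hunk) would keep the serialisation while leaving the package layer cached. The comment could also state that the copied file is only a marker, e.g. `# Marker only: the copied file is never read in this stage.` The `RUN apt-get` instruction continues past the end of the hunk.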
@@ -8,6 +8,17 @@ SWAPFILE="${SWAPFILE:-/swapfile}"
 SWAP_SIZE="${SWAP_SIZE:-4G}"
 CARGO_JOBS="${CARGO_JOBS:-2}"
+# When invoked under sudo, $HOME points to /root. We want the cargo
+# config to land in the invoking user's home so the workflow (which
+# runs as ec2-user over SSH) reads the same file.
+if [ -n "${SUDO_USER:-}" ] && [ "${SUDO_USER}" != "root" ]; then
+ TARGET_HOME="$(getent passwd "${SUDO_USER}" | cut -d: -f6)"
+ TARGET_USER="${SUDO_USER}"
+else
+ TARGET_HOME="${HOME}"
+ TARGET_USER="$(id -un)"
+fi
+
 echo "=== ec2-prepare-host: ensure swap (${SWAP_SIZE} at ${SWAPFILE}) ==="
 if swapon --show=NAME --noheadings | grep -qx "${SWAPFILE}"; then
 echo "swap already active at ${SWAPFILE}"
@@ -25,9 +36,9 @@ else
 echo "swap enabled at ${SWAPFILE}"
 fi
-echo "=== ec2-prepare-host: ensure ~/.cargo/config.toml jobs=${CARGO_JOBS} ==="
-mkdir -p "${HOME}/.cargo"
-CARGO_CFG="${HOME}/.cargo/config.toml"
+echo "=== ec2-prepare-host: ensure ${TARGET_HOME}/.cargo/config.toml jobs=${CARGO_JOBS} ==="
+mkdir -p "${TARGET_HOME}/.cargo"
+CARGO_CFG="${TARGET_HOME}/.cargo/config.toml"
 if [ ! -f "${CARGO_CFG}" ] || ! grep -qE '^\[build\]' "${CARGO_CFG}"; then
 cat >> "${CARGO_CFG}" <
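Review bot: In the first hunk (`@@ -8,6 +8,17 @@`), `TARGET_HOME` is used unchecked after the `getent passwd "${SUDO_USER}" | cut -d: -f6` lookup in the new `if` branch. If the lookup yields nothing, the value is empty and the later `mkdir -p "${TARGET_HOME}/.cargo"` resolves to `/.cargo`. Whether the script's shell options would abort first is not visible from the diff, so an explicit guard after the `fi` is safer: `[ -d "${TARGET_HOME}" ] || { echo "cannot resolve home for ${TARGET_USER}" >&2; exit 1; }`. Because the script now creates and appends to files in another user's home while running as root, it is also worth confirming that code outside this diff hands `.cargo` back to `${TARGET_USER}`; `TARGET_USER` is assigned here but not used in the visible lines.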