diff --git a/hosts/server/slop/brave-shim.nix b/hosts/server/slop/brave-shim.nix
new file mode 100644
index 0000000..6c206d7
--- /dev/null
+++ b/hosts/server/slop/brave-shim.nix
@@ -0,0 +1,201 @@
+{ pkgs }:
+
+let
+  pythonEnv = pkgs.python3.withPackages (ps: with ps; [
+    fastapi
+    uvicorn
+    ddgs
+    pyyaml
+  ]);
+in
+pkgs.stdenvNoCC.mkDerivation {
+  pname = "brave-shim";
+  version = "0.1.0";
+  dontUnpack = true;
+
+  installPhase = ''
+    mkdir -p $out/bin $out/share/brave-shim
+
+    cat > $out/share/brave-shim/brave_shim.conf <<'CONF'
+server:
+  host: "127.0.0.1"
+  port: 8000
+
+ssl:
+  use_custom_ca: false
+  ca_bundle_path: "/etc/ssl/certs/ca-certificates.crt"
+  verify_ssl: true
+
+logging:
+  file_path: "/home/ocbwoy3/.local/state/brave-shim/brave_shim.log"
+  level: "INFO"
+
+bot_protection:
+  cache_expiration: 3600
+  min_delay: 1.0
+  max_delay: 2.5
+
+search:
+  default_count: 10
+  local_count: 5
+CONF
+
+    cat > $out/share/brave-shim/brave_shim.py <<'PY'
+import time
+import random
+import yaml
+import uvicorn
+import logging
+import os
+import ssl
+from fastapi import FastAPI, Query
+from ddgs import DDGS
+from pathlib import Path
+
+config_path = Path(os.environ.get("BRAVE_SHIM_CONF", "brave_shim.conf"))
+if not config_path.exists():
+    raise FileNotFoundError(f"Config not found: {config_path}")
+
+with open(config_path, "r") as f:
+    config = yaml.safe_load(f)
+
+os.makedirs(os.path.dirname(config["logging"]["file_path"]), exist_ok=True)
+logging.basicConfig(
+    level=config['logging']['level'],
+    format="%(asctime)s [%(levelname)s] %(message)s",
+    handlers=[logging.FileHandler(config['logging']['file_path'])]
+)
+logger = logging.getLogger("brave_shim")
+
+ssl_cfg = config.get('ssl', {})
+verify_ssl = ssl_cfg.get('verify_ssl', True)
+custom_ca_status = "System Default"
+
+if ssl_cfg.get('use_custom_ca'):
+    ca_path = ssl_cfg['ca_bundle_path']
+    if os.path.exists(ca_path):
+        os.environ["SSL_CERT_FILE"] = ca_path
+        os.environ["REQUESTS_CA_BUNDLE"] = ca_path
+        os.environ["CURL_CA_BUNDLE"] = ca_path
+
+        if not verify_ssl:
+            ssl._create_default_https_context = ssl._create_unverified_context
+            custom_ca_status = f"Active (Verify=OFF, Path={ca_path})"
+            logger.warning("SSL verification disabled")
+        else:
+            try:
+                context = ssl.create_default_context(cafile=ca_path)
+                ssl._create_default_https_context = lambda: context
+                custom_ca_status = f"Active (Path={ca_path})"
+            except Exception as e:
+                logger.error(f"SSL bundle load error: {e}")
+    else:
+        logger.error(f"SSL CA bundle not found: {ca_path}")
+        custom_ca_status = "Error: File not found"
+
+app = FastAPI(title="Brave Search API Shim", docs_url=None, redoc_url=None)
+search_cache = {}
+
+def get_from_cache(q):
+    expiration = config['bot_protection']['cache_expiration']
+    if q in search_cache:
+        timestamp, data = search_cache[q]
+        if time.time() - timestamp < expiration:
+            return data
+    return None
+
+@app.get("/status")
+async def health_check():
+    return {
+        "status": "online",
+        "cache_entries": len(search_cache),
+        "ssl_verify": verify_ssl,
+        "ca_bundle": custom_ca_status
+    }
+
+@app.get("/res/v1/web/search")
+async def search_proxy(q: str = Query(...), count: int = None):
+    res_count = count or config['search']['default_count']
+    cached_res = get_from_cache(q)
+    if cached_res:
+        logger.info(f"CACHE HIT: {q}")
+        return cached_res
+
+    time.sleep(random.uniform(config['bot_protection']['min_delay'], config['bot_protection']['max_delay']))
+    logger.info(f"FETCH WEB: {q}")
+    try:
+        with DDGS(verify=verify_ssl) as ddgs:
+            results = []
+            for r in ddgs.text(q, max_results=res_count):
+                results.append({
+                    "title": r.get("title"),
+                    "url": r.get("href"),
+                    "description": r.get("body"),
+                    "meta_url": {"path": r.get("href")}
+                })
+
+        response_data = {"web": {"results": results}}
+        search_cache[q] = (time.time(), response_data)
+        return response_data
+    except Exception as e:
+        logger.error(f"WEB search error for '{q}': {e}")
+        return {"web": {"results": []}, "error": str(e)}
+
+@app.get("/res/v1/local/pois")
+async def local_proxy(q: str = Query(...), count: int = None):
+    res_count = count or config['search']['local_count']
+    logger.info(f"FETCH LOCAL: {q}")
+    try:
+        with DDGS(verify=verify_ssl) as ddgs:
+            res = [
+                {
+                    "id": str(i),
+                    "name": r["title"],
+                    "address": r["body"][:100],
+                    "phone": "",
+                    "coordinates": {"latitude": 0.0, "longitude": 0.0}
+                }
+                for i, r in enumerate(ddgs.text(f"place {q}", max_results=res_count))
+            ]
+        return {"results": res}
+    except Exception as e:
+        logger.error(f"LOCAL search error for '{q}': {e}")
+        return {"results": []}
+
+@app.get("/res/v1/local/descriptions")
+async def local_descriptions(id: str = Query(...)):
+    return {"descriptions": {id: "Data from DDGS proxy."}}
+
+@app.get("/res/v1/summarizer/summary")
+async def summarizer_proxy(key: str = Query(...)):
+    return {"summary": "Summary ready.", "status": "complete"}
+
+if __name__ == "__main__":
+    logger.info(f"Starting brave-shim on {config['server']['host']}:{config['server']['port']}")
+    uvicorn.run(
+        app,
+        host=config['server']['host'],
+        port=config['server']['port'],
+        access_log=False,
+        log_level="critical"
+    )
+PY
+
+    cat > $out/bin/brave-shim <<EOF
+#!${pkgs.bash}/bin/bash
+set -euo pipefail
+export BRAVE_SHIM_CONF=\"\
+	s	h\
+\"
+EOF
+
+    # simpler wrapper (avoid quoting bugs)
+    cat > $out/bin/brave-shim <<EOF
+#!${pkgs.bash}/bin/bash
+set -euo pipefail
+export BRAVE_SHIM_CONF="''${BRAVE_SHIM_CONF:-$out/share/brave-shim/brave_shim.conf}"
+exec ${pythonEnv}/bin/python $out/share/brave-shim/brave_shim.py
+EOF
+    chmod +x $out/bin/brave-shim
+  '';
+}
diff --git a/hosts/server/slop/brave.nix b/hosts/server/slop/brave.nix
index e8846d3..dc83115 100644
--- a/hosts/server/slop/brave.nix
+++ b/hosts/server/slop/brave.nix
@@ -1,5 +1,8 @@
 { pkgs, ... }:
 
+let
+  braveShim = pkgs.callPackage ./brave-shim.nix { };
+in
 {
   # Local Brave API shim as a user service
   systemd.user.services.brave-shim = {
@@ -10,15 +13,7 @@
 
     serviceConfig = {
       Type = "simple";
-      WorkingDirectory = "/home/ocbwoy3/Projects/brave_shim";
-      ExecStart = ''
-        ${pkgs.uv}/bin/uv run \
-          --with fastapi \
-          --with uvicorn \
-          --with ddgs \
-          --with pyyaml \
-          python brave_shim.py
-      '';
+      ExecStart = "${braveShim}/bin/brave-shim";
       Restart = "always";
       RestartSec = "3";
     };
diff --git a/hosts/server/slop/openclaw.nix b/hosts/server/slop/openclaw.nix
index a8a249f..b134cf8 100644
--- a/hosts/server/slop/openclaw.nix
+++ b/hosts/server/slop/openclaw.nix
@@ -25,6 +25,7 @@ in
     packages = [
       openclawPatched
       (pkgs.callPackage ./gogcli.nix { })
+      (pkgs.callPackage ./brave-shim.nix { })
       pkgs.uv
       pkgs.python3
     ];