diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index 773fde8..c4d8595 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -126,7 +126,10 @@ git_deploy = {
         'repo': node.metadata.get('left4me/git_url'),
         'rev': node.metadata.get('left4me/git_branch'),
         'triggers': [
-            'action:left4me_create_venv',
+            # create_venv is gated by `unless` for idempotency and doesn't
+            # need to refire on git updates — once the venv exists, it
+            # persists. pip_install IS retriggered so editable installs
+            # pick up the new code.
             'action:left4me_pip_install',
         ],
     },
diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index f3bdef7..d589ced 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -19,6 +19,34 @@ defaults = {
             'python3-dev': {},
         },
     },
+    'nftables': {
+        # Match deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft.
+        # Mark srcds UDP egress (uid left4me) with DSCP EF + skb priority 6
+        # so CAKE classifies it into the priority tin.
+        'output': {
+            'meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000',
+            'meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000',
+        },
+    },
+    'systemd': {
+        'services': {
+            'left4me-web.service': {
+                'enabled': True,
+                'running': True,
+                'needs': [
+                    'action:left4me_alembic_upgrade',
+                    'file:/etc/left4me/host.env',
+                    'file:/etc/left4me/web.env',
+                ],
+            },
+            # Note: left4me-server@.service is a TEMPLATE — instances are
+            # started on-demand by the web app via the left4me-systemctl
+            # helper. Don't enable/start it from here.
+            # The slices are installed (file present) but don't need
+            # enable/start — they're activated implicitly when a unit
+            # uses Slice=.
+        },
+    },
 }
 
 
@@ -155,47 +183,3 @@ def systemd_units(metadata):
             },
         },
     }
-
-
-@metadata_reactor.provides(
-    'systemd/services',
-)
-def systemd_services(metadata):
-    return {
-        'systemd': {
-            'services': {
-                'left4me-web.service': {
-                    'enabled': True,
-                    'running': True,
-                    'needs': [
-                        'action:left4me_alembic_upgrade',
-                        'file:/etc/left4me/host.env',
-                        'file:/etc/left4me/web.env',
-                    ],
-                },
-                # Note: left4me-server@.service is a TEMPLATE — instances are
-                # started on-demand by the web app via the left4me-systemctl
-                # helper. Don't enable/start it from here.
-                # The slices are installed (file present) but don't need
-                # enable/start — they're activated implicitly when a unit
-                # uses Slice=.
-            },
-        },
-    }
-
-
-@metadata_reactor.provides(
-    'nftables/output',
-)
-def nftables_output(metadata):
-    # Match deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft.
-    # Mark srcds UDP egress (uid left4me) with DSCP EF + skb priority 6
-    # so CAKE classifies it into the priority tin.
-    return {
-        'nftables': {
-            'output': {
-                'meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000',
-                'meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000',
-            },
-        },
-    }