-rw-r--r-- assets/outbox/podman.txt 10
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff bin 0 -> 1178144 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff2 bin 0 -> 897864 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff bin 0 -> 1179852 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff2 bin 0 -> 899248 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff bin 0 -> 1179124 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff2 bin 0 -> 898420 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff bin 0 -> 1178164 bytes
-rw-r--r-- dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff2 bin 0 -> 898068 bytes
-rw-r--r-- dotfiles/common/.ssh/config 6
-rw-r--r-- todo.org 161
11 files changed, 154 insertions, 23 deletions
diff --git a/assets/outbox/podman.txt b/assets/outbox/podman.txt
new file mode 100644
index 0000000..6ec3199
--- /dev/null
+++ b/assets/outbox/podman.txt
@@ -0,0 +1,10 @@
+Add podman and related packages to the base system install:
+
+ podman
+ podman-compose
+ python-dotenv
+
+These are required by winvm (~/code/winvm), which runs a Windows 11 VM
+in a rootless Podman container via QEMU/KVM for Office, Visio, Adobe,
+and other Windows-only applications. podman-compose manages the container
+lifecycle and python-dotenv is a runtime dependency of podman-compose.
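Review bot: The last paragraph names QEMU/KVM inside a rootless container, but the package list carries no note on /dev/kvm access for the unprivileged user. State whether the base install has to do anything for that (group membership, device permissions) or that the defaults suffice, so whoever acts on this request does not have to rediscover it. The `~/code/winvm` path is also a personal reference of the kind the todo.org changes in this same commit plan to template before release.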
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff
new file mode 100644
index 0000000..28c5ba6
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff2 b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff2
new file mode 100644
index 0000000..69365a3
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Bold.woff2
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff
new file mode 100644
index 0000000..a9abcf4
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff2 b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff2
new file mode 100644
index 0000000..c021d29
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-BoldItalic.woff2
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff
new file mode 100644
index 0000000..2ce289f
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff2 b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff2
new file mode 100644
index 0000000..062d3a7
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Italic.woff2
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff
new file mode 100644
index 0000000..dc4f0a5
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff
Binary files differ
diff --git a/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff2 b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff2
new file mode 100644
index 0000000..1fa6f48
--- /dev/null
+++ b/dotfiles/common/.local/share/fonts/BerkeleyMonoNerdFont-Regular.woff2
Binary files differ
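Review bot: These eight BerkeleyMonoNerdFont .woff/.woff2 binaries land under dotfiles/common/.local/share/fonts/ in the same commit whose todo.org gains "Remove binary font files from repo" for that directory, citing possible licensing issues for redistribution. Either keep the fonts out of the tracked tree (ignored path plus separate install instructions, as that item proposes) or extend the item to name Berkeley Mono alongside PragmataPro and Apple Color Emoji. A later removal still leaves these blobs in history, so the "Scrub git history" item needs to cover them as well.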
diff --git a/dotfiles/common/.ssh/config b/dotfiles/common/.ssh/config
index 6f97ab5..06a94e6 100644
--- a/dotfiles/common/.ssh/config
+++ b/dotfiles/common/.ssh/config
@@ -4,5 +4,11 @@ IdentityFile ~/.ssh/id_ed25519
ServerAliveCountMax=30
ServerAliveInterval=5
+Host deepsat.ghe.com
+ HostName deepsat.ghe.com
+ User git
+ IdentityFile ~/.ssh/deepsat-github
+ IdentitiesOnly yes
+
Host cjennings.net
LogLevel ERROR
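Review bot: `IdentitiesOnly yes` in the new `Host deepsat.ghe.com` block limits the client to configured identities, but ssh_config accumulates `IdentityFile` entries from every matching section, so if the `IdentityFile ~/.ssh/id_ed25519` visible in the hunk header applies globally, that key is still offered to this host alongside `~/.ssh/deepsat-github`. If the intent is one key per service, scope the default key so it does not match here, for example with a negated pattern such as `Host * !deepsat.ghe.com`, and confirm with `ssh -G deepsat.ghe.com` which identity files end up in effect. This block is also one more host-specific entry in a file the todo.org changes list under "personal host configuration" to be templated before release.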
diff --git a/todo.org b/todo.org
index 13fe210..03a0386 100644
--- a/todo.org
+++ b/todo.org
@@ -4,6 +4,106 @@
* Archsetup Open Work
+** TODO [#A] Prepare for GitHub open-source release
+Remove personal info, credentials, and code quality issues before publishing.
+
+*** TODO [#A] Remove credentials and secrets from dotfiles
+- =.config/.tidal-dl.token.json= — active Tidal API token with userId
+- =.config/calibre/smtp.py.json= — hex-encoded relay password, personal email mappings (family Kindle accounts)
+- =.config/transmission/settings.json= — bcrypt-hashed RPC password
+- =.msmtprc= — mail server credentials (gpg password references)
+- =.mbsyncrc= — ProtonBridge IMAP credentials
+Add all to =.gitignore=, remove from git tracking, create =.example= templates where appropriate.
+
+*** TODO [#A] Remove/template personal information from scripts
+- =archsetup= lines 2-3: personal email and website in header
+- =archsetup= lines 141-146: hardcoded =git.cjennings.net= repository URLs — make configurable via conf
+- =scripts/post-install.sh=: personal git repos (finances, documents, danneel-*, nextjob, etc.)
+- =scripts/gitrepos.sh=: personal server URLs
+- =init= line 8: hardcoded password =welcome=
+
+*** TODO [#A] Remove/template personal info from dotfiles
+- =.gitconfig=: hardcoded name, email, GitHub username
+- =.config/musicpd.conf=: hardcoded =~cjennings/= paths (use =~/= instead)
+- =.ssh/config=: personal host configuration
+- =.config/yt-dlp/config=: personal domain reference
+- =hyprland.conf= line 3: personal attribution
+
+*** TODO [#A] Scrub git history of secrets (or start fresh)
+Even after removing files, secrets remain in git history.
+Options: =git filter-repo= to rewrite history, or start a fresh repo for the GitHub remote.
+Recommend: fresh repo for GitHub (keep cjennings.net remote with full history).
+
+*** TODO [#B] Remove device-specific configuration
+=archsetup= lines 1458-1463: Logitech BRIO webcam udev rule — move to optional/configurable section.
+
+*** DONE [#B] Fix unsafe sed patterns with user input
+CLOSED: [2026-02-23 Sun]
+Quoted =$username= in sed replacement, switched locale and wireless-regdom sed
+patterns to pipe delimiter to avoid conflicts with path/encoding characters.
+
+*** DONE [#B] Fix unsafe heredoc variable expansion
+CLOSED: [2026-02-23 Sun]
+Quoted =UDEVEOF= heredoc and used placeholder + sed replacement pattern (same as hyprpm hook).
+
+*** TODO [#B] Add README.md for GitHub
+Project description, features, requirements, installation instructions,
+configuration guide (archsetup.conf), security considerations,
+contributing guidelines (or separate CONTRIBUTING.md), and license.
+
+*** TODO [#B] Add LICENSE file
+Currently no license — must choose one before open-source release.
+
+*** TODO [#B] Remove binary font files from repo
+PragmataPro and Apple Color Emoji fonts in =dotfiles/common/.local/share/fonts/=.
+Add to =.gitignore=, document font installation separately.
+May have licensing issues for redistribution.
+
+*** TODO [#B] Make claude-code installation optional
+Line 1781: =curl | sh= from claude.ai — should be behind a config flag.
+Not all users want AI tooling; curl-pipe-bash is a red flag for reviewers.
+
+*** TODO [#B] Add input validation for username and paths
+Variables like ~$username~, ~$source_dir~, and paths are not validated.
+Special characters or malicious input could break the script or cause security issues.
+Should validate inputs match expected patterns (alphanumeric, valid paths, etc.).
+
+*** TODO [#B] Bulk shellcheck cleanup
+Reviewed 2026-01-24: ~128 warnings, mostly acceptable patterns or low-priority style issues.
+- SC2024 (sudo redirects) - acceptable, script runs as root
+- SC2174 (mkdir -p -m) - reviewed, not a practical issue
+- Various quoting warnings - high-priority ones already fixed
+Focus on warnings that matter for public code review.
+
+*** TODO [#B] Document testing process in README
+Help future maintainers and contributors understand and modify test infrastructure.
+
+*** TODO [#C] Add guard for rm -rf on constructed paths
+Lines 236, 466, 905: validate directory exists and is in expected location before =rm -rf=.
+
+*** DONE [#C] Add mountpoint check before ramdisk mount
+CLOSED: [2026-02-23 Sun]
+Added =mountpoint -q= guard before mount; skips with info message if already mounted.
+
+*** TODO [#C] Improve error handling in chained commands
+Line 820: three operations chained with =&&= reported as single failure.
+Break into separate error-handled steps.
+
+*** DONE [#C] Add comments on complex logic
+CLOSED: [2026-02-23 Sun]
+Added comments explaining wireless region locale-to-ISO3166 mapping and
+archsetup clone strategy (why symlinks need user-owned repo).
+
+*** TODO [#C] Standardize boolean comparison style
+Mixed =[ "$var" = "true" ]= vs =$var= evaluation — pick one pattern.
+
+*** TODO [#D] Replace eval with safer alternatives
+Line 434: =eval "$cmd"= — use arrays or direct execution.
+
+*** DONE [#D] Validate reserved usernames
+CLOSED: [2026-02-23 Sun]
+Added check against list of reserved system usernames (root, bin, daemon, sys, etc.).
+
** TODO [#A] Ensure sleep/suspend works on laptops
Critical functionality for laptop use - current battery drain unacceptable
**NOTE:** This applies to Framework Laptop (velox), not Framework Desktop (ratio)
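Review bot: The "Remove credentials and secrets from dotfiles" item stops at adding the files to .gitignore, untracking them and creating .example templates; nothing in the list revokes or rotates the Tidal token, relay password, RPC password or mail credentials that are already committed. Add a rotation step ahead of the history decision, since a fresh GitHub repo keeps the values out of the public history but leaves them valid. The entry `=init= line 8: hardcoded password =welcome=` also writes the value into todo.org itself; if this file is going to be published, refer to the location only.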
@@ -46,13 +146,6 @@ Removed conflicting setxkbmap statements, gdm, and keyd configs - still didn't w
** TODO [#B] All error messages should be actionable with recovery steps
Currently just reports errors without guidance on how to fix them
-** TODO [#B] Full install logs should contain timestamps
-Verify timestamps exist for debugging failures
-
-** TODO [#B] Add input validation for username and paths
-Variables like ~$username~, ~$source_dir~, and paths are not validated
-Special characters or malicious input could break the script or cause security issues
-Should validate inputs match expected patterns (alphanumeric, valid paths, etc.)
** TODO [#B] Enable TLP power management for laptops
TLP manages power-saving modes for Wi-Fi, USB, PCIe, Bluetooth, CPU scheduler
@@ -202,13 +295,30 @@ Detect NVIDIA GPU and warn user about potential Wayland issues:
- Document required env vars (LIBVA_DRIVER_NAME, GBM_BACKEND, etc.)
- Prompt to continue or abort if NVIDIA detected
-** TODO [#B] Validate DESKTOP_ENV default behavior
-Confirm that defaulting DESKTOP_ENV to "dwm" when unassigned is the right choice.
-Consider: should it prompt interactively instead? Or fail with a clear message?
-** TODO [#B] Test archsetup username/password prompts
-Test the username and password prompt functionality added to archsetup.
-Verify prompts work correctly on fresh install simulation.
+** TODO [#B] Add org-capture popup frame on keyboard shortcut
+Set up a quick-capture popup using emacsclient that opens a small floating
+org-capture frame, with Hyprland window rules to float, size, and center it.
+Frame should auto-close on finalize (C-c C-c) or abort (C-c C-k).
+
+Implementation:
+1. Create =~/.local/bin/quick-capture= script:
+ - =emacsclient -c -F '((name . "org-capture") (width . 80) (height . 20))' -e '(org-capture)'=
+ - Requires Emacs daemon running (already configured via systemd)
+2. Add Hyprland window rules to =hyprland.conf=:
+ - =windowrulev2 = float, title:^(org-capture)$=
+ - =windowrulev2 = size 800 400, title:^(org-capture)$=
+ - =windowrulev2 = center, title:^(org-capture)$=
+ - =windowrulev2 = stayfocused, title:^(org-capture)$=
+3. Add keybind in =hyprland.conf= (choose available key combo)
+4. Add Elisp hook to auto-delete the frame after capture:
+ =(defun my/org-capture-delete-frame ()
+ (when (equal (frame-parameter nil 'name) "org-capture")
+ (delete-frame)))
+ (add-hook 'org-capture-after-finalize-hook #'my/org-capture-delete-frame)=
+5. Notes go directly into existing org capture templates — zero new infrastructure
+
+Reference: Protesilaos Stavrou's popup frame pattern for emacsclient.
** TODO Check linux-lts version until 6.18+
SCHEDULED: <2026-02-23 Mon +3w>
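Review bot: Step 1's `emacsclient -c -F ... -e '(org-capture)'` has no fallback when the daemon is not reachable, and launched from a Hyprland keybind the error goes nowhere the user will see. Either pass `-a ''` so emacsclient starts the daemon itself, or have `quick-capture` check the exit status and raise a desktop notification. Step 3 leaves the key combination open; pick it in this item so the plan can be implemented as written.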
@@ -229,9 +339,6 @@ The goal is a single place to edit each config, not two.
** TODO [#C] Create Chrome theme with dupre colors
Create a Chrome browser theme using the dupre color palette. Plan saved in [[file:docs/PLAN-browser-themes.org][docs/PLAN-browser-themes.org]].
-** TODO [#C] Document testing process in README
-Help future maintainers understand and modify test infrastructure
-
** TODO [#C] Monitor and optimize test execution time
Keep test runs performant as installs and post-install tests grow (target < 2 hours)
@@ -323,11 +430,19 @@ pacman_install and aur_install have retry logic, but git_install doesn't
cpupower service configures the default CPU scheduler (powersave or performance)
Install cpupower, configure /etc/default/cpupower, enable service: ~systemctl enable --now cpupower.service~
-** TODO [#D] Bulk shellcheck cleanup
-Reviewed 2026-01-24: ~128 warnings, mostly acceptable patterns or low-priority style issues.
-- SC2024 (sudo redirects) - acceptable, script runs as root
-- SC2174 (mkdir -p -m) - reviewed, not a practical issue
-- Various quoting warnings - high-priority ones already fixed
-Run =shellcheck archsetup= periodically to check for new issues, but bulk cleanup is low priority.
-
* Archsetup Resolved
+
+** DONE [#B] Full install logs should contain timestamps
+CLOSED: [2026-02-23 Sun]
+Log filename includes timestamp via =date +'%Y-%m-%d-%H-%M-%S'=.
+Functions =error_warn()=, =error_fatal()=, and =display()= all output timestamps via =date +'%T'=.
+
+** DONE [#B] Validate DESKTOP_ENV default behavior
+CLOSED: [2026-02-23 Sun]
+Defaults to =hyprland= silently via =desktop_env="${desktop_env:-hyprland}"=.
+Overridable via config file or =DESKTOP_ENV= environment variable.
+
+** DONE [#B] Test archsetup username/password prompts
+CLOSED: [2026-02-23 Sun]
+Username prompt with regex validation (lines 320-332) and password prompt
+with confirmation (lines 339-353) implemented and functional.
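Review bot: The resolved entry "Test archsetup username/password prompts" records a username prompt with regex validation, while the open item "Add input validation for username and paths" moved by this same patch still says `$username` is not validated. Narrow the open item to what is left (`$source_dir` and paths) or state what the regex does not cover. The `lines 320-332` and `lines 339-353` references will drift as archsetup changes, so name the functions instead. The DESKTOP_ENV entry records the silent default to hyprland but not the answer to the removed item's question of whether to prompt or fail instead.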