author: Craig Jennings <c@cjennings.net> 2026-06-28 13:47:30 -0400
committer: Craig Jennings <c@cjennings.net> 2026-06-28 13:47:30 -0400
commit: 4b43d47417fac892fd1be97658512b856a2a4072 (patch)
tree: 69c6ef2f41893be60e0a63a30e1272ad5e87c436
parent: a013d8b3fd3ffe6bca4d80aaab9ea50b8b20f468 (diff)
download: archsetup-4b43d47417fac892fd1be97658512b856a2a4072.tar.gz, archsetup-4b43d47417fac892fd1be97658512b856a2a4072.zip
chore: reconcile task facts, consolidate CI + security clusters
I audited the open-work tasks for factual accuracy. Reconciled stale facts against the code and git state: dropped the "hardcoded repo URLs" item (the dotfiles repo is config-driven now), corrected the commit count to 589, and noted that the 2026-06-28 btrfs/zfs runs reproduce the same residual install warnings. Cancelled the calendar-URL rotation (Craig's call, exposure window recorded) and refiled the dotfiles-audit task to the standalone dotfiles repo. Closed the README as code-complete with the final read filed under manual testing. Grouped 14 scattered CI/test tasks under a "Test + CI infrastructure" parent and 5 security tasks under "Security hardening + audit", each child keeping its prior priority. Fixed two terminology drifts (container to VM, DWM to Hyprland).
-rw-r--r-- todo.org | 242
1 file changed, 119 insertions, 123 deletions
diff --git a/todo.org b/todo.org
index fc2b58b..6a2f8c7 100644
--- a/todo.org
+++ b/todo.org
@@ -245,7 +245,7 @@ Acceptance: fresh VM install of the ratio profile reaches an endpoint on =:8081=
** DOING [#B] Prepare for GitHub open-source release
:PROPERTIES:
-:LAST_REVIEWED: 2026-06-09
+:LAST_REVIEWED: 2026-06-28
:END:
Remove personal info, credentials, and code quality issues before publishing.
*** 2026-06-16 Tue @ 00:55:39 -0500 Six dotfiles-scoped sub-tasks moved to the ~/.dotfiles project
@@ -273,34 +273,31 @@ Checked each subtask below against the source / git state. Bottom line: almost n
- *Standardize boolean comparison style* — NOT DONE. Mixed: =[ "$var" = "true" ]= at =archsetup:542,544,569= vs bare =if $var;= form ~7 places elsewhere.
- *Replace eval with safer alternatives* — NOT DONE. =archsetup:442= still =if eval "$cmd" >> "$logfile" 2>&1;= in =retry_install=.
-*** TODO [#A] Rotate exposed calendar feed URLs
-Needs the ratio GUI (browser-based regeneration), so deferred until I'm in front of ratio. Three private ical URLs sat in git history (commit =500b1f5=, 2026-05-13) until the 2026-05-20 scrub. The scrub removed them from local + remote history, but anyone who pulled the repo between those dates still has the tokens, so regenerate all three:
-- Google personal (=craigmartinjennings@gmail.com= private ical URL)
-- Proton (calendar.proton.me URL with PassphraseKey)
-- Google DeepSat (=craig.jennings@deepsat.com= private ical URL)
-After regenerating, update the live =~/.emacs.d/calendar-sync.local.el= (now owned by the emacs/dotemacs project — see its inbox handoff from 2026-05-20).
+*** 2026-06-28 Sun @ 13:34:03 -0400 Cancelled: calendar-feed URL rotation
+Craig's call — not rotating. The three private iCal URLs (Google personal, Proton with PassphraseKey, Google DeepSat) sat in git history from =500b1f5= (2026-05-13) until the 2026-05-20 filter-repo scrub, which removed them from local + remote history. The residual exposure is only to anyone who cloned the repo in that 2026-05-13..05-20 window; Craig accepts that window rather than regenerating all three tokens on ratio. The history scrub already happened; the live =calendar-sync.local.el= is owned by the emacs project. Closing without rotation.
*** 2026-05-20 Wed @ 12:09:32 -0500 Scrubbed the calendar secret from git history
=dotfiles/common/.emacs.d/calendar-sync.local.el= (private Google/Proton/DeepSat ical URLs, added in =500b1f5= for stow distribution) was discovered while folding tmux-util into stow. Sent the file back to the emacs project's inbox, =git rm='d it, then =git filter-repo --invert-paths --path= purged it from all 29 affected commits. Force-pushed (=0921e4d...618e6cc=, with lease) and ran =reflog expire= + =gc --prune=now= on the bare repo at =/var/git/archsetup.git=. Verified: the file is in zero commits, the secret tokens return zero matches across all history, and =500b1f5= / =0921e4d= are unreachable on both local and remote. Rotation of the URLs tracked as the sibling TODO above. This also proves =filter-repo= works cleanly here — relevant precedent for the broader [[*Scrub git history of secrets (or start fresh)][history-scrub task]] below (the 5 credential files are still in history).
*** TODO [#B] Remove/template personal information from scripts
-- =archsetup= lines 2-3: personal email and website in header
-- =archsetup= lines 141-146: hardcoded =git.cjennings.net= repository URLs — make configurable via conf
+- =archsetup= lines 3-4: personal email and website in header
- =scripts/post-install.sh=: personal git repos and server URLs (the old =scripts/gitrepos.sh= was consolidated into this script in =dae7659=, so its personal =git.cjennings.net= clone targets now live here)
-- =init= line 8: hardcoded password =welcome=
+- =init= line 9: hardcoded password =welcome=
+**** 2026-06-28 Sun @ 13:29:29 -0400 Reconciled: dotfiles repo URLs already config-driven
+Dropped the "lines 141-146 hardcoded =git.cjennings.net= URLs" bullet. archsetup:138-140 reads =DOTFILES_REPO= / =DOTFILES_BRANCH= / =DOTFILES_DIR= overrides (defaults only, documented in =archsetup.conf.example=), so that item is already done. Refreshed the stale line numbers on the remaining bullets (header email/site now lines 3-4, init password now line 9, after the SPDX headers shifted the files).
*** TODO [#B] Scrub git history of secrets (or start fresh)
Even after removing files, secrets remain in git history.
Options: =git filter-repo= to rewrite history, or start a fresh repo for the GitHub remote.
Recommend: fresh repo for GitHub (keep cjennings.net remote with full history).
+**** 2026-06-28 Sun @ 13:29:29 -0400 Reconciled: 589 commits, 5 credential files still in history
+History is now 589 commits (the 2026-05-11 note's "275" is stale). Only the calendar-feed file has been filter-repo'd so far (2026-05-20). The five credential files remain in history at their pre-=b10cba5= paths: =.tidal-dl.token.json= (5 commits), =calibre/smtp.py.json= (6), =transmission/settings.json= (5), =.msmtprc= (8), =.mbsyncrc= (9). None are tracked in the current tree. The scrub-or-fresh-repo decision still stands.
*** 2026-06-24 Wed @ 19:41:56 -0400 Gated device-specific udev rules behind a flag
The Logitech BRIO udev rule is now wrapped in =if [ "$install_device_udev_rules" = "true" ]=, fed by a new =INSTALL_DEVICE_UDEV_RULES= key (default yes, opt-out — still mainly a personal project). Added the var default, the config read, a =validate_config= check, and an =archsetup.conf.example= entry. Verified: default/yes writes the rule, no skips it, bogus is rejected; =bash -n= clean.
-*** DOING [#B] Add README.md for GitHub
-Project description, features, requirements, installation instructions,
-configuration guide (archsetup.conf), security considerations,
-contributing guidelines (or separate CONTRIBUTING.md), and license.
+*** 2026-06-28 Sun @ 13:37:33 -0400 Added README.md — full draft complete, final read filed
+=README.md= is substantively done at repo root (10.9 KB), covering project description, features, requirements, installation, the =archsetup.conf= configuration guide, security considerations, contributing, and license, with generic placeholders for the eventual public fork. The 2026-05-11 "first pass" note below is superseded. Craig's final read before public release is filed under "Manual testing and validation"; closing as code-complete pending that human check, per the audit rule.
**** 2026-05-11 Mon @ 13:01:29 -0500 AI Response: Initial README draft
Drafted =README.md= at repo root, modeled on =~/code/chime/README.org=. First pass — review and run a voice/style pass before committing. Personal info (emails, =cjennings.net= URLs, personal repo names) intentionally replaced with placeholders for the eventual public release.
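Review bot: the unchanged 2026-05-20 scrub entry still says "Rotation of the URLs tracked as the sibling TODO above", but this hunk replaces that TODO with the cancellation entry, so the pointer is now stale; reword it to reference the 2026-06-28 "Cancelled: calendar-feed URL rotation" entry so the accepted-exposure decision is reachable from the scrub record. The cancellation note itself correctly scopes what the scrub cannot undo (clones taken in the 2026-05-13..05-20 window); the scrub entry should carry the same statement rather than implying rotation is still pending.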
@@ -421,16 +418,98 @@ Add kernel parameter: ~rtc_cmos.use_acpi_alarm=1~ (will become systemd default)
Consider: ~acpi_mask_gpe=0x1A~ for battery drain, suspend-then-hibernate config
See Framework community notes on logind.conf and sleep.conf settings
-** TODO [#C] Build CI/CD pipeline that runs archsetup on every commit
+** TODO [#B] Test + CI infrastructure :test:
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-28
+:END:
+Umbrella for the test-harness and CI-automation buildout. Consolidated from the 2026-06-28 task audit: these were scattered top-level tasks circling one effort, re-homed as children so the work reads as a unit. Each child ships independently and keeps the priority it carried before. No CI runner exists yet, so the CI/CD-pipeline child gates several of the others.
+
+*** TODO [#C] Build CI/CD pipeline that runs archsetup on every commit
:PROPERTIES:
:LAST_REVIEWED: 2026-06-13
:END:
Core automation infrastructure - enables continuous validation
+*** TODO [#B] Generate recovery scripts from test failures
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-13
+:END:
+Auto-create post-install fix scripts for failed packages - makes failures actionable
+*** TODO [#B] Establish monthly review workflow
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-13
+:END:
+The diff engine now exists (=scripts/package-inventory= / =make package-diff=), so what remains here is the cadence, not the tooling: a scheduled prompt to run the diff and act on it. Subtasks 1-2 are the recurring human judgment the engine feeds; subtask 3 is the automation to schedule it.
+**** TODO [#B] For packages in archsetup but not on system: determine if still needed
+**** TODO [#B] For packages on system but not in archsetup: decide add or remove
+**** TODO [#B] Schedule monthly package diff review
+*** TODO [#C] Set up automated test schedule
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-28
+:END:
+Weekly full run to catch deprecated packages even without commits
+*** TODO [#C] Implement manual test trigger capability
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-28
+:END:
+Allow on-demand test runs when automation is toggled off
+*** TODO [#C] Create test results dashboard/reporting
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-28
+:END:
+Make test outcomes visible and actionable
+*** TODO [#B] Block merges to main if tests fail
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Enforce quality gate - broken changes don't enter main branch
+*** TODO [#B] Add network failure testing to test suite
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Simulate network disconnect mid-install to verify resilience
+*** TODO [#B] Keep VM base images up to date
+:PROPERTIES:
+:LAST_REVIEWED: 2026-06-28
+:END:
+Regular updates to the Arch base VM image (qemu, built by =create-base-vm.sh=) with a review process and schedule. The harness is VM/qemu-based, not containers.
+*** TODO [#B] Persist test logs for historical analysis
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Archive logs with review process and schedule to identify failure patterns and trends
+*** TODO [#B] Implement automated deprecation detection
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Parse package warnings and repo metadata to catch upcoming deprecations proactively
+*** TODO [#C] Monitor and optimize test execution time
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Keep test runs performant as installs and post-install tests grow (target < 2 hours)
+*** TODO [#C] Set up alerts for deprecated packages
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Proactive monitoring integrated with testing
+*** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing
+:PROPERTIES:
+:LAST_REVIEWED: 2026-05-21
+:END:
+Currently using snapshot-based testing which works but limits to sequential test runs
+Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove)
+Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup
+Need to investigate proper machine-ID regeneration that doesn't break networking
+Would enable parallel test execution in CI/CD
+Priority C because snapshot-based testing meets current needs
** TODO [#B] Fix install errors surfaced by the 2026-05-11 VM test run
:PROPERTIES:
:LAST_REVIEWED: 2026-06-15
:END:
+*** 2026-06-28 Sun @ 13:29:29 -0400 Audit reconcile: 2026-06-28 btrfs+zfs runs reproduce the same residual set
+Newer full runs landed since the 2026-06-11 reconcile below: the 2026-06-25 zfs run (Testinfra 96/0) and the 2026-06-28 btrfs+zfs runs (97/0, "zero attributed issues"). The residual four were NOT fixed and reproduce unchanged: =enabling firewall= (archsetup:1496-1498, carries a VM-kernel note), =enabling gamemode for user= (archsetup:2221, non-critical), and =tidaler (AUR)=. Zero archsetup-attributed Testinfra issues across both profiles confirms these are environment / non-critical, not archsetup bugs. Bare-metal confirmation of the firewall pair is still the open thread.
+
*** 2026-06-15 Mon @ 23:53:21 -0500 Audit reconcile: latest VM run (2026-06-11) confirms the surviving error set
The most recent VM run (=test-results/20260611-113904/=) carries four error-summary entries: =enabling firewall= + =verifying firewall is active= (the iptables/nf_tables "Could not fetch rule set generation id" pair, still unconfirmed on bare metal), =enabling gamemode for user= (non-critical), and =tidaler (AUR)=. The earlier fontconfig/dconf fixes held — none reappear. So the count is down from the 7→6 anchor below to four, all of them the known-residual items already itemized.
Errors logged during the VM install. Status as of the 2026-05-11 18:36 run (=test-results/20260511-183643/archsetup-output.log=) after the =48c9439= fontconfig/dconf fix: 7 → 6.
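Review bot: the new 2026-06-28 audit-reconcile entry says "The residual four" but enumerates only three (=enabling firewall=, =enabling gamemode for user=, =tidaler (AUR)=); the 2026-06-15 entry directly below pairs =enabling firewall= with =verifying firewall is active=, so either list the fourth entry explicitly or phrase it as the firewall pair plus two. Minor style point: the new umbrella description is followed by a blank line before its first child while the re-homed children have none; pick one spacing for the cluster.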
@@ -452,12 +531,6 @@ Root cause was in =retry_install=: =last_exit_code=$?= ran AFTER =if eval ...; t
*** 2026-05-19 Tue @ 01:25:26 -0500 Verified the b9907c7 emacs-stow fix end-to-end
=make test= 21:44 → 22:29 (42 min), =test-results/20260518-214516/=. 52/0/5, =ArchSetup Exit Code: 0=. The third-branch path fired correctly — install log =archsetup-2026-05-18-21-45-46.log:14358-14365= shows =From https://git.cjennings.net/dotemacs= → =[new branch] main -> origin/main= → =Reset branch 'main'= → =branch 'main' set up to track 'origin/main'=. No exit-128, no =fatal: not a git repository=. Error Summary down to 7 (was 13 on 2026-05-16); the emacs entry is gone. AUR exit-0 logging triggered for 2 packages this run (mkinitcpio-firmware, tidaler) vs 6 on 2026-05-16 — same bug class, fewer triggers, still tracked under =[#B] AUR exit-0 logged as error=. Issue Attribution: 1 ARCHSETUP entry (Proton VPN Daemon failed — known VM-no-VPN-config artifact). Cleanup ran clean via the normal path.
-** TODO [#B] Generate recovery scripts from test failures
-:PROPERTIES:
-:LAST_REVIEWED: 2026-06-13
-:END:
-Auto-create post-install fix scripts for failed packages - makes failures actionable
-
** TODO [#B] Review undeclared ratio packages for installer inclusion
:PROPERTIES:
:LAST_REVIEWED: 2026-06-24
@@ -507,21 +580,6 @@ Some entries are libraries likely pulled in as dependencies (blas-openblas, open
- [ ] webkit2gtk
- [ ] whisper.cpp
-** TODO [#B] Establish monthly review workflow
-:PROPERTIES:
-:LAST_REVIEWED: 2026-06-13
-:END:
-The diff engine now exists (=scripts/package-inventory= / =make package-diff=), so what remains here is the cadence, not the tooling: a scheduled prompt to run the diff and act on it. Subtasks 1-2 are the recurring human judgment the engine feeds; subtask 3 is the automation to schedule it.
-*** TODO [#B] For packages in archsetup but not on system: determine if still needed
-*** TODO [#B] For packages on system but not in archsetup: decide add or remove
-*** TODO [#B] Schedule monthly package diff review
-
-** TODO [#C] Complete security education within 3 months
-:PROPERTIES:
-:LAST_REVIEWED: 2026-06-24
-:END:
-Read recommended resources to make informed security decisions (see metrics for Claude suggestions)
-
** TODO [#B] All error messages should be actionable with recovery steps
:PROPERTIES:
:LAST_REVIEWED: 2026-06-24
@@ -536,81 +594,43 @@ Some operations log to ~$logfile~, others don't - standardize logging
All package installs should log, all system modifications should log, all errors should log with context
Makes debugging failed installations easier
-** TODO [#C] Set up automated test schedule
-:PROPERTIES:
-:LAST_REVIEWED: 2026-06-28
-:END:
-Weekly full run to catch deprecated packages even without commits
-
-** TODO [#C] Implement manual test trigger capability
-:PROPERTIES:
-:LAST_REVIEWED: 2026-06-28
-:END:
-Allow on-demand test runs when automation is toggled off
+** CANCELLED [#B] Audit dotfiles/common directory
+CLOSED: [2026-06-28 Sun]
+Refiled to the standalone =~/.dotfiles= repo, which owns this content since the 2026-06-16 split. Handoff sent 2026-06-28: =~/.dotfiles/inbox/2026-06-28-1335-from-archsetup-refiled-from-archsetup-task-audit-2026.org=. The three sub-tasks (review ~/.local/bin scripts, remove orphaned configs, verify stowed files are used) travel with it. Cancelled here, not abandoned.
-** TODO [#C] Create test results dashboard/reporting
+** TODO [#B] Security hardening + audit :security:
:PROPERTIES:
:LAST_REVIEWED: 2026-06-28
:END:
-Make test outcomes visible and actionable
+Umbrella for the security-hardening and audit effort. Consolidated from the 2026-06-28 task audit, re-homing the scattered security tasks as children so the work reads as a unit. Each child ships independently and keeps its prior priority.
-** TODO [#B] Block merges to main if tests fail
+*** TODO [#B] Test security + functionality together
:PROPERTIES:
:LAST_REVIEWED: 2026-05-21
:END:
-Enforce quality gate - broken changes don't enter main branch
-
-** TODO [#B] Add network failure testing to test suite
+**** TODO [#B] Verify no unexpected open ports or services
+*** TODO [#B] Security audit tooling
:PROPERTIES:
:LAST_REVIEWED: 2026-05-21
:END:
-Simulate network disconnect mid-install to verify resilience
-
-** TODO [#B] Keep container base images up to date
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Regular updates to Arch base image with review process and schedule
-
-** TODO [#B] Persist test logs for historical analysis
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Archive logs with review process and schedule to identify failure patterns and trends
-
-** TODO [#B] Implement automated deprecation detection
+**** TODO [#B] Implement port scanning check
+**** TODO [#B] Create security posture verification script
+**** TODO [#B] Set up intrusion detection monitoring
+*** TODO [#B] Document threat model and mitigations within 6 months
:PROPERTIES:
:LAST_REVIEWED: 2026-05-21
:END:
-Parse package warnings and repo metadata to catch upcoming deprecations proactively
-
-** TODO [#B] Audit dotfiles/common directory
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-*** TODO [#B] Review all 50+ scripts in ~/.local/bin - remove unused scripts
-*** TODO [#B] Check dotfiles for uninstalled packages - remove orphaned configs
-*** TODO [#B] Verify all stowed files are actually used
-
-** TODO [#B] Test security + functionality together
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-*** TODO [#B] Verify no unexpected open ports or services
-
-** TODO [#B] Security audit tooling
+Identify attack vectors, what's mitigated, what remains
+*** TODO [#C] Complete security education within 3 months
:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
+:LAST_REVIEWED: 2026-06-24
:END:
-*** TODO [#B] Implement port scanning check
-*** TODO [#B] Create security posture verification script
-*** TODO [#B] Set up intrusion detection monitoring
-
-** TODO [#B] Document threat model and mitigations within 6 months
+Read recommended resources to make informed security decisions (see metrics for Claude suggestions)
+*** TODO [#C] Create security checklist for cafe/public wifi scenarios
:PROPERTIES:
:LAST_REVIEWED: 2026-05-21
:END:
-Identify attack vectors, what's mitigated, what remains
+Practical guidelines for working in public spaces
** TODO [#C] Re-check python-lyricsgenius --skipinteg workaround :solo:
:PROPERTIES:
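Review bot: the two headlines with relative deadlines ("within 6 months", "within 3 months") carry no start date, only LAST_REVIEWED, so after the re-home nothing anchors them; add an org DEADLINE (or a dated anchor in the body) to each so the umbrella can be tracked. Also "Verify no unexpected open ports or services" under "Test security + functionality together" and "Implement port scanning check" under "Security audit tooling" describe the same check; cross-reference them or fold one into the other so the cluster does not carry a duplicate.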
@@ -623,9 +643,9 @@ Ran =makepkg --verifysource= on the current AUR PKGBUILD (3.7.0-1). The package
** TODO [#B] Test each modernization thoroughly before replacing
:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
+:LAST_REVIEWED: 2026-06-28
:END:
-Ensure new tools integrate with DWM environment and don't break workflow
+Ensure new tools integrate with the Hyprland environment and don't break workflow (the fleet is all Hyprland now; archsetup still supports DWM/X11 but no current machine uses it)
** TODO [#B] Add NVIDIA preflight check for Hyprland
:PROPERTIES:
@@ -650,35 +670,6 @@ error-prone — changes must be made in both places. Consider:
- Same situation applies to fuzzel.ini
The goal is a single place to edit each config, not two.
-** TODO [#C] Monitor and optimize test execution time
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Keep test runs performant as installs and post-install tests grow (target < 2 hours)
-
-** TODO [#C] Set up alerts for deprecated packages
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Proactive monitoring integrated with testing
-
-** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Currently using snapshot-based testing which works but limits to sequential test runs
-Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove)
-Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup
-Need to investigate proper machine-ID regeneration that doesn't break networking
-Would enable parallel test execution in CI/CD
-Priority C because snapshot-based testing meets current needs
-
-** TODO [#C] Create security checklist for cafe/public wifi scenarios
-:PROPERTIES:
-:LAST_REVIEWED: 2026-05-21
-:END:
-Practical guidelines for working in public spaces
-
** TODO [#B] Migrate terminal emulator from foot to ghostty :tooling:
:PROPERTIES:
:LAST_REVIEWED: 2026-06-24
@@ -728,6 +719,11 @@ Parse yay errors and provide specific, actionable fixes instead of generic error
Enhance existing indicators to show what's happening in real-time
** TODO Manual testing and validation
+*** Give the README a final read before public release
+What we're verifying: =README.md= reads cleanly and accurately for a first-time reader, with no stale personal info and consistent public-fork placeholders.
+- Open =~/code/archsetup/README.md=
+- Read it end to end as if you've never seen the project
+Expected: every section is accurate, the personal-project disclaimer reads right, the placeholders (=<your-domain>=, =github.com/yourusername=) are consistent, and nothing personal leaked into the public-facing draft.
*** 2026-06-28 Sun @ 12:54:47 -0400 Live-update guard verified on velox (live Hyprland)
Verified the =hypr-live-update-guard= PreTransaction hook end-to-end on velox
with Hyprland running (pid 1997). velox predated the feature, so the guard was
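Review bot: the final-read checklist names the placeholders to confirm but gives the reader no mechanical check for the leak it guards against; add a step that greps =README.md= for the personal identifiers this task file already names (=cjennings.net=, the personal e-mail addresses, personal repo names) and expects zero matches, so the human read is backed by a repeatable check before the public release.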