author: Craig Jennings <c@cjennings.net> 2026-05-20 12:44:34 -0500
committer: Craig Jennings <c@cjennings.net> 2026-05-20 12:44:34 -0500
commit: 5426f03ebea6f71366e4855eeaf1dea1c5918937 (patch)
tree: 72fac17b332b057d5076df63e141c7649e4b1c13
parent: 618e6cce0b1662f50c6e766bba7e11b6d6952532 (diff)
chore: log the calendar-secret scrub and queue URL rotation
Recorded the git-history scrub of the private calendar config and added a follow-up to rotate the three exposed feed URLs once I'm at ratio's GUI. Also closed the testing-docs and shellcheck tasks that shipped this round.
-rw-r--r-- todo.org 32
1 files changed, 21 insertions, 11 deletions
diff --git a/todo.org b/todo.org
index c8f46c3..b7925ec 100644
--- a/todo.org
+++ b/todo.org
@@ -63,6 +63,16 @@ Checked each subtask below against the source / git state. Bottom line: almost n
- =.mbsyncrc= — ProtonBridge IMAP credentials
Add all to =.gitignore=, remove from git tracking, create =.example= templates where appropriate.
+*** TODO [#A] Rotate exposed calendar feed URLs
+Needs the ratio GUI (browser-based regeneration), so deferred until I'm in front of ratio. Three private ical URLs sat in git history (commit =500b1f5=, 2026-05-13) until the 2026-05-20 scrub. The scrub removed them from local + remote history, but anyone who pulled the repo between those dates still has the tokens, so regenerate all three:
+- Google personal (=craigmartinjennings@gmail.com= private ical URL)
+- Proton (calendar.proton.me URL with PassphraseKey)
+- Google DeepSat (=craig.jennings@deepsat.com= private ical URL)
+After regenerating, update the live =~/.emacs.d/calendar-sync.local.el= (now owned by the emacs/dotemacs project — see its inbox handoff from 2026-05-20).
+
+*** 2026-05-20 Wed @ 12:09:32 -0500 Scrubbed the calendar secret from git history
+=dotfiles/common/.emacs.d/calendar-sync.local.el= (private Google/Proton/DeepSat ical URLs, added in =500b1f5= for stow distribution) was discovered while folding tmux-util into stow. Sent the file back to the emacs project's inbox, =git rm='d it, then =git filter-repo --invert-paths --path= purged it from all 29 affected commits. Force-pushed (=0921e4d...618e6cc=, with lease) and ran =reflog expire= + =gc --prune=now= on the bare repo at =/var/git/archsetup.git=. Verified: the file is in zero commits, the secret tokens return zero matches across all history, and =500b1f5= / =0921e4d= are unreachable on both local and remote. Rotation of the URLs tracked as the sibling TODO above. This also proves =filter-repo= works cleanly here — relevant precedent for the broader [[*Scrub git history of secrets (or start fresh)][history-scrub task]] below (the 5 credential files are still in history).
+
*** TODO [#A] Remove/template personal information from scripts
- =archsetup= lines 2-3: personal email and website in header
- =archsetup= lines 141-146: hardcoded =git.cjennings.net= repository URLs — make configurable via conf
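Review bot: The three bullets under "Rotate exposed calendar feed URLs" write two full account email addresses into todo.org, directly above the "Remove/template personal information from scripts" task, so this commit adds to the personal data that task will later have to strip; name the feeds generically (Google personal, Proton, Google work) and keep the addresses out of the tracked file. Two smaller points on the same lines: the entry itself says anyone who pulled between 2026-05-13 and 2026-05-20 still holds the tokens, so the feeds stay exposed until rotation happens, and the TODO would be better with a DEADLINE or SCHEDULED date than an open-ended "deferred until I'm in front of ratio". The scrub log says "the secret tokens return zero matches across all history" without recording how that was checked; noting the exact search command would let the same verification be repeated for the five credential files that are still in history.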
@@ -132,17 +142,17 @@ Pyprland scratchpad percentages (50% wide, 70% tall) look good on 3440x1440 but
*** TODO [#A] Dynamic waybar/foot config based on screen resolution
Resolution-aware font sizes and conditional module inclusion. A startup script detects resolution and generates waybar CSS and foot config with appropriate values, so both machines use the same stowed templates.
-*** TODO [#A] Bulk shellcheck cleanup
-Reviewed 2026-01-24: ~128 warnings, mostly acceptable patterns or low-priority style issues.
-- SC2024 (sudo redirects) - acceptable, script runs as root
-- SC2174 (mkdir -p -m) - reviewed, not a practical issue
-- Various quoting warnings - high-priority ones already fixed
-Focus on warnings that matter for public code review.
-cj: you can probably do this one on your own.
-
-*** TODO [#A] Document testing process in README
-Help future maintainers and contributors understand and modify test infrastructure.
-cj: you can probably do this on our own.
+*** 2026-05-20 Wed @ 06:50:25 -0500 Swept shellcheck across the shell scripts
+Census across the 16 shell scripts (=archsetup=, =init=, =scripts/*.sh=, =scripts/testing/=): 124 findings, zero errors. Triaged against "what matters for public review" and confirmed the 2026-01-24 read — most are intentional or documented-acceptable:
+- SC2024 (14, sudo redirects), SC2174 (16, =mkdir -p -m=), SC1091 (13, unfollowable sources), SC2329 (32, functions invoked indirectly via the =STEPS= dispatch array), SC2153 (1, =DISK_PATH= sourced from =vm-utils.sh=) — all false positives or accepted.
+- SC2086 on =$SSH_OPTS= in =vm-utils.sh= (×4) and =$TEMP_DISKS= in =cleanup-tests.sh= — intentional word-splitting; quoting would break them. The SSH_OPTS-as-array refactor is the proper fix, deliberately deferred (codebase-wide, one atomic change).
+- SC2086 integer tests in =[ ]= (=archsetup=, =cleanup-tests=) — safe, note-level style; left to avoid churn in the just-fixed =retry_install=.
+- SC2015 (×2, =vm_exec && success || warn=) — =success=/=warn= return 0, so C won't spuriously fire. Idiomatic.
+
+Fixed the four that are genuine: =init= (a =#!/bin/sh= script) used =$(</etc/hostname)= (SC3034 bashism → =$(cat ...)=) and an unquoted =$interface_up= (SC2086 → quoted); =shellcheck init= now clean, =sh -n= passes. Suppressed the two =VM_IP= SC2034 warnings with documented =# shellcheck disable= directives (consumed by the sourced =validation.sh=, which shellcheck can't follow). 124 → 120; the remaining 120 are the triaged-acceptable set above.
+
+*** 2026-05-20 Wed @ 06:32:17 -0500 Documented the testing process in the README
+The README only covered the VM integration harness; the unit-test layer under =tests/= (Python =unittest=, fake-binary-on-PATH, one dir per script — =layout-navigate=, =tmux-util=) was undocumented. Added a =make test-unit= target that runs every =tests/*/test_*.py= suite explicitly (=unittest discover= can't find them — hyphenated dir names aren't valid package paths), then rewrote the README Testing section into "Unit tests" and "Integration tests (VM harness)" subsections, including how to add a suite for a new script. Updated Contributing to point at =make test-unit= for script changes. 61 unit tests pass via the new target.
*** TODO [#A] Add guard for rm -rf on constructed paths
Lines 236, 466, 905: validate directory exists and is in expected location before =rm -rf=.
cj: you can probably do this on your own
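Review bot: The SC2015 bullet justifies =vm_exec && success || warn= with "so C won't spuriously fire", but "C" is never defined in the entry and the reasoning cites both =success= and =warn= returning 0 when only the return value of =success= decides whether =warn= runs after a successful =vm_exec=. Reword it to say that =success= always returns 0, so =warn= runs only when =vm_exec= fails, and consider noting that this holds only while =success= cannot fail (for example on a write error). Also, "Fixed the four that are genuine" covers two code fixes in =init= plus two SC2034 suppressions that the same sentence describes as variables consumed by a sourced file, which are false positives rather than genuine findings; "fixed two, suppressed two" would match the 124 → 120 count without overstating it.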