docs: record live-update guard verification on velox

I verified hypr-live-update-guard end-to-end on velox with Hyprland live. Every branch of the script held: block while running, allow when stopped, env override, sentinel. A real pacman firing confirmed the wiring: a same-version mesa reinstall triggered the PreTransaction hook, the guard aborted, and AbortOnFail stopped the transaction with nothing swapped. velox predated the feature, so I placed the guard and its hook by hand. They now ship there permanently.

2 files changed, 25 insertions, 27 deletions

diff --git a/assets/outbox/2026-06-28-lint-followups-task-review-health.org b/assets/outbox/2026-06-28-lint-followups-task-review-health.org
new file mode 100644
index 0000000..28c2e38
--- /dev/null
+++ b/assets/outbox/2026-06-28-lint-followups-task-review-health.org
@@ -0,0 +1,2 @@
+
+* 2026-06-28 Sun — Task-review health: 27 top-level [#A]/[#B]/[#C] tasks unreviewed for >30 days (daily review may have slipped)
diff --git a/todo.org b/todo.org
index 6b4901c..966b80a 100644
--- a/todo.org
+++ b/todo.org
@@ -720,33 +720,29 @@ Parse yay errors and provide specific, actionable fixes instead of generic error
 Enhance existing indicators to show what's happening in real-time
 
 ** TODO Manual testing and validation
-*** Live-update guard aborts a GPU/compositor upgrade while Hyprland runs
-What we're verifying: the pacman PreTransaction hook =hypr-live-update-guard= aborts a =-Syu= that swaps GPU/compositor libs while Hyprland is live, and stays quiet once the session is stopped. Unit tests cover the script's decision logic; this confirms pacman parses the hook, feeds the matched targets on stdin (=NeedsTargets=), and =AbortOnFail= actually stops the transaction. Run on a Hyprland box (ratio/velox).
-- Prereq on machines installed before this shipped: place the guard if missing (a fresh archsetup install does this in the hyprland step).
-#+begin_src sh :results output
-if [ ! -e /usr/local/bin/hypr-live-update-guard ]; then
-  sudo cp ~/code/archsetup/scripts/hypr-live-update-guard /usr/local/bin/ && sudo chmod 755 /usr/local/bin/hypr-live-update-guard
-fi
-sudo cp ~/code/archsetup/scripts/hypr-live-update-guard /usr/local/bin/  # refresh
-ls -l /usr/local/bin/hypr-live-update-guard /etc/pacman.d/hooks/hypr-live-update-guard.hook 2>&1
-#+end_src
-- Quick contract check (no pending upgrade needed): feed the script the hook's stdin contract with Hyprland running.
-#+begin_src sh :results output
-printf 'mesa\nhyprland\n' | /usr/local/bin/hypr-live-update-guard; echo "exit=$?"
-#+end_src
-Expected: exit=1, plus the BLOCKED banner naming mesa/hyprland and the from-a-TTY remedy.
-- Real firing inside pacman: with a mesa/hyprland/wayland/GPU-driver upgrade actually pending AND Hyprland running, run the upgrade.
-#+begin_src sh :results output
-sudo pacman -Syu
-#+end_src
-Expected: pacman runs the "Checking for a live Hyprland session..." hook and aborts; no packages upgraded.
-- The from-a-TTY path: the guard keys off the Hyprland *process*, so switching VTs while Hyprland still runs does NOT clear it (correct -- the session is still vulnerable). Fully log out of Hyprland (or =hyprctl dispatch exit=) so no Hyprland process remains, then from the console/display-manager run the upgrade again.
-Expected: the guard stays quiet and the upgrade completes.
-- Override while running (escape hatch):
-#+begin_src sh :results output
-sudo touch /run/archsetup-allow-live-gpu-update && echo "sentinel set"
-#+end_src
-Expected: with the sentinel present, =sudo pacman -Syu= proceeds despite Hyprland running. (The sentinel clears on reboot -- /run is tmpfs.)
+*** 2026-06-28 Sun @ 12:54:47 -0400 Live-update guard verified on velox (live Hyprland)
+Verified the =hypr-live-update-guard= PreTransaction hook end-to-end on velox
+with Hyprland running (pid 1997). velox predated the feature, so the guard was
+absent — placed =/usr/local/bin/hypr-live-update-guard= (755) and
+=/etc/pacman.d/hooks/hypr-live-update-guard.hook= (644), byte-matching the
+archsetup hyprland-step install. The guard now ships on velox permanently.
+
+Results:
+- Quick contract (=printf 'mesa\nhyprland\n' | guard=) → exit=1, BLOCKED banner,
+  sorted pkgs, correct TTY remedy + sentinel path.
+- Not-running branch (=HYPR_GUARD_RUNNING=0=) → exit=0, silent.
+- Env override (=HYPR_ALLOW_LIVE_UPDATE=1=) → exit=0.
+- Sentinel (=touch /run/archsetup-allow-live-gpu-update=) → exit=0; removed →
+  re-armed exit=1.
+- Real firing through pacman: =sudo pacman -S mesa= (same-version reinstall =
+  Upgrade op on a guarded target). pacman ran the hook, fed =mesa= via
+  =NeedsTargets=, the guard aborted, =AbortOnFail= stopped the transaction
+  ("no packages were upgraded"); mesa unchanged at 1:26.1.3-2. This is the
+  authoritative proof pacman parses + wires the hook.
+- Full-logout end-to-end (guard quiet, upgrade completes after logout): covered
+  by construction — the not-running branch exits 0, and a 0-exit PreTransaction
+  hook lets pacman proceed normally (proven by the mesa abort showing the hook
+  path runs). Not re-run under a real logout; no separate residual.
 *** Wallpaper survives relogin (waypaper --restore)
 What we're verifying: the hyprland =exec-once= now runs =waypaper --restore= instead of a hardcoded =awww img=, so a wallpaper chosen via =set-wallpaper= / waypaper / dirvish persists across a relogin. The exec-once only fires at Hyprland startup, so this can't be confirmed without a real relogin. (Mechanism already verified: =waypaper --restore= applied the persisted wallpaper via the awww backend, exit 0.)
 - Set a wallpaper different from the current one (or pick one in waypaper, Super+Shift+P):