| field | value | date |
|---|---|---|
| author | Craig Jennings <c@cjennings.net> | 2026-05-23 03:44:35 -0500 |
| committer | Craig Jennings <c@cjennings.net> | 2026-05-23 03:44:35 -0500 |
| commit | 92f4a9394ae1b662d037a3016e94058a3881bdb8 (patch) | |
| tree | 7e95cafbb8c861c6011e1c1ffa8a7303eaff2169 | |
| parent | 13c300f6fa8e52c498bf9843f6b8b6f61cab935b (diff) | |
| download | archsetup-92f4a9394ae1b662d037a3016e94058a3881bdb8.tar.gz, archsetup-92f4a9394ae1b662d037a3016e94058a3881bdb8.zip | |
chore: log dotfiles-separation progress and file processed handoffs
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | assets/outbox/2026-05-20-lint-followups.org | 49 |
| -rw-r--r-- | assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org | 37 |
| -rw-r--r-- | assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org | 50 |
| -rw-r--r-- | assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org | 20 |
| -rw-r--r-- | todo.org | 37 |
5 files changed, 193 insertions, 0 deletions
diff --git a/assets/outbox/2026-05-20-lint-followups.org b/assets/outbox/2026-05-20-lint-followups.org new file mode 100644 index 0000000..5b84e34 --- /dev/null +++ b/assets/outbox/2026-05-20-lint-followups.org 
@@ -0,0 +1,49 @@ + +* 2026-05-20 lint-org follow-ups — todo.org +** TODO line 484 — link-to-local-file — Link to non-existent local file "docs/PLAN-browser-themes.org" +** TODO line 394 — link-to-local-file — Link to non-existent local file "docs/firmware-cleanup.org" +** TODO line 326 — link-to-local-file — Link to non-existent local file "docs/testing-strategy.org" +** TODO line 230 — misplaced-heading — Possibly misplaced heading line + +* 2026-05-20 Wed — Date coverage: [#A] / [#B] tasks without DEADLINE or SCHEDULED +Review each: add a date, drop the priority, or confirm 'no-date by intent' inline. +- 6: ** DOING [#A] Separate dotfiles from archsetup +- 35: ** DOING [#A] Prepare for GitHub open-source release +- 165: ** TODO [#A] Review post-archsetup laptop setup steps (velox 2026-04-10) +- 224: ** TODO [#A] Ensure sleep/suspend works on laptops +- 231: ** TODO [#A] Build CI/CD pipeline that runs archsetup on every commit +- 234: ** TODO [#B] Fix install errors surfaced by the 2026-05-11 VM test run +- 279: ** TODO [#A] Generate recovery scripts from test failures +- 282: ** TODO [#A] Create package inventory system +- 287: ** TODO [#A] Establish monthly review workflow +- 292: ** TODO [#A] Automate the inventory comparison +- 295: ** TODO [#A] Complete security education within 3 months +- 298: ** TODO [#A] Prevent X termination and VT switching (security risk) +- 305: ** TODO [#B] All error messages should be actionable with recovery steps +- 308: ** TODO [#B] Enable TLP power management for laptops +- 313: ** TODO [#B] Improve logging consistency +- 318: ** TODO [#B] Add backup before system file modifications +- 323: ** TODO [#B] Implement Testinfra test suite for archsetup +- 344: ** TODO [#B] Set up automated test schedule +- 347: ** TODO [#B] Implement manual test trigger capability +- 350: ** TODO [#B] Create test results dashboard/reporting +- 353: ** TODO [#B] Block merges to main if tests fail +- 356: ** TODO [#B] Add network failure testing to 
test suite +- 359: ** TODO [#B] Keep container base images up to date +- 362: ** TODO [#B] Persist test logs for historical analysis +- 365: ** TODO [#B] Implement automated deprecation detection +- 368: ** TODO [#B] Audit dotfiles/common directory +- 373: ** TODO [#B] Remove unnecessary linux-firmware packages (velox only) +- 398: ** TODO [#B] Identify and replace packages no longer in repos +- 401: ** TODO [#B] Verify package origin for all packages +- 404: ** TODO [#B] Automate script usage tracking +- 407: ** TODO [#B] Automate dotfile validation +- 410: ** TODO [#B] Test security + functionality together +- 413: ** TODO [#B] Security audit tooling +- 418: ** TODO [#B] Document threat model and mitigations within 6 months +- 421: ** TODO [#B] Verify package signature verification not bypassed by --noconfirm +- 426: ** TODO [#B] Document evaluation criteria and trade-offs +- 429: ** TODO [#B] Test each modernization thoroughly before replacing +- 432: ** TODO [#B] Add Rust installation via rustup instead of pacman package +- 442: ** TODO [#B] Add NVIDIA preflight check for Hyprland +- 448: ** TODO [#B] Add org-capture popup frame on keyboard shortcut diff --git a/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org new file mode 100644 index 0000000..5a090b8 --- /dev/null +++ b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org 
@@ -0,0 +1,37 @@ +#+TITLE: Finalize the machine-wide SSH_AUTH_SOCK fix (from archangel) +#+DATE: 2026-05-22 + +* Why this is here + +A machine-wide =SSH_AUTH_SOCK= change was started from an *archangel* session and lives in archsetup's =common= stow package, still uncommitted. The goal: every shell and session on a box — login shells, GUI apps, cron, and Claude's non-interactive Bash-tool shells — reaches gpg-agent for SSH keys with no per-script effort, so =ssh= / =ssh-add= to external hosts (e.g. truenas) work anywhere. gpg-agent already has =enable-ssh-support= (per-DE =gpg-agent.conf=); this just points =SSH_AUTH_SOCK= at its fixed socket. + +* Current uncommitted state (dotfiles/common) + +- =.config/environment.d/envvars.conf= — added =SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh= (modified, tracked). +- =.zshenv= — *new file*, exports the same (untracked). +- =~/.zshenv= was symlinked into the stow tree this session to activate it immediately; confirm stow owns it on the next =make restow=. + +* The decision to make: one mechanism or two + +- *1a — environment.d only.* Matches archsetup's existing convention (env vars already live in envvars.conf), one clean mechanism, no new dotfile type. Drop the =.zshenv=. +- *1b — environment.d + .zshenv.* Belt-and-suspenders: environment.d covers the systemd/GUI session, =.zshenv= guarantees *every* zsh including non-interactive ones (cron, tooling). Cost: a =.zshenv= convention the repo didn't have, and apparent redundancy. + +** How to decide (empirically — couldn't be isolated from the archangel session) + +The original problem was that *non-interactive* shells (Claude's Bash tool) didn't inherit =SSH_AUTH_SOCK=. The =.zshenv= path was *verified* to fix that; =environment.d=-alone was *not* isolated, because testing it needs the change committed/stowed and a fresh login. 
+ +After =make restow= + re-login, in a *non-interactive* shell check whether environment.d alone propagated: +#+begin_src bash +zsh -fc 'echo "${SSH_AUTH_SOCK:-UNSET}"' # -f skips .zshenv, so this shows environment.d-only reach +#+end_src +- Prints the gpg-agent socket → environment.d reaches non-interactive shells → go *1a*, delete =dotfiles/common/.zshenv= and the =~/.zshenv= symlink. +- Prints =UNSET= → environment.d doesn't reach them → keep *1b*. + +* Steps + +1. =make restow <de>= so stow owns the symlink(s). +2. Re-login (environment.d reloads at session start). +3. Run the reachability check above; pick 1a or 1b. +4. Commit the dotfile change(s). Conventional-commit, no AI attribution. Suggested subject: =feat(dotfiles): route SSH_AUTH_SOCK through gpg-agent=. + +Nothing personal-tooling/.ai is referenced in the dotfiles, so they're clean to commit as-is. diff --git a/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org new file mode 100644 index 0000000..37fc1b1 --- /dev/null +++ b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org 
@@ -0,0 +1,50 @@ +#+TITLE: Handoff from archangel — SSH_AUTH_SOCK routed through gpg-agent +#+DATE: 2026-05-22 + +* Why this is here + +This change was made from an *archangel* session (cross-project edit into +archsetup's stow dotfiles), so it's logged here for archsetup's next session +to review and commit. The trigger: from archangel I needed to SSH to the +TrueNAS, but Claude's non-interactive Bash-tool shells couldn't reach any +ssh-agent — =SSH_AUTH_SOCK= was unset in dotfiles, and ad-hoc =ssh-agent -s= +instances live on random =/tmp= sockets that fresh shells can't find. + +* What changed (two stow files in dotfiles/common) + +1. =dotfiles/common/.config/environment.d/envvars.conf= — appended: + #+begin_example + SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh + #+end_example + Systemd-native, cross-app, takes effect at next login. + +2. =dotfiles/common/.zshenv= — *new file*, exports the same socket. zsh + sources =.zshenv= on every invocation (incl. non-interactive tooling and + cron), so it works immediately without a re-login. Mirrors the + environment.d value. + +Also created the stow symlink =~/.zshenv -> code/archsetup/dotfiles/common/.zshenv= +(relative, matching the existing =~/.zshrc= link style). If you re-run the +stow/install step, confirm it keeps this link rather than clobbering it. + +* Why gpg-agent + +=~/.gnupg/gpg-agent.conf= already had =enable-ssh-support=, and gpg-agent +serves a fixed socket. So this reuses an agent you already run rather than +adding a new one. The =id_ed25519= key was loaded via =ssh-add= and persists +in =~/.gnupg= across reboots. The only other =SSH_AUTH_SOCK= reference in the +dotfiles is a commented-out gnome-keyring line in =.config/systemd/user/emacs.service= +(=%t/keyring/ssh=) — inactive, no conflict, but worth reconciling if you ever +want emacs on the same agent (point it at the gpg-agent socket instead). 
+ +* Verification + +- Fresh =zsh -c= sources =.zshenv= → =SSH_AUTH_SOCK= set, =ssh-add -l= shows the key. +- =ssh cjennings@truenas= (tailscale 100.67.22.65) connects with no inline prefix. + +* For archsetup's next session + +- Review + commit the two dotfile changes (envvars.conf, new .zshenv). Only + =todo.org= was dirty in archsetup before this; these two are the new edits. +- Decide whether =.zshenv= should carry anything else you'd previously put in + an interactive-only file by mistake (it shouldn't produce output). diff --git a/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org b/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org new file mode 100644 index 0000000..b4c2fb3 --- /dev/null +++ b/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org 
@@ -0,0 +1,20 @@ +#+TITLE: Proton Bridge: disable the package systemd service in favor +#+SOURCE: from .emacs.d +#+DATE: 2026-05-22 13:35:21 -0500 + +Proton Bridge: disable the package systemd service in favor of the Hyprland GUI autostart + +ISSUE +The protonmail-bridge package ships an enabled systemd USER service at /usr/lib/systemd/user/protonmail-bridge.service (ExecStart=/usr/bin/protonmail-bridge-core --noninteractive, Restart=always). hyprland.conf already autostarts the GUI build (exec-once = protonmail-bridge --no-window, line ~46). At login both fire and conflict: + +1. No tray icon. The headless service grabs the IMAP/SMTP ports (127.0.0.1:1143 / :1025) before the GUI '--no-window' instance can bind, so the GUI build that would show a StatusNotifierItem tray icon never fully starts. Bridge ends up running headless with no tray and no entry feel in the session. + +2. TLS cert mismatch breaks mail clients. The headless --noninteractive service can't reach gnome-keyring (it starts outside the graphical session), so it falls back to its OWN self-signed TLS cert. ~/.config/protonbridge.pem is exported from the GUI build's keychain cert, so mbsync (mu4e) and the work project's cmail-action.py both fail STARTTLS against the headless service with: SSL CERTIFICATE_VERIFY_FAILED: self-signed certificate. Looks like a 'rotated/stale cert' but is not — it's two different certs from two different bridge instances. + +SOLUTION (applied on this machine 2026-05-22) +systemctl --user disable --now protonmail-bridge.service + +That leaves the Hyprland exec-once GUI autostart as the sole bridge: tray icon appears, and the served cert matches ~/.config/protonbridge.pem. Verified: 'echo | openssl s_client -starttls imap -connect 127.0.0.1:1143 -CAfile ~/.config/protonbridge.pem' returns 'Verify return code: 0 (ok)', and 'mbsync -a' syncs all accounts (incl. cmail/Proton) with no TLS error. 
+ +ARCHSETUP ACTION +The fix is a per-machine systemctl state change that a fresh install would undo (the package re-enables its service). Make it durable in the setup: either mask/disable protonmail-bridge.service as part of the install, or document that the Hyprland 'exec-once = protonmail-bridge --no-window' is the intended bridge launcher and the package service must stay disabled. Don't run both. 
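Review bot: Under ARCHSETUP ACTION in 2026-05-22-emacs-proton-bridge-disable-package-service.org, prefer mask over disable for the durable fix. `systemctl --user disable` only removes the WantedBy links and is undone by anything that re-enables the unit (a preset re-applied on reinstall, a manual `enable`), whereas `systemctl --user mask protonmail-bridge.service` links `~/.config/systemd/user/protonmail-bridge.service` to /dev/null, which refuses `start` outright and survives package upgrades because the package only writes under /usr. Since the mask is a plain symlink in the user's config dir, the install script can create it directly or the dotfiles repo can carry it, and the install can assert the state with `systemctl --user is-enabled protonmail-bridge.service` printing `masked`. Minor: the `#+TITLE:` line of this file is cut off at "in favor".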
@@ -30,6 +30,22 @@ Two minor robustness gaps in =dotfiles/hyprland/.local/bin/airplane-mode= surfac :LAST_REVIEWED: 2026-05-21 :END: The wlogout exit menu renders its buttons taller than they are wide, so the cells read as vertical rectangles instead of squares. Fix the button sizing in the wlogout style (=dotfiles/hyprland/.config/wlogout/style.css=) so each cell is square. Noticed 2026-05-21. Related: the [#D] VERIFY about wlogout sizing across displays. +** DONE [#C] super+e emacs launch doesn't grab focus from tiled browser :quick: +CLOSED: [2026-05-22 Fri] +:PROPERTIES: +:LAST_REVIEWED: 2026-05-22 +:END: +Launching emacs with super+e while a browser window is open in tiled mode leaves focus on the browser instead of moving it to the newly opened emacs window in the main (left) portion of the screen. Expected: the new emacs window takes focus. Noticed 2026-05-22. + +Resolved 2026-05-22: not a focus *failure* but a focus *fight*. Live socket2 capture showed the new (XWayland, non-pgtk Emacs 30.2) frame does get focus on open, then Firefox reclaims it via an activation request because =misc:focus_on_activate=true=. Set it =false= in the dotfiles repo (=3bfba5a=) — new-window focus is a separate path so emacs still focuses on open, but the browser can no longer steal it back. Verified by Craig. +** TODO [#B] protonmail-bridge package service conflicts with Hyprland autostart :cmail: +:PROPERTIES: +:LAST_REVIEWED: 2026-05-22 +:END: +The =protonmail-bridge= package ships an enabled systemd user service (=/usr/lib/systemd/user/protonmail-bridge.service=, =--noninteractive=, =Restart=always=) that double-launches with the Hyprland =exec-once = protonmail-bridge --no-window= GUI autostart. 
Two symptoms: (1) no tray icon — the headless service grabs ports 127.0.0.1:1143/:1025 before the GUI =--no-window= instance can bind; (2) TLS cert mismatch — the headless service can't reach gnome-keyring (starts outside the graphical session), falls back to its own self-signed cert, so =mbsync=/mu4e and cmail-action.py fail STARTTLS against =~/.config/protonbridge.pem= with SSL CERTIFICATE_VERIFY_FAILED. + +Fix applied per-machine 2026-05-22: =systemctl --user disable --now protonmail-bridge.service=, leaving the Hyprland exec-once GUI as the sole bridge (tray icon returns, served cert matches, =mbsync -a= clean). A fresh install re-enables the package service, so make it durable: mask/disable =protonmail-bridge.service= during install (likely in =scripts/cmail-setup-finish.sh=) and document that the Hyprland exec-once is the intended launcher — never run both. Source: handoff from .emacs.d 2026-05-22. + ** DOING [#A] Separate dotfiles from archsetup SCHEDULED: <2026-05-21 Thu> :PROPERTIES: 
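Review bot: In the new protonmail-bridge TODO, "mask/disable protonmail-bridge.service during install (likely in scripts/cmail-setup-finish.sh)" has to account for the install running as root: `systemctl --user` talks to the invoking user's own manager over that user's session bus, so from a root install script it either fails to connect or acts on root's units, not the new user's. Because masking is just the symlink `~/.config/systemd/user/protonmail-bridge.service -> /dev/null`, the script can create that link in the new user's home and chown it, or run `systemctl --user mask` via `sudo -u "$username"` with the user's XDG_RUNTIME_DIR set. Either way the unit file in /usr/lib/systemd/user remains, so verify with `systemctl --user is-enabled`, not by checking that the file is gone.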
@@ -63,6 +79,27 @@ Review the spec for accuracy, edge cases, and scope. Flag changes before impleme *** 2026-05-14 Thu @ 21:43:41 -0500 AI Response: Review resolved; spec locked for Phase 1 Walked the spec's 5 open questions plus my 5 review concerns. Locked: URL =https://git.cjennings.net/dotfiles.git= (anonymous HTTPS read confirmed against existing repos at the same host), bare repo path =/var/git/dotfiles.git=, scope = Phase 1 only (~30 min). Added =environment.d/envvars.conf= (with rofi path stripped) and =systemd/user/emacs.service= to the =minimal/= tree; skipped =ncmpcpp= and =systemd/user/geoclue-agent.service=. Phase 2/3 constraints folded into the spec body for the executor: =DESKTOP_ENV=none= VM test required (was optional), clone uses =sudo -u "$username"= to avoid chown-after races, Phase 3 unstow/restow runs without an intermediate Hyprland reload, dotfiles repo can't go on GitHub until secrets cleanup ships, and Step 3.3 documents the post-install update flow. Latest spec at =docs/PLAN-dotfiles-separation.org= (=817d939=). End-of-day Phase 1 session reads from there and executes. +*** 2026-05-22 Fri @ 13:41:08 -0500 Phase 1 executed — dotfiles repo live on cjennings.net +Created the bare repo at =/var/git/dotfiles.git=, extracted =dotfiles/= from archsetup with =git filter-repo --subdirectory-filter= (229 commits, per-file history preserved), built the =minimal/= stow target per the spec, and pushed to =git@cjennings.net:dotfiles.git= (HEAD =68daeab=). Anonymous read at =https://git.cjennings.net/dotfiles.git= confirmed. Two spec corrections committed in archsetup (=7c26495=): push URL switched to SSH (HTTPS is read-only), and =minimal/.profile.d/= now ships 5 files including =claude.sh= (added on Craig's call, post-dated the spec lock). Phase 2 (wire archsetup config + VM test, ~2-3 hrs) and Phase 3 (migrate machines, remove =dotfiles/= from archsetup) remain. 
+ +*** 2026-05-22 Fri @ 17:05 -0500 Phase 2 shipped — archsetup clones the dotfiles repo +Wired archsetup to the external dotfiles repo: clones =DOTFILES_REPO= to =~/.dotfiles= and stows per =DESKTOP_ENV= (dwm/hyprland → common + that DE; none → minimal). Added =DOTFILES_REPO=/=BRANCH=/=DIR= config keys + validation; test harness serves the repo to the VM as =/tmp/dotfiles-test=. Commits =bab6901= (feat) + =68172c8= (test infra), pushed to origin/main. Spec-directed =sudo -u= clone hit a real bug — =useradd -m= skips the home-dir chown when =/home/$username= pre-exists (root-owned), so the user-clone failed with Permission denied; fixed by cloning as root + =chown -R= (mirrors the archsetup clone). git restore now runs for all DE paths (minimal ships skel-colliding .bashrc etc.). + +*** 2026-05-22 Fri @ 18:10 -0500 Phase 3.1 + 3.3 done — this machine on ~/.dotfiles +Migrated this workstation: cloned the dotfiles repo to =~/.dotfiles=, committed the gpg-agent SSH routing (=.zshenv= + =envvars.conf=) that was uncommitted in the live tree as =888a599= in the dotfiles repo, then =make unstow hyprland= + =make stow hyprland DOTFILES=~/.dotfiles=. Snag: unstowing while Hyprland ran made it write a stub hyprland.conf that blocked the restow — quit Hyprland, removed the stub, restowed clean. All symlinks now resolve into =~/.dotfiles=. CLAUDE.md updated with the external-repo docs + migration steps + the quit-Hyprland gotcha (=e1810ce=). Remaining: 3.2 (=git rm dotfiles/=) blocked until ratio + velox migrate the same way. + +*** 2026-05-22 Fri @ 21:20 -0500 velox migrated to ~/.dotfiles (laptop overrides preserved) +ratio is THIS machine (was "fractal" pre-reinstall) — migrated in 3.1. velox migrated over SSH (Craig quit its Hyprland): cloned ~/.dotfiles, stowed common+hyprland from it. 
velox carries deliberate laptop-local real-file overrides (foot.ini font 12, pypr config.toml laptop scratchpad sizing, waybar config battery module) that shadow stow — preserved them as local real files (backed up, restowed the rest, restored the overrides). All machines now on ~/.dotfiles. + +*** TODO [#A] Phase 3.2 — git rm -r dotfiles/ from archsetup, drop transitional CLAUDE.md notes +Now unblocked (ratio + velox both migrated). Remove =dotfiles/= from the archsetup repo, drop the "transitional / retained until velox migrates" notes in CLAUDE.md (Project Structure + Dotfiles Repository section). Note velox + ratio still have local archsetup clones with dotfiles/ — harmless (they stow from ~/.dotfiles now); their next archsetup pull drops it. + +*** TODO [#B] Cleaner per-machine override mechanism for the dotfiles repo +velox keeps laptop-specific configs (foot font, pypr scratchpad sizing for 2256x1504, waybar battery) as local REAL files shadowing the stow symlinks. That's fragile: any =make restow= on velox re-conflicts (hit exactly this during the 2026-05-22 migration — stow aborts on the real files). The =~/.dotfiles= model needs a real per-machine override story (a =minimal/=-style per-host package, a documented local-override convention with =.stow-local-ignore=, or host-conditional includes) so overrides survive restows without manual backup/restore. + +*** TODO [#A] Verify Phase 2 in the VM (hyprland + none) — pending clean run +Phase 2 shipped without a full VM integration pass: four runs hit env issues (pacman timeout, an SSH drop at 60 min, then a port-2222 collision with an active archangel VM). The fixed clone code was exercised by run 3 and run 4 ran 60 min past it, but the stow-per-DESKTOP_ENV paths — especially =none=/minimal, which no run reached — are unverified end-to-end. Close the gap: =make test= (hyprland) and a =DESKTOP_ENV=none= run, once port 2222 is free. 
+ ** DOING [#A] Prepare for GitHub open-source release SCHEDULED: <2026-05-21 Thu> :PROPERTIES: |
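Review bot: In assets/outbox/2026-05-20-lint-followups.org every item is keyed to a todo.org line number (line 484, 394, 326, 230, then the 6/35/165/... list), and this same commit inserts 16 lines into todo.org at line 30 (`@@ -30,6 +30,22 @@`) and 21 more at line 63 (`@@ -63,6 +79,27 @@`), so every reference past line 30 is already off by 16 or 37 the moment the file lands. Key the follow-ups to the heading text (the list already carries it) or an org ID property, or regenerate the file from the current todo.org before committing it.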
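Review bot: In 2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org the `zsh -fc 'echo "${SSH_AUTH_SOCK:-UNSET}"'` reachability check only proves inheritance from whatever shell it is typed into, not that environment.d reaches non-interactive shells in general. environment.d feeds the systemd user manager, so the variable appears in a process only if that process descends from the user manager or from a session that imported the manager's environment; if Hyprland is exec'd from a tty login shell, that shell and everything under it never sees environment.d at all, and a terminal that did inherit it will make the check pass for the wrong reason. Run the check from the same process tree as the tool that originally failed (Claude's Bash tool, per the file), and record which of 1a/1b was chosen: the 18:10 todo.org entry in this same patch commits both .zshenv and envvars.conf, i.e. 1b, without saying whether the check was run.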
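Review bot: In 2026-05-22-archangel-ssh-auth-sock-gpg-agent.org, exporting `SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh` unconditionally from .zshenv has two edge cases the file does not cover. First, .zshenv runs for every zsh, including the one sshd starts for an inbound connection, so an agent forwarded in with `ssh -A` is overwritten by the local gpg-agent socket as soon as a shell starts; the velox-over-SSH migration described later in this patch is exactly that situation. Set it only when unset (`: "${SSH_AUTH_SOCK:=...}"` before the export) or skip the export when the gpg socket does not exist. Second, the path is not always that literal string: when XDG_RUNTIME_DIR is unset (cron is named as a target in the file) the export degrades to `/gnupg/S.gpg-agent.ssh`, and with a non-default GNUPGHOME gpg puts its sockets in a hashed subdirectory under /run/user/UID/gnupg. `gpgconf --list-dirs agent-ssh-socket` is the canonical way to obtain the path and covers both.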
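Review bot: In the 17:05 Phase 2 entry, "fixed by cloning as root + chown -R" treats the symptom rather than the bug: the spec chose `sudo -u "$username"` precisely to avoid chown-after races, and the reported failure (Permission denied because `useradd -m` left a pre-existing, root-owned /home/$username untouched) is a home-directory setup problem, not a clone problem. Chowning the home directory once, right after useradd, keeps the user-owned clone the spec asked for and removes the recursive chown on both the dotfiles clone and the archsetup clone it "mirrors". Separately, DOTFILES_REPO/BRANCH/DIR pins a branch, not a revision, so an install fetches whatever HEAD of that branch the server serves over anonymous HTTPS at install time; consider pinning a tag or commit (and verifying it with `git verify-commit` once the repo is signed) before the GitHub release this todo also tracks.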
