author: Craig Jennings <c@cjennings.net> 2026-05-23 03:44:35 -0500
committer: Craig Jennings <c@cjennings.net> 2026-05-23 03:44:35 -0500
commit: 92f4a9394ae1b662d037a3016e94058a3881bdb8
tree: 7e95cafbb8c861c6011e1c1ffa8a7303eaff2169 /assets
parent: 13c300f6fa8e52c498bf9843f6b8b6f61cab935b
download: archsetup-92f4a9394ae1b662d037a3016e94058a3881bdb8.tar.gz, archsetup-92f4a9394ae1b662d037a3016e94058a3881bdb8.zip
chore: log dotfiles-separation progress and file processed handoffs
Diffstat (limited to 'assets')
-rw-r--r--  assets/outbox/2026-05-20-lint-followups.org                                   49
-rw-r--r--  assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org         37
-rw-r--r--  assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org                50
-rw-r--r--  assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org      20
4 files changed, 156 insertions, 0 deletions
diff --git a/assets/outbox/2026-05-20-lint-followups.org b/assets/outbox/2026-05-20-lint-followups.org
new file mode 100644
index 0000000..5b84e34
--- /dev/null
+++ b/assets/outbox/2026-05-20-lint-followups.org
@@ -0,0 +1,49 @@
+
+* 2026-05-20 lint-org follow-ups — todo.org
+** TODO line 484 — link-to-local-file — Link to non-existent local file "docs/PLAN-browser-themes.org"
+** TODO line 394 — link-to-local-file — Link to non-existent local file "docs/firmware-cleanup.org"
+** TODO line 326 — link-to-local-file — Link to non-existent local file "docs/testing-strategy.org"
+** TODO line 230 — misplaced-heading — Possibly misplaced heading line
+
+* 2026-05-20 Wed — Date coverage: [#A] / [#B] tasks without DEADLINE or SCHEDULED
+Review each: add a date, drop the priority, or confirm 'no-date by intent' inline.
+- 6: ** DOING [#A] Separate dotfiles from archsetup
+- 35: ** DOING [#A] Prepare for GitHub open-source release
+- 165: ** TODO [#A] Review post-archsetup laptop setup steps (velox 2026-04-10)
+- 224: ** TODO [#A] Ensure sleep/suspend works on laptops
+- 231: ** TODO [#A] Build CI/CD pipeline that runs archsetup on every commit
+- 234: ** TODO [#B] Fix install errors surfaced by the 2026-05-11 VM test run
+- 279: ** TODO [#A] Generate recovery scripts from test failures
+- 282: ** TODO [#A] Create package inventory system
+- 287: ** TODO [#A] Establish monthly review workflow
+- 292: ** TODO [#A] Automate the inventory comparison
+- 295: ** TODO [#A] Complete security education within 3 months
+- 298: ** TODO [#A] Prevent X termination and VT switching (security risk)
+- 305: ** TODO [#B] All error messages should be actionable with recovery steps
+- 308: ** TODO [#B] Enable TLP power management for laptops
+- 313: ** TODO [#B] Improve logging consistency
+- 318: ** TODO [#B] Add backup before system file modifications
+- 323: ** TODO [#B] Implement Testinfra test suite for archsetup
+- 344: ** TODO [#B] Set up automated test schedule
+- 347: ** TODO [#B] Implement manual test trigger capability
+- 350: ** TODO [#B] Create test results dashboard/reporting
+- 353: ** TODO [#B] Block merges to main if tests fail
+- 356: ** TODO [#B] Add network failure testing to test suite
+- 359: ** TODO [#B] Keep container base images up to date
+- 362: ** TODO [#B] Persist test logs for historical analysis
+- 365: ** TODO [#B] Implement automated deprecation detection
+- 368: ** TODO [#B] Audit dotfiles/common directory
+- 373: ** TODO [#B] Remove unnecessary linux-firmware packages (velox only)
+- 398: ** TODO [#B] Identify and replace packages no longer in repos
+- 401: ** TODO [#B] Verify package origin for all packages
+- 404: ** TODO [#B] Automate script usage tracking
+- 407: ** TODO [#B] Automate dotfile validation
+- 410: ** TODO [#B] Test security + functionality together
+- 413: ** TODO [#B] Security audit tooling
+- 418: ** TODO [#B] Document threat model and mitigations within 6 months
+- 421: ** TODO [#B] Verify package signature verification not bypassed by --noconfirm
+- 426: ** TODO [#B] Document evaluation criteria and trade-offs
+- 429: ** TODO [#B] Test each modernization thoroughly before replacing
+- 432: ** TODO [#B] Add Rust installation via rustup instead of pacman package
+- 442: ** TODO [#B] Add NVIDIA preflight check for Hyprland
+- 448: ** TODO [#B] Add org-capture popup frame on keyboard shortcut
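Review bot: this outbox note lacks the `#+TITLE:` / `#+DATE:` front matter that the other three files in this commit carry, and the file opens with an empty line before the first heading; for consistency across `assets/outbox/` add the same header block and drop the leading blank line. Also, every item here is keyed to a line number in `todo.org` ("line 484", "- 6:", "- 35:", ...), which will drift as soon as that file is edited; consider recording the heading text alone (it is already present on each line) or an org ID so the follow-ups stay resolvable after the handoff.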
diff --git a/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org
new file mode 100644
index 0000000..5a090b8
--- /dev/null
+++ b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-finalize-handoff.org
@@ -0,0 +1,37 @@
+#+TITLE: Finalize the machine-wide SSH_AUTH_SOCK fix (from archangel)
+#+DATE: 2026-05-22
+
+* Why this is here
+
+A machine-wide =SSH_AUTH_SOCK= change was started from an *archangel* session and lives in archsetup's =common= stow package, still uncommitted. The goal: every shell and session on a box — login shells, GUI apps, cron, and Claude's non-interactive Bash-tool shells — reaches gpg-agent for SSH keys with no per-script effort, so =ssh= / =ssh-add= to external hosts (e.g. truenas) work anywhere. gpg-agent already has =enable-ssh-support= (per-DE =gpg-agent.conf=); this just points =SSH_AUTH_SOCK= at its fixed socket.
+
+* Current uncommitted state (dotfiles/common)
+
+- =.config/environment.d/envvars.conf= — added =SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh= (modified, tracked).
+- =.zshenv= — *new file*, exports the same (untracked).
+- =~/.zshenv= was symlinked into the stow tree this session to activate it immediately; confirm stow owns it on the next =make restow=.
+
+* The decision to make: one mechanism or two
+
+- *1a — environment.d only.* Matches archsetup's existing convention (env vars already live in envvars.conf), one clean mechanism, no new dotfile type. Drop the =.zshenv=.
+- *1b — environment.d + .zshenv.* Belt-and-suspenders: environment.d covers the systemd/GUI session, =.zshenv= guarantees *every* zsh including non-interactive ones (cron, tooling). Cost: a =.zshenv= convention the repo didn't have, and apparent redundancy.
+
+** How to decide (empirically — couldn't be isolated from the archangel session)
+
+The original problem was that *non-interactive* shells (Claude's Bash tool) didn't inherit =SSH_AUTH_SOCK=. The =.zshenv= path was *verified* to fix that; =environment.d=-alone was *not* isolated, because testing it needs the change committed/stowed and a fresh login.
+
+After =make restow= + re-login, in a *non-interactive* shell check whether environment.d alone propagated:
+#+begin_src bash
+zsh -fc 'echo "${SSH_AUTH_SOCK:-UNSET}"' # -f skips .zshenv, so this shows environment.d-only reach
+#+end_src
+- Prints the gpg-agent socket → environment.d reaches non-interactive shells → go *1a*, delete =dotfiles/common/.zshenv= and the =~/.zshenv= symlink.
+- Prints =UNSET= → environment.d doesn't reach them → keep *1b*.
+
+* Steps
+
+1. =make restow <de>= so stow owns the symlink(s).
+2. Re-login (environment.d reloads at session start).
+3. Run the reachability check above; pick 1a or 1b.
+4. Commit the dotfile change(s). Conventional-commit, no AI attribution. Suggested subject: =feat(dotfiles): route SSH_AUTH_SOCK through gpg-agent=.
+
+Nothing personal-tooling/.ai is referenced in the dotfiles, so they're clean to commit as-is.
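Review bot: the reachability check in the "How to decide" section does not isolate environment.d from `.zshenv` as the comment claims. `zsh -f` only stops the child from sourcing `.zshenv`; it still inherits the parent's exported environment, so if the probe is typed into an interactive zsh that already sourced the new `.zshenv`, `SSH_AUTH_SOCK` is inherited and the check reports a false "1a works" result. To see what environment.d alone put into the session, query the user manager directly, e.g. `systemctl --user show-environment | grep '^SSH_AUTH_SOCK='`, or launch the probe from a parent that never ran zsh startup files. Worth fixing before the 1a/1b decision is made, since choosing 1a on a false positive would silently break the non-interactive shells this change set out to fix.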
diff --git a/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org
new file mode 100644
index 0000000..37fc1b1
--- /dev/null
+++ b/assets/outbox/2026-05-22-archangel-ssh-auth-sock-gpg-agent.org
@@ -0,0 +1,50 @@
+#+TITLE: Handoff from archangel — SSH_AUTH_SOCK routed through gpg-agent
+#+DATE: 2026-05-22
+
+* Why this is here
+
+This change was made from an *archangel* session (cross-project edit into
+archsetup's stow dotfiles), so it's logged here for archsetup's next session
+to review and commit. The trigger: from archangel I needed to SSH to the
+TrueNAS, but Claude's non-interactive Bash-tool shells couldn't reach any
+ssh-agent — =SSH_AUTH_SOCK= was unset in dotfiles, and ad-hoc =ssh-agent -s=
+instances live on random =/tmp= sockets that fresh shells can't find.
+
+* What changed (two stow files in dotfiles/common)
+
+1. =dotfiles/common/.config/environment.d/envvars.conf= — appended:
+ #+begin_example
+ SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh
+ #+end_example
+ Systemd-native, cross-app, takes effect at next login.
+
+2. =dotfiles/common/.zshenv= — *new file*, exports the same socket. zsh
+ sources =.zshenv= on every invocation (incl. non-interactive tooling and
+ cron), so it works immediately without a re-login. Mirrors the
+ environment.d value.
+
+Also created the stow symlink =~/.zshenv -> code/archsetup/dotfiles/common/.zshenv=
+(relative, matching the existing =~/.zshrc= link style). If you re-run the
+stow/install step, confirm it keeps this link rather than clobbering it.
+
+* Why gpg-agent
+
+=~/.gnupg/gpg-agent.conf= already had =enable-ssh-support=, and gpg-agent
+serves a fixed socket. So this reuses an agent you already run rather than
+adding a new one. The =id_ed25519= key was loaded via =ssh-add= and persists
+in =~/.gnupg= across reboots. The only other =SSH_AUTH_SOCK= reference in the
+dotfiles is a commented-out gnome-keyring line in =.config/systemd/user/emacs.service=
+(=%t/keyring/ssh=) — inactive, no conflict, but worth reconciling if you ever
+want emacs on the same agent (point it at the gpg-agent socket instead).
+
+* Verification
+
+- Fresh =zsh -c= sources =.zshenv= → =SSH_AUTH_SOCK= set, =ssh-add -l= shows the key.
+- =ssh cjennings@truenas= (tailscale 100.67.22.65) connects with no inline prefix.
+
+* For archsetup's next session
+
+- Review + commit the two dotfile changes (envvars.conf, new .zshenv). Only
+ =todo.org= was dirty in archsetup before this; these two are the new edits.
+- Decide whether =.zshenv= should carry anything else you'd previously put in
+ an interactive-only file by mistake (it shouldn't produce output).
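Review bot: the new `.zshenv` exports `SSH_AUTH_SOCK` unconditionally, and `.zshenv` runs for every zsh, so it will also clobber a socket handed in from outside (an `ssh -A` agent-forwarding session into this box, or a process deliberately started with a different agent). Guard the assignment so an existing value wins, e.g. `export SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh}"`, or only set it when the gpg-agent socket path actually exists. Two smaller points: the socket path is hardcoded in two places (envvars.conf and `.zshenv`), whereas `gpgconf --list-dirs agent-ssh-socket` returns the path gpg-agent is actually using and would keep the two from drifting; and the "Verification" section records a Tailscale address and a hostname for a personal host, which the note itself flags as material to keep out of the public dotfiles.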
diff --git a/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org b/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org
new file mode 100644
index 0000000..b4c2fb3
--- /dev/null
+++ b/assets/outbox/2026-05-22-emacs-proton-bridge-disable-package-service.org
@@ -0,0 +1,20 @@
+#+TITLE: Proton Bridge: disable the package systemd service in favor
+#+SOURCE: from .emacs.d
+#+DATE: 2026-05-22 13:35:21 -0500
+
+Proton Bridge: disable the package systemd service in favor of the Hyprland GUI autostart
+
+ISSUE
+The protonmail-bridge package ships an enabled systemd USER service at /usr/lib/systemd/user/protonmail-bridge.service (ExecStart=/usr/bin/protonmail-bridge-core --noninteractive, Restart=always). hyprland.conf already autostarts the GUI build (exec-once = protonmail-bridge --no-window, line ~46). At login both fire and conflict:
+
+1. No tray icon. The headless service grabs the IMAP/SMTP ports (127.0.0.1:1143 / :1025) before the GUI '--no-window' instance can bind, so the GUI build that would show a StatusNotifierItem tray icon never fully starts. Bridge ends up running headless with no tray and no entry feel in the session.
+
+2. TLS cert mismatch breaks mail clients. The headless --noninteractive service can't reach gnome-keyring (it starts outside the graphical session), so it falls back to its OWN self-signed TLS cert. ~/.config/protonbridge.pem is exported from the GUI build's keychain cert, so mbsync (mu4e) and the work project's cmail-action.py both fail STARTTLS against the headless service with: SSL CERTIFICATE_VERIFY_FAILED: self-signed certificate. Looks like a 'rotated/stale cert' but is not — it's two different certs from two different bridge instances.
+
+SOLUTION (applied on this machine 2026-05-22)
+systemctl --user disable --now protonmail-bridge.service
+
+That leaves the Hyprland exec-once GUI autostart as the sole bridge: tray icon appears, and the served cert matches ~/.config/protonbridge.pem. Verified: 'echo | openssl s_client -starttls imap -connect 127.0.0.1:1143 -CAfile ~/.config/protonbridge.pem' returns 'Verify return code: 0 (ok)', and 'mbsync -a' syncs all accounts (incl. cmail/Proton) with no TLS error.
+
+ARCHSETUP ACTION
+The fix is a per-machine systemctl state change that a fresh install would undo (the package re-enables its service). Make it durable in the setup: either mask/disable protonmail-bridge.service as part of the install, or document that the Hyprland 'exec-once = protonmail-bridge --no-window' is the intended bridge launcher and the package service must stay disabled. Don't run both.
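Review bot: the "ARCHSETUP ACTION" section offers "mask/disable" as interchangeable, but for a provisioning tool they are not. `systemctl --user disable` edits the running user's configuration and, as the note itself says, is undone when the package re-enables the unit; `mask` survives that, and `systemctl --global mask protonmail-bridge.service` writes the mask into `/etc/systemd/user/`, so it applies to every user on the machine and can be done during install without a live user session. Recommend the install step use `--global mask` and the document state why. Also, the `#+TITLE:` on the first line is truncated ("... in favor"); the full title appears two lines below, so copy it up.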