| author | Craig Jennings <c@cjennings.net> | 2026-05-21 20:25:01 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-21 20:25:01 -0400 |
| commit | e0c1dc30f094c8c248316d53ae07b27fb089474e (patch) | |
| tree | 4213f065016b753b693905985b115a45fe8d64f6 /todo.org | |
| parent | f7079db3aa3e0073df6ce5409d4b6de0a431e26f (diff) | |
chore: cancel obsolete X11 VT-switch task, demote 6 undated A's to B
The priority scheme requires an [#A] to carry a date. Six were undated aspirational backlog with no active work — the CI/CD pipeline, recovery-script generation, the package-inventory trio (inventory system, monthly review, automated comparison), and security education — so I dropped them to [#B].
I cancelled "Prevent X termination and VT switching." Its whole approach is xorg.conf.d with DontVTSwitch and DontZap, dead now that these machines run pure Wayland with no XWayland.
I also recorded today's review date on the open tasks I walked.
Diffstat (limited to 'todo.org')
| -rw-r--r-- | todo.org | 189 |
1 files changed, 180 insertions, 9 deletions
@@ -14,14 +14,27 @@ Four levels, matching the Emacs config (=org-highest-priority ?A=, =org-lowest-p Rule of thumb: A = dated-and-must; B = the active backlog; C = parking lot; D = untriaged. Fixing the undated A/B tasks means either dating them or demoting to C. * Archsetup Open Work ** TODO [#C] Waybar indicators unevenly spaced +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: The right-side module icons don't sit at even intervals — spacing reads as inconsistent across the group. Tune the per-module margin/padding in =dotfiles/hyprland/.config/waybar/style.css= so the icons are evenly distributed. Noticed 2026-05-21 after adding the airplane indicator. ** TODO [#C] Airplane-mode toggle robustness follow-ups +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Two minor robustness gaps in =dotfiles/hyprland/.local/bin/airplane-mode= surfaced when the feature shipped (2026-05-21). Neither is a live bug — both are defense-in-depth. - No laptop guard on the toggle itself. The =waybar-airplane= indicator hides on battery-less machines, but =airplane-mode= would still run if invoked directly (e.g. a future keybind on a desktop). Mirror the =is_laptop= check at the top of the toggle so it no-ops off a laptop. - Brightness-restore edge. If =brightnessctl get= returns empty at engage time, disengage skips the restore (guarded by =[ -n "$bright_was" ]=) and the screen stays at 35%. Fall back to a sane brightness (e.g. 100%) when no prior value was recorded. ** TODO [#C] Wlogout exit-menu buttons are rectangular, not square +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: The wlogout exit menu renders its buttons taller than they are wide, so the cells read as vertical rectangles instead of squares. Fix the button sizing in the wlogout style (=dotfiles/hyprland/.config/wlogout/style.css=) so each cell is square. Noticed 2026-05-21. Related: the [#D] VERIFY about wlogout sizing across displays. 
** DOING [#A] Separate dotfiles from archsetup +SCHEDULED: <2026-05-21 Thu> +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** 2026-05-11 Mon @ 13:01:29 -0500 AI Response: Dotfile separation plan Approach: keep =dotfiles/= committed in this repo as the working default (Craig's machines and CI keep functioning untouched), but make the *source location* a config variable. The install script learns one new conf key — =DOTFILES_REPO= / =DOTFILES_BRANCH= — and when set, clones that repo into =~/.dotfiles= and stows from there instead of from =dotfiles/= inside archsetup. The Makefile gets a =DOTFILES= override env var so the same stow targets work whether dotfiles live in-repo or elsewhere. No submodule (adds fragility for a curl|bash installer); a separate published =archsetup-dotfiles= repo is optional follow-up, not a blocker. 
@@ -51,6 +64,10 @@ Review the spec for accuracy, edge cases, and scope. Flag changes before impleme Walked the spec's 5 open questions plus my 5 review concerns. Locked: URL =https://git.cjennings.net/dotfiles.git= (anonymous HTTPS read confirmed against existing repos at the same host), bare repo path =/var/git/dotfiles.git=, scope = Phase 1 only (~30 min). Added =environment.d/envvars.conf= (with rofi path stripped) and =systemd/user/emacs.service= to the =minimal/= tree; skipped =ncmpcpp= and =systemd/user/geoclue-agent.service=. Phase 2/3 constraints folded into the spec body for the executor: =DESKTOP_ENV=none= VM test required (was optional), clone uses =sudo -u "$username"= to avoid chown-after races, Phase 3 unstow/restow runs without an intermediate Hyprland reload, dotfiles repo can't go on GitHub until secrets cleanup ships, and Step 3.3 documents the post-install update flow. Latest spec at =docs/PLAN-dotfiles-separation.org= (=817d939=). End-of-day Phase 1 session reads from there and executes. ** DOING [#A] Prepare for GitHub open-source release +SCHEDULED: <2026-05-21 Thu> +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Remove personal info, credentials, and code quality issues before publishing. *** 2026-05-11 Mon @ 13:01:29 -0500 AI Response: Open-source-prep source audit Checked each subtask below against the source / git state. Bottom line: almost nothing is fully done. =LICENSE= and =README.md= were added this session (see those subtasks); the rest still stands. 
@@ -188,7 +205,10 @@ Mixed =[ "$var" = "true" ]= vs =$var= evaluation — pick one pattern. *** TODO [#A] Replace eval with safer alternatives Line 434: =eval "$cmd"= — use arrays or direct execution. -** TODO [#A] Review post-archsetup laptop setup steps (velox 2026-04-10) +** TODO [#B] Review post-archsetup laptop setup steps (velox 2026-04-10) +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Items discovered during velox setup that needed manual intervention after archsetup. Decide which should be automated in archsetup vs documented as post-install steps. 
@@ -247,17 +267,26 @@ docs/ dirs (gitignored) for ~/code and ~/projects repos needed scp/rsync from ra Same for ~/.emacs.d/docs/. Not in git, so not available after clone. Consider: document as post-install step or create a sync script. -** TODO [#A] Ensure sleep/suspend works on laptops +** TODO [#B] Ensure sleep/suspend works on laptops +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Critical functionality for laptop use - current battery drain unacceptable **NOTE:** This applies to Framework Laptop (velox), not Framework Desktop (ratio) Add kernel parameter: ~rtc_cmos.use_acpi_alarm=1~ (will become systemd default) Consider: ~acpi_mask_gpe=0x1A~ for battery drain, suspend-then-hibernate config See Framework community notes on logind.conf and sleep.conf settings -** TODO [#A] Build CI/CD pipeline that runs archsetup on every commit +** TODO [#B] Build CI/CD pipeline that runs archsetup on every commit +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Core automation infrastructure - enables continuous validation ** TODO [#B] Fix install errors surfaced by the 2026-05-11 VM test run +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Errors logged during the VM install. Status as of the 2026-05-11 18:36 run (=test-results/20260511-183643/archsetup-output.log=) after the =48c9439= fontconfig/dconf fix: 7 → 6. - refreshing font cache — RESOLVED in =48c9439= (now installs =fontconfig= before calling =fc-cache=). - configuring GTK file chooser — RESOLVED in =ecab29f= (switched to a system-wide dconf db at =/etc/dconf/db/site.d/=; needs no session bus during install). 
@@ -278,6 +307,9 @@ Root cause was in =retry_install=: =last_exit_code=$?= ran AFTER =if eval ...; t =make test= 21:44 → 22:29 (42 min), =test-results/20260518-214516/=. 52/0/5, =ArchSetup Exit Code: 0=. The third-branch path fired correctly — install log =archsetup-2026-05-18-21-45-46.log:14358-14365= shows =From https://git.cjennings.net/dotemacs= → =[new branch] main -> origin/main= → =Reset branch 'main'= → =branch 'main' set up to track 'origin/main'=. No exit-128, no =fatal: not a git repository=. Error Summary down to 7 (was 13 on 2026-05-16); the emacs entry is gone. AUR exit-0 logging triggered for 2 packages this run (mkinitcpio-firmware, tidaler) vs 6 on 2026-05-16 — same bug class, fewer triggers, still tracked under =[#B] AUR exit-0 logged as error=. Issue Attribution: 1 ARCHSETUP entry (Proton VPN Daemon failed — known VM-no-VPN-config artifact). Cleanup ran clean via the normal path. ** TODO [#C] Investigate the 2026-05-11 VM-test warnings +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: The 18:36 =make test= run passed (52/0/5) but raised 5 validation warnings. Each is investigated below with a recommendation. Most look like headless-VM / QEMU-slirp false positives the test harness should skip rather than archsetup bugs — but a couple have a real archsetup angle worth checking. Source: =test-results/20260511-183643/test.log= (WARN lines) and =scripts/testing/lib/validation.sh=. *** TODO [#C] Warning: Hyprland socket not found (Hyprland may not be running) 
@@ -302,26 +334,42 @@ Recommendation: harness fix in the docker check — treat "enabled, not running Note: the run also logged two log-diff meta-warnings — "Found 4 new error lines after archsetup" and "New failed services detected (before: 1, after: 2)". Those correspond to the post-install systemd noise (pam_systemd / logind / Proton VPN) already captured under =[#B] Fix install errors= above; not duplicated here. -** TODO [#A] Generate recovery scripts from test failures +** TODO [#B] Generate recovery scripts from test failures +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Auto-create post-install fix scripts for failed packages - makes failures actionable -** TODO [#A] Create package inventory system +** TODO [#B] Create package inventory system +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** TODO [#A] List all packages archsetup would install (including dependencies) *** TODO [#A] List all packages currently installed on live system *** TODO [#A] Generate diff showing what's in archsetup vs what's on system -** TODO [#A] Establish monthly review workflow +** TODO [#B] Establish monthly review workflow +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** TODO [#A] For packages in archsetup but not on system: determine if still needed *** TODO [#A] For packages on system but not in archsetup: decide add or remove *** TODO [#A] Schedule monthly package diff review -** TODO [#A] Automate the inventory comparison +** TODO [#B] Automate the inventory comparison +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Make package diff a runnable script instead of manual process -** TODO [#A] Complete security education within 3 months +** TODO [#B] Complete security education within 3 months +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Read recommended resources to make informed security decisions (see metrics for Claude suggestions) -** TODO [#A] Prevent X termination and VT switching (security risk) +** CANCELLED [#A] Prevent X termination and VT switching 
(security risk) +CLOSED: [2026-05-21 Thu] If someone grabs laptop at cafe and hits ctrl+alt+backspace, they kill screensaver/X and get console access Need to disable: ctrl+alt+backspace (zap X) and ctrl+alt+F# (VT switching) Previous attempts to configure in xorg.conf.d failed - need to investigate what's overriding the settings @@ -329,24 +377,39 @@ Tried: /etc/X11/xorg.conf.d/00-no-vt-or-zap.conf with DontVTSwitch and DontZap o Removed conflicting setxkbmap statements, gdm, and keyd configs - still didn't work ** TODO [#B] All error messages should be actionable with recovery steps +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Currently just reports errors without guidance on how to fix them ** TODO [#B] Enable TLP power management for laptops +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: TLP manages power-saving modes for Wi-Fi, USB, PCIe, Bluetooth, CPU scheduler Install tlp, enable service, add custom Framework 13 config to /etc/tlp.d/01-custom.conf Improves battery life and prevents power-related issues during install/post-install ** TODO [#B] Improve logging consistency +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Some operations log to ~$logfile~, others don't - standardize logging All package installs should log, all system modifications should log, all errors should log with context Makes debugging failed installations easier ** TODO [#B] Add backup before system file modifications +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Safety net for /etc/X11/xorg.conf.d and other system file edits Files like ~/etc/sudoers~, ~/etc/pacman.conf~, ~/etc/default/grub~ modified without backup If modifications fail or are incorrect, difficult to recover - should backup files to ~.backup~ before modifying ** TODO [#B] Implement Testinfra test suite for archsetup +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Create comprehensive integration tests using Testinfra (Python + pytest) to validate archsetup installations Tests should cover: 
@@ -366,35 +429,65 @@ A design doc (not yet written) should cover: - Comparison with alternatives (Goss) ** TODO [#B] Set up automated test schedule +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Weekly full run to catch deprecated packages even without commits ** TODO [#B] Implement manual test trigger capability +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Allow on-demand test runs when automation is toggled off ** TODO [#B] Create test results dashboard/reporting +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Make test outcomes visible and actionable ** TODO [#B] Block merges to main if tests fail +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Enforce quality gate - broken changes don't enter main branch ** TODO [#B] Add network failure testing to test suite +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Simulate network disconnect mid-install to verify resilience ** TODO [#B] Keep container base images up to date +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Regular updates to Arch base image with review process and schedule ** TODO [#B] Persist test logs for historical analysis +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Archive logs with review process and schedule to identify failure patterns and trends ** TODO [#B] Implement automated deprecation detection +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Parse package warnings and repo metadata to catch upcoming deprecations proactively ** TODO [#B] Audit dotfiles/common directory +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** TODO [#B] Review all 50+ scripts in ~/.local/bin - remove unused scripts *** TODO [#B] Check dotfiles for uninstalled packages - remove orphaned configs *** TODO [#B] Verify all stowed files are actually used ** TODO [#B] Remove unnecessary linux-firmware packages (velox only) +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Remove firmware packages for hardware not present on Framework laptop. 
*NOTE:* This applies to Framework Laptop (velox), not Framework Desktop (ratio) 
@@ -418,40 +511,73 @@ Disk space savings: ~600 MB After removal, update archsetup script to install only needed firmware packages. ** TODO [#B] Identify and replace packages no longer in repos +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Systematic check for availability issues ** TODO [#B] Verify package origin for all packages +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Ensure packages are installed from correct source (official repos vs AUR) - prevent installing from wrong place ** TODO [#B] Automate script usage tracking +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Parse shell history files for ~/.local/bin script names to identify last usage date and unused scripts ** TODO [#B] Automate dotfile validation +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Parse config files for binary/command references and verify those binaries exist - catch orphaned references ** TODO [#B] Test security + functionality together +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** TODO [#B] Verify no unexpected open ports or services ** TODO [#B] Security audit tooling +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: *** TODO [#B] Implement port scanning check *** TODO [#B] Create security posture verification script *** TODO [#B] Set up intrusion detection monitoring ** TODO [#B] Document threat model and mitigations within 6 months +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Identify attack vectors, what's mitigated, what remains ** TODO [#B] Verify package signature verification not bypassed by --noconfirm +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Packages installed with ~--noconfirm~ may skip signature checks AUR had issues previously requiring --noconfirm workaround - verify this doesn't compromise security Ensure package signatures are still verified despite --noconfirm flag ** TODO [#B] Document evaluation criteria and trade-offs +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Establish clear process for tool evaluation decisions ** TODO [#B] 
Test each modernization thoroughly before replacing +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Ensure new tools integrate with DWM environment and don't break workflow ** TODO [#B] Add Rust installation via rustup instead of pacman package +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: The =rust= package has been removed from archsetup. Need to add Rust installation using =rustup= (the official Rust toolchain manager) instead of the Arch package. Steps: @@ -462,12 +588,18 @@ Steps: Reference: Removed from archsetup on 2025-11-15 ** TODO [#B] Add NVIDIA preflight check for Hyprland +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Detect NVIDIA GPU and warn user about potential Wayland issues: - Require driver version 535+ or abort - Document required env vars (LIBVA_DRIVER_NAME, GBM_BACKEND, etc.) - Prompt to continue or abort if NVIDIA detected ** TODO [#B] Add org-capture popup frame on keyboard shortcut +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Set up a quick-capture popup using emacsclient that opens a small floating org-capture frame, with Hyprland window rules to float, size, and center it. Frame should auto-close on finalize (C-c C-c) or abort (C-c C-k). @@ -492,6 +624,9 @@ Implementation: Reference: Protesilaos Stavrou's popup frame pattern for emacsclient. ** TODO [#C] Review theme config architecture for dunst/fuzzel +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: The active dunst config is stowed from dotfiles/common/ but theme templates live in dotfiles/hyprland/.config/themes/. set-theme copies the templates to the stowed locations at runtime, so edits to the common file get overwritten 
@@ -503,15 +638,27 @@ error-prone — changes must be made in both places. Consider: The goal is a single place to edit each config, not two. ** TODO [#C] Create Chrome theme with dupre colors +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Create a Chrome browser theme using the dupre color palette. ** TODO [#C] Monitor and optimize test execution time +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Keep test runs performant as installs and post-install tests grow (target < 2 hours) ** TODO [#C] Set up alerts for deprecated packages +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Proactive monitoring integrated with testing ** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Currently using snapshot-based testing which works but limits to sequential test runs Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove) Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup 
@@ -520,21 +667,39 @@ Would enable parallel test execution in CI/CD Priority C because snapshot-based testing meets current needs ** TODO [#C] Create security checklist for cafe/public wifi scenarios +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Practical guidelines for working in public spaces ** TODO [#C] Build security dashboard command +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Single command shows: encryption status, firewall status, open ports, running services ** TODO [#C] Evaluate modern CLI tool replacements +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: bat, eza, zoxide, dust, ripgrep-all - only adopt if clear friction reduction ** TODO [#C] Consider paru instead of yay +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Evaluate if paru offers meaningful improvements for AUR management ** TODO [#C] Evaluate terminal emulator alternatives +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: ghostty for ligature support - addresses known deficiency ** TODO [#C] Review file manager options for Wayland +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Ranger image previews don't work in foot terminal (Wayland). Ranger's kitty graphics method checks TERM for "kitty" string, and foot's kitty protocol implementation has subtle incompatibilities that cause hangs. ueberzug is X11-only. @@ -545,9 +710,15 @@ Revisit later when yazi matures or try lf with custom preview scripts. Keep ranger for DWM/X11 where ueberzug works fine. ** TODO [#C] Review current tool pain points annually +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: Once-yearly systematic inventory of known deficiencies and friction points in current toolset ** TODO [#C] Install Zoxide integration into Ranger +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: https://github.com/jchook/ranger-zoxide - enables zoxide jumping within ranger file manager ** TODO [#D] Consider Customizing Hyprland Animations |
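Review bot: In the @@ -14,14 hunk, the unchanged rule-of-thumb line still reads "Fixing the undated A/B tasks means either dating them or demoting to C", while this commit resolves undated A's by demoting them to [#B]. Either update that sentence to allow A-to-B demotion or demote to [#C] as the rule states, so the file's stated policy and its contents agree.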
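Review bot: In the @@ -247,17 hunk, "Ensure sleep/suspend works on laptops" drops to [#B] but its body still says "Critical functionality for laptop use - current battery drain unacceptable", which reads as a must-do. Either give it a SCHEDULED date and keep [#A], or reword the body to match backlog status. This demotion, like the "Review post-archsetup laptop setup steps" one in the @@ -188,7 hunk, is also not among the six the commit message lists, so the message undercounts what the diff changes.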
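Review bot: In the @@ -302,26 hunk, the parents "Create package inventory system" and "Establish monthly review workflow" move to [#B], but their six children stay "*** TODO [#A]" with no date, so the undated-A condition this commit sets out to clear still holds one level down; demote or date the subtasks as well. Separately, the CANCELLED entry gets only a CLOSED timestamp: the reason (an xorg.conf.d approach on machines that now run Wayland) lives in the commit message alone, and the entry's stated risk includes ctrl+alt+F# VT switching. Add a one-line reason to the entry and record whether VT switching from a locked Wayland session was checked or needs its own task.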
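Review bot: In the @@ -329,24 hunk, "Add backup before system file modifications" is stamped LAST_REVIEWED but still opens with "Safety net for /etc/X11/xorg.conf.d and other system file edits", a path the commit message describes as dead on these machines. Reword it around the files the entry already names (/etc/sudoers, /etc/pacman.conf, /etc/default/grub) so the review stamp reflects a current description.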
