diff options
Diffstat (limited to 'todo.org')
| -rw-r--r-- | todo.org | 410 |
1 files changed, 204 insertions, 206 deletions
@@ -21,23 +21,9 @@ The vocabulary is open — topic tags are coined as needed — so these are conv - *Effort / autonomy*: =:quick:= a spare-moment fix (minutes, not a sitting); =:solo:= Claude can carry it end to end — there's a build path, a test path, and no upfront decision needed (a leftover manual spot-check doesn't disqualify it). - *Topic / area* (open): the subsystem a task touches — e.g. =:hyprland:= =:waybar:= =:mpd:= =:music:= =:network:= =:tooling:= =:llm:= =:eask:= =:pocketbook:= =:cmail:=. Coin a new one when it aids filtering. * Archsetup Open Work -** DONE [#B] VM test harness shared one NVRAM file across filesystem profiles :bug:test: -CLOSED: [2026-06-27 Sat] -The harness shared one OVMF NVRAM file (=vm-images/OVMF_VARS.fd=) across the btrfs -and zfs profiles (=init_vm_paths= suffixed the disk image per profile but not the -NVRAM). NVRAM lives outside the qcow2, so a disk-snapshot revert can't restore it, -and a zfs run's ZFSBootMenu boot entries clobbered the btrfs GRUB entry. With no -removable =\EFI\BOOT\BOOTX64.EFI= fallback on the base ESP, the next btrfs run -booted into UEFI with no bootable device ("BdsDxe: No bootable option or device -was found", then PXE/HTTP, then SSH timeout before archsetup ran). Found -2026-06-27 trying to VM-validate the installer refactor. - -Fixed: =OVMF_VARS= now carries the same per-profile suffix as the disk image -(=OVMF_VARS${img_suffix}.fd=) in =vm-utils.sh init_vm_paths=, so btrfs and zfs keep -separate NVRAM. Validated by a full green zfs run 2026-06-27 (ArchSetup exit 0, -Testinfra 96 passed / 0 failed). Remaining hardening tracked below. - -** TODO [#B] btrfs base VM unbuildable — archangel ISO bakes zfs-auto-snapshot :bug:test: +** DONE [#B] btrfs base VM unbuildable — archangel ISO bakes zfs-auto-snapshot :bug:test: +CLOSED: [2026-06-28 Sun] +Resolved: archangel shipped a fixed ISO (2026-06-27) that conditions the baked AUR list on the filesystem, so a btrfs install no longer drags in =zfs-auto-snapshot=. The btrfs base rebuilt and went green in the 2026-06-28 VM run (97/0, zero attributed issues). The EFI removable-fallback hardening is archangel-side and optional. =make test-vm-base= (btrfs) fails in archangel's installer: the ISO bakes a fixed AUR list ("downgrade yay informant zrepl pacman-cleanup-hook zfs-auto-snapshot topgrade ventoy-bin") into every install regardless of =FILESYSTEM=. On a btrfs @@ -55,6 +41,9 @@ with a removable =\EFI\BOOT\BOOTX64.EFI= fallback so a base boots even from fresh/empty NVRAM, and real installs survive firmware that drops boot entries. ** TODO [#C] Scratchpad launch turns on focus-follows-mouse :bug:hyprland: +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: Imported from roam inbox 2026-06-25. Repro: with two tiled windows, moving the mouse over the other tile does nothing (focus-follows-mouse off, as expected). Then launch a terminal (scratchpad), move the mouse over a tile, and focus now switches to the window under the pointer. Something about the scratchpad/terminal launch flips focus-follows-mouse on. Find what re-enables it (likely a Hyprland focus/input setting or a pyprland scratchpad side effect) and keep it off. ** TODO [#B] Scrolling layout: frame fit + wrap-around :hyprland: @@ -89,15 +78,6 @@ From the roam inbox: Zoom opens at a tiny size. Needs diagnosis (HiDPI scaling v :END: From the roam inbox: hiding a window (e.g. the org-capture popup) then unhiding it should leave the unhidden window focused, but another window typically takes focus. Also =ctrl+j/k= (layout-navigate) can't reach the unhidden window afterward — it should always reach any visible window except the waybar. Involves stash-restore + layout-navigate; needs interactive reproduction with Craig. -** DONE [#B] Guard against live mesa/hyprland/wayland-runtime updates :hyprland: -CLOSED: [2026-06-28 Sun] -:PROPERTIES: -:LAST_REVIEWED: 2026-06-09 -:END: -A live =pacman -Syu= that swaps mesa/hyprland/wayland runtime libs out from under a running Hyprland session can crash the compositor: the next GPU-lib call hits a now-"(deleted)" library and SIGABRTs, taking the Wayland clients down with it. Hit ratio 2026-06-07 (mesa 26.0.6 -> 26.1.2 + hyprland upgraded live; Hyprland SIGABRT took down awww/insync/emacs). Likely the driver behind ratio's high lifetime unsafe-shutdown ratio — a crashed compositor forces a hard reset. - -Shipped as a pacman PreTransaction hook rather than a wrapper, so it fires no matter how the upgrade is launched (pacman, yay, topgrade). =scripts/hypr-live-update-guard= aborts the transaction before any package is swapped when the GPU/compositor runtime set is being upgraded AND Hyprland is running, pointing the user to re-run from a TTY with the session stopped; it stays quiet when Hyprland isn't running (the safe from-a-TTY path). Override via =HYPR_ALLOW_LIVE_UPDATE=1= or by touching the sentinel file named in the abort message. archsetup installs the script to =/usr/local/bin= and the hook to =/etc/pacman.d/hooks/= in the hyprland path. Decision logic unit-tested (=tests/hypr-live-update-guard=, 9 cases). Live firing test filed under Manual testing and validation. Commits: archsetup (this session). - ** TODO [#C] Pocketbook development backlog :pocketbook: :PROPERTIES: :LAST_REVIEWED: 2026-05-26 @@ -173,20 +153,10 @@ A roam-inbox capture asked for the same widget and expands the scope, so folding - *Multiple simultaneous* — several timers/alarms/stopwatches set and displayed at once, in one panel. - Deliverable includes proposing a few panel designs and recommending one before building. -** DONE [#B] Collapsible waybar sides :waybar: -CLOSED: [2026-06-27 Sat] +** TODO [#B] Sysmon module right-click cycles the visible metric :feature:waybar:solo: :PROPERTIES: -:LAST_REVIEWED: 2026-06-09 +:LAST_REVIEWED: 2026-06-28 :END: -Let either side of the waybar collapse horizontally to a minimal base set, toggled by a click. Each collapsible side carries a small triangle / arrowhead pointing toward the screen edge it collapses into (away from center). Clicking it collapses that side to its base set and flips the arrow to point back toward center; clicking again restores the full side. Same shape-changes-with-state idea as the auto-dim indicator. - -Spec (2026-06-19): [[file:assets/2026-06-19-collapsible-waybar-sides-spec.org]]. Spike that settled the mechanism: [[file:assets/2026-06-18-collapsible-waybar-sides-spike-findings.org]]. - -Decisions locked: right base set = date + worldclock + tray; left base set = menu + workspaces; per-side independent; host-agnostic (base set constant, full set is each host's existing config). Mechanism = config-swap + SIGUSR2 reload via an active-config copy in =$XDG_RUNTIME_DIR= (the CSS/state-file approach was disproven — GTK3 can't reflow-hide native modules). Lives in =~/.dotfiles/hyprland/=. - -Shipped per spec (dotfiles 804bef6): 3 TDD'd scripts (=waybar-active-config=, =waybar-collapse=, =waybar-arrow=; 22 cases), arrow modules wired into the config (left arrow innermost-left, right arrow innermost-right), CSS ×3, =$mod+[= / =$mod+]= keybinds, and =waybar-toggle= relaunch updated to load the active config so a crash preserves collapse state. Verified live: click, keybind, and per-side independence all work; expand round-trips exactly to canonical. - -** TODO [#B] Sysmon module right-click cycles the visible metric :feature:waybar: Builds on the just-shipped =custom/sysmon= collapse (dotfiles be7469b). Right-clicking the module rotates which metric is the visible one, in a fixed order: battery → cpu → temp → mem → disk → back to battery. Each click advances one step and wraps around. The host default (battery on a laptop, disk on a desktop) is the starting/reset metric; the tooltip keeps showing all metrics regardless. Left-click stays =pypr toggle monitor= (the btop popup) — the cycle lives on =on-click-right=. Implementation notes: =waybar-sysmon= needs a persisted selection (a state file in =$XDG_RUNTIME_DIR/waybar/=, absent = host default) that it reads to pick the visible metric. A new =sysmon-cycle= helper bumps the index and signals the module to refresh (add a =signal= to =custom/sysmon=, like the other custom modules; wire =sysmon-cycle= to =on-click-right=). TDD both — extend =tests/waybar-sysmon= for selection-driven output, add a =tests/sysmon-cycle= for the index advance/wrap and the signal. @@ -275,7 +245,7 @@ Acceptance: fresh VM install of the ratio profile reaches an endpoint on =:8081= ** DOING [#B] Prepare for GitHub open-source release :PROPERTIES: -:LAST_REVIEWED: 2026-06-09 +:LAST_REVIEWED: 2026-06-28 :END: Remove personal info, credentials, and code quality issues before publishing. *** 2026-06-16 Tue @ 00:55:39 -0500 Six dotfiles-scoped sub-tasks moved to the ~/.dotfiles project @@ -303,34 +273,31 @@ Checked each subtask below against the source / git state. Bottom line: almost n - *Standardize boolean comparison style* — NOT DONE. Mixed: =[ "$var" = "true" ]= at =archsetup:542,544,569= vs bare =if $var;= form ~7 places elsewhere. - *Replace eval with safer alternatives* — NOT DONE. =archsetup:442= still =if eval "$cmd" >> "$logfile" 2>&1;= in =retry_install=. -*** TODO [#A] Rotate exposed calendar feed URLs -Needs the ratio GUI (browser-based regeneration), so deferred until I'm in front of ratio. Three private ical URLs sat in git history (commit =500b1f5=, 2026-05-13) until the 2026-05-20 scrub. The scrub removed them from local + remote history, but anyone who pulled the repo between those dates still has the tokens, so regenerate all three: -- Google personal (=craigmartinjennings@gmail.com= private ical URL) -- Proton (calendar.proton.me URL with PassphraseKey) -- Google DeepSat (=craig.jennings@deepsat.com= private ical URL) -After regenerating, update the live =~/.emacs.d/calendar-sync.local.el= (now owned by the emacs/dotemacs project — see its inbox handoff from 2026-05-20). +*** 2026-06-28 Sun @ 13:34:03 -0400 Cancelled: calendar-feed URL rotation +Craig's call — not rotating. The three private iCal URLs (Google personal, Proton with PassphraseKey, Google DeepSat) sat in git history from =500b1f5= (2026-05-13) until the 2026-05-20 filter-repo scrub, which removed them from local + remote history. The residual exposure is only to anyone who cloned the repo in that 2026-05-13..05-20 window; Craig accepts that window rather than regenerating all three tokens on ratio. The history scrub already happened; the live =calendar-sync.local.el= is owned by the emacs project. Closing without rotation. *** 2026-05-20 Wed @ 12:09:32 -0500 Scrubbed the calendar secret from git history =dotfiles/common/.emacs.d/calendar-sync.local.el= (private Google/Proton/DeepSat ical URLs, added in =500b1f5= for stow distribution) was discovered while folding tmux-util into stow. Sent the file back to the emacs project's inbox, =git rm='d it, then =git filter-repo --invert-paths --path= purged it from all 29 affected commits. Force-pushed (=0921e4d...618e6cc=, with lease) and ran =reflog expire= + =gc --prune=now= on the bare repo at =/var/git/archsetup.git=. Verified: the file is in zero commits, the secret tokens return zero matches across all history, and =500b1f5= / =0921e4d= are unreachable on both local and remote. Rotation of the URLs tracked as the sibling TODO above. This also proves =filter-repo= works cleanly here — relevant precedent for the broader [[*Scrub git history of secrets (or start fresh)][history-scrub task]] below (the 5 credential files are still in history). *** TODO [#B] Remove/template personal information from scripts -- =archsetup= lines 2-3: personal email and website in header -- =archsetup= lines 141-146: hardcoded =git.cjennings.net= repository URLs — make configurable via conf +- =archsetup= lines 3-4: personal email and website in header - =scripts/post-install.sh=: personal git repos and server URLs (the old =scripts/gitrepos.sh= was consolidated into this script in =dae7659=, so its personal =git.cjennings.net= clone targets now live here) -- =init= line 8: hardcoded password =welcome= +- =init= line 9: hardcoded password =welcome= +**** 2026-06-28 Sun @ 13:29:29 -0400 Reconciled: dotfiles repo URLs already config-driven +Dropped the "lines 141-146 hardcoded =git.cjennings.net= URLs" bullet. archsetup:138-140 reads =DOTFILES_REPO= / =DOTFILES_BRANCH= / =DOTFILES_DIR= overrides (defaults only, documented in =archsetup.conf.example=), so that item is already done. Refreshed the stale line numbers on the remaining bullets (header email/site now lines 3-4, init password now line 9, after the SPDX headers shifted the files). *** TODO [#B] Scrub git history of secrets (or start fresh) Even after removing files, secrets remain in git history. Options: =git filter-repo= to rewrite history, or start a fresh repo for the GitHub remote. Recommend: fresh repo for GitHub (keep cjennings.net remote with full history). +**** 2026-06-28 Sun @ 13:29:29 -0400 Reconciled: 589 commits, 5 credential files still in history +History is now 589 commits (the 2026-05-11 note's "275" is stale). Only the calendar-feed file has been filter-repo'd so far (2026-05-20). The five credential files remain in history at their pre-=b10cba5= paths: =.tidal-dl.token.json= (5 commits), =calibre/smtp.py.json= (6), =transmission/settings.json= (5), =.msmtprc= (8), =.mbsyncrc= (9). None are tracked in the current tree. The scrub-or-fresh-repo decision still stands. *** 2026-06-24 Wed @ 19:41:56 -0400 Gated device-specific udev rules behind a flag The Logitech BRIO udev rule is now wrapped in =if [ "$install_device_udev_rules" = "true" ]=, fed by a new =INSTALL_DEVICE_UDEV_RULES= key (default yes, opt-out — still mainly a personal project). Added the var default, the config read, a =validate_config= check, and an =archsetup.conf.example= entry. Verified: default/yes writes the rule, no skips it, bogus is rejected; =bash -n= clean. -*** DOING [#B] Add README.md for GitHub -Project description, features, requirements, installation instructions, -configuration guide (archsetup.conf), security considerations, -contributing guidelines (or separate CONTRIBUTING.md), and license. +*** 2026-06-28 Sun @ 13:37:33 -0400 Added README.md — full draft complete, final read filed +=README.md= is substantively done at repo root (10.9 KB), covering project description, features, requirements, installation, the =archsetup.conf= configuration guide, security considerations, contributing, and license, with generic placeholders for the eventual public fork. The 2026-05-11 "first pass" note below is superseded. Craig's final read before public release is filed under "Manual testing and validation"; closing as code-complete pending that human check, per the audit rule. **** 2026-05-11 Mon @ 13:01:29 -0500 AI Response: Initial README draft Drafted =README.md= at repo root, modeled on =~/code/chime/README.org=. First pass — review and run a voice/style pass before committing. Personal info (emails, =cjennings.net= URLs, personal repo names) intentionally replaced with placeholders for the eventual public release. @@ -451,16 +418,98 @@ Add kernel parameter: ~rtc_cmos.use_acpi_alarm=1~ (will become systemd default) Consider: ~acpi_mask_gpe=0x1A~ for battery drain, suspend-then-hibernate config See Framework community notes on logind.conf and sleep.conf settings -** TODO [#C] Build CI/CD pipeline that runs archsetup on every commit +** TODO [#B] Test + CI infrastructure :test: +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: +Umbrella for the test-harness and CI-automation buildout. Consolidated from the 2026-06-28 task audit: these were scattered top-level tasks circling one effort, re-homed as children so the work reads as a unit. Each child ships independently and keeps the priority it carried before. No CI runner exists yet, so the CI/CD-pipeline child gates several of the others. + +*** TODO [#C] Build CI/CD pipeline that runs archsetup on every commit :PROPERTIES: :LAST_REVIEWED: 2026-06-13 :END: Core automation infrastructure - enables continuous validation +*** TODO [#B] Generate recovery scripts from test failures +:PROPERTIES: +:LAST_REVIEWED: 2026-06-13 +:END: +Auto-create post-install fix scripts for failed packages - makes failures actionable +*** TODO [#B] Establish monthly review workflow +:PROPERTIES: +:LAST_REVIEWED: 2026-06-13 +:END: +The diff engine now exists (=scripts/package-inventory= / =make package-diff=), so what remains here is the cadence, not the tooling: a scheduled prompt to run the diff and act on it. Subtasks 1-2 are the recurring human judgment the engine feeds; subtask 3 is the automation to schedule it. +**** TODO [#B] For packages in archsetup but not on system: determine if still needed +**** TODO [#B] For packages on system but not in archsetup: decide add or remove +**** TODO [#B] Schedule monthly package diff review +*** TODO [#C] Set up automated test schedule +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: +Weekly full run to catch deprecated packages even without commits +*** TODO [#C] Implement manual test trigger capability +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: +Allow on-demand test runs when automation is toggled off +*** TODO [#C] Create test results dashboard/reporting +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: +Make test outcomes visible and actionable +*** TODO [#B] Block merges to main if tests fail +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Enforce quality gate - broken changes don't enter main branch +*** TODO [#B] Add network failure testing to test suite +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Simulate network disconnect mid-install to verify resilience +*** TODO [#B] Keep VM base images up to date +:PROPERTIES: +:LAST_REVIEWED: 2026-06-28 +:END: +Regular updates to the Arch base VM image (qemu, built by =create-base-vm.sh=) with a review process and schedule. The harness is VM/qemu-based, not containers. +*** TODO [#B] Persist test logs for historical analysis +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Archive logs with review process and schedule to identify failure patterns and trends +*** TODO [#B] Implement automated deprecation detection +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Parse package warnings and repo metadata to catch upcoming deprecations proactively +*** TODO [#C] Monitor and optimize test execution time +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Keep test runs performant as installs and post-install tests grow (target < 2 hours) +*** TODO [#C] Set up alerts for deprecated packages +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Proactive monitoring integrated with testing +*** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing +:PROPERTIES: +:LAST_REVIEWED: 2026-05-21 +:END: +Currently using snapshot-based testing which works but limits to sequential test runs +Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove) +Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup +Need to investigate proper machine-ID regeneration that doesn't break networking +Would enable parallel test execution in CI/CD +Priority C because snapshot-based testing meets current needs ** TODO [#B] Fix install errors surfaced by the 2026-05-11 VM test run :PROPERTIES: :LAST_REVIEWED: 2026-06-15 :END: +*** 2026-06-28 Sun @ 13:29:29 -0400 Audit reconcile: 2026-06-28 btrfs+zfs runs reproduce the same residual set +Newer full runs landed since the 2026-06-11 reconcile below: the 2026-06-25 zfs run (Testinfra 96/0) and the 2026-06-28 btrfs+zfs runs (97/0, "zero attributed issues"). The residual four were NOT fixed and reproduce unchanged: =enabling firewall= (archsetup:1496-1498, carries a VM-kernel note), =enabling gamemode for user= (archsetup:2221, non-critical), and =tidaler (AUR)=. Zero archsetup-attributed Testinfra issues across both profiles confirms these are environment / non-critical, not archsetup bugs. Bare-metal confirmation of the firewall pair is still the open thread. + *** 2026-06-15 Mon @ 23:53:21 -0500 Audit reconcile: latest VM run (2026-06-11) confirms the surviving error set The most recent VM run (=test-results/20260611-113904/=) carries four error-summary entries: =enabling firewall= + =verifying firewall is active= (the iptables/nf_tables "Could not fetch rule set generation id" pair, still unconfirmed on bare metal), =enabling gamemode for user= (non-critical), and =tidaler (AUR)=. The earlier fontconfig/dconf fixes held — none reappear. So the count is down from the 7→6 anchor below to four, all of them the known-residual items already itemized. Errors logged during the VM install. Status as of the 2026-05-11 18:36 run (=test-results/20260511-183643/archsetup-output.log=) after the =48c9439= fontconfig/dconf fix: 7 → 6. @@ -482,12 +531,6 @@ Root cause was in =retry_install=: =last_exit_code=$?= ran AFTER =if eval ...; t *** 2026-05-19 Tue @ 01:25:26 -0500 Verified the b9907c7 emacs-stow fix end-to-end =make test= 21:44 → 22:29 (42 min), =test-results/20260518-214516/=. 52/0/5, =ArchSetup Exit Code: 0=. The third-branch path fired correctly — install log =archsetup-2026-05-18-21-45-46.log:14358-14365= shows =From https://git.cjennings.net/dotemacs= → =[new branch] main -> origin/main= → =Reset branch 'main'= → =branch 'main' set up to track 'origin/main'=. No exit-128, no =fatal: not a git repository=. Error Summary down to 7 (was 13 on 2026-05-16); the emacs entry is gone. AUR exit-0 logging triggered for 2 packages this run (mkinitcpio-firmware, tidaler) vs 6 on 2026-05-16 — same bug class, fewer triggers, still tracked under =[#B] AUR exit-0 logged as error=. Issue Attribution: 1 ARCHSETUP entry (Proton VPN Daemon failed — known VM-no-VPN-config artifact). Cleanup ran clean via the normal path. -** TODO [#B] Generate recovery scripts from test failures -:PROPERTIES: -:LAST_REVIEWED: 2026-06-13 -:END: -Auto-create post-install fix scripts for failed packages - makes failures actionable - ** TODO [#B] Review undeclared ratio packages for installer inclusion :PROPERTIES: :LAST_REVIEWED: 2026-06-24 @@ -537,21 +580,6 @@ Some entries are libraries likely pulled in as dependencies (blas-openblas, open - [ ] webkit2gtk - [ ] whisper.cpp -** TODO [#B] Establish monthly review workflow -:PROPERTIES: -:LAST_REVIEWED: 2026-06-13 -:END: -The diff engine now exists (=scripts/package-inventory= / =make package-diff=), so what remains here is the cadence, not the tooling: a scheduled prompt to run the diff and act on it. Subtasks 1-2 are the recurring human judgment the engine feeds; subtask 3 is the automation to schedule it. -*** TODO [#B] For packages in archsetup but not on system: determine if still needed -*** TODO [#B] For packages on system but not in archsetup: decide add or remove -*** TODO [#B] Schedule monthly package diff review - -** TODO [#C] Complete security education within 3 months -:PROPERTIES: -:LAST_REVIEWED: 2026-06-24 -:END: -Read recommended resources to make informed security decisions (see metrics for Claude suggestions) - ** TODO [#B] All error messages should be actionable with recovery steps :PROPERTIES: :LAST_REVIEWED: 2026-06-24 @@ -566,81 +594,43 @@ Some operations log to ~$logfile~, others don't - standardize logging All package installs should log, all system modifications should log, all errors should log with context Makes debugging failed installations easier -** TODO [#B] Set up automated test schedule -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Weekly full run to catch deprecated packages even without commits - -** TODO [#B] Implement manual test trigger capability -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Allow on-demand test runs when automation is toggled off - -** TODO [#B] Create test results dashboard/reporting -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Make test outcomes visible and actionable - -** TODO [#B] Block merges to main if tests fail -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Enforce quality gate - broken changes don't enter main branch - -** TODO [#B] Add network failure testing to test suite -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Simulate network disconnect mid-install to verify resilience - -** TODO [#B] Keep container base images up to date -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Regular updates to Arch base image with review process and schedule +** CANCELLED [#B] Audit dotfiles/common directory +CLOSED: [2026-06-28 Sun] +Refiled to the standalone =~/.dotfiles= repo, which owns this content since the 2026-06-16 split. Handoff sent 2026-06-28: =~/.dotfiles/inbox/2026-06-28-1335-from-archsetup-refiled-from-archsetup-task-audit-2026.org=. The three sub-tasks (review ~/.local/bin scripts, remove orphaned configs, verify stowed files are used) travel with it. Cancelled here, not abandoned. -** TODO [#B] Persist test logs for historical analysis +** TODO [#B] Security hardening + audit :security: :PROPERTIES: -:LAST_REVIEWED: 2026-05-21 +:LAST_REVIEWED: 2026-06-28 :END: -Archive logs with review process and schedule to identify failure patterns and trends +Umbrella for the security-hardening and audit effort. Consolidated from the 2026-06-28 task audit, re-homing the scattered security tasks as children so the work reads as a unit. Each child ships independently and keeps its prior priority. -** TODO [#B] Implement automated deprecation detection +*** TODO [#B] Test security + functionality together :PROPERTIES: :LAST_REVIEWED: 2026-05-21 :END: -Parse package warnings and repo metadata to catch upcoming deprecations proactively - -** TODO [#B] Audit dotfiles/common directory +**** TODO [#B] Verify no unexpected open ports or services +*** TODO [#B] Security audit tooling :PROPERTIES: :LAST_REVIEWED: 2026-05-21 :END: -*** TODO [#B] Review all 50+ scripts in ~/.local/bin - remove unused scripts -*** TODO [#B] Check dotfiles for uninstalled packages - remove orphaned configs -*** TODO [#B] Verify all stowed files are actually used - -** TODO [#B] Test security + functionality together +**** TODO [#B] Implement port scanning check +**** TODO [#B] Create security posture verification script +**** TODO [#B] Set up intrusion detection monitoring +*** TODO [#B] Document threat model and mitigations within 6 months :PROPERTIES: :LAST_REVIEWED: 2026-05-21 :END: -*** TODO [#B] Verify no unexpected open ports or services - -** TODO [#B] Security audit tooling +Identify attack vectors, what's mitigated, what remains +*** TODO [#C] Complete security education within 3 months :PROPERTIES: -:LAST_REVIEWED: 2026-05-21 +:LAST_REVIEWED: 2026-06-24 :END: -*** TODO [#B] Implement port scanning check -*** TODO [#B] Create security posture verification script -*** TODO [#B] Set up intrusion detection monitoring - -** TODO [#B] Document threat model and mitigations within 6 months +Read recommended resources to make informed security decisions (see metrics for Claude suggestions) +*** TODO [#C] Create security checklist for cafe/public wifi scenarios :PROPERTIES: :LAST_REVIEWED: 2026-05-21 :END: -Identify attack vectors, what's mitigated, what remains +Practical guidelines for working in public spaces ** TODO [#C] Re-check python-lyricsgenius --skipinteg workaround :solo: :PROPERTIES: @@ -653,9 +643,9 @@ Ran =makepkg --verifysource= on the current AUR PKGBUILD (3.7.0-1). The package ** TODO [#B] Test each modernization thoroughly before replacing :PROPERTIES: -:LAST_REVIEWED: 2026-05-21 +:LAST_REVIEWED: 2026-06-28 :END: -Ensure new tools integrate with DWM environment and don't break workflow +Ensure new tools integrate with the Hyprland environment and don't break workflow (the fleet is all Hyprland now; archsetup still supports DWM/X11 but no current machine uses it) ** TODO [#B] Add NVIDIA preflight check for Hyprland :PROPERTIES: @@ -680,35 +670,6 @@ error-prone — changes must be made in both places. Consider: - Same situation applies to fuzzel.ini The goal is a single place to edit each config, not two. -** TODO [#C] Monitor and optimize test execution time -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Keep test runs performant as installs and post-install tests grow (target < 2 hours) - -** TODO [#C] Set up alerts for deprecated packages -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Proactive monitoring integrated with testing - -** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Currently using snapshot-based testing which works but limits to sequential test runs -Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove) -Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup -Need to investigate proper machine-ID regeneration that doesn't break networking -Would enable parallel test execution in CI/CD -Priority C because snapshot-based testing meets current needs - -** TODO [#C] Create security checklist for cafe/public wifi scenarios -:PROPERTIES: -:LAST_REVIEWED: 2026-05-21 -:END: -Practical guidelines for working in public spaces - ** TODO [#B] Migrate terminal emulator from foot to ghostty :tooling: :PROPERTIES: :LAST_REVIEWED: 2026-06-24 @@ -758,33 +719,34 @@ Parse yay errors and provide specific, actionable fixes instead of generic error Enhance existing indicators to show what's happening in real-time ** TODO Manual testing and validation -*** Live-update guard aborts a GPU/compositor upgrade while Hyprland runs -What we're verifying: the pacman PreTransaction hook =hypr-live-update-guard= aborts a =-Syu= that swaps GPU/compositor libs while Hyprland is live, and stays quiet once the session is stopped. Unit tests cover the script's decision logic; this confirms pacman parses the hook, feeds the matched targets on stdin (=NeedsTargets=), and =AbortOnFail= actually stops the transaction. Run on a Hyprland box (ratio/velox). -- Prereq on machines installed before this shipped: place the guard if missing (a fresh archsetup install does this in the hyprland step). -#+begin_src sh :results output -if [ ! -e /usr/local/bin/hypr-live-update-guard ]; then - sudo cp ~/code/archsetup/scripts/hypr-live-update-guard /usr/local/bin/ && sudo chmod 755 /usr/local/bin/hypr-live-update-guard -fi -sudo cp ~/code/archsetup/scripts/hypr-live-update-guard /usr/local/bin/ # refresh -ls -l /usr/local/bin/hypr-live-update-guard /etc/pacman.d/hooks/hypr-live-update-guard.hook 2>&1 -#+end_src -- Quick contract check (no pending upgrade needed): feed the script the hook's stdin contract with Hyprland running. -#+begin_src sh :results output -printf 'mesa\nhyprland\n' | /usr/local/bin/hypr-live-update-guard; echo "exit=$?" -#+end_src -Expected: exit=1, plus the BLOCKED banner naming mesa/hyprland and the from-a-TTY remedy. -- Real firing inside pacman: with a mesa/hyprland/wayland/GPU-driver upgrade actually pending AND Hyprland running, run the upgrade. -#+begin_src sh :results output -sudo pacman -Syu -#+end_src -Expected: pacman runs the "Checking for a live Hyprland session..." hook and aborts; no packages upgraded. -- The from-a-TTY path: the guard keys off the Hyprland *process*, so switching VTs while Hyprland still runs does NOT clear it (correct -- the session is still vulnerable). Fully log out of Hyprland (or =hyprctl dispatch exit=) so no Hyprland process remains, then from the console/display-manager run the upgrade again. -Expected: the guard stays quiet and the upgrade completes. -- Override while running (escape hatch): -#+begin_src sh :results output -sudo touch /run/archsetup-allow-live-gpu-update && echo "sentinel set" -#+end_src -Expected: with the sentinel present, =sudo pacman -Syu= proceeds despite Hyprland running. (The sentinel clears on reboot -- /run is tmpfs.) +*** Give the README a final read before public release +What we're verifying: =README.md= reads cleanly and accurately for a first-time reader, with no stale personal info and consistent public-fork placeholders. +- Open =~/code/archsetup/README.md= +- Read it end to end as if you've never seen the project +Expected: every section is accurate, the personal-project disclaimer reads right, the placeholders (=<your-domain>=, =github.com/yourusername=) are consistent, and nothing personal leaked into the public-facing draft. +*** 2026-06-28 Sun @ 12:54:47 -0400 Live-update guard verified on velox (live Hyprland) +Verified the =hypr-live-update-guard= PreTransaction hook end-to-end on velox +with Hyprland running (pid 1997). velox predated the feature, so the guard was +absent — placed =/usr/local/bin/hypr-live-update-guard= (755) and +=/etc/pacman.d/hooks/hypr-live-update-guard.hook= (644), byte-matching the +archsetup hyprland-step install. The guard now ships on velox permanently. + +Results: +- Quick contract (=printf 'mesa\nhyprland\n' | guard=) → exit=1, BLOCKED banner, + sorted pkgs, correct TTY remedy + sentinel path. +- Not-running branch (=HYPR_GUARD_RUNNING=0=) → exit=0, silent. +- Env override (=HYPR_ALLOW_LIVE_UPDATE=1=) → exit=0. +- Sentinel (=touch /run/archsetup-allow-live-gpu-update=) → exit=0; removed → + re-armed exit=1. +- Real firing through pacman: =sudo pacman -S mesa= (same-version reinstall = + Upgrade op on a guarded target). pacman ran the hook, fed =mesa= via + =NeedsTargets=, the guard aborted, =AbortOnFail= stopped the transaction + ("no packages were upgraded"); mesa unchanged at 1:26.1.3-2. This is the + authoritative proof pacman parses + wires the hook. +- Full-logout end-to-end (guard quiet, upgrade completes after logout): covered + by construction — the not-running branch exits 0, and a 0-exit PreTransaction + hook lets pacman proceed normally (proven by the mesa abort showing the hook + path runs). Not re-run under a real logout; no separate residual. *** Wallpaper survives relogin (waypaper --restore) What we're verifying: the hyprland =exec-once= now runs =waypaper --restore= instead of a hardcoded =awww img=, so a wallpaper chosen via =set-wallpaper= / waypaper / dirvish persists across a relogin. The exec-once only fires at Hyprland startup, so this can't be confirmed without a real relogin. (Mechanism already verified: =waypaper --restore= applied the persisted wallpaper via the awww backend, exit 0.) - Set a wallpaper different from the current one (or pick one in waypaper, Super+Shift+P): @@ -848,25 +810,10 @@ A 2026-06-22 roam capture expands the scope past a passive indicator: the wifi m :END: From the roam inbox (2026-06-22): with Emacs integrated into the system as file manager and instant note-taker, make bouncing it trivial. A waybar component showing the emacs service status, with detail on hover, that turns the server on / off / bounce via right-click. Pairs with running the Emacs daemon as a managed systemd user service. -** DONE [#C] Collapse waybar sysmonitor to a single icon + hover :feature:waybar: -CLOSED: [2026-06-27 Sat] +** TODO [#C] set-wallpaper detaches waypaper config from its stow symlink :bug:hyprland:quick:solo: :PROPERTIES: -:LAST_REVIEWED: 2026-06-24 +:LAST_REVIEWED: 2026-06-28 :END: -From the roam inbox (2026-06-22): replace the spread-out sysmonitor readouts (temp, cpu, mem, storage) with one visible icon showing a single chosen metric, the rest in the hover tooltip. Open question: fold it into the battery component instead of a standalone module. Implementation lives in the waybar config under ~/.dotfiles. - -Shipped as a standalone =custom/sysmon= module (Craig's call: host-dependent primary — battery on laptop, disk on desktop — rather than fold into battery, which is laptop-only). Backing script =waybar-sysmon= gathers cpu/temp/mem/disk/battery, shows the host-appropriate metric, rest in tooltip; 13-case TDD suite; removed the 5 native modules + their CSS across all 3 themes. Dotfiles be7469b. - -** DONE [#C] Rename idle inhibitor to something more intuitive :chore:waybar: -CLOSED: [2026-06-27 Sat] -:PROPERTIES: -:LAST_REVIEWED: 2026-06-24 -:END: -From the roam inbox (2026-06-24): the "idle inhibitor" name doesn't work as a mnemonic — something like "sleep" (i.e. "keep awake" / "no-sleep") would land better. Decide the new name, then rename across the touchpoints: the =custom/idle= waybar module, the keybind mnemonic, and the backing script names (=hypridle-toggle= / =waybar-idle= from the 2026-06-24 idle-inhibitor work). Needs Craig's call on the name first, so not solo. - -Renamed to "caffeine" (Craig's call, 2026-06-27): =custom/caffeine= module, =waybar-caffeine= + =caffeine-toggle= scripts, tooltip "Caffeine: ON/OFF", CSS + test suites updated. Keybind stays =$mod+I= (=$mod+C= is hyprpicker). Shipped in dotfiles 8b45b51. - -** TODO [#C] set-wallpaper detaches waypaper config from its stow symlink :bug:hyprland:quick: =set-wallpaper= persists with =mv "$tmp" "$CONFIG"=, which replaces the =~/.config/waypaper/config.ini= stow symlink with a real file. After the first run the live config is detached from =~/.dotfiles/hyprland/.config/waypaper/config.ini=, so a later =git pull= + restow won't update it and set-wallpaper changes never flow back to the repo. Fix: write in place rather than =mv= over the symlink — e.g. =cp "$tmp" "$CONFIG"= (follows the symlink to the real dotfiles file), or resolve the link target and write there. Lives in =~/.dotfiles/hyprland/.local/bin/set-wallpaper=; it has a test suite, so add a Boundary case for "CONFIG is a symlink". * Archsetup Resolved @@ -1538,3 +1485,54 @@ CLOSED: [2026-06-24 Wed] The Hyprland =exec-once= (=hyprland.conf:26=) restores the wallpaper with a hardcoded =awww img ~/pictures/wallpaper/trondheim-norway.jpg=, so any wallpaper set later (via =set-wallpaper=, waypaper, or the dirvish =bg=) reverts on relogin. =set-wallpaper= now persists the choice to =waypaper/config.ini=, so switch the exec-once to =waypaper --restore= (after =awww-daemon= is up) to make set wallpapers survive a relogin. Small, dotfiles-only; verify by setting a different wallpaper, relogging, and confirming it sticks. Done 2026-06-24 (dotfiles): swapped the line-26 exec-once from the hardcoded =awww img …/trondheim-norway.jpg= to =awww-daemon & sleep 1 && waypaper --restore=. waypaper has a real =awww= backend (in its =--backend= list), the stowed =waypaper/config.ini= carries =backend = awww= plus a default =wallpaper == line, so =--restore= works on a fresh install too. Mechanism verified live: =waypaper --restore= reapplied the persisted wallpaper via awww, exit 0. Relogin confirmation filed under "Manual testing and validation". Follow-up filed: =set-wallpaper='s =mv= detached the live =waypaper/config.ini= from its stow symlink, so set-wallpaper changes no longer flow back to dotfiles. +** DONE [#B] VM test harness shared one NVRAM file across filesystem profiles :bug:test: +CLOSED: [2026-06-27 Sat] +The harness shared one OVMF NVRAM file (=vm-images/OVMF_VARS.fd=) across the btrfs +and zfs profiles (=init_vm_paths= suffixed the disk image per profile but not the +NVRAM). NVRAM lives outside the qcow2, so a disk-snapshot revert can't restore it, +and a zfs run's ZFSBootMenu boot entries clobbered the btrfs GRUB entry. With no +removable =\EFI\BOOT\BOOTX64.EFI= fallback on the base ESP, the next btrfs run +booted into UEFI with no bootable device ("BdsDxe: No bootable option or device +was found", then PXE/HTTP, then SSH timeout before archsetup ran). Found +2026-06-27 trying to VM-validate the installer refactor. + +Fixed: =OVMF_VARS= now carries the same per-profile suffix as the disk image +(=OVMF_VARS${img_suffix}.fd=) in =vm-utils.sh init_vm_paths=, so btrfs and zfs keep +separate NVRAM. Validated by a full green zfs run 2026-06-27 (ArchSetup exit 0, +Testinfra 96 passed / 0 failed). Remaining hardening tracked below. +** DONE [#B] Guard against live mesa/hyprland/wayland-runtime updates :hyprland: +CLOSED: [2026-06-28 Sun] +:PROPERTIES: +:LAST_REVIEWED: 2026-06-09 +:END: +A live =pacman -Syu= that swaps mesa/hyprland/wayland runtime libs out from under a running Hyprland session can crash the compositor: the next GPU-lib call hits a now-"(deleted)" library and SIGABRTs, taking the Wayland clients down with it. Hit ratio 2026-06-07 (mesa 26.0.6 -> 26.1.2 + hyprland upgraded live; Hyprland SIGABRT took down awww/insync/emacs). Likely the driver behind ratio's high lifetime unsafe-shutdown ratio — a crashed compositor forces a hard reset. + +Shipped as a pacman PreTransaction hook rather than a wrapper, so it fires no matter how the upgrade is launched (pacman, yay, topgrade). =scripts/hypr-live-update-guard= aborts the transaction before any package is swapped when the GPU/compositor runtime set is being upgraded AND Hyprland is running, pointing the user to re-run from a TTY with the session stopped; it stays quiet when Hyprland isn't running (the safe from-a-TTY path). Override via =HYPR_ALLOW_LIVE_UPDATE=1= or by touching the sentinel file named in the abort message. archsetup installs the script to =/usr/local/bin= and the hook to =/etc/pacman.d/hooks/= in the hyprland path. Decision logic unit-tested (=tests/hypr-live-update-guard=, 9 cases). Live firing test filed under Manual testing and validation. Commits: archsetup (this session). +** DONE [#B] Collapsible waybar sides :waybar: +CLOSED: [2026-06-27 Sat] +:PROPERTIES: +:LAST_REVIEWED: 2026-06-09 +:END: +Let either side of the waybar collapse horizontally to a minimal base set, toggled by a click. Each collapsible side carries a small triangle / arrowhead pointing toward the screen edge it collapses into (away from center). Clicking it collapses that side to its base set and flips the arrow to point back toward center; clicking again restores the full side. Same shape-changes-with-state idea as the auto-dim indicator. + +Spec (2026-06-19): [[file:assets/2026-06-19-collapsible-waybar-sides-spec.org]]. Spike that settled the mechanism: [[file:assets/2026-06-18-collapsible-waybar-sides-spike-findings.org]]. + +Decisions locked: right base set = date + worldclock + tray; left base set = menu + workspaces; per-side independent; host-agnostic (base set constant, full set is each host's existing config). Mechanism = config-swap + SIGUSR2 reload via an active-config copy in =$XDG_RUNTIME_DIR= (the CSS/state-file approach was disproven — GTK3 can't reflow-hide native modules). Lives in =~/.dotfiles/hyprland/=. + +Shipped per spec (dotfiles 804bef6): 3 TDD'd scripts (=waybar-active-config=, =waybar-collapse=, =waybar-arrow=; 22 cases), arrow modules wired into the config (left arrow innermost-left, right arrow innermost-right), CSS ×3, =$mod+[= / =$mod+]= keybinds, and =waybar-toggle= relaunch updated to load the active config so a crash preserves collapse state. Verified live: click, keybind, and per-side independence all work; expand round-trips exactly to canonical. +** DONE [#C] Collapse waybar sysmonitor to a single icon + hover :feature:waybar: +CLOSED: [2026-06-27 Sat] +:PROPERTIES: +:LAST_REVIEWED: 2026-06-24 +:END: +From the roam inbox (2026-06-22): replace the spread-out sysmonitor readouts (temp, cpu, mem, storage) with one visible icon showing a single chosen metric, the rest in the hover tooltip. Open question: fold it into the battery component instead of a standalone module. Implementation lives in the waybar config under ~/.dotfiles. + +Shipped as a standalone =custom/sysmon= module (Craig's call: host-dependent primary — battery on laptop, disk on desktop — rather than fold into battery, which is laptop-only). Backing script =waybar-sysmon= gathers cpu/temp/mem/disk/battery, shows the host-appropriate metric, rest in tooltip; 13-case TDD suite; removed the 5 native modules + their CSS across all 3 themes. Dotfiles be7469b. +** DONE [#C] Rename idle inhibitor to something more intuitive :chore:waybar: +CLOSED: [2026-06-27 Sat] +:PROPERTIES: +:LAST_REVIEWED: 2026-06-24 +:END: +From the roam inbox (2026-06-24): the "idle inhibitor" name doesn't work as a mnemonic — something like "sleep" (i.e. "keep awake" / "no-sleep") would land better. Decide the new name, then rename across the touchpoints: the =custom/idle= waybar module, the keybind mnemonic, and the backing script names (=hypridle-toggle= / =waybar-idle= from the 2026-06-24 idle-inhibitor work). Needs Craig's call on the name first, so not solo. + +Renamed to "caffeine" (Craig's call, 2026-06-27): =custom/caffeine= module, =waybar-caffeine= + =caffeine-toggle= scripts, tooltip "Caffeine: ON/OFF", CSS + test suites updated. Keybind stays =$mod+I= (=$mod+C= is hyprpicker). Shipped in dotfiles 8b45b51. |