| Commit message | Author | Age | Files | Lines |
Filed the zoom-launches-tiny and focus-on-unhide bugs as tracked tasks (held for a debug pass), and moved this round's completed tasks into Resolved.
The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id.
This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand.
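
A check for the case the message mentions, hosts whose main sshd_config still carries an explicit PermitRootLogin yes, written as an added example that is not archsetup code. sshd keeps the first value it obtains for a keyword, so the drop-in only wins when the Include line comes before the old setting; the resolver below is a simplified model (no Match blocks, absolute Include globs) and its function names and file layout are assumptions.

```shell
# Added example, not archsetup code. Simplified model of sshd's "first obtained
# value wins" rule: top-level keywords only, no Match blocks, absolute Include globs.
# On a real host the authoritative answer is: sshd -T | grep -i permitrootlogin
effective_root_login() {
    main=$1
    while read -r key val rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            include)
                for f in $val; do      # unquoted on purpose: glob expands in lexical order
                    [ -f "$f" ] || continue
                    v=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$f")
                    if [ -n "$v" ]; then echo "$v"; return 0; fi
                done ;;
            permitrootlogin)
                echo "$val"; return 0 ;;
        esac
    done < "$main"
    echo prohibit-password             # OpenSSH built-in default when nothing sets it
}

# Constructed layouts: the same drop-in, with Include before and after a stale "yes".
root_login_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    echo 'PermitRootLogin prohibit-password' > "$d/sshd_config.d/10-hardening.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin yes\n' "$d" > "$d/include_first"
    printf 'PermitRootLogin yes\nInclude %s/sshd_config.d/*.conf\n' "$d" > "$d/include_last"
    echo "Include first: $(effective_root_login "$d/include_first")"
    echo "Include last:  $(effective_root_login "$d/include_last")"
    rm -rf "$d"
}
root_login_demo
```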
audit
Filed a [#C] task for the Fn+F9-toggles-pocketbook behavior on velox, with the investigation findings: the trigger isn't in any Hyprland bind, remapper, or pocketbook's own source, so it's parked until it resurfaces.
Also closed the paru-vs-yay research task properly: it had been left as a level-2 dated header, which is a sub-task shape, so it became DONE + CLOSED.
Manual-test checklists for the Super+F Dirvish popup (launch, focus-loss dismiss, per-type external launch, single-instance, q). New tasks captured from the roam inbox: wifi remediation scope, waybar emacs-service control, collapse sysmonitor to one icon, and Proton Mail Bridge font size.
A spike disproved the CSS / state-file approach. GTK3 has no display:none, so native modules go invisible but hold their space, and the bar never reflows. The mechanism is config-swap plus a SIGUSR2 reload, driven through an active config copied into XDG_RUNTIME_DIR so the toggle never rewrites the stowed canonical config.
The spec locks the base sets (left: menu + workspaces; right: date + worldclock + tray), keeps the two sides independent, and stays host-agnostic: the base set is constant, the full set is whatever each host already defines. Spec and spike findings live under working/.
Arch's rolling repo ships zig 0.16+, but ghostel's native-module compile fallback needs exactly 0.15.2: ghostel pins ghostty 1.3.2-dev, whose build does requireZig(0.15.2), and 0.16's build-API changes break the dependency build scripts. So a plain pacman -S zig produces a zig that can't build ghostel.
install_zig_pin downloads zig-x86_64-linux-0.15.2.tar.xz from ziglang.org, verifies the sha256, extracts to /opt/zig-0.15.2, and symlinks /usr/local/bin/zig ahead of /usr/bin on PATH, where pacman -Syu can't bump it. I split the verify-and-install core (zig_install_from_tarball) out so it stays network-free and unit-testable: it refuses on a sha256 mismatch, a missing tarball, or a tree with no zig binary, and short-circuits when a correct install already exists.
ghostel's default path downloads a prebuilt module and needs no zig, so this only matters for the offline compile fallback. The pin needs a one-line bump (ZIG_VERSION + ZIG_SHA256) whenever ghostel moves to a newer ghostty.
Tests live in tests/zig-pin/: 7 cases covering extract+symlink, idempotency, sha256-mismatch refusal, missing tarball, and no-binary cleanup, run against the real function extracted from the script.
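
The verify-then-install core described above, as an added shell sketch that is not archsetup's zig_install_from_tarball. The function name, argument order, return codes and the throwaway tarball built in the demo are assumptions made for illustration.

```shell
# Added sketch, NOT archsetup's zig_install_from_tarball; all names are hypothetical.
# install_pinned TARBALL SHA256 DEST LINK BIN
# Returns: 0 installed or already current, 2 tarball missing,
#          3 sha256 mismatch, 4 extracted tree has no BIN, 1 other failure.
install_pinned() {
    tarball=$1 want=$2 dest=$3 link=$4 bin=$5

    # Short-circuit: LINK already points at an executable in the pinned tree.
    if [ -x "$dest/$bin" ] && [ "$(readlink "$link" 2>/dev/null)" = "$dest/$bin" ]; then
        return 0
    fi
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }

    # Verify the digest before tar ever parses the archive.
    got=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch: want $want, got $got" >&2
        return 3
    fi

    # Extract into a staging directory so a bad archive never replaces DEST.
    mkdir -p "$(dirname "$dest")" "$(dirname "$link")" || return 1
    stage=$(mktemp -d "$dest.stage.XXXXXX") || return 1
    if ! tar -xf "$tarball" -C "$stage" --strip-components=1; then
        rm -rf "$stage"; return 1
    fi
    if [ ! -x "$stage/$bin" ]; then
        echo "no executable $bin in archive" >&2
        rm -rf "$stage"; return 4
    fi
    rm -rf "$dest" && mv "$stage" "$dest" && ln -sfn "$dest/$bin" "$link"
}

# Constructed demo: build a throwaway tarball, then try a wrong and a right digest.
pin_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/tool-1.0"
    printf '#!/bin/sh\necho pinned\n' > "$t/src/tool-1.0/tool"
    chmod +x "$t/src/tool-1.0/tool"
    tar -C "$t/src" -cf "$t/tool.tar" tool-1.0
    sum=$(sha256sum "$t/tool.tar" | cut -d' ' -f1)
    rc=0; install_pinned "$t/tool.tar" deadbeef "$t/opt/tool" "$t/bin/tool" tool 2>/dev/null || rc=$?
    echo "wrong digest -> $rc"
    rc=0; install_pinned "$t/tool.tar" "$sum" "$t/opt/tool" "$t/bin/tool" tool || rc=$?
    echo "right digest -> $rc ($("$t/bin/tool"))"
    rm -rf "$t"
}
pin_demo
```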
I ran an audit pass over the open-work tasks. I moved the six release-prep sub-tasks that target the now-standalone ~/.dotfiles repo out of the GitHub-release epic into that project, leaving a dated note pointing at the handoff. The epic now covers archsetup-proper release work only.
I reconciled two stale facts: dropped the dead scripts/gitrepos.sh reference (consolidated into post-install.sh in dae7659), and noted on the install-errors task that the latest VM run holds the error set at four known residuals.
I added a Tags section to the priority scheme (type, effort/autonomy, and an open set of topic tags) so the file declares its tag vocabulary, not just its priorities. I also de-linked two dead handoff-file references and filed the Waybar Wi-Fi no-internet task.
I marked the two package-inventory tasks DONE. Both are satisfied by scripts/package-inventory, now covered by characterization tests and a make package-diff target. I demoted the CI/CD pipeline task to C, since a full VM install per commit isn't realistic active backlog.
package-inventory compares archsetup's declared packages against the live system but had no tests, so a future archsetup edit (a new for-loop shape, a renamed install helper) could silently break the extraction.
I added two env seams so the script is testable without the real system. PKGINV_ARCHSETUP points the extractor at a fixture installer, PKGINV_PACMAN swaps in a fake pacman serving controlled query output. Both default to the real targets, so normal use is unchanged, and the seams match the env-override pattern audit-packages.sh already uses.
The 7 tests pin the extraction (direct calls, for-loop lists, variable-arg skip) and both diff directions against the fixture, with no network or real pacman db. I also added a make package-diff target so the tool is reachable alongside the test targets.
The popup fix shipped in the dotfiles repo (the script now calls cj/quick-capture; the scrolling layout is disabled and Super+Shift+S reassigned to a fullscreen screenshot). I filed the scrolling-layout frame-fit and wrap-around work as a follow-up, and archived the processed cross-project handoff replies.
The check captured 'ls path && echo yes', so a present linger file produced 'path\nyes', which never string-equals yes — every run warned regardless of actual state. Forensics on a kept VM showed lingering correctly enabled all along (file present mid-install, loginctl Linger=yes, logind healthy): the original VM-artifact hypothesis was wrong, archsetup's enable-linger calls were always fine. test -e captures cleanly; verified returning 'yes' against the live VM.
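
A reproduction of the capture bug described above, added here as an example and not taken from archsetup. The function names, the run_in_vm stand-in and the temporary file that plays the linger file are all constructed.

```shell
# Constructed reproduction; function names and sample paths are hypothetical.
# run_in_vm stands in for however the validation runs a command inside the VM.
run_in_vm() { sh -c "$1" 2>/dev/null; }

# Before: ls prints the path first, so the capture is "<path>\nyes", never "yes".
linger_ok_old() {
    out=$(run_in_vm "ls '$1' && echo yes") || true
    [ "$out" = yes ]
}

# After: test -e prints nothing, so the capture is exactly "yes" or empty.
linger_ok_new() {
    out=$(run_in_vm "test -e '$1' && echo yes") || true
    [ "$out" = yes ]
}

# Run both checks against a present and an absent file.
linger_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/demo-user"                 # stands in for the per-user linger file
    for f in "$d/demo-user" "$d/absent"; do
        linger_ok_old "$f" && old=ok || old=WARN
        linger_ok_new "$f" && new=ok || new=WARN
        echo "$(basename "$f"): old=$old new=$new"
    done
    rm -rf "$d"
}
linger_demo
```

The old check warns for both files, which is why the warning carried no information; the new one warns only for the absent file.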
A single slow mirror (fastly, <1 byte/sec on one signature file) halted a full install at the -Syu step, which had no retry while every per-package install gets three attempts. The refresh now shares MAX_INSTALL_RETRIES; pacman resumes partial downloads, so a transient stall recovers.
scripts/audit-packages.sh extracts every pacman_install/aur_install package (loop lists included) and verifies each against its declared source — sync dbs for official, one batched RPC query for AUR — flagging movers in both directions. Unit-tested against fixture installers with fake pacman/curl.
First real run over 420 packages found four that vanished from both sources, each now fixed: libva-mesa-driver folded into mesa (line dropped), nvidia-dkms replaced by nvidia-open-dkms (Turing+; legacy cards are the preflight task's problem), swww replaced by awww (its successor, already what both machines run), and libappindicator-gtk3 replaced by libayatana-appindicator. Fifteen AUR entries that graduated to official repos still install fine via yay and are left as-is.
Mirrors the dotfiles Makefile semantics: a package named after the machine (/etc/hostname, uname -n fallback) is stowed after common + DE when the directory exists, skipped with a message otherwise. Hosts without a tier — including the test VM — see no behavior change.
close-out
handoffs
The 19:06 verification run showed the portal skip not firing: a socket-activated xdg-desktop-portal process exists even headless, so the process check was the wrong precondition. The skip now keys on a running Hyprland, same as the socket check. That run confirmed the other three skips live (warnings 5 to 2); the remaining counted warnings are this portal case and the lingering question, which stays open.
file managers, criteria
Five evaluation reports: modern CLI tools (adopt bat/dust/hyperfine/tealdeer/doggo, all in extra), paru vs yay (stay with yay — paru dormant 11 months with a libalpm-broken stable), terminal emulators (stay with foot; ghostty the only challenger, wezterm effectively unmaintained), Wayland file managers (keep nautilus, add yazi over porting the frozen ranger), and the standing evaluation criteria distilled from the round. Maintenance claims verified against live repo data, not aggregator articles.
Four warnings fired on every headless VM run, training the reader to ignore the warning count: the Hyprland socket and portal queries (no graphical login), the mDNS ping (slirp passes no multicast), and docker-not-responding (enabled but deliberately not started pre-reboot). Each now detects its precondition and logs a skip that counts nowhere; the warn paths stay for the cases that are real (compositor running without a socket, portal running but unqueryable, mDNS failing on real networking, docker active but dead). The lingering warning stays — it needs its own investigation.
velox's first post-trim boot showed r8152 failing to load rtl_nic/rtl8156b-2.fw — the Framework Ethernet expansion card is a Realtek RTL8156B, so the trim list was wrong to drop realtek firmware. The driver runs on internal defaults without the blob, so nothing broke, but the package is back on velox and out of the removal list.
The dotfiles validation hardcoded .dotfiles/common/.zshrc, but a none install stows the standalone minimal/ tree, so the first none-run ever to reach validation failed on a correct symlink. The expected path now follows DESKTOP_ENV from the VM conf.
TLP installs and enables on any machine with a battery (BAT* present), with an /etc/tlp.d/01-custom.conf pinning the CPU energy/perf split per power source; systemd-rfkill gets masked per TLP's docs. The firmware trim is DMI-gated to Framework Intel machines, where the hardware set is known: keep linux-firmware-intel and -atheros, remove the meta and the other ten subpackages (~600MB). Applied live on velox first — TLP 1.10.1 active, wifi up after the trim, initramfs rebuilt clean.
Unpacked-extension theme mapping the dupre palette onto Chrome's window chrome: bg #151311 frame, bg+1 toolbar/omnibox, gold #d7af5f new-tab links, steel inactive-tab text. Install via chrome://extensions dev mode, Load unpacked.
It's the headless JSON-RPC backend for the in-Emacs Signal client, hand-installed until now. Device linking stays manual (interactive QR scan) — the install only guarantees the binary.
Fresh installs were skipping uv, so PEP 723 inline-script shebangs (#!/usr/bin/env -S uv run --script) failed with env: uv: No such file or directory. ratio and velox had it hand-installed.
Add :solo: to the waybar even-spacing and Chrome dupre-theme tasks. Both are ratio-local and objectively verifiable (measure the gaps, confirm the palette hex values), with the eyeball confirmation handed off as a manual-testing reminder. Velox-only or design-call visual tasks stay off.
Add :solo: to the security-dashboard command task. It's buildable and locally verifiable against known system state with no upfront decision, so it meets the clarified solo bar.
Tag six tasks :solo: (finishable end to end with no input, verifiable locally): the airplane-mode robustness follow-ups, the signal-cli and uv install additions, the Phase-2 VM verify, and the two automate-X scripts (usage tracking, dotfile validation). Kept :solo: off anything needing a design call, visual confirmation, laptop-only hardware, or sign-off.
File three [#B] waybar tasks: collapsible bar sides (an arrow click shrinks either side to a base set), an nmcli-backed network-manager dropdown with optional GPG-encrypted secrets, and a desktop-settings dropdown gathering the dim, brightness, touchpad, airplane, and idle toggles and sliders.