fix: lock-screen, confirm-tier, and mail-folder audit bugs

Lock screen: slock is X11-only and never grabbed the Wayland session, so C-; ! l silently did nothing. On Wayland the locker now runs loginctl lock-session, which logind turns into a Lock signal that hypridle handles by running hyprlock, the same path idle and before-sleep locking already use. X11 keeps slock. system-commands.el now also requires host-environment, which it used at load time but never declared.

Confirmation tier: the global (fset 'yes-or-no-p 'y-or-n-p) plus use-short-answers t both flattened yes-or-no-p to a single keystroke, so the deliberate strong-confirm tier for irreversible actions was dead. A stray space could power off the machine or destroy files. I added cj/confirm-strong, which binds use-short-answers nil for one call to force a typed "yes", and routed the six irreversible sites through it (shutdown/reboot, permanent file destruction, file overwrites). I dropped the redundant fset and kept use-short-answers t so ordinary prompts stay single-key.

Mail folders: the cmail context set no trash folder, so D fell back to a nonexistent /trash, and no context set a refile folder, so r targeted a nonexistent /archive everywhere. Accepting mu4e's offer to create the maildir stranded mail where mbsync never syncs it. cmail now trashes to /cmail/Trash. Refile is computed per message rather than per context, because mu4e context :vars are sticky and a per-context refile would leak one account's archive folder into another. cmail archives to /cmail/Archive. The Gmail-backed accounts have no synced archive maildir, so they signal rather than move mail into an unsynced folder.

Lock and confirm-tier need a daemon restart to fully take effect. The mail changes apply on next mu4e open.

10 files changed, 164 insertions, 13 deletions

diff --git a/modules/custom-buffer-file.el b/modules/custom-buffer-file.el
index 6c3e6c6e..25b4a418 100644
--- a/modules/custom-buffer-file.el
+++ b/modules/custom-buffer-file.el
@@ -48,6 +48,7 @@
 ;; mm-decode for email viewing (mm-handle-type is a macro, needs early require)
 (require 'mm-decode)
 (require 'external-open) ;; for cj/xdg-open, cj/open-this-file-with
+(require 'system-lib)   ;; cj/confirm-strong (overwrite confirms), used below
 
 ;; cj/kill-buffer-and-window and cj/kill-other-window-buffer defined in undead-buffers.el
 (declare-function cj/kill-buffer-and-window "undead-buffers")
@@ -156,7 +157,7 @@ When called interactively, prompts for confirmation if target file exists."
     (condition-case _
         (cj/--move-buffer-and-file dir nil)
       (file-already-exists
-       (if (yes-or-no-p (format "File %s exists; overwrite? " target))
+       (if (cj/confirm-strong (format "File %s exists; overwrite? " target))
            (cj/--move-buffer-and-file dir t)
          (message "File not moved"))))))
 
@@ -196,7 +197,7 @@ When called interactively, prompts for confirmation if target file exists."
   (condition-case err
       (cj/--rename-buffer-and-file new-name nil)
     (file-already-exists
-     (if (yes-or-no-p (format "File %s exists; overwrite? " new-name))
+     (if (cj/confirm-strong (format "File %s exists; overwrite? " new-name))
          (cj/--rename-buffer-and-file new-name t)
        (message "File not renamed")))
     (error
@@ -338,7 +339,6 @@ Do not save the deleted text in the kill ring."
   (kill-new (buffer-name))
   (message "Copied: %s" (buffer-name)))
 
-(require 'system-lib)
 (declare-function ansi-color-apply-on-region "ansi-color")
 
 (defun cj/--diff-with-difftastic (file1 file2 buffer)
diff --git a/modules/dwim-shell-config.el b/modules/dwim-shell-config.el
index 57eea706..655c8d85 100644
--- a/modules/dwim-shell-config.el
+++ b/modules/dwim-shell-config.el
@@ -98,6 +98,7 @@
 ;;; Code:
 
 (require 'cl-lib)
+(require 'system-lib)  ;; cj/confirm-strong (permanent file destruction confirm)
 
 ;; --------------------------- Password-file helpers ---------------------------
 
@@ -801,7 +802,7 @@ switching off the .7z format to gpg-wrapped tar."
 Uses =shred -u= so the file is unlinked after overwriting, matching the
 \"delete\" the command name and prompt promise."
 	(interactive)
-	(when (yes-or-no-p "This will permanently destroy files. Continue? ")
+	(when (cj/confirm-strong "This will permanently destroy files. Continue? ")
 	  (dwim-shell-command-on-marked-files
 	   "Secure delete"
 	   "shred -vfzu -n 3 '<<f>>'"
diff --git a/modules/mail-config.el b/modules/mail-config.el
index f71d6eeb..dfc0c4e0 100644
--- a/modules/mail-config.el
+++ b/modules/mail-config.el
@@ -48,6 +48,31 @@
 (defvar message-send-mail-function nil)
 (defvar message-sendmail-envelope-from nil)
 
+(declare-function mu4e-message-field "mu4e-message")
+
+;; Refile (archive) target dispatch.  A per-context `mu4e-refile-folder' string
+;; is unsafe: mu4e context :vars are sticky, so a value set when one context is
+;; active leaks into a later context that doesn't set its own -- archiving one
+;; account's mail into another's folder.  A single function evaluated per
+;; message at refile time avoids that.  Only cmail has a real synced Archive
+;; folder; the Gmail-backed accounts (gmail, dmail) sync no archive maildir, so
+;; refiling them would move mail into an unsynced, server-invisible folder
+;; (silent loss) -- signal instead.
+(defun cj/mu4e--refile-folder-for-maildir (maildir)
+  "Return the refile (archive) folder for MAILDIR, or signal when none exists.
+MAILDIR is a mu4e :maildir string such as \"/cmail/INBOX\"."
+  (cond
+   ((not (stringp maildir))
+    (user-error "Cannot refile: message has no maildir"))
+   ((string-prefix-p "/cmail" maildir) "/cmail/Archive")
+   (t
+    (user-error "No archive folder syncs for this account; refile disabled to avoid moving mail into an unsynced folder"))))
+
+(defun cj/mu4e--refile-folder (msg)
+  "Refile-folder function for `mu4e-refile-folder'.
+Dispatch on MSG's maildir via `cj/mu4e--refile-folder-for-maildir'."
+  (cj/mu4e--refile-folder-for-maildir (and msg (mu4e-message-field msg :maildir))))
+
 (defcustom cj/smtpmail-debug-enabled nil
   "Non-nil means enable verbose SMTP transport debug logging.
 
@@ -217,7 +242,8 @@ Prompts user for the action when executing."
           :vars '((user-mail-address    . "c@cjennings.net")
                   (user-full-name       . "Craig Jennings")
                   (mu4e-drafts-folder   . "/cmail/Drafts")
-                  (mu4e-sent-folder     . "/cmail/Sent")))
+                  (mu4e-sent-folder     . "/cmail/Sent")
+                  (mu4e-trash-folder    . "/cmail/Trash")))
 
          (make-mu4e-context
           :name "deepsat.com"
@@ -232,6 +258,12 @@ Prompts user for the action when executing."
                   (mu4e-starred-folder      . "/dmail/Starred")
                   (mu4e-trash-folder        . "/dmail/Trash")))))
 
+  ;; Refile target is computed per message (see `cj/mu4e--refile-folder'), not
+  ;; set per context, because mu4e context :vars are sticky and would leak one
+  ;; account's archive folder into another.  cmail archives to /cmail/Archive;
+  ;; gmail/dmail signal rather than move mail into an unsynced folder.
+  (setq mu4e-refile-folder #'cj/mu4e--refile-folder)
+
   (setq mu4e-maildir-shortcuts
         '(("/cmail/Inbox"       . ?i)
           ("/cmail/Sent"        . ?s)
diff --git a/modules/music-config.el b/modules/music-config.el
index fd619d8c..799db133 100644
--- a/modules/music-config.el
+++ b/modules/music-config.el
@@ -95,6 +95,7 @@
 (require 'user-constants)
 (require 'keybindings)  ;; provides cj/custom-keymap
 (require 'cj-window-toggle-lib)  ;; side-window size memory (F10 toggle)
+(require 'system-lib)            ;; cj/confirm-strong (overwrite confirms)
 
 ;;; Settings (no Customize)
 
@@ -371,7 +372,7 @@ Offers completion over existing names but allows new names."
          (filename (if (string-suffix-p ".m3u" chosen) chosen (concat chosen ".m3u")))
          (full (expand-file-name filename cj/music-m3u-root)))
     (when (and (file-exists-p full)
-               (not (yes-or-no-p (format "Overwrite %s? " filename))))
+               (not (cj/confirm-strong (format "Overwrite %s? " filename))))
       (user-error "Aborted saving playlist"))
     (with-current-buffer (cj/music--ensure-playlist-buffer)
       (let ((emms-source-playlist-ask-before-overwrite nil))
@@ -924,7 +925,7 @@ For URL tracks: decoded URL."
          (file (expand-file-name (concat safe "_Radio.m3u") cj/music-m3u-root))
          (content (format "#EXTM3U\n#EXTINF:-1,%s\n%s\n" name url)))
     (when (and (file-exists-p file)
-               (not (yes-or-no-p (format "Overwrite %s? " (file-name-nondirectory file)))))
+               (not (cj/confirm-strong (format "Overwrite %s? " (file-name-nondirectory file)))))
       (user-error "Aborted creating radio station"))
     (with-temp-file file
       (insert content))
diff --git a/modules/system-commands.el b/modules/system-commands.el
index dba4d40e..44ac3ae8 100644
--- a/modules/system-commands.el
+++ b/modules/system-commands.el
@@ -9,7 +9,7 @@
 ;; Eager reason: registers the C-; ! system-command keymap; high-impact commands
 ;;   that should run only by command (command-loaded target).
 ;; Top-level side effects: defines a system-command keymap under cj/custom-keymap.
-;; Runtime requires: keybindings, rx.
+;; Runtime requires: keybindings, host-environment, rx.
 ;; Direct test load: yes (requires keybindings explicitly).
 ;;
 ;; System commands for logout, lock, suspend, shutdown, reboot, and Emacs
@@ -17,7 +17,7 @@
 ;;
 ;; Commands include:
 ;; - Logout (terminate user session)
-;; - Lock screen (slock)
+;; - Lock screen (hyprlock on Wayland, slock on X11)
 ;; - Suspend (systemctl suspend)
 ;; - Shutdown (systemctl poweroff)
 ;; - Reboot (systemctl reboot)
@@ -34,6 +34,14 @@
 ;; the load-time reference void if anything required `system-commands'
 ;; before `keybindings'.  Make the dependency explicit.
 (require 'keybindings)
+;; `host-environment' provides `env-wayland-p', referenced at load time by the
+;; `lockscreen-cmd' defvar below to pick the session-appropriate locker. A hard
+;; require keeps the module loadable on its own (tests, byte-compile) rather
+;; than relying on init.el's load order.
+(require 'host-environment)
+;; `system-lib' provides `cj/confirm-strong', used at runtime by the `strong'
+;; confirm branch of `cj/system-cmd' for irreversible actions (shutdown/reboot).
+(require 'system-lib)
 (eval-when-compile (require 'subr-x))
 (require 'rx)
 
@@ -71,7 +79,7 @@ If CMD is deemed dangerous, ask for confirmation."
        ;; Strong confirm for irreversible actions (shutdown, reboot):
        ;; require an explicit "yes", so a stray RET/space can't trigger them.
        ((eq confirm 'strong)
-        (unless (yes-or-no-p (format "Really run %s (%s)? " label cmdstr))
+        (unless (cj/confirm-strong (format "Really run %s (%s)? " label cmdstr))
           (user-error "Aborted")))
        ;; Quick (Y/n) confirm for recoverable actions (logout, suspend).
        (confirm
@@ -102,7 +110,13 @@ actions like shutdown and reboot), nil for no confirmation."
 
 ;; Define system commands
 (cj/defsystem-command cj/system-cmd-logout   logout-cmd "loginctl terminate-user $(whoami)" t)
-(cj/defsystem-command cj/system-cmd-lock     lockscreen-cmd "slock")
+;; slock is X11-only and can't grab a Wayland session.  On Wayland, lock via
+;; the session manager (`loginctl lock-session') rather than spawning a locker
+;; directly: logind emits the Lock signal, hypridle catches it and runs its
+;; lock_cmd (hyprlock), the same path idle/before-sleep locking already uses.
+;; X11 machines keep slock.
+(cj/defsystem-command cj/system-cmd-lock     lockscreen-cmd
+  (if (env-wayland-p) "loginctl lock-session" "slock"))
 (cj/defsystem-command cj/system-cmd-suspend  suspend-cmd "systemctl suspend" t)
 (cj/defsystem-command cj/system-cmd-shutdown shutdown-cmd "systemctl poweroff" strong)
 (cj/defsystem-command cj/system-cmd-reboot   reboot-cmd "systemctl reboot" strong)
diff --git a/modules/system-defaults.el b/modules/system-defaults.el
index eccc6c35..1703b1bf 100644
--- a/modules/system-defaults.el
+++ b/modules/system-defaults.el
@@ -200,8 +200,9 @@ appears only once per session."
 (setq confirm-nonexistent-file-or-buffer nil) ;; don't ask if a file I visit with C-x C-f or C-x b doesn't exist
 (setq ad-redefinition-action 'accept)         ;; silence warnings about advised functions getting redefined.
 (setq large-file-warning-threshold nil)       ;; open files regardless of size
-(fset 'yes-or-no-p 'y-or-n-p)                 ;; require a single letter for binary answers
-(setq use-short-answers t)                    ;; same as above with Emacs 28+
+(setq use-short-answers t)                    ;; single-key y/n for ordinary yes-or-no-p prompts
+                                              ;; (irreversible actions use `cj/confirm-strong', which
+                                              ;; forces a typed "yes" by binding this nil for that call)
 (setq auto-revert-verbose nil)                ;; turn off auto revert messages
 (setq custom-safe-themes t)                   ;; treat all themes as safe (stop asking)
 (setq server-client-instructions nil)         ;; I already know what to do when done with the frame
diff --git a/modules/system-lib.el b/modules/system-lib.el
index 333c15ee..9e25be5b 100644
--- a/modules/system-lib.el
+++ b/modules/system-lib.el
@@ -130,5 +130,16 @@ Callers that must have a secret layer their own error on top."
          (secret (plist-get (car (apply #'auth-source-search spec)) :secret)))
     (if (functionp secret) (funcall secret) secret)))
 
+;; ---------------------------- Strong Confirmation ----------------------------
+
+(defun cj/confirm-strong (prompt)
+  "Ask PROMPT, requiring a full typed \"yes\" or \"no\" answer.
+For irreversible actions -- file destruction, overwrites, power-off.  The
+global default makes `yes-or-no-p' a single keystroke (`use-short-answers'
+is t); this binds it to nil for the one call so the prompt demands the
+long-form answer, keeping a stray RET or space from confirming."
+  (let ((use-short-answers nil))
+    (yes-or-no-p prompt)))
+
 (provide 'system-lib)
 ;;; system-lib.el ends here
diff --git a/tests/test-mail-config-refile-folder.el b/tests/test-mail-config-refile-folder.el
new file mode 100644
index 00000000..e2d224eb
--- /dev/null
+++ b/tests/test-mail-config-refile-folder.el
@@ -0,0 +1,40 @@
+;;; test-mail-config-refile-folder.el --- Tests for refile-folder dispatch -*- lexical-binding: t; -*-
+
+;;; Commentary:
+;; ERT tests for `cj/mu4e--refile-folder-for-maildir', the per-message refile
+;; (archive) target dispatch.  cmail has a real synced Archive folder; the
+;; Gmail-backed accounts (gmail, dmail) have none, so refiling them must signal
+;; rather than move mail into an unsynced, phantom folder (silent mail loss).
+
+;;; Code:
+
+(require 'ert)
+
+(add-to-list 'load-path (expand-file-name "modules" user-emacs-directory))
+(require 'mail-config)
+
+(ert-deftest test-mail-config-refile-cmail-returns-archive ()
+  "Normal: a cmail message refiles into the synced /cmail/Archive folder."
+  (should (string= (cj/mu4e--refile-folder-for-maildir "/cmail/INBOX")
+                   "/cmail/Archive"))
+  (should (string= (cj/mu4e--refile-folder-for-maildir "/cmail/Sent")
+                   "/cmail/Archive")))
+
+(ert-deftest test-mail-config-refile-gmail-signals ()
+  "Error: gmail has no synced archive folder, so refile signals rather than
+moving mail into a phantom folder."
+  (should-error (cj/mu4e--refile-folder-for-maildir "/gmail/INBOX")
+                :type 'user-error))
+
+(ert-deftest test-mail-config-refile-dmail-signals ()
+  "Error: dmail (Gmail-backed) has no synced archive folder; refile signals."
+  (should-error (cj/mu4e--refile-folder-for-maildir "/dmail/INBOX")
+                :type 'user-error))
+
+(ert-deftest test-mail-config-refile-nil-maildir-signals ()
+  "Boundary: a message with no maildir cannot be refiled; signal."
+  (should-error (cj/mu4e--refile-folder-for-maildir nil)
+                :type 'user-error))
+
+(provide 'test-mail-config-refile-folder)
+;;; test-mail-config-refile-folder.el ends here
diff --git a/tests/test-system-lib-confirm-strong.el b/tests/test-system-lib-confirm-strong.el
new file mode 100644
index 00000000..26c00822
--- /dev/null
+++ b/tests/test-system-lib-confirm-strong.el
@@ -0,0 +1,37 @@
+;;; test-system-lib-confirm-strong.el --- Tests for cj/confirm-strong -*- lexical-binding: t; -*-
+
+;;; Commentary:
+;; ERT tests for `cj/confirm-strong', the typed-"yes" confirmation used for
+;; irreversible actions.  The behavior under test is the long-form guarantee:
+;; the prompt demands a typed yes/no even when the global single-key default
+;; (`use-short-answers') is in effect.
+
+;;; Code:
+
+(require 'ert)
+(require 'cl-lib)
+(require 'system-lib)
+
+(ert-deftest test-system-lib-confirm-strong-returns-t-on-yes ()
+  "Normal: passes a t answer through from `yes-or-no-p'."
+  (cl-letf (((symbol-function 'yes-or-no-p) (lambda (&rest _) t)))
+    (should (eq (cj/confirm-strong "Really? ") t))))
+
+(ert-deftest test-system-lib-confirm-strong-returns-nil-on-no ()
+  "Normal: passes a nil answer through from `yes-or-no-p'."
+  (cl-letf (((symbol-function 'yes-or-no-p) (lambda (&rest _) nil)))
+    (should (eq (cj/confirm-strong "Really? ") nil))))
+
+(ert-deftest test-system-lib-confirm-strong-forces-long-form ()
+  "Boundary: binds `use-short-answers' to nil for the call even when it is
+globally t, so the irreversible prompt requires a typed yes/no regardless of
+the single-key default."
+  (let ((use-short-answers t)
+        (seen 'unset))
+    (cl-letf (((symbol-function 'yes-or-no-p)
+               (lambda (&rest _) (setq seen use-short-answers) t)))
+      (cj/confirm-strong "Really? ")
+      (should (eq seen nil)))))
+
+(provide 'test-system-lib-confirm-strong)
+;;; test-system-lib-confirm-strong.el ends here
diff --git a/todo.org b/todo.org
index 556f2918..5d4b30a3 100644
--- a/todo.org
+++ b/todo.org
@@ -97,9 +97,11 @@ Surfaced 2026-06-06 while building the bookmark naming: the metadata embedded in
 
 ** TODO [#A] Lock screen silently fails — slock is X11-only :bug:quick:
 =modules/system-commands.el:105= binds the lockscreen command to =slock=, which can't grab a Wayland session; =cj/system-cmd= launches it detached with output silenced, so C-; ! l does nothing and the screen never locks. Security issue: Craig believes the screen locks when it doesn't. Fix: =hyprlock= (or =swaylock=), ideally resolved per session type via =env-wayland-p= so an X11 fallback survives for other machines. From the 2026-06 config audit.
+Fixed 2026-06-13: lockscreen-cmd resolves to =loginctl lock-session= on Wayland (logind Lock → hypridle → hyprlock, the path idle/sleep locking already uses), =slock= on X11; also added the missing =(require 'host-environment)=. Live in the daemon; manual lock test under the Manual testing parent.
 
 ** TODO [#A] mu4e: cmail can't trash, no account can refile :bug:quick:solo:
 =modules/mail-config.el:217-220= — the cmail context (primary account) sets only drafts/sent, so D falls back to default "/trash" which doesn't exist under ~/.mail (=/cmail/Trash= does); and NO context sets =mu4e-refile-folder=, so r targets nonexistent "/archive" everywhere. Accepting mu4e's offer to create the maildir strands mail in a directory mbsync never syncs — messages silently vanish from the server's view. Add =mu4e-trash-folder= to cmail + per-context =mu4e-refile-folder=. From the 2026-06 config audit.
+Fixed 2026-06-13: cmail gets =mu4e-trash-folder= "/cmail/Trash"; refile is a per-message function (=cj/mu4e--refile-folder=) instead of a per-context string — mu4e context :vars are sticky, so a per-context refile leaks one account's archive folder into another. cmail → "/cmail/Archive"; gmail/dmail signal a =user-error= rather than move mail into an unsynced phantom folder (Craig chose the fail-safe over syncing [Gmail]/All Mail — the All Mail option means a multi-GB pull + cross-folder duplicates; revisit if local Gmail archiving is wanted). Applies on next mu4e open; pure dispatch helper covered by tests.
 
 ** TODO [#A] calendar-sync drops final occurrences and resurrects cancelled meetings :bug:solo:
 RFC 5545 conformance holes in =modules/calendar-sync.el=, all agenda-visible (from the 2026-06 config audit):
@@ -112,6 +114,7 @@ From the 2026-06 config audit (verified against the live daemon). =early-init.el
 
 ** TODO [#A] Global yes-or-no-p fset defeats every strong confirmation :bug:quick:
 =modules/system-defaults.el:203= =(fset 'yes-or-no-p 'y-or-n-p)= — verified live. Several modules deliberately chose yes-or-no-p as the strong tier for irreversible actions: shutdown/reboot (=system-commands.el:74=, whose comment explicitly says "so a stray RET/space can't trigger them"), "permanently destroy files" (=dwim-shell-config.el:804=), file overwrites (=custom-buffer-file.el:159,199=, =music-config.el:374=). The fset makes all of them single-keystroke — the two-tier design is dead. Drop the fset, or provide a real =cj/confirm-strong= (typed "yes") for the irreversible set. From the 2026-06 config audit.
+Fixed 2026-06-13 (Craig chose the surgical option): added =cj/confirm-strong= to system-lib.el (binds =use-short-answers= nil for one =yes-or-no-p= call → typed "yes"); removed the redundant fset (kept =use-short-answers t= so benign prompts stay single-key); routed the 6 irreversible sites through it (shutdown/reboot, permanent-destroy, file overwrites). Note: the fset is baked into the running daemon and can't be cleared from Lisp, so the typed-"yes" tier goes live only after a daemon restart — manual confirm under the Manual testing parent. TDD; tests green.
 
 ** TODO [#B] theme-studio preview face mislinks (org, erc, flycheck) :bug:quick:solo:
 :PROPERTIES:
@@ -4281,6 +4284,17 @@ What we're verifying: the Hyprland Super+Shift+N popup is single-window, offers
 - Re-open and pick Event (e): it prompts for a date and files to the schedule
 - Re-open and hit q (or C-g) at the menu: the popup frame closes (no orphan)
 Expected: single window at every step; menu limited to Task/Bug/Event; Task/Bug land in the inbox; aborting at the menu closes the frame; the frame still closes on normal finalize and C-c C-k.
+*** TODO Lock screen actually locks on Wayland
+What we're verifying: C-; ! l locks the screen on Wayland. slock (X11-only) never worked here; the locker now runs loginctl lock-session, which logind turns into a Lock signal that hypridle handles by running hyprlock — the same path idle/sleep locking already uses. Fix in modules/system-commands.el, live in the daemon.
+- Press C-; ! l (or run M-x cj/system-cmd-lock)
+- The screen should lock with hyprlock
+- Unlock with your password
+Expected: the screen locks immediately and unlocks with your password. (Before the fix it printed "Running lockscreen-cmd..." and nothing happened.)
+*** TODO Irreversible actions require a typed "yes" after a daemon restart
+What we're verifying: the strong-confirm tier is restored for irreversible actions. The global (fset 'yes-or-no-p 'y-or-n-p) was removed and those sites now call cj/confirm-strong, which forces a typed "yes"/"no". The fset is baked into the running daemon and can't be cleared from Lisp, so this only takes effect after a restart. Ordinary yes-or-no-p prompts stay single-key (use-short-answers t).
+- Restart the Emacs daemon (clean state)
+- Trigger an irreversible action, e.g. M-x cj/system-cmd-shutdown (then abort), or attempt to overwrite a file via the rename/move commands
+Expected: the irreversible prompt requires typing the full word "yes" (not a single y); a benign yes-or-no-p prompt elsewhere still accepts a single keystroke.
 *** 2026-06-11 Thu @ 18:29:39 -0500 Verified UI-face preview and contrast survive a ground bg change
 Craig walked the repro: mode-line with its own fg/bg kept its preview bg and ratio through a ground change; ground-dependent rows re-rated; package-faces contrast column updated. Pass. Closed the [#A] contrast-cell and [#B] preview-bg parents.
 *** 2026-06-11 Thu @ 18:29:39 -0500 Verified seeded package-face defaults, with steel tuning