archive: repo moved to titaniumtown/nixos

.gitea/workflows/deploy.yml

@@ -1,10 +1,10 @@
-name: Build and Deploy
+name: Build
 on:
   push:
     branches: [main]
 
 jobs:
-  deploy:
+  build:
     runs-on: nix
     steps:
       - uses: https://github.com/actions/checkout@v4
@@ -19,37 +19,20 @@ jobs:
         run: |
           nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
 
+      - name: Record yarn store path for pull-update
+        continue-on-error: true
+        run: |
+          mkdir -p /var/lib/dotfiles-deploy
+          readlink -f result > /var/lib/dotfiles-deploy/yarn
+          nix-store --add-root /var/lib/dotfiles-deploy/yarn-gcroot -r "$(readlink -f result)"
+
       - name: Build NixOS configuration (mreow)
         run: |
           nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
 
-      - name: Deploy to desktop
+      - name: Record mreow store path
+        continue-on-error: true
         run: |
-          eval $(ssh-agent -s)
+          mkdir -p /var/lib/dotfiles-deploy
-          ssh-add /run/agenix/ci-deploy-key
+          readlink -f result > /var/lib/dotfiles-deploy/mreow
-          if ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@desktop "echo reachable" 2>/dev/null; then
+          nix-store --add-root /var/lib/dotfiles-deploy/mreow-gcroot -r "$(readlink -f result)"
-            nix run github:serokell/deploy-rs -- .#yarn --ssh-opts="-o StrictHostKeyChecking=no"
-            echo "Deploy to desktop succeeded"
-          else
-            echo "Desktop unreachable - skipping deploy. Build succeeded."
-          fi
-
-      - name: Notify success
-        if: success()
-        run: |
-          curl -sf -X POST \
-            "https://ntfy.sigkill.computer/deployments" \
-            -H "Title: [dotfiles] Build succeeded" \
-            -H "Priority: default" \
-            -H "Tags: white_check_mark" \
-            -d "dotfiles built from commit ${GITHUB_SHA::8}"
-
-      - name: Notify failure
-        if: failure()
-        run: |
-          curl -sf -X POST \
-            "https://ntfy.sigkill.computer/deployments" \
-            -H "Title: [dotfiles] Build FAILED" \
-            -H "Priority: urgent" \
-            -H "Tags: rotating_light" \
-            -d "dotfiles build failed at commit ${GITHUB_SHA::8}"

AGENTS.md

@@ -4,7 +4,7 @@
 
 NixOS dotfiles for two hosts using Nix flakes + home-manager:
 - **mreow** — Framework 13 AMD AI 300 laptop, niri WM, greetd, swaylock
-- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, deploy-rs target
+- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, pull-based updates from CI
 
 Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-crypt. **Never read or write files in those directories.**
 
@@ -21,8 +21,10 @@ Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-
 nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
 nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
 
-# Remote deploy to yarn via deploy-rs
+# yarn pulls updates automatically on boot from the binary cache.
-deploy .#yarn
+# CI builds the yarn closure, records the store path, and Harmonia serves it.
+# To manually trigger the pull on yarn:
+systemctl start pull-update
 
 # Format all Nix files (uses nixfmt-tree, declared in flake.nix)
 nix fmt

README.md

@@ -1,3 +1,10 @@
+> **Archived.** These dotfiles have moved into the unified
+> [`titaniumtown/nixos`](https://git.sigkill.computer/titaniumtown/nixos) repo
+> (merged with `server-config`). The final pre-unify commit is tagged
+> `final-before-unify`. No new commits will land here.
+
+---
+
 # My Dotfiles ✨
 These are my dotfiles for my laptop and desktop (which I use [NixOS](https://nixos.org/) and [home-manager](https://github.com/nix-community/home-manager) on).
 

flake.lock

@@ -12,11 +12,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771437256,
+        "lastModified": 1776249299,
-        "narHash": "sha256-bLqwib+rtyBRRVBWhMuBXPCL/OThfokA+j6+uH7jDGU=",
+        "narHash": "sha256-Dt9t1TGRmJFc0xVYhttNBD6QsAgHOHCArqGa0AyjrJY=",
         "owner": "numtide",
         "repo": "blueprint",
-        "rev": "06ee7190dc2620ea98af9eb225aa9627b68b0e33",
+        "rev": "56131e8628f173d24a27f6d27c0215eff57e40dd",
         "type": "github"
       },
       "original": {
@@ -46,19 +46,52 @@
         ]
       },
       "locked": {
-        "lastModified": 1770895533,
+        "lastModified": 1776182890,
-        "narHash": "sha256-v3QaK9ugy9bN9RXDnjw0i2OifKmz2NnKM82agtqm/UY=",
+        "narHash": "sha256-+/VOe8XGq5klpU+I19D+3TcaR7o+Cwbq67KNF7mcFak=",
-        "owner": "nix-community",
+        "owner": "Mic92",
         "repo": "bun2nix",
-        "rev": "c843f477b15f51151f8c6bcc886954699440a6e1",
+        "rev": "648d293c51e981aec9cb07ba4268bc19e7a8c575",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
+        "owner": "Mic92",
+        "ref": "catalog-support",
         "repo": "bun2nix",
         "type": "github"
       }
     },
+    "cachyos-kernel": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1776183001,
+        "narHash": "sha256-lvLKB5dTqjO1S/YonS9ZyWemEjO6QXtN4D76rYEYy4s=",
+        "owner": "CachyOS",
+        "repo": "linux-cachyos",
+        "rev": "4224303b6d7a50dd1cc3ffa78864050cc9536eec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CachyOS",
+        "repo": "linux-cachyos",
+        "type": "github"
+      }
+    },
+    "cachyos-kernel-patches": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1776355454,
+        "narHash": "sha256-b9Hc0sTxjEzDbphzS9yQqxVha/7bsPIs2cQQQvaG45E=",
+        "owner": "CachyOS",
+        "repo": "kernel-patches",
+        "rev": "b5e029226df5cc30c103651072d49a7af2878202",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CachyOS",
+        "repo": "kernel-patches",
+        "type": "github"
+      }
+    },
     "crane": {
       "locked": {
         "lastModified": 1773189535,
@@ -74,28 +107,6 @@
         "type": "github"
       }
     },
-    "deploy-rs": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1770019181,
-        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
-        "type": "github"
-      },
-      "original": {
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "type": "github"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -120,11 +131,11 @@
     "doomemacs": {
       "flake": false,
       "locked": {
-        "lastModified": 1775361441,
+        "lastModified": 1776400245,
-        "narHash": "sha256-XaHk6Tyktb5BjO2l5OlU1yY0mI5BA/ymbdKEDzdlEsw=",
+        "narHash": "sha256-RuQB1PxazI4DOw3O+rEVU2FPT0vP0Xb+Gp/M6Yqer20=",
         "owner": "doomemacs",
         "repo": "doomemacs",
-        "rev": "4a5046c4294f70e09609f7d7d62db399747edb58",
+        "rev": "860a91aaac235701f30b70fdc74259d438818968",
         "type": "github"
       },
       "original": {
@@ -143,11 +154,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775581188,
+        "lastModified": 1776478519,
-        "narHash": "sha256-3zC5iNv9l6a595dYomfesWr30t6YZxv5Jzf5zLtpPAM=",
+        "narHash": "sha256-4TWCOVYe0iWEKuW7OH93nRI4Z7u68wNT6k9UJn0FZ5w=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "6877822fc1855f248077d7833f25432e21940543",
+        "rev": "513e332b074507e1b46992952e7d83f329f2c22c",
         "type": "github"
       },
       "original": {
@@ -164,11 +175,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1775534587,
+        "lastModified": 1776398575,
-        "narHash": "sha256-OLAoGTTwPVTH13C1e2Vcdff4WigTsk6hO5Y3sEcwl/s=",
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "9f1e4b7f5443c50cb4ccc2a376ba1058231e64b4",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
         "type": "gitlab"
       },
       "original": {
@@ -181,15 +192,15 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1767039857,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -231,9 +242,27 @@
         "type": "github"
       }
     },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -278,11 +307,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775556024,
+        "lastModified": 1776454077,
-        "narHash": "sha256-j1u/859OVS54rGlsvFqJdwKPEnFYCI+4pyfTiSfv1Xc=",
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4bdfeff1d9b7473e6e58f73f5809576e8a69e406",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
         "type": "github"
       },
       "original": {
@@ -337,11 +366,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775287496,
+        "lastModified": 1776428236,
-        "narHash": "sha256-tCBlt+RP85MLrMYntro/YvG7NWktbmFiyItGBo85Tf8=",
+        "narHash": "sha256-+0SyQglnT2xUiyY07155G+O7aUWISELwqtTnfURufRU=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "0a7a3feb77606db451aa10287ad4c4c8f85922f8",
+        "rev": "eac78fc379ca47f7e21be8539c405e5fb489a857",
         "type": "github"
       },
       "original": {
@@ -383,11 +412,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775510693,
+        "lastModified": 1776248416,
-        "narHash": "sha256-gZfJ07j/oOciDi8mF/V8QTm7YCeDcusNSMZzBFi8OUM=",
+        "narHash": "sha256-TC6yzbCAex1pDfqUZv9u8fVm8e17ft5fNrcZ0JRDOIQ=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "3fe0ae8cb285e0ad101a9675f4190d455fb05e85",
+        "rev": "18e9e64bae15b828c092658335599122a6db939b",
         "type": "github"
       },
       "original": {
@@ -404,21 +433,19 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "rust-overlay": "rust-overlay",
+        "systems": "systems_2",
-        "systems": "systems_3",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1775663139,
+        "lastModified": 1776482297,
-        "narHash": "sha256-mFmUbE2OLNl0YA1RACprVObeBjK8Qv9aV/V6fmn3mUU=",
+        "narHash": "sha256-KmsWPwtbO8vrlH/R9stIun0LKZ4PFSCCEdqWDeLgbTE=",
-        "owner": "titaniumtown",
+        "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "a507240bd404b28dbfc7e8d98bdf6c265e2ad51a",
+        "rev": "66c76393570f8fc4730caa2dc2d2c470fe33a3c9",
         "type": "github"
       },
       "original": {
-        "owner": "titaniumtown",
+        "owner": "numtide",
-        "ref": "pr/omp-build-from-source",
         "repo": "llm-agents.nix",
         "type": "github"
       }
@@ -437,11 +464,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1775566751,
+        "lastModified": 1776435348,
-        "narHash": "sha256-5Xkx4NQvl2azAQe3lCZCMUx4FiwGOlEb+I4kyycQYw8=",
+        "narHash": "sha256-qsZnMThxTqxCJZ7DEKu3DD3KjIPcuUBvZ0C9a2uIvaQ=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "6aa49a9c5b82911459e230db5bd64289082d4354",
+        "rev": "55b5b1fc9481ab267603a1099e5d4b4ebc7394d7",
         "type": "github"
       },
       "original": {
@@ -470,11 +497,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1775561155,
+        "lastModified": 1776432730,
-        "narHash": "sha256-TK2IrqQivRcwqJa0suZMbcsN17CtA8Uu0v7CDnLATb0=",
+        "narHash": "sha256-Pq1ZVvRGq/IFiFH6vkNwMfZEpWk23NjgGdX50COdj/c=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "599db847f857b8a7ff78ce02f15acab5d5d9fee1",
+        "rev": "c814c656c53ea9d69f5afb45c88f4dc4d25338cd",
         "type": "github"
       },
       "original": {
@@ -483,6 +510,31 @@
         "type": "github"
       }
     },
+    "nix-cachyos-kernel": {
+      "inputs": {
+        "cachyos-kernel": "cachyos-kernel",
+        "cachyos-kernel-patches": "cachyos-kernel-patches",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1776386586,
+        "narHash": "sha256-eVAUaL/6n8mnmBiPpEVW1NDNVSKLWhYVfycG+P0SvWU=",
+        "owner": "xddxdd",
+        "repo": "nix-cachyos-kernel",
+        "rev": "c65c3faf90ae07bae101c15ef502f0bcb06c5d74",
+        "type": "github"
+      },
+      "original": {
+        "owner": "xddxdd",
+        "ref": "release",
+        "repo": "nix-cachyos-kernel",
+        "type": "github"
+      }
+    },
     "nix-doom-emacs-unstraightened": {
       "inputs": {
         "doomemacs": "doomemacs",
@@ -492,14 +544,14 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_4"
+        "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1775559092,
+        "lastModified": 1776419397,
-        "narHash": "sha256-Xm3XmkDw+59B9pCOmauWMNoFmOMC1giMzxkOOAk9JmY=",
+        "narHash": "sha256-vmWJwNYtQFexLG6r/v8Dlou/5z8FbFCLo3QqZ/stLYQ=",
         "owner": "marienz",
         "repo": "nix-doom-emacs-unstraightened",
-        "rev": "a75f733dc11e31d60f8c8e63ca4c8fe0654fd98a",
+        "rev": "7623dd4adbdf5f8a8464ecc5fd089e5c5cb5dada",
         "type": "github"
       },
       "original": {
@@ -563,11 +615,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775423009,
+        "lastModified": 1776169885,
-        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
         "type": "github"
       },
       "original": {
@@ -577,6 +629,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "noctalia": {
       "inputs": {
         "nixpkgs": [
@@ -585,11 +652,11 @@
         "noctalia-qs": "noctalia-qs"
       },
       "locked": {
-        "lastModified": 1775569376,
+        "lastModified": 1776302695,
-        "narHash": "sha256-Gge4uDqbcl5kl3fNaRRc6PuOv7YMOqWbX6tRcYwayok=",
+        "narHash": "sha256-xZc9o1JLQpmWn2Dqui323+Tq2Ai4sSdtdvbFZCs4qLo=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "91d0bb83aefa2d238df31e2a96098a2ef75aa238",
+        "rev": "a7c724181fca5d1aff2d47b18fa733504cfdbda2",
         "type": "github"
       },
       "original": {
@@ -604,15 +671,15 @@
           "noctalia",
           "nixpkgs"
         ],
-        "systems": "systems_5",
+        "systems": "systems_4",
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1775491791,
+        "lastModified": 1775957204,
-        "narHash": "sha256-elzmRpudiwtYQNCKk9TAEhlYQV0+yUM81poo01Z7FfQ=",
+        "narHash": "sha256-d4CVRtAty2GzDYXx4xYQmR+nlOjjKovyprQfZhgLckU=",
         "owner": "noctalia-dev",
         "repo": "noctalia-qs",
-        "rev": "9e2736531ef7a1a336abf7ec72255d0b192273b6",
+        "rev": "68e82fe34c68ee839a9c37e3466820e266af0c86",
         "type": "github"
       },
       "original": {
@@ -623,7 +690,7 @@
     },
     "pre-commit": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": [
           "lanzaboote",
@@ -646,7 +713,6 @@
     },
     "root": {
       "inputs": {
-        "deploy-rs": "deploy-rs",
         "disko": "disko",
         "emacs-overlay": "emacs-overlay",
         "firefox-addons": "firefox-addons",
@@ -657,48 +723,28 @@
         "lanzaboote": "lanzaboote",
         "llm-agents": "llm-agents",
         "niri": "niri",
+        "nix-cachyos-kernel": "nix-cachyos-kernel",
         "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
         "nix-flatpak": "nix-flatpak",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "noctalia": "noctalia",
-        "rust-overlay": "rust-overlay_2",
+        "rust-overlay": "rust-overlay",
         "zen-browser": "zen-browser"
       }
     },
     "rust-overlay": {
       "inputs": {
         "nixpkgs": [
-          "llm-agents",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1775617983,
+        "lastModified": 1776481912,
-        "narHash": "sha256-2NWGA/I4j/qlx6qbg86QvJiK1/GyH9gnf0hFiARWVwE=",
+        "narHash": "sha256-Xq7p+Ex3YHFAd+fFFLOYw2Wv67582X7SAmrEDtIDZQ4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "d98b91b1feae7ef07fa2ccb3aa3f83f11abfae54",
+        "rev": "e611106c527e8ab0adbb641183cda284411d575c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
-    "rust-overlay_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1775531562,
-        "narHash": "sha256-G83GDxQo6lqO5aeTSD5RFLhnh2g6DzJpSvSju2EjjrQ=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "d8b1b209203665924c81eabf750492530754f27e",
         "type": "github"
       },
       "original": {
@@ -753,21 +799,6 @@
       }
     },
     "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_5": {
       "locked": {
         "lastModified": 1689347949,
         "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -790,11 +821,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775125835,
+        "lastModified": 1775636079,
-        "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=",
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "75925962939880974e3ab417879daffcba36c4a3",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {
@@ -812,11 +843,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775125835,
+        "lastModified": 1775636079,
-        "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=",
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "75925962939880974e3ab417879daffcba36c4a3",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {
@@ -825,24 +856,6 @@
         "type": "github"
       }
     },
-    "utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "xwayland-satellite-stable": {
       "flake": false,
       "locked": {
@@ -886,11 +899,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775453133,
+        "lastModified": 1776403742,
-        "narHash": "sha256-VIlMG985ONqVqF+OnPuS5Shbz5k6tqbOWnDL7EH+IT4=",
+        "narHash": "sha256-ZmGY9XiOsuMS/THsSNkgp2fnc3asXQX/xRrQpWnY9nA=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "8d0508ffceba8ad785ae442591dd115080a55142",
+        "rev": "ca7077bea5c830470437ea878da2a1940773324c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -63,12 +63,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
-
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     jovian-nixos = {
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -79,8 +73,12 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nix-cachyos-kernel = {
+      url = "github:xddxdd/nix-cachyos-kernel/release";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     llm-agents = {
-      url = "github:titaniumtown/llm-agents.nix/pr/omp-build-from-source";
+      url = "github:numtide/llm-agents.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -97,7 +95,6 @@
       lanzaboote,
       nixos-hardware,
       home-manager,
-      deploy-rs,
       jovian-nixos,
       ...
     }@inputs:
@@ -154,14 +151,5 @@
           };
         }
       ) { } hostnames;
-
-      # Deploy-rs configuration for yarn host only
-      deploy.nodes.yarn = {
-        hostname = "desktop";
-        profiles.system = {
-          sshUser = "root";
-          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.yarn;
-        };
-      };
     };
 }

home-manager/desktop.nix

@@ -9,9 +9,6 @@
     # niri wayland compositor
     ./progs/niri.nix
 
-    # statusbar
-    # ./progs/eww/eww.nix
-
     # lockscreen
     ./progs/swaylock.nix
 
@@ -29,5 +26,4 @@
     # used by /etc/nixos logic to launch niri
     config.programs.niri.package
   ];
-
 }

home-manager/progs/eww/config/eww.scss

@@ -1,109 +0,0 @@
-$background: #1e1e2e;
-$pink: #f5c2e7;
-$lavendar: #b4befe;
-$red: #f38ba8;
-$maroon: #eba0ac;
-$peach: #fab387;
-$yellow: #f9e2af;
-$green: #a6e3a1;
-$text: #cdd6f4;
-$subtext: #a6adc8;
-$surface: #585b70;
-
-* {
-	color: $text;
-	font-family: CaskaydiaCove Nerd Font Mono;
-	font-weight: 600;
-	font-size: 10pt;
-	padding: 0 1px;
-}
-
-.red {
-	color: $red;
-}
-
-.maroon {
-	color: $maroon;
-}
-
-.peach {
-	color: $peach;
-}
-
-.yellow {
-	color: $yellow;
-}
-
-.green {
-	color: $green;
-}
-
-.lavendar {
-	color: $lavendar;
-}
-
-.symbol {
-	color: $lavendar;
-	font-size: 20px;
-}
-
-.button {
-	* {
-		all: unset;
-		margin: 0 5px;
-		font-size: 14pt;
-		transition: color 0.2s ease-in-out;
-	}
-
-	&:hover * {
-		color: $pink;
-	}
-}
-
-.bluetooth * {
-	font-size: 10pt;
-	padding: 0 0.3em;
-}
-
-.padded>*:not(:last-child) {
-	padding: 0 10px;
-	border-right: 1px solid $surface;
-}
-
-.background {
-	border: 1px solid $pink;
-	background-color: $background;
-	border-radius: 12px;
-	opacity: 0.8;
-}
-
-scale trough {
-	margin: 0 10px;
-	border: none;
-	background-color: #FFF;
-	min-height: 3px;
-	min-width: 100px;
-
-	& slider {
-		box-shadow: none;
-		background-image: none;
-		border: none;
-		background-color: $pink;
-		min-width: 5pt;
-		min-height: 5pt;
-		margin: -5pt;
-	}
-
-	& highlight {
-		border: none;
-		background-color: $lavendar;
-	}
-}
-
-.clipboard {
-	color: $subtext;
-}
-
-.time {
-	padding-right: 10px;
-}

home-manager/progs/eww/config/eww.yuck

@@ -1 +0,0 @@
-(include "./statusbar.yuck")

home-manager/progs/eww/config/scripts/currentWindow.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-niri_data=$(niri msg --json focused-window)
-
-if [[ "$niri_data" == "null" ]]; then
-    exit 0
-fi
-
-name=$(echo "$niri_data" | jq -r '.["app_id"], .["title"]' | tr '\n' ' ' | sed 's/.$//')
-proc_name=$(echo "$name" | head -c 55)
-
-
-# TODO! fix this logic, add a '...' at the end
-if [[ "$name" != "$proc_name" ]]; then
-    proc_name="$proc_name..."
-fi
-
-echo "$proc_name"

home-manager/progs/eww/config/scripts/currentWorkspace.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env fish
-
-niri msg --json workspaces | jq -r '.[] | select(.is_focused == true) | .["id"]'

home-manager/progs/eww/config/scripts/power_bat.rs

@@ -1,58 +0,0 @@
-#!/usr/bin/env rust-script
-
-use std::{fmt, fs::read_to_string, str::FromStr};
-
-const BASE_PATH: &str = "/sys/class/power_supply/BAT1/";
-const CURRENT_NOW_PATH: &str = "current_now";
-const VOLTAGE_NOW_PATH: &str = "voltage_now";
-const STATUS_PATH: &str = "status";
-const FACTOR: f32 = 1e6_f32;
-
-#[derive(Debug)]
-enum Status {
-    Charging,
-    Discharging,
-    NotCharging,
-}
-
-impl FromStr for Status {
-    type Err = &'static str;
-
-    fn from_str(input: &str) -> Result<Status, Self::Err> {
-        match input {
-            "Charging" => Ok(Status::Charging),
-            "Discharging" => Ok(Status::Discharging),
-            "Not charging" => Ok(Status::NotCharging),
-            _ => Err("unknown state"),
-        }
-    }
-}
-
-impl fmt::Display for Status {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        fmt::Debug::fmt(self, f)
-    }
-}
-
-fn fetch_and_trim_into<T: FromStr<Err = impl fmt::Debug>>(path: &str) -> T {
-    let mut content = read_to_string(BASE_PATH.to_owned() + path).unwrap();
-    content.pop();
-    T::from_str(&content).unwrap()
-}
-
-fn fetch_bat_info(path: &str) -> f32 {
-    let value: f32 = fetch_and_trim_into(path);
-    value / FACTOR
-}
-
-fn main() {
-    let current_now: f32 = fetch_bat_info(CURRENT_NOW_PATH);
-    let voltage_now: f32 = fetch_bat_info(VOLTAGE_NOW_PATH);
-    let watts: f32 = current_now * voltage_now;
-    let status: Status = fetch_and_trim_into(STATUS_PATH);
-
-    println!(
-        "voltage: {:.4}\ncurrent: {:.4}\nwatts: {:.4}\nstatus: {}",
-        voltage_now, current_now, watts, status
-    );
-}

home-manager/progs/eww/config/scripts/sound/getSink.sh

@@ -1,2 +0,0 @@
-#!/usr/bin/env sh
-wpctl inspect @DEFAULT_SINK@ | grep -E "^  +\* node\.description" | cut -d' ' -f6- | tr -d '"'

home-manager/progs/eww/config/scripts/sound/getVolume.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-output=$(wpctl get-volume @DEFAULT_SINK@ | cut -d' ' -f2- | sed -E 's/\.//g' | sed 's/^0*//g')
-count=$(echo "$output" | awk -F, '{print $1+0}')
-muted=$(echo "$output" | cut -d'[' -f2 | cut -d ']' -f1)
-
-# if not muted, set to empty string
-if [ "$muted" == "$count" ]; then
-  muted=""
-fi
-
-color="green"
-if ((count > 75)); then color="yellow"; fi
-if ((count > 90)); then color="peach"; fi
-if ((count > 100)); then color="maroon"; fi
-if ((count > 110)); then color="red"; fi
-
-output="${count}%"
-if [ "$muted" != "" ]; then
-  output="${output} [${muted}]"
-fi
-
-echo "{\"count\":\"${output}\", \"color\":\"${color}\"}"

home-manager/progs/eww/config/scripts/wifiInfo.zsh

@@ -1,23 +0,0 @@
-#!/usr/bin/env zsh
-export CHARSET=ASCII
-case $1 in
-	name)
-		nmcli -f IN-USE,SSID d w | grep '*' | sed 's/[\* ]//g' | cat
-		exit 0;;
-	strength)
-		str=$(nmcli -f ACTIVE,BARS d w | grep 'yes' | tr -d ' yesno')
-		case ${str: 0:-1} in
-		'****')
-			icon="󰤨"; colour="green";;
-		'***')
-			icon="󰤥"; colour="yellow";;
-		'**')
-			icon="󰤢"; colour="peach";;
-		'*')
-			icon="󰤟"; colour="maroon";;
-		*)
-			icon="󰤯"; colour="red";;
-		esac
-		echo "{\"icon\":\"$icon\",\"colour\":\"$colour\"}"
-		exit 0;;
-esac

home-manager/progs/eww/config/statusbar.yuck

@@ -1,130 +0,0 @@
-(defwindow statusbar
-    :monitor 0
-    :stacking "fg"
-    :exclusive true
-    :geometry (geometry
-               :y "0.5%"
-               :width "100%"
-               :height "24px"
-               :anchor "top center")
-    (statusbar))
-
-(defwidget statusbar []
-  (centerbox
-   (box :space-evenly false :halign 'start' :class 'padded'
-        (window-title))
-   (time)
-   (box :space-evenly false :halign 'end' :class 'padded'
-        (brightness-ctl)
-        (brightness-ctl-opener)
-        (volume)
-        (battery)
-        (bluetooth)
-        (wifi))))
-
-(defwidget cmd-slider [?symbol value command max color]
-           (box :space-evenly false
-                (label :text symbol :class "symbol")
-                (scale
-                 :min 0 :max max
-                 :value value
-                 :round-digits 0
-                 :timeout "200ms"
-                 :onchange command)
-                (label :text "${value}%" :class color)))
-
-(defpoll windowtitle :interval "1s" `scripts/currentWindow.sh`)
-
-(defwidget window-title []
-  (label
-   :text {windowtitle == "" ? "" : "(${windowtitle})"}))
-
-(defwidget brightness-ctl []
-  (box :visible brightnessctl-open
-       (cmd-slider :symbol "󰃠" :value brightness
-                   :command `brightnessctl set {}%`
-                   :max 101 :color {
-                   brightness >= 80 ? "green" :
-                   brightness >= 50 ? "yellow" :
-                   brightness >= 30 ? "peach" :
-                   brightness >= 10 ? "maroon" : "red"
-                   })))
-
-
-(defpoll brightness :interval "1s" :run-while brightnessctl-open `brightnessctl -m | awk -F, '{print $4+0}'`)
-
-
-(defvar brightnessctl-open false)
-(defwidget brightness-ctl-opener []
-  (eventbox :class "button"
-    (button
-      :onclick `${EWW_CMD} update brightnessctl-open=${!brightnessctl-open}`
-    "󰃠")))
-
-(defwidget wifi []
-  (eventbox
-    :class "button ${wifi-strength.colour}"
-    (label
-      :text {wifi-strength.icon}
-    :tooltip "Connected To: ${wifi-name}")))
-
-(defpoll wifi-strength :interval "10s" `scripts/wifiInfo.zsh strength`)
-(defpoll wifi-name :interval "1m" `scripts/wifiInfo.zsh name`)
-
-(defwidget bluetooth []
-  (eventbox
-    :class "bluetooth button ${ bluetooth-name != "" ? "green" : "lavendar" }"
-    :onclick `blueman-manager &`
-    (label
-    :text "${bluetooth-name} 󰂯")))
-
-; `FNR == 1 + head -c 30` so the name doesn't explode the screen
-(defpoll bluetooth-name :interval "10s" `bluetoothctl devices Connected | awk '$1 == "Device" {print $0}' | cut -d' ' -f3-`)
-
-(defwidget time []
-  (box
-    :space-evenly false
-    :class "time"
-    :tooltip {time.long}
-    (label :class "yellow" :text {time.hour})
-    (label :text ":")
-    (label :class "yellow" :text {time.minute})))
-
-(defpoll time :interval "1s" `date +'{"long":"%a %b %e %H:%M:%S %Z %Y","hour":"%H","minute":"%M"}'`)
-
-(defpoll powerstats :interval "2s" `power_bat`)
-
-(defwidget battery []
-  (box :space-evenly false
-    :tooltip powerstats
-    (label
-      :text {EWW_BATTERY.BAT1.status == "Charging" ? "󰂄" :
-      EWW_BATTERY.BAT1.capacity >= 90 ? "󰁹" :
-      EWW_BATTERY.BAT1.capacity >= 80 ? "󰂂" :
-      EWW_BATTERY.BAT1.capacity >= 70 ? "󰂁" :
-      EWW_BATTERY.BAT1.capacity >= 60 ? "󰂀" :
-      EWW_BATTERY.BAT1.capacity >= 50 ? "󰁿" :
-      EWW_BATTERY.BAT1.capacity >= 40 ? "󰁾" :
-      EWW_BATTERY.BAT1.capacity >= 30 ? "󰁽" :
-      EWW_BATTERY.BAT1.capacity >= 20 ? "󰁼" :
-      EWW_BATTERY.BAT1.capacity >= 10 ? "󰁻" : "󰁺"
-      }
-      :class {
-      EWW_BATTERY.BAT1.capacity >= 80 ? "green" :
-      EWW_BATTERY.BAT1.capacity >= 50 ? "yellow" :
-      EWW_BATTERY.BAT1.capacity >= 30 ? "peach" :
-      EWW_BATTERY.BAT1.capacity >= 10 ? "maroon" : "red"
-    })
-    (label :text "${EWW_BATTERY.BAT1.capacity}%" :class "yellow")))
-
-
-(defpoll volumevalue :interval "1s" `scripts/sound/getVolume.sh`)
-(defpoll volumesink :interval "1s" `scripts/sound/getSink.sh`)
-
-(defwidget volume []
-  (eventbox :tooltip volumesink
-  :onclick `pwvucontrol &`
-  (label :text "${volumevalue.count}" :class {volumevalue.color})))
-
-
-(defpoll currentworkspace :interval "1s" `scripts/currentWorkspace.sh`)

home-manager/progs/eww/eww.nix

@@ -1,40 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-{
-  home.packages = with pkgs; [
-    zsh
-    bluez
-    brightnessctl
-    (callPackage ./power_bat.nix { })
-  ];
-
-  programs.eww = {
-    enable = true;
-    configDir = ./config;
-  };
-
-  programs.niri.settings.spawn-at-startup = [
-    {
-      command = [
-        (lib.getExe config.programs.eww.package)
-        "-c"
-        "${config.programs.eww.configDir}"
-        "open"
-        "statusbar"
-      ];
-    }
-
-    # swaybg works on more than just sway (sets a wallpaper)
-    {
-      command = [
-        (lib.getExe pkgs.swaybg)
-        "-i"
-        "${../wallpaper.png}"
-      ];
-    }
-  ];
-}

home-manager/progs/eww/power_bat.nix

@@ -1,4 +0,0 @@
-{ pkgs, lib, ... }:
-pkgs.writeShellScriptBin "power_bat" ''
-  exec ${lib.getExe pkgs.rust-script} ${./config/scripts/power_bat.rs} "$@"
-''

home-manager/progs/pi.nix

@@ -10,10 +10,10 @@ let
   #   librarian/explore/quick   → smol/commit = haiku
   ompSettings = {
     modelRoles = {
-      default = "anthropic/claude-opus-4-6:high";
+      default = "anthropic/claude-opus-4-7:high";
       smol = "anthropic/claude-haiku-4-5:low";
-      slow = "anthropic/claude-opus-4-6:xhigh";
+      slow = "anthropic/claude-opus-4-7:xhigh";
-      plan = "anthropic/claude-opus-4-6:high";
+      plan = "anthropic/claude-opus-4-7:high";
       commit = "anthropic/claude-haiku-4-5:low";
     };
   };
@@ -38,7 +38,7 @@ in
 {
   home.packages = [
     (inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
-      patches = (old.patches or [ ]) ++ [ ../../patches/omp-fix-auth.patch ];
+      patches = (old.patches or [ ]) ++ [ ];
     }))
   ];
 

home-manager/progs/zen/default.nix

@@ -109,6 +109,9 @@ in
         # https://github.com/nix-community/home-manager/issues/6083
         "services.sync.engine.prefs" = false;
         "services.sync.engine.addons" = false;
+        # use a separate default search engine in private windows
+        "browser.search.separatePrivateDefault.ui.enabled" = true;
+        "browser.search.separatePrivateDefault" = true;
         # disable built-in password manager — using bitwarden
         "signon.rememberSignons" = false;
         "signon.autofillForms" = false;

patches/omp-fix-auth.patch

@@ -1,293 +0,0 @@
-commit 31d537735d3c5e25a2b620d63ebbfea4cf84f57e
-Author: Simon Gardling <titaniumtown@proton.me>
-Date:   Wed Apr 8 13:05:09 2026 -0400
-
-    Fix key reauth with parallel sessions
-
-diff --git a/packages/ai/CHANGELOG.md b/packages/ai/CHANGELOG.md
-index 3f50b7bd4..248dacbff 100644
---- a/packages/ai/CHANGELOG.md
-+++ b/packages/ai/CHANGELOG.md
-@@ -5,6 +5,10 @@
- 
- - Removed `coerceNullStrings` function and its automatic null-string coercion behavior from JSON parsing
- 
-+### Fixed
-+
-+- Fixed concurrent OAuth refresh token rotation race: when multiple instances share the same credential DB, one instance refreshing a token no longer causes other instances to permanently disable the credential on `invalid_grant` ([#607](https://github.com/can1357/oh-my-pi/issues/607))
-+
- ## [13.19.0] - 2026-04-05
- 
- ### Fixed
-diff --git a/packages/ai/src/auth-storage.ts b/packages/ai/src/auth-storage.ts
-index 9fdb4473b..fac936dad 100644
---- a/packages/ai/src/auth-storage.ts
-+++ b/packages/ai/src/auth-storage.ts
-@@ -1865,7 +1865,30 @@ export class AuthStorage {
- 			});
- 
- 			if (isDefinitiveFailure) {
--				// Permanently disable invalid credentials with an explicit cause for inspection/debugging
-+				// Before permanently disabling, check if another instance already refreshed
-+				// the token in the shared DB. Concurrent instances hold stale in-memory
-+				// copies; refresh token rotation by one instance invalidates the token
-+				// that other instances still hold. Re-read from DB before giving up.
-+				if (/invalid_grant/i.test(errorMsg)) {
-+					const entries = this.#getStoredCredentials(provider);
-+					const entry = entries[selection.index];
-+					if (entry) {
-+						const dbCredentials = this.#store.listAuthCredentials(provider);
-+						const dbEntry = dbCredentials.find(row => row.id === entry.id);
-+						if (
-+							dbEntry?.credential.type === "oauth" &&
-+							dbEntry.credential.refresh !== selection.credential.refresh
-+						) {
-+							// DB has a newer refresh token — another instance refreshed.
-+							// Update in-memory state and retry with the fresh credential.
-+							const updated = [...entries];
-+							updated[selection.index] = { id: entry.id, credential: dbEntry.credential };
-+							this.#setStoredCredentials(provider, updated);
-+							return this.getApiKey(provider, sessionId, options);
-+						}
-+					}
-+				}
-+				// Genuinely invalid — disable the credential
- 				this.#disableCredentialAt(provider, selection.index, `oauth refresh failed: ${errorMsg}`);
- 				if (this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth")) {
- 					return this.getApiKey(provider, sessionId, options);
-diff --git a/packages/ai/test/auth-storage-refresh-race.test.ts b/packages/ai/test/auth-storage-refresh-race.test.ts
-new file mode 100644
-index 000000000..5a8098a18
---- /dev/null
-+++ b/packages/ai/test/auth-storage-refresh-race.test.ts
-@@ -0,0 +1,230 @@
-+import { Database } from "bun:sqlite";
-+import { afterEach, beforeEach, describe, expect, test, vi } from "bun:test";
-+import * as fs from "node:fs/promises";
-+import * as os from "node:os";
-+import * as path from "node:path";
-+import { AuthCredentialStore, AuthStorage, type OAuthCredential } from "../src/auth-storage";
-+import * as oauthUtils from "../src/utils/oauth";
-+import type { OAuthCredentials } from "../src/utils/oauth/types";
-+
-+/**
-+ * Tests for the concurrent OAuth refresh token rotation race condition.
-+ *
-+ * When multiple omp instances share the same SQLite credential DB but hold
-+ * independent in-memory caches, refresh token rotation by one instance
-+ * invalidates the token that other instances still hold. Without the fix,
-+ * the stale instance permanently disables the credential on `invalid_grant`
-+ * even though a valid refresh token exists in the DB.
-+ */
-+
-+function readDisabledCauses(dbPath: string, provider: string): string[] {
-+	const db = new Database(dbPath, { readonly: true });
-+	try {
-+		const rows = db
-+			.prepare(
-+				"SELECT disabled_cause FROM auth_credentials WHERE provider = ? AND disabled_cause IS NOT NULL ORDER BY id ASC",
-+			)
-+			.all(provider) as Array<{ disabled_cause?: string | null }>;
-+		return rows.flatMap(row => (typeof row.disabled_cause === "string" ? [row.disabled_cause] : []));
-+	} finally {
-+		db.close();
-+	}
-+}
-+
-+function countActiveCredentials(dbPath: string, provider: string): number {
-+	const db = new Database(dbPath, { readonly: true });
-+	try {
-+		const row = db
-+			.prepare("SELECT COUNT(*) AS count FROM auth_credentials WHERE provider = ? AND disabled_cause IS NULL")
-+			.get(provider) as { count?: number } | undefined;
-+		return row?.count ?? 0;
-+	} finally {
-+		db.close();
-+	}
-+}
-+
-+const EXPIRED_TOKEN_EXPIRES = Date.now() - 60_000;
-+const FRESH_TOKEN_EXPIRES = Date.now() + 3_600_000;
-+
-+function makeOAuthCredential(suffix: string, opts?: { expires?: number }): OAuthCredential {
-+	return {
-+		type: "oauth",
-+		access: `access-${suffix}`,
-+		refresh: `refresh-${suffix}`,
-+		expires: opts?.expires ?? FRESH_TOKEN_EXPIRES,
-+		accountId: "acct-shared",
-+		email: "user@example.com",
-+	};
-+}
-+
-+describe("AuthStorage concurrent OAuth refresh token rotation race", () => {
-+	let tempDir = "";
-+	let dbPath = "";
-+	let storeA: AuthCredentialStore | null = null;
-+	let storeB: AuthCredentialStore | null = null;
-+	let authStorageA: AuthStorage | null = null;
-+	let authStorageB: AuthStorage | null = null;
-+
-+	beforeEach(async () => {
-+		tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "pi-ai-auth-refresh-race-"));
-+		dbPath = path.join(tempDir, "agent.db");
-+
-+		// Both stores point at the same SQLite DB — simulates two omp instances
-+		storeA = await AuthCredentialStore.open(dbPath);
-+		storeB = await AuthCredentialStore.open(dbPath);
-+	});
-+
-+	afterEach(async () => {
-+		vi.restoreAllMocks();
-+		storeA?.close();
-+		storeB?.close();
-+		storeA = null;
-+		storeB = null;
-+		authStorageA = null;
-+		authStorageB = null;
-+		if (tempDir) {
-+			await fs.rm(tempDir, { recursive: true, force: true });
-+			tempDir = "";
-+		}
-+	});
-+
-+	test("instance B recovers from invalid_grant when instance A already refreshed", async () => {
-+		if (!storeA || !storeB) throw new Error("test setup failed");
-+
-+		// Store an expired OAuth credential — both instances will need to refresh
-+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
-+		authStorageA = new AuthStorage(storeA);
-+		await authStorageA.set("anthropic", [staleCredential]);
-+
-+		// Instance B loads same credential from DB into its own in-memory cache
-+		authStorageB = new AuthStorage(storeB);
-+		await authStorageB.reload();
-+
-+		// The refreshed credential that instance A will produce
-+		const refreshedCredential: OAuthCredentials = {
-+			access: "access-v2",
-+			refresh: "refresh-v2",
-+			expires: FRESH_TOKEN_EXPIRES,
-+			accountId: "acct-shared",
-+			email: "user@example.com",
-+		};
-+
-+		// Mock both refresh paths:
-+		// - refreshOAuthToken: called by pre-refresh in #resolveOAuthApiKey for expired tokens
-+		// - getOAuthApiKey: called by #tryOAuthCredential for the actual token exchange
-+		const refreshSpy = vi.spyOn(oauthUtils, "refreshOAuthToken");
-+		const getApiKeySpy = vi.spyOn(oauthUtils, "getOAuthApiKey");
-+
-+		// Step 1: Instance A refreshes successfully
-+		refreshSpy.mockImplementation(async (_provider, credential) => {
-+			return { ...credential, ...refreshedCredential };
-+		});
-+		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
-+			const cred = credentials.anthropic as OAuthCredentials | undefined;
-+			if (!cred) return null;
-+			return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key" };
-+		});
-+
-+		const keyA = await authStorageA.getApiKey("anthropic", "session-a");
-+		expect(keyA).toBe("sk-ant-new-key");
-+
-+		// DB now has refreshed credential from instance A.
-+		// Instance B still has stale refresh-v1 in memory.
-+
-+		// Step 2: Instance B tries to refresh with stale token.
-+		// The pre-refresh (refreshOAuthToken) runs first, then #tryOAuthCredential calls getOAuthApiKey.
-+		// Both throw invalid_grant for stale tokens. After DB re-read, retry with fresh token succeeds.
-+		let getApiKeyCallCount = 0;
-+		refreshSpy.mockImplementation(async (_provider, credential) => {
-+			if (credential.refresh === "refresh-v1") {
-+				throw new Error("invalid_grant: Refresh token not found or invalid");
-+			}
-+			return { ...credential, ...refreshedCredential };
-+		});
-+		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
-+			const cred = credentials.anthropic as OAuthCredentials | undefined;
-+			if (!cred) return null;
-+			getApiKeyCallCount++;
-+
-+			if (cred.refresh === "refresh-v1") {
-+				// Stale token — Anthropic would return invalid_grant
-+				throw new Error("invalid_grant: Refresh token not found or invalid");
-+			}
-+			if (cred.refresh === "refresh-v2") {
-+				// Fresh token from instance A — success
-+				return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key-b" };
-+			}
-+			return null;
-+		});
-+
-+		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
-+
-+		// The credential must NOT be disabled — instance B should have recovered
-+		expect(keyB).toBeDefined();
-+		expect(typeof keyB).toBe("string");
-+
-+		// DB should still have exactly 1 active credential, none disabled
-+		expect(countActiveCredentials(dbPath, "anthropic")).toBe(1);
-+		expect(readDisabledCauses(dbPath, "anthropic")).toEqual([]);
-+		// The getOAuthApiKey mock must have been called at least twice: once with stale, once with fresh
-+		expect(getApiKeyCallCount).toBeGreaterThanOrEqual(2);
-+	});
-+
-+	test("credential is still disabled when DB has same stale token (genuine failure)", async () => {
-+		if (!storeA || !storeB) throw new Error("test setup failed");
-+
-+		// Store an expired credential — only one instance, no concurrent refresh
-+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
-+		authStorageA = new AuthStorage(storeA);
-+		await authStorageA.set("anthropic", [staleCredential]);
-+
-+		// Mock: always fail with invalid_grant (genuinely revoked token)
-+		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
-+			throw new Error("invalid_grant: Refresh token not found or invalid");
-+		});
-+		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
-+			throw new Error("invalid_grant: Refresh token not found or invalid");
-+		});
-+
-+		const key = await authStorageA.getApiKey("anthropic", "session-a");
-+
-+		// Should return undefined — no valid credentials
-+		expect(key).toBeUndefined();
-+
-+		// Credential should be disabled in DB
-+		const causes = readDisabledCauses(dbPath, "anthropic");
-+		expect(causes.length).toBe(1);
-+		expect(causes[0]).toContain("invalid_grant");
-+	});
-+
-+	test("terminates when DB token matches stale token (no concurrent refresh)", async () => {
-+		if (!storeA || !storeB) throw new Error("test setup failed");
-+
-+		// Both instances share the same stale credential — nobody refreshed
-+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
-+		authStorageA = new AuthStorage(storeA);
-+		await authStorageA.set("anthropic", [staleCredential]);
-+
-+		// Instance B loads same stale credential
-+		authStorageB = new AuthStorage(storeB);
-+		await authStorageB.reload();
-+
-+		// Mock: always fail — the token is genuinely revoked, nobody refreshed
-+		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
-+			throw new Error("invalid_grant: Refresh token not found or invalid");
-+		});
-+		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
-+			throw new Error("invalid_grant: Refresh token not found or invalid");
-+		});
-+
-+		// Instance B fails. DB has the same token (nobody refreshed), so the
-+		// fix correctly falls through to disable instead of retrying forever.
-+		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
-+		expect(keyB).toBeUndefined();
-+
-+		// Credential should be disabled — the fix did not prevent a genuine failure
-+		const causes = readDisabledCauses(dbPath, "anthropic");
-+		expect(causes.length).toBe(1);
-+		expect(causes[0]).toContain("invalid_grant");
-+	});
-+});

system/common.nix

@@ -94,16 +94,192 @@
     };
   };
 
+  # cachyos kernel overlay
+  nixpkgs.overlays = [ inputs.nix-cachyos-kernel.overlays.default ];
+
   # kernel options
   boot = {
-    kernelPackages = pkgs.linuxPackages_testing;
+
-    # kernelPackages = pkgs.linuxPackages_latest;
+    # cachyos kernel: bore scheduler, full lto, x86_64-v3 (common to zen 3 + zen 5)
+    kernelPackages =
+      let
+        helpers = pkgs.callPackage "${inputs.nix-cachyos-kernel}/helpers.nix" { };
+        kernel = pkgs.cachyosKernels.linux-cachyos-bore-lto.override {
+          lto = "full";
+          processorOpt = "x86_64-v3";
+        };
+      in
+      helpers.kernelModuleLLVMOverride (pkgs.linuxKernel.packagesFor kernel);
+
+    # disable legacy subsystems neither host will ever use
+    kernelPatches = [
+      {
+        name = "disable-legacy-subsystems";
+        patch = null;
+        structuredExtraConfig = with lib.kernel; {
+          # ancient bus/card standards
+          PCMCIA = lib.mkForce no;
+          PCCARD = lib.mkForce no;
+          PARPORT = lib.mkForce no;
+          GAMEPORT = lib.mkForce module;
+          FIREWIRE = lib.mkForce no;
+          AGP = lib.mkForce no;
+
+          # legacy networking
+          ATM = lib.mkForce no;
+          FDDI = lib.mkForce no;
+          ISDN = lib.mkForce no;
+          CAN = lib.mkForce no;
+          NFC = lib.mkForce no;
+          INFINIBAND = lib.mkForce no;
+
+          # amateur radio (HAMRADIO is the umbrella but these are separate symbols)
+          HAMRADIO = lib.mkForce no;
+          AX25 = lib.mkForce no;
+          NETROM = lib.mkForce no;
+          ROSE = lib.mkForce no;
+
+          # dead protocols
+          PHONET = lib.mkForce no;
+          IEEE802154 = lib.mkForce no;
+          "6LOWPAN" = lib.mkForce no;
+          NET_9P = lib.mkForce no;
+          BATMAN_ADV = lib.mkForce no;
+
+          # tv tuners / digital video broadcasting
+          MEDIA_ANALOG_TV_SUPPORT = lib.mkForce no;
+          MEDIA_DIGITAL_TV_SUPPORT = lib.mkForce no;
+          DVB_CORE = lib.mkForce no;
+
+          # hypervisor guest support (bare metal only)
+          HYPERV = lib.mkForce no;
+          XEN = lib.mkForce no;
+          VMWARE_VMCI = lib.mkForce no;
+          VMWARE_BALLOON = lib.mkForce no;
+          VMWARE_PVSCSI = lib.mkForce no;
+          VMWARE_VMCI_VSOCKETS = lib.mkForce no;
+          VMXNET3 = lib.mkForce no;
+          DRM_VMWGFX = lib.mkForce no;
+          VBOXGUEST = lib.mkForce no;
+          VBOXSF_FS = lib.mkForce no;
+
+          # staging drivers (experimental/unmaintained)
+          STAGING = lib.mkForce no;
+          # SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
+          ACCESSIBILITY = lib.mkForce no;
+          MTD = lib.mkForce no;
+          MEDIA_RC_SUPPORT = lib.mkForce no;
+
+          # legacy storage (AHCI for modern SATA is independent)
+          ATA_SFF = lib.mkForce no;
+          SCSI_LOWLEVEL = lib.mkForce no;
+          FUSION = lib.mkForce no;
+
+          # misc legacy
+          MOST = lib.mkForce no;
+          PPDEV = lib.mkForce no;
+          PHANTOM = lib.mkForce no;
+          X86_ANDROID_TABLETS = lib.mkForce no;
+          # CHROME_PLATFORMS stays — Framework laptops use CrOS EC
+          SURFACE_PLATFORMS = lib.mkForce no;
+          MCTP = lib.mkForce no;
+          GPIB = lib.mkForce no;
+          SIOX = lib.mkForce no;
+          SLIMBUS = lib.mkForce no;
+          WWAN = lib.mkForce no;
+
+          # nvidia gpu
+          DRM_NOUVEAU = lib.mkForce no;
+
+          # other gpus not present
+          DRM_RADEON = lib.mkForce no;
+          DRM_GMA500 = lib.mkForce no;
+          DRM_AST = lib.mkForce no;
+          DRM_MGAG200 = lib.mkForce no;
+          DRM_HISI_HIBMC = lib.mkForce no;
+          DRM_APPLETBDRM = lib.mkForce no;
+
+          # intel gpu
+          DRM_I915 = lib.mkForce no;
+          DRM_XE = lib.mkForce no;
+
+          # intel cpu / platform
+          INTEL_IOMMU = lib.mkForce no;
+          INTEL_IDLE = lib.mkForce no;
+          INTEL_HFI_THERMAL = lib.mkForce no;
+          INTEL_TCC_COOLING = lib.mkForce no;
+          INTEL_SOC_DTS_THERMAL = lib.mkForce no;
+          INTEL_PCH_THERMAL = lib.mkForce no;
+          INTEL_POWERCLAMP = lib.mkForce no;
+          X86_PKG_TEMP_THERMAL = lib.mkForce no;
+          X86_INTEL_LPSS = lib.mkForce no;
+          INTEL_MEI = lib.mkForce no;
+          INTEL_TH = lib.mkForce no;
+          INTEL_VSEC = lib.mkForce no;
+          INTEL_IDXD = lib.mkForce no;
+          INTEL_IOATDMA = lib.mkForce no;
+          EDAC_E752X = lib.mkForce no;
+          EDAC_I82975X = lib.mkForce no;
+          EDAC_I3000 = lib.mkForce no;
+          EDAC_I3200 = lib.mkForce no;
+          EDAC_IE31200 = lib.mkForce no;
+          EDAC_X38 = lib.mkForce no;
+          EDAC_I5400 = lib.mkForce no;
+          EDAC_I7CORE = lib.mkForce no;
+          EDAC_I5100 = lib.mkForce no;
+          EDAC_I7300 = lib.mkForce no;
+          EDAC_SBRIDGE = lib.mkForce no;
+          EDAC_SKX = lib.mkForce no;
+          EDAC_I10NM = lib.mkForce no;
+          EDAC_IMH = lib.mkForce no;
+          EDAC_PND2 = lib.mkForce no;
+          EDAC_IGEN6 = lib.mkForce no;
+
+          # intel audio
+          SND_SOC_SOF_INTEL_TOPLEVEL = lib.mkForce no;
+          SND_SOC_INTEL_SST_TOPLEVEL = lib.mkForce no;
+
+          # mellanox networking
+          MLX4_CORE = lib.mkForce no;
+          MLX5_CORE = lib.mkForce no;
+          MLXSW_CORE = lib.mkForce no;
+          MLX_PLATFORM = lib.mkForce no;
+
+          # fpga
+          FPGA = lib.mkForce no;
+
+          # old x86 cpufreq / platform (both systems are modern Zen)
+          AMD_NUMA = lib.mkForce no;
+          X86_POWERNOW_K8 = lib.mkForce no;
+          X86_P4_CLOCKMOD = lib.mkForce no;
+          X86_SPEEDSTEP_LIB = lib.mkForce no;
+
+          # cxl (datacenter memory expansion)
+          CXL_BUS = lib.mkForce no;
+
+          # embedded SoC peripherals (not present on desktop/laptop)
+          INPUT_TOUCHSCREEN = lib.mkForce no;
+          INPUT_TABLET = lib.mkForce no;
+          INPUT_JOYSTICK = lib.mkForce no;
+          MEDIA_PLATFORM_DRIVERS = lib.mkForce no;
+          MEDIA_TEST_SUPPORT = lib.mkForce no;
+
+          # deprecated userland compat
+          SGETMASK_SYSCALL = lib.mkForce no;
+          UID16 = lib.mkForce no;
+          X86_X32_ABI = lib.mkForce no;
+        };
+      }
+    ];
 
     # aes_generic is built-in as of linux 7.0, no longer a loadable module
     initrd.luks.cryptoModules = lib.mkForce (
       lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
     );
 
+    # some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
+    initrd.allowMissingModules = true;
+
     lanzaboote = {
       enable = true;
       # TODO: proper secrets management so this is not stored in nix store

system/system-yarn.nix

@@ -75,12 +75,54 @@
   # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
   environment.systemPackages = with pkgs; [
     lact
+    jovian-stubs
   ];
   systemd.packages = with pkgs; [ lact ];
   systemd.services.lactd.wantedBy = [ "multi-user.target" ];
 
   systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
 
+  # root-level service that applies a pending update. Triggered by
+  # steamos-update (via systemctl start) when the user accepts an update.
+  # Runs as root so it can write the system profile and boot entry.
+  systemd.services.pull-update-apply = {
+    description = "Apply pending NixOS update pulled from binary cache";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
+        set -uo pipefail
+        export PATH=${
+          pkgs.lib.makeBinPath [
+            pkgs.curl
+            pkgs.coreutils
+            pkgs.nix
+          ]
+        }
+        STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
+        if [ -z "$STORE_PATH" ]; then
+          echo "server unreachable"
+          exit 1
+        fi
+        echo "applying $STORE_PATH"
+        nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
+        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
+        "$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
+        echo "update applied; reboot required"
+      '';
+    };
+  };
+
+  # Allow primary user to start pull-update-apply.service without a password
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          action.lookup("unit") == "pull-update-apply.service" &&
+          subject.user == "${username}") {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
   nixpkgs.config.allowUnfreePredicate =
     pkg:
     builtins.elem (lib.getName pkg) [
@@ -96,65 +138,123 @@
   # This prevents Steam from requesting reboots for "system updates"
   # Steam client updates will still work normally
   nixpkgs.overlays = [
-    (final: prev: {
+    (
-      jovian-stubs = prev.stdenv.mkDerivation {
+      final: prev:
-        name = "jovian-stubs-no-update";
+      let
-        dontUnpack = true;
+        deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
-        installPhase = ''
-          mkdir -p $out/bin
 
-          # steamos-update: always report "no update available" (exit 7)
+        steamos-update-script = final.writeShellScript "steamos-update" ''
-          # This disables the kernel mismatch check that triggers reboot prompts
+          export PATH=${
-          cat > $out/bin/steamos-update << 'STUB'
+            final.lib.makeBinPath [
-          #!/bin/sh
+              final.curl
-          >&2 echo "[JOVIAN] $0: stub called with: $* (system updates disabled)"
+              final.coreutils
-          exit 7
+              final.systemd
-          STUB
+            ]
+          }
 
-          # steamos-reboot: reboot the system
+          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
-          cat > $out/bin/steamos-reboot << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          systemctl reboot
-          STUB
 
-          # steamos-select-branch: no-op stub
+          if [ -z "$STORE_PATH" ]; then
-          cat > $out/bin/steamos-select-branch << 'STUB'
+            >&2 echo "[steamos-update] server unreachable"
-          #!/bin/sh
+            exit 7
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+          fi
-          exit 0
-          STUB
 
-          # steamos-factory-reset-config: no-op stub
+          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-          cat > $out/bin/steamos-factory-reset-config << 'STUB'
+          if [ "$CURRENT" = "$STORE_PATH" ]; then
-          #!/bin/sh
+            >&2 echo "[steamos-update] no update available"
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
-          exit 0
+          fi
-          STUB
 
-          # steamos-firmware-update: no-op stub
+          # check-only mode: just report that an update exists
-          cat > $out/bin/steamos-firmware-update << 'STUB'
+          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
-          #!/bin/sh
+            >&2 echo "[steamos-update] update available"
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
-          exit 0
+          fi
-          STUB
 
-          # pkexec: pass through to real pkexec
+          # apply: trigger the root-running systemd service to install the update
-          cat > $out/bin/pkexec << 'STUB'
+          >&2 echo "[steamos-update] applying update..."
-          #!/bin/sh
+          if systemctl start --wait pull-update-apply.service; then
-          exec /run/wrappers/bin/pkexec "$@"
+            >&2 echo "[steamos-update] update installed, reboot to apply"
-          STUB
+            exit 0
-
+          else
-          # sudo: pass through to doas
+            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
-          cat > $out/bin/sudo << 'STUB'
+            exit 1
-          #!/bin/sh
+          fi
-          exec /run/wrappers/bin/doas "$@"
-          STUB
-
-          chmod 755 $out/bin/*
         '';
-      };
+      in
-    })
+      {
+        jovian-stubs = prev.stdenv.mkDerivation {
+          name = "jovian-stubs";
+          dontUnpack = true;
+          installPhase = ''
+            mkdir -p $out/bin
+            ln -s ${steamos-update-script} $out/bin/steamos-update
+            ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
+
+            # jupiter-initial-firmware-update: no-op (not a real steam deck)
+            cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
+            #!/bin/sh
+            exit 0
+            STUB
+
+            # jupiter-biosupdate: no-op (not a real steam deck)
+            cat > $out/bin/jupiter-biosupdate << 'STUB'
+            #!/bin/sh
+            exit 0
+            STUB
+
+            # steamos-reboot: reboot the system
+            cat > $out/bin/steamos-reboot << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            systemctl reboot
+            STUB
+
+            # steamos-select-branch: no-op stub
+            cat > $out/bin/steamos-select-branch << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-factory-reset-config: no-op stub
+            cat > $out/bin/steamos-factory-reset-config << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-firmware-update: no-op stub
+            cat > $out/bin/steamos-firmware-update << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # pkexec: pass through to real pkexec
+            cat > $out/bin/pkexec << 'STUB'
+            #!/bin/sh
+            exec /run/wrappers/bin/pkexec "$@"
+            STUB
+
+            # sudo: strip flags and run the command directly (no escalation).
+            # privileged ops are delegated to root systemd services via systemctl.
+            cat > $out/bin/sudo << 'STUB'
+            #!/bin/sh
+            while [ $# -gt 0 ]; do
+              case "$1" in
+                -*) shift ;;
+                *) break ;;
+              esac
+            done
+            exec "$@"
+            STUB
+
+            find $out/bin -type f -exec chmod 755 {} +
+          '';
+        };
+      }
+    )
   ];
 
   jovian = {