update

yarn: fix steamos update flow
kernel: re-enable SND_PCI
2026-04-17 23:26:43 -04:00 · 2026-04-17 23:26:15 -04:00 · 2026-04-17 18:26:21 -04:00 · 2026-04-17 12:33:33 -04:00 · 2026-04-17 00:25:38 -04:00 · 2026-04-16 23:46:13 -04:00
18 changed files with 196 additions and 875 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -79,11 +79,11 @@
    "cachyos-kernel-patches": {
      "flake": false,
      "locked": {
-        "lastModified": 1776181525,
+        "lastModified": 1776355454,
-        "narHash": "sha256-g07GhYlAOH0agNE8dIOT33vZ0eviF/HY5xgAQRwLytk=",
+        "narHash": "sha256-b9Hc0sTxjEzDbphzS9yQqxVha/7bsPIs2cQQQvaG45E=",
        "owner": "CachyOS",
        "repo": "kernel-patches",
-        "rev": "fcd21edaf0ff9b69f9d32ea8590002d6acd1c503",
+        "rev": "b5e029226df5cc30c103651072d49a7af2878202",
        "type": "github"
      },
      "original": {
@@ -131,11 +131,11 @@
    "doomemacs": {
      "flake": false,
      "locked": {
-        "lastModified": 1776049930,
+        "lastModified": 1776400245,
-        "narHash": "sha256-6nuelk+8qSRsh5Ryj9EpWOWXeeh/g3lI5mZsBfiFZQI=",
+        "narHash": "sha256-RuQB1PxazI4DOw3O+rEVU2FPT0vP0Xb+Gp/M6Yqer20=",
        "owner": "doomemacs",
        "repo": "doomemacs",
-        "rev": "5eb006f455f0558c97210ba7579880aacb045b67",
+        "rev": "860a91aaac235701f30b70fdc74259d438818968",
        "type": "github"
      },
      "original": {
@@ -154,11 +154,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776331221,
+        "lastModified": 1776478519,
-        "narHash": "sha256-I9HJO6ceghosCSraLRdAzz7f8pm+1zBo7sRVSvJbqUU=",
+        "narHash": "sha256-4TWCOVYe0iWEKuW7OH93nRI4Z7u68wNT6k9UJn0FZ5w=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "23055e4c66f6b873d6d6299bf5a7fdfe6012be5c",
+        "rev": "513e332b074507e1b46992952e7d83f329f2c22c",
        "type": "github"
      },
      "original": {
@@ -175,11 +175,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1776312172,
+        "lastModified": 1776398575,
-        "narHash": "sha256-jxZfeRd9mxqrLlsFc9+MLcqTy1eN1hQMLWhX0MJMno8=",
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "501d3ee969edad2167e57a1499312cd4fdfdbc78",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
        "type": "gitlab"
      },
      "original": {
@@ -307,11 +307,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776184304,
+        "lastModified": 1776454077,
-        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
        "type": "github"
      },
      "original": {
@@ -366,11 +366,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776335039,
+        "lastModified": 1776428236,
-        "narHash": "sha256-2lkQhrv6YUCeMlC/lclzq9vkTALv/ptv7d0jIhZnrPQ=",
+        "narHash": "sha256-+0SyQglnT2xUiyY07155G+O7aUWISELwqtTnfURufRU=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "cbdf76c063b48d5d755fb26540367b8c2457c2ca",
+        "rev": "eac78fc379ca47f7e21be8539c405e5fb489a857",
        "type": "github"
      },
      "original": {
@@ -437,11 +437,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1776351423,
+        "lastModified": 1776482297,
-        "narHash": "sha256-JySMZu8hLD8kV2HerIZ6uZyrijc7SUaGhRAKH63X6R4=",
+        "narHash": "sha256-KmsWPwtbO8vrlH/R9stIun0LKZ4PFSCCEdqWDeLgbTE=",
        "owner": "numtide",
        "repo": "llm-agents.nix",
-        "rev": "1fb51dbe453f1c8ec5b7133df561512e43dc7cc2",
+        "rev": "66c76393570f8fc4730caa2dc2d2c470fe33a3c9",
        "type": "github"
      },
      "original": {
@@ -464,11 +464,11 @@
        "xwayland-satellite-unstable": "xwayland-satellite-unstable"
      },
      "locked": {
-        "lastModified": 1776337800,
+        "lastModified": 1776435348,
-        "narHash": "sha256-yZvCnzf0NDL1vfMGRBkKthRmg8V93FzQ4CQNXhxh0Wg=",
+        "narHash": "sha256-qsZnMThxTqxCJZ7DEKu3DD3KjIPcuUBvZ0C9a2uIvaQ=",
        "owner": "sodiboo",
        "repo": "niri-flake",
-        "rev": "3877b9fd1f78e831b3ea223f9e992c758d13df0f",
+        "rev": "55b5b1fc9481ab267603a1099e5d4b4ebc7394d7",
        "type": "github"
      },
      "original": {
@@ -497,11 +497,11 @@
    "niri-unstable": {
      "flake": false,
      "locked": {
-        "lastModified": 1776332135,
+        "lastModified": 1776432730,
-        "narHash": "sha256-7cKy5sGmN4Yt47Op0+A/b3iEMk/E2Ru+UiI42KfiEPc=",
+        "narHash": "sha256-Pq1ZVvRGq/IFiFH6vkNwMfZEpWk23NjgGdX50COdj/c=",
        "owner": "YaLTeR",
        "repo": "niri",
-        "rev": "892470afd3dce5396828dd9b211b19210a16eaeb",
+        "rev": "c814c656c53ea9d69f5afb45c88f4dc4d25338cd",
        "type": "github"
      },
      "original": {
@@ -521,11 +521,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776278748,
+        "lastModified": 1776386586,
-        "narHash": "sha256-mLvw1+fa6vr0C87XfX0ja8yZMx0H+HWL0ena2SBMdp8=",
+        "narHash": "sha256-eVAUaL/6n8mnmBiPpEVW1NDNVSKLWhYVfycG+P0SvWU=",
        "owner": "xddxdd",
        "repo": "nix-cachyos-kernel",
-        "rev": "65eaf1492a6f0850ef2f08943c6bfc59b144e72a",
+        "rev": "c65c3faf90ae07bae101c15ef502f0bcb06c5d74",
        "type": "github"
      },
      "original": {
@@ -547,11 +547,11 @@
        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1776333106,
+        "lastModified": 1776419397,
-        "narHash": "sha256-RR8gh+adHxFzpDm0yqKOtJAao8zqRyBcj8O5N1iIuoc=",
+        "narHash": "sha256-vmWJwNYtQFexLG6r/v8Dlou/5z8FbFCLo3QqZ/stLYQ=",
        "owner": "marienz",
        "repo": "nix-doom-emacs-unstraightened",
-        "rev": "191a0107f4863132f723fdc0bf43b322fe849a0a",
+        "rev": "7623dd4adbdf5f8a8464ecc5fd089e5c5cb5dada",
        "type": "github"
      },
      "original": {
@@ -740,11 +740,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776350315,
+        "lastModified": 1776481912,
-        "narHash": "sha256-ijD4bgb5Iyap9F3MX73vLAZF/SYu+q7Gd7Ux4cbfCWw=",
+        "narHash": "sha256-Xq7p+Ex3YHFAd+fFFLOYw2Wv67582X7SAmrEDtIDZQ4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "62e3b8aedabc240e5b0cc9fae003bc9edfebbc9b",
+        "rev": "e611106c527e8ab0adbb641183cda284411d575c",
        "type": "github"
      },
      "original": {
@@ -899,11 +899,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776317517,
+        "lastModified": 1776403742,
-        "narHash": "sha256-JP1XVRabZquf7pnXvRUjp7DV+EBrB6Qmp3+vG3HMy/k=",
+        "narHash": "sha256-ZmGY9XiOsuMS/THsSNkgp2fnc3asXQX/xRrQpWnY9nA=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "0a7be59e988bb2cb452080f59aaabae70bc415ae",
+        "rev": "ca7077bea5c830470437ea878da2a1940773324c",
        "type": "github"
      },
      "original": {
--- a/home-manager/desktop.nix
+++ b/home-manager/desktop.nix
@@ -9,9 +9,6 @@
    # niri wayland compositor
    ./progs/niri.nix
    # statusbar
    # ./progs/eww/eww.nix
    # lockscreen
    ./progs/swaylock.nix
@@ -29,5 +26,4 @@
    # used by /etc/nixos logic to launch niri
    config.programs.niri.package
  ];
 }
--- a/home-manager/progs/eww/config/eww.scss
+++ b/home-manager/progs/eww/config/eww.scss
@@ -1,109 +0,0 @@
 $background: #1e1e2e;
 $pink: #f5c2e7;
 $lavendar: #b4befe;
 $red: #f38ba8;
 $maroon: #eba0ac;
 $peach: #fab387;
 $yellow: #f9e2af;
 $green: #a6e3a1;
 $text: #cdd6f4;
 $subtext: #a6adc8;
 $surface: #585b70;
 * {
 	color: $text;
 	font-family: CaskaydiaCove Nerd Font Mono;
 	font-weight: 600;
 	font-size: 10pt;
 	padding: 0 1px;
 }
 .red {
 	color: $red;
 }
 .maroon {
 	color: $maroon;
 }
 .peach {
 	color: $peach;
 }
 .yellow {
 	color: $yellow;
 }
 .green {
 	color: $green;
 }
 .lavendar {
 	color: $lavendar;
 }
 .symbol {
 	color: $lavendar;
 	font-size: 20px;
 }
 .button {
 	* {
 		all: unset;
 		margin: 0 5px;
 		font-size: 14pt;
 		transition: color 0.2s ease-in-out;
 	}
 	&:hover * {
 		color: $pink;
 	}
 }
 .bluetooth * {
 	font-size: 10pt;
 	padding: 0 0.3em;
 }
 .padded>*:not(:last-child) {
 	padding: 0 10px;
 	border-right: 1px solid $surface;
 }
 .background {
 	border: 1px solid $pink;
 	background-color: $background;
 	border-radius: 12px;
 	opacity: 0.8;
 }
 scale trough {
 	margin: 0 10px;
 	border: none;
 	background-color: #FFF;
 	min-height: 3px;
 	min-width: 100px;
 	& slider {
 		box-shadow: none;
 		background-image: none;
 		border: none;
 		background-color: $pink;
 		min-width: 5pt;
 		min-height: 5pt;
 		margin: -5pt;
 	}
 	& highlight {
 		border: none;
 		background-color: $lavendar;
 	}
 }
 .clipboard {
 	color: $subtext;
 }
 .time {
 	padding-right: 10px;
 }
--- a/home-manager/progs/eww/config/eww.yuck
+++ b/home-manager/progs/eww/config/eww.yuck
@@ -1 +0,0 @@
 (include "./statusbar.yuck")
--- a/home-manager/progs/eww/config/scripts/currentWindow.sh
+++ b/home-manager/progs/eww/config/scripts/currentWindow.sh
@@ -1,17 +0,0 @@
 #!/usr/bin/env bash
 niri_data=$(niri msg --json focused-window)
 if [[ "$niri_data" == "null" ]]; then
    exit 0
 fi
 name=$(echo "$niri_data" | jq -r '.["app_id"], .["title"]' | tr '\n' ' ' | sed 's/.$//')
 proc_name=$(echo "$name" | head -c 55)
 # TODO! fix this logic, add a '...' at the end
 if [[ "$name" != "$proc_name" ]]; then
    proc_name="$proc_name..."
 fi
 echo "$proc_name"
--- a/home-manager/progs/eww/config/scripts/currentWorkspace.sh
+++ b/home-manager/progs/eww/config/scripts/currentWorkspace.sh
@@ -1,3 +0,0 @@
 #!/usr/bin/env fish
 niri msg --json workspaces | jq -r '.[] | select(.is_focused == true) | .["id"]'
--- a/home-manager/progs/eww/config/scripts/power_bat.rs
+++ b/home-manager/progs/eww/config/scripts/power_bat.rs
@@ -1,58 +0,0 @@
 #!/usr/bin/env rust-script
 use std::{fmt, fs::read_to_string, str::FromStr};
 const BASE_PATH: &str = "/sys/class/power_supply/BAT1/";
 const CURRENT_NOW_PATH: &str = "current_now";
 const VOLTAGE_NOW_PATH: &str = "voltage_now";
 const STATUS_PATH: &str = "status";
 const FACTOR: f32 = 1e6_f32;
 #[derive(Debug)]
 enum Status {
    Charging,
    Discharging,
    NotCharging,
 }
 impl FromStr for Status {
    type Err = &'static str;
    fn from_str(input: &str) -> Result<Status, Self::Err> {
        match input {
            "Charging" => Ok(Status::Charging),
            "Discharging" => Ok(Status::Discharging),
            "Not charging" => Ok(Status::NotCharging),
            _ => Err("unknown state"),
        }
    }
 }
 impl fmt::Display for Status {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        fmt::Debug::fmt(self, f)
    }
 }
 fn fetch_and_trim_into<T: FromStr<Err = impl fmt::Debug>>(path: &str) -> T {
    let mut content = read_to_string(BASE_PATH.to_owned() + path).unwrap();
    content.pop();
    T::from_str(&content).unwrap()
 }
 fn fetch_bat_info(path: &str) -> f32 {
    let value: f32 = fetch_and_trim_into(path);
    value / FACTOR
 }
 fn main() {
    let current_now: f32 = fetch_bat_info(CURRENT_NOW_PATH);
    let voltage_now: f32 = fetch_bat_info(VOLTAGE_NOW_PATH);
    let watts: f32 = current_now * voltage_now;
    let status: Status = fetch_and_trim_into(STATUS_PATH);
    println!(
        "voltage: {:.4}\ncurrent: {:.4}\nwatts: {:.4}\nstatus: {}",
        voltage_now, current_now, watts, status
    );
 }
--- a/home-manager/progs/eww/config/scripts/sound/getSink.sh
+++ b/home-manager/progs/eww/config/scripts/sound/getSink.sh
@@ -1,2 +0,0 @@
 #!/usr/bin/env sh
 wpctl inspect @DEFAULT_SINK@ | grep -E "^  +\* node\.description" | cut -d' ' -f6- | tr -d '"'
--- a/home-manager/progs/eww/config/scripts/sound/getVolume.sh
+++ b/home-manager/progs/eww/config/scripts/sound/getVolume.sh
@@ -1,22 +0,0 @@
 #!/usr/bin/env bash
 output=$(wpctl get-volume @DEFAULT_SINK@ | cut -d' ' -f2- | sed -E 's/\.//g' | sed 's/^0*//g')
 count=$(echo "$output" | awk -F, '{print $1+0}')
 muted=$(echo "$output" | cut -d'[' -f2 | cut -d ']' -f1)
 # if not muted, set to empty string
 if [ "$muted" == "$count" ]; then
  muted=""
 fi
 color="green"
 if ((count > 75)); then color="yellow"; fi
 if ((count > 90)); then color="peach"; fi
 if ((count > 100)); then color="maroon"; fi
 if ((count > 110)); then color="red"; fi
 output="${count}%"
 if [ "$muted" != "" ]; then
  output="${output} [${muted}]"
 fi
 echo "{\"count\":\"${output}\", \"color\":\"${color}\"}"
--- a/home-manager/progs/eww/config/scripts/wifiInfo.zsh
+++ b/home-manager/progs/eww/config/scripts/wifiInfo.zsh
@@ -1,23 +0,0 @@
 #!/usr/bin/env zsh
 export CHARSET=ASCII
 case $1 in
 	name)
 		nmcli -f IN-USE,SSID d w | grep '*' | sed 's/[\* ]//g' | cat
 		exit 0;;
 	strength)
 		str=$(nmcli -f ACTIVE,BARS d w | grep 'yes' | tr -d ' yesno')
 		case ${str: 0:-1} in
 		'****')
 			icon="󰤨"; colour="green";;
 		'***')
 			icon="󰤥"; colour="yellow";;
 		'**')
 			icon="󰤢"; colour="peach";;
 		'*')
 			icon="󰤟"; colour="maroon";;
 		*)
 			icon="󰤯"; colour="red";;
 		esac
 		echo "{\"icon\":\"$icon\",\"colour\":\"$colour\"}"
 		exit 0;;
 esac
--- a/home-manager/progs/eww/config/statusbar.yuck
+++ b/home-manager/progs/eww/config/statusbar.yuck
@@ -1,130 +0,0 @@
 (defwindow statusbar
    :monitor 0
    :stacking "fg"
    :exclusive true
    :geometry (geometry
               :y "0.5%"
               :width "100%"
               :height "24px"
               :anchor "top center")
    (statusbar))
 (defwidget statusbar []
  (centerbox
   (box :space-evenly false :halign 'start' :class 'padded'
        (window-title))
   (time)
   (box :space-evenly false :halign 'end' :class 'padded'
        (brightness-ctl)
        (brightness-ctl-opener)
        (volume)
        (battery)
        (bluetooth)
        (wifi))))
 (defwidget cmd-slider [?symbol value command max color]
           (box :space-evenly false
                (label :text symbol :class "symbol")
                (scale
                 :min 0 :max max
                 :value value
                 :round-digits 0
                 :timeout "200ms"
                 :onchange command)
                (label :text "${value}%" :class color)))
 (defpoll windowtitle :interval "1s" `scripts/currentWindow.sh`)
 (defwidget window-title []
  (label
   :text {windowtitle == "" ? "" : "(${windowtitle})"}))
 (defwidget brightness-ctl []
  (box :visible brightnessctl-open
       (cmd-slider :symbol "󰃠" :value brightness
                   :command `brightnessctl set {}%`
                   :max 101 :color {
                   brightness >= 80 ? "green" :
                   brightness >= 50 ? "yellow" :
                   brightness >= 30 ? "peach" :
                   brightness >= 10 ? "maroon" : "red"
                   })))
 (defpoll brightness :interval "1s" :run-while brightnessctl-open `brightnessctl -m | awk -F, '{print $4+0}'`)
 (defvar brightnessctl-open false)
 (defwidget brightness-ctl-opener []
  (eventbox :class "button"
    (button
      :onclick `${EWW_CMD} update brightnessctl-open=${!brightnessctl-open}`
    "󰃠")))
 (defwidget wifi []
  (eventbox
    :class "button ${wifi-strength.colour}"
    (label
      :text {wifi-strength.icon}
    :tooltip "Connected To: ${wifi-name}")))
 (defpoll wifi-strength :interval "10s" `scripts/wifiInfo.zsh strength`)
 (defpoll wifi-name :interval "1m" `scripts/wifiInfo.zsh name`)
 (defwidget bluetooth []
  (eventbox
    :class "bluetooth button ${ bluetooth-name != "" ? "green" : "lavendar" }"
    :onclick `blueman-manager &`
    (label
    :text "${bluetooth-name} 󰂯")))
 ; `FNR == 1 + head -c 30` so the name doesn't explode the screen
 (defpoll bluetooth-name :interval "10s" `bluetoothctl devices Connected | awk '$1 == "Device" {print $0}' | cut -d' ' -f3-`)
 (defwidget time []
  (box
    :space-evenly false
    :class "time"
    :tooltip {time.long}
    (label :class "yellow" :text {time.hour})
    (label :text ":")
    (label :class "yellow" :text {time.minute})))
 (defpoll time :interval "1s" `date +'{"long":"%a %b %e %H:%M:%S %Z %Y","hour":"%H","minute":"%M"}'`)
 (defpoll powerstats :interval "2s" `power_bat`)
 (defwidget battery []
  (box :space-evenly false
    :tooltip powerstats
    (label
      :text {EWW_BATTERY.BAT1.status == "Charging" ? "󰂄" :
      EWW_BATTERY.BAT1.capacity >= 90 ? "󰁹" :
      EWW_BATTERY.BAT1.capacity >= 80 ? "󰂂" :
      EWW_BATTERY.BAT1.capacity >= 70 ? "󰂁" :
      EWW_BATTERY.BAT1.capacity >= 60 ? "󰂀" :
      EWW_BATTERY.BAT1.capacity >= 50 ? "󰁿" :
      EWW_BATTERY.BAT1.capacity >= 40 ? "󰁾" :
      EWW_BATTERY.BAT1.capacity >= 30 ? "󰁽" :
      EWW_BATTERY.BAT1.capacity >= 20 ? "󰁼" :
      EWW_BATTERY.BAT1.capacity >= 10 ? "󰁻" : "󰁺"
      }
      :class {
      EWW_BATTERY.BAT1.capacity >= 80 ? "green" :
      EWW_BATTERY.BAT1.capacity >= 50 ? "yellow" :
      EWW_BATTERY.BAT1.capacity >= 30 ? "peach" :
      EWW_BATTERY.BAT1.capacity >= 10 ? "maroon" : "red"
    })
    (label :text "${EWW_BATTERY.BAT1.capacity}%" :class "yellow")))
 (defpoll volumevalue :interval "1s" `scripts/sound/getVolume.sh`)
 (defpoll volumesink :interval "1s" `scripts/sound/getSink.sh`)
 (defwidget volume []
  (eventbox :tooltip volumesink
  :onclick `pwvucontrol &`
  (label :text "${volumevalue.count}" :class {volumevalue.color})))
 (defpoll currentworkspace :interval "1s" `scripts/currentWorkspace.sh`)
--- a/home-manager/progs/eww/eww.nix
+++ b/home-manager/progs/eww/eww.nix
@@ -1,40 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 {
  home.packages = with pkgs; [
    zsh
    bluez
    brightnessctl
    (callPackage ./power_bat.nix { })
  ];
  programs.eww = {
    enable = true;
    configDir = ./config;
  };
  programs.niri.settings.spawn-at-startup = [
    {
      command = [
        (lib.getExe config.programs.eww.package)
        "-c"
        "${config.programs.eww.configDir}"
        "open"
        "statusbar"
      ];
    }
    # swaybg works on more than just sway (sets a wallpaper)
    {
      command = [
        (lib.getExe pkgs.swaybg)
        "-i"
        "${../wallpaper.png}"
      ];
    }
  ];
 }
--- a/home-manager/progs/eww/power_bat.nix
+++ b/home-manager/progs/eww/power_bat.nix
@@ -1,4 +0,0 @@
 { pkgs, lib, ... }:
 pkgs.writeShellScriptBin "power_bat" ''
  exec ${lib.getExe pkgs.rust-script} ${./config/scripts/power_bat.rs} "$@"
 ''
--- a/home-manager/progs/pi.nix
+++ b/home-manager/progs/pi.nix
@@ -10,10 +10,10 @@ let
  #   librarian/explore/quick   → smol/commit = haiku
  ompSettings = {
    modelRoles = {
-      default = "anthropic/claude-opus-4-6:high";
+      default = "anthropic/claude-opus-4-7:high";
      smol = "anthropic/claude-haiku-4-5:low";
-      slow = "anthropic/claude-opus-4-6:xhigh";
+      slow = "anthropic/claude-opus-4-7:xhigh";
-      plan = "anthropic/claude-opus-4-6:high";
+      plan = "anthropic/claude-opus-4-7:high";
      commit = "anthropic/claude-haiku-4-5:low";
    };
  };
@@ -38,7 +38,7 @@ in
 {
  home.packages = [
    (inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
-      patches = (old.patches or [ ]) ++ [ ../../patches/omp-fix-auth.patch ];
+      patches = (old.patches or [ ]) ++ [ ];
    }))
  ];
--- a/patches/omp-fix-auth.patch
+++ b/patches/omp-fix-auth.patch
@@ -1,298 +0,0 @@
 commit 02b80dd74e2f962fffc9b0076bb7966eea4e45ff
 Author: Simon Gardling <titaniumtown@proton.me>
 Date:   Wed Apr 8 13:05:09 2026 -0400
    Fix key reauth with parallel sessions
 diff --git a/packages/ai/CHANGELOG.md b/packages/ai/CHANGELOG.md
 index 3f50b7bd4..248dacbff 100644
 --- a/packages/ai/CHANGELOG.md
 +++ b/packages/ai/CHANGELOG.md
@@ -5,6 +5,10 @@
 - Removed `coerceNullStrings` function and its automatic null-string coercion behavior from JSON parsing
 +### Fixed
 +
 +- Fixed concurrent OAuth refresh token rotation race: when multiple instances share the same credential DB, one instance refreshing a token no longer causes other instances to permanently disable the credential on `invalid_grant` ([#607](https://github.com/can1357/oh-my-pi/issues/607))
 +
 ## [13.19.0] - 2026-04-05
 ### Fixed
 diff --git a/packages/ai/src/auth-storage.ts b/packages/ai/src/auth-storage.ts
 index 9fdb4473b..fc81a6f3b 100644
 --- a/packages/ai/src/auth-storage.ts
 +++ b/packages/ai/src/auth-storage.ts
@@ -1865,7 +1865,35 @@ export class AuthStorage {
 			});
 			if (isDefinitiveFailure) {
 -				// Permanently disable invalid credentials with an explicit cause for inspection/debugging
 +				// Before permanently disabling, check if another instance already refreshed
 +				// the token in the shared DB. Concurrent instances hold stale in-memory
 +				// copies; refresh token rotation by one instance invalidates the token
 +				// that other instances still hold. Re-read from DB before giving up.
 +				if (/invalid_grant/i.test(errorMsg)) {
 +					const entries = this.#getStoredCredentials(provider);
 +					const entry = entries[selection.index];
 +					if (entry) {
 +						const dbCredentials = this.#store.listAuthCredentials(provider);
 +						const dbEntry = dbCredentials.find(row => row.id === entry.id);
 +						if (
 +							dbEntry?.credential.type === "oauth" &&
 +							dbEntry.credential.refresh !== selection.credential.refresh
 +						) {
 +							// DB has a newer refresh token — another instance refreshed.
 +							// Update in-memory state and retry with the fresh credential.
 +							logger.warn("Concurrent refresh detected, syncing from DB and retrying", {
 +								provider,
 +								index: selection.index,
 +								rowId: entry.id,
 +							});
 +							const updated = [...entries];
 +							updated[selection.index] = { id: entry.id, credential: dbEntry.credential };
 +							this.#setStoredCredentials(provider, updated);
 +							return this.getApiKey(provider, sessionId, options);
 +						}
 +					}
 +				}
 +				// Genuinely invalid — disable the credential
 				this.#disableCredentialAt(provider, selection.index, `oauth refresh failed: ${errorMsg}`);
 				if (this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth")) {
 					return this.getApiKey(provider, sessionId, options);
 diff --git a/packages/ai/test/auth-storage-refresh-race.test.ts b/packages/ai/test/auth-storage-refresh-race.test.ts
 new file mode 100644
 index 000000000..5a8098a18
 --- /dev/null
 +++ b/packages/ai/test/auth-storage-refresh-race.test.ts
@@ -0,0 +1,230 @@
 +import { Database } from "bun:sqlite";
 +import { afterEach, beforeEach, describe, expect, test, vi } from "bun:test";
 +import * as fs from "node:fs/promises";
 +import * as os from "node:os";
 +import * as path from "node:path";
 +import { AuthCredentialStore, AuthStorage, type OAuthCredential } from "../src/auth-storage";
 +import * as oauthUtils from "../src/utils/oauth";
 +import type { OAuthCredentials } from "../src/utils/oauth/types";
 +
 +/**
 + * Tests for the concurrent OAuth refresh token rotation race condition.
 + *
 + * When multiple omp instances share the same SQLite credential DB but hold
 + * independent in-memory caches, refresh token rotation by one instance
 + * invalidates the token that other instances still hold. Without the fix,
 + * the stale instance permanently disables the credential on `invalid_grant`
 + * even though a valid refresh token exists in the DB.
 + */
 +
 +function readDisabledCauses(dbPath: string, provider: string): string[] {
 +	const db = new Database(dbPath, { readonly: true });
 +	try {
 +		const rows = db
 +			.prepare(
 +				"SELECT disabled_cause FROM auth_credentials WHERE provider = ? AND disabled_cause IS NOT NULL ORDER BY id ASC",
 +			)
 +			.all(provider) as Array<{ disabled_cause?: string | null }>;
 +		return rows.flatMap(row => (typeof row.disabled_cause === "string" ? [row.disabled_cause] : []));
 +	} finally {
 +		db.close();
 +	}
 +}
 +
 +function countActiveCredentials(dbPath: string, provider: string): number {
 +	const db = new Database(dbPath, { readonly: true });
 +	try {
 +		const row = db
 +			.prepare("SELECT COUNT(*) AS count FROM auth_credentials WHERE provider = ? AND disabled_cause IS NULL")
 +			.get(provider) as { count?: number } | undefined;
 +		return row?.count ?? 0;
 +	} finally {
 +		db.close();
 +	}
 +}
 +
 +const EXPIRED_TOKEN_EXPIRES = Date.now() - 60_000;
 +const FRESH_TOKEN_EXPIRES = Date.now() + 3_600_000;
 +
 +function makeOAuthCredential(suffix: string, opts?: { expires?: number }): OAuthCredential {
 +	return {
 +		type: "oauth",
 +		access: `access-${suffix}`,
 +		refresh: `refresh-${suffix}`,
 +		expires: opts?.expires ?? FRESH_TOKEN_EXPIRES,
 +		accountId: "acct-shared",
 +		email: "user@example.com",
 +	};
 +}
 +
 +describe("AuthStorage concurrent OAuth refresh token rotation race", () => {
 +	let tempDir = "";
 +	let dbPath = "";
 +	let storeA: AuthCredentialStore | null = null;
 +	let storeB: AuthCredentialStore | null = null;
 +	let authStorageA: AuthStorage | null = null;
 +	let authStorageB: AuthStorage | null = null;
 +
 +	beforeEach(async () => {
 +		tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "pi-ai-auth-refresh-race-"));
 +		dbPath = path.join(tempDir, "agent.db");
 +
 +		// Both stores point at the same SQLite DB — simulates two omp instances
 +		storeA = await AuthCredentialStore.open(dbPath);
 +		storeB = await AuthCredentialStore.open(dbPath);
 +	});
 +
 +	afterEach(async () => {
 +		vi.restoreAllMocks();
 +		storeA?.close();
 +		storeB?.close();
 +		storeA = null;
 +		storeB = null;
 +		authStorageA = null;
 +		authStorageB = null;
 +		if (tempDir) {
 +			await fs.rm(tempDir, { recursive: true, force: true });
 +			tempDir = "";
 +		}
 +	});
 +
 +	test("instance B recovers from invalid_grant when instance A already refreshed", async () => {
 +		if (!storeA || !storeB) throw new Error("test setup failed");
 +
 +		// Store an expired OAuth credential — both instances will need to refresh
 +		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
 +		authStorageA = new AuthStorage(storeA);
 +		await authStorageA.set("anthropic", [staleCredential]);
 +
 +		// Instance B loads same credential from DB into its own in-memory cache
 +		authStorageB = new AuthStorage(storeB);
 +		await authStorageB.reload();
 +
 +		// The refreshed credential that instance A will produce
 +		const refreshedCredential: OAuthCredentials = {
 +			access: "access-v2",
 +			refresh: "refresh-v2",
 +			expires: FRESH_TOKEN_EXPIRES,
 +			accountId: "acct-shared",
 +			email: "user@example.com",
 +		};
 +
 +		// Mock both refresh paths:
 +		// - refreshOAuthToken: called by pre-refresh in #resolveOAuthApiKey for expired tokens
 +		// - getOAuthApiKey: called by #tryOAuthCredential for the actual token exchange
 +		const refreshSpy = vi.spyOn(oauthUtils, "refreshOAuthToken");
 +		const getApiKeySpy = vi.spyOn(oauthUtils, "getOAuthApiKey");
 +
 +		// Step 1: Instance A refreshes successfully
 +		refreshSpy.mockImplementation(async (_provider, credential) => {
 +			return { ...credential, ...refreshedCredential };
 +		});
 +		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
 +			const cred = credentials.anthropic as OAuthCredentials | undefined;
 +			if (!cred) return null;
 +			return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key" };
 +		});
 +
 +		const keyA = await authStorageA.getApiKey("anthropic", "session-a");
 +		expect(keyA).toBe("sk-ant-new-key");
 +
 +		// DB now has refreshed credential from instance A.
 +		// Instance B still has stale refresh-v1 in memory.
 +
 +		// Step 2: Instance B tries to refresh with stale token.
 +		// The pre-refresh (refreshOAuthToken) runs first, then #tryOAuthCredential calls getOAuthApiKey.
 +		// Both throw invalid_grant for stale tokens. After DB re-read, retry with fresh token succeeds.
 +		let getApiKeyCallCount = 0;
 +		refreshSpy.mockImplementation(async (_provider, credential) => {
 +			if (credential.refresh === "refresh-v1") {
 +				throw new Error("invalid_grant: Refresh token not found or invalid");
 +			}
 +			return { ...credential, ...refreshedCredential };
 +		});
 +		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
 +			const cred = credentials.anthropic as OAuthCredentials | undefined;
 +			if (!cred) return null;
 +			getApiKeyCallCount++;
 +
 +			if (cred.refresh === "refresh-v1") {
 +				// Stale token — Anthropic would return invalid_grant
 +				throw new Error("invalid_grant: Refresh token not found or invalid");
 +			}
 +			if (cred.refresh === "refresh-v2") {
 +				// Fresh token from instance A — success
 +				return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key-b" };
 +			}
 +			return null;
 +		});
 +
 +		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
 +
 +		// The credential must NOT be disabled — instance B should have recovered
 +		expect(keyB).toBeDefined();
 +		expect(typeof keyB).toBe("string");
 +
 +		// DB should still have exactly 1 active credential, none disabled
 +		expect(countActiveCredentials(dbPath, "anthropic")).toBe(1);
 +		expect(readDisabledCauses(dbPath, "anthropic")).toEqual([]);
 +		// The getOAuthApiKey mock must have been called at least twice: once with stale, once with fresh
 +		expect(getApiKeyCallCount).toBeGreaterThanOrEqual(2);
 +	});
 +
 +	test("credential is still disabled when DB has same stale token (genuine failure)", async () => {
 +		if (!storeA || !storeB) throw new Error("test setup failed");
 +
 +		// Store an expired credential — only one instance, no concurrent refresh
 +		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
 +		authStorageA = new AuthStorage(storeA);
 +		await authStorageA.set("anthropic", [staleCredential]);
 +
 +		// Mock: always fail with invalid_grant (genuinely revoked token)
 +		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
 +			throw new Error("invalid_grant: Refresh token not found or invalid");
 +		});
 +		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
 +			throw new Error("invalid_grant: Refresh token not found or invalid");
 +		});
 +
 +		const key = await authStorageA.getApiKey("anthropic", "session-a");
 +
 +		// Should return undefined — no valid credentials
 +		expect(key).toBeUndefined();
 +
 +		// Credential should be disabled in DB
 +		const causes = readDisabledCauses(dbPath, "anthropic");
 +		expect(causes.length).toBe(1);
 +		expect(causes[0]).toContain("invalid_grant");
 +	});
 +
 +	test("terminates when DB token matches stale token (no concurrent refresh)", async () => {
 +		if (!storeA || !storeB) throw new Error("test setup failed");
 +
 +		// Both instances share the same stale credential — nobody refreshed
 +		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
 +		authStorageA = new AuthStorage(storeA);
 +		await authStorageA.set("anthropic", [staleCredential]);
 +
 +		// Instance B loads same stale credential
 +		authStorageB = new AuthStorage(storeB);
 +		await authStorageB.reload();
 +
 +		// Mock: always fail — the token is genuinely revoked, nobody refreshed
 +		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
 +			throw new Error("invalid_grant: Refresh token not found or invalid");
 +		});
 +		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
 +			throw new Error("invalid_grant: Refresh token not found or invalid");
 +		});
 +
 +		// Instance B fails. DB has the same token (nobody refreshed), so the
 +		// fix correctly falls through to disable instead of retrying forever.
 +		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
 +		expect(keyB).toBeUndefined();
 +
 +		// Credential should be disabled — the fix did not prevent a genuine failure
 +		const causes = readDisabledCauses(dbPath, "anthropic");
 +		expect(causes.length).toBe(1);
 +		expect(causes[0]).toContain("invalid_grant");
 +	});
 +});
--- a/system/common.nix
+++ b/system/common.nix
@@ -165,7 +165,7 @@
          # staging drivers (experimental/unmaintained)
          STAGING = lib.mkForce no;
-          SND_PCI = lib.mkForce no;
+          # SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
          ACCESSIBILITY = lib.mkForce no;
          MTD = lib.mkForce no;
          MEDIA_RC_SUPPORT = lib.mkForce no;
--- a/system/pull-update.nix
+++ b/system/pull-update.nix
@@ -1,67 +0,0 @@
 # Pull-based NixOS updates for hosts that can't be pushed to reliably.
 # CI builds the system closure on muffin (which Harmonia serves), then
 # records the output store path at /deploy/<hostname>.  On boot this
 # service fetches that path, pulls the closure from the binary cache,
 # sets it as the boot profile, and reboots into it.
 { pkgs, hostname, ... }:
 let
  deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
  pull-update = pkgs.writeShellScript "pull-update" ''
    set -uo pipefail
    export PATH=${
      pkgs.lib.makeBinPath [
        pkgs.curl
        pkgs.coreutils
        pkgs.nix
        pkgs.systemd
        pkgs.util-linux
      ]
    }
    # wait for actual connectivity, not just networkd "up"
    for i in $(seq 1 30); do
      if curl -sf --max-time 5 "${deploy-url}" >/dev/null; then
        break
      fi
      echo "Waiting for network... ($i/30)"
      sleep 2
    done
    STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
    if [ -z "$STORE_PATH" ]; then
      echo "Server unreachable or no deployment available, skipping"
      exit 0
    fi
    CURRENT=$(readlink -f /nix/var/nix/profiles/system)
    if [ "$CURRENT" = "$STORE_PATH" ]; then
      echo "Already on latest configuration"
      exit 0
    fi
    echo "Update available: $CURRENT -> $STORE_PATH"
    nix-store -r "$STORE_PATH" || { echo "Failed to fetch closure"; exit 1; }
    nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "Failed to set profile"; exit 1; }
    "$STORE_PATH/bin/switch-to-configuration" boot || { echo "Failed to install boot entry"; exit 1; }
    wall "System update installed. Rebooting in 10 seconds..."
    sleep 10
    systemctl reboot
  '';
 in
 {
  systemd.services.pull-update = {
    description = "Pull latest NixOS configuration from binary cache";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    restartIfChanged = false;
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pull-update;
    };
  };
 }
--- a/system/system-yarn.nix
+++ b/system/system-yarn.nix
@@ -11,7 +11,6 @@
    ./disk_yarn.nix
    ./common.nix
    ./impermanence.nix
    ./pull-update.nix
    ./no-rgb.nix
    ./vr.nix
@@ -76,12 +75,54 @@
  # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
  environment.systemPackages = with pkgs; [
    lact
    jovian-stubs
  ];
  systemd.packages = with pkgs; [ lact ];
  systemd.services.lactd.wantedBy = [ "multi-user.target" ];
  systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
  # root-level service that applies a pending update. Triggered by
  # steamos-update (via systemctl start) when the user accepts an update.
  # Runs as root so it can write the system profile and boot entry.
  systemd.services.pull-update-apply = {
    description = "Apply pending NixOS update pulled from binary cache";
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
        set -uo pipefail
        export PATH=${
          pkgs.lib.makeBinPath [
            pkgs.curl
            pkgs.coreutils
            pkgs.nix
          ]
        }
        STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
        if [ -z "$STORE_PATH" ]; then
          echo "server unreachable"
          exit 1
        fi
        echo "applying $STORE_PATH"
        nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
        "$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
        echo "update applied; reboot required"
      '';
    };
  };
  # Allow primary user to start pull-update-apply.service without a password
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.systemd1.manage-units" &&
          action.lookup("unit") == "pull-update-apply.service" &&
          subject.user == "${username}") {
        return polkit.Result.YES;
      }
    });
  '';
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
@@ -97,65 +138,123 @@
  # This prevents Steam from requesting reboots for "system updates"
  # Steam client updates will still work normally
  nixpkgs.overlays = [
-    (final: prev: {
+    (
-      jovian-stubs = prev.stdenv.mkDerivation {
+      final: prev:
-        name = "jovian-stubs-no-update";
+      let
-        dontUnpack = true;
+        deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
        installPhase = ''
          mkdir -p $out/bin
-          # steamos-update: always report "no update available" (exit 7)
+        steamos-update-script = final.writeShellScript "steamos-update" ''
-          # This disables the kernel mismatch check that triggers reboot prompts
+          export PATH=${
-          cat > $out/bin/steamos-update << 'STUB'
+            final.lib.makeBinPath [
-          #!/bin/sh
+              final.curl
-          >&2 echo "[JOVIAN] $0: stub called with: $* (system updates disabled)"
+              final.coreutils
-          exit 7
+              final.systemd
-          STUB
+            ]
          }
-          # steamos-reboot: reboot the system
+          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
          cat > $out/bin/steamos-reboot << 'STUB'
          #!/bin/sh
          >&2 echo "[JOVIAN] $0: stub called with: $*"
          systemctl reboot
          STUB
-          # steamos-select-branch: no-op stub
+          if [ -z "$STORE_PATH" ]; then
-          cat > $out/bin/steamos-select-branch << 'STUB'
+            >&2 echo "[steamos-update] server unreachable"
-          #!/bin/sh
+            exit 7
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+          fi
          exit 0
          STUB
-          # steamos-factory-reset-config: no-op stub
+          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-          cat > $out/bin/steamos-factory-reset-config << 'STUB'
+          if [ "$CURRENT" = "$STORE_PATH" ]; then
-          #!/bin/sh
+            >&2 echo "[steamos-update] no update available"
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
-          exit 0
+          fi
          STUB
-          # steamos-firmware-update: no-op stub
+          # check-only mode: just report that an update exists
-          cat > $out/bin/steamos-firmware-update << 'STUB'
+          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
-          #!/bin/sh
+            >&2 echo "[steamos-update] update available"
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
-          exit 0
+          fi
          STUB
-          # pkexec: pass through to real pkexec
+          # apply: trigger the root-running systemd service to install the update
-          cat > $out/bin/pkexec << 'STUB'
+          >&2 echo "[steamos-update] applying update..."
-          #!/bin/sh
+          if systemctl start --wait pull-update-apply.service; then
-          exec /run/wrappers/bin/pkexec "$@"
+            >&2 echo "[steamos-update] update installed, reboot to apply"
-          STUB
+            exit 0
-
+          else
-          # sudo: pass through to doas
+            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
-          cat > $out/bin/sudo << 'STUB'
+            exit 1
-          #!/bin/sh
+          fi
          exec /run/wrappers/bin/doas "$@"
          STUB
          chmod 755 $out/bin/*
        '';
-      };
+      in
-    })
+      {
        jovian-stubs = prev.stdenv.mkDerivation {
          name = "jovian-stubs";
          dontUnpack = true;
          installPhase = ''
            mkdir -p $out/bin
            ln -s ${steamos-update-script} $out/bin/steamos-update
            ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
            # jupiter-initial-firmware-update: no-op (not a real steam deck)
            cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
            #!/bin/sh
            exit 0
            STUB
            # jupiter-biosupdate: no-op (not a real steam deck)
            cat > $out/bin/jupiter-biosupdate << 'STUB'
            #!/bin/sh
            exit 0
            STUB
            # steamos-reboot: reboot the system
            cat > $out/bin/steamos-reboot << 'STUB'
            #!/bin/sh
            >&2 echo "[JOVIAN] $0: stub called with: $*"
            systemctl reboot
            STUB
            # steamos-select-branch: no-op stub
            cat > $out/bin/steamos-select-branch << 'STUB'
            #!/bin/sh
            >&2 echo "[JOVIAN] $0: stub called with: $*"
            exit 0
            STUB
            # steamos-factory-reset-config: no-op stub
            cat > $out/bin/steamos-factory-reset-config << 'STUB'
            #!/bin/sh
            >&2 echo "[JOVIAN] $0: stub called with: $*"
            exit 0
            STUB
            # steamos-firmware-update: no-op stub
            cat > $out/bin/steamos-firmware-update << 'STUB'
            #!/bin/sh
            >&2 echo "[JOVIAN] $0: stub called with: $*"
            exit 0
            STUB
            # pkexec: pass through to real pkexec
            cat > $out/bin/pkexec << 'STUB'
            #!/bin/sh
            exec /run/wrappers/bin/pkexec "$@"
            STUB
            # sudo: strip flags and run the command directly (no escalation).
            # privileged ops are delegated to root systemd services via systemctl.
            cat > $out/bin/sudo << 'STUB'
            #!/bin/sh
            while [ $# -gt 0 ]; do
              case "$1" in
                -*) shift ;;
                *) break ;;
              esac
            done
            exec "$@"
            STUB
            find $out/bin -type f -exec chmod 755 {} +
          '';
        };
      }
    )
  ];
  jovian = {
Author	SHA1	Message	Date
Simon Gardling	e9a44f677d	update All checks were successful Build / build (push) Successful in 7m2s	2026-04-17 23:26:43 -04:00
Simon Gardling	0c881602e9	yarn: fix steamos update flow	2026-04-17 23:26:15 -04:00
Simon Gardling	7f375e8574	kernel: re-enable SND_PCI All checks were successful Build / build (push) Successful in 1h35m51s	2026-04-17 18:26:21 -04:00
Simon Gardling	577b5eeb77	update All checks were successful Build / build (push) Successful in 1h36m48s	2026-04-17 12:33:33 -04:00
Simon Gardling	91aba32afb	pi: update to claude opus 4.7 All checks were successful Build / build (push) Successful in 4m19s	2026-04-17 00:25:38 -04:00
Simon Gardling	29e71fb127	??!?!?!??! All checks were successful Build / build (push) Successful in 6m25s	2026-04-16 23:46:13 -04:00
Simon Gardling	ff94c3b027	steamos-update: exit 0 not 7 All checks were successful Build / build (push) Successful in 6m14s	2026-04-16 23:05:24 -04:00
Simon Gardling	0b457b83d3	fix build All checks were successful Build / build (push) Successful in 5m49s	2026-04-16 22:53:11 -04:00
Simon Gardling	c23240c529	yarn: move pull-update into steamos-update script Some checks failed Build / build (push) Failing after 1m25s	2026-04-16 22:28:49 -04:00
Simon Gardling	e40929018f	eww: remove All checks were successful Build / build (push) Successful in 1m13s	2026-04-16 18:02:02 -04:00
Simon Gardling	5997c886f6	pull-update: improvement All checks were successful Build / build (push) Successful in 3m0s	2026-04-16 17:43:35 -04:00
Simon Gardling	72d37f57ac	update All checks were successful Build / build (push) Successful in 12m59s	2026-04-16 16:31:49 -04:00
Simon Gardling	0718568bec	pull-update: forgot lib.getExe	2026-04-16 15:03:06 -04:00
Simon Gardling	982cc4aebc	pull-update: use `writeShellApplication` instead	2026-04-16 15:02:08 -04:00
Simon Gardling	d2d25bbdfe	omp: remove patch that didn't work	2026-04-16 14:52:51 -04:00
		`@@ -1,3 +0,0 @@`
			`#!/usr/bin/env fish`

			`niri msg --json workspaces \| jq -r '.[] \| select(.is_focused == true) \| .["id"]'`
		`@@ -1,2 +0,0 @@`
			`#!/usr/bin/env sh`
			`wpctl inspect @DEFAULT_SINK@ \| grep -E "^ +\* node\.description" \| cut -d' ' -f6- \| tr -d '"'`