# Remaining Audit Findings

Items already completed: zsh, starship, git, ghostty, tmux config + scripts.

## Sway

### Security

- **[high]** waybar `custom/ssh-login` on-click runs `pkill -9 -t $(who | awk '{ print $2 }')`. Unquoted command substitution causes word-splitting across multiple TTYs. Use `pkill -HUP` instead of `-9`, and quote the substitution or target a specific TTY.
- **[medium]** `80-autostart.conf` starts `protonmail-bridge -n` as bare `exec`. Consider systemd user service for proper lifecycle management.
- **[medium]** swayidle timeout of 300s (5 min) is relatively long for an unattended workstation.
- **[medium]** `swaylock/config` lacks `show-failed-attempts` and `ignore-empty-password` verification.
- **[low]** `wlsunset -l 46.1 -L 14.5` exposes approximate geographic coordinates in public dotfiles.

### Idiomacy

- **[issue]** host.d include is before config.d/* in main sway config. Host files cannot reference `$variables` from `10-variables.conf`. Move host.d include after config.d/*.
- **[issue]** `41-theme-swayfx.conf` uses SwayFX-specific directives that error on stock sway. Gate or document.
- **[issue]** Volume keybindings mix `pactl` (mute toggle) and `pamixer` (volume up/down). Pick one consistently. Mic mute on F16 also uses `pactl` instead of `pamixer`.
- **[issue]** wob FIFO setup has race condition on sway restart. Consider wob 0.14+ `--socket` flag or `$XDG_RUNTIME_DIR/wob.sock` path.
- **[issue]** swayidle missing `lock` event handler (`lock 'swaylock -f'`). `loginctl lock-session` won't lock the screen without it.
- **[issue]** No idle inhibitor configured. Fullscreen video will trigger lock after timeout. Options: waybar `idle_inhibitor` module, `for_window` rule with `inhibit_idle fullscreen`, or `sway-audio-idle-inhibit`.

### Waybar

- **[issue]** `custom/ssh-login` polls every 1 second. Reduce to 10-30s.
- **[issue]** `custom/ssh-login` on-click uses `pkill -9` (SIGKILL). Use SIGHUP.
- **[dead]** `custom/power` module defined but not included in any bar's module list.
- **[issue]** `style.css` references `@define-color` names (`@gray`, `@background-light`, `@foreground`, `@red`, etc.) that are not defined in the file. They must come from an external GTK theme. Define them in `style.css` for self-containment or document the dependency.
- **[issue]** Hardcoded `#1e1e2e` (Catppuccin Mocha) in `#waybar .module` conflicts with gruvbox scheme. Leftover from a template.
- **[note]** `cpu` on-click hardcodes `ghostty -e htop` (waybar JSONC doesn't support sway variables).

### Typos

- `50-keybind.conf` line 13: `# programs'` — trailing apostrophe
- `50-keybind.conf` line 88: `# xf86-brightnes` — missing trailing 's'
- `80-autostart.conf` line 1: `# deamon` — should be "daemon"

## Structure

### .gitignore

- **[dead]** `!alacritty` is tracked but alacritty is no longer used (ghostty replaced it). Remove or keep intentionally.
- **[issue]** `!waybar` and `!bin` un-ignore entire directories with no interior filter. Every other program explicitly whitelists files. Tighten to two-level pattern:

  ```
  !waybar
  waybar/*
  !waybar/config.jsonc
  !waybar/style.css
  ```

- **[note]** `!ghostty/themes`, `!sway/config.d`, `!sway/host.d` also un-ignore whole subdirectories. Intentional for sway (new drop-in files auto-tracked), worth noting for ghostty themes.

### bin/ directory

- `bin/waybar-custom-cider.sh` is the only script and is waybar-specific. Consider moving to `waybar/cider.sh` and updating the exec path in `waybar/config.jsonc`.

### SSH preview duplication

- `zsh/ssh-menu` defines `_ssh_menu_preview` and `tmux/tmux-ssher` defines `_preview`. Same function with cosmetic differences. Extract to a shared script (e.g. `bin/ssh-preview`) to eliminate drift. The `command -v host` guard is only in ssh-menu, not ssher.

### Paths

- `tmux.conf` hardcodes `~/.config/tmux/...` in run-shell bindings instead of `$XDG_CONFIG_HOME`.
- `flameshot.ini` hardcodes `/home/matej/screens` — breaks on other usernames/machines.
- `swaylock/config` and `sway/config.d/20-output.conf` reference `~/.assets/` — not XDG, but consistent with each other.

### Consistency

- Waybar CSS color variables depend on external GTK theme (see waybar section above).
- Swaylock uses `#000000`/`#ffffff` (black/white) instead of gruvbox. May be intentional for contrast.
- Alacritty config is dead weight if no longer used.
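
For the **[high]** `custom/ssh-login` on-click finding under Sway / Security, one way to replace the unquoted `pkill -9 -t $(who | awk ...)`. This is an added example, not code from the audited dotfiles; the function names and the sample `who` output are constructed, and it assumes remote logins are the `who` lines that end in a parenthesised host.

```shell
#!/bin/sh
# Constructed sample of `who` output: one local console, two remote logins.
sample_who() {
    cat <<'EOF'
alice    tty1         2024-05-01 09:00
alice    pts/0        2024-05-01 09:05 (192.0.2.10)
bob      pts/1        2024-05-01 09:07 (198.51.100.7)
EOF
}

# Read `who` output on stdin and print the TTYs of remote logins as ONE
# comma-separated word, the list form that `pkill -t` accepts.
# Local consoles (no host field) and display sessions such as (:0) are skipped.
remote_ttys() {
    awk '$NF ~ /^\(/ && $NF !~ /^\(:/ { printf "%s%s", sep, $2; sep = "," }'
}

# Count the words the audited, unquoted form would place after `-t`.
# With more than one session only the first word is the -t argument;
# the rest reach pkill as separate arguments.
unquoted_word_count() {
    # Deliberately unquoted to reproduce the word-splitting in the finding.
    set -- $(awk '{ print $2 }')
    echo "$#"
}

# Hardened on-click action: SIGHUP instead of SIGKILL, a single quoted
# argument, and no pkill call at all when there is no remote session.
hangup_remote_sessions() {
    ttys=$(who | remote_ttys)
    [ -n "$ttys" ] || return 0
    pkill -HUP -t "$ttys"
}

# Demo on the constructed sample only; nothing is signalled here.
printf 'unquoted form: %s words after -t\n' "$(sample_who | unquoted_word_count)"
printf 'quoted -t argument: %s\n' "$(sample_who | remote_ttys)"
```

In `waybar/config.jsonc` the on-click would then call a script containing `hangup_remote_sessions` rather than an inline pipeline.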