Remaining Audit Findings

Items already completed: zsh, starship, git, ghostty, tmux config + scripts.

Sway

[high] waybar custom/ssh-login on-click runs pkill -9 -t $(who | awk '{ print $2 }'). Unquoted command substitution causes word-splitting across multiple TTYs. Use pkill -HUP instead of -9, and quote the substitution or target a specific TTY.
[medium] 80-autostart.conf starts protonmail-bridge -n as bare exec. Consider systemd user service for proper lifecycle management.
[medium] swayidle timeout of 300s (5 min) is relatively long for an unattended workstation.
[medium] swaylock/config lacks show-failed-attempts and ignore-empty-password verification.
[low] wlsunset -l 46.1 -L 14.5 exposes approximate geographic coordinates in public dotfiles.

[issue] host.d include is before config.d/* in main sway config. Host files cannot reference $variables from 10-variables.conf. Move host.d include after config.d/*.
[issue] 41-theme-swayfx.conf uses SwayFX-specific directives that error on stock sway. Gate or document.
[issue] Volume keybindings mix pactl (mute toggle) and pamixer (volume up/down). Pick one consistently. Mic mute on F16 also uses pactl instead of pamixer.
[issue] wob FIFO setup has race condition on sway restart. Consider wob 0.14+ --socket flag or $XDG_RUNTIME_DIR/wob.sock path.
[issue] swayidle missing lock event handler (lock 'swaylock -f'). loginctl lock-session won't lock the screen without it.
[issue] No idle inhibitor configured. Fullscreen video will trigger lock after timeout. Options: waybar idle_inhibitor module, for_window rule with inhibit_idle fullscreen, or sway-audio-idle-inhibit.

[issue] custom/ssh-login polls every 1 second. Reduce to 10-30s.
[issue] custom/ssh-login on-click uses pkill -9 (SIGKILL). Use SIGHUP.
[dead] custom/power module defined but not included in any bar's module list.
[issue] style.css references @define-color names (@gray, @background-light, @foreground, @red, etc.) that are not defined in the file. They must come from an external GTK theme. Define them in style.css for self-containment or document the dependency.
[issue] Hardcoded #1e1e2e (Catppuccin Mocha) in #waybar .module conflicts with gruvbox scheme. Leftover from a template.
[note] cpu on-click hardcodes ghostty -e htop (waybar JSONC doesn't support sway variables).

[dead] !alacritty is tracked but alacritty is no longer used (ghostty replaced it). Remove or keep intentionally.
[issue] !waybar and !bin un-ignore entire directories with no interior filter. Every other program explicitly whitelists files. Tighten to two-level pattern:
```
!waybar
waybar/*
!waybar/config.jsonc
!waybar/style.css
```
[note] !ghostty/themes, !sway/config.d, !sway/host.d also un-ignore whole subdirectories. Intentional for sway (new drop-in files auto-tracked), worth noting for ghostty themes.

bin/waybar-custom-cider.sh is the only script and is waybar-specific. Consider moving to waybar/cider.sh and updating the exec path in waybar/config.jsonc.

zsh/ssh-menu defines _ssh_menu_preview and tmux/tmux-ssher defines _preview. Same function with cosmetic differences. Extract to a shared script (e.g. bin/ssh-preview) to eliminate drift. The command -v host guard is only in ssh-menu, not ssher.

tmux.conf hardcodes ~/.config/tmux/... in run-shell bindings instead of $XDG_CONFIG_HOME.
flameshot.ini hardcodes /home/matej/screens — breaks on other usernames/machines.
swaylock/config and sway/config.d/20-output.conf reference ~/.assets/ — not XDG, but consistent with each other.

Waybar CSS color variables depend on external GTK theme (see waybar section above).
Swaylock uses #000000/#ffffff (black/white) instead of gruvbox. May be intentional for contrast.
Alacritty config is dead weight if no longer used.