ArchRiot Development Plan

OVERVIEW

This document tracks outstanding development tasks for the ArchRiot installer and system components.

🚧 OUTSTANDING TASKS

TASK 1: Secure Boot Enablement

Problem

Users without Secure Boot enabled are vulnerable to memory hijacking attacks on LUKS encrypted drives. The installer should offer to enable Secure Boot during installation/upgrade to improve system security.

Requirements

  • Detect if Secure Boot is currently disabled during installation/upgrade
  • Prompt user with clear explanation of Secure Boot benefits for LUKS protection
  • If user selects “YES”, guide them through Secure Boot enablement process
  • Handle the complexity of UEFI setup, key management, and bootloader signing
  • Ensure process works across different hardware vendors (Dell, Lenovo, etc.)
  • Provide fallback/recovery options if Secure Boot setup fails

Implementation Challenges

  • UEFI Firmware Interaction: Different vendors have different UEFI interfaces
  • Key Management: Generating and managing Secure Boot keys (PK, KEK, db, dbx)
  • Bootloader Signing: Signing GRUB/systemd-boot with custom keys
  • Kernel Signing: Signing Linux kernel and modules for Secure Boot validation
  • User Guidance: Walking users through BIOS/UEFI settings safely
  • Recovery Planning: Ensuring users can disable Secure Boot if needed

Technical Approach

CRITICAL: REUSE EXISTING TUI ARCHITECTURE

ArchRiot already has a sophisticated TUI system that MUST be reused:

  • Existing message types in source/tui/messages.go (LogMsg, ProgressMsg, etc.)
  • Existing input modes in source/tui/model.go (git-username, git-email, reboot, etc.)
  • Existing confirmation prompt system with YES/NO options
  • Existing callback pattern for user decisions

Implementation Using EXISTING TUI:

  1. Detection Phase: Check bootctl status and /sys/firmware/efi/efivars for Secure Boot state
  2. TUI Integration: Add new message types (SecureBootPromptMsg, SecureBootStatusMsg) to existing messages.go
  3. User Education: REUSE existing confirmation prompt system to explain LUKS memory attack protection benefits
  4. Decision Flow: EXTEND existing inputMode system for “secure-boot-confirm” mode
  5. Key Generation: Create custom Secure Boot key hierarchy (PK → KEK → db)
  6. Bootloader Setup: Configure and sign bootloader with custom keys
  7. Kernel Setup: Sign kernel and modules for Secure Boot validation
  8. UEFI Guidance: Provide vendor-specific instructions for enabling Secure Boot
  9. Validation: Verify Secure Boot is working correctly after setup

Priority: Medium - Important security enhancement but complex implementation

ARCHITECTURE REQUIREMENTS:

  • NO new TUI interfaces - extend existing system only
  • Follow existing message/callback patterns in tui/messages.go and tui/model.go
  • Integrate into existing installation flow, don’t create separate flows
  • Use existing tools.go framework for optional Secure Boot tool access

✅ TASK 2: Kernel Upgrade Reboot Detection - COMPLETED

Implementation Summary:

  • ✅ Added kernel upgrade detection in upgrade.go using pacman -Qu to check for “linux” package upgrades
  • ✅ Created KernelUpgradeMsg message type to communicate kernel upgrade status to TUI
  • ✅ Modified reboot prompt to default to “YES” with special message when kernel upgraded
  • ✅ Maintained existing “NO” default for regular upgrades

Files Modified:

  • ArchRiot/source/upgrade/upgrade.go - Added detectKernelUpgrade() function
  • ArchRiot/source/tui/model.go - Added kernel upgrade handling in reboot prompt
  • ArchRiot/source/tui/messages.go - Added KernelUpgradeMsg type

Result: System now automatically recommends reboot when kernel is upgraded, improving user experience and system stability.

✅ TASK 3: Scripts Directory Cleanup - COMPLETED

Problem

The config/bin/scripts directory and related script directories contained legacy scripts from previous ArchRiot versions, making it difficult to maintain the codebase and potentially causing confusion about which scripts are actively used versus deprecated.

Implementation Summary

  • ✅ Audited all 26 scripts across config/bin/scripts/, config/bin/, and config/waybar/scripts/
  • ✅ Identified and removed 4 unused scripts (Hypridle.sh, waybar-mic-status.py, show-keybindings, version)
  • ✅ Removed legacy upgrade-system script superseded by integrated archriot upgrade functionality
  • ✅ Fixed waybar brightness module parameter inconsistencies
  • ✅ Updated README.md to reflect integrated upgrade system
  • ✅ Verified all remaining 22 scripts are actively used and properly integrated

Files Removed:

  • config/bin/scripts/Hypridle.sh - unused idle management toggle
  • config/bin/scripts/waybar-mic-status.py - unused microphone status display
  • config/bin/show-keybindings - unused keybinding display utility
  • config/bin/version - unused, overlapped with version-check functionality
  • config/bin/upgrade-system - superseded by integrated archriot upgrade

Files Fixed:

  • config/waybar/Modules - corrected brightness script parameters
  • config/waybar/ModulesVertical - corrected brightness script parameters
  • README.md - updated upgrade system documentation

Result: Repository now contains only actively used scripts with verified integration points. All remaining scripts serve important functions in the ArchRiot system.

Priority: Low - Code quality improvement, no user-facing functionality impact ✅ COMPLETED

Script Audit Progress:

✅ AUDITED - config/bin/scripts:

  1. Brightness.sh - ✅ ACTIVE
    • Used by Hyprland hardware keys (XF86MonBrightnessUp/Down)
    • Fixed waybar module definitions to use correct parameters
    • Status: Keep, properly integrated
  2. Volume.sh - ✅ ACTIVE
    • Used by Hyprland hardware keys and waybar audio modules
    • All parameters correctly implemented and used
    • Status: Keep, properly integrated
  3. Hypridle.sh - ❌ UNUSED
    • No references in active waybar modules or configs
    • CSS styling exists but module not defined or used
    • Action: REMOVED via git rm
  4. fix-offscreen-windows.sh - ✅ ACTIVE
    • Used by Hyprland keybinding ($mod SHIFT TAB)
    • Fixes AMD DPMS wake bug with off-screen windows
    • Status: Keep, serves important function
  5. hyprlock-wrapper.sh - ✅ ACTIVE
    • Used by waybar lock button (custom/lock module)
    • Used by power menu Lock option
    • Enhanced hyprlock with monitor change handling and theme integration
    • Status: Keep, serves important functions

⏳ REMAINING TO AUDIT:

  1. mullvad-startup.sh - ✅ ACTIVE
    • Used by Hyprland exec-once to conditionally start Mullvad GUI
    • Intelligent startup: only if installed and account configured
    • Handles tray integration and prevents duplicate instances
    • Status: Keep, serves important function
  2. signal-launcher.sh - ✅ ACTIVE
    • Used by Hyprland keybindings ($mod G and $mod S)
    • Smart Signal launching: focuses existing window or launches new instance
    • Proper Wayland configuration and window management
    • Status: Keep, serves important function
  3. waybar-cpu-aggregate.py - ✅ ACTIVE
    • Used by waybar custom/cpu-aggregate module (visible in main waybar)
    • Shows total CPU usage averaged across all cores
    • Status: Keep, serves important function
  4. waybar-memory-accurate.py - ✅ ACTIVE
    • Used by waybar custom/memory-accurate module (visible in main waybar)
    • Modern memory calculation (Total - Available like btop)
    • Status: Keep, serves important function
  5. waybar-tomato-click.sh - ✅ ACTIVE
    • Used by waybar tomato timer module (on-click handler)
    • Used by Hyprland keybinding ($mod comma)
    • Status: Keep, serves important function
  6. waybar-tomato-timer.py - ✅ ACTIVE
    • Used by waybar custom/tomato-timer module (visible in main waybar)
    • Pomodoro timer functionality
    • Status: Keep, serves important function
  7. window-switcher.sh - ✅ ACTIVE
    • Used by Hyprland keybinding ($mod TAB)
    • Fuzzel-based window switching across workspaces
    • Status: Keep, serves important function

✅ AUDITED - config/bin/ (direct files):

  1. archriot-config - ✅ ACTIVE
    • Core configuration system used by archriot-control-panel
    • Centralized settings management
    • Status: Keep, core component
  2. archriot-control-panel - ✅ ACTIVE
    • Used by Hyprland keybinding ($mod C) and power menu
    • Main ArchRiot settings interface
    • Status: Keep, core component
  3. battery-monitor - ✅ ACTIVE
    • Used by systemd timer service for battery alerts
    • Enabled during installation process
    • Status: Keep, serves important function
  4. power-menu - ✅ ACTIVE
    • Used by Hyprland keybinding ($mod ESCAPE) and waybar
    • System power management interface
    • Status: Keep, core component
  5. setup-temperature - ✅ ACTIVE
    • Used by installer to configure waybar temperature sensors
    • One-time setup script for hardware detection
    • Status: Keep, serves important function
  6. swaybg-next - ✅ ACTIVE
    • Used by Hyprland keybinding ($mod CTRL SPACE)
    • Wallpaper cycling functionality
    • Status: Keep, serves important function
  7. version-check - ✅ ACTIVE
    • Used by systemd timer service and waybar update module
    • Automated update checking and notification
    • Status: Keep, core component
  8. waybar-workspace-click.sh - ✅ ACTIVE
    • Used by waybar workspace modules for safe workspace switching
    • Prevents invalid workspace navigation
    • Status: Keep, serves important function
  9. welcome - ✅ ACTIVE
    • Used by Hyprland exec-once for first-run welcome dialog
    • User onboarding and education
    • Status: Keep, serves important function
  10. zed-wayland - ✅ ACTIVE
    • Used by Zed editor desktop application as Wayland launcher
    • Ensures proper Wayland integration for Zed
    • Status: Keep, serves important function

✅ AUDITED - config/waybar/scripts/:

  1. archriot-update.sh - ✅ ACTIVE
    • Used by waybar custom/archriot-update module (visible in main waybar)
    • Three-state update notification system
    • Status: Keep, core component
  2. mullvad-click.sh - ✅ ACTIVE
    • Used by waybar custom/mullvad module for click handling
    • Smart connect/disconnect logic
    • Status: Keep, serves important function
  3. mullvad-status.sh - ✅ ACTIVE
    • Used by waybar custom/mullvad module for status display
    • Shows VPN connection status and location
    • Status: Keep, serves important function
  4. wifi-selector.sh - ✅ ACTIVE
    • Used by waybar network module for WiFi management
    • Launches iwgtk for proper wireless configuration
    • Status: Keep, serves important function

📋 FINAL AUDIT SUMMARY:

SCRIPTS TO KEEP (22): All remaining scripts are actively used and properly integrated

SCRIPTS REMOVED (4): ✅ COMPLETED

  • Hypridle.sh - unused idle management script
  • waybar-mic-status.py - unused microphone status display
  • show-keybindings - unused keybinding display
  • version - unused, overlapped with version-check
  • upgrade-system - superseded by integrated archriot upgrade functionality

ACTIONS COMPLETED:

  • ✅ Fixed waybar brightness module parameters to match Brightness.sh
  • ✅ Removed all unused scripts from repository
  • ✅ Updated README to reflect integrated upgrade functionality
  • ✅ Complete audit of all config/bin/ and config/waybar/scripts/ files

RESULT: Repository is now clean with only actively used scripts remaining

NEXT STEPS

Remaining Task:

  • TASK 1: Secure Boot Enablement - Complex security enhancement requiring UEFI firmware interaction, key management, and bootloader signing

Phased Implementation Plan:

PHASE 1: Detection & User Interface (Low Risk)

  • Add Secure Boot status detection using existing system calls
  • Extend existing TUI message types in source/tui/messages.go
  • Add new input mode to existing source/tui/model.go system
  • Integrate Secure Boot prompt into existing installation flow
  • Deliverable: User sees Secure Boot status and can choose to enable it

PHASE 2: Key Management Foundation (Medium Risk)

  • Implement secure key generation (PK, KEK, db hierarchy)
  • Add key storage and backup mechanisms
  • Create validation functions for key integrity
  • Deliverable: Secure Boot keys can be generated and managed safely

PHASE 3: Bootloader Integration (High Risk)

  • Sign GRUB/systemd-boot with generated keys
  • Implement pacman hook for automatic kernel signing
  • Add recovery mechanisms if signing fails
  • Deliverable: System can boot with Secure Boot enabled

PHASE 4: User Guidance & Recovery (Medium Risk)

  • Vendor-specific UEFI setup instructions
  • Automated verification of Secure Boot status
  • Recovery tools if Secure Boot breaks system
  • Deliverable: Complete, production-ready Secure Boot enablement

Recommended Next Action: Start with Phase 1 - low risk TUI integration to establish foundation

VERSION HISTORY

  • v2.9.7: Kernel upgrade reboot detection - intelligent reboot prompting
  • v2.9.6: Blue light persistence, Plymouth progress fixes, control panel –reapply
  • v2.9.5: System upgrade integration, AUR resilience enhancements
  • v2.9.4: Core installer stability improvements