Appendix: Scope Creep & Backlog

Scope Creep & Backlog

Items discovered during deployment that should have been planned but weren’t:

Item Priority Notes

Item	Priority	Notes
gocryptfs vault mount (`~/.credentials/`, Claude Code creds)	P0	gocryptfs installed but vault not initialized. Claude Code needs `credentials.json` from mounted vault.
Vault SSH certificates for machine-to-machine auth	P0	`TrustedUserCAKeys` not configured in sshd. Currently using authorized_keys + YubiKey FIDO2 as workaround.
Re-issue EAP-TLS cert with `modestus-p16g` CN	P0	Current cert has `modestus-t16g` — hostname corrected but cert/nmcli identity still wrong.
Update nmcli WiFi identity to `modestus-p16g`	P0	`nmcli connection modify "Domus-WiFi-EAP-TLS" 802-1x.identity "modestus-p16g.inside.domusdigitalis.dev"`
Re-encrypt SSH config with P16g entry	P0	Added `modestus-p16g` to SSH config Host block, need `age -e` and commit to dots-quantum.
Fix git remote URLs cloned with port 443 workaround	P1	dots-quantum cloned with `ssh://ssh.github.com:443/` — fixed with `git remote set-url`. Check other repos.
Razer `env-gpu.conf` symlink	P1	`hosts/razer/env-gpu.conf` existed but wasn’t symlinked to `~/.config/hypr/`. Fixed manually.
P16g `env-gpu.conf` not in stow path	P1	Created at `~/.config/hypr/env-gpu.conf` directly. Should be in `hosts/p16g/` and symlinked.
Phase 9: Clone all domus-* repos	P1	15 spoke repos + project repos not cloned yet.
Phase 10: Ollama storage + model pulls	P1	Ollama not installed. Bind mount, model pulls, custom modelfiles, API service.
Phase 11: Verification checklist + btrfs snapshot	P1	Full verification not run. No clean-state snapshot taken.
Pacman hook for ESP kernel sync — needs testing	P2	Hook written but untested. Next kernel update will validate.
Multiple nvim configs cleanup	P2	Razer has `nvim` → instrumentum-nvim and `nvim-domus` → domus-nvim. P16g only has domus-nvim. Decide on canonical config.
ssh-agent persistence across sessions	P2	SSH keys require manual `ssh-add` + gopass passphrase every session. Consider keychain or systemd-based agent.
`.cargo/env` missing warning on login	P2 → RESOLVED	`.zshenv` sources `~/.cargo/env` but Rust installed via `rustup` not cargo. Fix applied Apr 4: guarded with `[[ -f ]] &&` in dots-quantum `zsh/.zshenv`.
`zsh-completions` not installed — autocompletion broken	P1 → PARTIAL	`pacman -S zsh-completions` missing from Phase 5 essential packages. Fix applied Apr 4: package installed, added to Phase 5 package list. However, `ls docs<TAB>` still shows `No matches for: '(when)'` even with `zsh-completions` installed. Same `.zshrc` and same `_eza` completion file (`/usr/share/zsh/site-functions/_eza`, eza 0.23.4-3) work on the Razer. Hypothesis: Razer’s `.zcompdump` is stale (cached from before the eza completion bug was introduced) and never rebuilt. P16g builds fresh and hits the bug. Next step: On Razer, run `stat -c '%y' ~/.zcompdump` to confirm staleness, then `rm -f ~/.zcompdump* && exec zsh` to see if the bug reproduces. If it does, the upstream `_eza` is broken — `'*:filename:_files'` on line 73 is placed before trailing option specs (lines 74-75) instead of being last in the `_arguments` spec.
`npm install` required on fresh clones of domus-* repos	P1	`node_modules/` is gitignored (correctly). `git clone` or `git pull` on a new machine does not bring dependencies — `npm install` must be run per-repo. Razer had `node_modules/` from prior install; P16g failed `make` with `Cannot find module '@antora/lunr-extension'`. Add to Phase 9 clone checklist.
No git-level pre-commit hook for AsciiDoc validation	P1	Claude Code hooks (`~/.claude/settings.json` PostToolUse) only fire inside Claude Code sessions. Terminal commits via `gach`/`git commit` skip AsciiDoc attribute validation entirely. Confirmed Apr 3: `gach` committed 11 .adoc files (tmux-quantum project) with zero validation. Need a git `pre-commit` hook or `core.hooksPath` in dots-quantum to cover terminal workflows. `.git/hooks/` is never tracked by git — must be deployed via stow, setup script, or `core.hooksPath` pointing to a tracked directory.
Docker not installed — Kroki diagram rendering unavailable	P1 → RESOLVED	`make serve` calls Kroki via `docker` — `/bin/bash: line 3: docker: command not found`. Fix applied Apr 3: `sudo pacman -S docker`, `sudo systemctl enable --now docker.service`, `sudo usermod -aG docker evanusmodestus`, `newgrp docker` (avoids full re-login).
`domus-antora-ui` UI bundle not built	P0 → RESOLVED	Repo was cloned but `build/ui-bundle.zip` never generated. Fix applied Apr 3: `cd ~/atelier/_bibliotheca/domus-antora-ui && npm install && npx gulp bundle`. Note: `npx --prefix` does NOT change cwd for gulp — must `cd` into the repo first.
`lsof` not installed — Makefile `serve` target warns	P2 → RESOLVED	Makefile uses `lsof -ti:8000` to kill stale server processes before serving. Missing on fresh Arch install. Fix applied Apr 3: `sudo pacman -S lsof`.
Stow audit table not portable between hosts	P1	Apr 3 stow audit showed `claude ✓` but was from Razer, not P16g. Claude Code hooks silently didn’t fire — `~/.claude/settings.json` wasn’t symlinked. Discovery: `git pull` alone is insufficient for domus-* builds. Every new machine needs: (1) `stow` all dots-quantum packages, (2) `npm install` per domus-* repo, (3) Docker + Kroki container, (4) `domus-antora-ui` UI bundle built. None tracked in git. New machine bootstrap checklist required in dots-quantum README or setup script.
P16g `.gitconfig.local` — placeholder identity, needs real values	P1	`hosts/p16g/.gitconfig.local` created Apr 4 with `REPLACE_WITH_YOUR_EMAIL` / `REPLACE_WITH_YOUR_NAME` placeholders + `gh auth git-credential` helper. Symlinked to `~/.gitconfig.local`. Edit with real identity before committing as this user. `git config user.email` currently returns placeholder.
`dots-quantum/setup` script package coverage unknown	P1	The `setup` script stows public packages but `claude` may not be included or may fail silently. Verify script stows ALL required packages including `claude`, `shell`, `bin`, `tmux`. Missing packages = broken workflows on new machines with zero indication of what failed.
AppArmor MAC deployment (SEC-001)	P0	No MAC on P16g since deployment (Apr 2). AppArmor installed + boot params configured Apr 5. Pending reboot + Phase 2 (complain-mode baseline) + Phase 3 (enforce high-risk profiles). Now tracked as Phase 12. Same gap exists on Razer. CR: AppArmor. INC-2026-04-04-002.
Audio not working — `Dummy Output` only, onboard speakers not detected	P1	PipeWire 1.6.2 running but only detects RTX 5090 HDMI audio (`GB203`), not onboard speakers. Sink is `Dummy Output`. Root cause: `sof-firmware` not installed — Intel SOF (Sound Open Firmware) needed for P16g onboard codec. Fix: `sudo pacman -S sof-firmware` + reboot. Discovered Apr 5.
Bluetooth audio not tested	P1	`bluez` + `bluez-utils` + `blueman` installed but Bluetooth audio pairing never verified. Check `systemctl is-active bluetooth.service`. May need additional PipeWire Bluetooth codec support. Discovered Apr 5.
`asciidoctor-pdf` + LaTeX math pipeline — can’t print field docs with equations	P1 → RESOLVED	Discovered Apr 5 during navigation curriculum work — needed to print land-nav docs (43 stem blocks, 14 inline) for solo mountain night nav. `gem install asciidoctor-pdf rouge` (v2.3.24). `asciidoctor-mathematical` gem failed to compile on Arch/Ruby 3.4 (mtex2MML C build failure). Built custom `adoc-stem` Python preprocessor: extracts LaTeX → renders via `texlive` + `dvisvgm` → SVG → replaces stem blocks with `image::` references. Integrated into `adoc` script’s `to_pdf()`. Requires `texlive-basic texlive-latexextra texlive-fontsrecommended`. Add to Phase 5 essential packages list. See dots-quantum `bin-package.adoc` partial.

gocryptfs vault mount (~/.credentials/, Claude Code creds)

gocryptfs installed but vault not initialized. Claude Code needs credentials.json from mounted vault.

Vault SSH certificates for machine-to-machine auth

TrustedUserCAKeys not configured in sshd. Currently using authorized_keys + YubiKey FIDO2 as workaround.

Re-issue EAP-TLS cert with modestus-p16g CN

Current cert has modestus-t16g — hostname corrected but cert/nmcli identity still wrong.

Update nmcli WiFi identity to modestus-p16g

nmcli connection modify "Domus-WiFi-EAP-TLS" 802-1x.identity "modestus-p16g.inside.domusdigitalis.dev"

Re-encrypt SSH config with P16g entry

Added modestus-p16g to SSH config Host block, need age -e and commit to dots-quantum.

Fix git remote URLs cloned with port 443 workaround

dots-quantum cloned with ssh://ssh.github.com:443/ — fixed with git remote set-url. Check other repos.

Razer env-gpu.conf symlink

hosts/razer/env-gpu.conf existed but wasn’t symlinked to ~/.config/hypr/. Fixed manually.

P16g env-gpu.conf not in stow path

Created at ~/.config/hypr/env-gpu.conf directly. Should be in hosts/p16g/ and symlinked.

Phase 9: Clone all domus-* repos

15 spoke repos + project repos not cloned yet.

Phase 10: Ollama storage + model pulls

Ollama not installed. Bind mount, model pulls, custom modelfiles, API service.

Phase 11: Verification checklist + btrfs snapshot

Full verification not run. No clean-state snapshot taken.

Pacman hook for ESP kernel sync — needs testing

Hook written but untested. Next kernel update will validate.

Multiple nvim configs cleanup

Razer has nvim → instrumentum-nvim and nvim-domus → domus-nvim. P16g only has domus-nvim. Decide on canonical config.

ssh-agent persistence across sessions

SSH keys require manual ssh-add + gopass passphrase every session. Consider keychain or systemd-based agent.

.cargo/env missing warning on login

P2 → RESOLVED

.zshenv sources ~/.cargo/env but Rust installed via rustup not cargo. Fix applied Apr 4: guarded with [[ -f ]] && in dots-quantum zsh/.zshenv.

zsh-completions not installed — autocompletion broken

P1 → PARTIAL

pacman -S zsh-completions missing from Phase 5 essential packages. Fix applied Apr 4: package installed, added to Phase 5 package list. However, ls docs<TAB> still shows No matches for: '(when)' even with zsh-completions installed. Same .zshrc and same _eza completion file (/usr/share/zsh/site-functions/_eza, eza 0.23.4-3) work on the Razer. Hypothesis: Razer’s .zcompdump is stale (cached from before the eza completion bug was introduced) and never rebuilt. P16g builds fresh and hits the bug. Next step: On Razer, run stat -c '%y' ~/.zcompdump to confirm staleness, then rm -f ~/.zcompdump* && exec zsh to see if the bug reproduces. If it does, the upstream _eza is broken — '*:filename:_files' on line 73 is placed before trailing option specs (lines 74-75) instead of being last in the _arguments spec.

npm install required on fresh clones of domus-* repos

node_modules/ is gitignored (correctly). git clone or git pull on a new machine does not bring dependencies — npm install must be run per-repo. Razer had node_modules/ from prior install; P16g failed make with Cannot find module '@antora/lunr-extension'. Add to Phase 9 clone checklist.

No git-level pre-commit hook for AsciiDoc validation

Claude Code hooks (~/.claude/settings.json PostToolUse) only fire inside Claude Code sessions. Terminal commits via gach/git commit skip AsciiDoc attribute validation entirely. Confirmed Apr 3: gach committed 11 .adoc files (tmux-quantum project) with zero validation. Need a git pre-commit hook or core.hooksPath in dots-quantum to cover terminal workflows. .git/hooks/ is never tracked by git — must be deployed via stow, setup script, or core.hooksPath pointing to a tracked directory.

Docker not installed — Kroki diagram rendering unavailable

P1 → RESOLVED

make serve calls Kroki via docker — /bin/bash: line 3: docker: command not found. Fix applied Apr 3: sudo pacman -S docker, sudo systemctl enable --now docker.service, sudo usermod -aG docker evanusmodestus, newgrp docker (avoids full re-login).

domus-antora-ui UI bundle not built

P0 → RESOLVED

Repo was cloned but build/ui-bundle.zip never generated. Fix applied Apr 3: cd ~/atelier/_bibliotheca/domus-antora-ui && npm install && npx gulp bundle. Note: npx --prefix does NOT change cwd for gulp — must cd into the repo first.

lsof not installed — Makefile serve target warns

P2 → RESOLVED

Makefile uses lsof -ti:8000 to kill stale server processes before serving. Missing on fresh Arch install. Fix applied Apr 3: sudo pacman -S lsof.

Stow audit table not portable between hosts

Apr 3 stow audit showed claude ✓ but was from Razer, not P16g. Claude Code hooks silently didn’t fire — ~/.claude/settings.json wasn’t symlinked. Discovery: git pull alone is insufficient for domus-* builds. Every new machine needs: (1) stow all dots-quantum packages, (2) npm install per domus-* repo, (3) Docker + Kroki container, (4) domus-antora-ui UI bundle built. None tracked in git. New machine bootstrap checklist required in dots-quantum README or setup script.

P16g .gitconfig.local — placeholder identity, needs real values

hosts/p16g/.gitconfig.local created Apr 4 with REPLACE_WITH_YOUR_EMAIL / REPLACE_WITH_YOUR_NAME placeholders + gh auth git-credential helper. Symlinked to ~/.gitconfig.local. Edit with real identity before committing as this user. git config user.email currently returns placeholder.

dots-quantum/setup script package coverage unknown

The setup script stows public packages but claude may not be included or may fail silently. Verify script stows ALL required packages including claude, shell, bin, tmux. Missing packages = broken workflows on new machines with zero indication of what failed.

AppArmor MAC deployment (SEC-001)

No MAC on P16g since deployment (Apr 2). AppArmor installed + boot params configured Apr 5. Pending reboot + Phase 2 (complain-mode baseline) + Phase 3 (enforce high-risk profiles). Now tracked as Phase 12. Same gap exists on Razer. CR: AppArmor. INC-2026-04-04-002.

Audio not working — Dummy Output only, onboard speakers not detected

PipeWire 1.6.2 running but only detects RTX 5090 HDMI audio (GB203), not onboard speakers. Sink is Dummy Output. Root cause: sof-firmware not installed — Intel SOF (Sound Open Firmware) needed for P16g onboard codec. Fix: sudo pacman -S sof-firmware + reboot. Discovered Apr 5.

Bluetooth audio not tested

bluez + bluez-utils + blueman installed but Bluetooth audio pairing never verified. Check systemctl is-active bluetooth.service. May need additional PipeWire Bluetooth codec support. Discovered Apr 5.

asciidoctor-pdf + LaTeX math pipeline — can’t print field docs with equations

P1 → RESOLVED

Discovered Apr 5 during navigation curriculum work — needed to print land-nav docs (43 stem blocks, 14 inline) for solo mountain night nav. gem install asciidoctor-pdf rouge (v2.3.24). asciidoctor-mathematical gem failed to compile on Arch/Ruby 3.4 (mtex2MML C build failure). Built custom adoc-stem Python preprocessor: extracts LaTeX → renders via texlive + dvisvgm → SVG → replaces stem blocks with image:: references. Integrated into adoc script’s to_pdf(). Requires texlive-basic texlive-latexextra texlive-fontsrecommended. Add to Phase 5 essential packages list. See dots-quantum bin-package.adoc partial.