SESSION: P16g Phase 11 Validation Run

Summary

Post-reboot validation of the ThinkPad P16g deployment. Audio confirmed working (pw-play through CS35L56 speakers). Full Phase 11 verification executed: boot, encryption, security, desktop, development, secrets, network. 5 issues identified, doc corrections applied.

Trigger: Reboot to load sof-firmware for onboard speakers (installed in prior session).

Audio Verification (Post-Reboot)

PipeWire Status

wpctl status
Output
PipeWire 'pipewire-0' [1.6.2, evanusmodestus@modestus-p16g, cookie:862856192]
 └─ Clients:
        32. xdg-desktop-portal-hyprland         [1.6.2]
        33. WirePlumber                         [1.6.2]
        41. WirePlumber [export]                [1.6.2]
        42. pipewire                            [1.6.2]
        44. waybar                              [1.6.2]

Audio
 ├─ Devices:
 │      45. GB203 High Definition Audio Controller [alsa]
 │      46. 800 Series ACE (Audio Context Engine) [alsa]
 │
 ├─ Sinks:
 │      61. 800 Series ACE HDMI / DisplayPort 3 Output [vol: 1.00]
 │      62. 800 Series ACE HDMI / DisplayPort 2 Output [vol: 1.00]
 │      63. 800 Series ACE HDMI / DisplayPort 1 Output [vol: 1.00]
 │      64. 800 Series ACE Headphones [vol: 1.00]
 │  *   65. 800 Series ACE Speaker [vol: 0.40]
 │
 ├─ Sources:
 │      66. 800 Series ACE Headset Microphone [vol: 1.00]
 │  *   67. 800 Series ACE Digital Microphone [vol: 1.00]

ALSA Sound Cards

cat /proc/asound/cards
Output
 0 [NVidia         ]: HDA-Intel - HDA NVidia
                      HDA NVidia at 0x84000000 irq 17
 1 [sofsoundwire   ]: sof-soundwire - sof-soundwire
                      LENOVO-21V50016US-ThinkPadT16gGen3

Audio Sinks (All)

pactl list sinks short
Output
61  alsa_output.pci-0000_80_1f.3-platform-sof_sdw.HiFi__HDMI3__sink       PipeWire  s32le 2ch 48000Hz  SUSPENDED
62  alsa_output.pci-0000_80_1f.3-platform-sof_sdw.HiFi__HDMI2__sink       PipeWire  s32le 2ch 48000Hz  SUSPENDED
63  alsa_output.pci-0000_80_1f.3-platform-sof_sdw.HiFi__HDMI1__sink       PipeWire  s32le 2ch 48000Hz  SUSPENDED
64  alsa_output.pci-0000_80_1f.3-platform-sof_sdw.HiFi__Headphones__sink  PipeWire  s32le 2ch 48000Hz  SUSPENDED
65  alsa_output.pci-0000_80_1f.3-platform-sof_sdw.HiFi__Speaker__sink     PipeWire  s32le 2ch 48000Hz  SUSPENDED

Audio Sources (All)

pactl list sources short
Output
61  alsa_output...HDMI3__sink.monitor       PipeWire  s32le 2ch 48000Hz  SUSPENDED
62  alsa_output...HDMI2__sink.monitor       PipeWire  s32le 2ch 48000Hz  SUSPENDED
63  alsa_output...HDMI1__sink.monitor       PipeWire  s32le 2ch 48000Hz  SUSPENDED
64  alsa_output...Headphones__sink.monitor  PipeWire  s32le 2ch 48000Hz  SUSPENDED
65  alsa_output...Speaker__sink.monitor     PipeWire  s32le 2ch 48000Hz  SUSPENDED
66  alsa_input...HiFi__Headset__source      PipeWire  s32le 2ch 48000Hz  SUSPENDED
67  alsa_input...HiFi__Mic__source          PipeWire  s32le 2ch 48000Hz  SUSPENDED

Kernel Audio Messages (This Boot)

journalctl -b --grep='sof|sdw|sound|audio|codec' --no-pager | tail -30
Output — CS35L56 firmware loaded cleanly
sof-audio-pci-intel-mtl 0000:80:1f.3: loading topology: intel/sof-ipc4-tplg/sof-arl-cs42l43-l0-cs35l56-l2-2ch.tplg
sof-audio-pci-intel-mtl 0000:80:1f.3: Topology: ABI 3:29:1 Kernel ABI 3:23:1
cs35l56 sdw:0:2:01fa:3556:01:0: supply VDD_B not found, using dummy regulator
cs35l56 sdw:0:2:01fa:3556:01:0: supply VDD_AMP not found, using dummy regulator
cs35l56 sdw:0:2:01fa:3556:01:1: supply VDD_B not found, using dummy regulator
cs35l56 sdw:0:2:01fa:3556:01:1: supply VDD_AMP not found, using dummy regulator
cs35l56 sdw:0:2:01fa:3556:01:1: DSP1: cirrus/cs35l56-b0-dsp1-misc-17aa2347.wmfw: format 3
cs35l56 sdw:0:2:01fa:3556:01:1: DSP1: Tue 01 Jul 2025 18:54:52 Central Daylight Time
cs35l56 sdw:0:2:01fa:3556:01:0: DSP1: cirrus/cs35l56-b0-dsp1-misc-17aa2347.wmfw: format 3
cs35l56 sdw:0:2:01fa:3556:01:0: DSP1: Tue 01 Jul 2025 18:54:52 Central Daylight Time
cs35l56 sdw:0:2:01fa:3556:01:0: DSP1: Firmware: 1a10d6 vendor: 0x2 v3.13.3, 41 algorithms
cs35l56 sdw:0:2:01fa:3556:01:1: DSP1: Firmware: 1a10d6 vendor: 0x2 v3.13.3, 41 algorithms
cs35l56 sdw:0:2:01fa:3556:01:0: DSP1: cirrus/cs35l56-b0-dsp1-misc-17aa2347-amp1.bin: v3.13.3
cs35l56 sdw:0:2:01fa:3556:01:1: DSP1: cirrus/cs35l56-b0-dsp1-misc-17aa2347-amp2.bin: v3.13.3
cs35l56 sdw:0:2:01fa:3556:01:0: Calibration applied
cs35l56 sdw:0:2:01fa:3556:01:0: Tuning PID: 0x15, SID: 0x7, TID: 0x4
cs35l56 sdw:0:2:01fa:3556:01:1: Calibration applied
cs35l56 sdw:0:2:01fa:3556:01:1: Tuning PID: 0x25, SID: 0x7, TID: 0x4
input: sof-soundwire Jack as /devices/pci0000:80/0000:80:1f.3/sof_sdw/sound/card1/input29
input: sof-soundwire HDMI/DP,pcm=5 as .../input30
input: sof-soundwire HDMI/DP,pcm=6 as .../input31
input: sof-soundwire HDMI/DP,pcm=7 as .../input32
dummy regulator warnings for VDD_B/VDD_AMP are standard on this platform — no real supply regulators exposed via ACPI. Harmless.

Audio Test

# speaker-test not available (alsa-utils not installed)
speaker-test -D pipewire -c 2 -t wav -l 1
# zsh: command not found: speaker-test

# pw-play is native PipeWire — works without alsa-utils
pw-play --target 65 /usr/share/sounds/freedesktop/stereo/bell.oga

Result: ✅ Sound played through onboard speakers (sink 65, CS35L56 x2).

Phase 11: Full System Validation

System Health

systemctl --failed
Output
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

Result: ✅ Zero failed services.

systemd-analyze
Output
Startup finished in 17.583s (firmware) + 3.850s (loader) + 1min 15.868s (kernel) + 17.168s (userspace) = 1min 54.471s
graphical.target reached after 16.911s in userspace.
1m16s kernel time is dominated by LUKS passphrase entry + decrypt. Userspace is fast (17s to graphical).

Boot & Encryption

uname -r
Output: 6.19.10-arch1-1
lsblk -f | grep -E 'crypto_LUKS|crypt'
Output
├─nvme0n1p3   crypto_LUKS 2   a33cc5e6-...
│ └─cryptroot btrfs  archroot  4de1f373-...  187.9G  24%  /var/log
└─nvme0n1p4   crypto_LUKS 2   4cba46dd-...
  └─crypthome btrfs  archhome  4fcc4995-...    1.6T   1%  /home

Result: ✅ Dual LUKS volumes open — cryptroot (btrfs, 24% used) + crypthome (btrfs, 1% used).

zramctl
Output
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 zstd         31.1G   4K   64B   20K         [SWAP]

Result: ✅ 31.1G zram with zstd compression active.

bootctl list
Output (summarized)
Arch Linux (arch.conf) (default) (selected)     — ESP, vmlinuz-linux
Arch Linux LTS (arch-lts.conf)                  — ESP, vmlinuz-linux-lts
Arch Linux (fallback) (arch-fallback.conf)       — ESP, initramfs-linux-fallback.img (No such file or directory)

Result: ⚠️ Fallback entry references missing initramfs-linux-fallback.img on ESP. Pacman hook only copies main initramfs.

diff <(md5sum /boot/vmlinuz-linux | awk '{print $1}') \
     <(md5sum /boot/efi/vmlinuz-linux | awk '{print $1}') && echo "ESP KERNEL MATCH"
Output: ESP KERNEL MATCH

Result: ✅ ESP kernel synced with /boot.

grep apparmor /proc/cmdline
Output
initrd=\intel-ucode.img initrd=\initramfs-linux.img
cryptdevice=UUID=a33cc5e6-...:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ rw
nvidia_drm.modeset=1 mem_sleep_default=s2idle acpi_mask_gpe=0x6E
lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor=1 security=apparmor

Result: ✅ AppArmor in cmdline with full LSM stack.

Security

cat /sys/kernel/security/lsm
Output: capability,landlock,lockdown,yama,apparmor,bpf

Result: ✅ Full LSM stack active.

sudo aa-status requires terminal password prompt — not available in non-interactive session. AppArmor confirmed active via LSM stack + kernel cmdline. 
ss -tlnp | awk 'NR>1{print $4, $6}' | sort
Output
0.0.0.0:22
127.0.0.1:11434
127.0.0.1:34695
[::]:22

Result: ✅ Clean port audit — SSH (22), Ollama localhost (11434), one ephemeral. No unexpected listeners.

Desktop Environment

echo $XDG_SESSION_TYPE
Output: wayland
nvidia-smi --query-gpu=name,driver_version,memory.total --format=csv,noheader
Output: NVIDIA GeForce RTX 5090 Laptop GPU, 595.58.03, 24463 MiB

Result: ✅ RTX 5090, driver 595.58.03, 24GB GDDR7.

systemctl is-active nvidia-persistenced.service
Output: inactive

Result: ❌ NVIDIA persistence daemon not running. Phase 6 documents enabling it but was never executed.

bluetoothctl show | grep -E 'Name|Powered|Address'
Output
Name: modestus-p16g
Powered: yes

Result: ✅ Bluetooth controller powered.

for proc in waybar mako pipewire wireplumber; do
    pgrep -x $proc > /dev/null && echo "✓ $proc" || echo "✗ $proc MISSING"
done
Output
✓ waybar
✓ mako
✓ pipewire
✓ wireplumber

Result: ✅ All desktop processes running.

wpctl status | grep -A5 'Sinks:'
Output
 ├─ Sinks:
 │      61. 800 Series ACE HDMI / DisplayPort 3 Output [vol: 1.00]
 │      62. 800 Series ACE HDMI / DisplayPort 2 Output [vol: 1.00]
 │      63. 800 Series ACE HDMI / DisplayPort 1 Output [vol: 1.00]
 │      64. 800 Series ACE Headphones [vol: 1.00]
 │  *   65. 800 Series ACE Speaker [vol: 0.40]

Result: ✅ Real audio devices — no Dummy Output. Speaker is default sink.

hyprctl monitors failed with HYPRLAND_INSTANCE_SIGNATURE not set — expected in SSH session (env var only set in Hyprland’s TTY).

Development Tools

python3 --version && node --version && rustc --version && go version
Output
Python 3.14.3
v25.8.2
rustc 1.94.1 (e408947bf 2026-03-25) (Arch Linux rust 1:1.94.1-1)
go version go1.26.1-X:nodwarf5 linux/amd64
uv --version && npm --version && cargo --version
Output
uv 0.11.3 (x86_64-unknown-linux-gnu)
11.12.1
cargo 1.94.1 (29ea6fb6a 2026-03-24) (Arch Linux rust 1:1.94.1-1)
nvim --version | head -1
ls ~/.config/nvim/init.lua
Output: NVIM v0.11.7 — config OK.
claude --version
Output: 2.1.92 (Claude Code)
ssh -T git@github.com
Output: ssh_askpass: exec(/usr/lib/ssh/ssh-askpass): No such file or directory

Result: ⚠️ SSH to GitHub failed in non-interactive context — ssh-askpass not installed. Works fine in terminal with agent.

gpg --list-secret-keys --keyid-format long | grep -c sec
Output: 1

Result: ✅ One GPG secret key present.

ls ~/.ssh/id_ed25519_* | wc -l
Output: 27

Result: ✅ 27 SSH key files present.

gopass ls | head -5
Output
gopass
├── v2 (/home/evanusmodestus/.local/share/gopass/stores/v2)
│   ├── ARCANA/
│   │   ├── api/
│   │   │   └── domus/

Result: ✅ gopass v2 store accessible.

Secrets & Credentials

ls ~/.credentials/
Output: directory does not exist.

Result: ❌ gocryptfs vault not mounted. Needs gcvault mount credentials.

openssl x509 -in /etc/ssl/certs/modestus-p16g-eaptls.pem -noout -enddate
Output: notAfter=Apr 3 21:32:06 2027 GMT

Result: ✅ EAP-TLS cert valid until April 2027.

Network & Connectivity

nmcli connection show --active | grep -i domus
Output: Domus-WiFi-EAP-TLS 8a212f0f-101e-4f39-ba0d-76811ef708b9 wifi wlan0

Result: ✅ WiFi EAP-TLS active on wlan0.

dig +short vault-01.inside.domusdigitalis.dev
Output: command not found: dig

Result: ⚠️ bind-tools not installed. DNS works (EAP-TLS connected, Ollama running) but dig unavailable for diagnostics.

AI Stack

systemctl is-active ollama.service
Output: active

Result: ✅ Ollama running.

Validation Summary

Check Status Notes

No failed systemd services

0 failed

Kernel booted

6.19.10-arch1-1

LUKS volumes open

cryptroot + crypthome

zram swap active

31.1G zstd

ESP kernel synced

md5sum match

Boot entries valid

⚠️

Fallback initramfs missing on ESP

AppArmor in kernel cmdline

Full LSM stack

LSM stack correct

capability,landlock,lockdown,yama,apparmor,bpf

Open ports clean

SSH + Ollama localhost only

NVIDIA GPU detected

RTX 5090, 595.58.03, 24GB

NVIDIA persistenced

Not enabled

Wayland session

wayland

Audio (not Dummy Output)

CS35L56 speakers, CS42L43 headphones

Audio playback tested

pw-play confirmed

Bluetooth controller

Powered, named modestus-p16g

Desktop processes

waybar, mako, pipewire, wireplumber

Python 3.14.3

Node 25.8.2

Rust 1.94.1

Go 1.26.1

uv / npm / cargo

Neovim 0.11.7 + config

Claude Code 2.1.92

Git SSH (GitHub)

⚠️

ssh-askpass missing for non-interactive

GPG key present

1 secret key

SSH keys

27 files

gopass accessible

gocryptfs vault

Not mounted

WiFi EAP-TLS active

EAP-TLS cert valid

Expires Apr 2027

DNS diagnostics

⚠️

dig not installed (bind-tools)

Ollama running

Score: 25/31 pass, 4 warnings, 2 failures.

Issues Found

Issue 1: nvidia-persistenced inactive

Phase 6 documents sudo systemctl enable --now nvidia-persistenced.service but it was never executed.

sudo systemctl enable --now nvidia-persistenced.service
systemctl is-active nvidia-persistenced.service

Issue 2: Fallback initramfs missing on ESP

The pacman hook (99-esp-kernel-sync.hook) copies initramfs-linux.img and initramfs-linux-lts.img but not initramfs-linux-fallback.img. The fallback boot entry on ESP references it.

Options:

  1. Update hook to also copy fallback images (increases ESP usage)

  2. Remove fallback boot entry from ESP (fallback still works from XBOOTLDR /boot)

# Option 1: copy fallback to ESP
sudo cp /boot/initramfs-linux-fallback.img /boot/efi/
# Then update hook to include fallback in future syncs

# Option 2: remove fallback entry from ESP
sudo rm /boot/efi/loader/entries/arch-fallback.conf

Issue 3: gocryptfs vault not mounted

gcvault mount credentials
ls ~/.credentials/

Issue 4: bind-tools not installed

sudo pacman -S bind
# Provides: dig, nslookup, host

Issue 5: ssh-askpass not installed

Non-interactive SSH contexts (tools, scripts) fail when key requires passphrase prompt.

sudo pacman -S x11-ssh-askpass
# Or for Wayland-native: yay -S ssh-askpass-fullscreen

Doc Corrections Applied

Updated phase-6-desktop.adoc — replaced all 3 speaker-test references with pw-play:

  • Line 158: speaker-test -c 2 -t wavpw-play /usr/share/sounds/freedesktop/stereo/bell.oga + added --target variant

  • Line 272: Bluetooth audio test → pw-play

  • Line 469: Phase 6 checklist label → pw-play

Rationale: speaker-test requires alsa-utils which is not in the Phase 5/6 package list. pw-play is native to PipeWire (already installed) and is the correct tool for this stack.