flake: let module callers supply pkgs so overlays reach the build (#2244 )

The nixosModule/homeModule path previously called `buildDmsPkgs pkgs` but internally referenced `self.packages.${system}.default`, which was instantiated via `nixpkgs.legacyPackages`, an unoverlayed pkgs. That meant downstream flakes couldn't reach through their own overlays to the dms-shell build (e.g. to swap `kdePackages.sonnet` or trim perl out of the aspell closure). Extract the derivation as `mkDmsShell = pkgs: ...` at the top-level `let`, and call it from both `packages.${system}.dms-shell` (for direct consumers of the flake) and `buildDmsPkgs pkgs` (for module consumers, which now pass in the system's overlayed pkgs). Also re-checks overrideAttrs / .override still work: `mkDmsShell pkgs` is the same `pkgs.lib.makeOverridable` wrapper as before, just parameterized on the caller's pkgs instance. Co-authored-by: Lucas <43530291+LuckShiba@users.noreply.github.com>
Fixed mux tab having same id as locale tab (#2031 )
2026-05-03 02:52:07 -04:00 · 2026-04-28 22:59:59 -04:00 · 2026-04-28 16:34:31 -04:00 · 2026-04-28 16:34:29 -04:00 · 2026-04-28 16:26:33 -04:00 · 2026-04-28 16:03:24 -04:00
379 changed files with 29808 additions and 82093 deletions
--- a/.github/workflows/dms-stable.yml
+++ b/.github/workflows/dms-stable.yml
@@ -20,7 +20,7 @@ jobs:
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.app_token.outputs.token }}
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Install flatpak
        run: sudo apt update && sudo apt install -y flatpak
@@ -38,7 +38,7 @@ jobs:
        run: sudo flatpak install -y org.freedesktop.Platform/x86_64/24.08 app.zen_browser.zen

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: ./core/go.mod

--- a/.github/workflows/nix-pr-check.yml
+++ b/.github/workflows/nix-pr-check.yml
@@ -12,7 +12,7 @@ jobs:
    steps:

      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

--- a/.github/workflows/prek.yml
+++ b/.github/workflows/prek.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Install flatpak
        run: sudo apt update && sudo apt install -y flatpak
@@ -21,7 +21,7 @@ jobs:
        run: sudo flatpak install -y org.freedesktop.Platform/x86_64/24.08 app.zen_browser.zen

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: core/go.mod

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,13 +32,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.tag }}
          fetch-depth: 0

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: ./core/go.mod

@@ -106,7 +106,7 @@ jobs:

      - name: Upload artifacts (${{ matrix.arch }})
        if: matrix.arch == 'arm64'
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: core-assets-${{ matrix.arch }}
          path: |
@@ -120,7 +120,7 @@ jobs:

      - name: Upload artifacts with completions
        if: matrix.arch == 'amd64'
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: core-assets-${{ matrix.arch }}
          path: |
@@ -147,7 +147,7 @@ jobs:
  #         private-key: ${{ secrets.APP_PRIVATE_KEY }}

  #     - name: Checkout
-  #       uses: actions/checkout@v6
+  #       uses: actions/checkout@v4
  #       with:
  #         token: ${{ steps.app_token.outputs.token }}
  #         fetch-depth: 0
@@ -181,7 +181,7 @@ jobs:
      TAG: ${{ inputs.tag }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.tag }}
          fetch-depth: 0
@@ -192,12 +192,12 @@ jobs:
          git checkout ${TAG}

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: ./core/go.mod

      - name: Download core artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v4
        with:
          pattern: core-assets-*
          merge-multiple: true
--- a/.github/workflows/run-copr.yml
+++ b/.github/workflows/run-copr.yml
@@ -46,7 +46,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Determine version
        id: version
@@ -134,7 +134,7 @@ jobs:
          rpm -qpi "$SRPM"

      - name: Upload SRPM artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.package }}-stable-srpm-${{ steps.version.outputs.version }}
          path: ${{ steps.build.outputs.srpm_path }}
--- a/.github/workflows/run-obs.yml
+++ b/.github/workflows/run-obs.yml
@@ -9,8 +9,8 @@ on:
        type: choice
        options:
          - dms
-          - dms-greeter
          - dms-git
+          - dms-greeter
          - all
        default: "dms"
      rebuild_release:
@@ -32,7 +32,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -119,8 +119,9 @@ jobs:
              echo "🔄 Manual rebuild requested: $PKG (db$REBUILD)"

            elif [[ "$PKG" == "all" ]]; then
-              # Check each stable package and build list of those needing updates
+              # Check each package and build list of those needing updates
              PACKAGES_TO_UPDATE=()
+              check_dms_git && PACKAGES_TO_UPDATE+=("dms-git")
              if check_dms_stable; then
                PACKAGES_TO_UPDATE+=("dms")
                if [[ -n "$LATEST_TAG" ]]; then
@@ -139,7 +140,7 @@ jobs:
              else
                echo "packages=" >> $GITHUB_OUTPUT
                echo "has_updates=false" >> $GITHUB_OUTPUT
-                echo "✓ Both packages up to date"
+                echo "✓ All packages up to date"
              fi

            elif [[ "$PKG" == "dms-git" ]]; then
@@ -195,13 +196,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

-      - name: Wait before OBS upload
-        run: sleep 3
-
      - name: Determine packages to update
        id: packages
        run: |
@@ -247,7 +245,7 @@ jobs:
          fi

      - name: Update dms-git spec version
-        if: contains(steps.packages.outputs.packages, 'dms-git')
+        if: contains(steps.packages.outputs.packages, 'dms-git') || steps.packages.outputs.packages == 'all'
        run: |
          COMMIT_HASH=$(git rev-parse --short=8 HEAD)
          COMMIT_COUNT=$(git rev-list --count HEAD)
@@ -268,7 +266,7 @@ jobs:
          } > distro/opensuse/dms-git.spec

      - name: Update Debian dms-git changelog version
-        if: contains(steps.packages.outputs.packages, 'dms-git')
+        if: contains(steps.packages.outputs.packages, 'dms-git') || steps.packages.outputs.packages == 'all'
        run: |
          COMMIT_HASH=$(git rev-parse --short=8 HEAD)
          COMMIT_COUNT=$(git rev-list --count HEAD)
@@ -347,7 +345,7 @@ jobs:
          done

      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: ./core/go.mod

@@ -391,7 +389,7 @@ jobs:
          UPLOADED_PACKAGES=()
          SKIPPED_PACKAGES=()

-          # PACKAGES can be space-separated list (e.g., "dms dms-greeter" from "all" check)
+          # PACKAGES can be space-separated list (e.g., "dms-git dms" from "all" check)
          # Loop through each package and upload
          for PKG in $PACKAGES; do
            echo ""
--- a/.github/workflows/run-ppa.yml
+++ b/.github/workflows/run-ppa.yml
@@ -4,15 +4,9 @@ on:
  workflow_dispatch:
    inputs:
      package:
-        description: "Package to upload"
-        required: true
-        type: choice
-        options:
-          - dms
-          - dms-greeter
-          - dms-git
-          - all
-        default: "dms"
+        description: "Package to upload (dms, dms-git, dms-greeter, or all)"
+        required: false
+        default: "dms-git"
      rebuild_release:
        description: "Release number for rebuilds (e.g., 2, 3, 4 for ppa2, ppa3, ppa4)"
        required: false
@@ -31,7 +25,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -145,7 +139,7 @@ jobs:
            fi
          else
            # Fallback
-            echo "packages=dms" >> $GITHUB_OUTPUT
+            echo "packages=dms-git" >> $GITHUB_OUTPUT
            echo "has_updates=true" >> $GITHUB_OUTPUT
          fi

@@ -157,12 +151,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version-file: ./core/go.mod
          cache: false
@@ -215,7 +209,7 @@ jobs:
            echo "✓ Using rebuild release number: ppa$REBUILD_RELEASE"
          fi

-          # PACKAGES can be space-separated list (e.g., "dms-git dms dms-greeter" from "all" check)
+          # PACKAGES can be space-separated list (e.g., "dms-git dms" from "all" check)
          # Loop through each package and upload
          for PKG in $PACKAGES; do
            # Map package to PPA name
@@ -242,11 +236,7 @@ jobs:
              echo "🔄 Using rebuild release number: ppa$REBUILD_RELEASE"
            fi
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            # ppa-upload.sh uploads to questing + resolute when series is omitted
-            if ! bash distro/scripts/ppa-upload.sh "$PKG" "$PPA_NAME" ${REBUILD_RELEASE:+"$REBUILD_RELEASE"}; then
-              echo "::error::Upload failed for $PKG"
-              exit 1
-            fi
+            bash distro/scripts/ppa-upload.sh "$PKG" "$PPA_NAME" questing ${REBUILD_RELEASE:+"$REBUILD_RELEASE"}
          done

      - name: Summary
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -24,7 +24,7 @@ jobs:
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.app_token.outputs.token }}
--- a/CHANGELOG.MD
+++ b/CHANGELOG.MD
@@ -1,13 +1,5 @@
 This file is more of a quick reference so I know what to account for before next releases.

-# 1.5.0
- Overhauled shadows
- App ID changed to com.danklinux.dms - breaking for window rules
- Greeter stuff
- Terminal mux
- Locale overrides
- new neovim theming
-
 # 1.4.0

 - Overhauled system monitor, graphs, styling
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -86,9 +86,7 @@ touch .qmlls.ini

 4. Restart dms to generate the `.qmlls.ini` file

-5. Run `make lint-qml` from the repo root to lint QML entrypoints (requires the `.qmlls.ini` generated above). The script needs the **Qt 6** `qmllint`; it checks `qmllint6`, Fedora's `qmllint-qt6`, `/usr/lib/qt6/bin/qmllint`, then `qmllint` in `PATH`. If your Qt 6 binary lives elsewhere, set `QMLLINT=/path/to/qmllint`.
-
-6. Make your changes, test, and open a pull request.
+5. Make your changes, test, and open a pull request.

 ### I18n/Localization

--- a/8
+++ b/8
@@ -18,7 +18,7 @@ SHELL_INSTALL_DIR=$(DATA_DIR)/quickshell/dms
 ASSETS_DIR=assets
 APPLICATIONS_DIR=$(DATA_DIR)/applications

-.PHONY: all build clean lint-qml install install-bin install-shell install-completions install-systemd install-icon install-desktop uninstall uninstall-bin uninstall-shell uninstall-completions uninstall-systemd uninstall-icon uninstall-desktop help
+.PHONY: all build clean install install-bin install-shell install-completions install-systemd install-icon install-desktop uninstall uninstall-bin uninstall-shell uninstall-completions uninstall-systemd uninstall-icon uninstall-desktop help

 all: build

@@ -32,9 +32,6 @@ clean:
 	@$(MAKE) -C $(CORE_DIR) clean
 	@echo "Clean complete"

-lint-qml:
-	@./quickshell/scripts/qmllint-entrypoints.sh
-
 # Installation targets
 install-bin:
 	@echo "Installing $(BINARY_NAME) to $(INSTALL_DIR)..."
@@ -79,7 +76,7 @@ install-desktop:
 	@update-desktop-database -q $(APPLICATIONS_DIR) 2>/dev/null || true
 	@echo "Desktop entry installed"

-install: install-bin install-shell install-completions install-systemd install-icon install-desktop
+install: build install-bin install-shell install-completions install-systemd install-icon install-desktop
 	@echo ""
 	@echo "Installation complete!"
 	@echo ""
@@ -133,7 +130,6 @@ help:
 	@echo "  all (default)        - Build the DMS binary"
 	@echo "  build                - Same as 'all'"
 	@echo "  clean                - Clean build artifacts"
-	@echo "  lint-qml             - Run qmllint on shell entrypoints using the Quickshell tooling VFS"
 	@echo ""
 	@echo "Install:"
 	@echo "  install              - Build and install everything (requires sudo)"
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ Built with [Quickshell](https://quickshell.org/) and [Go](https://go.dev/)
 [![GitHub stars](https://img.shields.io/github/stars/AvengeMedia/DankMaterialShell?style=for-the-badge&labelColor=101418&color=ffd700)](https://github.com/AvengeMedia/DankMaterialShell/stargazers)
 [![GitHub License](https://img.shields.io/github/license/AvengeMedia/DankMaterialShell?style=for-the-badge&labelColor=101418&color=b9c8da)](https://github.com/AvengeMedia/DankMaterialShell/blob/master/LICENSE)
 [![GitHub release](https://img.shields.io/github/v/release/AvengeMedia/DankMaterialShell?style=for-the-badge&labelColor=101418&color=9ccbfb)](https://github.com/AvengeMedia/DankMaterialShell/releases)
-[![Arch version](https://img.shields.io/archlinux/v/extra/x86_64/dms-shell?style=for-the-badge&labelColor=101418&color=9ccbfb)](https://archlinux.org/packages/extra/x86_64/dms-shell/)
+[![AUR version](https://img.shields.io/aur/version/dms-shell-bin?style=for-the-badge&labelColor=101418&color=9ccbfb)](https://aur.archlinux.org/packages/dms-shell-bin)
 [![AUR version (git)](<https://img.shields.io/aur/version/dms-shell-git?style=for-the-badge&labelColor=101418&color=9ccbfb&label=AUR%20(git)>)](https://aur.archlinux.org/packages/dms-shell-git)
 [![Ko-Fi donate](https://img.shields.io/badge/donate-kofi?style=for-the-badge&logo=ko-fi&logoColor=ffffff&label=ko-fi&labelColor=101418&color=f16061&link=https%3A%2F%2Fko-fi.com%2Fdanklinux)](https://ko-fi.com/danklinux)

--- a/core/.mockery.yml
+++ b/core/.mockery.yml
@@ -28,12 +28,6 @@ packages:
      outpkg: mocks_brightness
    interfaces:
      DBusConn:
-  github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation:
-    config:
-      dir: "internal/mocks/geolocation"
-      outpkg: mocks_geolocation
-    interfaces:
-      Client:
  github.com/AvengeMedia/DankMaterialShell/core/internal/server/network:
    config:
      dir: "internal/mocks/network"
--- a/core/.pre-commit-config.yaml
+++ b/core/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/golangci/golangci-lint
-    rev: v2.10.1
+    rev: v2.9.0
    hooks:
      - id: golangci-lint-fmt
        require_serial: true
--- a/core/Makefile
+++ b/core/Makefile
@@ -63,19 +63,19 @@ endif

 build-all: build dankinstall

-install:
+install: build
 	@echo "Installing $(BINARY_NAME) to $(INSTALL_DIR)..."
 	@install -D -m 755 $(BUILD_DIR)/$(BINARY_NAME) $(INSTALL_DIR)/$(BINARY_NAME)
 	@echo "Installation complete"

-install-all:
+install-all: build-all
 	@echo "Installing $(BINARY_NAME) to $(INSTALL_DIR)..."
 	@install -D -m 755 $(BUILD_DIR)/$(BINARY_NAME) $(INSTALL_DIR)/$(BINARY_NAME)
 	@echo "Installing $(BINARY_NAME_INSTALL) to $(INSTALL_DIR)..."
 	@install -D -m 755 $(BUILD_DIR)/$(BINARY_NAME_INSTALL) $(INSTALL_DIR)/$(BINARY_NAME_INSTALL)
 	@echo "Installation complete"

-install-dankinstall:
+install-dankinstall: dankinstall
 	@echo "Installing $(BINARY_NAME_INSTALL) to $(INSTALL_DIR)..."
 	@install -D -m 755 $(BUILD_DIR)/$(BINARY_NAME_INSTALL) $(INSTALL_DIR)/$(BINARY_NAME_INSTALL)
 	@echo "Installation complete"
--- a/core/README.md
+++ b/core/README.md
@@ -10,7 +10,7 @@ Go-based backend for DankMaterialShell providing system integration, IPC, and in
 Command-line interface and daemon for shell management and system control.

 **dankinstall**
-Distribution-aware installer for deploying DMS and compositor configurations on Arch, Fedora, Debian, Ubuntu, openSUSE, and Gentoo. Supports both an interactive TUI and a headless (unattended) mode via CLI flags.
+Distribution-aware installer with TUI for deploying DMS and compositor configurations on Arch, Fedora, Debian, Ubuntu, openSUSE, and Gentoo.

 ## System Integration

@@ -147,50 +147,10 @@ go-wayland-scanner -i internal/proto/xml/wlr-gamma-control-unstable-v1.xml \

 ## Installation via dankinstall

-**Interactive (TUI):**
-
 ```bash
 curl -fsSL https://install.danklinux.com | sh
 ```

-**Headless (unattended):**
-
-Headless mode requires cached sudo credentials. Run `sudo -v` first:
-
-```bash
-sudo -v && curl -fsSL https://install.danklinux.com | sh -s -- -c niri -t ghostty -y
-sudo -v && curl -fsSL https://install.danklinux.com | sh -s -- -c hyprland -t kitty --include-deps dms-greeter -y
-```
-
-| Flag | Short | Description |
-|------|-------|-------------|
-| `--compositor <niri|hyprland>` | `-c` | Compositor/WM to install (required for headless) |
-| `--term <ghostty|kitty|alacritty>` | `-t` | Terminal emulator (required for headless) |
-| `--include-deps <name,...>` | | Enable optional dependencies (e.g. `dms-greeter`) |
-| `--exclude-deps <name,...>` | | Skip specific dependencies |
-| `--replace-configs <name,...>` | | Replace specific configuration files (mutually exclusive with `--replace-configs-all`) |
-| `--replace-configs-all` | | Replace all configuration files (mutually exclusive with `--replace-configs`) |
-| `--yes` | `-y` | Required for headless mode — confirms installation without interactive prompts |
-
-Headless mode requires `--yes` to proceed; without it, the installer exits with an error.
-Configuration files are not replaced by default unless `--replace-configs` or `--replace-configs-all` is specified.
-`dms-greeter` is disabled by default; use `--include-deps dms-greeter` to enable it.
-
-When no flags are provided, `dankinstall` launches the interactive TUI.
-
-### Headless mode validation rules
-
-Headless mode activates when `--compositor` or `--term` is provided.
-
- Both `--compositor` and `--term` are required; providing only one results in an error.
- Headless-only flags (`--include-deps`, `--exclude-deps`, `--replace-configs`, `--replace-configs-all`, `--yes`) are rejected in TUI mode.
- Positional arguments are not accepted.
-
-### Log file location
-
-`dankinstall` writes logs to `/tmp` by default.
-Set the `DANKINSTALL_LOG_DIR` environment variable to override the log directory.
-
 ## Supported Distributions

 Arch, Fedora, Debian, Ubuntu, openSUSE, Gentoo (and derivatives)
--- a/core/cmd/dankinstall/main.go
+++ b/core/cmd/dankinstall/main.go
@@ -3,152 +3,20 @@ package main
 import (
 	"fmt"
 	"os"
-	"strings"

-	"github.com/AvengeMedia/DankMaterialShell/core/internal/headless"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/tui"
 	tea "github.com/charmbracelet/bubbletea"
-	"github.com/spf13/cobra"
 )

 var Version = "dev"

-// Flag variables bound via pflag
-var (
-	compositor        string
-	term              string
-	includeDeps       []string
-	excludeDeps       []string
-	replaceConfigs    []string
-	replaceConfigsAll bool
-	yes               bool
-)
-
-var rootCmd = &cobra.Command{
-	Use:   "dankinstall",
-	Short: "Install DankMaterialShell and its dependencies",
-	Long: `dankinstall sets up DankMaterialShell with your chosen compositor and terminal.
-
-Without flags, it launches an interactive TUI. Providing either --compositor
-or --term activates headless (unattended) mode, which requires both flags.
-
-Headless mode requires cached sudo credentials. Run 'sudo -v' beforehand, or
-configure passwordless sudo for your user.`,
-	Args:          cobra.NoArgs,
-	RunE:          runDankinstall,
-	SilenceErrors: true,
-	SilenceUsage:  true,
-}
-
-func init() {
-	rootCmd.Flags().StringVarP(&compositor, "compositor", "c", "", "Compositor/WM to install: niri or hyprland (enables headless mode)")
-	rootCmd.Flags().StringVarP(&term, "term", "t", "", "Terminal emulator to install: ghostty, kitty, or alacritty (enables headless mode)")
-	rootCmd.Flags().StringSliceVar(&includeDeps, "include-deps", []string{}, "Optional deps to enable (e.g. dms-greeter)")
-	rootCmd.Flags().StringSliceVar(&excludeDeps, "exclude-deps", []string{}, "Deps to skip during installation")
-	rootCmd.Flags().StringSliceVar(&replaceConfigs, "replace-configs", []string{}, "Deploy only named configs (e.g. niri,ghostty)")
-	rootCmd.Flags().BoolVar(&replaceConfigsAll, "replace-configs-all", false, "Deploy and replace all configurations")
-	rootCmd.Flags().BoolVarP(&yes, "yes", "y", false, "Auto-confirm all prompts")
-}
-
 func main() {
 	if os.Getuid() == 0 {
 		fmt.Fprintln(os.Stderr, "Error: dankinstall must not be run as root")
 		os.Exit(1)
 	}

-	if err := rootCmd.Execute(); err != nil {
-		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-		os.Exit(1)
-	}
-}
-
-func runDankinstall(cmd *cobra.Command, args []string) error {
-	headlessMode := compositor != "" || term != ""
-
-	if !headlessMode {
-		// Reject headless-only flags when running in TUI mode.
-		headlessOnly := []string{
-			"include-deps",
-			"exclude-deps",
-			"replace-configs",
-			"replace-configs-all",
-			"yes",
-		}
-		var set []string
-		for _, name := range headlessOnly {
-			if cmd.Flags().Changed(name) {
-				set = append(set, "--"+name)
-			}
-		}
-		if len(set) > 0 {
-			return fmt.Errorf("flags %s are only valid in headless mode (requires both --compositor and --term)", strings.Join(set, ", "))
-		}
-	}
-
-	if headlessMode {
-		return runHeadless()
-	}
-	return runTUI()
-}
-
-func runHeadless() error {
-	// Validate required flags
-	if compositor == "" {
-		return fmt.Errorf("--compositor is required for headless mode (niri or hyprland)")
-	}
-	if term == "" {
-		return fmt.Errorf("--term is required for headless mode (ghostty, kitty, or alacritty)")
-	}
-
-	cfg := headless.Config{
-		Compositor:        compositor,
-		Terminal:          term,
-		IncludeDeps:       includeDeps,
-		ExcludeDeps:       excludeDeps,
-		ReplaceConfigs:    replaceConfigs,
-		ReplaceConfigsAll: replaceConfigsAll,
-		Yes:               yes,
-	}
-
-	runner := headless.NewRunner(cfg)
-
-	// Set up file logging
-	fileLogger, err := log.NewFileLogger()
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Warning: Failed to create log file: %v\n", err)
-	}
-
-	if fileLogger != nil {
-		fmt.Printf("Logging to: %s\n", fileLogger.GetLogPath())
-		fileLogger.StartListening(runner.GetLogChan())
-		defer func() {
-			if err := fileLogger.Close(); err != nil {
-				fmt.Fprintf(os.Stderr, "Warning: Failed to close log file: %v\n", err)
-			}
-		}()
-	} else {
-		// Drain the log channel to prevent blocking sends from deadlocking
-		// downstream components (distros, config deployer) that write to it.
-		// Use an explicit stop signal because this code does not own the
-		// runner log channel and cannot assume it will be closed.
-		defer drainLogChan(runner.GetLogChan())()
-	}
-
-	if err := runner.Run(); err != nil {
-		if fileLogger != nil {
-			fmt.Fprintf(os.Stderr, "\nFull logs are available at: %s\n", fileLogger.GetLogPath())
-		}
-		return err
-	}
-
-	if fileLogger != nil {
-		fmt.Printf("\nFull logs are available at: %s\n", fileLogger.GetLogPath())
-	}
-	return nil
-}
-
-func runTUI() error {
 	fileLogger, err := log.NewFileLogger()
 	if err != nil {
 		fmt.Printf("Warning: Failed to create log file: %v\n", err)
@@ -170,50 +38,18 @@ func runTUI() error {

 	if fileLogger != nil {
 		fileLogger.StartListening(model.GetLogChan())
-	} else {
-		// Drain the log channel to prevent blocking sends from deadlocking
-		// downstream components (distros, config deployer) that write to it.
-		// Use an explicit stop signal because this code does not own the
-		// model log channel and cannot assume it will be closed.
-		defer drainLogChan(model.GetLogChan())()
 	}

 	p := tea.NewProgram(model, tea.WithAltScreen())
 	if _, err := p.Run(); err != nil {
+		fmt.Printf("Error running program: %v\n", err)
 		if logFilePath != "" {
-			fmt.Fprintf(os.Stderr, "\nFull logs are available at: %s\n", logFilePath)
+			fmt.Printf("\nFull logs are available at: %s\n", logFilePath)
 		}
-		return fmt.Errorf("error running program: %w", err)
+		os.Exit(1)
 	}

 	if logFilePath != "" {
 		fmt.Printf("\nFull logs are available at: %s\n", logFilePath)
 	}
-	return nil
-}
-
-// drainLogChan starts a goroutine that discards all messages from logCh,
-// preventing blocking sends from deadlocking downstream components. It returns
-// a cleanup function that signals the goroutine to stop and waits for it to
-// exit. Callers should defer the returned function.
-func drainLogChan(logCh <-chan string) func() {
-	drainStop := make(chan struct{})
-	drainDone := make(chan struct{})
-	go func() {
-		defer close(drainDone)
-		for {
-			select {
-			case <-drainStop:
-				return
-			case _, ok := <-logCh:
-				if !ok {
-					return
-				}
-			}
-		}
-	}()
-	return func() {
-		close(drainStop)
-		<-drainDone
-	}
 }
--- a/core/cmd/dms/commands_auth.go
+++ b/core/cmd/dms/commands_auth.go
@@ -1,77 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	sharedpam "github.com/AvengeMedia/DankMaterialShell/core/internal/pam"
-	"github.com/spf13/cobra"
-)
-
-var authCmd = &cobra.Command{
-	Use:   "auth",
-	Short: "Manage DMS authentication sync",
-	Long:  "Manage shared PAM/authentication setup for DMS greeter and lock screen",
-}
-
-var authSyncCmd = &cobra.Command{
-	Use:     "sync",
-	Short:   "Sync DMS authentication configuration",
-	Long:    "Apply shared PAM/authentication changes for the lock screen and greeter based on current DMS settings",
-	PreRunE: preRunPrivileged,
-	Run: func(cmd *cobra.Command, args []string) {
-		yes, _ := cmd.Flags().GetBool("yes")
-		term, _ := cmd.Flags().GetBool("terminal")
-		if term {
-			if err := syncAuthInTerminal(yes); err != nil {
-				log.Fatalf("Error launching auth sync in terminal: %v", err)
-			}
-			return
-		}
-		if err := syncAuth(yes); err != nil {
-			log.Fatalf("Error syncing authentication: %v", err)
-		}
-	},
-}
-
-func init() {
-	authSyncCmd.Flags().BoolP("yes", "y", false, "Non-interactive mode: skip prompts")
-	authSyncCmd.Flags().BoolP("terminal", "t", false, "Run auth sync in a new terminal (for entering sudo password)")
-}
-
-func syncAuth(nonInteractive bool) error {
-	if !nonInteractive {
-		fmt.Println("=== DMS Authentication Sync ===")
-		fmt.Println()
-	}
-
-	logFunc := func(msg string) {
-		fmt.Println(msg)
-	}
-
-	if err := sharedpam.SyncAuthConfig(logFunc, "", sharedpam.SyncAuthOptions{}); err != nil {
-		return err
-	}
-
-	if !nonInteractive {
-		fmt.Println("\n=== Authentication Sync Complete ===")
-		fmt.Println("\nAuthentication changes have been applied.")
-	}
-
-	return nil
-}
-
-func syncAuthInTerminal(nonInteractive bool) error {
-	syncFlags := make([]string, 0, 1)
-	if nonInteractive {
-		syncFlags = append(syncFlags, "--yes")
-	}
-
-	shellSyncCmd := "dms auth sync"
-	if len(syncFlags) > 0 {
-		shellSyncCmd += " " + strings.Join(syncFlags, " ")
-	}
-	shellCmd := shellSyncCmd + `; echo; echo "Authentication sync finished. Closing in 3 seconds..."; sleep 3`
-	return runCommandInTerminal(shellCmd)
-}
--- a/core/cmd/dms/commands_colorpicker.go
+++ b/core/cmd/dms/commands_colorpicker.go
@@ -37,9 +37,6 @@ Output format flags (mutually exclusive, default: --hex):
  --cmyk - CMYK values (C% M% Y% K%)
  --json - JSON with all formats

-Optional:
-  --raw - Removes ANSI escape codes and background colors. Use this when piping to other commands
-
 Examples:
  dms color pick                # Pick color, output as hex
  dms color pick --rgb          # Output as RGB
@@ -56,7 +53,6 @@ func init() {
 	colorPickCmd.Flags().Bool("hsv", false, "Output as HSV (H S% V%)")
 	colorPickCmd.Flags().Bool("cmyk", false, "Output as CMYK (C% M% Y% K%)")
 	colorPickCmd.Flags().Bool("json", false, "Output all formats as JSON")
-	colorPickCmd.Flags().Bool("raw", false, "Removes ANSI escape codes and background colors. Use this when piping to other commands")
 	colorPickCmd.Flags().StringVarP(&colorOutputFmt, "output-format", "o", "", "Custom output format template")
 	colorPickCmd.Flags().BoolVarP(&colorAutocopy, "autocopy", "a", false, "Copy result to clipboard")
 	colorPickCmd.Flags().BoolVarP(&colorLowercase, "lowercase", "l", false, "Output hex in lowercase")
@@ -117,15 +113,7 @@ func runColorPick(cmd *cobra.Command, args []string) {

 	if jsonOutput {
 		fmt.Println(output)
-		return
-	}
-
-	if raw, _ := cmd.Flags().GetBool("raw"); raw {
-		fmt.Printf("%s\n", output)
-		return
-	}
-
-	if color.IsDark() {
+	} else if color.IsDark() {
 		fmt.Printf("\033[48;2;%d;%d;%dm\033[97m %s \033[0m\n", color.R, color.G, color.B, output)
 	} else {
 		fmt.Printf("\033[48;2;%d;%d;%dm\033[30m %s \033[0m\n", color.R, color.G, color.B, output)
--- a/core/cmd/dms/commands_doctor.go
+++ b/core/cmd/dms/commands_doctor.go
@@ -1110,14 +1110,14 @@ func formatResultsPlain(results []checkResult) string {
 			if currentCategory != -1 {
 				sb.WriteString("\n")
 			}
-			fmt.Fprintf(&sb, "**%s**\n", r.category.String())
+			sb.WriteString(fmt.Sprintf("**%s**\n", r.category.String()))
 			currentCategory = r.category
 		}

-		fmt.Fprintf(&sb, "- [%s] %s: %s\n", r.status, r.name, r.message)
+		sb.WriteString(fmt.Sprintf("- [%s] %s: %s\n", r.status, r.name, r.message))

 		if doctorVerbose && r.details != "" {
-			fmt.Fprintf(&sb, "  - %s\n", r.details)
+			sb.WriteString(fmt.Sprintf("  - %s\n", r.details))
 		}
 	}

@@ -1127,8 +1127,8 @@ func formatResultsPlain(results []checkResult) string {
 	}

 	sb.WriteString("\n---\n")
-	fmt.Fprintf(&sb, "**Summary:** %d error(s), %d warning(s), %d ok\n",
-		ds.ErrorCount(), ds.WarningCount(), ds.OKCount())
+	sb.WriteString(fmt.Sprintf("**Summary:** %d error(s), %d warning(s), %d ok\n",
+		ds.ErrorCount(), ds.WarningCount(), ds.OKCount()))

 	return sb.String()
 }
--- a/core/cmd/dms/commands_greeter.go
+++ b/core/cmd/dms/commands_greeter.go
@@ -14,7 +14,6 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/greeter"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	sharedpam "github.com/AvengeMedia/DankMaterialShell/core/internal/pam"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/spf13/cobra"
@@ -28,11 +27,6 @@ var greeterCmd = &cobra.Command{
 	Long:  "Manage DMS greeter (greetd)",
 }

-var (
-	greeterConfigSyncFn = greeter.SyncDMSConfigs
-	sharedAuthSyncFn    = sharedpam.SyncAuthConfig
-)
-
 var greeterInstallCmd = &cobra.Command{
 	Use:     "install",
 	Short:   "Install and configure DMS greeter",
@@ -157,16 +151,6 @@ func init() {
 	greeterUninstallCmd.Flags().BoolP("terminal", "t", false, "Run in a new terminal (for entering sudo password)")
 }

-func syncGreeterConfigsAndAuth(dmsPath, compositor string, logFunc func(string), options sharedpam.SyncAuthOptions, beforeAuth func()) error {
-	if err := greeterConfigSyncFn(dmsPath, compositor, logFunc, ""); err != nil {
-		return err
-	}
-	if beforeAuth != nil {
-		beforeAuth()
-	}
-	return sharedAuthSyncFn(logFunc, "", options)
-}
-
 func installGreeter(nonInteractive bool) error {
 	fmt.Println("=== DMS Greeter Installation ===")

@@ -262,9 +246,7 @@ func installGreeter(nonInteractive bool) error {
 	}

 	fmt.Println("\nSynchronizing DMS configurations...")
-	if err := syncGreeterConfigsAndAuth(dmsPath, selectedCompositor, logFunc, sharedpam.SyncAuthOptions{}, func() {
-		fmt.Println("\nConfiguring authentication...")
-	}); err != nil {
+	if err := greeter.SyncDMSConfigs(dmsPath, selectedCompositor, logFunc, "", false); err != nil {
 		return err
 	}

@@ -299,7 +281,7 @@ func uninstallGreeter(nonInteractive bool) error {
 	}

 	if !nonInteractive {
-		fmt.Print("\nThis will:\n  • Stop and disable greetd\n  • Remove the DMS-managed greeter auth block\n  • Remove the DMS AppArmor profile\n  • Restore the most recent pre-DMS greetd config (if available)\n\nContinue? [y/N]: ")
+		fmt.Print("\nThis will:\n  • Stop and disable greetd\n  • Remove the DMS PAM managed block\n  • Remove the DMS AppArmor profile\n  • Restore the most recent pre-DMS greetd config (if available)\n\nContinue? [y/N]: ")
 		var response string
 		fmt.Scanln(&response)
 		if strings.ToLower(strings.TrimSpace(response)) != "y" {
@@ -315,8 +297,8 @@ func uninstallGreeter(nonInteractive bool) error {
 		fmt.Println("  ✓ greetd disabled")
 	}

-	fmt.Println("\nRemoving DMS authentication configuration...")
-	if err := sharedpam.RemoveManagedGreeterPamBlock(logFunc, ""); err != nil {
+	fmt.Println("\nRemoving DMS PAM configuration...")
+	if err := greeter.RemoveGreeterPamManagedBlock(logFunc, ""); err != nil {
 		fmt.Printf("  ⚠ PAM cleanup failed: %v\n", err)
 	}

@@ -543,7 +525,7 @@ func resolveLocalWrapperShell() (string, error) {

 func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 	if !nonInteractive {
-		fmt.Println("=== DMS Greeter Sync ===")
+		fmt.Println("=== DMS Greeter Theme Sync ===")
 		fmt.Println()
 	}

@@ -726,11 +708,7 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 	}

 	fmt.Println("\nSynchronizing DMS configurations...")
-	if err := syncGreeterConfigsAndAuth(dmsPath, compositor, logFunc, sharedpam.SyncAuthOptions{
-		ForceGreeterAuth: forceAuth,
-	}, func() {
-		fmt.Println("\nConfiguring authentication...")
-	}); err != nil {
+	if err := greeter.SyncDMSConfigs(dmsPath, compositor, logFunc, "", forceAuth); err != nil {
 		return err
 	}

@@ -743,9 +721,8 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {

 	fmt.Println("\n=== Sync Complete ===")
 	fmt.Println("\nYour theme, settings, and wallpaper configuration have been synced with the greeter.")
-	fmt.Println("Shared authentication settings were also checked and reconciled where needed.")
 	if forceAuth {
-		fmt.Println("Authentication has been configured for fingerprint and U2F (where modules exist).")
+		fmt.Println("PAM has been configured for fingerprint and U2F (where modules exist).")
 	}
 	fmt.Println("The changes will be visible on the next login screen.")

@@ -1295,7 +1272,39 @@ func extractGreeterPathOverrideFromCommand(command string) string {
 }

 func parseManagedGreeterPamAuth(pamText string) (managed bool, fingerprint bool, u2f bool, legacy bool) {
-	return sharedpam.ParseManagedGreeterPamAuth(pamText)
+	if pamText == "" {
+		return false, false, false, false
+	}
+
+	lines := strings.Split(pamText, "\n")
+	inManaged := false
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		switch trimmed {
+		case greeter.GreeterPamManagedBlockStart:
+			managed = true
+			inManaged = true
+			continue
+		case greeter.GreeterPamManagedBlockEnd:
+			inManaged = false
+			continue
+		}
+
+		if strings.HasPrefix(trimmed, "# DMS greeter fingerprint") || strings.HasPrefix(trimmed, "# DMS greeter U2F") {
+			legacy = true
+		}
+		if !inManaged {
+			continue
+		}
+		if strings.Contains(trimmed, "pam_fprintd") {
+			fingerprint = true
+		}
+		if strings.Contains(trimmed, "pam_u2f") {
+			u2f = true
+		}
+	}
+
+	return managed, fingerprint, u2f, legacy
 }

 func packageInstallHint() string {
@@ -1605,29 +1614,29 @@ func checkGreeterStatus() error {
 			fmt.Println("  ℹ No managed auth block present (DMS-managed fingerprint/U2F lines are disabled)")
 		}
 		if legacyManaged {
-			fmt.Println("  ⚠ Legacy unmanaged DMS PAM lines detected. Run 'dms auth sync' to normalize.")
+			fmt.Println("  ⚠ Legacy unmanaged DMS PAM lines detected. Run 'dms greeter sync' to normalize.")
 			allGood = false
 		}
 		enableFprintToggle, enableU2fToggle := false, false
-		if enableFprint, enableU2f, settingsErr := sharedpam.ReadGreeterAuthToggles(homeDir); settingsErr == nil {
+		if enableFprint, enableU2f, settingsErr := greeter.ReadGreeterAuthToggles(homeDir); settingsErr == nil {
 			enableFprintToggle = enableFprint
 			enableU2fToggle = enableU2f
 		} else {
 			fmt.Printf("  ℹ Could not read greeter auth toggles from settings: %v\n", settingsErr)
 		}

-		includedFprintFile := sharedpam.DetectIncludedPamModule(string(pamData), "pam_fprintd.so")
-		includedU2fFile := sharedpam.DetectIncludedPamModule(string(pamData), "pam_u2f.so")
-		fprintAvailableForCurrentUser := sharedpam.FingerprintAuthAvailableForCurrentUser()
+		includedFprintFile := greeter.DetectIncludedPamModule(string(pamData), "pam_fprintd.so")
+		includedU2fFile := greeter.DetectIncludedPamModule(string(pamData), "pam_u2f.so")
+		fprintAvailableForCurrentUser := greeter.FingerprintAuthAvailableForCurrentUser()

 		if managedFprint && includedFprintFile != "" {
 			fmt.Printf("  ⚠ pam_fprintd found in both DMS managed block and %s.\n", includedFprintFile)
-			fmt.Println("    Double fingerprint auth detected — run 'dms auth sync' to resolve.")
+			fmt.Println("    Double fingerprint auth detected — run 'dms greeter sync' to resolve.")
 			allGood = false
 		}
 		if managedU2f && includedU2fFile != "" {
 			fmt.Printf("  ⚠ pam_u2f found in both DMS managed block and %s.\n", includedU2fFile)
-			fmt.Println("    Double security-key auth detected — run 'dms auth sync' to resolve.")
+			fmt.Println("    Double security-key auth detected — run 'dms greeter sync' to resolve.")
 			allGood = false
 		}

--- a/core/cmd/dms/commands_greeter_test.go
+++ b/core/cmd/dms/commands_greeter_test.go
@@ -1,87 +0,0 @@
-package main
-
-import (
-	"errors"
-	"reflect"
-	"testing"
-
-	sharedpam "github.com/AvengeMedia/DankMaterialShell/core/internal/pam"
-)
-
-func TestSyncGreeterConfigsAndAuthDelegatesSharedAuth(t *testing.T) {
-	origGreeterConfigSyncFn := greeterConfigSyncFn
-	origSharedAuthSyncFn := sharedAuthSyncFn
-	t.Cleanup(func() {
-		greeterConfigSyncFn = origGreeterConfigSyncFn
-		sharedAuthSyncFn = origSharedAuthSyncFn
-	})
-
-	var calls []string
-	greeterConfigSyncFn = func(dmsPath, compositor string, logFunc func(string), sudoPassword string) error {
-		if dmsPath != "/tmp/dms" {
-			t.Fatalf("unexpected dmsPath %q", dmsPath)
-		}
-		if compositor != "niri" {
-			t.Fatalf("unexpected compositor %q", compositor)
-		}
-		if sudoPassword != "" {
-			t.Fatalf("expected empty sudoPassword, got %q", sudoPassword)
-		}
-		calls = append(calls, "configs")
-		return nil
-	}
-
-	var gotOptions sharedpam.SyncAuthOptions
-	sharedAuthSyncFn = func(logFunc func(string), sudoPassword string, options sharedpam.SyncAuthOptions) error {
-		if sudoPassword != "" {
-			t.Fatalf("expected empty sudoPassword, got %q", sudoPassword)
-		}
-		gotOptions = options
-		calls = append(calls, "auth")
-		return nil
-	}
-
-	err := syncGreeterConfigsAndAuth("/tmp/dms", "niri", func(string) {}, sharedpam.SyncAuthOptions{
-		ForceGreeterAuth: true,
-	}, func() {
-		calls = append(calls, "before-auth")
-	})
-	if err != nil {
-		t.Fatalf("syncGreeterConfigsAndAuth returned error: %v", err)
-	}
-
-	wantCalls := []string{"configs", "before-auth", "auth"}
-	if !reflect.DeepEqual(calls, wantCalls) {
-		t.Fatalf("call order = %v, want %v", calls, wantCalls)
-	}
-	if !gotOptions.ForceGreeterAuth {
-		t.Fatalf("expected ForceGreeterAuth to be true, got %+v", gotOptions)
-	}
-}
-
-func TestSyncGreeterConfigsAndAuthStopsOnConfigError(t *testing.T) {
-	origGreeterConfigSyncFn := greeterConfigSyncFn
-	origSharedAuthSyncFn := sharedAuthSyncFn
-	t.Cleanup(func() {
-		greeterConfigSyncFn = origGreeterConfigSyncFn
-		sharedAuthSyncFn = origSharedAuthSyncFn
-	})
-
-	greeterConfigSyncFn = func(string, string, func(string), string) error {
-		return errors.New("config sync failed")
-	}
-
-	authCalled := false
-	sharedAuthSyncFn = func(func(string), string, sharedpam.SyncAuthOptions) error {
-		authCalled = true
-		return nil
-	}
-
-	err := syncGreeterConfigsAndAuth("/tmp/dms", "niri", func(string) {}, sharedpam.SyncAuthOptions{}, nil)
-	if err == nil || err.Error() != "config sync failed" {
-		t.Fatalf("expected config sync error, got %v", err)
-	}
-	if authCalled {
-		t.Fatal("expected auth sync not to run after config sync failure")
-	}
-}
--- a/core/cmd/dms/commands_matugen.go
+++ b/core/cmd/dms/commands_matugen.go
@@ -57,11 +57,10 @@ func init() {
 		cmd.Flags().Bool("sync-mode-with-portal", false, "Sync color scheme with GNOME portal")
 		cmd.Flags().Bool("terminals-always-dark", false, "Force terminal themes to dark variant")
 		cmd.Flags().String("skip-templates", "", "Comma-separated list of templates to skip")
-		cmd.Flags().Float64("contrast", 0, "Contrast value from -1 to 1 (0 = standard)")
 	}

 	matugenQueueCmd.Flags().Bool("wait", true, "Wait for completion")
-	matugenQueueCmd.Flags().Duration("timeout", 90*time.Second, "Timeout for waiting")
+	matugenQueueCmd.Flags().Duration("timeout", 30*time.Second, "Timeout for waiting")
 }

 func buildMatugenOptions(cmd *cobra.Command) matugen.Options {
@@ -78,7 +77,6 @@ func buildMatugenOptions(cmd *cobra.Command) matugen.Options {
 	syncModeWithPortal, _ := cmd.Flags().GetBool("sync-mode-with-portal")
 	terminalsAlwaysDark, _ := cmd.Flags().GetBool("terminals-always-dark")
 	skipTemplates, _ := cmd.Flags().GetString("skip-templates")
-	contrast, _ := cmd.Flags().GetFloat64("contrast")

 	return matugen.Options{
 		StateDir:            stateDir,
@@ -89,7 +87,6 @@ func buildMatugenOptions(cmd *cobra.Command) matugen.Options {
 		Mode:                matugen.ColorMode(mode),
 		IconTheme:           iconTheme,
 		MatugenType:         matugenType,
-		Contrast:            contrast,
 		RunUserTemplates:    runUserTemplates,
 		StockColors:         stockColors,
 		SyncModeWithPortal:  syncModeWithPortal,
@@ -131,7 +128,6 @@ func runMatugenQueue(cmd *cobra.Command, args []string) {
 			"syncModeWithPortal":  opts.SyncModeWithPortal,
 			"terminalsAlwaysDark": opts.TerminalsAlwaysDark,
 			"skipTemplates":       opts.SkipTemplates,
-			"contrast":            opts.Contrast,
 			"wait":                wait,
 		},
 	}
--- a/core/cmd/dms/commands_screenshot.go
+++ b/core/cmd/dms/commands_screenshot.go
@@ -22,8 +22,6 @@ var (
 	ssNoClipboard bool
 	ssNoFile      bool
 	ssNoNotify    bool
-	ssNoConfirm   bool
-	ssReset       bool
 	ssStdout      bool
 )

@@ -52,10 +50,8 @@ Examples:
  dms screenshot output -o DP-1      # Specific output
  dms screenshot window              # Focused window (Hyprland)
  dms screenshot last                # Last region (pre-selected)
-  dms screenshot --reset             # Reset last region pre-selection
  dms screenshot --no-clipboard      # Save file only
  dms screenshot --no-file           # Clipboard only
-  dms screenshot --no-confirm        # Region capture on mouse release
  dms screenshot --cursor=on         # Include cursor
  dms screenshot -f jpg -q 85        # JPEG with quality 85`,
 }
@@ -123,8 +119,6 @@ func init() {
 	screenshotCmd.PersistentFlags().BoolVar(&ssNoClipboard, "no-clipboard", false, "Don't copy to clipboard")
 	screenshotCmd.PersistentFlags().BoolVar(&ssNoFile, "no-file", false, "Don't save to file")
 	screenshotCmd.PersistentFlags().BoolVar(&ssNoNotify, "no-notify", false, "Don't show notification")
-	screenshotCmd.PersistentFlags().BoolVar(&ssNoConfirm, "no-confirm", false, "Region mode: capture on mouse release without Enter/Space confirmation")
-	screenshotCmd.PersistentFlags().BoolVar(&ssReset, "reset", false, "Reset saved last-region preselection before capturing")
 	screenshotCmd.PersistentFlags().BoolVar(&ssStdout, "stdout", false, "Output image to stdout (for piping to swappy, etc.)")

 	screenshotCmd.AddCommand(ssRegionCmd)
@@ -148,8 +142,6 @@ func getScreenshotConfig(mode screenshot.Mode) screenshot.Config {
 	config.Clipboard = !ssNoClipboard
 	config.SaveFile = !ssNoFile
 	config.Notify = !ssNoNotify
-	config.NoConfirm = ssNoConfirm
-	config.Reset = ssReset
 	config.Stdout = ssStdout

 	if ssOutputDir != "" {
--- a/core/cmd/dms/commands_setup.go
+++ b/core/cmd/dms/commands_setup.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"

@@ -11,6 +12,7 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/greeter"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/spf13/cobra"
 )
@@ -267,6 +269,8 @@ func runSetupDmsConfig(name string) error {
 func runSetup() error {
 	fmt.Println("=== DMS Configuration Setup ===")

+	ensureInputGroup()
+
 	wm, wmSelected := promptCompositor()
 	terminal, terminalSelected := promptTerminal()
 	useSystemd := promptSystemd()
@@ -340,6 +344,37 @@ func runSetup() error {
 	return nil
 }

+// Add user to the input group for the evdev manager for inut state tracking.
+// Caps Lock OSD and the Caps Lock bar indicator.
+func ensureInputGroup() {
+	if !utils.HasGroup("input") {
+		return
+	}
+	currentUser := os.Getenv("USER")
+	if currentUser == "" {
+		currentUser = os.Getenv("LOGNAME")
+	}
+	if currentUser == "" {
+		return
+	}
+	out, err := execGroups(currentUser)
+	if err == nil && strings.Contains(out, "input") {
+		fmt.Printf("✓ %s is already in the input group (Caps Lock OSD enabled)\n", currentUser)
+		return
+	}
+	fmt.Println("Adding user to input group for Caps Lock OSD support...")
+	if err := privesc.Run(context.Background(), "", "usermod", "-aG", "input", currentUser); err != nil {
+		fmt.Printf("⚠ Could not add %s to input group (Caps Lock OSD will be unavailable): %v\n", currentUser, err)
+	} else {
+		fmt.Printf("✓ Added %s to input group (logout/login required to take effect)\n", currentUser)
+	}
+}
+
+func execGroups(user string) (string, error) {
+	out, err := exec.Command("groups", user).Output()
+	return string(out), err
+}
+
 func promptCompositor() (deps.WindowManager, bool) {
 	fmt.Println("Select compositor:")
 	fmt.Println("1) Niri")
--- a/core/cmd/dms/main.go
+++ b/core/cmd/dms/main.go
@@ -18,13 +18,11 @@ func init() {
 	runCmd.Flags().MarkHidden("daemon-child")

 	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd, greeterUninstallCmd)
-	authCmd.AddCommand(authSyncCmd)
 	setupCmd.AddCommand(setupBindsCmd, setupLayoutCmd, setupColorsCmd, setupAlttabCmd, setupOutputsCmd, setupCursorCmd, setupWindowrulesCmd)
 	updateCmd.AddCommand(updateCheckCmd)
 	pluginsCmd.AddCommand(pluginsBrowseCmd, pluginsListCmd, pluginsInstallCmd, pluginsUninstallCmd, pluginsUpdateCmd)
 	rootCmd.AddCommand(getCommonCommands()...)

-	rootCmd.AddCommand(authCmd)
 	rootCmd.AddCommand(updateCmd)

 	rootCmd.SetHelpTemplate(getHelpTemplate())
--- a/core/cmd/dms/main_distro.go
+++ b/core/cmd/dms/main_distro.go
@@ -18,11 +18,9 @@ func init() {
 	runCmd.Flags().MarkHidden("daemon-child")

 	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd, greeterUninstallCmd)
-	authCmd.AddCommand(authSyncCmd)
 	setupCmd.AddCommand(setupBindsCmd, setupLayoutCmd, setupColorsCmd, setupAlttabCmd, setupOutputsCmd, setupCursorCmd, setupWindowrulesCmd)
 	pluginsCmd.AddCommand(pluginsBrowseCmd, pluginsListCmd, pluginsInstallCmd, pluginsUninstallCmd, pluginsUpdateCmd)
 	rootCmd.AddCommand(getCommonCommands()...)
-	rootCmd.AddCommand(authCmd)

 	rootCmd.SetHelpTemplate(getHelpTemplate())
 }
--- a/core/cmd/dms/shell.go
+++ b/core/cmd/dms/shell.go
@@ -192,9 +192,6 @@ func runShellInteractive(session bool) {
 		}
 	}

-	// ! TODO - remove when QS 0.3 is up and we can use the pragma
-	cmd.Env = append(cmd.Env, "QS_APP_ID=com.danklinux.dms")
-
 	if isSessionManaged && hasSystemdRun() {
 		cmd.Env = append(cmd.Env, "DMS_DEFAULT_LAUNCH_PREFIX=systemd-run --user --scope")
 	}
@@ -435,9 +432,6 @@ func runShellDaemon(session bool) {
 		}
 	}

-	// ! TODO - remove when QS 0.3 is up and we can use the pragma
-	cmd.Env = append(cmd.Env, "QS_APP_ID=com.danklinux.dms")
-
 	if isSessionManaged && hasSystemdRun() {
 		cmd.Env = append(cmd.Env, "DMS_DEFAULT_LAUNCH_PREFIX=systemd-run --user --scope")
 	}
--- a/core/go.mod
+++ b/core/go.mod
@@ -1,8 +1,6 @@
 module github.com/AvengeMedia/DankMaterialShell/core

-go 1.26.0
-
-toolchain go1.26.1
+go 1.25.0

 require (
 	github.com/Wifx/gonetworkmanager/v2 v2.2.0
@@ -18,8 +16,6 @@ require (
 	github.com/sblinch/kdl-go v0.0.0-20260121213736-8b7053306ca6
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
-	github.com/yeqown/go-qrcode/v2 v2.2.5
-	github.com/yeqown/go-qrcode/writer/standard v1.3.0
 	github.com/yuin/goldmark v1.7.16
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.etcd.io/bbolt v1.4.3
@@ -36,19 +32,15 @@ require (
 	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fogleman/gg v1.3.0 // indirect
 	github.com/go-git/gcfg/v2 v2.0.2 // indirect
 	github.com/go-git/go-billy/v6 v6.0.0-20260209124918-37866f83c2d3 // indirect
 	github.com/go-logfmt/logfmt v0.6.1 // indirect
-	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/kevinburke/ssh_config v1.6.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/pjbgf/sha1cd v0.5.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
-	github.com/yeqown/reedsolomon v1.0.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/net v0.50.0 // indirect
 )
--- a/core/go.sum
+++ b/core/go.sum
@@ -58,8 +58,6 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
-github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
-github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@@ -77,8 +75,6 @@ github.com/go-logfmt/logfmt v0.6.1/go.mod h1:EV2pOAQoZaT1ZXZbqDl5hrymndi4SY9ED9/
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -119,8 +115,6 @@ github.com/pilebones/go-udev v0.9.1 h1:uN72M1C1fgzhsVmBGEM8w9RD1JY4iVsPZpr+Z6rb3
 github.com/pilebones/go-udev v0.9.1/go.mod h1:Bgcl07crebF3JSeS4+nuaRvhWFdCeFoBhXXeAp93XNo=
 github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
 github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -148,12 +142,6 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-github.com/yeqown/go-qrcode/v2 v2.2.5 h1:HCOe2bSjkhZyYoyyNaXNzh4DJZll6inVJQQw+8228Zk=
-github.com/yeqown/go-qrcode/v2 v2.2.5/go.mod h1:uHpt9CM0V1HeXLz+Wg5MN50/sI/fQhfkZlOM+cOTHxw=
-github.com/yeqown/go-qrcode/writer/standard v1.3.0 h1:chdyhEfRtUPgQtuPeaWVGQ/TQx4rE1PqeoW3U+53t34=
-github.com/yeqown/go-qrcode/writer/standard v1.3.0/go.mod h1:O4MbzsotGCvy8upYPCR91j81dr5XLT7heuljcNXW+oQ=
-github.com/yeqown/reedsolomon v1.0.0 h1:x1h/Ej/uJnNu8jaX7GLHBWmZKCAWjEJTetkqaabr4B0=
-github.com/yeqown/reedsolomon v1.0.0/go.mod h1:P76zpcn2TCuL0ul1Fso373qHRc69LKwAw/Iy6g1WiiM=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
 github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
--- a/core/internal/colorpicker/picker.go
+++ b/core/internal/colorpicker/picker.go
@@ -39,10 +39,11 @@ type LayerSurface struct {
 	wlSurface   *client.Surface
 	layerSurf   *wlr_layer_shell.ZwlrLayerSurfaceV1
 	viewport    *wp_viewporter.WpViewport
-	wlPools     [2]*client.ShmPool
-	wlBuffers   [2]*client.Buffer
-	slotBusy    [2]bool
-	needsRedraw bool
+	wlPool      *client.ShmPool
+	wlBuffer    *client.Buffer
+	bufferBusy  bool
+	oldPool     *client.ShmPool
+	oldBuffer   *client.Buffer
 	scopyBuffer *client.Buffer
 	configured  bool
 	hidden      bool
@@ -135,7 +136,6 @@ func (p *Picker) Run() (*Color, error) {
 			break
 		}

-		p.flushRedraws()
 		p.checkDone()
 	}

@@ -164,15 +164,6 @@ func (p *Picker) checkDone() {
 	}
 }

-func (p *Picker) flushRedraws() {
-	for _, ls := range p.surfaces {
-		if !ls.needsRedraw {
-			continue
-		}
-		p.redrawSurface(ls)
-	}
-}
-
 func (p *Picker) connect() error {
 	display, err := client.Connect("")
 	if err != nil {
@@ -516,45 +507,47 @@ func (p *Picker) captureForSurface(ls *LayerSurface) {
 }

 func (p *Picker) redrawSurface(ls *LayerSurface) {
-	slot := ls.state.FrontIndex()
-	if ls.slotBusy[slot] {
-		ls.needsRedraw = true
-		return
-	}
-
 	var renderBuf *ShmBuffer
-	switch {
-	case ls.hidden:
+	if ls.hidden {
 		renderBuf = ls.state.RedrawScreenOnly()
-	default:
+	} else {
 		renderBuf = ls.state.Redraw()
 	}
 	if renderBuf == nil {
 		return
 	}

-	ls.needsRedraw = false
-
-	if ls.wlPools[slot] == nil {
-		pool, err := p.shm.CreatePool(renderBuf.Fd(), int32(renderBuf.Size()))
-		if err != nil {
-			return
-		}
-		ls.wlPools[slot] = pool
-
-		wlBuffer, err := pool.CreateBuffer(0, int32(renderBuf.Width), int32(renderBuf.Height), int32(renderBuf.Stride), uint32(ls.state.ScreenFormat()))
-		if err != nil {
-			return
-		}
-		ls.wlBuffers[slot] = wlBuffer
-
-		s := slot
-		wlBuffer.SetReleaseHandler(func(e client.BufferReleaseEvent) {
-			ls.slotBusy[s] = false
-		})
+	if ls.oldBuffer != nil {
+		ls.oldBuffer.Destroy()
+		ls.oldBuffer = nil
+	}
+	if ls.oldPool != nil {
+		ls.oldPool.Destroy()
+		ls.oldPool = nil
 	}

-	ls.slotBusy[slot] = true
+	ls.oldPool = ls.wlPool
+	ls.oldBuffer = ls.wlBuffer
+	ls.wlPool = nil
+	ls.wlBuffer = nil
+
+	pool, err := p.shm.CreatePool(renderBuf.Fd(), int32(renderBuf.Size()))
+	if err != nil {
+		return
+	}
+	ls.wlPool = pool
+
+	wlBuffer, err := pool.CreateBuffer(0, int32(renderBuf.Width), int32(renderBuf.Height), int32(renderBuf.Stride), uint32(ls.state.ScreenFormat()))
+	if err != nil {
+		return
+	}
+	ls.wlBuffer = wlBuffer
+
+	lsRef := ls
+	wlBuffer.SetReleaseHandler(func(e client.BufferReleaseEvent) {
+		lsRef.bufferBusy = false
+	})
+	ls.bufferBusy = true

 	logicalW, logicalH := ls.state.LogicalSize()
 	if logicalW == 0 || logicalH == 0 {
@@ -573,7 +566,7 @@ func (p *Picker) redrawSurface(ls *LayerSurface) {
 		}
 		_ = ls.wlSurface.SetBufferScale(bufferScale)
 	}
-	_ = ls.wlSurface.Attach(ls.wlBuffers[slot], 0, 0)
+	_ = ls.wlSurface.Attach(wlBuffer, 0, 0)
 	_ = ls.wlSurface.Damage(0, 0, int32(logicalW), int32(logicalH))
 	_ = ls.wlSurface.Commit()

@@ -641,7 +634,7 @@ func (p *Picker) setupPointerHandlers() {
 		}

 		p.activeSurface.state.OnPointerMotion(e.SurfaceX, e.SurfaceY)
-		p.activeSurface.needsRedraw = true
+		p.redrawSurface(p.activeSurface)
 	})

 	p.pointer.SetLeaveHandler(func(e client.PointerLeaveEvent) {
@@ -662,7 +655,7 @@ func (p *Picker) setupPointerHandlers() {
 			return
 		}
 		p.activeSurface.state.OnPointerMotion(e.SurfaceX, e.SurfaceY)
-		p.activeSurface.needsRedraw = true
+		p.redrawSurface(p.activeSurface)
 	})

 	p.pointer.SetButtonHandler(func(e client.PointerButtonEvent) {
@@ -686,13 +679,17 @@ func (p *Picker) cleanup() {
 		if ls.scopyBuffer != nil {
 			ls.scopyBuffer.Destroy()
 		}
-		for i := range ls.wlBuffers {
-			if ls.wlBuffers[i] != nil {
-				ls.wlBuffers[i].Destroy()
-			}
-			if ls.wlPools[i] != nil {
-				ls.wlPools[i].Destroy()
-			}
+		if ls.oldBuffer != nil {
+			ls.oldBuffer.Destroy()
+		}
+		if ls.oldPool != nil {
+			ls.oldPool.Destroy()
+		}
+		if ls.wlBuffer != nil {
+			ls.wlBuffer.Destroy()
+		}
+		if ls.wlPool != nil {
+			ls.wlPool.Destroy()
 		}
 		if ls.viewport != nil {
 			ls.viewport.Destroy()
--- a/core/internal/colorpicker/state.go
+++ b/core/internal/colorpicker/state.go
@@ -274,12 +274,6 @@ func (s *SurfaceState) FrontRenderBuffer() *ShmBuffer {
 	return s.renderBufs[s.front]
 }

-func (s *SurfaceState) FrontIndex() int {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	return s.front
-}
-
 func (s *SurfaceState) SwapBuffers() {
 	s.mu.Lock()
 	s.front ^= 1
--- a/core/internal/config/deployer.go
+++ b/core/internal/config/deployer.go
@@ -62,31 +62,12 @@ func (cd *ConfigDeployer) DeployConfigurationsSelectiveWithReinstalls(ctx contex
 func (cd *ConfigDeployer) deployConfigurationsInternal(ctx context.Context, wm deps.WindowManager, terminal deps.Terminal, installedDeps []deps.Dependency, replaceConfigs map[string]bool, reinstallItems map[string]bool, useSystemd bool) ([]DeploymentResult, error) {
 	var results []DeploymentResult

-	// Primary config file paths used to detect fresh installs.
-	configPrimaryPaths := map[string]string{
-		"Niri":      filepath.Join(os.Getenv("HOME"), ".config", "niri", "config.kdl"),
-		"Hyprland":  filepath.Join(os.Getenv("HOME"), ".config", "hypr", "hyprland.conf"),
-		"Ghostty":   filepath.Join(os.Getenv("HOME"), ".config", "ghostty", "config"),
-		"Kitty":     filepath.Join(os.Getenv("HOME"), ".config", "kitty", "kitty.conf"),
-		"Alacritty": filepath.Join(os.Getenv("HOME"), ".config", "alacritty", "alacritty.toml"),
-	}
-
 	shouldReplaceConfig := func(configType string) bool {
 		if replaceConfigs == nil {
 			return true
 		}
 		replace, exists := replaceConfigs[configType]
-		if !exists || replace {
-			return true
-		}
-		// Config is explicitly set to "don't replace" — but still deploy
-		// if the config file doesn't exist yet (fresh install scenario).
-		if primaryPath, ok := configPrimaryPaths[configType]; ok {
-			if _, err := os.Stat(primaryPath); os.IsNotExist(err) {
-				return true
-			}
-		}
-		return false
+		return !exists || replace
 	}

 	switch wm {
--- a/core/internal/config/deployer_test.go
+++ b/core/internal/config/deployer_test.go
@@ -1,7 +1,6 @@
 package config

 import (
-	"context"
 	"os"
 	"path/filepath"
 	"testing"
@@ -625,168 +624,3 @@ func TestAlacrittyConfigDeployment(t *testing.T) {
 		assert.Contains(t, string(newContent), "decorations = \"None\"")
 	})
 }
-
-func TestShouldReplaceConfigDeployIfMissing(t *testing.T) {
-	allFalse := map[string]bool{
-		"Niri":      false,
-		"Hyprland":  false,
-		"Ghostty":   false,
-		"Kitty":     false,
-		"Alacritty": false,
-	}
-
-	t.Run("replaceConfigs nil deploys config", func(t *testing.T) {
-		tempDir, err := os.MkdirTemp("", "dankinstall-replace-nil-test")
-		require.NoError(t, err)
-		defer os.RemoveAll(tempDir)
-
-		originalHome := os.Getenv("HOME")
-		os.Setenv("HOME", tempDir)
-		defer os.Setenv("HOME", originalHome)
-
-		logChan := make(chan string, 100)
-		cd := NewConfigDeployer(logChan)
-
-		results, err := cd.DeployConfigurationsSelectiveWithReinstalls(
-			context.Background(),
-			deps.WindowManagerNiri,
-			deps.TerminalGhostty,
-			nil, // installedDeps
-			nil, // replaceConfigs
-			nil, // reinstallItems
-		)
-		require.NoError(t, err)
-
-		// With replaceConfigs=nil, all configs should be deployed
-		hasDeployed := false
-		for _, r := range results {
-			if r.Deployed {
-				hasDeployed = true
-				break
-			}
-		}
-		assert.True(t, hasDeployed, "expected at least one config to be deployed when replaceConfigs is nil")
-	})
-
-	t.Run("replaceConfigs all false and config missing deploys config", func(t *testing.T) {
-		tempDir, err := os.MkdirTemp("", "dankinstall-replace-missing-test")
-		require.NoError(t, err)
-		defer os.RemoveAll(tempDir)
-
-		originalHome := os.Getenv("HOME")
-		os.Setenv("HOME", tempDir)
-		defer os.Setenv("HOME", originalHome)
-
-		logChan := make(chan string, 100)
-		cd := NewConfigDeployer(logChan)
-
-		results, err := cd.DeployConfigurationsSelectiveWithReinstalls(
-			context.Background(),
-			deps.WindowManagerNiri,
-			deps.TerminalGhostty,
-			nil,      // installedDeps
-			allFalse, // replaceConfigs — all false
-			nil,      // reinstallItems
-		)
-		require.NoError(t, err)
-
-		// Config files don't exist on disk, so they should still be deployed
-		hasDeployed := false
-		for _, r := range results {
-			if r.Deployed {
-				hasDeployed = true
-				break
-			}
-		}
-		assert.True(t, hasDeployed, "expected configs to be deployed when files are missing, even with replaceConfigs all false")
-	})
-
-	t.Run("replaceConfigs false and config exists skips config", func(t *testing.T) {
-		tempDir, err := os.MkdirTemp("", "dankinstall-replace-exists-test")
-		require.NoError(t, err)
-		defer os.RemoveAll(tempDir)
-
-		originalHome := os.Getenv("HOME")
-		os.Setenv("HOME", tempDir)
-		defer os.Setenv("HOME", originalHome)
-
-		// Create the Ghostty primary config file so shouldReplaceConfig returns false
-		ghosttyPath := filepath.Join(tempDir, ".config", "ghostty", "config")
-		err = os.MkdirAll(filepath.Dir(ghosttyPath), 0o755)
-		require.NoError(t, err)
-		err = os.WriteFile(ghosttyPath, []byte("# existing ghostty config\n"), 0o644)
-		require.NoError(t, err)
-
-		// Also create the Niri primary config file
-		niriPath := filepath.Join(tempDir, ".config", "niri", "config.kdl")
-		err = os.MkdirAll(filepath.Dir(niriPath), 0o755)
-		require.NoError(t, err)
-		err = os.WriteFile(niriPath, []byte("// existing niri config\n"), 0o644)
-		require.NoError(t, err)
-
-		logChan := make(chan string, 100)
-		cd := NewConfigDeployer(logChan)
-
-		results, err := cd.DeployConfigurationsSelectiveWithReinstalls(
-			context.Background(),
-			deps.WindowManagerNiri,
-			deps.TerminalGhostty,
-			nil,      // installedDeps
-			allFalse, // replaceConfigs — all false
-			nil,      // reinstallItems
-		)
-		require.NoError(t, err)
-
-		// Both Niri and Ghostty config files exist, so with all false they should be skipped
-		for _, r := range results {
-			assert.Fail(t, "expected no configs to be deployed", "got deployed config: %s", r.ConfigType)
-		}
-	})
-
-	t.Run("replaceConfigs true and config exists deploys config", func(t *testing.T) {
-		tempDir, err := os.MkdirTemp("", "dankinstall-replace-true-test")
-		require.NoError(t, err)
-		defer os.RemoveAll(tempDir)
-
-		originalHome := os.Getenv("HOME")
-		os.Setenv("HOME", tempDir)
-		defer os.Setenv("HOME", originalHome)
-
-		// Create the Ghostty primary config file
-		ghosttyPath := filepath.Join(tempDir, ".config", "ghostty", "config")
-		err = os.MkdirAll(filepath.Dir(ghosttyPath), 0o755)
-		require.NoError(t, err)
-		err = os.WriteFile(ghosttyPath, []byte("# existing ghostty config\n"), 0o644)
-		require.NoError(t, err)
-
-		logChan := make(chan string, 100)
-		cd := NewConfigDeployer(logChan)
-
-		replaceConfigs := map[string]bool{
-			"Niri":      false,
-			"Hyprland":  false,
-			"Ghostty":   true, // explicitly true
-			"Kitty":     false,
-			"Alacritty": false,
-		}
-
-		results, err := cd.DeployConfigurationsSelectiveWithReinstalls(
-			context.Background(),
-			deps.WindowManagerNiri,
-			deps.TerminalGhostty,
-			nil,            // installedDeps
-			replaceConfigs, // Ghostty=true, rest=false
-			nil,            // reinstallItems
-		)
-		require.NoError(t, err)
-
-		// Ghostty should be deployed because replaceConfigs["Ghostty"]=true
-		foundGhostty := false
-		for _, r := range results {
-			if r.ConfigType == "Ghostty" && r.Deployed {
-				foundGhostty = true
-			}
-		}
-		assert.True(t, foundGhostty, "expected Ghostty config to be deployed when replaceConfigs is true")
-	})
-}
--- a/core/internal/distros/debian.go
+++ b/core/internal/distros/debian.go
@@ -104,6 +104,15 @@ func debianPackageInstalledPrecisely(pkg string) bool {
 	return strings.TrimSpace(string(output)) == "installed"
 }

+func containsString(values []string, target string) bool {
+	for _, value := range values {
+		if value == target {
+			return true
+		}
+	}
+	return false
+}
+
 func debianRepoArchitecture(arch string) string {
 	switch arch {
 	case "amd64", "x86_64":
--- a/core/internal/distros/opensuse.go
+++ b/core/internal/distros/opensuse.go
@@ -6,7 +6,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"slices"
 	"strings"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
@@ -427,7 +426,7 @@ func openSUSENiriRuntimePackages(wm deps.WindowManager, disabledFlags map[string

 func (o *OpenSUSEDistribution) appendMissingSystemPackages(systemPkgs []string, extraPkgs []string) []string {
 	for _, pkg := range extraPkgs {
-		if slices.Contains(systemPkgs, pkg) || o.packageInstalled(pkg) {
+		if containsString(systemPkgs, pkg) || o.packageInstalled(pkg) {
 			continue
 		}

--- a/core/internal/geolocation/client.go
+++ b/core/internal/geolocation/client.go
@@ -1,42 +0,0 @@
-package geolocation
-
-import "github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-
-func NewClient() Client {
-	geoclueClient, err := newGeoClueClient()
-	if err != nil {
-		log.Warnf("GeoClue2 unavailable: %v", err)
-		return newSeededIpClient()
-	}
-
-	loc, _ := geoclueClient.GetLocation()
-	if loc.Latitude != 0 || loc.Longitude != 0 {
-		log.Info("Using GeoClue2 location")
-		return geoclueClient
-	}
-
-	log.Info("GeoClue2 has no fix yet, seeding with IP location")
-	ipLoc, err := fetchIPLocation()
-	if err != nil {
-		log.Warnf("IP location seed failed: %v", err)
-		return geoclueClient
-	}
-
-	log.Info("Seeded GeoClue2 with IP location")
-	geoclueClient.SeedLocation(Location{Latitude: ipLoc.Latitude, Longitude: ipLoc.Longitude})
-	return geoclueClient
-}
-
-func newSeededIpClient() *IpClient {
-	client := newIpClient()
-	ipLoc, err := fetchIPLocation()
-	if err != nil {
-		log.Warnf("IP location also failed: %v", err)
-		return client
-	}
-
-	log.Info("Using IP location")
-	client.currLocation.Latitude = ipLoc.Latitude
-	client.currLocation.Longitude = ipLoc.Longitude
-	return client
-}
--- a/core/internal/geolocation/client_geoclue.go
+++ b/core/internal/geolocation/client_geoclue.go
@@ -1,243 +0,0 @@
-package geolocation
-
-import (
-	"fmt"
-	"sync"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/dbusutil"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
-	"github.com/godbus/dbus/v5"
-)
-
-const (
-	dbusGeoClueService   = "org.freedesktop.GeoClue2"
-	dbusGeoCluePath      = "/org/freedesktop/GeoClue2"
-	dbusGeoClueInterface = dbusGeoClueService
-
-	dbusGeoClueManagerPath      = dbusGeoCluePath + "/Manager"
-	dbusGeoClueManagerInterface = dbusGeoClueInterface + ".Manager"
-	dbusGeoClueManagerGetClient = dbusGeoClueManagerInterface + ".GetClient"
-
-	dbusGeoClueClientInterface       = dbusGeoClueInterface + ".Client"
-	dbusGeoClueClientDesktopId       = dbusGeoClueClientInterface + ".DesktopId"
-	dbusGeoClueClientTimeThreshold   = dbusGeoClueClientInterface + ".TimeThreshold"
-	dbusGeoClueClientTimeStart       = dbusGeoClueClientInterface + ".Start"
-	dbusGeoClueClientTimeStop        = dbusGeoClueClientInterface + ".Stop"
-	dbusGeoClueClientLocationUpdated = dbusGeoClueClientInterface + ".LocationUpdated"
-
-	dbusGeoClueLocationInterface = dbusGeoClueInterface + ".Location"
-	dbusGeoClueLocationLatitude  = dbusGeoClueLocationInterface + ".Latitude"
-	dbusGeoClueLocationLongitude = dbusGeoClueLocationInterface + ".Longitude"
-)
-
-type GeoClueClient struct {
-	currLocation  *Location
-	locationMutex sync.RWMutex
-
-	dbusConn   *dbus.Conn
-	clientPath dbus.ObjectPath
-	signals    chan *dbus.Signal
-
-	stopChan chan struct{}
-	sigWG    sync.WaitGroup
-
-	subscribers syncmap.Map[string, chan Location]
-}
-
-func newGeoClueClient() (*GeoClueClient, error) {
-	dbusConn, err := dbus.ConnectSystemBus()
-	if err != nil {
-		return nil, fmt.Errorf("system bus connection failed: %w", err)
-	}
-
-	c := &GeoClueClient{
-		dbusConn: dbusConn,
-		stopChan: make(chan struct{}),
-		signals:  make(chan *dbus.Signal, 256),
-
-		currLocation: &Location{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		},
-	}
-
-	if err := c.setupClient(); err != nil {
-		dbusConn.Close()
-		return nil, err
-	}
-
-	if err := c.startSignalPump(); err != nil {
-		return nil, err
-	}
-
-	return c, nil
-}
-
-func (c *GeoClueClient) Close() {
-	close(c.stopChan)
-
-	c.sigWG.Wait()
-
-	if c.signals != nil {
-		c.dbusConn.RemoveSignal(c.signals)
-		close(c.signals)
-	}
-
-	c.subscribers.Range(func(key string, ch chan Location) bool {
-		close(ch)
-		c.subscribers.Delete(key)
-		return true
-	})
-
-	if c.dbusConn != nil {
-		c.dbusConn.Close()
-	}
-}
-
-func (c *GeoClueClient) Subscribe(id string) chan Location {
-	ch := make(chan Location, 64)
-	c.subscribers.Store(id, ch)
-	return ch
-}
-
-func (c *GeoClueClient) Unsubscribe(id string) {
-	if ch, ok := c.subscribers.LoadAndDelete(id); ok {
-		close(ch)
-	}
-}
-
-func (c *GeoClueClient) setupClient() error {
-	managerObj := c.dbusConn.Object(dbusGeoClueService, dbusGeoClueManagerPath)
-
-	if err := managerObj.Call(dbusGeoClueManagerGetClient, 0).Store(&c.clientPath); err != nil {
-		return fmt.Errorf("failed to create GeoClue2 client: %w", err)
-	}
-
-	clientObj := c.dbusConn.Object(dbusGeoClueService, c.clientPath)
-	if err := clientObj.SetProperty(dbusGeoClueClientDesktopId, "dms"); err != nil {
-		return fmt.Errorf("failed to set desktop ID: %w", err)
-	}
-
-	if err := clientObj.SetProperty(dbusGeoClueClientTimeThreshold, uint(10)); err != nil {
-		return fmt.Errorf("failed to set time threshold: %w", err)
-	}
-
-	return nil
-}
-
-func (c *GeoClueClient) startSignalPump() error {
-	c.dbusConn.Signal(c.signals)
-
-	if err := c.dbusConn.AddMatchSignal(
-		dbus.WithMatchObjectPath(c.clientPath),
-		dbus.WithMatchInterface(dbusGeoClueClientInterface),
-		dbus.WithMatchSender(dbusGeoClueClientLocationUpdated),
-	); err != nil {
-		return err
-	}
-
-	c.sigWG.Add(1)
-	go func() {
-		defer c.sigWG.Done()
-
-		clientObj := c.dbusConn.Object(dbusGeoClueService, c.clientPath)
-		clientObj.Call(dbusGeoClueClientTimeStart, 0)
-		defer clientObj.Call(dbusGeoClueClientTimeStop, 0)
-
-		for {
-			select {
-			case <-c.stopChan:
-				return
-			case sig, ok := <-c.signals:
-				if !ok {
-					return
-				}
-				if sig == nil {
-					continue
-				}
-
-				c.handleSignal(sig)
-			}
-		}
-	}()
-
-	return nil
-}
-
-func (c *GeoClueClient) handleSignal(sig *dbus.Signal) {
-	switch sig.Name {
-	case dbusGeoClueClientLocationUpdated:
-		if len(sig.Body) != 2 {
-			return
-		}
-
-		newLocationPath, ok := sig.Body[1].(dbus.ObjectPath)
-		if !ok {
-			return
-		}
-
-		if err := c.handleLocationUpdated(newLocationPath); err != nil {
-			log.Warn("GeoClue: Failed to handle location update: %v", err)
-			return
-		}
-	}
-}
-
-func (c *GeoClueClient) handleLocationUpdated(path dbus.ObjectPath) error {
-	locationObj := c.dbusConn.Object(dbusGeoClueService, path)
-
-	lat, err := locationObj.GetProperty(dbusGeoClueLocationLatitude)
-	if err != nil {
-		return err
-	}
-
-	long, err := locationObj.GetProperty(dbusGeoClueLocationLongitude)
-	if err != nil {
-		return err
-	}
-
-	c.locationMutex.Lock()
-	c.currLocation.Latitude = dbusutil.AsOr(lat, 0.0)
-	c.currLocation.Longitude = dbusutil.AsOr(long, 0.0)
-	c.locationMutex.Unlock()
-
-	c.notifySubscribers()
-	return nil
-}
-
-func (c *GeoClueClient) notifySubscribers() {
-	currentLocation, err := c.GetLocation()
-	if err != nil {
-		return
-	}
-
-	c.subscribers.Range(func(key string, ch chan Location) bool {
-		select {
-		case ch <- currentLocation:
-		default:
-			log.Warn("GeoClue: subscriber channel full, dropping update")
-		}
-		return true
-	})
-}
-
-func (c *GeoClueClient) SeedLocation(loc Location) {
-	c.locationMutex.Lock()
-	defer c.locationMutex.Unlock()
-	c.currLocation.Latitude = loc.Latitude
-	c.currLocation.Longitude = loc.Longitude
-}
-
-func (c *GeoClueClient) GetLocation() (Location, error) {
-	c.locationMutex.RLock()
-	defer c.locationMutex.RUnlock()
-	if c.currLocation == nil {
-		return Location{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		}, nil
-	}
-	stateCopy := *c.currLocation
-	return stateCopy, nil
-}
--- a/core/internal/geolocation/client_ip.go
+++ b/core/internal/geolocation/client_ip.go
@@ -1,91 +0,0 @@
-package geolocation
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-)
-
-type IpClient struct {
-	currLocation *Location
-}
-
-type ipLocationResult struct {
-	Location
-	City string
-}
-
-type ipAPIResponse struct {
-	Status string  `json:"status"`
-	Lat    float64 `json:"lat"`
-	Lon    float64 `json:"lon"`
-	City   string  `json:"city"`
-}
-
-func newIpClient() *IpClient {
-	return &IpClient{
-		currLocation: &Location{},
-	}
-}
-
-func (c *IpClient) Subscribe(id string) chan Location {
-	ch := make(chan Location, 1)
-	if location, err := c.GetLocation(); err == nil {
-		ch <- location
-	}
-	return ch
-}
-
-func (c *IpClient) Unsubscribe(id string) {}
-
-func (c *IpClient) Close() {}
-
-func (c *IpClient) GetLocation() (Location, error) {
-	if c.currLocation.Latitude != 0 || c.currLocation.Longitude != 0 {
-		return *c.currLocation, nil
-	}
-
-	result, err := fetchIPLocation()
-	if err != nil {
-		return Location{}, err
-	}
-
-	c.currLocation.Latitude = result.Latitude
-	c.currLocation.Longitude = result.Longitude
-	return *c.currLocation, nil
-}
-
-func fetchIPLocation() (ipLocationResult, error) {
-	client := &http.Client{Timeout: 10 * time.Second}
-
-	resp, err := client.Get("http://ip-api.com/json/")
-	if err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to fetch IP location: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return ipLocationResult{}, fmt.Errorf("ip-api.com returned status %d", resp.StatusCode)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to read response: %w", err)
-	}
-
-	var data ipAPIResponse
-	if err := json.Unmarshal(body, &data); err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to parse response: %w", err)
-	}
-
-	if data.Status == "fail" || (data.Lat == 0 && data.Lon == 0) {
-		return ipLocationResult{}, fmt.Errorf("ip-api.com returned no location data")
-	}
-
-	return ipLocationResult{
-		Location: Location{Latitude: data.Lat, Longitude: data.Lon},
-		City:     data.City,
-	}, nil
-}
--- a/core/internal/geolocation/types.go
+++ b/core/internal/geolocation/types.go
@@ -1,15 +0,0 @@
-package geolocation
-
-type Location struct {
-	Latitude  float64
-	Longitude float64
-}
-
-type Client interface {
-	GetLocation() (Location, error)
-
-	Subscribe(id string) chan Location
-	Unsubscribe(id string)
-
-	Close()
-}
--- a/core/internal/greeter/installer.go
+++ b/core/internal/greeter/installer.go
@@ -16,7 +16,6 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/config"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/matugen"
-	sharedpam "github.com/AvengeMedia/DankMaterialShell/core/internal/pam"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/sblinch/kdl-go"
@@ -27,7 +26,26 @@ var appArmorProfileData []byte

 const appArmorProfileDest = "/etc/apparmor.d/usr.bin.dms-greeter"

-const GreeterCacheDir = "/var/cache/dms-greeter"
+const (
+	GreeterCacheDir = "/var/cache/dms-greeter"
+
+	GreeterPamManagedBlockStart = "# BEGIN DMS GREETER AUTH (managed by dms greeter sync)"
+	GreeterPamManagedBlockEnd   = "# END DMS GREETER AUTH"
+
+	legacyGreeterPamFprintComment = "# DMS greeter fingerprint"
+	legacyGreeterPamU2FComment    = "# DMS greeter U2F"
+)
+
+// Common PAM auth stack names referenced by greetd across supported distros.
+var includedPamAuthFiles = []string{
+	"system-auth",
+	"common-auth",
+	"password-auth",
+	"system-login",
+	"system-local-login",
+	"common-auth-pc",
+	"login",
+}

 func DetectDMSPath() (string, error) {
 	return config.LocateDMSConfig()
@@ -574,6 +592,7 @@ func EnsureGreeterCacheDir(logFunc func(string), sudoPassword string) error {
 	runtimeDirs := []string{
 		filepath.Join(cacheDir, ".local"),
 		filepath.Join(cacheDir, ".local", "state"),
+		filepath.Join(cacheDir, ".local", "state", "wireplumber"),
 		filepath.Join(cacheDir, ".local", "share"),
 		filepath.Join(cacheDir, ".cache"),
 	}
@@ -693,6 +712,49 @@ func InstallAppArmorProfile(logFunc func(string), sudoPassword string) error {
 	return nil
 }

+// RemoveGreeterPamManagedBlock strips the DMS managed auth block from /etc/pam.d/greetd
+func RemoveGreeterPamManagedBlock(logFunc func(string), sudoPassword string) error {
+	if IsNixOS() {
+		return nil
+	}
+	const greetdPamPath = "/etc/pam.d/greetd"
+	data, err := os.ReadFile(greetdPamPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return fmt.Errorf("failed to read %s: %w", greetdPamPath, err)
+	}
+
+	stripped, removed := stripManagedGreeterPamBlock(string(data))
+	strippedAgain, removedLegacy := stripLegacyGreeterPamLines(stripped)
+	if !removed && !removedLegacy {
+		return nil
+	}
+
+	tmp, err := os.CreateTemp("", "dms-pam-greetd-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp PAM file: %w", err)
+	}
+	tmpPath := tmp.Name()
+	defer os.Remove(tmpPath)
+
+	if _, err := tmp.WriteString(strippedAgain); err != nil {
+		tmp.Close()
+		return fmt.Errorf("failed to write temp PAM file: %w", err)
+	}
+	tmp.Close()
+
+	if err := privesc.Run(context.Background(), sudoPassword, "cp", tmpPath, greetdPamPath); err != nil {
+		return fmt.Errorf("failed to write PAM config: %w", err)
+	}
+	if err := privesc.Run(context.Background(), sudoPassword, "chmod", "644", greetdPamPath); err != nil {
+		return fmt.Errorf("failed to set PAM config permissions: %w", err)
+	}
+	logFunc("  ✓ Removed DMS managed PAM block from " + greetdPamPath)
+	return nil
+}
+
 // UninstallAppArmorProfile removes the DMS AppArmor profile and reloads AppArmor.
 // It is a no-op when AppArmor is not active or the profile does not exist.
 func UninstallAppArmorProfile(logFunc func(string), sudoPassword string) error {
@@ -1190,7 +1252,7 @@ func syncGreeterColorSource(homeDir, cacheDir string, state greeterThemeSyncStat
 	return nil
 }

-func SyncDMSConfigs(dmsPath, compositor string, logFunc func(string), sudoPassword string) error {
+func SyncDMSConfigs(dmsPath, compositor string, logFunc func(string), sudoPassword string, forceAuth bool) error {
 	homeDir, err := os.UserHomeDir()
 	if err != nil {
 		return fmt.Errorf("failed to get user home directory: %w", err)
@@ -1255,6 +1317,10 @@ func SyncDMSConfigs(dmsPath, compositor string, logFunc func(string), sudoPasswo
 		return fmt.Errorf("greeter wallpaper override sync failed: %w", err)
 	}

+	if err := syncGreeterPamConfig(homeDir, logFunc, sudoPassword, forceAuth); err != nil {
+		return fmt.Errorf("greeter PAM config sync failed: %w", err)
+	}
+
 	if strings.ToLower(compositor) != "niri" {
 		return nil
 	}
@@ -1303,6 +1369,378 @@ func syncGreeterWallpaperOverride(cacheDir string, logFunc func(string), sudoPas
 	return nil
 }

+func pamModuleExists(module string) bool {
+	for _, libDir := range []string{
+		"/usr/lib64/security",
+		"/usr/lib/security",
+		"/lib64/security",
+		"/lib/security",
+		"/lib/x86_64-linux-gnu/security",
+		"/usr/lib/x86_64-linux-gnu/security",
+		"/lib/aarch64-linux-gnu/security",
+		"/usr/lib/aarch64-linux-gnu/security",
+		"/run/current-system/sw/lib64/security",
+		"/run/current-system/sw/lib/security",
+	} {
+		if _, err := os.Stat(filepath.Join(libDir, module)); err == nil {
+			return true
+		}
+	}
+	return false
+}
+
+func stripManagedGreeterPamBlock(content string) (string, bool) {
+	lines := strings.Split(content, "\n")
+	filtered := make([]string, 0, len(lines))
+	inManagedBlock := false
+	removed := false
+
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == GreeterPamManagedBlockStart {
+			inManagedBlock = true
+			removed = true
+			continue
+		}
+		if trimmed == GreeterPamManagedBlockEnd {
+			inManagedBlock = false
+			removed = true
+			continue
+		}
+		if inManagedBlock {
+			removed = true
+			continue
+		}
+		filtered = append(filtered, line)
+	}
+
+	return strings.Join(filtered, "\n"), removed
+}
+
+func stripLegacyGreeterPamLines(content string) (string, bool) {
+	lines := strings.Split(content, "\n")
+	filtered := make([]string, 0, len(lines))
+	removed := false
+
+	for i := 0; i < len(lines); i++ {
+		trimmed := strings.TrimSpace(lines[i])
+		if strings.HasPrefix(trimmed, legacyGreeterPamFprintComment) || strings.HasPrefix(trimmed, legacyGreeterPamU2FComment) {
+			removed = true
+			if i+1 < len(lines) {
+				nextLine := strings.TrimSpace(lines[i+1])
+				if strings.HasPrefix(nextLine, "auth") &&
+					(strings.Contains(nextLine, "pam_fprintd") || strings.Contains(nextLine, "pam_u2f")) {
+					i++
+				}
+			}
+			continue
+		}
+		filtered = append(filtered, lines[i])
+	}
+
+	return strings.Join(filtered, "\n"), removed
+}
+
+func insertManagedGreeterPamBlock(content string, blockLines []string, greetdPamPath string) (string, error) {
+	lines := strings.Split(content, "\n")
+	for i, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed != "" && !strings.HasPrefix(trimmed, "#") && strings.HasPrefix(trimmed, "auth") {
+			block := strings.Join(blockLines, "\n")
+			prefix := strings.Join(lines[:i], "\n")
+			suffix := strings.Join(lines[i:], "\n")
+			switch {
+			case prefix == "":
+				return block + "\n" + suffix, nil
+			case suffix == "":
+				return prefix + "\n" + block, nil
+			default:
+				return prefix + "\n" + block + "\n" + suffix, nil
+			}
+		}
+	}
+	return "", fmt.Errorf("no auth directive found in %s", greetdPamPath)
+}
+
+func PamTextIncludesFile(pamText, filename string) bool {
+	lines := strings.Split(pamText, "\n")
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		if strings.Contains(trimmed, filename) &&
+			(strings.Contains(trimmed, "include") || strings.Contains(trimmed, "substack") || strings.HasPrefix(trimmed, "@include")) {
+			return true
+		}
+	}
+	return false
+}
+
+func PamFileHasModule(pamFilePath, module string) bool {
+	data, err := os.ReadFile(pamFilePath)
+	if err != nil {
+		return false
+	}
+	lines := strings.Split(string(data), "\n")
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		if strings.Contains(trimmed, module) {
+			return true
+		}
+	}
+	return false
+}
+
+func DetectIncludedPamModule(pamText, module string) string {
+	for _, includedFile := range includedPamAuthFiles {
+		if PamTextIncludesFile(pamText, includedFile) && PamFileHasModule("/etc/pam.d/"+includedFile, module) {
+			return includedFile
+		}
+	}
+	return ""
+}
+
+type greeterAuthSettings struct {
+	GreeterEnableFprint bool `json:"greeterEnableFprint"`
+	GreeterEnableU2f    bool `json:"greeterEnableU2f"`
+}
+
+func readGreeterAuthSettings(homeDir string) (greeterAuthSettings, error) {
+	settingsPath := filepath.Join(homeDir, ".config", "DankMaterialShell", "settings.json")
+	data, err := os.ReadFile(settingsPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return greeterAuthSettings{}, nil
+		}
+		return greeterAuthSettings{}, fmt.Errorf("failed to read settings at %s: %w", settingsPath, err)
+	}
+	if strings.TrimSpace(string(data)) == "" {
+		return greeterAuthSettings{}, nil
+	}
+	var settings greeterAuthSettings
+	if err := json.Unmarshal(data, &settings); err != nil {
+		return greeterAuthSettings{}, fmt.Errorf("failed to parse settings at %s: %w", settingsPath, err)
+	}
+	return settings, nil
+}
+
+func ReadGreeterAuthToggles(homeDir string) (enableFprint bool, enableU2f bool, err error) {
+	settings, err := readGreeterAuthSettings(homeDir)
+	if err != nil {
+		return false, false, err
+	}
+	return settings.GreeterEnableFprint, settings.GreeterEnableU2f, nil
+}
+
+func hasEnrolledFingerprintOutput(output string) bool {
+	lower := strings.ToLower(output)
+	if strings.Contains(lower, "no fingers enrolled") ||
+		strings.Contains(lower, "no fingerprints enrolled") ||
+		strings.Contains(lower, "no prints enrolled") {
+		return false
+	}
+	if strings.Contains(lower, "has fingers enrolled") ||
+		strings.Contains(lower, "has fingerprints enrolled") {
+		return true
+	}
+	for _, line := range strings.Split(lower, "\n") {
+		trimmed := strings.TrimSpace(line)
+		if strings.HasPrefix(trimmed, "finger:") {
+			return true
+		}
+		if strings.HasPrefix(trimmed, "- ") && strings.Contains(trimmed, "finger") {
+			return true
+		}
+	}
+	return false
+}
+
+func FingerprintAuthAvailableForUser(username string) bool {
+	username = strings.TrimSpace(username)
+	if username == "" {
+		return false
+	}
+	if !pamModuleExists("pam_fprintd.so") {
+		return false
+	}
+	if _, err := exec.LookPath("fprintd-list"); err != nil {
+		return false
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	out, err := exec.CommandContext(ctx, "fprintd-list", username).CombinedOutput()
+	if err != nil {
+		return false
+	}
+	return hasEnrolledFingerprintOutput(string(out))
+}
+
+func FingerprintAuthAvailableForCurrentUser() bool {
+	username := strings.TrimSpace(os.Getenv("SUDO_USER"))
+	if username == "" {
+		username = strings.TrimSpace(os.Getenv("USER"))
+	}
+	if username == "" {
+		out, err := exec.Command("id", "-un").Output()
+		if err == nil {
+			username = strings.TrimSpace(string(out))
+		}
+	}
+	return FingerprintAuthAvailableForUser(username)
+}
+
+func pamManagerHintForCurrentDistro() string {
+	osInfo, err := distros.GetOSInfo()
+	if err != nil {
+		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+	config, exists := distros.Registry[osInfo.Distribution.ID]
+	if !exists {
+		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+
+	switch config.Family {
+	case distros.FamilyFedora:
+		return "Disable it in authselect to force password-only greeter login."
+	case distros.FamilyDebian, distros.FamilyUbuntu:
+		return "Disable it in pam-auth-update to force password-only greeter login."
+	default:
+		return "Disable it in your distro PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+}
+
+func syncGreeterPamConfig(homeDir string, logFunc func(string), sudoPassword string, forceAuth bool) error {
+	var wantFprint, wantU2f bool
+	fprintToggleEnabled := forceAuth
+	u2fToggleEnabled := forceAuth
+	if forceAuth {
+		wantFprint = pamModuleExists("pam_fprintd.so")
+		wantU2f = pamModuleExists("pam_u2f.so")
+	} else {
+		settings, err := readGreeterAuthSettings(homeDir)
+		if err != nil {
+			return err
+		}
+		fprintToggleEnabled = settings.GreeterEnableFprint
+		u2fToggleEnabled = settings.GreeterEnableU2f
+		fprintModule := pamModuleExists("pam_fprintd.so")
+		u2fModule := pamModuleExists("pam_u2f.so")
+		wantFprint = settings.GreeterEnableFprint && fprintModule
+		wantU2f = settings.GreeterEnableU2f && u2fModule
+		if settings.GreeterEnableFprint && !fprintModule {
+			logFunc("⚠ Warning: greeter fingerprint toggle is enabled, but pam_fprintd.so was not found.")
+		}
+		if settings.GreeterEnableU2f && !u2fModule {
+			logFunc("⚠ Warning: greeter security key toggle is enabled, but pam_u2f.so was not found.")
+		}
+	}
+
+	if IsNixOS() {
+		logFunc("ℹ NixOS detected: PAM config is managed by NixOS modules. Skipping DMS PAM block write.")
+		logFunc("  Configure fingerprint/U2F auth via your greetd NixOS module options (e.g. security.pam.services.greetd).")
+		return nil
+	}
+
+	greetdPamPath := "/etc/pam.d/greetd"
+	pamData, err := os.ReadFile(greetdPamPath)
+	if err != nil {
+		return fmt.Errorf("failed to read %s: %w", greetdPamPath, err)
+	}
+	originalContent := string(pamData)
+	content, _ := stripManagedGreeterPamBlock(originalContent)
+	content, _ = stripLegacyGreeterPamLines(content)
+
+	includedFprintFile := DetectIncludedPamModule(content, "pam_fprintd.so")
+	includedU2fFile := DetectIncludedPamModule(content, "pam_u2f.so")
+	fprintAvailableForCurrentUser := FingerprintAuthAvailableForCurrentUser()
+	if wantFprint && includedFprintFile != "" {
+		logFunc("⚠ pam_fprintd already present in included " + includedFprintFile + " (managed by authselect/pam-auth-update). Skipping DMS fprint block to avoid double-fingerprint auth.")
+		wantFprint = false
+	}
+	if wantU2f && includedU2fFile != "" {
+		logFunc("⚠ pam_u2f already present in included " + includedU2fFile + " (managed by authselect/pam-auth-update). Skipping DMS U2F block to avoid double security-key auth.")
+		wantU2f = false
+	}
+	if !wantFprint && includedFprintFile != "" {
+		if fprintToggleEnabled {
+			logFunc("ℹ Fingerprint auth is still enabled via included " + includedFprintFile + ".")
+			if fprintAvailableForCurrentUser {
+				logFunc("  DMS toggle is enabled, and effective auth is provided by the included PAM stack.")
+			} else {
+				logFunc("  No enrolled fingerprints detected for the current user; password auth remains the effective path.")
+			}
+		} else {
+			if fprintAvailableForCurrentUser {
+				logFunc("ℹ Fingerprint auth is active via included " + includedFprintFile + " while DMS fingerprint toggle is off.")
+				logFunc("  Password login will work but may be delayed while the fingerprint module runs first.")
+				logFunc("  To eliminate the delay, " + pamManagerHintForCurrentDistro())
+			} else {
+				logFunc("ℹ pam_fprintd is present via included " + includedFprintFile + ", but no enrolled fingerprints were detected for the current user.")
+				logFunc("  Password auth remains the effective login path.")
+			}
+		}
+	}
+	if !wantU2f && includedU2fFile != "" {
+		if u2fToggleEnabled {
+			logFunc("ℹ Security-key auth is still enabled via included " + includedU2fFile + ".")
+			logFunc("  DMS toggle is enabled, but effective auth is provided by the included PAM stack.")
+		} else {
+			logFunc("⚠ Security-key auth is active via included " + includedU2fFile + " while DMS security-key toggle is off.")
+			logFunc("  " + pamManagerHintForCurrentDistro())
+		}
+	}
+
+	if wantFprint || wantU2f {
+		blockLines := []string{GreeterPamManagedBlockStart}
+		if wantFprint {
+			blockLines = append(blockLines, "auth sufficient pam_fprintd.so max-tries=1 timeout=5")
+		}
+		if wantU2f {
+			blockLines = append(blockLines, "auth sufficient pam_u2f.so cue nouserok timeout=10")
+		}
+		blockLines = append(blockLines, GreeterPamManagedBlockEnd)
+
+		content, err = insertManagedGreeterPamBlock(content, blockLines, greetdPamPath)
+		if err != nil {
+			return err
+		}
+	}
+
+	if content == originalContent {
+		return nil
+	}
+
+	tmpFile, err := os.CreateTemp("", "greetd-pam-*.conf")
+	if err != nil {
+		return err
+	}
+	tmpPath := tmpFile.Name()
+	defer os.Remove(tmpPath)
+	if _, err := tmpFile.WriteString(content); err != nil {
+		tmpFile.Close()
+		return err
+	}
+	if err := tmpFile.Close(); err != nil {
+		return err
+	}
+	if err := privesc.Run(context.Background(), sudoPassword, "cp", tmpPath, greetdPamPath); err != nil {
+		return fmt.Errorf("failed to install updated PAM config at %s: %w", greetdPamPath, err)
+	}
+	if err := privesc.Run(context.Background(), sudoPassword, "chmod", "644", greetdPamPath); err != nil {
+		return fmt.Errorf("failed to set permissions on %s: %w", greetdPamPath, err)
+	}
+	if wantFprint || wantU2f {
+		logFunc("✓ Configured greetd PAM for fingerprint/U2F")
+	} else {
+		logFunc("✓ Cleared DMS-managed greeter PAM auth block")
+	}
+	return nil
+}
+
 type niriGreeterSync struct {
 	processed   map[string]bool
 	nodes       []*document.Node
@@ -1710,6 +2148,8 @@ vt = 1

 	wrapperCmd := resolveGreeterWrapperPath()

+	// Build command based on compositor and dms path
+	// When dmsPath is empty (packaged greeter), omit -p; wrapper finds /usr/share/quickshell/dms-greeter
 	compositorLower := strings.ToLower(compositor)
 	commandValue := fmt.Sprintf("%s --command %s --cache-dir %s", wrapperCmd, compositorLower, GreeterCacheDir)
 	if dmsPath != "" {
@@ -1955,15 +2395,10 @@ func AutoSetupGreeter(compositor, sudoPassword string, logFunc func(string)) err
 	}

 	logFunc("Synchronizing DMS configurations...")
-	if err := SyncDMSConfigs(dmsPath, compositor, logFunc, sudoPassword); err != nil {
+	if err := SyncDMSConfigs(dmsPath, compositor, logFunc, sudoPassword, false); err != nil {
 		logFunc(fmt.Sprintf("⚠ Warning: config sync error: %v", err))
 	}

-	logFunc("Configuring authentication...")
-	if err := sharedpam.SyncAuthConfig(logFunc, sudoPassword, sharedpam.SyncAuthOptions{}); err != nil {
-		return fmt.Errorf("failed to sync authentication: %w", err)
-	}
-
 	logFunc("Checking for conflicting display managers...")
 	if err := DisableConflictingDisplayManagers(sudoPassword, logFunc); err != nil {
 		logFunc(fmt.Sprintf("⚠ Warning: %v", err))
--- a/core/internal/greeter/installer_test.go
+++ b/core/internal/greeter/installer_test.go
@@ -6,7 +6,7 @@ import (
 	"testing"
 )

-func writeTestFile(t *testing.T, path string, content string) {
+func writeTestJSON(t *testing.T, path string, content string) {
 	t.Helper()
 	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
 		t.Fatalf("failed to create parent dir for %s: %v", path, err)
@@ -70,8 +70,8 @@ func TestResolveGreeterThemeSyncState(t *testing.T) {
 			t.Parallel()

 			homeDir := t.TempDir()
-			writeTestFile(t, filepath.Join(homeDir, ".config", "DankMaterialShell", "settings.json"), tt.settingsJSON)
-			writeTestFile(t, filepath.Join(homeDir, ".local", "state", "DankMaterialShell", "session.json"), tt.sessionJSON)
+			writeTestJSON(t, filepath.Join(homeDir, ".config", "DankMaterialShell", "settings.json"), tt.settingsJSON)
+			writeTestJSON(t, filepath.Join(homeDir, ".local", "state", "DankMaterialShell", "session.json"), tt.sessionJSON)

 			state, err := resolveGreeterThemeSyncState(homeDir)
 			if err != nil {
--- a/core/internal/headless/runner.go
+++ b/core/internal/headless/runner.go
@@ -1,439 +0,0 @@
-package headless
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/config"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/greeter"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
-)
-
-// ErrConfirmationRequired is returned when --yes is not set and the user
-// must explicitly confirm the operation.
-var ErrConfirmationRequired = fmt.Errorf("confirmation required: pass --yes to proceed")
-
-// validConfigNames maps lowercase CLI input to the deployer key used in
-// replaceConfigs. Keep in sync with the config types checked by
-// shouldReplaceConfig in deployer.go.
-var validConfigNames = map[string]string{
-	"niri":      "Niri",
-	"hyprland":  "Hyprland",
-	"ghostty":   "Ghostty",
-	"kitty":     "Kitty",
-	"alacritty": "Alacritty",
-}
-
-// orderedConfigNames defines the canonical order for config names in output.
-// Must be kept in sync with validConfigNames.
-var orderedConfigNames = []string{"niri", "hyprland", "ghostty", "kitty", "alacritty"}
-
-// Config holds all CLI parameters for unattended installation.
-type Config struct {
-	Compositor        string // "niri" or "hyprland"
-	Terminal          string // "ghostty", "kitty", or "alacritty"
-	IncludeDeps       []string
-	ExcludeDeps       []string
-	ReplaceConfigs    []string // specific configs to deploy (e.g. "niri", "ghostty")
-	ReplaceConfigsAll bool     // deploy/replace all configurations
-	Yes               bool
-}
-
-// Runner orchestrates unattended (headless) installation.
-type Runner struct {
-	cfg     Config
-	logChan chan string
-}
-
-// NewRunner creates a new headless runner.
-func NewRunner(cfg Config) *Runner {
-	return &Runner{
-		cfg:     cfg,
-		logChan: make(chan string, 1000),
-	}
-}
-
-// GetLogChan returns the log channel for file logging.
-func (r *Runner) GetLogChan() <-chan string {
-	return r.logChan
-}
-
-// Run executes the full unattended installation flow.
-func (r *Runner) Run() error {
-	r.log("Starting headless installation")
-
-	// 1. Parse compositor and terminal selections
-	wm, err := r.parseWindowManager()
-	if err != nil {
-		return err
-	}
-
-	terminal, err := r.parseTerminal()
-	if err != nil {
-		return err
-	}
-
-	// 2. Build replace-configs map
-	replaceConfigs, err := r.buildReplaceConfigs()
-	if err != nil {
-		return err
-	}
-
-	// 3. Detect OS
-	r.log("Detecting operating system...")
-	osInfo, err := distros.GetOSInfo()
-	if err != nil {
-		return fmt.Errorf("OS detection failed: %w", err)
-	}
-
-	if distros.IsUnsupportedDistro(osInfo.Distribution.ID, osInfo.VersionID) {
-		return fmt.Errorf("unsupported distribution: %s %s", osInfo.PrettyName, osInfo.VersionID)
-	}
-
-	fmt.Fprintf(os.Stdout, "Detected: %s (%s)\n", osInfo.PrettyName, osInfo.Architecture)
-
-	// 4. Create distribution instance
-	distro, err := distros.NewDistribution(osInfo.Distribution.ID, r.logChan)
-	if err != nil {
-		return fmt.Errorf("failed to initialize distribution: %w", err)
-	}
-
-	// 5. Detect dependencies
-	r.log("Detecting dependencies...")
-	fmt.Fprintln(os.Stdout, "Detecting dependencies...")
-	dependencies, err := distro.DetectDependenciesWithTerminal(context.Background(), wm, terminal)
-	if err != nil {
-		return fmt.Errorf("dependency detection failed: %w", err)
-	}
-
-	// 5. Apply include/exclude filters and build the disabled-items map.
-	// Headless mode does not currently collect any explicit reinstall selections,
-	// so keep reinstallItems nil instead of constructing an always-empty map.
-	disabledItems, err := r.buildDisabledItems(dependencies)
-	if err != nil {
-		return err
-	}
-	var reinstallItems map[string]bool
-
-	// Print dependency summary
-	fmt.Fprintln(os.Stdout, "\nDependencies:")
-	for _, dep := range dependencies {
-		marker := "  "
-		status := ""
-		if disabledItems[dep.Name] {
-			marker = "  SKIP "
-			status = "(disabled)"
-		} else {
-			switch dep.Status {
-			case deps.StatusInstalled:
-				marker = "  OK   "
-				status = "(installed)"
-			case deps.StatusMissing:
-				marker = "  NEW  "
-				status = "(will install)"
-			case deps.StatusNeedsUpdate:
-				marker = "  UPD  "
-				status = "(will update)"
-			case deps.StatusNeedsReinstall:
-				marker = "  RE   "
-				status = "(will reinstall)"
-			}
-		}
-		fmt.Fprintf(os.Stdout, "%s%-30s %s\n", marker, dep.Name, status)
-	}
-	fmt.Fprintln(os.Stdout)
-
-	// 6b. Require explicit confirmation unless --yes is set
-	if !r.cfg.Yes {
-		if replaceConfigs == nil {
-			// --replace-configs-all
-			fmt.Fprintln(os.Stdout, "Packages will be installed and all configurations will be replaced.")
-			fmt.Fprintln(os.Stdout, "Existing config files will be backed up before replacement.")
-		} else if r.anyConfigEnabled(replaceConfigs) {
-			var names []string
-			for _, cliName := range orderedConfigNames {
-				deployerKey := validConfigNames[cliName]
-				if replaceConfigs[deployerKey] {
-					names = append(names, deployerKey)
-				}
-			}
-			fmt.Fprintf(os.Stdout, "Packages will be installed. The following configurations will be replaced (with backups): %s\n", strings.Join(names, ", "))
-		} else {
-			fmt.Fprintln(os.Stdout, "Packages will be installed. No configurations will be deployed.")
-		}
-		fmt.Fprintln(os.Stdout, "Re-run with --yes (-y) to proceed.")
-		r.log("Aborted: --yes not set")
-		return ErrConfirmationRequired
-	}
-
-	// 7. Authenticate sudo
-	sudoPassword, err := r.resolveSudoPassword()
-	if err != nil {
-		return err
-	}
-
-	// 8. Install packages
-	fmt.Fprintln(os.Stdout, "Installing packages...")
-	r.log("Starting package installation")
-
-	progressChan := make(chan distros.InstallProgressMsg, 100)
-
-	installErr := make(chan error, 1)
-	go func() {
-		defer close(progressChan)
-		installErr <- distro.InstallPackages(
-			context.Background(),
-			dependencies,
-			wm,
-			sudoPassword,
-			reinstallItems,
-			disabledItems,
-			false, // skipGlobalUseFlags
-			progressChan,
-		)
-	}()
-
-	// Consume progress messages and print them
-	for msg := range progressChan {
-		if msg.Error != nil {
-			fmt.Fprintf(os.Stderr, "Error: %v\n", msg.Error)
-		} else if msg.Step != "" {
-			fmt.Fprintf(os.Stdout, "  [%3.0f%%] %s\n", msg.Progress*100, msg.Step)
-		}
-		if msg.LogOutput != "" {
-			r.log(msg.LogOutput)
-			fmt.Fprintf(os.Stdout, "    %s\n", msg.LogOutput)
-		}
-	}
-
-	if err := <-installErr; err != nil {
-		return fmt.Errorf("package installation failed: %w", err)
-	}
-
-	// 9. Greeter setup (if dms-greeter was included)
-	if !disabledItems["dms-greeter"] && r.depExists(dependencies, "dms-greeter") {
-		compositorName := "niri"
-		if wm == deps.WindowManagerHyprland {
-			compositorName = "Hyprland"
-		}
-		fmt.Fprintln(os.Stdout, "Configuring DMS greeter...")
-		logFunc := func(line string) {
-			r.log(line)
-			fmt.Fprintf(os.Stdout, "  greeter: %s\n", line)
-		}
-		if err := greeter.AutoSetupGreeter(compositorName, sudoPassword, logFunc); err != nil {
-			// Non-fatal, matching TUI behavior
-			fmt.Fprintf(os.Stderr, "Warning: greeter setup issue (non-fatal): %v\n", err)
-		}
-	}
-
-	// 10. Deploy configurations
-	fmt.Fprintln(os.Stdout, "Deploying configurations...")
-	r.log("Starting configuration deployment")
-
-	deployer := config.NewConfigDeployer(r.logChan)
-	results, err := deployer.DeployConfigurationsSelectiveWithReinstalls(
-		context.Background(),
-		wm,
-		terminal,
-		dependencies,
-		replaceConfigs,
-		reinstallItems,
-	)
-	if err != nil {
-		return fmt.Errorf("configuration deployment failed: %w", err)
-	}
-
-	for _, result := range results {
-		if result.Deployed {
-			msg := fmt.Sprintf("  Deployed: %s", result.ConfigType)
-			if result.BackupPath != "" {
-				msg += fmt.Sprintf(" (backup: %s)", result.BackupPath)
-			}
-			fmt.Fprintln(os.Stdout, msg)
-		}
-		if result.Error != nil {
-			fmt.Fprintf(os.Stderr, "  Error deploying %s: %v\n", result.ConfigType, result.Error)
-		}
-	}
-
-	fmt.Fprintln(os.Stdout, "\nInstallation complete!")
-	r.log("Headless installation completed successfully")
-	return nil
-}
-
-// buildDisabledItems computes the set of dependencies that should be skipped
-// during installation, applying the --include-deps and --exclude-deps filters.
-// dms-greeter is disabled by default (opt-in), matching TUI behavior.
-func (r *Runner) buildDisabledItems(dependencies []deps.Dependency) (map[string]bool, error) {
-	disabledItems := make(map[string]bool)
-
-	// dms-greeter is opt-in (disabled by default), matching TUI behavior
-	for i := range dependencies {
-		if dependencies[i].Name == "dms-greeter" {
-			disabledItems["dms-greeter"] = true
-			break
-		}
-	}
-
-	// Process --include-deps (enable items that are disabled by default)
-	for _, name := range r.cfg.IncludeDeps {
-		name = strings.TrimSpace(name)
-		if name == "" {
-			continue
-		}
-		if !r.depExists(dependencies, name) {
-			return nil, fmt.Errorf("--include-deps: unknown dependency %q", name)
-		}
-		delete(disabledItems, name)
-	}
-
-	// Process --exclude-deps (disable items)
-	for _, name := range r.cfg.ExcludeDeps {
-		name = strings.TrimSpace(name)
-		if name == "" {
-			continue
-		}
-		if !r.depExists(dependencies, name) {
-			return nil, fmt.Errorf("--exclude-deps: unknown dependency %q", name)
-		}
-		// Don't allow excluding DMS itself
-		if name == "dms (DankMaterialShell)" {
-			return nil, fmt.Errorf("--exclude-deps: cannot exclude required package %q", name)
-		}
-		disabledItems[name] = true
-	}
-
-	return disabledItems, nil
-}
-
-// buildReplaceConfigs converts the --replace-configs / --replace-configs-all
-// flags into the map[string]bool consumed by the config deployer.
-//
-// Returns:
-//   - nil when --replace-configs-all is set (deployer treats nil as "replace all")
-//   - a map with all known configs set to false when neither flag is set (deploy only if config file is missing on disk)
-//   - a map with requested configs true, all others false for --replace-configs
-//   - an error when both flags are set or an invalid config name is given
-func (r *Runner) buildReplaceConfigs() (map[string]bool, error) {
-	hasSpecific := len(r.cfg.ReplaceConfigs) > 0
-	if hasSpecific && r.cfg.ReplaceConfigsAll {
-		return nil, fmt.Errorf("--replace-configs and --replace-configs-all are mutually exclusive")
-	}
-
-	if r.cfg.ReplaceConfigsAll {
-		return nil, nil
-	}
-
-	// Build a map with all known configs explicitly set to false
-	result := make(map[string]bool, len(validConfigNames))
-	for _, cliName := range orderedConfigNames {
-		result[validConfigNames[cliName]] = false
-	}
-
-	// Enable only the requested configs
-	for _, name := range r.cfg.ReplaceConfigs {
-		name = strings.TrimSpace(name)
-		if name == "" {
-			continue
-		}
-		deployerKey, ok := validConfigNames[strings.ToLower(name)]
-		if !ok {
-			return nil, fmt.Errorf("--replace-configs: unknown config %q; valid values: niri, hyprland, ghostty, kitty, alacritty", name)
-		}
-		result[deployerKey] = true
-	}
-
-	return result, nil
-}
-
-func (r *Runner) log(message string) {
-	select {
-	case r.logChan <- message:
-	default:
-	}
-}
-
-func (r *Runner) parseWindowManager() (deps.WindowManager, error) {
-	switch strings.ToLower(r.cfg.Compositor) {
-	case "niri":
-		return deps.WindowManagerNiri, nil
-	case "hyprland":
-		return deps.WindowManagerHyprland, nil
-	default:
-		return 0, fmt.Errorf("invalid --compositor value %q: must be 'niri' or 'hyprland'", r.cfg.Compositor)
-	}
-}
-
-func (r *Runner) parseTerminal() (deps.Terminal, error) {
-	switch strings.ToLower(r.cfg.Terminal) {
-	case "ghostty":
-		return deps.TerminalGhostty, nil
-	case "kitty":
-		return deps.TerminalKitty, nil
-	case "alacritty":
-		return deps.TerminalAlacritty, nil
-	default:
-		return 0, fmt.Errorf("invalid --term value %q: must be 'ghostty', 'kitty', or 'alacritty'", r.cfg.Terminal)
-	}
-}
-
-func (r *Runner) resolveSudoPassword() (string, error) {
-	tool, err := privesc.Detect()
-	if err != nil {
-		return "", err
-	}
-
-	if err := privesc.CheckCached(context.Background()); err == nil {
-		r.log(fmt.Sprintf("%s cache is valid, no password needed", tool.Name()))
-		fmt.Fprintf(os.Stdout, "%s: using cached credentials\n", tool.Name())
-		return "", nil
-	}
-
-	switch tool {
-	case privesc.ToolSudo:
-		return "", fmt.Errorf(
-			"sudo authentication required but no cached credentials found\n" +
-				"Options:\n" +
-				"  1. Run 'sudo -v' before dankinstall to cache credentials\n" +
-				"  2. Configure passwordless sudo for your user",
-		)
-	case privesc.ToolDoas:
-		return "", fmt.Errorf(
-			"doas authentication required but no cached credentials found\n" +
-				"Options:\n" +
-				"  1. Run 'doas true' before dankinstall to cache credentials (requires 'persist' in /etc/doas.conf)\n" +
-				"  2. Configure a 'nopass' rule in /etc/doas.conf for your user",
-		)
-	case privesc.ToolRun0:
-		return "", fmt.Errorf(
-			"run0 authentication required but no cached credentials found\n" +
-				"Configure a polkit rule granting your user passwordless privilege\n" +
-				"(see `man polkit` for details on rules in /etc/polkit-1/rules.d/)",
-		)
-	default:
-		return "", fmt.Errorf("unsupported privilege tool: %s", tool)
-	}
-}
-
-func (r *Runner) anyConfigEnabled(m map[string]bool) bool {
-	for _, v := range m {
-		if v {
-			return true
-		}
-	}
-	return false
-}
-
-func (r *Runner) depExists(dependencies []deps.Dependency, name string) bool {
-	for _, dep := range dependencies {
-		if dep.Name == name {
-			return true
-		}
-	}
-	return false
-}
--- a/core/internal/headless/runner_test.go
+++ b/core/internal/headless/runner_test.go
@@ -1,459 +0,0 @@
-package headless
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
-)
-
-func TestParseWindowManager(t *testing.T) {
-	tests := []struct {
-		name    string
-		input   string
-		want    deps.WindowManager
-		wantErr bool
-	}{
-		{"niri lowercase", "niri", deps.WindowManagerNiri, false},
-		{"niri mixed case", "Niri", deps.WindowManagerNiri, false},
-		{"hyprland lowercase", "hyprland", deps.WindowManagerHyprland, false},
-		{"hyprland mixed case", "Hyprland", deps.WindowManagerHyprland, false},
-		{"invalid", "sway", 0, true},
-		{"empty", "", 0, true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := NewRunner(Config{Compositor: tt.input})
-			got, err := r.parseWindowManager()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("parseWindowManager() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !tt.wantErr && got != tt.want {
-				t.Errorf("parseWindowManager() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestParseTerminal(t *testing.T) {
-	tests := []struct {
-		name    string
-		input   string
-		want    deps.Terminal
-		wantErr bool
-	}{
-		{"ghostty lowercase", "ghostty", deps.TerminalGhostty, false},
-		{"ghostty mixed case", "Ghostty", deps.TerminalGhostty, false},
-		{"kitty lowercase", "kitty", deps.TerminalKitty, false},
-		{"alacritty lowercase", "alacritty", deps.TerminalAlacritty, false},
-		{"alacritty uppercase", "ALACRITTY", deps.TerminalAlacritty, false},
-		{"invalid", "wezterm", 0, true},
-		{"empty", "", 0, true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := NewRunner(Config{Terminal: tt.input})
-			got, err := r.parseTerminal()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("parseTerminal() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !tt.wantErr && got != tt.want {
-				t.Errorf("parseTerminal() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestDepExists(t *testing.T) {
-	dependencies := []deps.Dependency{
-		{Name: "niri", Status: deps.StatusInstalled},
-		{Name: "ghostty", Status: deps.StatusMissing},
-		{Name: "dms (DankMaterialShell)", Status: deps.StatusInstalled},
-		{Name: "dms-greeter", Status: deps.StatusMissing},
-	}
-
-	tests := []struct {
-		name string
-		dep  string
-		want bool
-	}{
-		{"existing dep", "niri", true},
-		{"existing dep with special chars", "dms (DankMaterialShell)", true},
-		{"existing optional dep", "dms-greeter", true},
-		{"non-existing dep", "firefox", false},
-		{"empty name", "", false},
-	}
-
-	r := NewRunner(Config{})
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := r.depExists(dependencies, tt.dep); got != tt.want {
-				t.Errorf("depExists(%q) = %v, want %v", tt.dep, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestNewRunner(t *testing.T) {
-	cfg := Config{
-		Compositor:  "niri",
-		Terminal:    "ghostty",
-		IncludeDeps: []string{"dms-greeter"},
-		ExcludeDeps: []string{"some-pkg"},
-		Yes:         true,
-	}
-	r := NewRunner(cfg)
-
-	if r == nil {
-		t.Fatal("NewRunner returned nil")
-	}
-	if r.cfg.Compositor != "niri" {
-		t.Errorf("cfg.Compositor = %q, want %q", r.cfg.Compositor, "niri")
-	}
-	if r.cfg.Terminal != "ghostty" {
-		t.Errorf("cfg.Terminal = %q, want %q", r.cfg.Terminal, "ghostty")
-	}
-	if !r.cfg.Yes {
-		t.Error("cfg.Yes = false, want true")
-	}
-	if r.logChan == nil {
-		t.Error("logChan is nil")
-	}
-}
-
-func TestGetLogChan(t *testing.T) {
-	r := NewRunner(Config{})
-	ch := r.GetLogChan()
-	if ch == nil {
-		t.Fatal("GetLogChan returned nil")
-	}
-
-	// Verify the channel is readable by sending a message
-	go func() {
-		r.logChan <- "test message"
-	}()
-	msg := <-ch
-	if msg != "test message" {
-		t.Errorf("received %q, want %q", msg, "test message")
-	}
-}
-
-func TestLog(t *testing.T) {
-	r := NewRunner(Config{})
-
-	// log should not block even if channel is full
-	for i := 0; i < 1100; i++ {
-		r.log("message")
-	}
-	// If we reach here without hanging, the non-blocking send works
-}
-
-func TestRunRequiresYes(t *testing.T) {
-	// Verify that ErrConfirmationRequired is a distinct sentinel error
-	if ErrConfirmationRequired == nil {
-		t.Fatal("ErrConfirmationRequired should not be nil")
-	}
-	expected := "confirmation required: pass --yes to proceed"
-	if ErrConfirmationRequired.Error() != expected {
-		t.Errorf("ErrConfirmationRequired = %q, want %q", ErrConfirmationRequired.Error(), expected)
-	}
-}
-
-func TestConfigYesStoredCorrectly(t *testing.T) {
-	// Yes=false (default) should be stored
-	rNo := NewRunner(Config{Compositor: "niri", Terminal: "ghostty", Yes: false})
-	if rNo.cfg.Yes {
-		t.Error("cfg.Yes = true, want false")
-	}
-
-	// Yes=true should be stored
-	rYes := NewRunner(Config{Compositor: "niri", Terminal: "ghostty", Yes: true})
-	if !rYes.cfg.Yes {
-		t.Error("cfg.Yes = false, want true")
-	}
-}
-
-func TestValidConfigNamesCompleteness(t *testing.T) {
-	// orderedConfigNames and validConfigNames must stay in sync.
-	if len(orderedConfigNames) != len(validConfigNames) {
-		t.Fatalf("orderedConfigNames has %d entries but validConfigNames has %d",
-			len(orderedConfigNames), len(validConfigNames))
-	}
-
-	// Every entry in orderedConfigNames must exist in validConfigNames.
-	for _, name := range orderedConfigNames {
-		if _, ok := validConfigNames[name]; !ok {
-			t.Errorf("orderedConfigNames contains %q which is missing from validConfigNames", name)
-		}
-	}
-
-	// validConfigNames must have no extra keys not in orderedConfigNames.
-	ordered := make(map[string]bool, len(orderedConfigNames))
-	for _, name := range orderedConfigNames {
-		ordered[name] = true
-	}
-	for key := range validConfigNames {
-		if !ordered[key] {
-			t.Errorf("validConfigNames contains %q which is missing from orderedConfigNames", key)
-		}
-	}
-}
-
-func TestBuildReplaceConfigs(t *testing.T) {
-	allDeployerKeys := []string{"Niri", "Hyprland", "Ghostty", "Kitty", "Alacritty"}
-
-	tests := []struct {
-		name           string
-		replaceConfigs []string
-		replaceAll     bool
-		wantNil        bool     // expect nil (replace all)
-		wantEnabled    []string // deployer keys that should be true
-		wantErr        bool
-	}{
-		{
-			name:        "neither flag set",
-			wantNil:     false,
-			wantEnabled: nil, // all should be false
-		},
-		{
-			name:       "replace-configs-all",
-			replaceAll: true,
-			wantNil:    true,
-		},
-		{
-			name:           "specific configs",
-			replaceConfigs: []string{"niri", "ghostty"},
-			wantNil:        false,
-			wantEnabled:    []string{"Niri", "Ghostty"},
-		},
-		{
-			name:           "both flags set",
-			replaceConfigs: []string{"niri"},
-			replaceAll:     true,
-			wantErr:        true,
-		},
-		{
-			name:           "invalid config name",
-			replaceConfigs: []string{"foo"},
-			wantErr:        true,
-		},
-		{
-			name:           "case insensitive",
-			replaceConfigs: []string{"NIRI", "Ghostty"},
-			wantNil:        false,
-			wantEnabled:    []string{"Niri", "Ghostty"},
-		},
-		{
-			name:           "single config",
-			replaceConfigs: []string{"kitty"},
-			wantNil:        false,
-			wantEnabled:    []string{"Kitty"},
-		},
-		{
-			name:           "whitespace entry",
-			replaceConfigs: []string{"  ", "niri"},
-			wantNil:        false,
-			wantEnabled:    []string{"Niri"},
-		},
-		{
-			name:           "duplicate entry",
-			replaceConfigs: []string{"niri", "niri"},
-			wantNil:        false,
-			wantEnabled:    []string{"Niri"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := NewRunner(Config{
-				ReplaceConfigs:    tt.replaceConfigs,
-				ReplaceConfigsAll: tt.replaceAll,
-			})
-			got, err := r.buildReplaceConfigs()
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("buildReplaceConfigs() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			if tt.wantErr {
-				return
-			}
-			if tt.wantNil {
-				if got != nil {
-					t.Fatalf("buildReplaceConfigs() = %v, want nil", got)
-				}
-				return
-			}
-			if got == nil {
-				t.Fatal("buildReplaceConfigs() = nil, want non-nil map")
-			}
-
-			// All known deployer keys must be present
-			for _, key := range allDeployerKeys {
-				if _, exists := got[key]; !exists {
-					t.Errorf("missing deployer key %q in result map", key)
-				}
-			}
-
-			// Build enabled set for easy lookup
-			enabledSet := make(map[string]bool)
-			for _, k := range tt.wantEnabled {
-				enabledSet[k] = true
-			}
-
-			for _, key := range allDeployerKeys {
-				want := enabledSet[key]
-				if got[key] != want {
-					t.Errorf("replaceConfigs[%q] = %v, want %v", key, got[key], want)
-				}
-			}
-		})
-	}
-}
-
-func TestConfigReplaceConfigsStoredCorrectly(t *testing.T) {
-	r := NewRunner(Config{
-		Compositor:        "niri",
-		Terminal:          "ghostty",
-		ReplaceConfigs:    []string{"niri", "ghostty"},
-		ReplaceConfigsAll: false,
-	})
-	if len(r.cfg.ReplaceConfigs) != 2 {
-		t.Errorf("len(ReplaceConfigs) = %d, want 2", len(r.cfg.ReplaceConfigs))
-	}
-	if r.cfg.ReplaceConfigsAll {
-		t.Error("ReplaceConfigsAll = true, want false")
-	}
-
-	r2 := NewRunner(Config{
-		Compositor:        "niri",
-		Terminal:          "ghostty",
-		ReplaceConfigsAll: true,
-	})
-	if !r2.cfg.ReplaceConfigsAll {
-		t.Error("ReplaceConfigsAll = false, want true")
-	}
-	if len(r2.cfg.ReplaceConfigs) != 0 {
-		t.Errorf("len(ReplaceConfigs) = %d, want 0", len(r2.cfg.ReplaceConfigs))
-	}
-}
-
-func TestBuildDisabledItems(t *testing.T) {
-	dependencies := []deps.Dependency{
-		{Name: "niri", Status: deps.StatusInstalled},
-		{Name: "ghostty", Status: deps.StatusMissing},
-		{Name: "dms (DankMaterialShell)", Status: deps.StatusInstalled},
-		{Name: "dms-greeter", Status: deps.StatusMissing},
-		{Name: "waybar", Status: deps.StatusMissing},
-	}
-
-	tests := []struct {
-		name         string
-		includeDeps  []string
-		excludeDeps  []string
-		deps         []deps.Dependency // nil means use the shared fixture
-		wantErr      bool
-		errContains  string   // substring expected in error message
-		wantDisabled []string // dep names that should be in disabledItems
-		wantEnabled  []string // dep names that should NOT be in disabledItems (extra check)
-	}{
-		{
-			name:         "no flags set, dms-greeter disabled by default",
-			wantDisabled: []string{"dms-greeter"},
-			wantEnabled:  []string{"niri", "ghostty", "waybar"},
-		},
-		{
-			name:        "include dms-greeter enables it",
-			includeDeps: []string{"dms-greeter"},
-			wantEnabled: []string{"dms-greeter"},
-		},
-		{
-			name:         "exclude a regular dep",
-			excludeDeps:  []string{"waybar"},
-			wantDisabled: []string{"dms-greeter", "waybar"},
-		},
-		{
-			name:        "include unknown dep returns error",
-			includeDeps: []string{"nonexistent"},
-			wantErr:     true,
-			errContains: "--include-deps",
-		},
-		{
-			name:        "exclude unknown dep returns error",
-			excludeDeps: []string{"nonexistent"},
-			wantErr:     true,
-			errContains: "--exclude-deps",
-		},
-		{
-			name:        "exclude DMS itself is forbidden",
-			excludeDeps: []string{"dms (DankMaterialShell)"},
-			wantErr:     true,
-			errContains: "cannot exclude required package",
-		},
-		{
-			name:         "include and exclude same dep",
-			includeDeps:  []string{"dms-greeter"},
-			excludeDeps:  []string{"dms-greeter"},
-			wantDisabled: []string{"dms-greeter"},
-		},
-		{
-			name:        "whitespace entries are skipped",
-			includeDeps: []string{"  ", "dms-greeter"},
-			wantEnabled: []string{"dms-greeter"},
-		},
-		{
-			name: "no dms-greeter in deps, nothing disabled by default",
-			deps: []deps.Dependency{
-				{Name: "niri", Status: deps.StatusInstalled},
-			},
-			wantEnabled: []string{"niri"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := NewRunner(Config{
-				IncludeDeps: tt.includeDeps,
-				ExcludeDeps: tt.excludeDeps,
-			})
-			d := tt.deps
-			if d == nil {
-				d = dependencies
-			}
-			got, err := r.buildDisabledItems(d)
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("buildDisabledItems() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			if tt.wantErr {
-				if tt.errContains != "" && !strings.Contains(err.Error(), tt.errContains) {
-					t.Errorf("error %q does not contain %q", err.Error(), tt.errContains)
-				}
-				return
-			}
-			if got == nil {
-				t.Fatal("buildDisabledItems() returned nil map, want non-nil")
-			}
-
-			// Check expected disabled items
-			for _, name := range tt.wantDisabled {
-				if !got[name] {
-					t.Errorf("expected %q to be disabled, but it is not", name)
-				}
-			}
-
-			// Check expected enabled items (should not be in the map or be false)
-			for _, name := range tt.wantEnabled {
-				if got[name] {
-					t.Errorf("expected %q to NOT be disabled, but it is", name)
-				}
-			}
-
-			// If wantDisabled is empty, the map should have length 0
-			if len(tt.wantDisabled) == 0 && len(got) != 0 {
-				t.Errorf("expected empty disabledItems map, got %v", got)
-			}
-		})
-	}
-}
--- a/core/internal/log/filelogger.go
+++ b/core/internal/log/filelogger.go
@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"fmt"
 	"os"
-	"path/filepath"
 	"regexp"
 	"sync"
 	"time"
@@ -22,16 +21,7 @@ type FileLogger struct {

 func NewFileLogger() (*FileLogger, error) {
 	timestamp := time.Now().Unix()
-
-	// Use DANKINSTALL_LOG_DIR if set, otherwise fall back to /tmp.
-	logDir := os.Getenv("DANKINSTALL_LOG_DIR")
-	if logDir == "" {
-		logDir = "/tmp"
-	}
-	if err := os.MkdirAll(logDir, 0o755); err != nil {
-		return nil, fmt.Errorf("failed to create log directory: %w", err)
-	}
-	logPath := filepath.Join(logDir, fmt.Sprintf("dankinstall-%d.log", timestamp))
+	logPath := fmt.Sprintf("/tmp/dankinstall-%d.log", timestamp)

 	file, err := os.Create(logPath)
 	if err != nil {
--- a/core/internal/matugen/matugen.go
+++ b/core/internal/matugen/matugen.go
@@ -99,7 +99,6 @@ type Options struct {
 	Mode                ColorMode
 	IconTheme           string
 	MatugenType         string
-	Contrast            float64
 	RunUserTemplates    bool
 	ColorsOnly          bool
 	StockColors         string
@@ -229,7 +228,6 @@ func buildOnce(opts *Options) (bool, error) {

 		log.Info("Running matugen color hex with stock color overrides")
 		args := []string{"color", "hex", primaryDark, "-m", string(opts.Mode), "-t", opts.MatugenType, "-c", cfgFile.Name()}
-		args = appendContrastArg(args, opts.Contrast)
 		args = append(args, importArgs...)
 		if err := runMatugen(args); err != nil {
 			return false, err
@@ -266,7 +264,6 @@ func buildOnce(opts *Options) (bool, error) {
 			args = []string{opts.Kind, opts.Value}
 		}
 		args = append(args, "-m", string(opts.Mode), "-t", opts.MatugenType, "-c", cfgFile.Name())
-		args = appendContrastArg(args, opts.Contrast)
 		args = append(args, importArgs...)
 		if err := runMatugen(args); err != nil {
 			return false, err
@@ -302,13 +299,6 @@ func buildOnce(opts *Options) (bool, error) {
 	return true, nil
 }

-func appendContrastArg(args []string, contrast float64) []string {
-	if contrast == 0 {
-		return args
-	}
-	return append(args, "--contrast", strconv.FormatFloat(contrast, 'f', -1, 64))
-}
-
 func buildMergedConfig(opts *Options, cfgFile *os.File, tmpDir string) error {
 	userConfigPath := filepath.Join(opts.ConfigDir, "matugen", "config.toml")

@@ -697,7 +687,6 @@ func execDryRun(opts *Options, flags matugenFlags) (string, error) {
 		baseArgs = []string{opts.Kind, opts.Value}
 	}
 	baseArgs = append(baseArgs, "-m", "dark", "-t", opts.MatugenType, "--json", "hex", "--dry-run")
-	baseArgs = appendContrastArg(baseArgs, opts.Contrast)
 	if flags.isV4 {
 		baseArgs = append(baseArgs, "--source-color-index", "0", "--old-json-output")
 	}
--- a/core/internal/mocks/geolocation/mock_Client.go
+++ b/core/internal/mocks/geolocation/mock_Client.go
@@ -1,203 +0,0 @@
-// Code generated by mockery v2.53.5. DO NOT EDIT.
-
-package mocks_geolocation
-
-import (
-	geolocation "github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockClient is an autogenerated mock type for the Client type
-type MockClient struct {
-	mock.Mock
-}
-
-type MockClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockClient) EXPECT() *MockClient_Expecter {
-	return &MockClient_Expecter{mock: &_m.Mock}
-}
-
-// Close provides a mock function with no fields
-func (_m *MockClient) Close() {
-	_m.Called()
-}
-
-// MockClient_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
-type MockClient_Close_Call struct {
-	*mock.Call
-}
-
-// Close is a helper method to define mock.On call
-func (_e *MockClient_Expecter) Close() *MockClient_Close_Call {
-	return &MockClient_Close_Call{Call: _e.mock.On("Close")}
-}
-
-func (_c *MockClient_Close_Call) Run(run func()) *MockClient_Close_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockClient_Close_Call) Return() *MockClient_Close_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockClient_Close_Call) RunAndReturn(run func()) *MockClient_Close_Call {
-	_c.Run(run)
-	return _c
-}
-
-// GetLocation provides a mock function with no fields
-func (_m *MockClient) GetLocation() (geolocation.Location, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetLocation")
-	}
-
-	var r0 geolocation.Location
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (geolocation.Location, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() geolocation.Location); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(geolocation.Location)
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockClient_GetLocation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetLocation'
-type MockClient_GetLocation_Call struct {
-	*mock.Call
-}
-
-// GetLocation is a helper method to define mock.On call
-func (_e *MockClient_Expecter) GetLocation() *MockClient_GetLocation_Call {
-	return &MockClient_GetLocation_Call{Call: _e.mock.On("GetLocation")}
-}
-
-func (_c *MockClient_GetLocation_Call) Run(run func()) *MockClient_GetLocation_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockClient_GetLocation_Call) Return(_a0 geolocation.Location, _a1 error) *MockClient_GetLocation_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockClient_GetLocation_Call) RunAndReturn(run func() (geolocation.Location, error)) *MockClient_GetLocation_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Subscribe provides a mock function with given fields: id
-func (_m *MockClient) Subscribe(id string) chan geolocation.Location {
-	ret := _m.Called(id)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Subscribe")
-	}
-
-	var r0 chan geolocation.Location
-	if rf, ok := ret.Get(0).(func(string) chan geolocation.Location); ok {
-		r0 = rf(id)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(chan geolocation.Location)
-		}
-	}
-
-	return r0
-}
-
-// MockClient_Subscribe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Subscribe'
-type MockClient_Subscribe_Call struct {
-	*mock.Call
-}
-
-// Subscribe is a helper method to define mock.On call
-//   - id string
-func (_e *MockClient_Expecter) Subscribe(id interface{}) *MockClient_Subscribe_Call {
-	return &MockClient_Subscribe_Call{Call: _e.mock.On("Subscribe", id)}
-}
-
-func (_c *MockClient_Subscribe_Call) Run(run func(id string)) *MockClient_Subscribe_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockClient_Subscribe_Call) Return(_a0 chan geolocation.Location) *MockClient_Subscribe_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockClient_Subscribe_Call) RunAndReturn(run func(string) chan geolocation.Location) *MockClient_Subscribe_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Unsubscribe provides a mock function with given fields: id
-func (_m *MockClient) Unsubscribe(id string) {
-	_m.Called(id)
-}
-
-// MockClient_Unsubscribe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Unsubscribe'
-type MockClient_Unsubscribe_Call struct {
-	*mock.Call
-}
-
-// Unsubscribe is a helper method to define mock.On call
-//   - id string
-func (_e *MockClient_Expecter) Unsubscribe(id interface{}) *MockClient_Unsubscribe_Call {
-	return &MockClient_Unsubscribe_Call{Call: _e.mock.On("Unsubscribe", id)}
-}
-
-func (_c *MockClient_Unsubscribe_Call) Run(run func(id string)) *MockClient_Unsubscribe_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockClient_Unsubscribe_Call) Return() *MockClient_Unsubscribe_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockClient_Unsubscribe_Call) RunAndReturn(run func(string)) *MockClient_Unsubscribe_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockClient creates a new instance of MockClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockClient {
-	mock := &MockClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/core/internal/mocks/network/mock_Backend.go
+++ b/core/internal/mocks/network/mock_Backend.go
@@ -1062,62 +1062,6 @@ func (_c *MockBackend_GetWiFiNetworkDetails_Call) RunAndReturn(run func(string)
 	return _c
 }

-// GetWiFiQRCodeContent provides a mock function with given fields: ssid
-func (_m *MockBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	ret := _m.Called(ssid)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetWiFiQRCodeContent")
-	}
-
-	var r0 string
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
-		return rf(ssid)
-	}
-	if rf, ok := ret.Get(0).(func(string) string); ok {
-		r0 = rf(ssid)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	if rf, ok := ret.Get(1).(func(string) error); ok {
-		r1 = rf(ssid)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockBackend_GetWiFiQRCodeContent_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetWiFiQRCodeContent'
-type MockBackend_GetWiFiQRCodeContent_Call struct {
-	*mock.Call
-}
-
-// GetWiFiQRCodeContent is a helper method to define mock.On call
-//   - ssid string
-func (_e *MockBackend_Expecter) GetWiFiQRCodeContent(ssid interface{}) *MockBackend_GetWiFiQRCodeContent_Call {
-	return &MockBackend_GetWiFiQRCodeContent_Call{Call: _e.mock.On("GetWiFiQRCodeContent", ssid)}
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) Run(run func(ssid string)) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) Return(_a0 string, _a1 error) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) RunAndReturn(run func(string) (string, error)) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // GetWiredConnections provides a mock function with no fields
 func (_m *MockBackend) GetWiredConnections() ([]network.WiredConnection, error) {
 	ret := _m.Called()
--- a/core/internal/pam/pam.go
+++ b/core/internal/pam/pam.go
@@ -1,874 +0,0 @@
-package pam
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
-)
-
-const (
-	GreeterPamManagedBlockStart = "# BEGIN DMS GREETER AUTH (managed by dms greeter sync)"
-	GreeterPamManagedBlockEnd   = "# END DMS GREETER AUTH"
-
-	LockscreenPamManagedBlockStart = "# BEGIN DMS LOCKSCREEN AUTH (managed by dms greeter sync)"
-	LockscreenPamManagedBlockEnd   = "# END DMS LOCKSCREEN AUTH"
-
-	LockscreenU2FPamManagedBlockStart = "# BEGIN DMS LOCKSCREEN U2F AUTH (managed by dms auth sync)"
-	LockscreenU2FPamManagedBlockEnd   = "# END DMS LOCKSCREEN U2F AUTH"
-
-	legacyGreeterPamFprintComment = "# DMS greeter fingerprint"
-	legacyGreeterPamU2FComment    = "# DMS greeter U2F"
-
-	GreetdPamPath       = "/etc/pam.d/greetd"
-	DankshellPamPath    = "/etc/pam.d/dankshell"
-	DankshellU2FPamPath = "/etc/pam.d/dankshell-u2f"
-)
-
-var includedPamAuthFiles = []string{
-	"system-auth",
-	"common-auth",
-	"password-auth",
-	"system-login",
-	"system-local-login",
-	"common-auth-pc",
-	"login",
-}
-
-type AuthSettings struct {
-	EnableFprint        bool `json:"enableFprint"`
-	EnableU2f           bool `json:"enableU2f"`
-	GreeterEnableFprint bool `json:"greeterEnableFprint"`
-	GreeterEnableU2f    bool `json:"greeterEnableU2f"`
-}
-
-type SyncAuthOptions struct {
-	HomeDir          string
-	ForceGreeterAuth bool
-}
-
-type syncDeps struct {
-	pamDir                             string
-	greetdPath                         string
-	dankshellPath                      string
-	dankshellU2fPath                   string
-	isNixOS                            func() bool
-	readFile                           func(string) ([]byte, error)
-	stat                               func(string) (os.FileInfo, error)
-	createTemp                         func(string, string) (*os.File, error)
-	removeFile                         func(string) error
-	runSudoCmd                         func(string, string, ...string) error
-	pamModuleExists                    func(string) bool
-	fingerprintAvailableForCurrentUser func() bool
-}
-
-type lockscreenPamIncludeDirective struct {
-	target     string
-	filterType string
-}
-
-type lockscreenPamResolver struct {
-	pamDir   string
-	readFile func(string) ([]byte, error)
-}
-
-func defaultSyncDeps() syncDeps {
-	return syncDeps{
-		pamDir:           "/etc/pam.d",
-		greetdPath:       GreetdPamPath,
-		dankshellPath:    DankshellPamPath,
-		dankshellU2fPath: DankshellU2FPamPath,
-		isNixOS:          IsNixOS,
-		readFile:         os.ReadFile,
-		stat:             os.Stat,
-		createTemp:       os.CreateTemp,
-		removeFile:       os.Remove,
-		runSudoCmd: func(password, command string, args ...string) error {
-			return privesc.Run(context.Background(), password, append([]string{command}, args...)...)
-		},
-		pamModuleExists:                    pamModuleExists,
-		fingerprintAvailableForCurrentUser: FingerprintAuthAvailableForCurrentUser,
-	}
-}
-
-func IsNixOS() bool {
-	_, err := os.Stat("/etc/NIXOS")
-	return err == nil
-}
-
-func ReadAuthSettings(homeDir string) (AuthSettings, error) {
-	settingsPath := filepath.Join(homeDir, ".config", "DankMaterialShell", "settings.json")
-	data, err := os.ReadFile(settingsPath)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return AuthSettings{}, nil
-		}
-		return AuthSettings{}, fmt.Errorf("failed to read settings at %s: %w", settingsPath, err)
-	}
-	if strings.TrimSpace(string(data)) == "" {
-		return AuthSettings{}, nil
-	}
-
-	var settings AuthSettings
-	if err := json.Unmarshal(data, &settings); err != nil {
-		return AuthSettings{}, fmt.Errorf("failed to parse settings at %s: %w", settingsPath, err)
-	}
-	return settings, nil
-}
-
-func ReadGreeterAuthToggles(homeDir string) (enableFprint bool, enableU2f bool, err error) {
-	settings, err := ReadAuthSettings(homeDir)
-	if err != nil {
-		return false, false, err
-	}
-	return settings.GreeterEnableFprint, settings.GreeterEnableU2f, nil
-}
-
-func SyncAuthConfig(logFunc func(string), sudoPassword string, options SyncAuthOptions) error {
-	return syncAuthConfigWithDeps(logFunc, sudoPassword, options, defaultSyncDeps())
-}
-
-func RemoveManagedGreeterPamBlock(logFunc func(string), sudoPassword string) error {
-	return removeManagedGreeterPamBlockWithDeps(logFunc, sudoPassword, defaultSyncDeps())
-}
-
-func syncAuthConfigWithDeps(logFunc func(string), sudoPassword string, options SyncAuthOptions, deps syncDeps) error {
-	homeDir := strings.TrimSpace(options.HomeDir)
-	if homeDir == "" {
-		var err error
-		homeDir, err = os.UserHomeDir()
-		if err != nil {
-			return fmt.Errorf("failed to get user home directory: %w", err)
-		}
-	}
-
-	settings, err := ReadAuthSettings(homeDir)
-	if err != nil {
-		return err
-	}
-
-	if err := syncLockscreenPamConfigWithDeps(logFunc, sudoPassword, deps); err != nil {
-		return err
-	}
-	if err := syncLockscreenU2FPamConfigWithDeps(logFunc, sudoPassword, settings.EnableU2f, deps); err != nil {
-		return err
-	}
-
-	if _, err := deps.stat(deps.greetdPath); err != nil {
-		if os.IsNotExist(err) {
-			logFunc("ℹ /etc/pam.d/greetd not found. Skipping greeter PAM sync.")
-			return nil
-		}
-		return fmt.Errorf("failed to inspect %s: %w", deps.greetdPath, err)
-	}
-
-	if err := syncGreeterPamConfigWithDeps(logFunc, sudoPassword, settings, options.ForceGreeterAuth, deps); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func removeManagedGreeterPamBlockWithDeps(logFunc func(string), sudoPassword string, deps syncDeps) error {
-	if deps.isNixOS() {
-		return nil
-	}
-
-	data, err := deps.readFile(deps.greetdPath)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return fmt.Errorf("failed to read %s: %w", deps.greetdPath, err)
-	}
-
-	originalContent := string(data)
-	stripped, removed := stripManagedGreeterPamBlock(originalContent)
-	strippedAgain, removedLegacy := stripLegacyGreeterPamLines(stripped)
-	if !removed && !removedLegacy {
-		return nil
-	}
-
-	if err := writeManagedPamFile(strippedAgain, deps.greetdPath, sudoPassword, deps); err != nil {
-		return fmt.Errorf("failed to write %s: %w", deps.greetdPath, err)
-	}
-
-	logFunc("✓ Removed DMS managed PAM block from " + deps.greetdPath)
-	return nil
-}
-
-func ParseManagedGreeterPamAuth(pamText string) (managed bool, fingerprint bool, u2f bool, legacy bool) {
-	if pamText == "" {
-		return false, false, false, false
-	}
-
-	lines := strings.Split(pamText, "\n")
-	inManaged := false
-	for _, line := range lines {
-		trimmed := strings.TrimSpace(line)
-		switch trimmed {
-		case GreeterPamManagedBlockStart:
-			managed = true
-			inManaged = true
-			continue
-		case GreeterPamManagedBlockEnd:
-			inManaged = false
-			continue
-		}
-
-		if strings.HasPrefix(trimmed, legacyGreeterPamFprintComment) || strings.HasPrefix(trimmed, legacyGreeterPamU2FComment) {
-			legacy = true
-		}
-		if !inManaged {
-			continue
-		}
-		if strings.Contains(trimmed, "pam_fprintd") {
-			fingerprint = true
-		}
-		if strings.Contains(trimmed, "pam_u2f") {
-			u2f = true
-		}
-	}
-
-	return managed, fingerprint, u2f, legacy
-}
-
-func StripManagedGreeterPamContent(pamText string) (string, bool) {
-	stripped, removed := stripManagedGreeterPamBlock(pamText)
-	stripped, removedLegacy := stripLegacyGreeterPamLines(stripped)
-	return stripped, removed || removedLegacy
-}
-
-func PamTextIncludesFile(pamText, filename string) bool {
-	lines := strings.Split(pamText, "\n")
-	for _, line := range lines {
-		trimmed := strings.TrimSpace(line)
-		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
-			continue
-		}
-		if strings.Contains(trimmed, filename) &&
-			(strings.Contains(trimmed, "include") || strings.Contains(trimmed, "substack") || strings.HasPrefix(trimmed, "@include")) {
-			return true
-		}
-	}
-	return false
-}
-
-func PamFileHasModule(pamFilePath, module string) bool {
-	data, err := os.ReadFile(pamFilePath)
-	if err != nil {
-		return false
-	}
-	return pamContentHasModule(string(data), module)
-}
-
-func DetectIncludedPamModule(pamText, module string) string {
-	return detectIncludedPamModule(pamText, module, defaultSyncDeps())
-}
-
-func detectIncludedPamModule(pamText, module string, deps syncDeps) string {
-	for _, includedFile := range includedPamAuthFiles {
-		if !PamTextIncludesFile(pamText, includedFile) {
-			continue
-		}
-		path := filepath.Join(deps.pamDir, includedFile)
-		data, err := deps.readFile(path)
-		if err != nil {
-			continue
-		}
-		if pamContentHasModule(string(data), module) {
-			return includedFile
-		}
-	}
-	return ""
-}
-
-func pamContentHasModule(content, module string) bool {
-	lines := strings.Split(content, "\n")
-	for _, line := range lines {
-		trimmed := strings.TrimSpace(line)
-		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
-			continue
-		}
-		if strings.Contains(trimmed, module) {
-			return true
-		}
-	}
-	return false
-}
-
-func hasManagedLockscreenPamFile(content string) bool {
-	return strings.Contains(content, LockscreenPamManagedBlockStart) &&
-		strings.Contains(content, LockscreenPamManagedBlockEnd)
-}
-
-func hasManagedLockscreenU2FPamFile(content string) bool {
-	return strings.Contains(content, LockscreenU2FPamManagedBlockStart) &&
-		strings.Contains(content, LockscreenU2FPamManagedBlockEnd)
-}
-
-func pamDirectiveType(line string) string {
-	fields := strings.Fields(line)
-	if len(fields) == 0 {
-		return ""
-	}
-
-	directiveType := strings.TrimPrefix(fields[0], "-")
-	switch directiveType {
-	case "auth", "account", "password", "session":
-		return directiveType
-	default:
-		return ""
-	}
-}
-
-func isExcludedLockscreenPamLine(line string) bool {
-	for _, field := range strings.Fields(line) {
-		if strings.HasPrefix(field, "#") {
-			break
-		}
-		if strings.Contains(field, "pam_u2f") || strings.Contains(field, "pam_fprintd") {
-			return true
-		}
-	}
-	return false
-}
-
-func parseLockscreenPamIncludeDirective(trimmed string, inheritedFilter string) (lockscreenPamIncludeDirective, bool) {
-	fields := strings.Fields(trimmed)
-	if len(fields) >= 2 && fields[0] == "@include" {
-		return lockscreenPamIncludeDirective{
-			target:     fields[1],
-			filterType: inheritedFilter,
-		}, true
-	}
-
-	if len(fields) >= 3 && (fields[1] == "include" || fields[1] == "substack") {
-		lineType := pamDirectiveType(trimmed)
-		if lineType == "" {
-			return lockscreenPamIncludeDirective{}, false
-		}
-		return lockscreenPamIncludeDirective{
-			target:     fields[2],
-			filterType: lineType,
-		}, true
-	}
-
-	if len(fields) >= 3 && fields[1] == "@include" {
-		lineType := pamDirectiveType(trimmed)
-		if lineType == "" {
-			return lockscreenPamIncludeDirective{}, false
-		}
-		return lockscreenPamIncludeDirective{
-			target:     fields[2],
-			filterType: lineType,
-		}, true
-	}
-
-	return lockscreenPamIncludeDirective{}, false
-}
-
-func resolveLockscreenPamIncludePath(pamDir, target string) (string, error) {
-	if strings.TrimSpace(target) == "" {
-		return "", fmt.Errorf("empty PAM include target")
-	}
-
-	cleanPamDir := filepath.Clean(pamDir)
-	if filepath.IsAbs(target) {
-		cleanTarget := filepath.Clean(target)
-		if filepath.Dir(cleanTarget) != cleanPamDir {
-			return "", fmt.Errorf("unsupported PAM include outside %s: %s", cleanPamDir, target)
-		}
-		return cleanTarget, nil
-	}
-
-	cleanTarget := filepath.Clean(target)
-	if cleanTarget == "." || cleanTarget == ".." || strings.HasPrefix(cleanTarget, ".."+string(os.PathSeparator)) {
-		return "", fmt.Errorf("invalid PAM include target: %s", target)
-	}
-
-	return filepath.Join(cleanPamDir, cleanTarget), nil
-}
-
-func (r lockscreenPamResolver) resolveService(serviceName string, filterType string, stack []string) ([]string, error) {
-	path, err := resolveLockscreenPamIncludePath(r.pamDir, serviceName)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, seen := range stack {
-		if seen == path {
-			chain := append(append([]string{}, stack...), path)
-			display := make([]string, 0, len(chain))
-			for _, item := range chain {
-				display = append(display, filepath.Base(item))
-			}
-			return nil, fmt.Errorf("cyclic PAM include detected: %s", strings.Join(display, " -> "))
-		}
-	}
-
-	data, err := r.readFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read PAM file %s: %w", path, err)
-	}
-
-	var resolved []string
-	for _, rawLine := range strings.Split(strings.ReplaceAll(string(data), "\r\n", "\n"), "\n") {
-		rawLine = strings.TrimRight(rawLine, "\r")
-		trimmed := strings.TrimSpace(rawLine)
-		if trimmed == "" || strings.HasPrefix(trimmed, "#") || trimmed == "#%PAM-1.0" {
-			continue
-		}
-
-		if include, ok := parseLockscreenPamIncludeDirective(trimmed, filterType); ok {
-			lineType := pamDirectiveType(trimmed)
-			if filterType != "" && lineType != "" && lineType != filterType {
-				continue
-			}
-
-			nested, err := r.resolveService(include.target, include.filterType, append(stack, path))
-			if err != nil {
-				return nil, err
-			}
-			resolved = append(resolved, nested...)
-			continue
-		}
-
-		lineType := pamDirectiveType(trimmed)
-		if lineType == "" {
-			return nil, fmt.Errorf("unsupported PAM directive in %s: %s", filepath.Base(path), trimmed)
-		}
-		if filterType != "" && lineType != filterType {
-			continue
-		}
-		if isExcludedLockscreenPamLine(trimmed) {
-			continue
-		}
-
-		resolved = append(resolved, rawLine)
-	}
-
-	return resolved, nil
-}
-
-func buildManagedLockscreenPamContent(pamDir string, readFile func(string) ([]byte, error)) (string, error) {
-	resolver := lockscreenPamResolver{
-		pamDir:   pamDir,
-		readFile: readFile,
-	}
-
-	resolvedLines, err := resolver.resolveService("login", "", nil)
-	if err != nil {
-		return "", err
-	}
-	if len(resolvedLines) == 0 {
-		return "", fmt.Errorf("no auth directives remained after filtering %s", filepath.Join(pamDir, "login"))
-	}
-
-	hasAuth := false
-	for _, line := range resolvedLines {
-		if pamDirectiveType(strings.TrimSpace(line)) == "auth" {
-			hasAuth = true
-			break
-		}
-	}
-	if !hasAuth {
-		return "", fmt.Errorf("no auth directives remained after filtering %s", filepath.Join(pamDir, "login"))
-	}
-
-	var b strings.Builder
-	b.WriteString("#%PAM-1.0\n")
-	b.WriteString(LockscreenPamManagedBlockStart + "\n")
-	for _, line := range resolvedLines {
-		b.WriteString(line)
-		b.WriteByte('\n')
-	}
-	b.WriteString(LockscreenPamManagedBlockEnd + "\n")
-	return b.String(), nil
-}
-
-func buildManagedLockscreenU2FPamContent() string {
-	var b strings.Builder
-	b.WriteString("#%PAM-1.0\n")
-	b.WriteString(LockscreenU2FPamManagedBlockStart + "\n")
-	b.WriteString("auth    required    pam_u2f.so  cue nouserok timeout=10\n")
-	b.WriteString(LockscreenU2FPamManagedBlockEnd + "\n")
-	return b.String()
-}
-
-func syncLockscreenPamConfigWithDeps(logFunc func(string), sudoPassword string, deps syncDeps) error {
-	if deps.isNixOS() {
-		logFunc("ℹ NixOS detected. DMS continues to use /etc/pam.d/login for lock screen password auth on NixOS unless you declare security.pam.services.dankshell yourself. U2F and fingerprint are handled separately and should not be included in dankshell.")
-		return nil
-	}
-
-	existingData, err := deps.readFile(deps.dankshellPath)
-	if err == nil {
-		if !hasManagedLockscreenPamFile(string(existingData)) {
-			logFunc("ℹ Custom /etc/pam.d/dankshell found (no DMS block). Skipping.")
-			return nil
-		}
-	} else if !os.IsNotExist(err) {
-		return fmt.Errorf("failed to read %s: %w", deps.dankshellPath, err)
-	}
-
-	content, err := buildManagedLockscreenPamContent(deps.pamDir, deps.readFile)
-	if err != nil {
-		return fmt.Errorf("failed to build %s from %s: %w", deps.dankshellPath, filepath.Join(deps.pamDir, "login"), err)
-	}
-
-	if err := writeManagedPamFile(content, deps.dankshellPath, sudoPassword, deps); err != nil {
-		return fmt.Errorf("failed to write %s: %w", deps.dankshellPath, err)
-	}
-
-	logFunc("✓ Created or updated /etc/pam.d/dankshell for lock screen authentication")
-	return nil
-}
-
-func syncLockscreenU2FPamConfigWithDeps(logFunc func(string), sudoPassword string, enabled bool, deps syncDeps) error {
-	if deps.isNixOS() {
-		logFunc("ℹ NixOS detected. DMS does not manage /etc/pam.d/dankshell-u2f on NixOS. Keep using the bundled U2F helper or configure a custom PAM service yourself.")
-		return nil
-	}
-
-	existingData, err := deps.readFile(deps.dankshellU2fPath)
-	if err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("failed to read %s: %w", deps.dankshellU2fPath, err)
-	}
-
-	if enabled {
-		if err == nil && !hasManagedLockscreenU2FPamFile(string(existingData)) {
-			logFunc("ℹ Custom /etc/pam.d/dankshell-u2f found (no DMS block). Skipping.")
-			return nil
-		}
-		if err := writeManagedPamFile(buildManagedLockscreenU2FPamContent(), deps.dankshellU2fPath, sudoPassword, deps); err != nil {
-			return fmt.Errorf("failed to write %s: %w", deps.dankshellU2fPath, err)
-		}
-		logFunc("✓ Created or updated /etc/pam.d/dankshell-u2f for lock screen security-key authentication")
-		return nil
-	}
-
-	if os.IsNotExist(err) {
-		return nil
-	}
-	if err == nil && !hasManagedLockscreenU2FPamFile(string(existingData)) {
-		logFunc("ℹ Custom /etc/pam.d/dankshell-u2f found (no DMS block). Leaving it untouched.")
-		return nil
-	}
-
-	if err := deps.runSudoCmd(sudoPassword, "rm", "-f", deps.dankshellU2fPath); err != nil {
-		return fmt.Errorf("failed to remove %s: %w", deps.dankshellU2fPath, err)
-	}
-	logFunc("✓ Removed DMS-managed /etc/pam.d/dankshell-u2f")
-	return nil
-}
-
-func stripManagedGreeterPamBlock(content string) (string, bool) {
-	lines := strings.Split(content, "\n")
-	filtered := make([]string, 0, len(lines))
-	inManagedBlock := false
-	removed := false
-
-	for _, line := range lines {
-		trimmed := strings.TrimSpace(line)
-		if trimmed == GreeterPamManagedBlockStart {
-			inManagedBlock = true
-			removed = true
-			continue
-		}
-		if trimmed == GreeterPamManagedBlockEnd {
-			inManagedBlock = false
-			removed = true
-			continue
-		}
-		if inManagedBlock {
-			removed = true
-			continue
-		}
-		filtered = append(filtered, line)
-	}
-
-	return strings.Join(filtered, "\n"), removed
-}
-
-func stripLegacyGreeterPamLines(content string) (string, bool) {
-	lines := strings.Split(content, "\n")
-	filtered := make([]string, 0, len(lines))
-	removed := false
-
-	for i := 0; i < len(lines); i++ {
-		trimmed := strings.TrimSpace(lines[i])
-		if strings.HasPrefix(trimmed, legacyGreeterPamFprintComment) || strings.HasPrefix(trimmed, legacyGreeterPamU2FComment) {
-			removed = true
-			if i+1 < len(lines) {
-				nextLine := strings.TrimSpace(lines[i+1])
-				if strings.HasPrefix(nextLine, "auth") &&
-					(strings.Contains(nextLine, "pam_fprintd") || strings.Contains(nextLine, "pam_u2f")) {
-					i++
-				}
-			}
-			continue
-		}
-		filtered = append(filtered, lines[i])
-	}
-
-	return strings.Join(filtered, "\n"), removed
-}
-
-func insertManagedGreeterPamBlock(content string, blockLines []string, greetdPamPath string) (string, error) {
-	lines := strings.Split(content, "\n")
-	for i, line := range lines {
-		trimmed := strings.TrimSpace(line)
-		if trimmed != "" && !strings.HasPrefix(trimmed, "#") && strings.HasPrefix(trimmed, "auth") {
-			block := strings.Join(blockLines, "\n")
-			prefix := strings.Join(lines[:i], "\n")
-			suffix := strings.Join(lines[i:], "\n")
-			switch {
-			case prefix == "":
-				return block + "\n" + suffix, nil
-			case suffix == "":
-				return prefix + "\n" + block, nil
-			default:
-				return prefix + "\n" + block + "\n" + suffix, nil
-			}
-		}
-	}
-	return "", fmt.Errorf("no auth directive found in %s", greetdPamPath)
-}
-
-func syncGreeterPamConfigWithDeps(logFunc func(string), sudoPassword string, settings AuthSettings, forceAuth bool, deps syncDeps) error {
-	var wantFprint, wantU2f bool
-	fprintToggleEnabled := forceAuth
-	u2fToggleEnabled := forceAuth
-	if forceAuth {
-		wantFprint = deps.pamModuleExists("pam_fprintd.so")
-		wantU2f = deps.pamModuleExists("pam_u2f.so")
-	} else {
-		fprintToggleEnabled = settings.GreeterEnableFprint
-		u2fToggleEnabled = settings.GreeterEnableU2f
-		fprintModule := deps.pamModuleExists("pam_fprintd.so")
-		u2fModule := deps.pamModuleExists("pam_u2f.so")
-		wantFprint = settings.GreeterEnableFprint && fprintModule
-		wantU2f = settings.GreeterEnableU2f && u2fModule
-		if settings.GreeterEnableFprint && !fprintModule {
-			logFunc("⚠ Warning: greeter fingerprint toggle is enabled, but pam_fprintd.so was not found.")
-		}
-		if settings.GreeterEnableU2f && !u2fModule {
-			logFunc("⚠ Warning: greeter security key toggle is enabled, but pam_u2f.so was not found.")
-		}
-	}
-
-	if deps.isNixOS() {
-		logFunc("ℹ NixOS detected: PAM config is managed by NixOS modules. Skipping DMS PAM block write.")
-		logFunc("  Configure fingerprint/U2F auth via your greetd NixOS module options (e.g. security.pam.services.greetd).")
-		return nil
-	}
-
-	pamData, err := deps.readFile(deps.greetdPath)
-	if err != nil {
-		return fmt.Errorf("failed to read %s: %w", deps.greetdPath, err)
-	}
-	originalContent := string(pamData)
-	content, _ := stripManagedGreeterPamBlock(originalContent)
-	content, _ = stripLegacyGreeterPamLines(content)
-
-	includedFprintFile := detectIncludedPamModule(content, "pam_fprintd.so", deps)
-	includedU2fFile := detectIncludedPamModule(content, "pam_u2f.so", deps)
-	fprintAvailableForCurrentUser := deps.fingerprintAvailableForCurrentUser()
-	if wantFprint && includedFprintFile != "" {
-		logFunc("⚠ pam_fprintd already present in included " + includedFprintFile + " (managed by authselect/pam-auth-update). Skipping DMS fprint block to avoid double-fingerprint auth.")
-		wantFprint = false
-	}
-	if wantU2f && includedU2fFile != "" {
-		logFunc("⚠ pam_u2f already present in included " + includedU2fFile + " (managed by authselect/pam-auth-update). Skipping DMS U2F block to avoid double security-key auth.")
-		wantU2f = false
-	}
-	if !wantFprint && includedFprintFile != "" {
-		if fprintToggleEnabled {
-			logFunc("ℹ Fingerprint auth is still enabled via included " + includedFprintFile + ".")
-			if fprintAvailableForCurrentUser {
-				logFunc("  DMS toggle is enabled, and effective auth is provided by the included PAM stack.")
-			} else {
-				logFunc("  No enrolled fingerprints detected for the current user; password auth remains the effective path.")
-			}
-		} else {
-			if fprintAvailableForCurrentUser {
-				logFunc("ℹ Fingerprint auth is active via included " + includedFprintFile + " while DMS fingerprint toggle is off.")
-				logFunc("  Password login will work but may be delayed while the fingerprint module runs first.")
-				logFunc("  To eliminate the delay, " + pamManagerHintForCurrentDistro())
-			} else {
-				logFunc("ℹ pam_fprintd is present via included " + includedFprintFile + ", but no enrolled fingerprints were detected for the current user.")
-				logFunc("  Password auth remains the effective login path.")
-			}
-		}
-	}
-	if !wantU2f && includedU2fFile != "" {
-		if u2fToggleEnabled {
-			logFunc("ℹ Security-key auth is still enabled via included " + includedU2fFile + ".")
-			logFunc("  DMS toggle is enabled, but effective auth is provided by the included PAM stack.")
-		} else {
-			logFunc("⚠ Security-key auth is active via included " + includedU2fFile + " while DMS security-key toggle is off.")
-			logFunc("  " + pamManagerHintForCurrentDistro())
-		}
-	}
-
-	if wantFprint || wantU2f {
-		blockLines := []string{GreeterPamManagedBlockStart}
-		if wantFprint {
-			blockLines = append(blockLines, "auth sufficient pam_fprintd.so max-tries=1 timeout=5")
-		}
-		if wantU2f {
-			blockLines = append(blockLines, "auth sufficient pam_u2f.so cue nouserok timeout=10")
-		}
-		blockLines = append(blockLines, GreeterPamManagedBlockEnd)
-
-		content, err = insertManagedGreeterPamBlock(content, blockLines, deps.greetdPath)
-		if err != nil {
-			return err
-		}
-	}
-
-	if content == originalContent {
-		return nil
-	}
-
-	if err := writeManagedPamFile(content, deps.greetdPath, sudoPassword, deps); err != nil {
-		return fmt.Errorf("failed to install updated PAM config at %s: %w", deps.greetdPath, err)
-	}
-	if wantFprint || wantU2f {
-		logFunc("✓ Configured greetd PAM for fingerprint/U2F")
-	} else {
-		logFunc("✓ Cleared DMS-managed greeter PAM auth block")
-	}
-	return nil
-}
-
-func writeManagedPamFile(content string, destPath string, sudoPassword string, deps syncDeps) error {
-	tmpFile, err := deps.createTemp("", "dms-pam-*.conf")
-	if err != nil {
-		return err
-	}
-	tmpPath := tmpFile.Name()
-	defer func() {
-		_ = deps.removeFile(tmpPath)
-	}()
-
-	if _, err := tmpFile.WriteString(content); err != nil {
-		tmpFile.Close()
-		return err
-	}
-	if err := tmpFile.Close(); err != nil {
-		return err
-	}
-	if err := deps.runSudoCmd(sudoPassword, "cp", tmpPath, destPath); err != nil {
-		return err
-	}
-	if err := deps.runSudoCmd(sudoPassword, "chmod", "644", destPath); err != nil {
-		return fmt.Errorf("failed to set permissions on %s: %w", destPath, err)
-	}
-	return nil
-}
-
-func pamManagerHintForCurrentDistro() string {
-	osInfo, err := distros.GetOSInfo()
-	if err != nil {
-		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
-	}
-	config, exists := distros.Registry[osInfo.Distribution.ID]
-	if !exists {
-		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
-	}
-
-	switch config.Family {
-	case distros.FamilyFedora:
-		return "Disable it in authselect to force password-only greeter login."
-	case distros.FamilyDebian, distros.FamilyUbuntu:
-		return "Disable it in pam-auth-update to force password-only greeter login."
-	default:
-		return "Disable it in your distro PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
-	}
-}
-
-func pamModuleExists(module string) bool {
-	for _, libDir := range []string{
-		"/usr/lib64/security",
-		"/usr/lib/security",
-		"/lib64/security",
-		"/lib/security",
-		"/lib/x86_64-linux-gnu/security",
-		"/usr/lib/x86_64-linux-gnu/security",
-		"/lib/aarch64-linux-gnu/security",
-		"/usr/lib/aarch64-linux-gnu/security",
-		"/run/current-system/sw/lib64/security",
-		"/run/current-system/sw/lib/security",
-	} {
-		if _, err := os.Stat(filepath.Join(libDir, module)); err == nil {
-			return true
-		}
-	}
-	return false
-}
-
-func hasEnrolledFingerprintOutput(output string) bool {
-	lower := strings.ToLower(output)
-	if strings.Contains(lower, "no fingers enrolled") ||
-		strings.Contains(lower, "no fingerprints enrolled") ||
-		strings.Contains(lower, "no prints enrolled") {
-		return false
-	}
-	if strings.Contains(lower, "has fingers enrolled") ||
-		strings.Contains(lower, "has fingerprints enrolled") {
-		return true
-	}
-	for _, line := range strings.Split(lower, "\n") {
-		trimmed := strings.TrimSpace(line)
-		if strings.HasPrefix(trimmed, "finger:") {
-			return true
-		}
-		if strings.HasPrefix(trimmed, "- ") && strings.Contains(trimmed, "finger") {
-			return true
-		}
-	}
-	return false
-}
-
-func FingerprintAuthAvailableForCurrentUser() bool {
-	username := strings.TrimSpace(os.Getenv("SUDO_USER"))
-	if username == "" {
-		username = strings.TrimSpace(os.Getenv("USER"))
-	}
-	if username == "" {
-		out, err := exec.Command("id", "-un").Output()
-		if err == nil {
-			username = strings.TrimSpace(string(out))
-		}
-	}
-	return fingerprintAuthAvailableForUser(username)
-}
-
-func fingerprintAuthAvailableForUser(username string) bool {
-	username = strings.TrimSpace(username)
-	if username == "" {
-		return false
-	}
-	if !pamModuleExists("pam_fprintd.so") {
-		return false
-	}
-	if _, err := exec.LookPath("fprintd-list"); err != nil {
-		return false
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-	out, err := exec.CommandContext(ctx, "fprintd-list", username).CombinedOutput()
-	if err != nil {
-		return false
-	}
-	return hasEnrolledFingerprintOutput(string(out))
-}
--- a/core/internal/pam/pam_test.go
+++ b/core/internal/pam/pam_test.go
@@ -1,671 +0,0 @@
-package pam
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-func writeTestFile(t *testing.T, path string, content string) {
-	t.Helper()
-	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		t.Fatalf("failed to create parent dir for %s: %v", path, err)
-	}
-	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
-		t.Fatalf("failed to write %s: %v", path, err)
-	}
-}
-
-type pamTestEnv struct {
-	pamDir               string
-	greetdPath           string
-	dankshellPath        string
-	dankshellU2fPath     string
-	tmpDir               string
-	homeDir              string
-	availableModules     map[string]bool
-	fingerprintAvailable bool
-}
-
-func newPamTestEnv(t *testing.T) *pamTestEnv {
-	t.Helper()
-
-	root := t.TempDir()
-	pamDir := filepath.Join(root, "pam.d")
-	tmpDir := filepath.Join(root, "tmp")
-	homeDir := filepath.Join(root, "home")
-
-	for _, dir := range []string{pamDir, tmpDir, homeDir} {
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			t.Fatalf("failed to create %s: %v", dir, err)
-		}
-	}
-
-	return &pamTestEnv{
-		pamDir:           pamDir,
-		greetdPath:       filepath.Join(pamDir, "greetd"),
-		dankshellPath:    filepath.Join(pamDir, "dankshell"),
-		dankshellU2fPath: filepath.Join(pamDir, "dankshell-u2f"),
-		tmpDir:           tmpDir,
-		homeDir:          homeDir,
-		availableModules: map[string]bool{},
-	}
-}
-
-func (e *pamTestEnv) writePamFile(t *testing.T, name string, content string) {
-	t.Helper()
-	writeTestFile(t, filepath.Join(e.pamDir, name), content)
-}
-
-func (e *pamTestEnv) writeSettings(t *testing.T, content string) {
-	t.Helper()
-	writeTestFile(t, filepath.Join(e.homeDir, ".config", "DankMaterialShell", "settings.json"), content)
-}
-
-func (e *pamTestEnv) deps(isNixOS bool) syncDeps {
-	return syncDeps{
-		pamDir:           e.pamDir,
-		greetdPath:       e.greetdPath,
-		dankshellPath:    e.dankshellPath,
-		dankshellU2fPath: e.dankshellU2fPath,
-		isNixOS:          func() bool { return isNixOS },
-		readFile:         os.ReadFile,
-		stat:             os.Stat,
-		createTemp: func(_ string, pattern string) (*os.File, error) {
-			return os.CreateTemp(e.tmpDir, pattern)
-		},
-		removeFile: os.Remove,
-		runSudoCmd: func(_ string, command string, args ...string) error {
-			switch command {
-			case "cp":
-				if len(args) != 2 {
-					return fmt.Errorf("unexpected cp args: %v", args)
-				}
-				data, err := os.ReadFile(args[0])
-				if err != nil {
-					return err
-				}
-				if err := os.MkdirAll(filepath.Dir(args[1]), 0o755); err != nil {
-					return err
-				}
-				return os.WriteFile(args[1], data, 0o644)
-			case "chmod":
-				if len(args) != 2 {
-					return fmt.Errorf("unexpected chmod args: %v", args)
-				}
-				return nil
-			case "rm":
-				if len(args) != 2 || args[0] != "-f" {
-					return fmt.Errorf("unexpected rm args: %v", args)
-				}
-				if err := os.Remove(args[1]); err != nil && !os.IsNotExist(err) {
-					return err
-				}
-				return nil
-			default:
-				return fmt.Errorf("unexpected sudo command: %s %v", command, args)
-			}
-		},
-		pamModuleExists: func(module string) bool {
-			return e.availableModules[module]
-		},
-		fingerprintAvailableForCurrentUser: func() bool {
-			return e.fingerprintAvailable
-		},
-	}
-}
-
-func readFileString(t *testing.T, path string) string {
-	t.Helper()
-	data, err := os.ReadFile(path)
-	if err != nil {
-		t.Fatalf("failed to read %s: %v", path, err)
-	}
-	return string(data)
-}
-
-func TestHasManagedLockscreenPamFile(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		content string
-		want    bool
-	}{
-		{
-			name: "both markers present",
-			content: "#%PAM-1.0\n" +
-				LockscreenPamManagedBlockStart + "\n" +
-				"auth sufficient pam_unix.so\n" +
-				LockscreenPamManagedBlockEnd + "\n",
-			want: true,
-		},
-		{
-			name: "missing end marker is not managed",
-			content: "#%PAM-1.0\n" +
-				LockscreenPamManagedBlockStart + "\n" +
-				"auth sufficient pam_unix.so\n",
-			want: false,
-		},
-		{
-			name:    "custom file is not managed",
-			content: "#%PAM-1.0\nauth sufficient pam_unix.so\n",
-			want:    false,
-		},
-	}
-
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			if got := hasManagedLockscreenPamFile(tt.content); got != tt.want {
-				t.Fatalf("hasManagedLockscreenPamFile() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestBuildManagedLockscreenPamContent(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name            string
-		files           map[string]string
-		wantContains    []string
-		wantNotContains []string
-		wantCounts      map[string]int
-		wantErr         string
-	}{
-		{
-			name: "preserves custom modules and strips direct u2f and fprint directives",
-			files: map[string]string{
-				"login": "#%PAM-1.0\n" +
-					"auth include system-auth\n" +
-					"account include system-auth\n" +
-					"session include system-auth\n",
-				"system-auth": "auth requisite pam_nologin.so\n" +
-					"auth sufficient pam_unix.so try_first_pass nullok\n" +
-					"auth sufficient pam_u2f.so cue\n" +
-					"auth sufficient pam_fprintd.so max-tries=1\n" +
-					"auth required pam_radius_auth.so conf=/etc/raddb/server\n" +
-					"account required pam_access.so\n" +
-					"session optional pam_lastlog.so silent\n",
-			},
-			wantContains: []string{
-				"#%PAM-1.0",
-				LockscreenPamManagedBlockStart,
-				LockscreenPamManagedBlockEnd,
-				"auth requisite pam_nologin.so",
-				"auth sufficient pam_unix.so try_first_pass nullok",
-				"auth required pam_radius_auth.so conf=/etc/raddb/server",
-				"account required pam_access.so",
-				"session optional pam_lastlog.so silent",
-			},
-			wantNotContains: []string{
-				"pam_u2f",
-				"pam_fprintd",
-			},
-			wantCounts: map[string]int{
-				"auth required pam_radius_auth.so conf=/etc/raddb/server": 1,
-				"account required pam_access.so":                          1,
-			},
-		},
-		{
-			name: "resolves nested include substack and @include transitively",
-			files: map[string]string{
-				"login": "#%PAM-1.0\n" +
-					"auth include system-auth\n" +
-					"account include system-auth\n" +
-					"password include system-auth\n" +
-					"session include system-auth\n",
-				"system-auth": "auth substack custom-auth\n" +
-					"account include custom-auth\n" +
-					"password include custom-auth\n" +
-					"session @include common-session\n",
-				"custom-auth": "auth required pam_custom.so one=two\n" +
-					"account required pam_custom_account.so\n" +
-					"password required pam_custom_password.so\n",
-				"common-session": "session optional pam_fprintd.so max-tries=1\n" +
-					"session optional pam_lastlog.so silent\n",
-			},
-			wantContains: []string{
-				"auth required pam_custom.so one=two",
-				"account required pam_custom_account.so",
-				"password required pam_custom_password.so",
-				"session optional pam_lastlog.so silent",
-			},
-			wantNotContains: []string{
-				"pam_fprintd",
-			},
-			wantCounts: map[string]int{
-				"auth required pam_custom.so one=two":      1,
-				"account required pam_custom_account.so":   1,
-				"password required pam_custom_password.so": 1,
-				"session optional pam_lastlog.so silent":   1,
-			},
-		},
-		{
-			name: "missing include fails",
-			files: map[string]string{
-				"login": "#%PAM-1.0\nauth include missing-auth\n",
-			},
-			wantErr: "failed to read PAM file",
-		},
-		{
-			name: "cyclic include fails",
-			files: map[string]string{
-				"login":       "#%PAM-1.0\nauth include system-auth\n",
-				"system-auth": "auth include login\n",
-			},
-			wantErr: "cyclic PAM include detected",
-		},
-		{
-			name: "no auth directives remain after filtering fails",
-			files: map[string]string{
-				"login":       "#%PAM-1.0\nauth include system-auth\n",
-				"system-auth": "auth sufficient pam_u2f.so cue\n",
-			},
-			wantErr: "no auth directives remained after filtering",
-		},
-	}
-
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			env := newPamTestEnv(t)
-			for name, content := range tt.files {
-				env.writePamFile(t, name, content)
-			}
-
-			content, err := buildManagedLockscreenPamContent(env.pamDir, os.ReadFile)
-			if tt.wantErr != "" {
-				if err == nil {
-					t.Fatalf("expected error containing %q, got nil", tt.wantErr)
-				}
-				if !strings.Contains(err.Error(), tt.wantErr) {
-					t.Fatalf("error = %q, want substring %q", err.Error(), tt.wantErr)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatalf("buildManagedLockscreenPamContent returned error: %v", err)
-			}
-
-			for _, want := range tt.wantContains {
-				if !strings.Contains(content, want) {
-					t.Errorf("missing expected string %q in output:\n%s", want, content)
-				}
-			}
-			for _, notWant := range tt.wantNotContains {
-				if strings.Contains(content, notWant) {
-					t.Errorf("unexpected string %q found in output:\n%s", notWant, content)
-				}
-			}
-			for want, wantCount := range tt.wantCounts {
-				if gotCount := strings.Count(content, want); gotCount != wantCount {
-					t.Errorf("count for %q = %d, want %d\noutput:\n%s", want, gotCount, wantCount, content)
-				}
-			}
-		})
-	}
-}
-
-func TestSyncLockscreenPamConfigWithDeps(t *testing.T) {
-	t.Parallel()
-
-	t.Run("custom dankshell file is skipped untouched", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		customContent := "#%PAM-1.0\nauth required pam_unix.so\n"
-		env.writePamFile(t, "dankshell", customContent)
-
-		var logs []string
-		err := syncLockscreenPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", env.deps(false))
-		if err != nil {
-			t.Fatalf("syncLockscreenPamConfigWithDeps returned error: %v", err)
-		}
-
-		if got := readFileString(t, env.dankshellPath); got != customContent {
-			t.Fatalf("custom dankshell content changed\ngot:\n%s\nwant:\n%s", got, customContent)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[0], "Custom /etc/pam.d/dankshell found") {
-			t.Fatalf("expected custom-file skip log, got %v", logs)
-		}
-	})
-
-	t.Run("managed dankshell file is rewritten from resolved login stack", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.writePamFile(t, "login", "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n")
-		env.writePamFile(t, "system-auth", "auth sufficient pam_unix.so try_first_pass nullok\nauth sufficient pam_u2f.so cue\naccount required pam_access.so\n")
-		env.writePamFile(t, "dankshell", "#%PAM-1.0\n"+LockscreenPamManagedBlockStart+"\nauth required pam_env.so\n"+LockscreenPamManagedBlockEnd+"\n")
-
-		var logs []string
-		err := syncLockscreenPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", env.deps(false))
-		if err != nil {
-			t.Fatalf("syncLockscreenPamConfigWithDeps returned error: %v", err)
-		}
-
-		output := readFileString(t, env.dankshellPath)
-		for _, want := range []string{
-			LockscreenPamManagedBlockStart,
-			"auth sufficient pam_unix.so try_first_pass nullok",
-			"account required pam_access.so",
-			LockscreenPamManagedBlockEnd,
-		} {
-			if !strings.Contains(output, want) {
-				t.Errorf("missing expected string %q in rewritten dankshell:\n%s", want, output)
-			}
-		}
-		if strings.Contains(output, "pam_u2f") {
-			t.Errorf("rewritten dankshell still contains pam_u2f:\n%s", output)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[len(logs)-1], "Created or updated /etc/pam.d/dankshell") {
-			t.Fatalf("expected success log, got %v", logs)
-		}
-	})
-
-	t.Run("mutable systems fail when login stack cannot be converted safely", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		err := syncLockscreenPamConfigWithDeps(func(string) {}, "", env.deps(false))
-		if err == nil {
-			t.Fatal("expected error when login PAM file is missing, got nil")
-		}
-		if !strings.Contains(err.Error(), "failed to build") {
-			t.Fatalf("error = %q, want substring %q", err.Error(), "failed to build")
-		}
-	})
-
-	t.Run("NixOS remains informational and does not write dankshell", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		var logs []string
-
-		err := syncLockscreenPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", env.deps(true))
-		if err != nil {
-			t.Fatalf("syncLockscreenPamConfigWithDeps returned error on NixOS path: %v", err)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[0], "NixOS detected") || !strings.Contains(logs[0], "/etc/pam.d/login") {
-			t.Fatalf("expected NixOS informational log mentioning /etc/pam.d/login, got %v", logs)
-		}
-		if _, err := os.Stat(env.dankshellPath); !os.IsNotExist(err) {
-			t.Fatalf("expected no dankshell file to be written on NixOS path, stat err = %v", err)
-		}
-	})
-}
-
-func TestSyncLockscreenU2FPamConfigWithDeps(t *testing.T) {
-	t.Parallel()
-
-	t.Run("enabled creates managed file", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		var logs []string
-
-		err := syncLockscreenU2FPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", true, env.deps(false))
-		if err != nil {
-			t.Fatalf("syncLockscreenU2FPamConfigWithDeps returned error: %v", err)
-		}
-
-		got := readFileString(t, env.dankshellU2fPath)
-		if got != buildManagedLockscreenU2FPamContent() {
-			t.Fatalf("unexpected managed dankshell-u2f content:\n%s", got)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[len(logs)-1], "Created or updated /etc/pam.d/dankshell-u2f") {
-			t.Fatalf("expected create log, got %v", logs)
-		}
-	})
-
-	t.Run("enabled rewrites existing managed file", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.writePamFile(t, "dankshell-u2f", "#%PAM-1.0\n"+LockscreenU2FPamManagedBlockStart+"\nauth required pam_u2f.so old\n"+LockscreenU2FPamManagedBlockEnd+"\n")
-
-		if err := syncLockscreenU2FPamConfigWithDeps(func(string) {}, "", true, env.deps(false)); err != nil {
-			t.Fatalf("syncLockscreenU2FPamConfigWithDeps returned error: %v", err)
-		}
-		if got := readFileString(t, env.dankshellU2fPath); got != buildManagedLockscreenU2FPamContent() {
-			t.Fatalf("managed dankshell-u2f was not rewritten:\n%s", got)
-		}
-	})
-
-	t.Run("disabled removes DMS-managed file", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.writePamFile(t, "dankshell-u2f", buildManagedLockscreenU2FPamContent())
-
-		var logs []string
-		err := syncLockscreenU2FPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", false, env.deps(false))
-		if err != nil {
-			t.Fatalf("syncLockscreenU2FPamConfigWithDeps returned error: %v", err)
-		}
-		if _, err := os.Stat(env.dankshellU2fPath); !os.IsNotExist(err) {
-			t.Fatalf("expected managed dankshell-u2f to be removed, stat err = %v", err)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[len(logs)-1], "Removed DMS-managed /etc/pam.d/dankshell-u2f") {
-			t.Fatalf("expected removal log, got %v", logs)
-		}
-	})
-
-	t.Run("disabled preserves custom file", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		customContent := "#%PAM-1.0\nauth required pam_u2f.so cue\n"
-		env.writePamFile(t, "dankshell-u2f", customContent)
-
-		var logs []string
-		err := syncLockscreenU2FPamConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", false, env.deps(false))
-		if err != nil {
-			t.Fatalf("syncLockscreenU2FPamConfigWithDeps returned error: %v", err)
-		}
-		if got := readFileString(t, env.dankshellU2fPath); got != customContent {
-			t.Fatalf("custom dankshell-u2f content changed\ngot:\n%s\nwant:\n%s", got, customContent)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[0], "Custom /etc/pam.d/dankshell-u2f found") {
-			t.Fatalf("expected custom-file log, got %v", logs)
-		}
-	})
-}
-
-func TestSyncGreeterPamConfigWithDeps(t *testing.T) {
-	t.Parallel()
-
-	t.Run("adds managed block for enabled auth modules", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.availableModules["pam_fprintd.so"] = true
-		env.availableModules["pam_u2f.so"] = true
-		env.writePamFile(t, "greetd", "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n")
-		env.writePamFile(t, "system-auth", "auth sufficient pam_unix.so\naccount required pam_unix.so\n")
-
-		settings := AuthSettings{GreeterEnableFprint: true, GreeterEnableU2f: true}
-		if err := syncGreeterPamConfigWithDeps(func(string) {}, "", settings, false, env.deps(false)); err != nil {
-			t.Fatalf("syncGreeterPamConfigWithDeps returned error: %v", err)
-		}
-
-		got := readFileString(t, env.greetdPath)
-		for _, want := range []string{
-			GreeterPamManagedBlockStart,
-			"auth sufficient pam_fprintd.so max-tries=1 timeout=5",
-			"auth sufficient pam_u2f.so cue nouserok timeout=10",
-			GreeterPamManagedBlockEnd,
-		} {
-			if !strings.Contains(got, want) {
-				t.Errorf("missing expected string %q in greetd PAM:\n%s", want, got)
-			}
-		}
-		if strings.Index(got, GreeterPamManagedBlockStart) > strings.Index(got, "auth include system-auth") {
-			t.Fatalf("managed block was not inserted before first auth line:\n%s", got)
-		}
-	})
-
-	t.Run("avoids duplicate fingerprint when included stack already provides it", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.availableModules["pam_fprintd.so"] = true
-		env.fingerprintAvailable = true
-		original := "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n"
-		env.writePamFile(t, "greetd", original)
-		env.writePamFile(t, "system-auth", "auth sufficient pam_fprintd.so max-tries=1\nauth sufficient pam_unix.so\n")
-
-		settings := AuthSettings{GreeterEnableFprint: true}
-		if err := syncGreeterPamConfigWithDeps(func(string) {}, "", settings, false, env.deps(false)); err != nil {
-			t.Fatalf("syncGreeterPamConfigWithDeps returned error: %v", err)
-		}
-
-		got := readFileString(t, env.greetdPath)
-		if got != original {
-			t.Fatalf("greetd PAM changed despite included pam_fprintd stack\ngot:\n%s\nwant:\n%s", got, original)
-		}
-		if strings.Contains(got, GreeterPamManagedBlockStart) {
-			t.Fatalf("managed block should not be inserted when included stack already has pam_fprintd:\n%s", got)
-		}
-	})
-}
-
-func TestRemoveManagedGreeterPamBlockWithDeps(t *testing.T) {
-	t.Parallel()
-
-	env := newPamTestEnv(t)
-	env.writePamFile(t, "greetd", "#%PAM-1.0\n"+
-		legacyGreeterPamFprintComment+"\n"+
-		"auth sufficient pam_fprintd.so max-tries=1\n"+
-		GreeterPamManagedBlockStart+"\n"+
-		"auth sufficient pam_u2f.so cue nouserok timeout=10\n"+
-		GreeterPamManagedBlockEnd+"\n"+
-		"auth include system-auth\n")
-
-	if err := removeManagedGreeterPamBlockWithDeps(func(string) {}, "", env.deps(false)); err != nil {
-		t.Fatalf("removeManagedGreeterPamBlockWithDeps returned error: %v", err)
-	}
-
-	got := readFileString(t, env.greetdPath)
-	if strings.Contains(got, GreeterPamManagedBlockStart) || strings.Contains(got, legacyGreeterPamFprintComment) {
-		t.Fatalf("managed or legacy DMS auth lines remained in greetd PAM:\n%s", got)
-	}
-	if !strings.Contains(got, "auth include system-auth") {
-		t.Fatalf("expected non-DMS greetd auth lines to remain:\n%s", got)
-	}
-}
-
-func TestSyncAuthConfigWithDeps(t *testing.T) {
-	t.Parallel()
-
-	t.Run("creates lockscreen targets and skips greetd when greeter is not installed", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.writeSettings(t, `{"enableU2f":true}`)
-		env.writePamFile(t, "login", "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n")
-		env.writePamFile(t, "system-auth", "auth sufficient pam_unix.so try_first_pass nullok\naccount required pam_access.so\n")
-
-		var logs []string
-		err := syncAuthConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", SyncAuthOptions{HomeDir: env.homeDir}, env.deps(false))
-		if err != nil {
-			t.Fatalf("syncAuthConfigWithDeps returned error: %v", err)
-		}
-
-		if _, err := os.Stat(env.dankshellPath); err != nil {
-			t.Fatalf("expected dankshell to be created: %v", err)
-		}
-		if got := readFileString(t, env.dankshellU2fPath); got != buildManagedLockscreenU2FPamContent() {
-			t.Fatalf("unexpected dankshell-u2f content:\n%s", got)
-		}
-		if len(logs) == 0 || !strings.Contains(logs[len(logs)-1], "greetd not found") {
-			t.Fatalf("expected greetd skip log, got %v", logs)
-		}
-	})
-
-	t.Run("separate greeter and lockscreen toggles are respected", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.availableModules["pam_fprintd.so"] = true
-		env.writeSettings(t, `{"enableU2f":false,"greeterEnableFprint":true,"greeterEnableU2f":false}`)
-		env.writePamFile(t, "login", "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n")
-		env.writePamFile(t, "system-auth", "auth sufficient pam_unix.so try_first_pass nullok\naccount required pam_access.so\n")
-		env.writePamFile(t, "greetd", "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n")
-
-		err := syncAuthConfigWithDeps(func(string) {}, "", SyncAuthOptions{HomeDir: env.homeDir}, env.deps(false))
-		if err != nil {
-			t.Fatalf("syncAuthConfigWithDeps returned error: %v", err)
-		}
-
-		dankshell := readFileString(t, env.dankshellPath)
-		if strings.Contains(dankshell, "pam_fprintd") || strings.Contains(dankshell, "pam_u2f") {
-			t.Fatalf("lockscreen PAM should strip fingerprint and U2F modules:\n%s", dankshell)
-		}
-		if _, err := os.Stat(env.dankshellU2fPath); !os.IsNotExist(err) {
-			t.Fatalf("expected dankshell-u2f to remain absent when enableU2f is false, stat err = %v", err)
-		}
-
-		greetd := readFileString(t, env.greetdPath)
-		if !strings.Contains(greetd, "auth sufficient pam_fprintd.so max-tries=1 timeout=5") {
-			t.Fatalf("expected greetd PAM to receive fingerprint auth block:\n%s", greetd)
-		}
-		if strings.Contains(greetd, "auth sufficient pam_u2f.so cue nouserok timeout=10") {
-			t.Fatalf("did not expect greetd PAM to receive U2F auth block:\n%s", greetd)
-		}
-	})
-
-	t.Run("NixOS remains informational and non-mutating", func(t *testing.T) {
-		t.Parallel()
-
-		env := newPamTestEnv(t)
-		env.availableModules["pam_fprintd.so"] = true
-		env.availableModules["pam_u2f.so"] = true
-		env.writeSettings(t, `{"enableU2f":true,"greeterEnableFprint":true,"greeterEnableU2f":true}`)
-		originalGreetd := "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n"
-		env.writePamFile(t, "greetd", originalGreetd)
-
-		var logs []string
-		err := syncAuthConfigWithDeps(func(msg string) {
-			logs = append(logs, msg)
-		}, "", SyncAuthOptions{HomeDir: env.homeDir}, env.deps(true))
-		if err != nil {
-			t.Fatalf("syncAuthConfigWithDeps returned error: %v", err)
-		}
-
-		if _, err := os.Stat(env.dankshellPath); !os.IsNotExist(err) {
-			t.Fatalf("expected dankshell to remain absent on NixOS path, stat err = %v", err)
-		}
-		if _, err := os.Stat(env.dankshellU2fPath); !os.IsNotExist(err) {
-			t.Fatalf("expected dankshell-u2f to remain absent on NixOS path, stat err = %v", err)
-		}
-		if got := readFileString(t, env.greetdPath); got != originalGreetd {
-			t.Fatalf("expected greetd PAM to remain unchanged on NixOS path\ngot:\n%s\nwant:\n%s", got, originalGreetd)
-		}
-		if len(logs) < 2 || !strings.Contains(strings.Join(logs, "\n"), "NixOS detected") {
-			t.Fatalf("expected informational NixOS logs, got %v", logs)
-		}
-	})
-}
--- a/core/internal/screenshot/region.go
+++ b/core/internal/screenshot/region.go
@@ -113,11 +113,7 @@ func NewRegionSelector(s *Screenshoter) *RegionSelector {
 }

 func (r *RegionSelector) Run() (*CaptureResult, bool, error) {
-	if r.screenshoter != nil && r.screenshoter.config.Reset {
-		r.preSelect = Region{}
-	} else {
-		r.preSelect = GetLastRegion()
-	}
+	r.preSelect = GetLastRegion()

 	if err := r.connect(); err != nil {
 		return nil, false, fmt.Errorf("wayland connect: %w", err)
--- a/core/internal/screenshot/region_input.go
+++ b/core/internal/screenshot/region_input.go
@@ -114,9 +114,6 @@ func (r *RegionSelector) setupPointerHandlers() {
 				for _, os := range r.surfaces {
 					r.redrawSurface(os)
 				}
-				if r.screenshoter != nil && r.screenshoter.config.NoConfirm && r.selection.hasSelection {
-					r.finishSelection()
-				}
 			}
 		default:
 			r.cancelled = true
--- a/core/internal/screenshot/region_render.go
+++ b/core/internal/screenshot/region_render.go
@@ -138,13 +138,9 @@ func (r *RegionSelector) drawHUD(data []byte, stride, bufW, bufH int, format uin
 	if !r.showCapturedCursor {
 		cursorLabel = "show"
 	}
-	captureKey := "Space/Enter"
-	if r.screenshoter != nil && r.screenshoter.config.NoConfirm {
-		captureKey = "Drag+Release"
-	}

 	items := []struct{ key, desc string }{
-		{captureKey, "capture"},
+		{"Space/Enter", "capture"},
 		{"P", cursorLabel + " cursor"},
 		{"Esc", "cancel"},
 	}
--- a/core/internal/screenshot/screenshot.go
+++ b/core/internal/screenshot/screenshot.go
@@ -107,12 +107,6 @@ func (s *Screenshoter) captureLastRegion() (*CaptureResult, error) {
 }

 func (s *Screenshoter) captureRegion() (*CaptureResult, error) {
-	if s.config.Reset {
-		if err := SaveLastRegion(Region{}); err != nil {
-			log.Debug("failed to reset last region", "err", err)
-		}
-	}
-
 	selector := NewRegionSelector(s)
 	result, cancelled, err := selector.Run()
 	if err != nil {
--- a/core/internal/screenshot/types.go
+++ b/core/internal/screenshot/types.go
@@ -52,8 +52,6 @@ type Config struct {
 	Mode       Mode
 	OutputName string
 	Cursor     CursorMode
-	NoConfirm  bool
-	Reset      bool
 	Format     Format
 	Quality    int
 	OutputDir  string
@@ -68,8 +66,6 @@ func DefaultConfig() Config {
 	return Config{
 		Mode:      ModeRegion,
 		Cursor:    CursorOff,
-		NoConfirm: false,
-		Reset:     false,
 		Format:    FormatPNG,
 		Quality:   90,
 		OutputDir: "",
--- a/core/internal/server/brightness/udev.go
+++ b/core/internal/server/brightness/udev.go
@@ -6,20 +6,12 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"time"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/pilebones/go-udev/netlink"
 )

-const (
-	udevRecvBufSize = 8 * 1024 * 1024
-	udevMaxRetries  = 5
-	udevBaseDelay   = 2 * time.Second
-	udevMaxDelay    = 60 * time.Second
-)
-
 type UdevMonitor struct {
 	stop          chan struct{}
 	rescanMutex   sync.Mutex
@@ -37,6 +29,13 @@ func NewUdevMonitor(manager *Manager) *UdevMonitor {
 }

 func (m *UdevMonitor) run(manager *Manager) {
+	conn := &netlink.UEventConn{}
+	if err := conn.Connect(netlink.UdevEvent); err != nil {
+		log.Errorf("Failed to connect to udev netlink: %v", err)
+		return
+	}
+	defer conn.Close()
+
 	matcher := &netlink.RuleDefinitions{
 		Rules: []netlink.RuleDefinition{
 			{Env: map[string]string{"SUBSYSTEM": "backlight"}},
@@ -49,46 +48,6 @@ func (m *UdevMonitor) run(manager *Manager) {
 		return
 	}

-	failures := 0
-	for {
-		if err := m.monitorLoop(manager, matcher); err != nil {
-			log.Errorf("Udev monitor error: %v", err)
-		}
-
-		select {
-		case <-m.stop:
-			return
-		default:
-		}
-
-		failures++
-		if failures > udevMaxRetries {
-			log.Errorf("Udev monitor exceeded %d retries, giving up", udevMaxRetries)
-			return
-		}
-
-		delay := min(udevBaseDelay*time.Duration(1<<(failures-1)), udevMaxDelay)
-		log.Infof("Udev monitor reconnecting in %v (attempt %d/%d)", delay, failures, udevMaxRetries)
-
-		select {
-		case <-m.stop:
-			return
-		case <-time.After(delay):
-		}
-	}
-}
-
-func (m *UdevMonitor) monitorLoop(manager *Manager, matcher *netlink.RuleDefinitions) error {
-	conn := &netlink.UEventConn{}
-	if err := conn.Connect(netlink.UdevEvent); err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	if err := syscall.SetsockoptInt(conn.Fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF, udevRecvBufSize); err != nil {
-		log.Warnf("Failed to set udev socket receive buffer: %v", err)
-	}
-
 	events := make(chan netlink.UEvent)
 	errs := make(chan error)
 	conn.Monitor(events, errs, matcher)
@@ -98,9 +57,10 @@ func (m *UdevMonitor) monitorLoop(manager *Manager, matcher *netlink.RuleDefinit
 	for {
 		select {
 		case <-m.stop:
-			return nil
+			return
 		case err := <-errs:
-			return err
+			log.Errorf("Udev monitor error: %v", err)
+			return
 		case event := <-events:
 			m.handleEvent(manager, event)
 		}
--- a/core/internal/server/clipboard/manager.go
+++ b/core/internal/server/clipboard/manager.go
@@ -212,9 +212,10 @@ func (m *Manager) setupDataDeviceSync() {
 		}

 		var offer any
-		if e.Id != nil {
+		switch {
+		case e.Id != nil:
 			offer = e.Id
-		} else if e.OfferId != 0 {
+		case e.OfferId != 0:
 			m.offerMutex.RLock()
 			offer = m.offerRegistry[e.OfferId]
 			m.offerMutex.RUnlock()
@@ -224,10 +225,6 @@ func (m *Manager) setupDataDeviceSync() {
 		wasOwner := m.isOwner
 		m.ownerLock.Unlock()

-		if offer == nil {
-			return
-		}
-
 		if wasOwner {
 			return
 		}
@@ -236,9 +233,11 @@ func (m *Manager) setupDataDeviceSync() {
 		m.currentOffer = offer

 		if prevOffer != nil && prevOffer != offer {
-			m.offerMutex.Lock()
-			delete(m.offerMimeTypes, prevOffer)
-			m.offerMutex.Unlock()
+			m.releaseOffer(prevOffer)
+		}
+
+		if offer == nil {
+			return
 		}

 		m.offerMutex.RLock()
@@ -292,6 +291,33 @@ func (m *Manager) setupDataDeviceSync() {
 	log.Info("Data device setup complete")
 }

+func (m *Manager) releaseOffer(offer any) {
+	if offer == nil {
+		return
+	}
+	typedOffer, ok := offer.(*ext_data_control.ExtDataControlOfferV1)
+	if !ok {
+		return
+	}
+	m.offerMutex.Lock()
+	delete(m.offerMimeTypes, offer)
+	delete(m.offerRegistry, typedOffer.ID())
+	m.offerMutex.Unlock()
+	typedOffer.Destroy()
+}
+
+func (m *Manager) releaseCurrentSource() {
+	if m.currentSource == nil {
+		return
+	}
+	source, ok := m.currentSource.(*ext_data_control.ExtDataControlSourceV1)
+	m.currentSource = nil
+	if !ok {
+		return
+	}
+	source.Destroy()
+}
+
 func (m *Manager) readAndStore(r *os.File, mimeType string) {
 	defer r.Close()

@@ -395,7 +421,7 @@ func (m *Manager) deduplicateInTx(b *bolt.Bucket, hash uint64) error {
 		if extractHash(v) != hash {
 			continue
 		}
-		entry, err := decodeEntry(v)
+		entry, err := decodeEntryMeta(v)
 		if err == nil && entry.Pinned {
 			continue
 		}
@@ -413,7 +439,7 @@ func (m *Manager) trimLengthInTx(b *bolt.Bucket) error {
 	c := b.Cursor()
 	var count int
 	for k, v := c.Last(); k != nil; k, v = c.Prev() {
-		entry, err := decodeEntry(v)
+		entry, err := decodeEntryMeta(v)
 		if err == nil && entry.Pinned {
 			continue
 		}
@@ -456,6 +482,14 @@ func encodeEntry(e Entry) ([]byte, error) {
 }

 func decodeEntry(data []byte) (Entry, error) {
+	return decodeEntryFields(data, true)
+}
+
+func decodeEntryMeta(data []byte) (Entry, error) {
+	return decodeEntryFields(data, false)
+}
+
+func decodeEntryFields(data []byte, withData bool) (Entry, error) {
 	buf := bytes.NewReader(data)
 	var e Entry

@@ -463,8 +497,15 @@ func decodeEntry(data []byte) (Entry, error) {

 	var dataLen uint32
 	binary.Read(buf, binary.BigEndian, &dataLen)
-	e.Data = make([]byte, dataLen)
-	buf.Read(e.Data)
+	switch {
+	case withData:
+		e.Data = make([]byte, dataLen)
+		buf.Read(e.Data)
+	default:
+		if _, err := buf.Seek(int64(dataLen), io.SeekCurrent); err != nil {
+			return e, err
+		}
+	}

 	var mimeLen uint32
 	binary.Read(buf, binary.BigEndian, &mimeLen)
@@ -668,14 +709,9 @@ func sizeStr(size int) string {
 func (m *Manager) updateState() {
 	history := m.GetHistory()

-	for i := range history {
-		history[i].Data = nil
-	}
-
 	var current *Entry
 	if len(history) > 0 {
 		c := history[0]
-		c.Data = nil
 		current = &c
 	}

@@ -750,7 +786,7 @@ func (m *Manager) GetHistory() []Entry {
 		c := b.Cursor()

 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
@@ -935,7 +971,7 @@ func (m *Manager) ClearHistory() {
 		var toDelete [][]byte
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil || !entry.Pinned {
 				toDelete = append(toDelete, k)
 			}
@@ -958,7 +994,7 @@ func (m *Manager) ClearHistory() {
 		if b != nil {
 			c := b.Cursor()
 			for k, v := c.First(); k != nil; k, v = c.Next() {
-				entry, _ := decodeEntry(v)
+				entry, _ := decodeEntryMeta(v)
 				if entry.Pinned {
 					pinnedCount++
 				}
@@ -1066,6 +1102,7 @@ func (m *Manager) SetClipboard(data []byte, mimeType string) error {
 			m.ownerLock.Unlock()
 		})

+		m.releaseCurrentSource()
 		m.currentSource = source
 		m.sourceMutex.Lock()
 		m.sourceMimeTypes = []string{mimeType}
@@ -1145,9 +1182,11 @@ func (m *Manager) Close() {
 	m.subscribers = make(map[string]chan State)
 	m.subMutex.Unlock()

-	if m.currentSource != nil {
-		source := m.currentSource.(*ext_data_control.ExtDataControlSourceV1)
-		source.Destroy()
+	m.releaseCurrentSource()
+
+	if m.currentOffer != nil {
+		m.releaseOffer(m.currentOffer)
+		m.currentOffer = nil
 	}

 	if m.dataDevice != nil {
@@ -1191,11 +1230,10 @@ func (m *Manager) clearOldEntries(days int) error {
 		var toDelete [][]byte
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
-			// Skip pinned entries
 			if entry.Pinned {
 				continue
 			}
@@ -1310,7 +1348,7 @@ func (m *Manager) Search(params SearchParams) SearchResult {

 		c := b.Cursor()
 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
@@ -1335,7 +1373,6 @@ func (m *Manager) Search(params SearchParams) SearchResult {
 				continue
 			}

-			entry.Data = nil
 			all = append(all, entry)
 		}
 		return nil
@@ -1510,7 +1547,7 @@ func (m *Manager) PinEntry(id uint64) error {
 		}
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil || !entry.Pinned {
 				continue
 			}
@@ -1528,7 +1565,6 @@ func (m *Manager) PinEntry(id uint64) error {
 		return nil
 	}

-	// Check pinned count
 	cfg := m.getConfig()
 	pinnedCount := 0
 	if err := m.db.View(func(tx *bolt.Tx) error {
@@ -1538,7 +1574,7 @@ func (m *Manager) PinEntry(id uint64) error {
 		}
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err == nil && entry.Pinned {
 				pinnedCount++
 			}
@@ -1629,12 +1665,11 @@ func (m *Manager) GetPinnedEntries() []Entry {

 		c := b.Cursor()
 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
 			if entry.Pinned {
-				entry.Data = nil
 				pinned = append(pinned, entry)
 			}
 		}
@@ -1660,7 +1695,7 @@ func (m *Manager) GetPinnedCount() int {

 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err == nil && entry.Pinned {
 				count++
 			}
@@ -1779,6 +1814,7 @@ func (m *Manager) CopyFile(filePath string) error {
 			m.ownerLock.Unlock()
 		})

+		m.releaseCurrentSource()
 		m.currentSource = source

 		m.ownerLock.Lock()
--- a/core/internal/server/cups/actions.go
+++ b/core/internal/server/cups/actions.go
@@ -2,10 +2,8 @@ package cups

 import (
 	"errors"
-	"fmt"
 	"net"
 	"net/url"
-	"os/exec"
 	"strings"
 	"time"

@@ -277,42 +275,13 @@ func (m *Manager) GetClasses() ([]PrinterClass, error) {
 	return classes, nil
 }

-func createPrinterViaLpadmin(name, deviceURI, ppd, information, location string) error {
-	args := []string{"-p", name, "-E", "-v", deviceURI, "-m", ppd}
-	if information != "" {
-		args = append(args, "-D", information)
-	}
-	if location != "" {
-		args = append(args, "-L", location)
-	}
-	out, err := exec.Command("lpadmin", args...).CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("lpadmin failed: %s: %w", strings.TrimSpace(string(out)), err)
-	}
-	return nil
-}
-
-func deletePrinterViaLpadmin(name string) error {
-	out, err := exec.Command("lpadmin", "-x", name).CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("lpadmin failed: %s: %w", strings.TrimSpace(string(out)), err)
-	}
-	return nil
-}
-
 func (m *Manager) CreatePrinter(name, deviceURI, ppd string, shared bool, errorPolicy, information, location string) error {
 	usedPkHelper := false

 	err := m.client.CreatePrinter(name, deviceURI, ppd, shared, errorPolicy, information, location)
 	if isAuthError(err) && m.pkHelper != nil {
 		if err = m.pkHelper.PrinterAdd(name, deviceURI, ppd, information, location); err != nil {
-			// pkHelper failed (e.g., no polkit agent), try lpadmin as last resort.
-			// lpadmin -E enables the printer, so no further setup needed.
-			if lpadminErr := createPrinterViaLpadmin(name, deviceURI, ppd, information, location); lpadminErr != nil {
-				return err
-			}
-			m.RefreshState()
-			return nil
+			return err
 		}
 		usedPkHelper = true
 	} else if err != nil {
@@ -339,12 +308,6 @@ func (m *Manager) DeletePrinter(printerName string) error {
 	err := m.client.DeletePrinter(printerName)
 	if isAuthError(err) && m.pkHelper != nil {
 		err = m.pkHelper.PrinterDelete(printerName)
-		if err != nil {
-			// pkHelper failed, try lpadmin as last resort
-			if lpadminErr := deletePrinterViaLpadmin(printerName); lpadminErr == nil {
-				err = nil
-			}
-		}
 	}
 	if err == nil {
 		m.RefreshState()
--- a/core/internal/server/cups/handlers.go
+++ b/core/internal/server/cups/handlers.go
@@ -70,8 +70,6 @@ func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
 		handleRestartJob(conn, req, manager)
 	case "cups.holdJob":
 		handleHoldJob(conn, req, manager)
-	case "cups.testConnection":
-		handleTestConnection(conn, req, manager)
 	default:
 		models.RespondError(conn, req.ID, fmt.Sprintf("unknown method: %s", req.Method))
 	}
@@ -466,22 +464,3 @@ func handleHoldJob(conn net.Conn, req models.Request, manager *Manager) {
 	}
 	models.Respond(conn, req.ID, models.SuccessResult{Success: true, Message: "job held"})
 }
-
-func handleTestConnection(conn net.Conn, req models.Request, manager *Manager) {
-	host, err := params.StringNonEmpty(req.Params, "host")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	port := params.IntOpt(req.Params, "port", 631)
-	protocol := params.StringOpt(req.Params, "protocol", "ipp")
-
-	result, err := manager.TestRemotePrinter(host, port, protocol)
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, result)
-}
--- a/core/internal/server/cups/test_connection.go
+++ b/core/internal/server/cups/test_connection.go
@@ -1,176 +0,0 @@
-package cups
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/ipp"
-)
-
-var validProtocols = map[string]bool{
-	"ipp":    true,
-	"ipps":   true,
-	"lpd":    true,
-	"socket": true,
-}
-
-func validateTestConnectionParams(host string, port int, protocol string) error {
-	if host == "" {
-		return errors.New("host is required")
-	}
-	if strings.ContainsAny(host, " \t\n\r/\\") {
-		return errors.New("host contains invalid characters")
-	}
-	if port < 1 || port > 65535 {
-		return errors.New("port must be between 1 and 65535")
-	}
-	if protocol != "" && !validProtocols[protocol] {
-		return errors.New("protocol must be one of: ipp, ipps, lpd, socket")
-	}
-	return nil
-}
-
-const probeTimeout = 10 * time.Second
-
-func probeRemotePrinter(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-	addr := net.JoinHostPort(host, fmt.Sprintf("%d", port))
-
-	// Fast fail: TCP reachability check
-	conn, err := net.DialTimeout("tcp", addr, probeTimeout)
-	if err != nil {
-		return &RemotePrinterInfo{
-			Reachable: false,
-			Error:     fmt.Sprintf("cannot reach %s: %s", addr, err.Error()),
-		}, nil
-	}
-	conn.Close()
-
-	// Create a temporary IPP client pointing at the remote host.
-	// The TCP dial above provides fast-fail for unreachable hosts.
-	// The IPP adapter's ResponseHeaderTimeout (90s) bounds stalling servers.
-	client := ipp.NewIPPClient(host, port, "", "", useTLS)
-
-	// Try /ipp/print first (modern driverless printers), then / (legacy)
-	info, err := probeIPPEndpoint(client, host, port, useTLS, "/ipp/print")
-	if err != nil {
-		// If we got an auth error, the printer exists but requires credentials.
-		// Report it as reachable with the URI that triggered the auth challenge.
-		if isAuthError(err) {
-			proto := "ipp"
-			if useTLS {
-				proto = "ipps"
-			}
-			return &RemotePrinterInfo{
-				Reachable: true,
-				URI:       fmt.Sprintf("%s://%s:%d/ipp/print", proto, host, port),
-				Info:      "authentication required",
-			}, nil
-		}
-		info, err = probeIPPEndpoint(client, host, port, useTLS, "/")
-	}
-	if err != nil {
-		if isAuthError(err) {
-			proto := "ipp"
-			if useTLS {
-				proto = "ipps"
-			}
-			return &RemotePrinterInfo{
-				Reachable: true,
-				URI:       fmt.Sprintf("%s://%s:%d/", proto, host, port),
-				Info:      "authentication required",
-			}, nil
-		}
-		// TCP reachable but not an IPP printer
-		return &RemotePrinterInfo{
-			Reachable: true,
-			Error:     fmt.Sprintf("host is reachable but does not appear to be an IPP printer: %s", err.Error()),
-		}, nil
-	}
-
-	return info, nil
-}
-
-func probeIPPEndpoint(client *ipp.IPPClient, host string, port int, useTLS bool, resourcePath string) (*RemotePrinterInfo, error) {
-	proto := "ipp"
-	if useTLS {
-		proto = "ipps"
-	}
-	printerURI := fmt.Sprintf("%s://%s:%d%s", proto, host, port, resourcePath)
-
-	httpProto := "http"
-	if useTLS {
-		httpProto = "https"
-	}
-	httpURL := fmt.Sprintf("%s://%s:%d%s", httpProto, host, port, resourcePath)
-
-	req := ipp.NewRequest(ipp.OperationGetPrinterAttributes, 1)
-	req.OperationAttributes[ipp.AttributePrinterURI] = printerURI
-	req.OperationAttributes[ipp.AttributeRequestedAttributes] = []string{
-		ipp.AttributePrinterName,
-		ipp.AttributePrinterMakeAndModel,
-		ipp.AttributePrinterState,
-		ipp.AttributePrinterInfo,
-		ipp.AttributePrinterUriSupported,
-	}
-
-	resp, err := client.SendRequest(httpURL, req, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(resp.PrinterAttributes) == 0 {
-		return nil, errors.New("no printer attributes returned")
-	}
-
-	attrs := resp.PrinterAttributes[0]
-
-	return &RemotePrinterInfo{
-		Reachable: true,
-		MakeModel: getStringAttr(attrs, ipp.AttributePrinterMakeAndModel),
-		Name:      getStringAttr(attrs, ipp.AttributePrinterName),
-		Info:      getStringAttr(attrs, ipp.AttributePrinterInfo),
-		State:     parsePrinterState(attrs),
-		URI:       printerURI,
-	}, nil
-}
-
-// TestRemotePrinter validates inputs and probes a remote printer via IPP.
-// For lpd/socket protocols, only TCP reachability is tested.
-func (m *Manager) TestRemotePrinter(host string, port int, protocol string) (*RemotePrinterInfo, error) {
-	if protocol == "" {
-		protocol = "ipp"
-	}
-
-	if err := validateTestConnectionParams(host, port, protocol); err != nil {
-		return nil, err
-	}
-
-	// For non-IPP protocols, only check TCP reachability
-	if protocol == "lpd" || protocol == "socket" {
-		addr := net.JoinHostPort(host, fmt.Sprintf("%d", port))
-		conn, err := net.DialTimeout("tcp", addr, probeTimeout)
-		if err != nil {
-			return &RemotePrinterInfo{
-				Reachable: false,
-				Error:     fmt.Sprintf("cannot reach %s: %s", addr, err.Error()),
-			}, nil
-		}
-		conn.Close()
-		return &RemotePrinterInfo{
-			Reachable: true,
-			URI:       fmt.Sprintf("%s://%s:%d", protocol, host, port),
-		}, nil
-	}
-
-	useTLS := protocol == "ipps"
-
-	probeFn := m.probeRemoteFn
-	if probeFn == nil {
-		probeFn = probeRemotePrinter
-	}
-
-	return probeFn(host, port, useTLS)
-}
--- a/core/internal/server/cups/test_connection_test.go
+++ b/core/internal/server/cups/test_connection_test.go
@@ -1,397 +0,0 @@
-package cups
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"testing"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/ipp"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValidateTestConnectionParams(t *testing.T) {
-	tests := []struct {
-		name     string
-		host     string
-		port     int
-		protocol string
-		wantErr  string
-	}{
-		{
-			name:     "valid ipp",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "",
-		},
-		{
-			name:     "valid ipps",
-			host:     "printer.local",
-			port:     443,
-			protocol: "ipps",
-			wantErr:  "",
-		},
-		{
-			name:     "valid lpd",
-			host:     "10.0.0.1",
-			port:     515,
-			protocol: "lpd",
-			wantErr:  "",
-		},
-		{
-			name:     "valid socket",
-			host:     "10.0.0.1",
-			port:     9100,
-			protocol: "socket",
-			wantErr:  "",
-		},
-		{
-			name:     "empty host",
-			host:     "",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host is required",
-		},
-		{
-			name:     "port too low",
-			host:     "192.168.0.5",
-			port:     0,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "port too high",
-			host:     "192.168.0.5",
-			port:     70000,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "invalid protocol",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ftp",
-			wantErr:  "protocol must be one of: ipp, ipps, lpd, socket",
-		},
-		{
-			name:     "empty protocol treated as ipp",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "",
-			wantErr:  "",
-		},
-		{
-			name:     "host with slash",
-			host:     "192.168.0.5/admin",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-		{
-			name:     "host with space",
-			host:     "192.168.0.5 ",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-		{
-			name:     "host with newline",
-			host:     "192.168.0.5\n",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateTestConnectionParams(tt.host, tt.port, tt.protocol)
-			if tt.wantErr == "" {
-				assert.NoError(t, err)
-			} else {
-				assert.EqualError(t, err, tt.wantErr)
-			}
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_Validation(t *testing.T) {
-	m := NewTestManager(nil, nil)
-
-	tests := []struct {
-		name     string
-		host     string
-		port     int
-		protocol string
-		wantErr  string
-	}{
-		{
-			name:     "empty host returns error",
-			host:     "",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host is required",
-		},
-		{
-			name:     "invalid port returns error",
-			host:     "192.168.0.5",
-			port:     0,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "invalid protocol returns error",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ftp",
-			wantErr:  "protocol must be one of: ipp, ipps, lpd, socket",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			_, err := m.TestRemotePrinter(tt.host, tt.port, tt.protocol)
-			assert.EqualError(t, err, tt.wantErr)
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_IPP(t *testing.T) {
-	tests := []struct {
-		name      string
-		protocol  string
-		probeRet  *RemotePrinterInfo
-		probeErr  error
-		wantTLS   bool
-		wantReach bool
-		wantModel string
-	}{
-		{
-			name:     "successful ipp probe",
-			protocol: "ipp",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "HP OfficeJet 8010",
-				Name:      "OfficeJet",
-				State:     "idle",
-				URI:       "ipp://192.168.0.5:631/ipp/print",
-			},
-			wantTLS:   false,
-			wantReach: true,
-			wantModel: "HP OfficeJet 8010",
-		},
-		{
-			name:     "successful ipps probe",
-			protocol: "ipps",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "HP OfficeJet 8010",
-				URI:       "ipps://192.168.0.5:631/ipp/print",
-			},
-			wantTLS:   true,
-			wantReach: true,
-			wantModel: "HP OfficeJet 8010",
-		},
-		{
-			name:     "unreachable host",
-			protocol: "ipp",
-			probeRet: &RemotePrinterInfo{
-				Reachable: false,
-				Error:     "cannot reach 192.168.0.5:631: connection refused",
-			},
-			wantReach: false,
-		},
-		{
-			name:     "empty protocol defaults to ipp",
-			protocol: "",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "Test Printer",
-			},
-			wantTLS:   false,
-			wantReach: true,
-			wantModel: "Test Printer",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var capturedTLS bool
-			m := NewTestManager(nil, nil)
-			m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-				capturedTLS = useTLS
-				return tt.probeRet, tt.probeErr
-			}
-
-			result, err := m.TestRemotePrinter("192.168.0.5", 631, tt.protocol)
-			if tt.probeErr != nil {
-				assert.Error(t, err)
-				return
-			}
-			assert.NoError(t, err)
-			assert.Equal(t, tt.wantReach, result.Reachable)
-			assert.Equal(t, tt.wantModel, result.MakeModel)
-			assert.Equal(t, tt.wantTLS, capturedTLS)
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_AuthRequired(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		// Simulate what happens when the printer returns HTTP 401
-		return probeRemotePrinterWithAuthError(host, port, useTLS)
-	}
-
-	result, err := m.TestRemotePrinter("192.168.0.107", 631, "ipp")
-	assert.NoError(t, err)
-	assert.True(t, result.Reachable)
-	assert.Equal(t, "authentication required", result.Info)
-	assert.Contains(t, result.URI, "ipp://192.168.0.107:631")
-}
-
-// probeRemotePrinterWithAuthError simulates a probe where the printer
-// returns HTTP 401 on both endpoints.
-func probeRemotePrinterWithAuthError(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-	// This simulates what probeRemotePrinter does when both endpoints
-	// return auth errors. We test the auth detection logic directly.
-	err := ipp.HTTPError{Code: 401}
-	if isAuthError(err) {
-		proto := "ipp"
-		if useTLS {
-			proto = "ipps"
-		}
-		return &RemotePrinterInfo{
-			Reachable: true,
-			URI:       fmt.Sprintf("%s://%s:%d/ipp/print", proto, host, port),
-			Info:      "authentication required",
-		}, nil
-	}
-	return nil, err
-}
-
-func TestManager_TestRemotePrinter_NonIPPProtocol(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	probeCalled := false
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		probeCalled = true
-		return nil, nil
-	}
-
-	// These will fail at TCP dial (no real server), but the important
-	// thing is that probeRemoteFn is NOT called for lpd/socket.
-	m.TestRemotePrinter("192.168.0.5", 9100, "socket")
-	assert.False(t, probeCalled, "probe function should not be called for socket protocol")
-
-	m.TestRemotePrinter("192.168.0.5", 515, "lpd")
-	assert.False(t, probeCalled, "probe function should not be called for lpd protocol")
-}
-
-func TestHandleTestConnection_Success(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		return &RemotePrinterInfo{
-			Reachable: true,
-			MakeModel: "HP OfficeJet 8010",
-			Name:      "OfficeJet",
-			State:     "idle",
-			URI:       "ipp://192.168.0.5:631/ipp/print",
-		}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{
-			"host": "192.168.0.5",
-		},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-	assert.Equal(t, "HP OfficeJet 8010", resp.Result.MakeModel)
-}
-
-func TestHandleTestConnection_MissingHost(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[any]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.Nil(t, resp.Result)
-	assert.NotNil(t, resp.Error)
-}
-
-func TestHandleTestConnection_CustomPortAndProtocol(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		assert.Equal(t, 9631, port)
-		assert.True(t, useTLS)
-		return &RemotePrinterInfo{Reachable: true, URI: "ipps://192.168.0.5:9631/ipp/print"}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{
-			"host":     "192.168.0.5",
-			"port":     float64(9631),
-			"protocol": "ipps",
-		},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-}
-
-func TestHandleRequest_TestConnection(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		return &RemotePrinterInfo{Reachable: true}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{"host": "192.168.0.5"},
-	}
-
-	HandleRequest(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-}
--- a/core/internal/server/cups/types.go
+++ b/core/internal/server/cups/types.go
@@ -55,16 +55,6 @@ type PPD struct {
 	Type            string `json:"type"`
 }

-type RemotePrinterInfo struct {
-	Reachable bool   `json:"reachable"`
-	MakeModel string `json:"makeModel"`
-	Name      string `json:"name"`
-	Info      string `json:"info"`
-	State     string `json:"state"`
-	URI       string `json:"uri"`
-	Error     string `json:"error,omitempty"`
-}
-
 type PrinterClass struct {
 	Name     string   `json:"name"`
 	URI      string   `json:"uri"`
@@ -87,7 +77,6 @@ type Manager struct {
 	notifierWg        sync.WaitGroup
 	lastNotifiedState *CUPSState
 	baseURL           string
-	probeRemoteFn     func(host string, port int, useTLS bool) (*RemotePrinterInfo, error)
 }

 type SubscriptionManagerInterface interface {
--- a/core/internal/server/evdev/manager.go
+++ b/core/internal/server/evdev/manager.go
@@ -391,7 +391,7 @@ func (m *Manager) Close() {

 func InitializeManager() (*Manager, error) {
 	if os.Getuid() != 0 && !hasInputGroupAccess() {
-		return nil, fmt.Errorf("insufficient permissions to access input devices")
+		return nil, fmt.Errorf("insufficient permissions to access input devices. Add your user to the 'input' group: `sudo usermod -a -G input $USER` or run `dms setup`")
 	}

 	return NewManager()
--- a/core/internal/server/freedesktop/screensaver.go
+++ b/core/internal/server/freedesktop/screensaver.go
@@ -104,7 +104,7 @@ func (m *Manager) claimScreensaverName(handler *screensaverHandler, name, iface
 		return false
 	}
 	if reply != dbus.RequestNameReplyPrimaryOwner {
-		log.Warnf("Screensaver name %s already owned by another process", name)
+		log.Infof("Screensaver name %s already owned by another process (e.g. hypridle/swayidle)", name)
 		return false
 	}
 	if err := m.exportScreensaverOnPaths(handler, iface, paths...); err != nil {
--- a/core/internal/server/location/handlers.go
+++ b/core/internal/server/location/handlers.go
@@ -1,61 +0,0 @@
-package location
-
-import (
-	"encoding/json"
-	"fmt"
-	"net"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
-)
-
-type LocationEvent struct {
-	Type string `json:"type"`
-	Data State  `json:"data"`
-}
-
-func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
-	switch req.Method {
-	case "location.getState":
-		handleGetState(conn, req, manager)
-	case "location.subscribe":
-		handleSubscribe(conn, req, manager)
-
-	default:
-		models.RespondError(conn, req.ID, fmt.Sprintf("unknown method: %s", req.Method))
-	}
-}
-
-func handleGetState(conn net.Conn, req models.Request, manager *Manager) {
-	models.Respond(conn, req.ID, manager.GetState())
-}
-
-func handleSubscribe(conn net.Conn, req models.Request, manager *Manager) {
-	clientID := fmt.Sprintf("client-%p", conn)
-	stateChan := manager.Subscribe(clientID)
-	defer manager.Unsubscribe(clientID)
-
-	initialState := manager.GetState()
-	event := LocationEvent{
-		Type: "state_changed",
-		Data: initialState,
-	}
-
-	if err := json.NewEncoder(conn).Encode(models.Response[LocationEvent]{
-		ID:     req.ID,
-		Result: &event,
-	}); err != nil {
-		return
-	}
-
-	for state := range stateChan {
-		event := LocationEvent{
-			Type: "state_changed",
-			Data: state,
-		}
-		if err := json.NewEncoder(conn).Encode(models.Response[LocationEvent]{
-			Result: &event,
-		}); err != nil {
-			return
-		}
-	}
-}
--- a/core/internal/server/location/manager.go
+++ b/core/internal/server/location/manager.go
@@ -1,175 +0,0 @@
-package location
-
-import (
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-)
-
-func NewManager(client geolocation.Client) (*Manager, error) {
-	currLocation, err := client.GetLocation()
-	if err != nil {
-		log.Warnf("Failed to get initial location: %v", err)
-	}
-
-	m := &Manager{
-		client:   client,
-		dirty:    make(chan struct{}),
-		stopChan: make(chan struct{}),
-
-		state: &State{
-			Latitude:  currLocation.Latitude,
-			Longitude: currLocation.Longitude,
-		},
-	}
-
-	if err := m.startSignalPump(); err != nil {
-		return nil, err
-	}
-
-	m.notifierWg.Add(1)
-	go m.notifier()
-
-	return m, nil
-}
-
-func (m *Manager) Close() {
-	close(m.stopChan)
-	m.notifierWg.Wait()
-
-	m.sigWG.Wait()
-
-	m.subscribers.Range(func(key string, ch chan State) bool {
-		close(ch)
-		m.subscribers.Delete(key)
-		return true
-	})
-}
-
-func (m *Manager) Subscribe(id string) chan State {
-	ch := make(chan State, 64)
-	m.subscribers.Store(id, ch)
-	return ch
-}
-
-func (m *Manager) Unsubscribe(id string) {
-	if ch, ok := m.subscribers.LoadAndDelete(id); ok {
-		close(ch)
-	}
-}
-
-func (m *Manager) startSignalPump() error {
-	m.sigWG.Add(1)
-	go func() {
-		defer m.sigWG.Done()
-
-		subscription := m.client.Subscribe("locationManager")
-		defer m.client.Unsubscribe("locationManager")
-
-		for {
-			select {
-			case <-m.stopChan:
-				return
-			case location, ok := <-subscription:
-				if !ok {
-					return
-				}
-
-				m.handleLocationChange(location)
-			}
-		}
-	}()
-
-	return nil
-}
-
-func (m *Manager) handleLocationChange(location geolocation.Location) {
-	m.stateMutex.Lock()
-	defer m.stateMutex.Unlock()
-
-	m.state.Latitude = location.Latitude
-	m.state.Longitude = location.Longitude
-
-	m.notifySubscribers()
-}
-
-func (m *Manager) notifySubscribers() {
-	select {
-	case m.dirty <- struct{}{}:
-	default:
-	}
-}
-
-func (m *Manager) GetState() State {
-	m.stateMutex.RLock()
-	defer m.stateMutex.RUnlock()
-	if m.state == nil {
-		return State{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		}
-	}
-	stateCopy := *m.state
-	return stateCopy
-}
-
-func (m *Manager) notifier() {
-	defer m.notifierWg.Done()
-	const minGap = 200 * time.Millisecond
-	timer := time.NewTimer(minGap)
-	timer.Stop()
-	var pending bool
-
-	for {
-		select {
-		case <-m.stopChan:
-			timer.Stop()
-			return
-		case <-m.dirty:
-			if pending {
-				continue
-			}
-			pending = true
-			timer.Reset(minGap)
-		case <-timer.C:
-			if !pending {
-				continue
-			}
-
-			currentState := m.GetState()
-
-			if m.lastNotified != nil && !stateChanged(m.lastNotified, &currentState) {
-				pending = false
-				continue
-			}
-
-			m.subscribers.Range(func(key string, ch chan State) bool {
-				select {
-				case ch <- currentState:
-				default:
-					log.Warn("Location: subscriber channel full, dropping update")
-				}
-				return true
-			})
-
-			stateCopy := currentState
-			m.lastNotified = &stateCopy
-			pending = false
-		}
-	}
-}
-
-func stateChanged(old, new *State) bool {
-	if old == nil || new == nil {
-		return true
-	}
-	if old.Latitude != new.Latitude {
-		return true
-	}
-	if old.Longitude != new.Longitude {
-		return true
-	}
-
-	return false
-}
--- a/core/internal/server/location/types.go
+++ b/core/internal/server/location/types.go
@@ -1,28 +0,0 @@
-package location
-
-import (
-	"sync"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
-)
-
-type State struct {
-	Latitude  float64 `json:"latitude"`
-	Longitude float64 `json:"longitude"`
-}
-
-type Manager struct {
-	state      *State
-	stateMutex sync.RWMutex
-
-	client geolocation.Client
-
-	stopChan chan struct{}
-	sigWG    sync.WaitGroup
-
-	subscribers  syncmap.Map[string, chan State]
-	dirty        chan struct{}
-	notifierWg   sync.WaitGroup
-	lastNotified *State
-}
--- a/core/internal/server/loginctl/types.go
+++ b/core/internal/server/loginctl/types.go
@@ -35,7 +35,12 @@ type SessionState struct {
 type EventType string

 const (
-	EventStateChanged EventType = "state_changed"
+	EventStateChanged      EventType = "state_changed"
+	EventLock              EventType = "lock"
+	EventUnlock            EventType = "unlock"
+	EventPrepareForSleep   EventType = "prepare_for_sleep"
+	EventIdleHintChanged   EventType = "idle_hint_changed"
+	EventLockedHintChanged EventType = "locked_hint_changed"
 )

 type SessionEvent struct {
--- a/core/internal/server/loginctl/types_test.go
+++ b/core/internal/server/loginctl/types_test.go
@@ -8,6 +8,11 @@ import (

 func TestEventType_Constants(t *testing.T) {
 	assert.Equal(t, EventType("state_changed"), EventStateChanged)
+	assert.Equal(t, EventType("lock"), EventLock)
+	assert.Equal(t, EventType("unlock"), EventUnlock)
+	assert.Equal(t, EventType("prepare_for_sleep"), EventPrepareForSleep)
+	assert.Equal(t, EventType("idle_hint_changed"), EventIdleHintChanged)
+	assert.Equal(t, EventType("locked_hint_changed"), EventLockedHintChanged)
 }

 func TestSessionState_Struct(t *testing.T) {
@@ -35,11 +40,11 @@ func TestSessionEvent_Struct(t *testing.T) {
 	}

 	event := SessionEvent{
-		Type: EventStateChanged,
+		Type: EventLock,
 		Data: state,
 	}

-	assert.Equal(t, EventStateChanged, event.Type)
+	assert.Equal(t, EventLock, event.Type)
 	assert.Equal(t, "1", event.Data.SessionID)
 	assert.True(t, event.Data.Locked)
 }
--- a/core/internal/server/matugen_handler.go
+++ b/core/internal/server/matugen_handler.go
@@ -29,7 +29,6 @@ func handleMatugenQueue(conn net.Conn, req models.Request) {
 		SyncModeWithPortal:  models.GetOr(req, "syncModeWithPortal", false),
 		TerminalsAlwaysDark: models.GetOr(req, "terminalsAlwaysDark", false),
 		SkipTemplates:       models.GetOr(req, "skipTemplates", ""),
-		Contrast:            models.GetOr(req, "contrast", 0.0),
 	}

 	wait := models.GetOr(req, "wait", true)
--- a/core/internal/server/network/backend.go
+++ b/core/internal/server/network/backend.go
@@ -10,7 +10,6 @@ type Backend interface {
 	ScanWiFi() error
 	ScanWiFiDevice(device string) error
 	GetWiFiNetworkDetails(ssid string) (*NetworkInfoResponse, error)
-	GetWiFiQRCodeContent(ssid string) (string, error)
 	GetWiFiDevices() []WiFiDevice

 	ConnectWiFi(req ConnectionRequest) error
--- a/core/internal/server/network/backend_hybrid_iwd_networkd.go
+++ b/core/internal/server/network/backend_hybrid_iwd_networkd.go
@@ -111,10 +111,6 @@ func (b *HybridIwdNetworkdBackend) GetWiFiNetworkDetails(ssid string) (*NetworkI
 	return b.wifi.GetWiFiNetworkDetails(ssid)
 }

-func (b *HybridIwdNetworkdBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	return b.wifi.GetWiFiQRCodeContent(ssid)
-}
-
 func (b *HybridIwdNetworkdBackend) ConnectWiFi(req ConnectionRequest) error {
 	if err := b.wifi.ConnectWiFi(req); err != nil {
 		return err
--- a/core/internal/server/network/backend_iwd_unimplemented.go
+++ b/core/internal/server/network/backend_iwd_unimplemented.go
@@ -1,9 +1,6 @@
 package network

-import (
-	"fmt"
-	"os"
-)
+import "fmt"

 func (b *IWDBackend) GetWiredConnections() ([]WiredConnection, error) {
 	return nil, fmt.Errorf("wired connections not supported by iwd")
@@ -115,19 +112,3 @@ func (b *IWDBackend) getWiFiDevicesLocked() []WiFiDevice {
 		Networks:  b.state.WiFiNetworks,
 	}}
 }
-
-func (b *IWDBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	path := iwdConfigPath(ssid)
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return "", fmt.Errorf("no saved iwd config for `%s`: %w", ssid, err)
-	}
-
-	passphrase, err := parseIWDPassphrase(string(data))
-	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase for `%s`: %w", ssid, err)
-	}
-
-	return FormatWiFiQRString("WPA", ssid, passphrase), nil
-}
--- a/core/internal/server/network/backend_networkd_unimplemented.go
+++ b/core/internal/server/network/backend_networkd_unimplemented.go
@@ -18,10 +18,6 @@ func (b *SystemdNetworkdBackend) GetWiFiNetworkDetails(ssid string) (*NetworkInf
 	return nil, fmt.Errorf("WiFi details not supported by networkd backend")
 }

-func (b *SystemdNetworkdBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	return "", fmt.Errorf("WiFi QR Code not supported by networkd backend")
-}
-
 func (b *SystemdNetworkdBackend) ConnectWiFi(req ConnectionRequest) error {
 	return fmt.Errorf("WiFi connect not supported by networkd backend")
 }
--- a/core/internal/server/network/backend_networkmanager_wifi.go
+++ b/core/internal/server/network/backend_networkmanager_wifi.go
@@ -204,65 +204,6 @@ func (b *NetworkManagerBackend) GetWiFiNetworkDetails(ssid string) (*NetworkInfo
 	}, nil
 }

-func (b *NetworkManagerBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	conn, err := b.findConnection(ssid)
-	if err != nil {
-		return "", fmt.Errorf("no saved connection for `%s`: %w", ssid, err)
-	}
-
-	connSettings, err := conn.GetSettings()
-	if err != nil {
-		return "", fmt.Errorf("failed to get settings for `%s`: %w", ssid, err)
-	}
-
-	secSettings, ok := connSettings["802-11-wireless-security"]
-	if !ok {
-		return "", fmt.Errorf("network `%s` has no security settings", ssid)
-	}
-
-	keyMgmt, ok := secSettings["key-mgmt"].(string)
-	if !ok {
-		return "", fmt.Errorf("failed to identify security type of network `%s`", ssid)
-	}
-
-	var securityType string
-	switch keyMgmt {
-	case "none":
-		authAlg, _ := secSettings["auth-alg"].(string)
-		switch authAlg {
-		case "open":
-			securityType = "nopass"
-		default:
-			securityType = "WEP"
-		}
-	case "ieee8021x":
-		securityType = "WEP"
-	default:
-		securityType = "WPA"
-	}
-
-	if securityType != "WPA" {
-		return "", fmt.Errorf("QR code generation only supports WPA connections, `%s` uses %s", ssid, securityType)
-	}
-
-	secrets, err := conn.GetSecrets("802-11-wireless-security")
-	if err != nil {
-		return "", fmt.Errorf("failed to retrieve connection secrets for `%s`: %w", ssid, err)
-	}
-
-	secSecrets, ok := secrets["802-11-wireless-security"]
-	if !ok {
-		return "", fmt.Errorf("failed to retrieve password for `%s`", ssid)
-	}
-
-	psk, ok := secSecrets["psk"].(string)
-	if !ok {
-		return "", fmt.Errorf("failed to retrieve password for `%s`", ssid)
-	}
-
-	return FormatWiFiQRString(securityType, ssid, psk), nil
-}
-
 func (b *NetworkManagerBackend) ConnectWiFi(req ConnectionRequest) error {
 	devInfo, err := b.getWifiDeviceForConnection(req.Device)
 	if err != nil {
--- a/core/internal/server/network/handlers.go
+++ b/core/internal/server/network/handlers.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"os"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
@@ -41,10 +40,6 @@ func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
 		handleSetPreference(conn, req, manager)
 	case "network.info":
 		handleGetNetworkInfo(conn, req, manager)
-	case "network.qrcode":
-		handleGetNetworkQRCode(conn, req, manager)
-	case "network.delete-qrcode":
-		handleDeleteQRCode(conn, req, manager)
 	case "network.ethernet.info":
 		handleGetWiredNetworkInfo(conn, req, manager)
 	case "network.subscribe":
@@ -325,42 +320,6 @@ func handleGetNetworkInfo(conn net.Conn, req models.Request, manager *Manager) {
 	models.Respond(conn, req.ID, network)
 }

-func handleGetNetworkQRCode(conn net.Conn, req models.Request, manager *Manager) {
-	ssid, err := params.String(req.Params, "ssid")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	content, err := manager.GetNetworkQRCode(ssid)
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, content)
-}
-
-func handleDeleteQRCode(conn net.Conn, req models.Request, _ *Manager) {
-	path, err := params.String(req.Params, "path")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	if !isValidQRCodePath(path) {
-		models.RespondError(conn, req.ID, "invalid QR code path")
-		return
-	}
-
-	if err := os.Remove(path); err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, models.SuccessResult{Success: true, Message: "QR code file deleted"})
-}
-
 func handleGetWiredNetworkInfo(conn net.Conn, req models.Request, manager *Manager) {
 	uuid, err := params.String(req.Params, "uuid")
 	if err != nil {
--- a/core/internal/server/network/manager.go
+++ b/core/internal/server/network/manager.go
@@ -6,8 +6,6 @@ import (
 	"time"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/yeqown/go-qrcode/v2"
-	"github.com/yeqown/go-qrcode/writer/standard"
 )

 func NewManager() (*Manager, error) {
@@ -440,43 +438,6 @@ func (m *Manager) GetNetworkInfoDetailed(ssid string) (*NetworkInfoResponse, err
 	return m.backend.GetWiFiNetworkDetails(ssid)
 }

-func (m *Manager) GetNetworkQRCode(ssid string) ([2]string, error) {
-	content, err := m.backend.GetWiFiQRCodeContent(ssid)
-	if err != nil {
-		return [2]string{}, err
-	}
-
-	qrc, err := qrcode.New(content)
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code for `%s`: %w", ssid, err)
-	}
-
-	pathThemed, pathNormal := qrCodePaths(ssid)
-
-	wThemed, err := standard.New(
-		pathThemed,
-		standard.WithBuiltinImageEncoder(standard.PNG_FORMAT),
-		standard.WithBgTransparent(),
-		standard.WithFgColorRGBHex("#ffffff"),
-	)
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code writer: %w", err)
-	}
-	if err := qrc.Save(wThemed); err != nil {
-		return [2]string{}, fmt.Errorf("failed to save QR code for `%s`: %w", ssid, err)
-	}
-
-	wNormal, err := standard.New(pathNormal, standard.WithBuiltinImageEncoder(standard.PNG_FORMAT))
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code writer: %w", err)
-	}
-	if err := qrc.Save(wNormal); err != nil {
-		return [2]string{}, fmt.Errorf("failed to save QR code for `%s`: %w", ssid, err)
-	}
-
-	return [2]string{pathThemed, pathNormal}, nil
-}
-
 func (m *Manager) ToggleWiFi() error {
 	enabled, err := m.backend.GetWiFiEnabled()
 	if err != nil {
--- a/core/internal/server/network/wifi_qrcode.go
+++ b/core/internal/server/network/wifi_qrcode.go
@@ -1,59 +0,0 @@
-package network
-
-import (
-	"fmt"
-	"path/filepath"
-	"regexp"
-	"strings"
-)
-
-const qrCodeTmpPrefix = "/tmp/dank-wifi-qrcode-"
-
-func FormatWiFiQRString(securityType, ssid, password string) string {
-	return fmt.Sprintf("WIFI:T:%s;S:%s;P:%s;;", securityType, ssid, password)
-}
-
-func qrCodePaths(ssid string) (themed, normal string) {
-	safe := sanitizeSSIDForPath(ssid)
-	themed = fmt.Sprintf("%s%s-themed.png", qrCodeTmpPrefix, safe)
-	normal = fmt.Sprintf("%s%s-normal.png", qrCodeTmpPrefix, safe)
-	return
-}
-
-func isValidQRCodePath(path string) bool {
-	clean := filepath.Clean(path)
-	return strings.HasPrefix(clean, qrCodeTmpPrefix) && strings.HasSuffix(clean, ".png")
-}
-
-var safePathChar = regexp.MustCompile(`[^a-zA-Z0-9_-]`)
-
-func sanitizeSSIDForPath(ssid string) string {
-	return safePathChar.ReplaceAllString(ssid, "_")
-}
-
-var iwdVerbatimSSID = regexp.MustCompile(`^[a-zA-Z0-9 _-]+$`)
-
-func iwdConfigPath(ssid string) string {
-	switch {
-	case iwdVerbatimSSID.MatchString(ssid):
-		return fmt.Sprintf("/var/lib/iwd/%s.psk", ssid)
-	default:
-		return fmt.Sprintf("/var/lib/iwd/=%x.psk", []byte(ssid))
-	}
-}
-
-func parseIWDPassphrase(data string) (string, error) {
-	inSecurity := false
-	for _, line := range strings.Split(data, "\n") {
-		line = strings.TrimSpace(line)
-		switch {
-		case line == "[Security]":
-			inSecurity = true
-		case strings.HasPrefix(line, "["):
-			inSecurity = false
-		case inSecurity && strings.HasPrefix(line, "Passphrase="):
-			return strings.TrimPrefix(line, "Passphrase="), nil
-		}
-	}
-	return "", fmt.Errorf("no passphrase found in iwd config")
-}
--- a/core/internal/server/router.go
+++ b/core/internal/server/router.go
@@ -15,7 +15,6 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/evdev"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/extworkspace"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/freedesktop"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/location"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/network"
@@ -193,15 +192,6 @@ func RouteRequest(conn net.Conn, req models.Request) {
 		return
 	}

-	if strings.HasPrefix(req.Method, "location.") {
-		if locationManager == nil {
-			models.RespondError(conn, req.ID, "location manager not initialized")
-			return
-		}
-		location.HandleRequest(conn, req, locationManager)
-		return
-	}
-
 	switch req.Method {
 	case "ping":
 		models.Respond(conn, req.ID, "pong")
--- a/core/internal/server/server.go
+++ b/core/internal/server/server.go
@@ -14,7 +14,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/apppicker"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/bluez"
@@ -26,12 +25,10 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/evdev"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/extworkspace"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/freedesktop"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/location"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/network"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/thememode"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/trayrecovery"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/wayland"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/wlcontext"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/wlroutput"
@@ -73,9 +70,6 @@ var clipboardManager *clipboard.Manager
 var dbusManager *serverDbus.Manager
 var wlContext *wlcontext.SharedContext
 var themeModeManager *thememode.Manager
-var trayRecoveryManager *trayrecovery.Manager
-var locationManager *location.Manager
-var geoClientInstance geolocation.Client

 const dbusClientID = "dms-dbus-client"

@@ -396,31 +390,6 @@ func InitializeThemeModeManager() error {
 	return nil
 }

-func InitializeTrayRecoveryManager() error {
-	manager, err := trayrecovery.NewManager()
-	if err != nil {
-		return err
-	}
-
-	trayRecoveryManager = manager
-
-	log.Info("TrayRecovery manager initialized")
-	return nil
-}
-
-func InitializeLocationManager(geoClient geolocation.Client) error {
-	manager, err := location.NewManager(geoClient)
-	if err != nil {
-		log.Warnf("Failed to initialize location manager: %v", err)
-		return err
-	}
-
-	locationManager = manager
-
-	log.Info("Location manager initialized")
-	return nil
-}
-
 func handleConnection(conn net.Conn) {
 	defer conn.Close()

@@ -568,10 +537,6 @@ func getServerInfo() ServerInfo {
 		caps = append(caps, "theme.auto")
 	}

-	if locationManager != nil {
-		caps = append(caps, "location")
-	}
-
 	if dbusManager != nil {
 		caps = append(caps, "dbus")
 	}
@@ -1339,18 +1304,9 @@ func cleanupManagers() {
 	if themeModeManager != nil {
 		themeModeManager.Close()
 	}
-	if trayRecoveryManager != nil {
-		trayRecoveryManager.Close()
-	}
 	if wlContext != nil {
 		wlContext.Close()
 	}
-	if locationManager != nil {
-		locationManager.Close()
-	}
-	if geoClientInstance != nil {
-		geoClientInstance.Close()
-	}
 }

 func Start(printDocs bool) error {
@@ -1532,9 +1488,6 @@ func Start(printDocs bool) error {
 		log.Info(" clipboard.getConfig                   - Get clipboard configuration")
 		log.Info(" clipboard.setConfig                   - Set configuration (params: maxHistory?, maxEntrySize?, autoClearDays?, clearAtStartup?)")
 		log.Info(" clipboard.subscribe                   - Subscribe to clipboard state changes (streaming)")
-		log.Info("Location:")
-		log.Info(" location.getState                      - Get current location state")
-		log.Info(" location.subscribe                     - Subscribe to location changes (streaming)")
 		log.Info("")
 	}
 	log.Info("Initializing managers...")
@@ -1614,49 +1567,6 @@ func Start(printDocs bool) error {
 		log.Warnf("Wayland manager unavailable: %v", err)
 	}

-	if err := InitializeThemeModeManager(); err != nil {
-		log.Warnf("Theme mode manager unavailable: %v", err)
-	} else {
-		notifyCapabilityChange()
-		go func() {
-			<-loginctlReady
-			if loginctlManager == nil {
-				return
-			}
-			themeModeManager.WatchLoginctl(loginctlManager)
-		}()
-	}
-
-	go func() {
-		<-loginctlReady
-		if loginctlManager == nil {
-			return
-		}
-		if err := InitializeTrayRecoveryManager(); err != nil {
-			log.Warnf("TrayRecovery manager unavailable: %v", err)
-		} else {
-			trayRecoveryManager.WatchLoginctl(loginctlManager)
-		}
-	}()
-
-	go func() {
-		geoClient := geolocation.NewClient()
-		geoClientInstance = geoClient
-
-		if waylandManager != nil {
-			waylandManager.SetGeoClient(geoClient)
-		}
-		if themeModeManager != nil {
-			themeModeManager.SetGeoClient(geoClient)
-		}
-
-		if err := InitializeLocationManager(geoClient); err != nil {
-			log.Warnf("Location manager unavailable: %v", err)
-		} else {
-			notifyCapabilityChange()
-		}
-	}()
-
 	go func() {
 		if err := InitializeBluezManager(); err != nil {
 			log.Warnf("Bluez manager unavailable: %v", err)
@@ -1685,6 +1595,19 @@ func Start(printDocs bool) error {
 		log.Debugf("WlrOutput manager unavailable: %v", err)
 	}

+	if err := InitializeThemeModeManager(); err != nil {
+		log.Warnf("Theme mode manager unavailable: %v", err)
+	} else {
+		notifyCapabilityChange()
+		go func() {
+			<-loginctlReady
+			if loginctlManager == nil {
+				return
+			}
+			themeModeManager.WatchLoginctl(loginctlManager)
+		}()
+	}
+
 	fatalErrChan := make(chan error, 1)
 	if wlrOutputManager != nil {
 		go func() {
--- a/core/internal/server/thememode/manager.go
+++ b/core/internal/server/thememode/manager.go
@@ -5,7 +5,6 @@ import (
 	"sync"
 	"time"

-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/wayland"
 	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
@@ -33,8 +32,6 @@ type Manager struct {
 	cachedIPLat   *float64
 	cachedIPLon   *float64

-	geoClient geolocation.Client
-
 	stopChan      chan struct{}
 	updateTrigger chan struct{}
 	wg            sync.WaitGroup
@@ -314,10 +311,6 @@ func (m *Manager) getConfig() Config {
 	return m.config
 }

-func (m *Manager) SetGeoClient(client geolocation.Client) {
-	m.geoClient = client
-}
-
 func (m *Manager) getLocation(config Config) (*float64, *float64) {
 	if config.Latitude != nil && config.Longitude != nil {
 		return config.Latitude, config.Longitude
@@ -325,9 +318,6 @@ func (m *Manager) getLocation(config Config) (*float64, *float64) {
 	if !config.UseIPLocation {
 		return nil, nil
 	}
-	if m.geoClient == nil {
-		return nil, nil
-	}

 	m.locationMutex.RLock()
 	if m.cachedIPLat != nil && m.cachedIPLon != nil {
@@ -337,17 +327,17 @@ func (m *Manager) getLocation(config Config) (*float64, *float64) {
 	}
 	m.locationMutex.RUnlock()

-	location, err := m.geoClient.GetLocation()
+	lat, lon, err := wayland.FetchIPLocation()
 	if err != nil {
 		return nil, nil
 	}

 	m.locationMutex.Lock()
-	m.cachedIPLat = &location.Latitude
-	m.cachedIPLon = &location.Longitude
+	m.cachedIPLat = lat
+	m.cachedIPLon = lon
 	m.locationMutex.Unlock()

-	return m.cachedIPLat, m.cachedIPLon
+	return lat, lon
 }

 func statesEqual(a, b *State) bool {
--- a/core/internal/server/trayrecovery/manager.go
+++ b/core/internal/server/trayrecovery/manager.go
@@ -1,115 +0,0 @@
-package trayrecovery
-
-import (
-	"fmt"
-	"sync"
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
-	"github.com/godbus/dbus/v5"
-	"golang.org/x/sys/unix"
-)
-
-const resumeDelay = 3 * time.Second
-
-type Manager struct {
-	conn     *dbus.Conn
-	stopChan chan struct{}
-	wg       sync.WaitGroup
-}
-
-func NewManager() (*Manager, error) {
-	conn, err := dbus.ConnectSessionBus()
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to session bus: %w", err)
-	}
-
-	m := &Manager{
-		conn:     conn,
-		stopChan: make(chan struct{}),
-	}
-
-	// Only run a startup scan when the system has been suspended at least once.
-	// On a fresh boot CLOCK_BOOTTIME ≈ CLOCK_MONOTONIC (difference ~0).
-	// After any suspend/resume cycle the difference grows by the time spent
-	// sleeping.  This avoids duplicate registrations on normal boot where apps
-	// are still starting up and will register their own tray icons shortly.
-	if timeSuspended() > 5*time.Second {
-		go m.scheduleRecovery()
-	}
-
-	return m, nil
-}
-
-// WatchLoginctl subscribes to loginctl session state changes and triggers
-// tray recovery after resume from suspend (PrepareForSleep false transition).
-// This handles the case where the process survives suspend.
-func (m *Manager) WatchLoginctl(lm *loginctl.Manager) {
-	ch := lm.Subscribe("tray-recovery")
-	m.wg.Add(1)
-	go func() {
-		defer m.wg.Done()
-		defer lm.Unsubscribe("tray-recovery")
-
-		wasSleeping := false
-		for {
-			select {
-			case <-m.stopChan:
-				return
-			case state, ok := <-ch:
-				if !ok {
-					return
-				}
-				if state.PreparingForSleep {
-					wasSleeping = true
-					continue
-				}
-				if wasSleeping {
-					wasSleeping = false
-					go m.scheduleRecovery()
-				}
-			}
-		}
-	}()
-}
-
-func (m *Manager) scheduleRecovery() {
-	select {
-	case <-time.After(resumeDelay):
-		m.recoverTrayItems()
-	case <-m.stopChan:
-	}
-}
-
-func (m *Manager) Close() {
-	select {
-	case <-m.stopChan:
-		return
-	default:
-		close(m.stopChan)
-	}
-	m.wg.Wait()
-	if m.conn != nil {
-		m.conn.Close()
-	}
-	log.Info("TrayRecovery manager closed")
-}
-
-// timeSuspended returns how long the system has spent in suspend since boot.
-// It is the difference between CLOCK_BOOTTIME (includes suspend) and
-// CLOCK_MONOTONIC (excludes suspend).
-func timeSuspended() time.Duration {
-	var bt, mt unix.Timespec
-	if err := unix.ClockGettime(unix.CLOCK_BOOTTIME, &bt); err != nil {
-		return 0
-	}
-	if err := unix.ClockGettime(unix.CLOCK_MONOTONIC, &mt); err != nil {
-		return 0
-	}
-	diff := (bt.Sec-mt.Sec)*int64(time.Second) + (bt.Nsec - mt.Nsec)
-	if diff < 0 {
-		return 0
-	}
-	return time.Duration(diff)
-}
--- a/core/internal/server/trayrecovery/recovery.go
+++ b/core/internal/server/trayrecovery/recovery.go
@@ -1,262 +0,0 @@
-package trayrecovery
-
-import (
-	"context"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/godbus/dbus/v5"
-)
-
-const (
-	sniWatcherDest   = "org.kde.StatusNotifierWatcher"
-	sniWatcherPath   = "/StatusNotifierWatcher"
-	sniWatcherIface  = "org.kde.StatusNotifierWatcher"
-	sniItemIface     = "org.kde.StatusNotifierItem"
-	dbusIface        = "org.freedesktop.DBus"
-	propsIface       = "org.freedesktop.DBus.Properties"
-	probeTimeout     = 300 * time.Millisecond
-	connProbeTimeout = 150 * time.Millisecond
-	batchSize        = 30
-)
-
-var excludedPrefixes = []string{
-	"org.freedesktop.",
-	"org.gnome.",
-	"org.kde.StatusNotifier",
-	"com.canonical.AppMenu",
-	"org.mpris.",
-	"org.pipewire.",
-	"org.pulseaudio",
-	"fi.epitaph",
-	"quickshell",
-	"org.kde.quickshell",
-}
-
-func (m *Manager) recoverTrayItems() {
-	registeredItems := m.getRegisteredItems()
-	allNames := m.getDBusNames()
-	if allNames == nil {
-		return
-	}
-
-	registeredConnIDs := m.buildRegisteredConnIDs(registeredItems)
-
-	count := len(registeredItems)
-	log.Infof("TrayRecoveryService: scanning DBus for unregistered SNI items (%d already registered)...", count)
-
-	m.scanWellKnownNames(allNames, registeredItems, registeredConnIDs)
-	m.scanConnectionIDs(allNames, registeredItems, registeredConnIDs)
-}
-
-func (m *Manager) getRegisteredItems() []string {
-	obj := m.conn.Object(sniWatcherDest, sniWatcherPath)
-	variant, err := obj.GetProperty(sniWatcherIface + ".RegisteredStatusNotifierItems")
-	if err != nil {
-		log.Warnf("TrayRecoveryService: failed to get registered items: %v", err)
-		return nil
-	}
-
-	switch v := variant.Value().(type) {
-	case []string:
-		return v
-	case []any:
-		items := make([]string, 0, len(v))
-		for _, elem := range v {
-			if s, ok := elem.(string); ok {
-				items = append(items, s)
-			}
-		}
-		return items
-	}
-	return nil
-}
-
-func (m *Manager) getDBusNames() []string {
-	var names []string
-	err := m.conn.BusObject().Call(dbusIface+".ListNames", 0).Store(&names)
-	if err != nil {
-		log.Warnf("TrayRecoveryService: failed to list bus names: %v", err)
-		return nil
-	}
-	return names
-}
-
-func (m *Manager) getNameOwner(name string) string {
-	var owner string
-	err := m.conn.BusObject().Call(dbusIface+".GetNameOwner", 0, name).Store(&owner)
-	if err != nil {
-		return ""
-	}
-	return owner
-}
-
-// buildRegisteredConnIDs resolves every registered SNI item (well-known name
-// or :1.xxx connection ID) to a canonical connection ID. This prevents
-// duplicates in both directions.
-func (m *Manager) buildRegisteredConnIDs(registeredItems []string) map[string]bool {
-	connIDs := make(map[string]bool, len(registeredItems))
-	for _, item := range registeredItems {
-		name := extractName(item)
-		if strings.HasPrefix(name, ":1.") {
-			connIDs[name] = true
-		} else {
-			owner := m.getNameOwner(name)
-			if owner != "" {
-				connIDs[owner] = true
-			}
-		}
-	}
-	return connIDs
-}
-
-// scanWellKnownNames probes well-known names (e.g. DinoX, nm-applet) for
-// unregistered SNI items and re-registers them.
-func (m *Manager) scanWellKnownNames(allNames []string, registeredItems []string, registeredConnIDs map[string]bool) {
-	registeredRaw := strings.Join(registeredItems, "\n")
-
-	for _, name := range allNames {
-		if strings.HasPrefix(name, ":") {
-			continue
-		}
-
-		if strings.Contains(registeredRaw, name) {
-			continue
-		}
-
-		// Skip if this name's connection ID is already in the registered set
-		// (handles the case where the app registered via connection ID instead)
-		connForName := m.getNameOwner(name)
-		if connForName != "" && registeredConnIDs[connForName] {
-			continue
-		}
-
-		if isExcludedName(name) {
-			continue
-		}
-
-		short := shortName(name)
-		objectPaths := []string{
-			"/StatusNotifierItem",
-			"/org/ayatana/NotificationItem/" + short,
-		}
-
-		for _, objPath := range objectPaths {
-			if m.probeSNI(name, objPath, probeTimeout) {
-				m.registerSNI(name)
-				// Update set so the connection-ID section won't double-register this app
-				if connForName != "" {
-					registeredConnIDs[connForName] = true
-				}
-				break
-			}
-		}
-	}
-}
-
-// scanConnectionIDs probes all :1.xxx connections in parallel for unregistered
-// SNI items (e.g. Vesktop, Electron apps). Most non-SNI connections return an
-// error instantly, so this is fast.
-func (m *Manager) scanConnectionIDs(allNames []string, registeredItems []string, registeredConnIDs map[string]bool) {
-	registeredRaw := strings.Join(registeredItems, "\n")
-	registeredLower := strings.ToLower(registeredRaw)
-
-	var wg sync.WaitGroup
-	sem := make(chan struct{}, batchSize)
-
-	for _, name := range allNames {
-		if !strings.HasPrefix(name, ":1.") {
-			continue
-		}
-		if registeredConnIDs[name] {
-			continue
-		}
-
-		sem <- struct{}{}
-		wg.Add(1)
-		go func(conn string) {
-			defer wg.Done()
-			defer func() { <-sem }()
-
-			sniID := m.getSNIId(conn, connProbeTimeout)
-			if sniID == "" {
-				return
-			}
-
-			// Skip if an item with the same Id is already registered (case-insensitive)
-			if strings.Contains(registeredLower, strings.ToLower(sniID)) {
-				return
-			}
-
-			m.registerSNI(conn)
-			log.Infof("TrayRecovery: re-registered %s (Id: %s)", conn, sniID)
-		}(name)
-	}
-	wg.Wait()
-}
-
-func (m *Manager) probeSNI(dest, path string, timeout time.Duration) bool {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	obj := m.conn.Object(dest, dbus.ObjectPath(path))
-	var props map[string]dbus.Variant
-	err := obj.CallWithContext(ctx, propsIface+".GetAll", 0, sniItemIface).Store(&props)
-	if err != nil {
-		return false
-	}
-
-	_, hasID := props["Id"]
-	return hasID
-}
-
-func (m *Manager) getSNIId(dest string, timeout time.Duration) string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	obj := m.conn.Object(dest, "/StatusNotifierItem")
-	var variant dbus.Variant
-	err := obj.CallWithContext(ctx, propsIface+".Get", 0, sniItemIface, "Id").Store(&variant)
-	if err != nil {
-		return ""
-	}
-
-	id, _ := variant.Value().(string)
-	return id
-}
-
-func (m *Manager) registerSNI(name string) {
-	obj := m.conn.Object(sniWatcherDest, sniWatcherPath)
-	call := obj.Call(sniWatcherIface+".RegisterStatusNotifierItem", 0, name)
-	if call.Err != nil {
-		log.Warnf("TrayRecovery: failed to register %s: %v", name, call.Err)
-		return
-	}
-	log.Infof("TrayRecovery: re-registered %s", name)
-}
-
-func extractName(item string) string {
-	if idx := strings.IndexByte(item, '/'); idx != -1 {
-		return item[:idx]
-	}
-	return item
-}
-
-func shortName(name string) string {
-	parts := strings.Split(name, ".")
-	if len(parts) > 0 {
-		return parts[len(parts)-1]
-	}
-	return name
-}
-
-func isExcludedName(name string) bool {
-	for _, prefix := range excludedPrefixes {
-		if strings.HasPrefix(name, prefix) {
-			return true
-		}
-	}
-	return false
-}
--- a/core/internal/server/wayland/manager.go
+++ b/core/internal/server/wayland/manager.go
@@ -3,11 +3,8 @@ package wayland
 import (
 	"bytes"
 	"encoding/binary"
-	"errors"
 	"fmt"
-	"io"
 	"os"
-	"slices"
 	"syscall"
 	"time"

@@ -16,7 +13,6 @@ import (
 	"golang.org/x/sys/unix"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/proto/wlr_gamma_control"
 )
@@ -76,10 +72,7 @@ func NewManager(display wlclient.WaylandDisplay, config Config) (*Manager, error
 		m.post(func() {
 			log.Info("Gamma control enabled at startup")
 			gammaMgr := m.gammaControl.(*wlr_gamma_control.ZwlrGammaControlManagerV1)
-			m.availOutputsMu.RLock()
-			outs := slices.Clone(m.availableOutputs)
-			m.availOutputsMu.RUnlock()
-			if err := m.setupOutputControls(outs, gammaMgr); err != nil {
+			if err := m.setupOutputControls(m.availableOutputs, gammaMgr); err != nil {
 				log.Errorf("Failed to initialize gamma controls: %v", err)
 				return
 			}
@@ -176,7 +169,6 @@ func (m *Manager) setupRegistry() error {
 			})
 			if gammaMgr != nil {
 				outputs = append(outputs, output)
-				m.addAvailableOutput(output)
 			}
 			m.outputRegNames.Store(outputID, e.Name)

@@ -211,11 +203,6 @@ func (m *Manager) setupRegistry() error {
 			}
 			if foundOut.gammaControl != nil {
 				foundOut.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1).Destroy()
-				foundOut.gammaControl = nil
-			}
-			m.removeAvailableOutput(foundOut.output)
-			if foundOut.output != nil && !foundOut.output.IsZombie() {
-				_ = foundOut.output.Release()
 			}
 			m.outputs.Delete(foundID)

@@ -300,28 +287,14 @@ func (m *Manager) setupControlHandlers(state *outputState, control *wlr_gamma_co
 			if !ok {
 				return
 			}
-			if ctrl, ok := out.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1); ok && ctrl != nil && !ctrl.IsZombie() {
-				ctrl.Destroy()
-			}
-			out.gammaControl = nil
 			out.failed = true
 			out.rampSize = 0
 			out.retryCount++
 			out.lastFailTime = time.Now()

-			if !m.outputStillValid(out) {
-				return
-			}
-
 			backoff := time.Duration(300<<uint(min(out.retryCount-1, 4))) * time.Millisecond
 			time.AfterFunc(backoff, func() {
 				m.post(func() {
-					if !m.outputStillValid(out) {
-						return
-					}
-					if _, stillTracked := m.outputs.Load(outputID); !stillTracked {
-						return
-					}
 					m.recreateOutputControl(out)
 				})
 			})
@@ -329,75 +302,12 @@ func (m *Manager) setupControlHandlers(state *outputState, control *wlr_gamma_co
 	})
 }

-func (m *Manager) addAvailableOutput(o *wlclient.Output) {
-	if o == nil {
-		return
-	}
-	m.availOutputsMu.Lock()
-	defer m.availOutputsMu.Unlock()
-	if slices.Contains(m.availableOutputs, o) {
-		return
-	}
-	m.availableOutputs = append(m.availableOutputs, o)
-}
-
-func (m *Manager) removeAvailableOutput(o *wlclient.Output) {
-	if o == nil {
-		return
-	}
-	m.availOutputsMu.Lock()
-	defer m.availOutputsMu.Unlock()
-	m.availableOutputs = slices.DeleteFunc(m.availableOutputs, func(existing *wlclient.Output) bool {
-		return existing == o
-	})
-}
-
-func (m *Manager) outputStillValid(out *outputState) bool {
-	switch {
-	case out == nil:
-		return false
-	case out.output == nil:
-		return false
-	case out.output.IsZombie():
-		return false
-	}
-	m.availOutputsMu.RLock()
-	defer m.availOutputsMu.RUnlock()
-	return slices.Contains(m.availableOutputs, out.output)
-}
-
-func isConnectionDeadErr(err error) bool {
-	switch {
-	case err == nil:
-		return false
-	case errors.Is(err, syscall.EPIPE):
-		return true
-	case errors.Is(err, syscall.ECONNRESET):
-		return true
-	case errors.Is(err, syscall.EBADF):
-		return true
-	case errors.Is(err, io.EOF):
-		return true
-	}
-	return false
-}
-
 func (m *Manager) addOutputControl(output *wlclient.Output) error {
-	switch {
-	case m.connectionDead.Load():
-		return nil
-	case output == nil || output.IsZombie():
-		return nil
-	}
-
 	outputID := output.ID()
 	gammaMgr := m.gammaControl.(*wlr_gamma_control.ZwlrGammaControlManagerV1)

 	control, err := gammaMgr.GetGammaControl(output)
 	if err != nil {
-		if isConnectionDeadErr(err) {
-			m.markConnectionDead(err)
-		}
 		return err
 	}

@@ -418,37 +328,26 @@ func (m *Manager) recreateOutputControl(out *outputState) error {
 	enabled := m.config.Enabled
 	m.configMutex.RUnlock()

-	switch {
-	case m.connectionDead.Load():
-		return nil
-	case !enabled || !m.controlsInitialized:
-		return nil
-	case out.isVirtual:
-		return nil
-	case out.retryCount >= 10:
-		return nil
-	case !m.outputStillValid(out):
+	if !enabled || !m.controlsInitialized {
 		return nil
 	}
 	if _, ok := m.outputs.Load(out.id); !ok {
 		return nil
 	}
+	if out.isVirtual {
+		return nil
+	}
+	if out.retryCount >= 10 {
+		return nil
+	}

 	gammaMgr, ok := m.gammaControl.(*wlr_gamma_control.ZwlrGammaControlManagerV1)
 	if !ok {
 		return fmt.Errorf("no gamma manager")
 	}

-	if existing, ok := out.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1); ok && existing != nil && !existing.IsZombie() {
-		existing.Destroy()
-		out.gammaControl = nil
-	}
-
 	control, err := gammaMgr.GetGammaControl(out.output)
 	if err != nil {
-		if isConnectionDeadErr(err) {
-			m.markConnectionDead(err)
-		}
 		return err
 	}

@@ -458,13 +357,6 @@ func (m *Manager) recreateOutputControl(out *outputState) error {
 	return nil
 }

-func (m *Manager) markConnectionDead(err error) {
-	if m.connectionDead.Swap(true) {
-		return
-	}
-	log.Errorf("gamma: wayland connection appears dead (%v); pausing gamma operations", err)
-}
-
 func (m *Manager) recalcSchedule(now time.Time) {
 	m.configMutex.RLock()
 	config := m.config
@@ -528,10 +420,6 @@ func (m *Manager) recalcSchedule(now time.Time) {
 	}
 }

-func (m *Manager) SetGeoClient(client geolocation.Client) {
-	m.geoClient = client
-}
-
 func (m *Manager) getLocation() (*float64, *float64) {
 	m.configMutex.RLock()
 	config := m.config
@@ -540,31 +428,26 @@ func (m *Manager) getLocation() (*float64, *float64) {
 	if config.Latitude != nil && config.Longitude != nil {
 		return config.Latitude, config.Longitude
 	}
-	if !config.UseIPLocation {
-		return nil, nil
-	}
-	if m.geoClient == nil {
-		return nil, nil
-	}
-
-	m.locationMutex.RLock()
-	if m.cachedIPLat != nil && m.cachedIPLon != nil {
-		lat, lon := m.cachedIPLat, m.cachedIPLon
+	if config.UseIPLocation {
+		m.locationMutex.RLock()
+		if m.cachedIPLat != nil && m.cachedIPLon != nil {
+			lat, lon := m.cachedIPLat, m.cachedIPLon
+			m.locationMutex.RUnlock()
+			return lat, lon
+		}
 		m.locationMutex.RUnlock()
+
+		lat, lon, err := FetchIPLocation()
+		if err != nil {
+			return nil, nil
+		}
+		m.locationMutex.Lock()
+		m.cachedIPLat = lat
+		m.cachedIPLon = lon
+		m.locationMutex.Unlock()
 		return lat, lon
 	}
-	m.locationMutex.RUnlock()
-
-	location, err := m.geoClient.GetLocation()
-	if err != nil {
-		return nil, nil
-	}
-
-	m.locationMutex.Lock()
-	m.cachedIPLat = &location.Latitude
-	m.cachedIPLon = &location.Longitude
-	m.locationMutex.Unlock()
-	return m.cachedIPLat, m.cachedIPLon
+	return nil, nil
 }

 func (m *Manager) hasValidSchedule() bool {
@@ -797,12 +680,11 @@ func (m *Manager) applyGamma(temp int) {
 	gamma := m.config.Gamma
 	m.configMutex.RUnlock()

-	switch {
-	case m.connectionDead.Load():
+	if !m.controlsInitialized {
 		return
-	case !m.controlsInitialized:
-		return
-	case m.lastAppliedTemp == temp && m.lastAppliedGamma == gamma:
+	}
+
+	if m.lastAppliedTemp == temp && m.lastAppliedGamma == gamma {
 		return
 	}

@@ -822,14 +704,7 @@ func (m *Manager) applyGamma(temp int) {
 	var jobs []job

 	for _, out := range outs {
-		switch {
-		case out.failed:
-			continue
-		case out.rampSize == 0:
-			continue
-		case out.gammaControl == nil:
-			continue
-		case !m.outputStillValid(out):
+		if out.failed || out.rampSize == 0 {
 			continue
 		}
 		ramp := GenerateGammaRamp(out.rampSize, temp, gamma)
@@ -847,16 +722,18 @@ func (m *Manager) applyGamma(temp int) {
 	}

 	for _, j := range jobs {
-		err := m.setGammaBytes(j.out, j.data)
-		if err == nil {
-			continue
-		}
-		log.Warnf("gamma: failed to set output %d: %v", j.out.id, err)
-		j.out.failed = true
-		j.out.rampSize = 0
-		if isConnectionDeadErr(err) {
-			m.markConnectionDead(err)
-			return
+		if err := m.setGammaBytes(j.out, j.data); err != nil {
+			log.Warnf("gamma: failed to set output %d: %v", j.out.id, err)
+			j.out.failed = true
+			j.out.rampSize = 0
+			outID := j.out.id
+			time.AfterFunc(300*time.Millisecond, func() {
+				m.post(func() {
+					if out, ok := m.outputs.Load(outID); ok && out.failed {
+						m.recreateOutputControl(out)
+					}
+				})
+			})
 		}
 	}

@@ -865,14 +742,6 @@ func (m *Manager) applyGamma(temp int) {
 }

 func (m *Manager) setGammaBytes(out *outputState, data []byte) error {
-	if out.gammaControl == nil {
-		return fmt.Errorf("no gamma control")
-	}
-	ctrl, ok := out.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1)
-	if !ok || ctrl == nil || ctrl.IsZombie() {
-		return fmt.Errorf("gamma control invalid")
-	}
-
 	fd, err := MemfdCreate("gamma-ramp", 0)
 	if err != nil {
 		return err
@@ -895,6 +764,7 @@ func (m *Manager) setGammaBytes(out *outputState, data []byte) error {
 	}
 	syscall.Seek(fd, 0, 0)

+	ctrl := out.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1)
 	return ctrl.SetGamma(fd)
 }

@@ -1002,10 +872,10 @@ func (m *Manager) dbusMonitor() {
 }

 func (m *Manager) handleDBusSignal(sig *dbus.Signal) {
-	switch {
-	case sig.Name != "org.freedesktop.login1.Manager.PrepareForSleep":
+	if sig.Name != "org.freedesktop.login1.Manager.PrepareForSleep" {
 		return
-	case len(sig.Body) == 0:
+	}
+	if len(sig.Body) == 0 {
 		return
 	}
 	preparing, ok := sig.Body[0].(bool)
@@ -1019,34 +889,27 @@ func (m *Manager) handleDBusSignal(sig *dbus.Signal) {
 		return
 	}
 	time.AfterFunc(500*time.Millisecond, func() {
-		m.post(m.handleResume)
+		m.post(func() {
+			m.configMutex.RLock()
+			stillEnabled := m.config.Enabled
+			m.configMutex.RUnlock()
+			if !stillEnabled || !m.controlsInitialized {
+				return
+			}
+			m.outputs.Range(func(_ uint32, out *outputState) bool {
+				if out.gammaControl != nil {
+					out.gammaControl.(*wlr_gamma_control.ZwlrGammaControlV1).Destroy()
+					out.gammaControl = nil
+				}
+				out.retryCount = 0
+				out.failed = false
+				m.recreateOutputControl(out)
+				return true
+			})
+		})
 	})
 }

-func (m *Manager) handleResume() {
-	m.configMutex.RLock()
-	stillEnabled := m.config.Enabled
-	m.configMutex.RUnlock()
-
-	switch {
-	case !stillEnabled:
-		return
-	case !m.controlsInitialized:
-		return
-	case m.connectionDead.Load():
-		return
-	}
-
-	// Compositors (Niri, Hyprland, wlroots-based) re-apply the cached gamma
-	// ramp to DRM on resume; gamma_control objects stay valid. We just need
-	// to force a resend so the schedule catches up with the current time of
-	// day — the original #1235 regression was caused by lastAppliedTemp
-	// matching and the send being skipped.
-	m.recalcSchedule(time.Now())
-	m.lastAppliedTemp = 0
-	m.applyCurrentTemp("resume")
-}
-
 func (m *Manager) triggerUpdate() {
 	select {
 	case m.updateTrigger <- struct{}{}:
@@ -1185,10 +1048,7 @@ func (m *Manager) SetEnabled(enabled bool) {
 	case enabled && !m.controlsInitialized:
 		m.post(func() {
 			gammaMgr := m.gammaControl.(*wlr_gamma_control.ZwlrGammaControlManagerV1)
-			m.availOutputsMu.RLock()
-			outs := slices.Clone(m.availableOutputs)
-			m.availOutputsMu.RUnlock()
-			if err := m.setupOutputControls(outs, gammaMgr); err != nil {
+			if err := m.setupOutputControls(m.availableOutputs, gammaMgr); err != nil {
 				log.Errorf("gamma: failed to create controls: %v", err)
 				return
 			}
--- a/core/internal/server/wayland/types.go
+++ b/core/internal/server/wayland/types.go
@@ -3,11 +3,9 @@ package wayland
 import (
 	"math"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	wlclient "github.com/AvengeMedia/DankMaterialShell/core/pkg/go-wayland/wayland/client"
 	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
 	"github.com/godbus/dbus/v5"
@@ -72,11 +70,9 @@ type Manager struct {
 	registry            *wlclient.Registry
 	gammaControl        any
 	availableOutputs    []*wlclient.Output
-	availOutputsMu      sync.RWMutex
 	outputRegNames      syncmap.Map[uint32, uint32]
 	outputs             syncmap.Map[uint32, *outputState]
 	controlsInitialized bool
-	connectionDead      atomic.Bool

 	cmdq  chan cmd
 	alive bool
@@ -101,8 +97,6 @@ type Manager struct {
 	dbusConn   *dbus.Conn
 	dbusSignal chan *dbus.Signal

-	geoClient geolocation.Client
-
 	lastAppliedTemp  int
 	lastAppliedGamma float64
 }
--- a/core/internal/tui/views_config.go
+++ b/core/internal/tui/views_config.go
@@ -40,7 +40,7 @@ func (m Model) viewDeployingConfigs() string {

 	spinner := m.spinner.View()
 	status := m.styles.Normal.Render("Setting up configuration files...")
-	fmt.Fprintf(&b, "%s %s", spinner, status)
+	b.WriteString(fmt.Sprintf("%s %s", spinner, status))
 	b.WriteString("\n\n")

 	// Show progress information
--- a/core/internal/tui/views_dependencies.go
+++ b/core/internal/tui/views_dependencies.go
@@ -23,7 +23,7 @@ func (m Model) viewDetectingDeps() string {

 	spinner := m.spinner.View()
 	status := m.styles.Normal.Render("Scanning system for existing packages and configurations...")
-	fmt.Fprintf(&b, "%s %s", spinner, status)
+	b.WriteString(fmt.Sprintf("%s %s", spinner, status))

 	return b.String()
 }
--- a/core/internal/tui/views_install.go
+++ b/core/internal/tui/views_install.go
@@ -52,7 +52,7 @@ func (m Model) viewInstallingPackages() string {
 	if !m.packageProgress.isComplete {
 		spinner := m.spinner.View()
 		status := m.styles.Normal.Render(m.packageProgress.step)
-		fmt.Fprintf(&b, "%s %s", spinner, status)
+		b.WriteString(fmt.Sprintf("%s %s", spinner, status))
 		b.WriteString("\n\n")

 		// Show progress bar
@@ -387,7 +387,7 @@ func (m Model) viewDebugLogs() string {

 		for i := startIdx; i < len(allLogs); i++ {
 			if allLogs[i] != "" {
-				fmt.Fprintf(&b, "%d: %s\n", i, allLogs[i])
+				b.WriteString(fmt.Sprintf("%d: %s\n", i, allLogs[i]))
 			}
 		}

--- a/core/internal/tui/views_password.go
+++ b/core/internal/tui/views_password.go
@@ -76,7 +76,7 @@ func (m Model) viewFingerprintAuth() string {

 		spinner := m.spinner.View()
 		status := m.styles.Normal.Render("Waiting for fingerprint...")
-		fmt.Fprintf(&b, "%s %s", spinner, status)
+		b.WriteString(fmt.Sprintf("%s %s", spinner, status))
 	}

 	return b.String()
--- a/core/internal/tui/views_welcome.go
+++ b/core/internal/tui/views_welcome.go
@@ -132,9 +132,9 @@ func (m Model) viewWelcome() string {
 					contentStyle = contentStyle.Bold(true)
 				}

-				fmt.Fprintf(&b, "  %s %s\n",
+				b.WriteString(fmt.Sprintf("  %s %s\n",
 					prefixStyle.Render(prefix),
-					contentStyle.Render(content))
+					contentStyle.Render(content)))
 			}

 			b.WriteString("\n")
@@ -158,7 +158,7 @@ func (m Model) viewWelcome() string {
 	} else if m.isLoading {
 		spinner := m.spinner.View()
 		loading := m.styles.Normal.Render("Detecting system...")
-		fmt.Fprintf(&b, "%s %s\n\n", spinner, loading)
+		b.WriteString(fmt.Sprintf("%s %s\n\n", spinner, loading))
 	}

 	// Footer with better visual separation
--- a/core/internal/version/version_test.go
+++ b/core/internal/version/version_test.go
@@ -2,10 +2,12 @@ package version

 import (
 	"os"
+	"os/exec"
 	"path/filepath"
 	"testing"

 	mocks_version "github.com/AvengeMedia/DankMaterialShell/core/internal/mocks/version"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 )

 func TestCompareVersions(t *testing.T) {
@@ -148,6 +150,76 @@ func TestGetCurrentDMSVersion_NotInstalled(t *testing.T) {
 	}
 }

+func TestGetCurrentDMSVersion_GitTag(t *testing.T) {
+	if !utils.CommandExists("git") {
+		t.Skip("git not available")
+	}
+
+	tempDir := t.TempDir()
+	dmsPath := filepath.Join(tempDir, ".config", "quickshell", "dms")
+	os.MkdirAll(dmsPath, 0o755)
+
+	originalHome := os.Getenv("HOME")
+	defer os.Setenv("HOME", originalHome)
+	os.Setenv("HOME", tempDir)
+
+	exec.Command("git", "init", dmsPath).Run()
+	exec.Command("git", "-C", dmsPath, "config", "user.email", "test@test.com").Run()
+	exec.Command("git", "-C", dmsPath, "config", "user.name", "Test User").Run()
+
+	testFile := filepath.Join(dmsPath, "test.txt")
+	os.WriteFile(testFile, []byte("test"), 0o644)
+	exec.Command("git", "-C", dmsPath, "add", ".").Run()
+	exec.Command("git", "-C", dmsPath, "commit", "-m", "initial").Run()
+	exec.Command("git", "-C", dmsPath, "tag", "v0.1.0").Run()
+
+	version, err := GetCurrentDMSVersion()
+	if err != nil {
+		t.Fatalf("GetCurrentDMSVersion() failed: %v", err)
+	}
+
+	if version != "v0.1.0" {
+		t.Errorf("Expected version v0.1.0, got %s", version)
+	}
+}
+
+func TestGetCurrentDMSVersion_GitBranch(t *testing.T) {
+	if !utils.CommandExists("git") {
+		t.Skip("git not available")
+	}
+
+	tempDir := t.TempDir()
+	dmsPath := filepath.Join(tempDir, ".config", "quickshell", "dms")
+	os.MkdirAll(dmsPath, 0o755)
+
+	originalHome := os.Getenv("HOME")
+	defer os.Setenv("HOME", originalHome)
+	os.Setenv("HOME", tempDir)
+
+	exec.Command("git", "init", dmsPath).Run()
+	exec.Command("git", "-C", dmsPath, "config", "user.email", "test@test.com").Run()
+	exec.Command("git", "-C", dmsPath, "config", "user.name", "Test User").Run()
+	exec.Command("git", "-C", dmsPath, "checkout", "-b", "master").Run()
+
+	testFile := filepath.Join(dmsPath, "test.txt")
+	os.WriteFile(testFile, []byte("test"), 0o644)
+	exec.Command("git", "-C", dmsPath, "add", ".").Run()
+	exec.Command("git", "-C", dmsPath, "commit", "-m", "initial").Run()
+
+	version, err := GetCurrentDMSVersion()
+	if err != nil {
+		t.Fatalf("GetCurrentDMSVersion() failed: %v", err)
+	}
+
+	if version == "" {
+		t.Error("Expected non-empty version")
+	}
+
+	if len(version) < 7 {
+		t.Errorf("Expected version with branch@commit format, got %s", version)
+	}
+}
+
 func TestVersionInfo_IsGit(t *testing.T) {
 	tests := []struct {
 		current  string
--- a/distro/debian/dms-git/debian/rules
+++ b/distro/debian/dms-git/debian/rules
@@ -27,12 +27,12 @@ override_dh_auto_build:
 	# Verify core directory exists (native package format has source at root)
 	test -d core || (echo "ERROR: core directory not found!" && exit 1)

-	# Pin go.mod and vendor/modules.txt to the installed Go toolchain version
-	GO_INSTALLED=$$(go version | grep -oP 'go\K[0-9]+\.[0-9]+'); \
-	sed -i "s/^go [0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$$/go $${GO_INSTALLED}/" core/go.mod; \
-	sed -i "s/^\(## explicit; go \)[0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$$/\1$${GO_INSTALLED}/" core/vendor/modules.txt
+	# Patch go.mod to use Go 1.24 base version (Debian 13 has 1.23.x, may vary)
+	sed -i 's/^go 1\.24\.[0-9]*/go 1.24/' core/go.mod

-	# Build dms-cli (single shell to preserve variables; arch: Debian amd64/arm64 -> Makefile amd64/arm64)
+	# Build dms-cli from source using vendored dependencies
+	# Extract version info and build in single shell to preserve variables
+	# Architecture mapping: Debian amd64/arm64 -> Makefile amd64/arm64
 	VERSION="$(UPSTREAM_VERSION)"; \
 	COMMIT=$$(echo "$(UPSTREAM_VERSION)" | grep -oP '(?<=git)[0-9]+\.[a-f0-9]+' | cut -d. -f2 | head -c8 || echo "unknown"); \
 	if [ "$(DEB_HOST_ARCH)" = "amd64" ]; then \
--- a/distro/debian/dms-greeter/_service
+++ b/distro/debian/dms-greeter/_service
@@ -3,7 +3,7 @@
  <service name="download_url">
    <param name="protocol">https</param>
    <param name="host">github.com</param>
-    <param name="path">/AvengeMedia/DankMaterialShell/releases/download/v1.4.3/dms-qml.tar.gz</param>
+    <param name="path">/AvengeMedia/DankMaterialShell/releases/download/v1.4.2/dms-qml.tar.gz</param>
    <param name="filename">dms-qml.tar.gz</param>
  </service>
 </services>
--- a/distro/debian/dms-greeter/debian/changelog
+++ b/distro/debian/dms-greeter/debian/changelog
@@ -1,5 +1,6 @@
-dms-greeter (1.4.3db1) unstable; urgency=medium
+dms-greeter (1.4.2db8) unstable; urgency=medium

-  * Update to v1.4.3 stable release
+  * Initial Debian OBS package
+  * Port from Ubuntu/Fedora packaging

- -- Avenge Media <AvengeMedia.US@gmail.com>  Tue, 25 Feb 2026 02:40:00 +0000
+ -- Avenge Media <AvengeMedia.US@gmail.com>  Sat, 21 Feb 2026 00:00:00 +0000
--- a/distro/fedora/dms-git.spec
+++ b/distro/fedora/dms-git.spec
@@ -3,7 +3,6 @@
 %global debug_package %{nil}
 %global version {{{ git_repo_version }}}
 %global pkg_summary DankMaterialShell - Material 3 inspired shell for Wayland compositors
-%global go_toolchain_version 1.26.1

 Name:           dms
 Epoch:          2
@@ -15,12 +14,12 @@ License:        MIT
 URL:            https://github.com/AvengeMedia/DankMaterialShell
 VCS:            {{{ git_repo_vcs }}}
 Source0:        {{{ git_repo_pack }}}
-Source1:        https://go.dev/dl/go%{go_toolchain_version}.linux-amd64.tar.gz
-Source2:        https://go.dev/dl/go%{go_toolchain_version}.linux-arm64.tar.gz

 BuildRequires:  git-core
 BuildRequires:  gzip
+BuildRequires:  golang >= 1.24
 BuildRequires:  make
+BuildRequires:  wget
 BuildRequires:  systemd-rpm-macros

 # Core requirements
@@ -29,7 +28,7 @@ Requires:       accountsservice
 Requires:       dms-cli = %{epoch}:%{version}-%{release}
 Requires:       dgop

-# Core utilities (Recommended for DMS functionality)
+# Core utilities (Highly recommended for DMS functionality)
 Recommends:     cava
 Recommends:     danksearch
 Recommends:     matugen
@@ -67,28 +66,6 @@ Provides native DBus bindings, NetworkManager integration, and system utilities.
 VERSION="%{version}"
 COMMIT=$(echo "%{version}" | grep -oP '[a-f0-9]{7,}' | head -n1 || echo "unknown")

-# Use pinned bundled Go toolchain (deterministic across chroots)
-case "%{_arch}" in
-  x86_64)
-    GO_TARBALL="%{_sourcedir}/go%{go_toolchain_version}.linux-amd64.tar.gz"
-    ;;
-  aarch64)
-    GO_TARBALL="%{_sourcedir}/go%{go_toolchain_version}.linux-arm64.tar.gz"
-    ;;
-  *)
-    echo "Unsupported architecture for bundled Go: %{_arch}"
-    exit 1
-    ;;
-esac
-
-rm -rf .go
-tar -xzf "$GO_TARBALL"
-mv go .go
-export GOROOT="$PWD/.go"
-export PATH="$GOROOT/bin:$PATH"
-export GOTOOLCHAIN=local
-go version
-
 cd core
 make dist VERSION="$VERSION" COMMIT="$COMMIT"

--- a/distro/nix/default.nix
+++ b/distro/nix/default.nix
@@ -1,11 +0,0 @@
-(import (
-  let
-    lock = builtins.fromJSON (builtins.readFile ../../flake.lock);
-  in
-  fetchTarball {
-    url =
-      lock.nodes.flake-compat.locked.url
-        or "https://github.com/NixOS/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-    sha256 = lock.nodes.flake-compat.locked.narHash;
-  }
-) { src = ../..; }).defaultNix
--- a/distro/nix/greeter.nix
+++ b/distro/nix/greeter.nix
@@ -139,13 +139,6 @@ in
        '';
      }
    ];
-    # DMS currently relies on /etc/pam.d/login for lock screen password auth on NixOS.
-    # Declare security.pam.services.dankshell only if you want to override that runtime fallback.
-    # U2F and fingerprint are handled separately by DMS — do not add pam_u2f or pam_fprintd here.
-    # security.pam.services.dankshell = {
-    #   # Example: add faillock
-    #   faillock.enable = true;
-    # };
    services.greetd = {
      enable = lib.mkDefault true;
      settings.default_session.command = lib.mkDefault (lib.getExe greeterScript);
--- a/distro/nix/niri.nix
+++ b/distro/nix/niri.nix
@@ -2,9 +2,11 @@
  config,
  lib,
  ...
-}: let
+}:
+let
  cfg = config.programs.dank-material-shell;
-in {
+in
+{
  imports = [
    ./dms-rename.nix
  ];
@@ -14,11 +16,9 @@ in {
      enableKeybinds = lib.mkEnableOption "DankMaterialShell niri keybinds";
      enableSpawn = lib.mkEnableOption "DankMaterialShell niri spawn-at-startup";
      includes = {
-        enable =
-          (lib.mkEnableOption "includes for niri-flake")
-          // {
-            default = true;
-          };
+        enable = (lib.mkEnableOption "includes for niri-flake") // {
+          default = true;
+        };
        override = lib.mkOption {
          type = lib.types.bool;
          description = ''
@@ -44,10 +44,8 @@ in {
            "alttab"
            "binds"
            "colors"
-            "cursor"
            "layout"
            "outputs"
-            "windowrules"
            "wpblur"
          ];
          example = [
@@ -72,21 +70,24 @@ in {
      let
        cfg' = cfg.niri.includes;

-        withOriginalConfig = dmsFiles:
-          if cfg'.override
-          then [cfg'.originalFileName] ++ dmsFiles
-          else dmsFiles ++ [cfg'.originalFileName];
+        withOriginalConfig =
+          dmsFiles:
+          if cfg'.override then
+            [ cfg'.originalFileName ] ++ dmsFiles
+          else
+            dmsFiles ++ [ cfg'.originalFileName ];

        fixes = map (fix: "\n${fix}") (
          lib.optional (cfg'.enable && config.programs.niri.settings.layout.border.enable)
-          # kdl
-          ''
-            // Border fix
-            // See https://yalter.github.io/niri/Configuration%3A-Include.html#border-special-case for details
-            layout { border { on; }; }
-          ''
+            # kdl
+            ''
+              // Border fix
+              // See https://yalter.github.io/niri/Configuration%3A-Include.html#border-special-case for details
+              layout { border { on; }; }
+            ''
        );
-      in {
+      in
+      {
        niri-config.target = lib.mkForce "niri/${cfg'.originalFileName}.kdl";
        niri-config-dms = {
          target = "niri/config.kdl";
@@ -103,9 +104,11 @@ in {

    programs.niri.settings = lib.mkMerge [
      (lib.mkIf cfg.niri.enableKeybinds {
-        binds = with config.lib.niri.actions; let
-          dms-ipc = spawn "dms" "ipc";
-        in
+        binds =
+          with config.lib.niri.actions;
+          let
+            dms-ipc = spawn "dms" "ipc";
+          in
          {
            "Mod+Space" = {
              action = dms-ipc "spotlight" "toggle";
--- a/distro/nix/nixos.nix
+++ b/distro/nix/nixos.nix
@@ -48,7 +48,6 @@ in

    services.power-profiles-daemon.enable = lib.mkDefault true;
    services.accounts-daemon.enable = lib.mkDefault true;
-    services.geoclue2.enable = lib.mkDefault true;
    security.polkit.enable = lib.mkDefault true;
  };
 }
--- a/Show More
+++ b/Show More