flake: let module callers supply pkgs so overlays reach the build (#2244)

The nixosModule/homeModule path previously called `buildDmsPkgs pkgs` but
internally referenced `self.packages.${system}.default`, which was
instantiated via `nixpkgs.legacyPackages`, an unoverlayed pkgs. That
meant downstream flakes couldn't reach through their own overlays to
the dms-shell build (e.g. to swap `kdePackages.sonnet` or trim perl
out of the aspell closure).

Extract the derivation as `mkDmsShell = pkgs: ...` at the top-level
`let`, and call it from both `packages.${system}.dms-shell` (for
direct consumers of the flake) and `buildDmsPkgs pkgs` (for module
consumers, which now pass in the system's overlayed pkgs).

Also re-checks overrideAttrs / .override still work: `mkDmsShell pkgs`
is the same `pkgs.lib.makeOverridable` wrapper as before, just
parameterized on the caller's pkgs instance.

Co-authored-by: Lucas <43530291+LuckShiba@users.noreply.github.com>

.github/workflows/run-obs.yml

@@ -9,8 +9,8 @@ on:
         type: choice
         options:
           - dms
-          - dms-greeter
           - dms-git
+          - dms-greeter
           - all
         default: "dms"
       rebuild_release:
@@ -119,8 +119,9 @@ jobs:
               echo "🔄 Manual rebuild requested: $PKG (db$REBUILD)"
 
             elif [[ "$PKG" == "all" ]]; then
-              # Check each stable package and build list of those needing updates
+              # Check each package and build list of those needing updates
               PACKAGES_TO_UPDATE=()
+              check_dms_git && PACKAGES_TO_UPDATE+=("dms-git")
               if check_dms_stable; then
                 PACKAGES_TO_UPDATE+=("dms")
                 if [[ -n "$LATEST_TAG" ]]; then
@@ -139,7 +140,7 @@ jobs:
               else
                 echo "packages=" >> $GITHUB_OUTPUT
                 echo "has_updates=false" >> $GITHUB_OUTPUT
-                echo "✓ Both packages up to date"
+                echo "✓ All packages up to date"
               fi
 
             elif [[ "$PKG" == "dms-git" ]]; then
@@ -244,7 +245,7 @@ jobs:
           fi
 
       - name: Update dms-git spec version
-        if: contains(steps.packages.outputs.packages, 'dms-git')
+        if: contains(steps.packages.outputs.packages, 'dms-git') || steps.packages.outputs.packages == 'all'
         run: |
           COMMIT_HASH=$(git rev-parse --short=8 HEAD)
           COMMIT_COUNT=$(git rev-list --count HEAD)
@@ -265,7 +266,7 @@ jobs:
           } > distro/opensuse/dms-git.spec
 
       - name: Update Debian dms-git changelog version
-        if: contains(steps.packages.outputs.packages, 'dms-git')
+        if: contains(steps.packages.outputs.packages, 'dms-git') || steps.packages.outputs.packages == 'all'
         run: |
           COMMIT_HASH=$(git rev-parse --short=8 HEAD)
           COMMIT_COUNT=$(git rev-list --count HEAD)
@@ -388,7 +389,7 @@ jobs:
           UPLOADED_PACKAGES=()
           SKIPPED_PACKAGES=()
 
-          # PACKAGES can be space-separated list (e.g., "dms dms-greeter" from "all" check)
+          # PACKAGES can be space-separated list (e.g., "dms-git dms" from "all" check)
           # Loop through each package and upload
           for PKG in $PACKAGES; do
             echo ""

.github/workflows/run-ppa.yml

@@ -4,15 +4,9 @@ on:
   workflow_dispatch:
     inputs:
       package:
-        description: "Package to upload"
-        required: true
-        type: choice
-        options:
-          - dms
-          - dms-greeter
-          - dms-git
-          - all
-        default: "dms"
+        description: "Package to upload (dms, dms-git, dms-greeter, or all)"
+        required: false
+        default: "dms-git"
       rebuild_release:
         description: "Release number for rebuilds (e.g., 2, 3, 4 for ppa2, ppa3, ppa4)"
         required: false
@@ -145,7 +139,7 @@ jobs:
             fi
           else
             # Fallback
-            echo "packages=dms" >> $GITHUB_OUTPUT
+            echo "packages=dms-git" >> $GITHUB_OUTPUT
             echo "has_updates=true" >> $GITHUB_OUTPUT
           fi
 
@@ -215,7 +209,7 @@ jobs:
             echo "✓ Using rebuild release number: ppa$REBUILD_RELEASE"
           fi
 
-          # PACKAGES can be space-separated list (e.g., "dms-git dms dms-greeter" from "all" check)
+          # PACKAGES can be space-separated list (e.g., "dms-git dms" from "all" check)
           # Loop through each package and upload
           for PKG in $PACKAGES; do
             # Map package to PPA name

.github/workflows/update-vendor-hash.yml

@@ -40,7 +40,7 @@ jobs:
             echo "Build succeeded, no hash update needed"
             exit 0
           fi
-          new_hash=$(echo "$output" | grep -oP "got:\s+\K\S+" | head -n1)
+          new_hash=$(echo "$output" | grep -oP "got:\s+\K\S+" | head -n1 || true)
           [ -n "$new_hash" ] || { echo "Could not extract new vendorHash"; echo "$output"; exit 1; }
           current_hash=$(grep -oP 'vendorHash = "\K[^"]+' flake.nix)
           [ "$current_hash" = "$new_hash" ] && { echo "vendorHash already up to date"; exit 0; }
@@ -59,8 +59,8 @@ jobs:
             git config user.email "dms-ci[bot]@users.noreply.github.com"
             git add flake.nix
             git commit -m "nix: update vendorHash for go.mod changes" || exit 0
-            git pull --rebase origin master
-            git push https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git HEAD:master
+            git pull --rebase origin ${{ github.ref_name }}
+            git push https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git HEAD:${{ github.ref_name }}
           else
             echo "No changes to flake.nix"
           fi

core/.mockery.yml

@@ -28,12 +28,6 @@ packages:
       outpkg: mocks_brightness
     interfaces:
       DBusConn:
-  github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation:
-    config:
-      dir: "internal/mocks/geolocation"
-      outpkg: mocks_geolocation
-    interfaces:
-      Client:
   github.com/AvengeMedia/DankMaterialShell/core/internal/server/network:
     config:
       dir: "internal/mocks/network"

core/cmd/dms/assets/cli-policy.default.json

@@ -3,7 +3,7 @@
   "blocked_commands": [
     "greeter install",
     "greeter enable",
-    "greeter sync",
+    "greeter uninstall",
     "setup"
   ],
   "message": "This command is disabled on immutable/image-based systems. Use your distro-native workflow for system-level changes."

core/cmd/dms/commands_blur.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/blur"
+	"github.com/spf13/cobra"
+)
+
+var blurCmd = &cobra.Command{
+	Use:   "blur",
+	Short: "Background blur utilities",
+}
+
+var blurCheckCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Check if the compositor supports background blur (ext-background-effect-v1)",
+	Args:  cobra.NoArgs,
+	Run:   runBlurCheck,
+}
+
+func init() {
+	blurCmd.AddCommand(blurCheckCmd)
+}
+
+func runBlurCheck(cmd *cobra.Command, args []string) {
+	supported, err := blur.ProbeSupport()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	switch supported {
+	case true:
+		fmt.Println("supported")
+	default:
+		fmt.Println("unsupported")
+	}
+}

core/cmd/dms/commands_brightness.go

@@ -236,6 +236,7 @@ func runBrightnessSet(cmd *cobra.Command, args []string) {
 			defer ddc.Close()
 			time.Sleep(100 * time.Millisecond)
 			if err := ddc.SetBrightnessWithExponent(deviceID, percent, exponential, exponent, nil); err == nil {
+				ddc.WaitPending()
 				fmt.Printf("Set %s to %d%%\n", deviceID, percent)
 				return
 			}

core/cmd/dms/commands_common.go

@@ -64,9 +64,8 @@ var killCmd = &cobra.Command{
 }
 
 var ipcCmd = &cobra.Command{
-	Use:     "ipc [target] [function] [args...]",
-	Short:   "Send IPC commands to running DMS shell",
-	PreRunE: findConfig,
+	Use:   "ipc [target] [function] [args...]",
+	Short: "Send IPC commands to running DMS shell",
 	ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		_ = findConfig(cmd, args)
 		return getShellIPCCompletions(args, toComplete), cobra.ShellCompDirectiveNoFileComp
@@ -526,5 +525,6 @@ func getCommonCommands() []*cobra.Command {
 		configCmd,
 		dlCmd,
 		randrCmd,
+		blurCmd,
 	}
 }

core/cmd/dms/commands_doctor.go

@@ -11,6 +11,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/blur"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/clipboard"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/config"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
@@ -82,7 +83,7 @@ func (ds *DoctorStatus) OKCount() int {
 }
 
 var (
-	quickshellVersionRegex = regexp.MustCompile(`quickshell (\d+\.\d+\.\d+)`)
+	quickshellVersionRegex = regexp.MustCompile(`(?i)quickshell (\d+\.\d+\.\d+)`)
 	hyprlandVersionRegex   = regexp.MustCompile(`v?(\d+\.\d+\.\d+)`)
 	niriVersionRegex       = regexp.MustCompile(`niri (\d+\.\d+)`)
 	swayVersionRegex       = regexp.MustCompile(`sway version (\d+\.\d+)`)
@@ -90,6 +91,7 @@ var (
 	wayfireVersionRegex    = regexp.MustCompile(`wayfire (\d+\.\d+)`)
 	labwcVersionRegex      = regexp.MustCompile(`labwc (\d+\.\d+\.\d+)`)
 	mangowcVersionRegex    = regexp.MustCompile(`mango (\d+\.\d+\.\d+)`)
+	miracleVersionRegex    = regexp.MustCompile(`miracle-wm v?(\d+\.\d+\.\d+)`)
 )
 
 var doctorCmd = &cobra.Command{
@@ -468,6 +470,7 @@ func checkWindowManagers() []checkResult {
 		{"Wayfire", "wayfire", "--version", wayfireVersionRegex, []string{"wayfire"}},
 		{"labwc", "labwc", "--version", labwcVersionRegex, []string{"labwc"}},
 		{"mangowc", "mango", "-v", mangowcVersionRegex, []string{"mango"}},
+		{"Miracle WM", "miracle-wm", "--version", miracleVersionRegex, []string{"miracle-wm"}},
 	}
 
 	var results []checkResult
@@ -500,7 +503,7 @@ func checkWindowManagers() []checkResult {
 		results = append(results, checkResult{
 			catCompositor, "Compositor", statusError,
 			"No supported Wayland compositor found",
-			"Install Hyprland, niri, Sway, River, or Wayfire",
+			"Install Hyprland, niri, Sway, River, Wayfire, or miracle-wm",
 			doctorDocsURL + "#compositor-checks",
 		})
 	}
@@ -509,9 +512,24 @@ func checkWindowManagers() []checkResult {
 		results = append(results, checkResult{catCompositor, "Active", statusInfo, wm, "", doctorDocsURL + "#compositor"})
 	}
 
+	results = append(results, checkCompositorBlurSupport())
+
 	return results
 }
 
+func checkCompositorBlurSupport() checkResult {
+	supported, err := blur.ProbeSupport()
+	if err != nil {
+		return checkResult{catCompositor, "Background Blur", statusInfo, "Unable to verify", err.Error(), doctorDocsURL + "#compositor-checks"}
+	}
+
+	if supported {
+		return checkResult{catCompositor, "Background Blur", statusOK, "Supported", "Compositor supports ext-background-effect-v1", doctorDocsURL + "#compositor-checks"}
+	}
+
+	return checkResult{catCompositor, "Background Blur", statusWarn, "Unsupported", "Compositor does not support ext-background-effect-v1", doctorDocsURL + "#compositor-checks"}
+}
+
 func getVersionFromCommand(cmd, arg string, regex *regexp.Regexp) string {
 	output, err := exec.Command(cmd, arg).CombinedOutput()
 	if err != nil && len(output) == 0 {
@@ -535,6 +553,8 @@ func detectRunningWM() string {
 		return "Hyprland"
 	case os.Getenv("NIRI_SOCKET") != "":
 		return "niri"
+	case os.Getenv("MIRACLESOCK") != "":
+		return "Miracle WM"
 	case os.Getenv("XDG_CURRENT_DESKTOP") != "":
 		return os.Getenv("XDG_CURRENT_DESKTOP")
 	}
@@ -553,6 +573,7 @@ func checkQuickshellFeatures() ([]checkResult, bool) {
 	qmlContent := `
 import QtQuick
 import Quickshell
+import Quickshell.Wayland
 
 ShellRoot {
 	id: root
@@ -561,6 +582,7 @@ ShellRoot {
 	property bool idleMonitorAvailable: false
 	property bool idleInhibitorAvailable: false
 	property bool shortcutInhibitorAvailable: false
+	property bool backgroundBlurAvailable: false
 
 	Timer {
 		interval: 50
@@ -578,16 +600,18 @@ ShellRoot {
 
 			try {
 				var testItem = Qt.createQmlObject(
-					'import Quickshell.Wayland; import QtQuick; QtObject { ' +
+					'import Quickshell; import Quickshell.Wayland; import QtQuick; QtObject { ' +
 					'readonly property bool hasIdleMonitor: typeof IdleMonitor !== "undefined"; ' +
 					'readonly property bool hasIdleInhibitor: typeof IdleInhibitor !== "undefined"; ' +
-					'readonly property bool hasShortcutInhibitor: typeof ShortcutInhibitor !== "undefined" ' +
+					'readonly property bool hasShortcutInhibitor: typeof ShortcutInhibitor !== "undefined"; ' +
+					'readonly property bool hasBackgroundBlur: typeof BackgroundEffect !== "undefined" ' +
 					'}',
 					root
 				)
 				root.idleMonitorAvailable = testItem.hasIdleMonitor
 				root.idleInhibitorAvailable = testItem.hasIdleInhibitor
 				root.shortcutInhibitorAvailable = testItem.hasShortcutInhibitor
+				root.backgroundBlurAvailable = testItem.hasBackgroundBlur
 				testItem.destroy()
 			} catch (e) {}
 
@@ -596,6 +620,8 @@ ShellRoot {
 			console.warn(root.idleInhibitorAvailable ? "FEATURE:IdleInhibitor:OK" : "FEATURE:IdleInhibitor:UNAVAILABLE")
 			console.warn(root.shortcutInhibitorAvailable ? "FEATURE:ShortcutInhibitor:OK" : "FEATURE:ShortcutInhibitor:UNAVAILABLE")
 
+			console.warn(root.backgroundBlurAvailable ? "FEATURE:BackgroundBlur:OK" : "FEATURE:BackgroundBlur:UNAVAILABLE")
+
 			Quickshell.execDetached(["kill", "-TERM", String(Quickshell.processId)])
 		}
 	}
@@ -616,6 +642,7 @@ ShellRoot {
 		{"IdleMonitor", "Idle detection"},
 		{"IdleInhibitor", "Prevent idle/sleep"},
 		{"ShortcutInhibitor", "Allow shortcut management (niri)"},
+		{"BackgroundBlur", "Background blur API support in Quickshell"},
 	}
 
 	var results []checkResult
@@ -820,10 +847,14 @@ func checkOptionalDependencies() []checkResult {
 	results = append(results, checkImageFormatPlugins()...)
 
 	terminals := []string{"ghostty", "kitty", "alacritty", "foot", "wezterm"}
-	if idx := slices.IndexFunc(terminals, utils.CommandExists); idx >= 0 {
-		results = append(results, checkResult{catOptionalFeatures, "Terminal", statusOK, terminals[idx], "", optionalFeaturesURL})
+	terminals = slices.DeleteFunc(terminals, func(t string) bool {
+		return !utils.CommandExists(t)
+	})
+
+	if len(terminals) > 0 {
+		results = append(results, checkResult{catOptionalFeatures, "Terminal", statusOK, strings.Join(terminals, ", "), "", optionalFeaturesURL})
 	} else {
-		results = append(results, checkResult{catOptionalFeatures, "Terminal", statusWarn, "None found", "Install ghostty, kitty, or alacritty", optionalFeaturesURL})
+		results = append(results, checkResult{catOptionalFeatures, "Terminal", statusWarn, "None found", "Install ghostty, kitty, foot or alacritty", optionalFeaturesURL})
 	}
 
 	networkResult, err := network.DetectNetworkStack()

core/cmd/dms/commands_features.go

@@ -4,6 +4,7 @@ package main
 
 import (
 	"bufio"
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -15,6 +16,7 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/version"
 	"github.com/spf13/cobra"
@@ -109,16 +111,37 @@ func updateArchLinux() error {
 	}
 
 	var packageName string
-	if isArchPackageInstalled("dms-shell-bin") {
-		packageName = "dms-shell-bin"
+	var isAUR bool
+	if isArchPackageInstalled("dms-shell") {
+		packageName = "dms-shell"
 	} else if isArchPackageInstalled("dms-shell-git") {
 		packageName = "dms-shell-git"
+		isAUR = true
+	} else if isArchPackageInstalled("dms-shell-bin") {
+		packageName = "dms-shell-bin"
+		isAUR = true
 	} else {
-		fmt.Println("Info: Neither dms-shell-bin nor dms-shell-git package found.")
+		fmt.Println("Info: No dms-shell package found.")
 		fmt.Println("Info: Falling back to git-based update method...")
 		return updateOtherDistros()
 	}
 
+	if !isAUR {
+		fmt.Printf("This will update %s using pacman.\n", packageName)
+		if !confirmUpdate() {
+			return errdefs.ErrUpdateCancelled
+		}
+
+		fmt.Printf("\nRunning: pacman -S %s\n", packageName)
+		if err := privesc.Run(context.Background(), "", "pacman", "-S", "--noconfirm", packageName); err != nil {
+			fmt.Printf("Error: Failed to update using pacman: %v\n", err)
+			return err
+		}
+
+		fmt.Println("dms successfully updated")
+		return nil
+	}
+
 	var helper string
 	var updateCmd *exec.Cmd
 
@@ -454,11 +477,7 @@ func updateDMSBinary() error {
 
 	fmt.Printf("Installing to %s...\n", currentPath)
 
-	replaceCmd := exec.Command("sudo", "install", "-m", "0755", decompressedPath, currentPath)
-	replaceCmd.Stdin = os.Stdin
-	replaceCmd.Stdout = os.Stdout
-	replaceCmd.Stderr = os.Stderr
-	if err := replaceCmd.Run(); err != nil {
+	if err := privesc.Run(context.Background(), "", "install", "-m", "0755", decompressedPath, currentPath); err != nil {
 		return fmt.Errorf("failed to replace binary: %w", err)
 	}
 

core/cmd/dms/commands_greeter.go

@@ -1,16 +1,20 @@
 package main
 
 import (
+	"bufio"
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
 	"os/user"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/greeter"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/spf13/cobra"
 	"golang.org/x/text/cases"
@@ -27,9 +31,22 @@ var greeterInstallCmd = &cobra.Command{
 	Use:     "install",
 	Short:   "Install and configure DMS greeter",
 	Long:    "Install greetd and configure it to use DMS as the greeter interface",
-	PreRunE: requireMutableSystemCommand,
+	PreRunE: preRunPrivileged,
 	Run: func(cmd *cobra.Command, args []string) {
-		if err := installGreeter(); err != nil {
+		yes, _ := cmd.Flags().GetBool("yes")
+		term, _ := cmd.Flags().GetBool("terminal")
+		if term {
+			installCmd := "dms greeter install"
+			if yes {
+				installCmd += " --yes"
+			}
+			installCmd += "; echo; echo \"Install finished. Closing in 3 seconds...\"; sleep 3"
+			if err := runCommandInTerminal(installCmd); err != nil {
+				log.Fatalf("Error launching install in terminal: %v", err)
+			}
+			return
+		}
+		if err := installGreeter(yes); err != nil {
 			log.Fatalf("Error installing greeter: %v", err)
 		}
 	},
@@ -39,7 +56,7 @@ var greeterSyncCmd = &cobra.Command{
 	Use:     "sync",
 	Short:   "Sync DMS theme and settings with greeter",
 	Long:    "Synchronize your current user's DMS theme, settings, and wallpaper configuration with the login greeter screen",
-	PreRunE: requireMutableSystemCommand,
+	PreRunE: preRunPrivileged,
 	Run: func(cmd *cobra.Command, args []string) {
 		yes, _ := cmd.Flags().GetBool("yes")
 		auth, _ := cmd.Flags().GetBool("auth")
@@ -68,9 +85,22 @@ var greeterEnableCmd = &cobra.Command{
 	Use:     "enable",
 	Short:   "Enable DMS greeter in greetd config",
 	Long:    "Configure greetd to use DMS as the greeter",
-	PreRunE: requireMutableSystemCommand,
+	PreRunE: preRunPrivileged,
 	Run: func(cmd *cobra.Command, args []string) {
-		if err := enableGreeter(); err != nil {
+		yes, _ := cmd.Flags().GetBool("yes")
+		term, _ := cmd.Flags().GetBool("terminal")
+		if term {
+			enableCmd := "dms greeter enable"
+			if yes {
+				enableCmd += " --yes"
+			}
+			enableCmd += "; echo; echo \"Enable finished. Closing in 3 seconds...\"; sleep 3"
+			if err := runCommandInTerminal(enableCmd); err != nil {
+				log.Fatalf("Error launching enable in terminal: %v", err)
+			}
+			return
+		}
+		if err := enableGreeter(yes); err != nil {
 			log.Fatalf("Error enabling greeter: %v", err)
 		}
 	},
@@ -87,18 +117,62 @@ var greeterStatusCmd = &cobra.Command{
 	},
 }
 
-func installGreeter() error {
+var greeterUninstallCmd = &cobra.Command{
+	Use:     "uninstall",
+	Short:   "Remove DMS greeter configuration and restore previous display manager",
+	Long:    "Disable greetd, remove DMS managed configs, and restore the system to its pre-DMS-greeter state",
+	PreRunE: preRunPrivileged,
+	Run: func(cmd *cobra.Command, args []string) {
+		yes, _ := cmd.Flags().GetBool("yes")
+		term, _ := cmd.Flags().GetBool("terminal")
+		if term {
+			uninstallCmd := "dms greeter uninstall"
+			if yes {
+				uninstallCmd += " --yes"
+			}
+			uninstallCmd += "; echo; echo \"Uninstall finished. Closing in 3 seconds...\"; sleep 3"
+			if err := runCommandInTerminal(uninstallCmd); err != nil {
+				log.Fatalf("Error launching uninstall in terminal: %v", err)
+			}
+			return
+		}
+		if err := uninstallGreeter(yes); err != nil {
+			log.Fatalf("Error uninstalling greeter: %v", err)
+		}
+	},
+}
+
+func init() {
+	greeterInstallCmd.Flags().BoolP("yes", "y", false, "Non-interactive: skip confirmation prompt")
+	greeterInstallCmd.Flags().BoolP("terminal", "t", false, "Run in a new terminal (for entering sudo password)")
+	greeterEnableCmd.Flags().BoolP("yes", "y", false, "Non-interactive: skip confirmation prompt")
+	greeterEnableCmd.Flags().BoolP("terminal", "t", false, "Run in a new terminal (for entering sudo password)")
+	greeterUninstallCmd.Flags().BoolP("yes", "y", false, "Non-interactive: skip confirmation prompt")
+	greeterUninstallCmd.Flags().BoolP("terminal", "t", false, "Run in a new terminal (for entering sudo password)")
+}
+
+func installGreeter(nonInteractive bool) error {
 	fmt.Println("=== DMS Greeter Installation ===")
 
 	logFunc := func(msg string) {
 		fmt.Println(msg)
 	}
 
+	if !nonInteractive {
+		fmt.Print("\nThis will install greetd (if needed), configure the DMS greeter, and enable it. Continue? [Y/n]: ")
+		var response string
+		fmt.Scanln(&response)
+		if strings.ToLower(strings.TrimSpace(response)) == "n" || strings.ToLower(strings.TrimSpace(response)) == "no" {
+			fmt.Println("Aborted.")
+			return nil
+		}
+		fmt.Println()
+	}
+
 	if err := greeter.EnsureGreetdInstalled(logFunc, ""); err != nil {
 		return err
 	}
 
-	// Debian/openSUSE
 	greeter.TryInstallGreeterPackage(logFunc, "")
 	if isPackageOnlyGreeterDistro() && !greeter.IsGreeterPackaged() {
 		return fmt.Errorf("dms-greeter must be installed from distro packages on this distribution. %s", packageInstallHint())
@@ -107,7 +181,6 @@ func installGreeter() error {
 		return fmt.Errorf("legacy manual wrapper detected at /usr/local/bin/dms-greeter; remove it before using packaged dms-greeter: sudo rm -f /usr/local/bin/dms-greeter")
 	}
 
-	// If already fully configured, prompt the user
 	if isGreeterEnabled() {
 		fmt.Print("\nGreeter is already installed and configured. Re-run to re-sync settings and permissions? [Y/n]: ")
 		var response string
@@ -156,8 +229,14 @@ func installGreeter() error {
 		return err
 	}
 
+	if greeter.IsAppArmorEnabled() {
+		fmt.Println("\nConfiguring AppArmor profile...")
+		if err := greeter.InstallAppArmorProfile(logFunc, ""); err != nil {
+			logFunc(fmt.Sprintf("⚠ AppArmor profile setup failed: %v", err))
+		}
+	}
+
 	fmt.Println("\nConfiguring greetd...")
-	// Use empty path when packaged (greeter finds /usr/share/quickshell/dms-greeter); else use user's DMS path
 	greeterPathForConfig := ""
 	if !greeter.IsGreeterPackaged() {
 		greeterPathForConfig = dmsPath
@@ -191,22 +270,202 @@ func installGreeter() error {
 	return nil
 }
 
-func syncInTerminal(nonInteractive bool, forceAuth bool, local bool) error {
-	syncFlags := make([]string, 0, 3)
-	if nonInteractive {
-		syncFlags = append(syncFlags, "--yes")
+func uninstallGreeter(nonInteractive bool) error {
+	fmt.Println("=== DMS Greeter Uninstall ===")
+
+	logFunc := func(msg string) { fmt.Println(msg) }
+
+	if !isGreeterEnabled() {
+		fmt.Println("ℹ DMS greeter is not currently configured in /etc/greetd/config.toml.")
+		fmt.Println("  Nothing to undo for greetd configuration.")
 	}
-	if forceAuth {
-		syncFlags = append(syncFlags, "--auth")
+
+	if !nonInteractive {
+		fmt.Print("\nThis will:\n  • Stop and disable greetd\n  • Remove the DMS PAM managed block\n  • Remove the DMS AppArmor profile\n  • Restore the most recent pre-DMS greetd config (if available)\n\nContinue? [y/N]: ")
+		var response string
+		fmt.Scanln(&response)
+		if strings.ToLower(strings.TrimSpace(response)) != "y" {
+			fmt.Println("Aborted.")
+			return nil
+		}
 	}
-	if local {
-		syncFlags = append(syncFlags, "--local")
+
+	fmt.Println("\nDisabling greetd...")
+	if err := privesc.Run(context.Background(), "", "systemctl", "disable", "greetd"); err != nil {
+		fmt.Printf("  ⚠ Could not disable greetd: %v\n", err)
+	} else {
+		fmt.Println("  ✓ greetd disabled")
 	}
-	shellSyncCmd := "dms greeter sync"
-	if len(syncFlags) > 0 {
-		shellSyncCmd += " " + strings.Join(syncFlags, " ")
+
+	fmt.Println("\nRemoving DMS PAM configuration...")
+	if err := greeter.RemoveGreeterPamManagedBlock(logFunc, ""); err != nil {
+		fmt.Printf("  ⚠ PAM cleanup failed: %v\n", err)
 	}
-	shellCmd := shellSyncCmd + `; echo; echo "Sync finished. Closing in 3 seconds..."; sleep 3`
+
+	fmt.Println("\nRemoving DMS AppArmor profile...")
+	if err := greeter.UninstallAppArmorProfile(logFunc, ""); err != nil {
+		fmt.Printf("  ⚠ AppArmor cleanup failed: %v\n", err)
+	}
+
+	fmt.Println("\nRestoring greetd configuration...")
+	if err := restorePreDMSGreetdConfig(""); err != nil {
+		fmt.Printf("  ⚠ Could not restore previous greetd config: %v\n", err)
+		fmt.Println("  You may need to manually edit /etc/greetd/config.toml.")
+	}
+
+	fmt.Println("\nChecking for other display managers to re-enable...")
+	suggestDisplayManagerRestore(nonInteractive)
+
+	fmt.Println("\n=== Uninstall Complete ===")
+	fmt.Println("\nReboot to complete the uninstallation and switch to your previous display manager.")
+	fmt.Println("To re-enable DMS greeter at any time, run: dms greeter enable")
+
+	return nil
+}
+
+func restorePreDMSGreetdConfig(sudoPassword string) error {
+	const configPath = "/etc/greetd/config.toml"
+	const backupGlob = "/etc/greetd/config.toml.backup-*"
+
+	matches, _ := filepath.Glob(backupGlob)
+
+	for i := 0; i < len(matches)-1; i++ {
+		for j := i + 1; j < len(matches); j++ {
+			if matches[j] > matches[i] {
+				matches[i], matches[j] = matches[j], matches[i]
+			}
+		}
+	}
+
+	for _, candidate := range matches {
+		data, err := os.ReadFile(candidate)
+		if err != nil {
+			continue
+		}
+		if strings.Contains(string(data), "dms-greeter") {
+			continue
+		}
+		tmp, err := os.CreateTemp("", "greetd-restore-*")
+		if err != nil {
+			return fmt.Errorf("could not create temp file: %w", err)
+		}
+		tmpPath := tmp.Name()
+		defer os.Remove(tmpPath)
+		if _, err := tmp.Write(data); err != nil {
+			tmp.Close()
+			return err
+		}
+		tmp.Close()
+
+		if err := privesc.Run(context.Background(), sudoPassword, "cp", tmpPath, configPath); err != nil {
+			return fmt.Errorf("failed to restore %s: %w", candidate, err)
+		}
+		if err := privesc.Run(context.Background(), sudoPassword, "chmod", "644", configPath); err != nil {
+			return err
+		}
+		fmt.Printf("  ✓ Restored greetd config from %s\n", candidate)
+		return nil
+	}
+
+	minimal := `[terminal]
+vt = 1
+
+# DMS greeter has been uninstalled.
+# Configure a greeter command here or re-enable a display manager.
+[default_session]
+user = "greeter"
+command = "agreety --cmd /bin/bash"
+`
+	tmp, err := os.CreateTemp("", "greetd-minimal-*")
+	if err != nil {
+		return fmt.Errorf("could not create temp file: %w", err)
+	}
+	tmpPath := tmp.Name()
+	defer os.Remove(tmpPath)
+	if _, err := tmp.WriteString(minimal); err != nil {
+		tmp.Close()
+		return err
+	}
+	tmp.Close()
+
+	if err := privesc.Run(context.Background(), sudoPassword, "cp", tmpPath, configPath); err != nil {
+		return fmt.Errorf("failed to write fallback greetd config: %w", err)
+	}
+	_ = privesc.Run(context.Background(), sudoPassword, "chmod", "644", configPath)
+	fmt.Println("  ✓ Wrote minimal fallback greetd config (configure a greeter command manually if needed)")
+	return nil
+}
+
+// suggestDisplayManagerRestore scans for installed DMs and re-enables one
+func suggestDisplayManagerRestore(nonInteractive bool) {
+	knownDMs := []string{"gdm", "gdm3", "lightdm", "sddm", "lxdm", "xdm", "cosmic-greeter"}
+	var found []string
+	for _, dm := range knownDMs {
+		if utils.CommandExists(dm) || isSystemdUnitInstalled(dm) {
+			found = append(found, dm)
+		}
+	}
+	if len(found) == 0 {
+		fmt.Println("  ℹ No other display managers detected.")
+		fmt.Println("  You can install one (e.g. gdm, lightdm, sddm) and then run:")
+		fmt.Println("    sudo systemctl enable --now <dm-name>")
+		return
+	}
+
+	enableDM := func(dm string) {
+		fmt.Printf("  Enabling %s...\n", dm)
+		if err := privesc.Run(context.Background(), "", "systemctl", "enable", "--force", dm); err != nil {
+			fmt.Printf("  ⚠ Failed to enable %s: %v\n", dm, err)
+		} else {
+			fmt.Printf("  ✓ %s enabled (will take effect on next boot).\n", dm)
+		}
+	}
+
+	if len(found) == 1 || nonInteractive {
+		chosen := found[0]
+		if len(found) > 1 {
+			fmt.Printf("  ℹ Multiple display managers found (%s); enabling %s automatically.\n",
+				strings.Join(found, ", "), chosen)
+		} else {
+			fmt.Printf("  ℹ Found display manager: %s\n", chosen)
+		}
+		enableDM(chosen)
+		return
+	}
+
+	fmt.Println("  ℹ Found the following display managers:")
+	for i, dm := range found {
+		fmt.Printf("    %d) %s\n", i+1, dm)
+	}
+	fmt.Print("  Choose a number to re-enable (or press Enter to skip): ")
+
+	scanner := bufio.NewScanner(os.Stdin)
+	if !scanner.Scan() {
+		return
+	}
+	input := strings.TrimSpace(scanner.Text())
+	if input == "" {
+		fmt.Println("  Skipped. You can re-enable a display manager later with:")
+		fmt.Println("    sudo systemctl enable --now <dm-name>")
+		return
+	}
+
+	n, err := strconv.Atoi(input)
+	if err != nil || n < 1 || n > len(found) {
+		fmt.Printf("  Invalid selection %q — skipping.\n", input)
+		return
+	}
+
+	enableDM(found[n-1])
+}
+
+func isSystemdUnitInstalled(unit string) bool {
+	cmd := exec.Command("systemctl", "list-unit-files", unit+".service", "--no-legend", "--no-pager")
+	out, err := cmd.Output()
+	return err == nil && strings.Contains(string(out), unit)
+}
+
+func runCommandInTerminal(shellCmd string) error {
 	terminals := []struct {
 		name string
 		args []string
@@ -227,15 +486,43 @@ func syncInTerminal(nonInteractive bool, forceAuth bool, local bool) error {
 		cmd := exec.Command(t.name, t.args...)
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
-		if err := cmd.Start(); err != nil {
-			continue
+		if err := cmd.Run(); err != nil {
+			return err
 		}
-		_ = cmd.Process.Release()
 		return nil
 	}
 	return fmt.Errorf("no terminal emulator found (tried: gnome-terminal, konsole, xfce4-terminal, ghostty, wezterm, alacritty, kitty, xterm)")
 }
 
+func syncInTerminal(nonInteractive bool, forceAuth bool, local bool) error {
+	syncFlags := make([]string, 0, 3)
+	if nonInteractive {
+		syncFlags = append(syncFlags, "--yes")
+	}
+	if forceAuth {
+		syncFlags = append(syncFlags, "--auth")
+	}
+	if local {
+		syncFlags = append(syncFlags, "--local")
+	}
+	shellSyncCmd := "dms greeter sync"
+	if len(syncFlags) > 0 {
+		shellSyncCmd += " " + strings.Join(syncFlags, " ")
+	}
+	shellCmd := shellSyncCmd + `; echo; echo "Sync finished. Closing in 3 seconds..."; sleep 3`
+	return runCommandInTerminal(shellCmd)
+}
+
+func resolveLocalWrapperShell() (string, error) {
+	for _, shellName := range []string{"bash", "sh"} {
+		shellPath, err := exec.LookPath(shellName)
+		if err == nil {
+			return shellPath, nil
+		}
+	}
+	return "", fmt.Errorf("could not find bash or sh in PATH for local greeter wrapper")
+}
+
 func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 	if !nonInteractive {
 		fmt.Println("=== DMS Greeter Theme Sync ===")
@@ -281,7 +568,7 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 		response = strings.ToLower(strings.TrimSpace(response))
 
 		if response != "n" && response != "no" {
-			if err := enableGreeter(); err != nil {
+			if err := enableGreeter(false); err != nil {
 				return err
 			}
 		} else {
@@ -289,12 +576,13 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 		}
 	}
 
+	if greeter.IsGreeterPackaged() && greeter.HasLegacyLocalGreeterWrapper() {
+		return fmt.Errorf("legacy manual wrapper detected at /usr/local/bin/dms-greeter; remove it before using packaged dms-greeter: sudo rm -f /usr/local/bin/dms-greeter")
+	}
+
 	cacheDir := greeter.GreeterCacheDir
 	if _, err := os.Stat(cacheDir); os.IsNotExist(err) {
 		logFunc("Cache directory not found — attempting to create it...")
-		if createErr := greeter.EnsureGreeterCacheDir(logFunc, ""); createErr != nil {
-			return fmt.Errorf("greeter cache directory not found at %s and could not be created: %w\nRun: sudo mkdir -p %s && sudo chown greeter:greeter %s", cacheDir, createErr, cacheDir, cacheDir)
-		}
 	}
 
 	greeterGroup := greeter.DetectGreeterGroup()
@@ -314,27 +602,25 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 		inGreeterGroup := strings.Contains(string(groupsOutput), greeterGroup)
 		if !inGreeterGroup {
 			if nonInteractive {
-				return fmt.Errorf("user must be in the %s group; run 'dms greeter sync' from a terminal to add", greeterGroup)
-			}
-			fmt.Printf("\n⚠ Warning: You are not in the %s group.\n", greeterGroup)
-			fmt.Printf("Would you like to add your user to the %s group? (Y/n): ", greeterGroup)
-
-			var response string
-			fmt.Scanln(&response)
-			response = strings.ToLower(strings.TrimSpace(response))
-
-			if response != "n" && response != "no" {
-				fmt.Printf("\nAdding user to %s group...\n", greeterGroup)
-				addUserCmd := exec.Command("sudo", "usermod", "-aG", greeterGroup, currentUser.Username)
-				addUserCmd.Stdout = os.Stdout
-				addUserCmd.Stderr = os.Stderr
-				if err := addUserCmd.Run(); err != nil {
-					return fmt.Errorf("failed to add user to %s group: %w", greeterGroup, err)
-				}
-				fmt.Printf("✓ User added to %s group\n", greeterGroup)
-				fmt.Println("⚠ You will need to log out and back in for the group change to take effect")
+				logFunc(fmt.Sprintf("⚠ Not yet in %s group — will be added during sync (logout/login required to take effect).", greeterGroup))
 			} else {
-				return fmt.Errorf("aborted: user must be in the greeter group before syncing")
+				fmt.Printf("\n⚠ Warning: You are not in the %s group.\n", greeterGroup)
+				fmt.Printf("Would you like to add your user to the %s group? (Y/n): ", greeterGroup)
+
+				var response string
+				fmt.Scanln(&response)
+				response = strings.ToLower(strings.TrimSpace(response))
+
+				if response != "n" && response != "no" {
+					fmt.Printf("\nAdding user to %s group...\n", greeterGroup)
+					if err := privesc.Run(context.Background(), "", "usermod", "-aG", greeterGroup, currentUser.Username); err != nil {
+						return fmt.Errorf("failed to add user to %s group: %w", greeterGroup, err)
+					}
+					fmt.Printf("✓ User added to %s group\n", greeterGroup)
+					fmt.Println("⚠ You will need to log out and back in for the group change to take effect")
+				} else {
+					return fmt.Errorf("aborted: user must be in the greeter group before syncing")
+				}
 			}
 		}
 	}
@@ -370,8 +656,12 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 		localWrapperScript := filepath.Join(dmsPath, "Modules", "Greetd", "assets", "dms-greeter")
 		restoreWrapperOverride := func() {}
 		if info, statErr := os.Stat(localWrapperScript); statErr == nil && !info.IsDir() {
+			wrapperShell, shellErr := resolveLocalWrapperShell()
+			if shellErr != nil {
+				return shellErr
+			}
 			previousWrapperOverride, hadWrapperOverride := os.LookupEnv("DMS_GREETER_WRAPPER_CMD")
-			wrapperCmdOverride := "/usr/bin/bash " + localWrapperScript
+			wrapperCmdOverride := wrapperShell + " " + localWrapperScript
 			_ = os.Setenv("DMS_GREETER_WRAPPER_CMD", wrapperCmdOverride)
 			restoreWrapperOverride = func() {
 				if hadWrapperOverride {
@@ -408,15 +698,27 @@ func syncGreeter(nonInteractive bool, forceAuth bool, local bool) error {
 	}
 
 	fmt.Println("\nSetting up permissions and ACLs...")
+	greeter.RemediateStaleACLs(logFunc, "")
+	greeter.RemediateStaleAppArmor(logFunc, "")
 	if err := greeter.SetupDMSGroup(logFunc, ""); err != nil {
 		return err
 	}
+	if err := greeter.EnsureGreeterCacheDir(logFunc, ""); err != nil {
+		return fmt.Errorf("failed to ensure greeter cache directory at %s: %w\nRun: sudo mkdir -p %s && sudo chown root:%s %s && sudo chmod 2770 %s", cacheDir, err, cacheDir, greeterGroup, cacheDir, cacheDir)
+	}
 
 	fmt.Println("\nSynchronizing DMS configurations...")
 	if err := greeter.SyncDMSConfigs(dmsPath, compositor, logFunc, "", forceAuth); err != nil {
 		return err
 	}
 
+	if greeter.IsAppArmorEnabled() {
+		fmt.Println("\nConfiguring AppArmor profile...")
+		if err := greeter.InstallAppArmorProfile(logFunc, ""); err != nil {
+			logFunc(fmt.Sprintf("⚠ AppArmor profile setup failed: %v", err))
+		}
+	}
+
 	fmt.Println("\n=== Sync Complete ===")
 	fmt.Println("\nYour theme, settings, and wallpaper configuration have been synced with the greeter.")
 	if forceAuth {
@@ -531,22 +833,19 @@ func disableDisplayManager(dmName string) (bool, error) {
 	actionTaken := false
 
 	if state.NeedsDisable {
-		var disableCmd *exec.Cmd
-		var actionVerb string
-
-		if state.EnabledState == "static" {
+		var action, actionVerb string
+		switch state.EnabledState {
+		case "static":
 			fmt.Printf("  Masking %s (static service cannot be disabled)...\n", dmName)
-			disableCmd = exec.Command("sudo", "systemctl", "mask", dmName)
+			action = "mask"
 			actionVerb = "masked"
-		} else {
+		default:
 			fmt.Printf("  Disabling %s...\n", dmName)
-			disableCmd = exec.Command("sudo", "systemctl", "disable", dmName)
+			action = "disable"
 			actionVerb = "disabled"
 		}
 
-		disableCmd.Stdout = os.Stdout
-		disableCmd.Stderr = os.Stderr
-		if err := disableCmd.Run(); err != nil {
+		if err := privesc.Run(context.Background(), "", "systemctl", action, dmName); err != nil {
 			return actionTaken, fmt.Errorf("failed to disable/mask %s: %w", dmName, err)
 		}
 
@@ -587,10 +886,7 @@ func ensureGreetdEnabled() error {
 
 	if state.EnabledState == "masked" || state.EnabledState == "masked-runtime" {
 		fmt.Println("  Unmasking greetd...")
-		unmaskCmd := exec.Command("sudo", "systemctl", "unmask", "greetd")
-		unmaskCmd.Stdout = os.Stdout
-		unmaskCmd.Stderr = os.Stderr
-		if err := unmaskCmd.Run(); err != nil {
+		if err := privesc.Run(context.Background(), "", "systemctl", "unmask", "greetd"); err != nil {
 			return fmt.Errorf("failed to unmask greetd: %w", err)
 		}
 		fmt.Println("  ✓ Unmasked greetd")
@@ -602,10 +898,7 @@ func ensureGreetdEnabled() error {
 		fmt.Println("  Enabling greetd service...")
 	}
 
-	enableCmd := exec.Command("sudo", "systemctl", "enable", "--force", "greetd")
-	enableCmd.Stdout = os.Stdout
-	enableCmd.Stderr = os.Stderr
-	if err := enableCmd.Run(); err != nil {
+	if err := privesc.Run(context.Background(), "", "systemctl", "enable", "--force", "greetd"); err != nil {
 		return fmt.Errorf("failed to enable greetd: %w", err)
 	}
 
@@ -635,10 +928,7 @@ func ensureGraphicalTarget() error {
 	currentTargetStr := strings.TrimSpace(string(currentTarget))
 	if currentTargetStr != "graphical.target" {
 		fmt.Printf("\nSetting graphical.target as default (current: %s)...\n", currentTargetStr)
-		setDefaultCmd := exec.Command("sudo", "systemctl", "set-default", "graphical.target")
-		setDefaultCmd.Stdout = os.Stdout
-		setDefaultCmd.Stderr = os.Stderr
-		if err := setDefaultCmd.Run(); err != nil {
+		if err := privesc.Run(context.Background(), "", "systemctl", "set-default", "graphical.target"); err != nil {
 			fmt.Println("⚠ Warning: Failed to set graphical.target as default")
 			fmt.Println("  Greeter may not start on boot. Run manually:")
 			fmt.Println("  sudo systemctl set-default graphical.target")
@@ -709,7 +999,7 @@ func handleConflictingDisplayManagers() error {
 	return nil
 }
 
-func enableGreeter() error {
+func enableGreeter(nonInteractive bool) error {
 	fmt.Println("=== DMS Greeter Enable ===")
 	fmt.Println()
 
@@ -730,6 +1020,7 @@ func enableGreeter() error {
 	logFunc := func(msg string) {
 		fmt.Println(msg)
 	}
+	greeterGroup := greeter.DetectGreeterGroup()
 
 	if configAlreadyCorrect {
 		fmt.Println("✓ Greeter is already configured with dms-greeter")
@@ -737,8 +1028,12 @@ func enableGreeter() error {
 			fmt.Printf("✓ Configured compositor: %s\n", configuredCompositor)
 		}
 
+		fmt.Println("\nSetting up dms-greeter group and permissions...")
+		if err := greeter.SetupDMSGroup(logFunc, ""); err != nil {
+			return err
+		}
 		if err := greeter.EnsureGreeterCacheDir(logFunc, ""); err != nil {
-			fmt.Printf("⚠ Could not create cache directory: %v\n  Run: sudo mkdir -p %s && sudo chown greeter:greeter %s\n", err, greeter.GreeterCacheDir, greeter.GreeterCacheDir)
+			fmt.Printf("⚠ Could not ensure cache directory: %v\n  Run: sudo mkdir -p %s && sudo chown root:%s %s && sudo chmod 2770 %s\n", err, greeter.GreeterCacheDir, greeterGroup, greeter.GreeterCacheDir, greeter.GreeterCacheDir)
 		}
 
 		if err := ensureGraphicalTarget(); err != nil {
@@ -762,6 +1057,17 @@ func enableGreeter() error {
 		return nil
 	}
 
+	if !nonInteractive {
+		fmt.Print("\nThis will configure greetd to use the DMS greeter and may disable other display managers. Continue? [Y/n]: ")
+		var response string
+		fmt.Scanln(&response)
+		if strings.ToLower(strings.TrimSpace(response)) == "n" || strings.ToLower(strings.TrimSpace(response)) == "no" {
+			fmt.Println("Aborted.")
+			return nil
+		}
+		fmt.Println()
+	}
+
 	fmt.Println("Detecting installed compositors...")
 	compositors := greeter.DetectCompositors()
 
@@ -798,8 +1104,18 @@ func enableGreeter() error {
 		return fmt.Errorf("failed to configure greetd: %w", err)
 	}
 
+	fmt.Println("\nSetting up dms-greeter group and permissions...")
+	if err := greeter.SetupDMSGroup(logFunc, ""); err != nil {
+		return err
+	}
 	if err := greeter.EnsureGreeterCacheDir(logFunc, ""); err != nil {
-		fmt.Printf("⚠ Could not create cache directory: %v\n  Run: sudo mkdir -p %s && sudo chown greeter:greeter %s\n", err, greeter.GreeterCacheDir, greeter.GreeterCacheDir)
+		fmt.Printf("⚠ Could not ensure cache directory: %v\n  Run: sudo mkdir -p %s && sudo chown root:%s %s && sudo chmod 2770 %s\n", err, greeter.GreeterCacheDir, greeterGroup, greeter.GreeterCacheDir, greeter.GreeterCacheDir)
+	}
+
+	if greeter.IsAppArmorEnabled() {
+		if err := greeter.InstallAppArmorProfile(logFunc, ""); err != nil {
+			logFunc(fmt.Sprintf("⚠ AppArmor profile setup failed: %v", err))
+		}
 	}
 
 	if err := ensureGraphicalTarget(); err != nil {
@@ -921,7 +1237,17 @@ func extractGreeterWrapperFromCommand(command string) string {
 	if len(tokens) == 0 {
 		return ""
 	}
-	return strings.Trim(tokens[0], "\"")
+	wrapper := strings.Trim(tokens[0], "\"")
+	if wrapper == "" {
+		return ""
+	}
+	if len(tokens) > 1 {
+		next := strings.Trim(tokens[1], "\"")
+		if next != "" && (filepath.Base(wrapper) == "bash" || filepath.Base(wrapper) == "sh") && strings.Contains(filepath.Base(next), "dms-greeter") {
+			return fmt.Sprintf("%s (script: %s)", wrapper, next)
+		}
+	}
+	return wrapper
 }
 
 func extractGreeterPathOverrideFromCommand(command string) string {
@@ -1007,6 +1333,26 @@ func packageInstallHint() string {
 	}
 }
 
+func systemPamManagerRemediationHint() string {
+	osInfo, err := distros.GetOSInfo()
+	if err != nil {
+		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+	config, exists := distros.Registry[osInfo.Distribution.ID]
+	if !exists {
+		return "Disable it in your PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+
+	switch config.Family {
+	case distros.FamilyFedora:
+		return "Disable it in authselect to force password-only greeter login."
+	case distros.FamilyDebian, distros.FamilyUbuntu:
+		return "Disable it in pam-auth-update to force password-only greeter login."
+	default:
+		return "Disable it in your distro PAM manager (authselect/pam-auth-update) or in the included PAM stack to force password-only greeter login."
+	}
+}
+
 func isPackageOnlyGreeterDistro() bool {
 	osInfo, err := distros.GetOSInfo()
 	if err != nil {
@@ -1086,7 +1432,7 @@ func checkGreeterStatus() error {
 			}
 		} else {
 			fmt.Println("  ✗ Greeter is NOT enabled")
-			fmt.Println("    Run 'dms greeter enable' to enable it")
+			fmt.Println("    Run 'dms greeter enable' to enable it, or use the Activate button in Settings → Greeter, then Sync.")
 			allGood = false
 		}
 	} else {
@@ -1119,6 +1465,19 @@ func checkGreeterStatus() error {
 	}
 	if stat, err := os.Stat(cacheDir); err == nil && stat.IsDir() {
 		fmt.Printf("  ✓ %s exists\n", cacheDir)
+		requiredSubdirs := []string{".local/state", ".local/share", ".cache"}
+		missingSubdirs := false
+		for _, sub := range requiredSubdirs {
+			subPath := filepath.Join(cacheDir, sub)
+			if _, err := os.Stat(subPath); os.IsNotExist(err) {
+				fmt.Printf("  ⚠ Missing required subdir: %s\n", subPath)
+				missingSubdirs = true
+			}
+		}
+		if missingSubdirs {
+			fmt.Println("    Run 'dms greeter sync' to initialize the cache directory structure.")
+			allGood = false
+		}
 	} else {
 		fmt.Printf("  ✗ %s not found\n", cacheDir)
 		fmt.Printf("    %s\n", packageInstallHint())
@@ -1126,6 +1485,20 @@ func checkGreeterStatus() error {
 	}
 
 	fmt.Println("\nConfiguration Symlinks:")
+	colorSyncInfo, colorSyncErr := greeter.ResolveGreeterColorSyncInfo(homeDir)
+	if colorSyncErr != nil {
+		fmt.Printf("  ✗ Failed to resolve expected greeter color source: %v\n", colorSyncErr)
+		allGood = false
+		colorSyncInfo = greeter.GreeterColorSyncInfo{
+			SourcePath: filepath.Join(homeDir, ".cache", "DankMaterialShell", "dms-colors.json"),
+		}
+	}
+
+	colorThemeDesc := "Color theme"
+	if colorSyncInfo.UsesDynamicWallpaperOverride {
+		colorThemeDesc = "Color theme (greeter wallpaper override)"
+	}
+
 	symlinks := []struct {
 		source string
 		target string
@@ -1142,9 +1515,9 @@ func checkGreeterStatus() error {
 			desc:   "Session state",
 		},
 		{
-			source: filepath.Join(homeDir, ".cache", "DankMaterialShell", "dms-colors.json"),
+			source: colorSyncInfo.SourcePath,
 			target: filepath.Join(cacheDir, "colors.json"),
-			desc:   "Color theme",
+			desc:   colorThemeDesc,
 		},
 	}
 
@@ -1186,6 +1559,10 @@ func checkGreeterStatus() error {
 		fmt.Printf("  ✓ %s: synced correctly\n", link.desc)
 	}
 
+	if colorSyncInfo.UsesDynamicWallpaperOverride {
+		fmt.Printf("  ℹ Dynamic theme uses greeter override colors from %s\n", colorSyncInfo.SourcePath)
+	}
+
 	fmt.Println("\nGreeter Wallpaper Override:")
 	overridePath := filepath.Join(cacheDir, "greeter_wallpaper_override.jpg")
 	if stat, err := os.Stat(overridePath); err == nil && !stat.IsDir() {
@@ -1234,22 +1611,100 @@ func checkGreeterStatus() error {
 				fmt.Println("    - security key (U2F): disabled")
 			}
 		} else {
-			fmt.Println("  ℹ No managed auth block present (fingerprint/U2F disabled for greeter)")
+			fmt.Println("  ℹ No managed auth block present (DMS-managed fingerprint/U2F lines are disabled)")
 		}
 		if legacyManaged {
 			fmt.Println("  ⚠ Legacy unmanaged DMS PAM lines detected. Run 'dms greeter sync' to normalize.")
 			allGood = false
 		}
+		enableFprintToggle, enableU2fToggle := false, false
+		if enableFprint, enableU2f, settingsErr := greeter.ReadGreeterAuthToggles(homeDir); settingsErr == nil {
+			enableFprintToggle = enableFprint
+			enableU2fToggle = enableU2f
+		} else {
+			fmt.Printf("  ℹ Could not read greeter auth toggles from settings: %v\n", settingsErr)
+		}
+
 		includedFprintFile := greeter.DetectIncludedPamModule(string(pamData), "pam_fprintd.so")
-		if managedFprint {
-			if includedFprintFile != "" {
-				fmt.Printf("  ⚠ pam_fprintd found in both DMS managed block and %s.\n", includedFprintFile)
-				fmt.Println("    Double fingerprint auth detected — run 'dms greeter sync' to resolve.")
-				allGood = false
+		includedU2fFile := greeter.DetectIncludedPamModule(string(pamData), "pam_u2f.so")
+		fprintAvailableForCurrentUser := greeter.FingerprintAuthAvailableForCurrentUser()
+
+		if managedFprint && includedFprintFile != "" {
+			fmt.Printf("  ⚠ pam_fprintd found in both DMS managed block and %s.\n", includedFprintFile)
+			fmt.Println("    Double fingerprint auth detected — run 'dms greeter sync' to resolve.")
+			allGood = false
+		}
+		if managedU2f && includedU2fFile != "" {
+			fmt.Printf("  ⚠ pam_u2f found in both DMS managed block and %s.\n", includedU2fFile)
+			fmt.Println("    Double security-key auth detected — run 'dms greeter sync' to resolve.")
+			allGood = false
+		}
+
+		if includedFprintFile != "" && !managedFprint {
+			if enableFprintToggle {
+				fmt.Printf("  ℹ Fingerprint auth is enabled via included %s.\n", includedFprintFile)
+				if fprintAvailableForCurrentUser {
+					fmt.Println("    DMS toggle is enabled, and effective auth is coming from the included PAM stack.")
+				} else {
+					fmt.Println("    No enrolled fingerprints detected for the current user; password auth remains the effective path.")
+				}
+			} else {
+				if fprintAvailableForCurrentUser {
+					fmt.Printf("  ℹ Fingerprint auth is active via included %s while DMS fingerprint toggle is off.\n", includedFprintFile)
+					fmt.Println("    Password login will work but may be delayed while the fingerprint module runs first.")
+					fmt.Printf("    To eliminate the delay, %s\n", systemPamManagerRemediationHint())
+				} else {
+					fmt.Printf("  ℹ pam_fprintd is present via included %s, but no enrolled fingerprints were detected for user %s.\n", includedFprintFile, currentUser.Username)
+					fmt.Println("    Password auth remains the effective login path.")
+				}
 			}
-		} else if includedFprintFile != "" {
-			fmt.Printf("  ℹ Fingerprint auth is enabled via included %s.\n", includedFprintFile)
-			fmt.Println("    The DMS toggle only controls the managed block; disable fingerprint in authselect/pam-auth-update for password-only greeter login.")
+		}
+		if includedU2fFile != "" && !managedU2f {
+			if enableU2fToggle {
+				fmt.Printf("  ℹ Security-key auth is enabled via included %s.\n", includedU2fFile)
+				fmt.Println("    DMS toggle is enabled, but effective auth is coming from the included PAM stack.")
+			} else {
+				fmt.Printf("  ⚠ Security-key auth is active via included %s while DMS security-key toggle is off.\n", includedU2fFile)
+				fmt.Printf("    %s\n", systemPamManagerRemediationHint())
+			}
+		}
+	}
+
+	fmt.Println("\nSecurity (AppArmor):")
+	if !greeter.IsAppArmorEnabled() {
+		fmt.Println("  ℹ AppArmor not enabled")
+	} else {
+		fmt.Println("  ℹ AppArmor is enabled")
+
+		const appArmorProfilePath = "/etc/apparmor.d/usr.bin.dms-greeter"
+		if _, err := os.Stat(appArmorProfilePath); os.IsNotExist(err) {
+			fmt.Println("  ⚠ DMS AppArmor profile not installed")
+			fmt.Println("    Run 'dms greeter sync' to install it and prevent potential TTY fallback")
+			allGood = false
+		} else {
+			mode := appArmorProfileMode("dms-greeter")
+			if mode != "" {
+				fmt.Printf("  ✓ DMS AppArmor profile installed (%s mode)\n", mode)
+			} else {
+				fmt.Println("  ✓ DMS AppArmor profile installed")
+			}
+		}
+
+		denialCount, denialSamples, denialErr := recentAppArmorGreeterDenials(3)
+		if denialErr != nil {
+			fmt.Printf("  ℹ Could not inspect AppArmor denials automatically: %v\n", denialErr)
+			fmt.Println("    If greetd falls back to TTY, run: sudo journalctl -b -k | grep 'apparmor.*DENIED'")
+		} else if denialCount > 0 {
+			fmt.Printf("  ⚠ Found %d recent AppArmor denial(s) related to greeter runtime.\n", denialCount)
+			fmt.Println("    This can cause greetd fallback to TTY (for example: 'Failed to create stream fd: Permission denied').")
+			fmt.Println("    Review denials with: sudo journalctl -b -k | grep 'apparmor.*DENIED'")
+			fmt.Println("    Then refine the profile with: sudo aa-logprof")
+			for i, sample := range denialSamples {
+				fmt.Printf("    %d) %s\n", i+1, sample)
+			}
+			allGood = false
+		} else {
+			fmt.Println("  ✓ No recent AppArmor denials detected for common greeter components")
 		}
 	}
 
@@ -1264,3 +1719,116 @@ func checkGreeterStatus() error {
 
 	return nil
 }
+
+func recentAppArmorGreeterDenials(sampleLimit int) (int, []string, error) {
+	if sampleLimit <= 0 {
+		sampleLimit = 3
+	}
+	if !utils.CommandExists("journalctl") {
+		return 0, nil, fmt.Errorf("journalctl not found")
+	}
+
+	queries := [][]string{
+		{"-b", "-k", "--no-pager", "-n", "2000", "-o", "cat"},
+		{"-b", "--no-pager", "-n", "2000", "-o", "cat"},
+	}
+
+	seen := make(map[string]bool)
+	samples := make([]string, 0, sampleLimit)
+	total := 0
+	var lastErr error
+	successfulQuery := false
+
+	for _, query := range queries {
+		cmd := exec.Command("journalctl", query...)
+		output, err := cmd.CombinedOutput()
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		successfulQuery = true
+		total += collectGreeterAppArmorDenials(string(output), seen, &samples, sampleLimit)
+	}
+
+	if !successfulQuery && lastErr != nil {
+		return 0, nil, lastErr
+	}
+
+	return total, samples, nil
+}
+
+func collectGreeterAppArmorDenials(text string, seen map[string]bool, samples *[]string, sampleLimit int) int {
+	count := 0
+	for _, rawLine := range strings.Split(text, "\n") {
+		line := strings.TrimSpace(rawLine)
+		if line == "" || !isGreeterRelatedAppArmorDenial(line) {
+			continue
+		}
+		if seen[line] {
+			continue
+		}
+		seen[line] = true
+		count++
+		if len(*samples) < sampleLimit {
+			*samples = append(*samples, line)
+		}
+	}
+	return count
+}
+
+func isGreeterRelatedAppArmorDenial(line string) bool {
+	lower := strings.ToLower(line)
+	if !strings.Contains(lower, "apparmor") || !strings.Contains(lower, "denied") {
+		return false
+	}
+
+	greeterTokens := []string{
+		"dms-greeter",
+		"/usr/bin/dms-greeter",
+		"greetd",
+		"quickshell",
+		"/usr/bin/qs",
+		"/usr/bin/quickshell",
+		"niri",
+		"hyprland",
+		"sway",
+		"mango",
+		"miracle",
+		"labwc",
+		"pipewire",
+		"wireplumber",
+		"stream fd",
+	}
+
+	for _, token := range greeterTokens {
+		if strings.Contains(lower, token) {
+			return true
+		}
+	}
+	return false
+}
+
+// appArmorProfileMode returns "complain", "enforce", or "" for a named AppArmor profile.
+func appArmorProfileMode(profileName string) string {
+	data, err := os.ReadFile("/sys/kernel/security/apparmor/profiles")
+	if err != nil {
+		return ""
+	}
+	for _, line := range strings.Split(string(data), "\n") {
+		line = strings.TrimSpace(line)
+		if !strings.Contains(line, profileName) {
+			continue
+		}
+		lower := strings.ToLower(line)
+		if strings.Contains(lower, "(complain)") {
+			return "complain"
+		}
+		if strings.Contains(lower, "(enforce)") {
+			return "enforce"
+		}
+		if strings.Contains(lower, "(kill)") {
+			return "kill"
+		}
+	}
+	return ""
+}

core/cmd/dms/commands_setup.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -11,6 +12,7 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/greeter"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/utils"
 	"github.com/spf13/cobra"
 )
@@ -19,7 +21,7 @@ var setupCmd = &cobra.Command{
 	Use:               "setup",
 	Short:             "Deploy DMS configurations",
 	Long:              "Deploy compositor and terminal configurations with interactive prompts",
-	PersistentPreRunE: requireMutableSystemCommand,
+	PersistentPreRunE: preRunPrivileged,
 	Run: func(cmd *cobra.Command, args []string) {
 		if err := runSetup(); err != nil {
 			log.Fatalf("Error during setup: %v", err)
@@ -267,6 +269,8 @@ func runSetupDmsConfig(name string) error {
 func runSetup() error {
 	fmt.Println("=== DMS Configuration Setup ===")
 
+	ensureInputGroup()
+
 	wm, wmSelected := promptCompositor()
 	terminal, terminalSelected := promptTerminal()
 	useSystemd := promptSystemd()
@@ -340,6 +344,37 @@ func runSetup() error {
 	return nil
 }
 
+// Add user to the input group for the evdev manager for inut state tracking.
+// Caps Lock OSD and the Caps Lock bar indicator.
+func ensureInputGroup() {
+	if !utils.HasGroup("input") {
+		return
+	}
+	currentUser := os.Getenv("USER")
+	if currentUser == "" {
+		currentUser = os.Getenv("LOGNAME")
+	}
+	if currentUser == "" {
+		return
+	}
+	out, err := execGroups(currentUser)
+	if err == nil && strings.Contains(out, "input") {
+		fmt.Printf("✓ %s is already in the input group (Caps Lock OSD enabled)\n", currentUser)
+		return
+	}
+	fmt.Println("Adding user to input group for Caps Lock OSD support...")
+	if err := privesc.Run(context.Background(), "", "usermod", "-aG", "input", currentUser); err != nil {
+		fmt.Printf("⚠ Could not add %s to input group (Caps Lock OSD will be unavailable): %v\n", currentUser, err)
+	} else {
+		fmt.Printf("✓ Added %s to input group (logout/login required to take effect)\n", currentUser)
+	}
+}
+
+func execGroups(user string) (string, error) {
+	out, err := exec.Command("groups", user).Output()
+	return string(out), err
+}
+
 func promptCompositor() (deps.WindowManager, bool) {
 	fmt.Println("Select compositor:")
 	fmt.Println("1) Niri")

core/cmd/dms/immutable_policy.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/spf13/cobra"
 )
 
@@ -213,7 +214,7 @@ func getImmutablePolicy() (*immutableCommandPolicy, error) {
 		immutablePolicy = immutableCommandPolicy{
 			ImmutableSystem: detectedImmutable,
 			ImmutableReason: reason,
-			BlockedCommands: []string{"greeter install", "greeter enable", "greeter sync", "setup"},
+			BlockedCommands: []string{"greeter install", "greeter enable", "setup"},
 			Message:         "This command is disabled on immutable/image-based systems. Use your distro-native workflow for system-level changes.",
 		}
 
@@ -269,3 +270,16 @@ func requireMutableSystemCommand(cmd *cobra.Command, _ []string) error {
 
 	return fmt.Errorf("%s%s\nCommand: dms %s\nPolicy files:\n  %s\n  %s", reason, policy.Message, commandPath, cliPolicyPackagedPath, cliPolicyAdminPath)
 }
+
+// preRunPrivileged combines the immutable-system check with a privesc tool
+// selection prompt (shown only when multiple tools are available and the
+// $DMS_PRIVESC env var isn't set).
+func preRunPrivileged(cmd *cobra.Command, args []string) error {
+	if err := requireMutableSystemCommand(cmd, args); err != nil {
+		return err
+	}
+	if _, err := privesc.PromptCLI(os.Stdout, os.Stdin); err != nil {
+		return err
+	}
+	return nil
+}

core/cmd/dms/main.go

@@ -5,6 +5,7 @@ package main
 import (
 	"os"
 
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/clipboard"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 )
 
@@ -16,19 +17,10 @@ func init() {
 	runCmd.Flags().Bool("session", false, "Session managed (like as a systemd unit)")
 	runCmd.Flags().MarkHidden("daemon-child")
 
-	// Add subcommands to greeter
-	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd)
-
-	// Add subcommands to setup
+	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd, greeterUninstallCmd)
 	setupCmd.AddCommand(setupBindsCmd, setupLayoutCmd, setupColorsCmd, setupAlttabCmd, setupOutputsCmd, setupCursorCmd, setupWindowrulesCmd)
-
-	// Add subcommands to update
 	updateCmd.AddCommand(updateCheckCmd)
-
-	// Add subcommands to plugins
 	pluginsCmd.AddCommand(pluginsBrowseCmd, pluginsListCmd, pluginsInstallCmd, pluginsUninstallCmd, pluginsUpdateCmd)
-
-	// Add common commands to root
 	rootCmd.AddCommand(getCommonCommands()...)
 
 	rootCmd.AddCommand(updateCmd)
@@ -37,7 +29,9 @@ func init() {
 }
 
 func main() {
-	if os.Geteuid() == 0 {
+	clipboard.MaybeServeAndExit()
+
+	if os.Geteuid() == 0 && !isReadOnlyCommand(os.Args) {
 		log.Fatal("This program should not be run as root. Exiting.")
 	}
 

core/cmd/dms/main_distro.go

@@ -5,36 +5,30 @@ package main
 import (
 	"os"
 
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/clipboard"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 )
 
 var Version = "dev"
 
 func init() {
-	// Add flags
 	runCmd.Flags().BoolP("daemon", "d", false, "Run in daemon mode")
 	runCmd.Flags().Bool("daemon-child", false, "Internal flag for daemon child process")
 	runCmd.Flags().Bool("session", false, "Session managed (like as a systemd unit)")
 	runCmd.Flags().MarkHidden("daemon-child")
 
-	// Add subcommands to greeter
-	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd)
-
-	// Add subcommands to setup
+	greeterCmd.AddCommand(greeterInstallCmd, greeterSyncCmd, greeterEnableCmd, greeterStatusCmd, greeterUninstallCmd)
 	setupCmd.AddCommand(setupBindsCmd, setupLayoutCmd, setupColorsCmd, setupAlttabCmd, setupOutputsCmd, setupCursorCmd, setupWindowrulesCmd)
-
-	// Add subcommands to plugins
 	pluginsCmd.AddCommand(pluginsBrowseCmd, pluginsListCmd, pluginsInstallCmd, pluginsUninstallCmd, pluginsUpdateCmd)
-
-	// Add common commands to root
 	rootCmd.AddCommand(getCommonCommands()...)
 
 	rootCmd.SetHelpTemplate(getHelpTemplate())
 }
 
 func main() {
-	// Block root
-	if os.Geteuid() == 0 {
+	clipboard.MaybeServeAndExit()
+
+	if os.Geteuid() == 0 && !isReadOnlyCommand(os.Args) {
 		log.Fatal("This program should not be run as root. Exiting.")
 	}
 

core/cmd/dms/shell.go

@@ -616,6 +616,43 @@ func getShellIPCCompletions(args []string, _ string) []string {
 	return nil
 }
 
+func getFirstDMSPID() (int, bool) {
+	dir := getRuntimeDir()
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return 0, false
+	}
+
+	for _, entry := range entries {
+		if !strings.HasPrefix(entry.Name(), "danklinux-") || !strings.HasSuffix(entry.Name(), ".pid") {
+			continue
+		}
+
+		data, err := os.ReadFile(filepath.Join(dir, entry.Name()))
+		if err != nil {
+			continue
+		}
+
+		pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
+		if err != nil {
+			continue
+		}
+
+		proc, err := os.FindProcess(pid)
+		if err != nil {
+			continue
+		}
+
+		if proc.Signal(syscall.Signal(0)) != nil {
+			continue
+		}
+
+		return pid, true
+	}
+
+	return 0, false
+}
+
 func runShellIPCCommand(args []string) {
 	if len(args) == 0 {
 		printIPCHelp()
@@ -627,10 +664,21 @@ func runShellIPCCommand(args []string) {
 	}
 
 	cmdArgs := []string{"ipc"}
-	if qsHasAnyDisplay() {
-		cmdArgs = append(cmdArgs, "--any-display")
+
+	switch pid, ok := getFirstDMSPID(); {
+	case ok:
+		cmdArgs = append(cmdArgs, "--pid", strconv.Itoa(pid))
+	default:
+		if err := findConfig(nil, nil); err != nil {
+			log.Fatalf("Error finding config: %v", err)
+		}
+		// ! TODO - remove check when QS 0.3 is released
+		if qsHasAnyDisplay() {
+			cmdArgs = append(cmdArgs, "--any-display")
+		}
+		cmdArgs = append(cmdArgs, "-p", configPath)
 	}
-	cmdArgs = append(cmdArgs, "-p", configPath)
+
 	cmdArgs = append(cmdArgs, args...)
 	cmd := exec.Command("qs", cmdArgs...)
 	cmd.Stdin = os.Stdin

core/cmd/dms/utils.go

@@ -7,6 +7,22 @@ import (
 	"strings"
 )
 
+// isReadOnlyCommand returns true if the CLI args indicate a command that is
+// safe to run as root (e.g. shell completion, help).
+func isReadOnlyCommand(args []string) bool {
+	for _, arg := range args[1:] {
+		if strings.HasPrefix(arg, "-") {
+			continue
+		}
+		switch arg {
+		case "completion", "help", "__complete":
+			return true
+		}
+		return false
+	}
+	return false
+}
+
 func isArchPackageInstalled(packageName string) bool {
 	cmd := exec.Command("pacman", "-Q", packageName)
 	err := cmd.Run()

core/go.mod

@@ -16,8 +16,6 @@ require (
 	github.com/sblinch/kdl-go v0.0.0-20260121213736-8b7053306ca6
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
-	github.com/yeqown/go-qrcode/v2 v2.2.5
-	github.com/yeqown/go-qrcode/writer/standard v1.3.0
 	github.com/yuin/goldmark v1.7.16
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.etcd.io/bbolt v1.4.3
@@ -34,19 +32,15 @@ require (
 	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fogleman/gg v1.3.0 // indirect
 	github.com/go-git/gcfg/v2 v2.0.2 // indirect
 	github.com/go-git/go-billy/v6 v6.0.0-20260209124918-37866f83c2d3 // indirect
 	github.com/go-logfmt/logfmt v0.6.1 // indirect
-	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/kevinburke/ssh_config v1.6.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/pjbgf/sha1cd v0.5.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
-	github.com/yeqown/reedsolomon v1.0.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/net v0.50.0 // indirect
 )

core/go.sum

@@ -58,8 +58,6 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
-github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
-github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@@ -77,8 +75,6 @@ github.com/go-logfmt/logfmt v0.6.1/go.mod h1:EV2pOAQoZaT1ZXZbqDl5hrymndi4SY9ED9/
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -119,8 +115,6 @@ github.com/pilebones/go-udev v0.9.1 h1:uN72M1C1fgzhsVmBGEM8w9RD1JY4iVsPZpr+Z6rb3
 github.com/pilebones/go-udev v0.9.1/go.mod h1:Bgcl07crebF3JSeS4+nuaRvhWFdCeFoBhXXeAp93XNo=
 github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
 github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -148,12 +142,6 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-github.com/yeqown/go-qrcode/v2 v2.2.5 h1:HCOe2bSjkhZyYoyyNaXNzh4DJZll6inVJQQw+8228Zk=
-github.com/yeqown/go-qrcode/v2 v2.2.5/go.mod h1:uHpt9CM0V1HeXLz+Wg5MN50/sI/fQhfkZlOM+cOTHxw=
-github.com/yeqown/go-qrcode/writer/standard v1.3.0 h1:chdyhEfRtUPgQtuPeaWVGQ/TQx4rE1PqeoW3U+53t34=
-github.com/yeqown/go-qrcode/writer/standard v1.3.0/go.mod h1:O4MbzsotGCvy8upYPCR91j81dr5XLT7heuljcNXW+oQ=
-github.com/yeqown/reedsolomon v1.0.0 h1:x1h/Ej/uJnNu8jaX7GLHBWmZKCAWjEJTetkqaabr4B0=
-github.com/yeqown/reedsolomon v1.0.0/go.mod h1:P76zpcn2TCuL0ul1Fso373qHRc69LKwAw/Iy6g1WiiM=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
 github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=

core/internal/blur/probe.go

@@ -0,0 +1,35 @@
+package blur
+
+import (
+	wlhelpers "github.com/AvengeMedia/DankMaterialShell/core/internal/wayland/client"
+	client "github.com/AvengeMedia/DankMaterialShell/core/pkg/go-wayland/wayland/client"
+)
+
+const extBackgroundEffectInterface = "ext_background_effect_manager_v1"
+
+func ProbeSupport() (bool, error) {
+	display, err := client.Connect("")
+	if err != nil {
+		return false, err
+	}
+	defer display.Context().Close()
+
+	registry, err := display.GetRegistry()
+	if err != nil {
+		return false, err
+	}
+
+	found := false
+	registry.SetGlobalHandler(func(e client.RegistryGlobalEvent) {
+		switch e.Interface {
+		case extBackgroundEffectInterface:
+			found = true
+		}
+	})
+
+	if err := wlhelpers.Roundtrip(display, display.Context()); err != nil {
+		return false, err
+	}
+
+	return found, nil
+}

core/internal/clipboard/clipboard.go

@@ -1,7 +1,6 @@
 package clipboard
 
 import (
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -13,102 +12,166 @@ import (
 	wlclient "github.com/AvengeMedia/DankMaterialShell/core/pkg/go-wayland/wayland/client"
 )
 
+const envServe = "_DMS_CLIPBOARD_SERVE"
+const envMime = "_DMS_CLIPBOARD_MIME"
+const envPasteOnce = "_DMS_CLIPBOARD_PASTE_ONCE"
+const envCacheFile = "_DMS_CLIPBOARD_CACHE"
+
+// MaybeServeAndExit intercepts before cobra when re-exec'd as a clipboard
+// child. Reads source data into memory, deletes any cache file, then serves.
+func MaybeServeAndExit() {
+	if os.Getenv(envServe) == "" {
+		return
+	}
+
+	mimeType := os.Getenv(envMime)
+	pasteOnce := os.Getenv(envPasteOnce) == "1"
+	cachePath := os.Getenv(envCacheFile)
+
+	var data []byte
+	var err error
+
+	switch {
+	case cachePath != "":
+		data, err = os.ReadFile(cachePath)
+		os.Remove(cachePath)
+	default:
+		data, err = io.ReadAll(os.Stdin)
+	}
+
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "clipboard: read source: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := serveClipboard(data, mimeType, pasteOnce); err != nil {
+		fmt.Fprintf(os.Stderr, "clipboard: serve: %v\n", err)
+		os.Exit(1)
+	}
+	os.Exit(0)
+}
+
 func Copy(data []byte, mimeType string) error {
-	return CopyReader(bytes.NewReader(data), mimeType, false, false)
+	return copyForkCached(data, mimeType, false)
 }
 
 func CopyOpts(data []byte, mimeType string, foreground, pasteOnce bool) error {
-	return CopyReader(bytes.NewReader(data), mimeType, foreground, pasteOnce)
+	if foreground {
+		return serveClipboard(data, mimeType, pasteOnce)
+	}
+	return copyForkCached(data, mimeType, pasteOnce)
 }
 
 func CopyReader(data io.Reader, mimeType string, foreground, pasteOnce bool) error {
-	if !foreground {
-		return copyFork(data, mimeType, pasteOnce)
+	if foreground {
+		buf, err := io.ReadAll(data)
+		if err != nil {
+			return fmt.Errorf("read source: %w", err)
+		}
+		return serveClipboard(buf, mimeType, pasteOnce)
 	}
-	return copyServeReader(data, mimeType, pasteOnce)
+	return copyFork(data, mimeType, pasteOnce)
 }
 
-func copyFork(data io.Reader, mimeType string, pasteOnce bool) error {
-	args := []string{os.Args[0], "cl", "copy", "--foreground"}
-	if pasteOnce {
-		args = append(args, "--paste-once")
-	}
-	args = append(args, "--type", mimeType)
-
-	cmd := exec.Command(args[0], args[1:]...)
-	cmd.Stdout = nil
+func newForkCmd(mimeType string, pasteOnce bool, extra ...string) *exec.Cmd {
+	cmd := exec.Command(os.Args[0])
 	cmd.Stderr = nil
 	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
-
-	if stdinSource, ok := data.(*os.File); ok {
-		cmd.Stdin = stdinSource
-		return cmd.Start()
+	cmd.Env = append(os.Environ(),
+		envServe+"=1",
+		envMime+"="+mimeType,
+	)
+	if pasteOnce {
+		cmd.Env = append(cmd.Env, envPasteOnce+"=1")
 	}
+	cmd.Env = append(cmd.Env, extra...)
+	return cmd
+}
 
-	stdin, err := cmd.StdinPipe()
+func waitReady(cmd *exec.Cmd) error {
+	stdout, err := cmd.StdoutPipe()
 	if err != nil {
-		return fmt.Errorf("stdin pipe: %w", err)
+		return fmt.Errorf("stdout pipe: %w", err)
 	}
-
 	if err := cmd.Start(); err != nil {
 		return fmt.Errorf("start: %w", err)
 	}
-
-	if _, err := io.Copy(stdin, data); err != nil {
-		stdin.Close()
-		return fmt.Errorf("write stdin: %w", err)
+	var buf [1]byte
+	if _, err := stdout.Read(buf[:]); err != nil {
+		return fmt.Errorf("waiting for clipboard ready: %w", err)
 	}
-	if err := stdin.Close(); err != nil {
-		return fmt.Errorf("close stdin: %w", err)
-	}
-
 	return nil
 }
 
-func copyServe(data []byte, mimeType string, pasteOnce bool) error {
-	return copyServeWithWriter(func(writer io.Writer) error {
-		total := 0
+func copyForkCached(data []byte, mimeType string, pasteOnce bool) error {
+	cacheFile, err := createClipboardCacheFile()
+	if err != nil {
+		return fmt.Errorf("create cache file: %w", err)
+	}
+	cachePath := cacheFile.Name()
 
-		for total < len(data) {
-			n, err := writer.Write(data[total:])
-			total += n
-			if err != nil {
-				return err
-			}
-		}
-		if total != len(data) {
-			return io.ErrShortWrite
-		}
-		return nil
-	}, mimeType, pasteOnce)
+	if _, err := cacheFile.Write(data); err != nil {
+		cacheFile.Close()
+		os.Remove(cachePath)
+		return fmt.Errorf("write cache file: %w", err)
+	}
+	if err := cacheFile.Close(); err != nil {
+		os.Remove(cachePath)
+		return fmt.Errorf("close cache file: %w", err)
+	}
+
+	cmd := newForkCmd(mimeType, pasteOnce, envCacheFile+"="+cachePath)
+	cmd.Stdin = nil
+	if err := waitReady(cmd); err != nil {
+		os.Remove(cachePath)
+		return err
+	}
+	return nil
 }
 
-func copyServeReader(data io.Reader, mimeType string, pasteOnce bool) error {
-	cachedData, err := createClipboardCacheFile()
-	if err != nil {
-		return fmt.Errorf("create clipboard cache file: %w", err)
-	}
-	defer os.Remove(cachedData.Name())
+func copyFork(data io.Reader, mimeType string, pasteOnce bool) error {
+	cmd := newForkCmd(mimeType, pasteOnce)
 
-	if _, err := io.Copy(cachedData, data); err != nil {
-		return fmt.Errorf("cache clipboard data: %w", err)
-	}
-	if err := cachedData.Close(); err != nil {
-		return fmt.Errorf("close temp cache file: %w", err)
-	}
+	switch src := data.(type) {
+	case *os.File:
+		cmd.Stdin = src
+		return waitReady(cmd)
 
-	return copyServeWithWriter(func(writer io.Writer) error {
-		cachedFile, err := os.Open(cachedData.Name())
+	default:
+		stdin, err := cmd.StdinPipe()
 		if err != nil {
-			return fmt.Errorf("open temp cache file: %w", err)
+			return fmt.Errorf("stdin pipe: %w", err)
 		}
-		defer cachedFile.Close()
 
-		if _, err := io.Copy(writer, cachedFile); err != nil {
-			return fmt.Errorf("write clipboard data: %w", err)
+		stdout, err := cmd.StdoutPipe()
+		if err != nil {
+			return fmt.Errorf("stdout pipe: %w", err)
+		}
+
+		if err := cmd.Start(); err != nil {
+			return fmt.Errorf("start: %w", err)
+		}
+		if _, err := io.Copy(stdin, data); err != nil {
+			stdin.Close()
+			return fmt.Errorf("write stdin: %w", err)
+		}
+		if err := stdin.Close(); err != nil {
+			return fmt.Errorf("close stdin: %w", err)
+		}
+
+		var buf [1]byte
+		if _, err := stdout.Read(buf[:]); err != nil {
+			return fmt.Errorf("waiting for clipboard ready: %w", err)
 		}
 		return nil
-	}, mimeType, pasteOnce)
+	}
+}
+
+func signalReady() {
+	if os.Getenv(envServe) == "" {
+		return
+	}
+	os.Stdout.Write([]byte{1})
 }
 
 func createClipboardCacheFile() (*os.File, error) {
@@ -131,7 +194,7 @@ func createClipboardCacheFile() (*os.File, error) {
 	return os.CreateTemp("", "dms-clipboard-*")
 }
 
-func copyServeWithWriter(writeTo func(io.Writer) error, mimeType string, pasteOnce bool) error {
+func serveClipboard(data []byte, mimeType string, pasteOnce bool) error {
 	display, err := wlclient.Connect("")
 	if err != nil {
 		return fmt.Errorf("wayland connect: %w", err)
@@ -173,12 +236,10 @@ func copyServeWithWriter(writeTo func(io.Writer) error, mimeType string, pasteOn
 	if bindErr != nil {
 		return fmt.Errorf("registry bind: %w", bindErr)
 	}
-
 	if dataControlMgr == nil {
 		return fmt.Errorf("compositor does not support ext_data_control_manager_v1")
 	}
 	defer dataControlMgr.Destroy()
-
 	if seat == nil {
 		return fmt.Errorf("no seat available")
 	}
@@ -217,18 +278,12 @@ func copyServeWithWriter(writeTo func(io.Writer) error, mimeType string, pasteOn
 
 	cancelled := make(chan struct{})
 	pasted := make(chan struct{}, 1)
-	sendErr := make(chan error, 1)
 
 	source.SetSendHandler(func(e ext_data_control.ExtDataControlSourceV1SendEvent) {
-		defer syscall.Close(e.Fd)
+		_ = syscall.SetNonblock(e.Fd, false)
 		file := os.NewFile(uintptr(e.Fd), "pipe")
 		defer file.Close()
-		if err := writeTo(file); err != nil {
-			select {
-			case sendErr <- err:
-			default:
-			}
-		}
+		_, _ = file.Write(data)
 		select {
 		case pasted <- struct{}{}:
 		default:
@@ -244,13 +299,12 @@ func copyServeWithWriter(writeTo func(io.Writer) error, mimeType string, pasteOn
 	}
 
 	display.Roundtrip()
+	signalReady()
 
 	for {
 		select {
 		case <-cancelled:
 			return nil
-		case err := <-sendErr:
-			return err
 		case <-pasted:
 			if pasteOnce {
 				return nil
@@ -504,12 +558,10 @@ func copyMultiServe(offers []Offer, pasteOnce bool) error {
 	if bindErr != nil {
 		return fmt.Errorf("registry bind: %w", bindErr)
 	}
-
 	if dataControlMgr == nil {
 		return fmt.Errorf("compositor does not support ext_data_control_manager_v1")
 	}
 	defer dataControlMgr.Destroy()
-
 	if seat == nil {
 		return fmt.Errorf("no seat available")
 	}
@@ -537,12 +589,12 @@ func copyMultiServe(offers []Offer, pasteOnce bool) error {
 	pasted := make(chan struct{}, 1)
 
 	source.SetSendHandler(func(e ext_data_control.ExtDataControlSourceV1SendEvent) {
-		defer syscall.Close(e.Fd)
+		_ = syscall.SetNonblock(e.Fd, false)
 		file := os.NewFile(uintptr(e.Fd), "pipe")
 		defer file.Close()
 
 		if data, ok := offerMap[e.MimeType]; ok {
-			file.Write(data)
+			_, _ = file.Write(data)
 		}
 
 		select {

core/internal/config/embedded/hypr-binds.conf

@@ -137,7 +137,7 @@ bind = SUPER, bracketright, layoutmsg, preselect r
 
 # === Sizing & Layout ===
 bind = SUPER, R, layoutmsg, togglesplit
-bind = SUPER CTRL, F, resizeactive, exact 100%
+bind = SUPER CTRL, F, resizeactive, exact 100% 100%
 
 # === Move/resize windows with mainMod + LMB/RMB and dragging ===
 bindmd = SUPER, mouse:272, Move window, movewindow

core/internal/config/embedded/hyprland.conf

@@ -94,6 +94,7 @@ windowrule = tile on, match:class ^(gnome-control-center)$
 windowrule = tile on, match:class ^(pavucontrol)$
 windowrule = tile on, match:class ^(nm-connection-editor)$
 
+windowrule = float on, match:class ^(org\.gnome\.Calculator)$
 windowrule = float on, match:class ^(gnome-calculator)$
 windowrule = float on, match:class ^(galculator)$
 windowrule = float on, match:class ^(blueman-manager)$

core/internal/config/embedded/niri.kdl

@@ -224,6 +224,7 @@ window-rule {
     open-floating false
 }
 window-rule {
+    match app-id=r#"^org\.gnome\.Calculator$"#
     match app-id=r#"^gnome-calculator$"#
     match app-id=r#"^galculator$"#
     match app-id=r#"^blueman-manager$"#
@@ -252,6 +253,7 @@ window-rule {
 // Open dms windows as floating by default
 window-rule {
     match app-id=r#"org.quickshell$"#
+    match app-id=r#"com.danklinux.dms$"#
     open-floating true
 }
 debug {

core/internal/distros/arch.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 func init() {
@@ -135,6 +136,42 @@ func (a *ArchDistribution) packageInstalled(pkg string) bool {
 	return err == nil
 }
 
+// parseSRCINFODeps reads a .SRCINFO file and returns runtime dep and makedep package
+func parseSRCINFODeps(srcinfoPath string) (deps []string, makedeps []string, err error) {
+	data, err := os.ReadFile(srcinfoPath)
+	if err != nil {
+		return nil, nil, err
+	}
+	for _, line := range strings.Split(string(data), "\n") {
+		line = strings.TrimSpace(line)
+		var pkg string
+		var target *[]string
+		switch {
+		case strings.HasPrefix(line, "makedepends = "):
+			pkg = strings.TrimPrefix(line, "makedepends = ")
+			target = &makedeps
+		case strings.HasPrefix(line, "depends = "):
+			pkg = strings.TrimPrefix(line, "depends = ")
+			target = &deps
+		default:
+			continue
+		}
+		// Strip version constraint (>=, <=, >, <, =) and colon-descriptions
+		if idx := strings.IndexAny(pkg, "><:="); idx >= 0 {
+			pkg = pkg[:idx]
+		}
+		pkg = strings.TrimSpace(pkg)
+		if pkg != "" {
+			*target = append(*target, pkg)
+		}
+	}
+	return deps, makedeps, nil
+}
+
+func (a *ArchDistribution) isInSystemRepo(pkg string) bool {
+	return exec.Command("pacman", "-Si", pkg).Run() == nil
+}
+
 func (a *ArchDistribution) GetPackageMapping(wm deps.WindowManager) map[string]PackageMapping {
 	return a.GetPackageMappingWithVariants(wm, make(map[string]deps.PackageVariant))
 }
@@ -206,11 +243,7 @@ func (a *ArchDistribution) getDMSMapping(variant deps.PackageVariant) PackageMap
 		return PackageMapping{Name: "dms-shell-git", Repository: RepoTypeAUR}
 	}
 
-	if a.packageInstalled("dms-shell-bin") {
-		return PackageMapping{Name: "dms-shell-bin", Repository: RepoTypeAUR}
-	}
-
-	return PackageMapping{Name: "dms-shell-bin", Repository: RepoTypeAUR}
+	return PackageMapping{Name: "dms-shell", Repository: RepoTypeSystem}
 }
 
 func (a *ArchDistribution) detectXwaylandSatellite() deps.Dependency {
@@ -260,7 +293,7 @@ func (a *ArchDistribution) InstallPrerequisites(ctx context.Context, sudoPasswor
 		LogOutput:   "Installing base-devel development tools",
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, "pacman -S --needed --noconfirm base-devel")
+	cmd := privesc.ExecCommand(ctx, sudoPassword, "pacman -S --needed --noconfirm base-devel")
 	if err := a.runWithProgress(cmd, progressChan, PhasePrerequisites, 0.08, 0.10); err != nil {
 		return fmt.Errorf("failed to install base-devel: %w", err)
 	}
@@ -292,6 +325,13 @@ func (a *ArchDistribution) InstallPackages(ctx context.Context, dependencies []d
 
 	systemPkgs, aurPkgs, manualPkgs, variantMap := a.categorizePackages(dependencies, wm, reinstallFlags, disabledFlags)
 
+	if slices.Contains(aurPkgs, "quickshell-git") && slices.Contains(systemPkgs, "dms-shell") {
+		if err := a.preinstallQuickshellGit(ctx, sudoPassword, progressChan); err != nil {
+			return fmt.Errorf("failed to preinstall quickshell-git: %w", err)
+		}
+		aurPkgs = slices.DeleteFunc(aurPkgs, func(p string) bool { return p == "quickshell-git" })
+	}
+
 	// Phase 3: System Packages
 	if len(systemPkgs) > 0 {
 		progressChan <- InstallProgressMsg{
@@ -409,6 +449,37 @@ func (a *ArchDistribution) categorizePackages(dependencies []deps.Dependency, wm
 	return systemPkgs, aurPkgs, manualPkgs, variantMap
 }
 
+func (a *ArchDistribution) preinstallQuickshellGit(ctx context.Context, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
+	if a.packageInstalled("quickshell-git") {
+		return nil
+	}
+
+	if a.packageInstalled("quickshell") {
+		progressChan <- InstallProgressMsg{
+			Phase:       PhaseAURPackages,
+			Progress:    0.15,
+			Step:        "Removing stable quickshell...",
+			IsComplete:  false,
+			NeedsSudo:   true,
+			CommandInfo: "sudo pacman -Rdd --noconfirm quickshell",
+			LogOutput:   "Removing stable quickshell so quickshell-git can be installed",
+		}
+		cmd := privesc.ExecCommand(ctx, sudoPassword, "pacman -Rdd --noconfirm quickshell")
+		if err := a.runWithProgress(cmd, progressChan, PhaseAURPackages, 0.15, 0.18); err != nil {
+			return fmt.Errorf("failed to remove stable quickshell: %w", err)
+		}
+	}
+
+	progressChan <- InstallProgressMsg{
+		Phase:       PhaseAURPackages,
+		Progress:    0.18,
+		Step:        "Building quickshell-git before system packages...",
+		IsComplete:  false,
+		CommandInfo: "Installing quickshell-git ahead of dms-shell to avoid conflict",
+	}
+	return a.installSingleAURPackage(ctx, "quickshell-git", sudoPassword, progressChan, 0.18, 0.32)
+}
+
 func (a *ArchDistribution) installSystemPackages(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
 	if len(packages) == 0 {
 		return nil
@@ -417,6 +488,9 @@ func (a *ArchDistribution) installSystemPackages(ctx context.Context, packages [
 	a.log(fmt.Sprintf("Installing system packages: %s", strings.Join(packages, ", ")))
 
 	args := []string{"pacman", "-S", "--needed", "--noconfirm"}
+	if slices.Contains(packages, "dms-shell") {
+		args = append(args, "--assume-installed", "dms-shell-compositor=1")
+	}
 	args = append(args, packages...)
 
 	progressChan <- InstallProgressMsg{
@@ -428,7 +502,7 @@ func (a *ArchDistribution) installSystemPackages(ctx context.Context, packages [
 		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	return a.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60)
 }
 
@@ -440,29 +514,10 @@ func (a *ArchDistribution) installAURPackages(ctx context.Context, packages []st
 	a.log(fmt.Sprintf("Installing AUR packages manually: %s", strings.Join(packages, ", ")))
 
 	hasNiri := false
-	hasQuickshell := false
 	for _, pkg := range packages {
 		if pkg == "niri-git" {
 			hasNiri = true
 		}
-		if pkg == "quickshell" || pkg == "quickshell-git" {
-			hasQuickshell = true
-		}
-	}
-
-	// If quickshell is in the list, always reinstall google-breakpad first
-	if hasQuickshell {
-		progressChan <- InstallProgressMsg{
-			Phase:       PhaseAURPackages,
-			Progress:    0.63,
-			Step:        "Reinstalling google-breakpad for quickshell...",
-			IsComplete:  false,
-			CommandInfo: "Reinstalling prerequisite AUR package for quickshell",
-		}
-
-		if err := a.installSingleAURPackage(ctx, "google-breakpad", sudoPassword, progressChan, 0.63, 0.65); err != nil {
-			return fmt.Errorf("failed to reinstall google-breakpad prerequisite for quickshell: %w", err)
-		}
 	}
 
 	// If niri is in the list, install makepkg-git-lfs-proto first if not already installed
@@ -523,7 +578,7 @@ func (a *ArchDistribution) reorderAURPackages(packages []string) []string {
 	var dmsShell []string
 
 	for _, pkg := range packages {
-		if pkg == "dms-shell-git" || pkg == "dms-shell-bin" {
+		if pkg == "dms-shell-git" {
 			dmsShell = append(dmsShell, pkg)
 		} else {
 			isDep := false
@@ -543,6 +598,16 @@ func (a *ArchDistribution) reorderAURPackages(packages []string) []string {
 }
 
 func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sudoPassword string, progressChan chan<- InstallProgressMsg, startProgress, endProgress float64) error {
+	return a.installSingleAURPackageInternal(ctx, pkg, sudoPassword, progressChan, startProgress, endProgress, make(map[string]bool))
+}
+
+func (a *ArchDistribution) installSingleAURPackageInternal(ctx context.Context, pkg, sudoPassword string, progressChan chan<- InstallProgressMsg, startProgress, endProgress float64, visited map[string]bool) error {
+	if visited[pkg] {
+		a.log(fmt.Sprintf("Skipping %s (already being installed, cycle detected)", pkg))
+		return nil
+	}
+	visited[pkg] = true
+
 	homeDir, err := os.UserHomeDir()
 	if err != nil {
 		return fmt.Errorf("failed to get user home directory: %w", err)
@@ -594,7 +659,7 @@ func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sud
 		}
 	}
 
-	if pkg == "dms-shell-git" || pkg == "dms-shell-bin" {
+	if pkg == "dms-shell-git" {
 		srcinfoPath := filepath.Join(packageDir, ".SRCINFO")
 		depsToRemove := []string{
 			"depends = quickshell",
@@ -616,54 +681,66 @@ func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sud
 		return fmt.Errorf("failed to remove optdepends from .SRCINFO for %s: %w", pkg, err)
 	}
 
-	// Skip dependency installation for dms-shell-git and dms-shell-bin
-	// since we manually manage those dependencies
-	if pkg != "dms-shell-git" && pkg != "dms-shell-bin" {
-		// Pre-install dependencies from .SRCINFO
+	srcinfoPath = filepath.Join(packageDir, ".SRCINFO")
+	{
 		progressChan <- InstallProgressMsg{
 			Phase:       PhaseAURPackages,
 			Progress:    startProgress + 0.3*(endProgress-startProgress),
-			Step:        fmt.Sprintf("Installing dependencies for %s...", pkg),
+			Step:        fmt.Sprintf("Resolving dependencies for %s...", pkg),
 			IsComplete:  false,
-			CommandInfo: "Installing package dependencies and makedepends",
+			CommandInfo: "Classifying dependencies as system or AUR",
 		}
 
-		// Install dependencies and makedepends explicitly
-		srcinfoPath = filepath.Join(packageDir, ".SRCINFO")
-
-		depsCmd := exec.CommandContext(ctx, "bash", "-c",
-			fmt.Sprintf(`
-				deps=$(grep "depends = " "%s" | grep -v "makedepends" | sed 's/.*depends = //' | tr '\n' ' ' | sed 's/[[:space:]]*$//')
-				if [[ "%s" == *"quickshell"* ]]; then
-					deps=$(echo "$deps" | sed 's/google-breakpad//g' | sed 's/  / /g' | sed 's/^ *//g' | sed 's/ *$//g')
-				fi
-				if [ ! -z "$deps" ] && [ "$deps" != " " ]; then
-					echo '%s' | sudo -S pacman -S --needed --noconfirm $deps
-				fi
-			`, srcinfoPath, pkg, sudoPassword))
-
-		if err := a.runWithProgress(depsCmd, progressChan, PhaseAURPackages, startProgress+0.3*(endProgress-startProgress), startProgress+0.35*(endProgress-startProgress)); err != nil {
-			return fmt.Errorf("FAILED to install runtime dependencies for %s: %w", pkg, err)
+		runtimeDeps, makeDeps, err := parseSRCINFODeps(srcinfoPath)
+		if err != nil {
+			return fmt.Errorf("failed to parse .SRCINFO for %s: %w", pkg, err)
 		}
 
-		makedepsCmd := exec.CommandContext(ctx, "bash", "-c",
-			fmt.Sprintf(`
-				makedeps=$(grep -E "^[[:space:]]*makedepends = " "%s" | sed 's/^[[:space:]]*makedepends = //' | tr '\n' ' ')
-				if [ ! -z "$makedeps" ]; then
-					echo '%s' | sudo -S pacman -S --needed --noconfirm $makedeps
-				fi
-			`, srcinfoPath, sudoPassword))
+		seen := make(map[string]bool)
+		var systemPkgs []string
+		var aurPkgs []string
 
-		if err := a.runWithProgress(makedepsCmd, progressChan, PhaseAURPackages, startProgress+0.35*(endProgress-startProgress), startProgress+0.4*(endProgress-startProgress)); err != nil {
-			return fmt.Errorf("FAILED to install make dependencies for %s: %w", pkg, err)
+		for _, dep := range append(runtimeDeps, makeDeps...) {
+			if seen[dep] || a.packageInstalled(dep) {
+				continue
+			}
+			seen[dep] = true
+			if a.isInSystemRepo(dep) {
+				systemPkgs = append(systemPkgs, dep)
+			} else {
+				aurPkgs = append(aurPkgs, dep)
+			}
 		}
-	} else {
-		progressChan <- InstallProgressMsg{
-			Phase:      PhaseAURPackages,
-			Progress:   startProgress + 0.35*(endProgress-startProgress),
-			Step:       fmt.Sprintf("Skipping dependency installation for %s (manually managed)...", pkg),
-			IsComplete: false,
-			LogOutput:  fmt.Sprintf("Dependencies for %s are installed separately", pkg),
+
+		if len(systemPkgs) > 0 {
+			progressChan <- InstallProgressMsg{
+				Phase:       PhaseAURPackages,
+				Progress:    startProgress + 0.32*(endProgress-startProgress),
+				Step:        fmt.Sprintf("Installing %d system dependencies for %s...", len(systemPkgs), pkg),
+				IsComplete:  false,
+				CommandInfo: fmt.Sprintf("sudo pacman -S --needed --noconfirm %s", strings.Join(systemPkgs, " ")),
+			}
+			if err := a.installSystemPackages(ctx, systemPkgs, sudoPassword, progressChan); err != nil {
+				return fmt.Errorf("failed to install system dependencies for %s: %w", pkg, err)
+			}
+		}
+
+		for _, aurDep := range aurPkgs {
+			a.log(fmt.Sprintf("Dependency %s is AUR-only, building from source...", aurDep))
+			progressChan <- InstallProgressMsg{
+				Phase:       PhaseAURPackages,
+				Progress:    startProgress + 0.35*(endProgress-startProgress),
+				Step:        fmt.Sprintf("Installing AUR dependency %s for %s...", aurDep, pkg),
+				IsComplete:  false,
+				CommandInfo: fmt.Sprintf("Building AUR dependency: %s", aurDep),
+			}
+			if err := a.installSingleAURPackageInternal(ctx, aurDep, sudoPassword, progressChan,
+				startProgress+0.35*(endProgress-startProgress),
+				startProgress+0.39*(endProgress-startProgress),
+				visited,
+			); err != nil {
+				return fmt.Errorf("failed to install AUR dependency %s for %s: %w", aurDep, pkg, err)
+			}
 		}
 	}
 
@@ -677,7 +754,7 @@ func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sud
 
 	buildCmd := exec.CommandContext(ctx, "makepkg", "--noconfirm")
 	buildCmd.Dir = packageDir
-	buildCmd.Env = append(os.Environ(), "PKGEXT=.pkg.tar") // Disable compression for speed
+	buildCmd.Env = append(os.Environ(), "PKGEXT=.pkg.tar")
 
 	if err := a.runWithProgress(buildCmd, progressChan, PhaseAURPackages, startProgress+0.4*(endProgress-startProgress), startProgress+0.7*(endProgress-startProgress)); err != nil {
 		return fmt.Errorf("failed to build %s: %w", pkg, err)
@@ -692,42 +769,9 @@ func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sud
 		CommandInfo: "sudo pacman -U built-package",
 	}
 
-	// Find .pkg.tar* files - for split packages, install the base and any installed compositor variants
 	var files []string
-	if pkg == "dms-shell-git" || pkg == "dms-shell-bin" {
-		// For DMS split packages, install base package
-		pattern := filepath.Join(packageDir, fmt.Sprintf("%s-%s*.pkg.tar*", pkg, "*"))
-		matches, err := filepath.Glob(pattern)
-		if err == nil {
-			for _, match := range matches {
-				basename := filepath.Base(match)
-				// Always include base package
-				if !strings.Contains(basename, "hyprland") && !strings.Contains(basename, "niri") {
-					files = append(files, match)
-				}
-			}
-		}
-
-		// Also update compositor-specific packages if they're installed
-		if strings.HasSuffix(pkg, "-git") {
-			if a.packageInstalled("dms-shell-hyprland-git") {
-				hyprlandPattern := filepath.Join(packageDir, "dms-shell-hyprland-git-*.pkg.tar*")
-				if hyprlandMatches, err := filepath.Glob(hyprlandPattern); err == nil && len(hyprlandMatches) > 0 {
-					files = append(files, hyprlandMatches[0])
-				}
-			}
-			if a.packageInstalled("dms-shell-niri-git") {
-				niriPattern := filepath.Join(packageDir, "dms-shell-niri-git-*.pkg.tar*")
-				if niriMatches, err := filepath.Glob(niriPattern); err == nil && len(niriMatches) > 0 {
-					files = append(files, niriMatches[0])
-				}
-			}
-		}
-	} else {
-		// For other packages, install all built packages
-		matches, _ := filepath.Glob(filepath.Join(packageDir, "*.pkg.tar*"))
-		files = matches
-	}
+	matches, _ := filepath.Glob(filepath.Join(packageDir, "*.pkg.tar*"))
+	files = matches
 
 	if len(files) == 0 {
 		return fmt.Errorf("no package files found after building %s", pkg)
@@ -736,7 +780,7 @@ func (a *ArchDistribution) installSingleAURPackage(ctx context.Context, pkg, sud
 	installArgs := []string{"pacman", "-U", "--noconfirm"}
 	installArgs = append(installArgs, files...)
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(installArgs, " "))
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(installArgs, " "))
 
 	fileNames := make([]string, len(files))
 	for i, f := range files {

core/internal/distros/base.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/version"
 )
 
@@ -55,27 +56,6 @@ func (b *BaseDistribution) logError(message string, err error) {
 	b.log(errorMsg)
 }
 
-// escapeSingleQuotes escapes single quotes in a string for safe use in bash single-quoted strings.
-// It replaces each ' with '\” which closes the quote, adds an escaped quote, and reopens the quote.
-// This prevents shell injection and syntax errors when passwords contain single quotes or apostrophes.
-func escapeSingleQuotes(s string) string {
-	return strings.ReplaceAll(s, "'", "'\\''")
-}
-
-// MakeSudoCommand creates a command string that safely passes password to sudo.
-// This helper escapes special characters in the password to prevent shell injection
-// and syntax errors when passwords contain single quotes, apostrophes, or other special chars.
-func MakeSudoCommand(sudoPassword string, command string) string {
-	return fmt.Sprintf("echo '%s' | sudo -S %s", escapeSingleQuotes(sudoPassword), command)
-}
-
-// ExecSudoCommand creates an exec.Cmd that runs a command with sudo using the provided password.
-// The password is properly escaped to prevent shell injection and syntax errors.
-func ExecSudoCommand(ctx context.Context, sudoPassword string, command string) *exec.Cmd {
-	cmdStr := MakeSudoCommand(sudoPassword, command)
-	return exec.CommandContext(ctx, "bash", "-c", cmdStr)
-}
-
 func (b *BaseDistribution) detectCommand(name, description string) deps.Dependency {
 	status := deps.StatusMissing
 	if b.commandExists(name) {
@@ -710,7 +690,7 @@ func (b *BaseDistribution) installDMSBinary(ctx context.Context, sudoPassword st
 	}
 
 	// Install to /usr/local/bin
-	installCmd := ExecSudoCommand(ctx, sudoPassword,
+	installCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("cp %s /usr/local/bin/dms", binaryPath))
 	if err := installCmd.Run(); err != nil {
 		return fmt.Errorf("failed to install DMS binary: %w", err)

core/internal/distros/debian.go

@@ -4,10 +4,10 @@ import (
 	"context"
 	"fmt"
 	"os/exec"
-	"runtime"
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 func init() {
@@ -92,9 +92,36 @@ func (d *DebianDistribution) detectDMSGreeter() deps.Dependency {
 }
 
 func (d *DebianDistribution) packageInstalled(pkg string) bool {
-	cmd := exec.Command("dpkg", "-l", pkg)
-	err := cmd.Run()
-	return err == nil
+	return debianPackageInstalledPrecisely(pkg)
+}
+
+func debianPackageInstalledPrecisely(pkg string) bool {
+	cmd := exec.Command("dpkg-query", "-W", "-f=${db:Status-Status}", pkg)
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+	return strings.TrimSpace(string(output)) == "installed"
+}
+
+func containsString(values []string, target string) bool {
+	for _, value := range values {
+		if value == target {
+			return true
+		}
+	}
+	return false
+}
+
+func debianRepoArchitecture(arch string) string {
+	switch arch {
+	case "amd64", "x86_64":
+		return "amd64"
+	case "arm64", "aarch64":
+		return "arm64"
+	default:
+		return arch
+	}
 }
 
 func (d *DebianDistribution) GetPackageMapping(wm deps.WindowManager) map[string]PackageMapping {
@@ -165,7 +192,7 @@ func (d *DebianDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 		LogOutput:  "Updating APT package lists",
 	}
 
-	updateCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get update")
+	updateCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get update")
 	if err := d.runWithProgress(updateCmd, progressChan, PhasePrerequisites, 0.06, 0.07); err != nil {
 		return fmt.Errorf("failed to update package lists: %w", err)
 	}
@@ -182,7 +209,7 @@ func (d *DebianDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 
 	checkCmd := exec.CommandContext(ctx, "dpkg", "-l", "build-essential")
 	if err := checkCmd.Run(); err != nil {
-		cmd := ExecSudoCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential")
+		cmd := privesc.ExecCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential")
 		if err := d.runWithProgress(cmd, progressChan, PhasePrerequisites, 0.08, 0.09); err != nil {
 			return fmt.Errorf("failed to install build-essential: %w", err)
 		}
@@ -194,12 +221,12 @@ func (d *DebianDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 		Step:        "Installing development dependencies...",
 		IsComplete:  false,
 		NeedsSudo:   true,
-		CommandInfo: "sudo apt-get install -y curl wget git cmake ninja-build pkg-config libxcb-cursor-dev libglib2.0-dev libpolkit-agent-1-dev",
+		CommandInfo: "sudo apt-get install -y curl wget git cmake ninja-build pkg-config gnupg libxcb-cursor-dev libglib2.0-dev libpolkit-agent-1-dev",
 		LogOutput:   "Installing additional development tools",
 	}
 
-	devToolsCmd := ExecSudoCommand(ctx, sudoPassword,
-		"DEBIAN_FRONTEND=noninteractive apt-get install -y curl wget git cmake ninja-build pkg-config libxcb-cursor-dev libglib2.0-dev libpolkit-agent-1-dev libjpeg-dev libpugixml-dev")
+	devToolsCmd := privesc.ExecCommand(ctx, sudoPassword,
+		"DEBIAN_FRONTEND=noninteractive apt-get install -y curl wget git cmake ninja-build pkg-config gnupg libxcb-cursor-dev libglib2.0-dev libpolkit-agent-1-dev libjpeg-dev libpugixml-dev")
 	if err := d.runWithProgress(devToolsCmd, progressChan, PhasePrerequisites, 0.10, 0.12); err != nil {
 		return fmt.Errorf("failed to install development tools: %w", err)
 	}
@@ -379,6 +406,14 @@ func (d *DebianDistribution) extractPackageNames(packages []PackageMapping) []st
 	return names
 }
 
+func (d *DebianDistribution) aptInstallArgs(packages []string, minimal bool) []string {
+	args := []string{"DEBIAN_FRONTEND=noninteractive", "apt-get", "install", "-y"}
+	if minimal {
+		args = append(args, "--no-install-recommends")
+	}
+	return append(args, packages...)
+}
+
 func (d *DebianDistribution) enableOBSRepos(ctx context.Context, obsPkgs []PackageMapping, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
 	enabledRepos := make(map[string]bool)
 
@@ -416,7 +451,7 @@ func (d *DebianDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Packa
 			keyringPath := fmt.Sprintf("/etc/apt/keyrings/%s.gpg", repoName)
 
 			// Create keyrings directory if it doesn't exist
-			mkdirCmd := ExecSudoCommand(ctx, sudoPassword, "mkdir -p /etc/apt/keyrings")
+			mkdirCmd := privesc.ExecCommand(ctx, sudoPassword, "mkdir -p /etc/apt/keyrings")
 			if err := mkdirCmd.Run(); err != nil {
 				d.log(fmt.Sprintf("Warning: failed to create keyrings directory: %v", err))
 			}
@@ -430,13 +465,13 @@ func (d *DebianDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Packa
 			}
 
 			keyCmd := fmt.Sprintf("bash -c 'rm -f %s && curl -fsSL %s/Release.key | gpg --batch --dearmor -o %s'", keyringPath, baseURL, keyringPath)
-			cmd := ExecSudoCommand(ctx, sudoPassword, keyCmd)
+			cmd := privesc.ExecCommand(ctx, sudoPassword, keyCmd)
 			if err := d.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.18, 0.20); err != nil {
 				return fmt.Errorf("failed to add OBS GPG key for %s: %w", pkg.RepoURL, err)
 			}
 
 			// Add repository
-			repoLine := fmt.Sprintf("deb [signed-by=%s arch=%s] %s/ /", keyringPath, runtime.GOARCH, baseURL)
+			repoLine := fmt.Sprintf("deb [signed-by=%s arch=%s] %s/ /", keyringPath, debianRepoArchitecture(osInfo.Architecture), baseURL)
 
 			progressChan <- InstallProgressMsg{
 				Phase:       PhaseSystemPackages,
@@ -446,7 +481,7 @@ func (d *DebianDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Packa
 				CommandInfo: fmt.Sprintf("echo '%s' | sudo tee %s", repoLine, listFile),
 			}
 
-			addRepoCmd := ExecSudoCommand(ctx, sudoPassword,
+			addRepoCmd := privesc.ExecCommand(ctx, sudoPassword,
 				fmt.Sprintf("bash -c \"echo '%s' | tee %s\"", repoLine, listFile))
 			if err := d.runWithProgress(addRepoCmd, progressChan, PhaseSystemPackages, 0.20, 0.22); err != nil {
 				return fmt.Errorf("failed to add OBS repo %s: %w", pkg.RepoURL, err)
@@ -466,7 +501,7 @@ func (d *DebianDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Packa
 			CommandInfo: "sudo apt-get update",
 		}
 
-		updateCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get update")
+		updateCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get update")
 		if err := d.runWithProgress(updateCmd, progressChan, PhaseSystemPackages, 0.25, 0.27); err != nil {
 			return fmt.Errorf("failed to update package lists after adding OBS repos: %w", err)
 		}
@@ -482,20 +517,46 @@ func (d *DebianDistribution) installAPTPackages(ctx context.Context, packages []
 
 	d.log(fmt.Sprintf("Installing APT packages: %s", strings.Join(packages, ", ")))
 
-	args := []string{"DEBIAN_FRONTEND=noninteractive", "apt-get", "install", "-y"}
-	args = append(args, packages...)
+	groups := orderedMinimalInstallGroups(packages)
+	totalGroups := len(groups)
 
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseSystemPackages,
-		Progress:    0.40,
-		Step:        "Installing system packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+	groupIndex := 0
+	installGroup := func(groupPackages []string, minimal bool) error {
+		if len(groupPackages) == 0 {
+			return nil
+		}
+
+		groupIndex++
+		startProgress := 0.40
+		endProgress := 0.60
+		if totalGroups > 1 {
+			if groupIndex == 1 {
+				endProgress = 0.50
+			} else {
+				startProgress = 0.50
+			}
+		}
+
+		args := d.aptInstallArgs(groupPackages, minimal)
+		progressChan <- InstallProgressMsg{
+			Phase:       PhaseSystemPackages,
+			Progress:    startProgress,
+			Step:        "Installing system packages...",
+			IsComplete:  false,
+			NeedsSudo:   true,
+			CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+		}
+
+		cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
+		return d.runWithProgress(cmd, progressChan, PhaseSystemPackages, startProgress, endProgress)
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return d.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60)
+	for _, group := range groups {
+		if err := installGroup(group.packages, group.minimal); err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func (d *DebianDistribution) installBuildDependencies(ctx context.Context, manualPkgs []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -574,7 +635,7 @@ func (d *DebianDistribution) installBuildDependencies(ctx context.Context, manua
 	args := []string{"apt-get", "install", "-y"}
 	args = append(args, depList...)
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	return d.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.80, 0.82)
 }
 
@@ -592,7 +653,7 @@ func (d *DebianDistribution) installRust(ctx context.Context, sudoPassword strin
 		CommandInfo: "sudo apt-get install rustup",
 	}
 
-	rustupInstallCmd := ExecSudoCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y rustup")
+	rustupInstallCmd := privesc.ExecCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y rustup")
 	if err := d.runWithProgress(rustupInstallCmd, progressChan, PhaseSystemPackages, 0.82, 0.83); err != nil {
 		return fmt.Errorf("failed to install rustup: %w", err)
 	}
@@ -631,7 +692,7 @@ func (d *DebianDistribution) installGo(ctx context.Context, sudoPassword string,
 		CommandInfo: "sudo apt-get install golang-go",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y golang-go")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "DEBIAN_FRONTEND=noninteractive apt-get install -y golang-go")
 	return d.runWithProgress(installCmd, progressChan, PhaseSystemPackages, 0.87, 0.90)
 }
 

core/internal/distros/fedora.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 func init() {
@@ -254,7 +255,7 @@ func (f *FedoraDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 
 	args := []string{"dnf", "install", "-y"}
 	args = append(args, missingPkgs...)
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		f.logError("failed to install prerequisites", err)
@@ -437,7 +438,7 @@ func (f *FedoraDistribution) enableCOPRRepos(ctx context.Context, coprPkgs []Pac
 				CommandInfo: fmt.Sprintf("sudo dnf copr enable -y %s", pkg.RepoURL),
 			}
 
-			cmd := ExecSudoCommand(ctx, sudoPassword,
+			cmd := privesc.ExecCommand(ctx, sudoPassword,
 				fmt.Sprintf("dnf copr enable -y %s 2>&1", pkg.RepoURL))
 			output, err := cmd.CombinedOutput()
 			if err != nil {
@@ -461,7 +462,7 @@ func (f *FedoraDistribution) enableCOPRRepos(ctx context.Context, coprPkgs []Pac
 					CommandInfo: fmt.Sprintf("echo \"priority=1\" | sudo tee -a %s", repoFile),
 				}
 
-				priorityCmd := ExecSudoCommand(ctx, sudoPassword,
+				priorityCmd := privesc.ExecCommand(ctx, sudoPassword,
 					fmt.Sprintf("bash -c 'echo \"priority=1\" | tee -a %s'", repoFile))
 				priorityOutput, err := priorityCmd.CombinedOutput()
 				if err != nil {
@@ -484,28 +485,7 @@ func (f *FedoraDistribution) installDNFPackages(ctx context.Context, packages []
 
 	f.log(fmt.Sprintf("Installing DNF packages: %s", strings.Join(packages, ", ")))
 
-	args := []string{"dnf", "install", "-y"}
-
-	for _, pkg := range packages {
-		if pkg == "niri" || pkg == "niri-git" {
-			args = append(args, "--setopt=install_weak_deps=False")
-			break
-		}
-	}
-
-	args = append(args, packages...)
-
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseSystemPackages,
-		Progress:    0.40,
-		Step:        "Installing system packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
-	}
-
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return f.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60)
+	return f.installDNFGroups(ctx, packages, sudoPassword, progressChan, PhaseSystemPackages, "Installing system packages...", 0.40, 0.60)
 }
 
 func (f *FedoraDistribution) installCOPRPackages(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -515,26 +495,57 @@ func (f *FedoraDistribution) installCOPRPackages(ctx context.Context, packages [
 
 	f.log(fmt.Sprintf("Installing COPR packages: %s", strings.Join(packages, ", ")))
 
-	args := []string{"dnf", "install", "-y"}
+	return f.installDNFGroups(ctx, packages, sudoPassword, progressChan, PhaseAURPackages, "Installing COPR packages...", 0.70, 0.85)
+}
 
-	for _, pkg := range packages {
-		if pkg == "niri" || pkg == "niri-git" {
-			args = append(args, "--setopt=install_weak_deps=False")
-			break
+func (f *FedoraDistribution) dnfInstallArgs(packages []string, minimal bool) []string {
+	args := []string{"dnf", "install", "-y"}
+	if minimal {
+		args = append(args, "--setopt=install_weak_deps=False")
+	}
+	return append(args, packages...)
+}
+
+func (f *FedoraDistribution) installDNFGroups(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg, phase InstallPhase, step string, startProgress float64, endProgress float64) error {
+	groups := orderedMinimalInstallGroups(packages)
+	totalGroups := len(groups)
+
+	groupIndex := 0
+	installGroup := func(groupPackages []string, minimal bool) error {
+		if len(groupPackages) == 0 {
+			return nil
+		}
+
+		groupIndex++
+		groupStart := startProgress
+		groupEnd := endProgress
+		if totalGroups > 1 {
+			midpoint := startProgress + ((endProgress - startProgress) / 2)
+			if groupIndex == 1 {
+				groupEnd = midpoint
+			} else {
+				groupStart = midpoint
+			}
+		}
+
+		args := f.dnfInstallArgs(groupPackages, minimal)
+		progressChan <- InstallProgressMsg{
+			Phase:       phase,
+			Progress:    groupStart,
+			Step:        step,
+			IsComplete:  false,
+			NeedsSudo:   true,
+			CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+		}
+
+		cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
+		return f.runWithProgress(cmd, progressChan, phase, groupStart, groupEnd)
+	}
+
+	for _, group := range groups {
+		if err := installGroup(group.packages, group.minimal); err != nil {
+			return err
 		}
 	}
-
-	args = append(args, packages...)
-
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseAURPackages,
-		Progress:    0.70,
-		Step:        "Installing COPR packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
-	}
-
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return f.runWithProgress(cmd, progressChan, PhaseAURPackages, 0.70, 0.85)
+	return nil
 }

core/internal/distros/gentoo.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 var GentooGlobalUseFlags = []string{
@@ -201,9 +202,9 @@ func (g *GentooDistribution) setGlobalUseFlags(ctx context.Context, sudoPassword
 
 	var cmd *exec.Cmd
 	if hasUse {
-		cmd = ExecSudoCommand(ctx, sudoPassword, fmt.Sprintf("sed -i 's/^USE=\"\\(.*\\)\"/USE=\"\\1 %s\"/' /etc/portage/make.conf", useFlags))
+		cmd = privesc.ExecCommand(ctx, sudoPassword, fmt.Sprintf("sed -i 's/^USE=\"\\(.*\\)\"/USE=\"\\1 %s\"/' /etc/portage/make.conf", useFlags))
 	} else {
-		cmd = ExecSudoCommand(ctx, sudoPassword, fmt.Sprintf("bash -c \"echo 'USE=\\\"%s\\\"' >> /etc/portage/make.conf\"", useFlags))
+		cmd = privesc.ExecCommand(ctx, sudoPassword, fmt.Sprintf("bash -c \"echo 'USE=\\\"%s\\\"' >> /etc/portage/make.conf\"", useFlags))
 	}
 
 	output, err := cmd.CombinedOutput()
@@ -281,7 +282,7 @@ func (g *GentooDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 		LogOutput:   "Syncing Portage tree with emerge --sync",
 	}
 
-	syncCmd := ExecSudoCommand(ctx, sudoPassword, "emerge --sync --quiet")
+	syncCmd := privesc.ExecCommand(ctx, sudoPassword, "emerge --sync --quiet")
 	syncOutput, syncErr := syncCmd.CombinedOutput()
 	if syncErr != nil {
 		g.log(fmt.Sprintf("emerge --sync output: %s", string(syncOutput)))
@@ -302,7 +303,7 @@ func (g *GentooDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 
 	args := []string{"emerge", "--ask=n", "--quiet"}
 	args = append(args, missingPkgs...)
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		g.logError("failed to install prerequisites", err)
@@ -503,14 +504,14 @@ func (g *GentooDistribution) installPortagePackages(ctx context.Context, package
 		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	return g.runWithProgressTimeout(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60, 0)
 }
 
 func (g *GentooDistribution) setPackageUseFlags(ctx context.Context, packageName, useFlags, sudoPassword string) error {
 	packageUseDir := "/etc/portage/package.use"
 
-	mkdirCmd := ExecSudoCommand(ctx, sudoPassword,
+	mkdirCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("mkdir -p %s", packageUseDir))
 	if output, err := mkdirCmd.CombinedOutput(); err != nil {
 		g.log(fmt.Sprintf("mkdir output: %s", string(output)))
@@ -524,7 +525,7 @@ func (g *GentooDistribution) setPackageUseFlags(ctx context.Context, packageName
 	if checkExistingCmd.Run() == nil {
 		g.log(fmt.Sprintf("Updating USE flags for %s from existing entry", packageName))
 		escapedPkg := strings.ReplaceAll(packageName, "/", "\\/")
-		replaceCmd := ExecSudoCommand(ctx, sudoPassword,
+		replaceCmd := privesc.ExecCommand(ctx, sudoPassword,
 			fmt.Sprintf("sed -i '/^%s /d' %s/danklinux; exit_code=$?; exit $exit_code", escapedPkg, packageUseDir))
 		if output, err := replaceCmd.CombinedOutput(); err != nil {
 			g.log(fmt.Sprintf("sed delete output: %s", string(output)))
@@ -532,7 +533,7 @@ func (g *GentooDistribution) setPackageUseFlags(ctx context.Context, packageName
 		}
 	}
 
-	appendCmd := ExecSudoCommand(ctx, sudoPassword,
+	appendCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("bash -c \"echo '%s' >> %s/danklinux\"", useFlagLine, packageUseDir))
 
 	output, err := appendCmd.CombinedOutput()
@@ -557,7 +558,7 @@ func (g *GentooDistribution) syncGURURepo(ctx context.Context, sudoPassword stri
 	}
 
 	// Enable GURU repository
-	enableCmd := ExecSudoCommand(ctx, sudoPassword,
+	enableCmd := privesc.ExecCommand(ctx, sudoPassword,
 		"eselect repository enable guru 2>&1; exit_code=$?; exit $exit_code")
 	output, err := enableCmd.CombinedOutput()
 
@@ -589,7 +590,7 @@ func (g *GentooDistribution) syncGURURepo(ctx context.Context, sudoPassword stri
 		LogOutput:   "Syncing GURU repository",
 	}
 
-	syncCmd := ExecSudoCommand(ctx, sudoPassword,
+	syncCmd := privesc.ExecCommand(ctx, sudoPassword,
 		"emaint sync --repo guru 2>&1; exit_code=$?; exit $exit_code")
 	syncOutput, syncErr := syncCmd.CombinedOutput()
 
@@ -622,7 +623,7 @@ func (g *GentooDistribution) setPackageAcceptKeywords(ctx context.Context, packa
 
 	acceptKeywordsDir := "/etc/portage/package.accept_keywords"
 
-	mkdirCmd := ExecSudoCommand(ctx, sudoPassword,
+	mkdirCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("mkdir -p %s", acceptKeywordsDir))
 	if output, err := mkdirCmd.CombinedOutput(); err != nil {
 		g.log(fmt.Sprintf("mkdir output: %s", string(output)))
@@ -636,7 +637,7 @@ func (g *GentooDistribution) setPackageAcceptKeywords(ctx context.Context, packa
 	if checkExistingCmd.Run() == nil {
 		g.log(fmt.Sprintf("Updating accept keywords for %s from existing entry", packageName))
 		escapedPkg := strings.ReplaceAll(packageName, "/", "\\/")
-		replaceCmd := ExecSudoCommand(ctx, sudoPassword,
+		replaceCmd := privesc.ExecCommand(ctx, sudoPassword,
 			fmt.Sprintf("sed -i '/^%s /d' %s/danklinux; exit_code=$?; exit $exit_code", escapedPkg, acceptKeywordsDir))
 		if output, err := replaceCmd.CombinedOutput(); err != nil {
 			g.log(fmt.Sprintf("sed delete output: %s", string(output)))
@@ -644,7 +645,7 @@ func (g *GentooDistribution) setPackageAcceptKeywords(ctx context.Context, packa
 		}
 	}
 
-	appendCmd := ExecSudoCommand(ctx, sudoPassword,
+	appendCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("bash -c \"echo '%s' >> %s/danklinux\"", keywordLine, acceptKeywordsDir))
 
 	output, err := appendCmd.CombinedOutput()
@@ -695,6 +696,6 @@ func (g *GentooDistribution) installGURUPackages(ctx context.Context, packages [
 		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	return g.runWithProgressTimeout(cmd, progressChan, PhaseAURPackages, 0.70, 0.85, 0)
 }

core/internal/distros/manual_packages.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 // ManualPackageInstaller provides methods for installing packages from source
@@ -143,7 +144,7 @@ func (m *ManualPackageInstaller) installDgop(ctx context.Context, sudoPassword s
 		CommandInfo: "sudo make install",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "make install")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "make install")
 	installCmd.Dir = tmpDir
 	if err := installCmd.Run(); err != nil {
 		m.logError("failed to install dgop", err)
@@ -213,7 +214,7 @@ func (m *ManualPackageInstaller) installNiri(ctx context.Context, sudoPassword s
 		CommandInfo: "dpkg -i niri.deb",
 	}
 
-	installDebCmd := ExecSudoCommand(ctx, sudoPassword,
+	installDebCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("dpkg -i %s/target/debian/niri_*.deb", buildDir))
 
 	output, err := installDebCmd.CombinedOutput()
@@ -324,7 +325,7 @@ func (m *ManualPackageInstaller) installQuickshell(ctx context.Context, variant
 		CommandInfo: "sudo cmake --install build",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "cmake --install build")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "cmake --install build")
 	installCmd.Dir = tmpDir
 	if err := installCmd.Run(); err != nil {
 		return fmt.Errorf("failed to install quickshell: %w", err)
@@ -387,7 +388,7 @@ func (m *ManualPackageInstaller) installHyprland(ctx context.Context, sudoPasswo
 		CommandInfo: "sudo make install",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "make install")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "make install")
 	installCmd.Dir = tmpDir
 	if err := installCmd.Run(); err != nil {
 		return fmt.Errorf("failed to install Hyprland: %w", err)
@@ -453,7 +454,7 @@ func (m *ManualPackageInstaller) installGhostty(ctx context.Context, sudoPasswor
 		CommandInfo: "sudo cp zig-out/bin/ghostty /usr/local/bin/",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword,
+	installCmd := privesc.ExecCommand(ctx, sudoPassword,
 		fmt.Sprintf("cp %s/zig-out/bin/ghostty /usr/local/bin/", tmpDir))
 	if err := installCmd.Run(); err != nil {
 		return fmt.Errorf("failed to install Ghostty: %w", err)
@@ -492,16 +493,11 @@ func (m *ManualPackageInstaller) installMatugen(ctx context.Context, sudoPasswor
 		CommandInfo: fmt.Sprintf("sudo cp %s %s", sourcePath, targetPath),
 	}
 
-	copyCmd := exec.CommandContext(ctx, "sudo", "-S", "cp", sourcePath, targetPath)
-	copyCmd.Stdin = strings.NewReader(sudoPassword + "\n")
-	if err := copyCmd.Run(); err != nil {
+	if err := privesc.Run(ctx, sudoPassword, "cp", sourcePath, targetPath); err != nil {
 		return fmt.Errorf("failed to copy matugen to /usr/local/bin: %w", err)
 	}
 
-	// Make it executable
-	chmodCmd := exec.CommandContext(ctx, "sudo", "-S", "chmod", "+x", targetPath)
-	chmodCmd.Stdin = strings.NewReader(sudoPassword + "\n")
-	if err := chmodCmd.Run(); err != nil {
+	if err := privesc.Run(ctx, sudoPassword, "chmod", "+x", targetPath); err != nil {
 		return fmt.Errorf("failed to make matugen executable: %w", err)
 	}
 
@@ -646,15 +642,11 @@ func (m *ManualPackageInstaller) installXwaylandSatellite(ctx context.Context, s
 		CommandInfo: fmt.Sprintf("sudo cp %s %s", sourcePath, targetPath),
 	}
 
-	copyCmd := exec.CommandContext(ctx, "sudo", "-S", "cp", sourcePath, targetPath)
-	copyCmd.Stdin = strings.NewReader(sudoPassword + "\n")
-	if err := copyCmd.Run(); err != nil {
+	if err := privesc.Run(ctx, sudoPassword, "cp", sourcePath, targetPath); err != nil {
 		return fmt.Errorf("failed to copy xwayland-satellite to /usr/local/bin: %w", err)
 	}
 
-	chmodCmd := exec.CommandContext(ctx, "sudo", "-S", "chmod", "+x", targetPath)
-	chmodCmd.Stdin = strings.NewReader(sudoPassword + "\n")
-	if err := chmodCmd.Run(); err != nil {
+	if err := privesc.Run(ctx, sudoPassword, "chmod", "+x", targetPath); err != nil {
 		return fmt.Errorf("failed to make xwayland-satellite executable: %w", err)
 	}
 

core/internal/distros/minimal_install.go

@@ -0,0 +1,44 @@
+package distros
+
+type minimalInstallGroup struct {
+	packages []string
+	minimal  bool
+}
+
+func shouldPreferMinimalInstall(pkg string) bool {
+	switch pkg {
+	case "niri", "niri-git":
+		return true
+	default:
+		return false
+	}
+}
+
+func splitMinimalInstallPackages(packages []string) (normal []string, minimal []string) {
+	for _, pkg := range packages {
+		if shouldPreferMinimalInstall(pkg) {
+			minimal = append(minimal, pkg)
+			continue
+		}
+		normal = append(normal, pkg)
+	}
+	return normal, minimal
+}
+
+func orderedMinimalInstallGroups(packages []string) []minimalInstallGroup {
+	normal, minimal := splitMinimalInstallPackages(packages)
+	groups := make([]minimalInstallGroup, 0, 2)
+	if len(minimal) > 0 {
+		groups = append(groups, minimalInstallGroup{
+			packages: minimal,
+			minimal:  true,
+		})
+	}
+	if len(normal) > 0 {
+		groups = append(groups, minimalInstallGroup{
+			packages: normal,
+			minimal:  false,
+		})
+	}
+	return groups
+}

core/internal/distros/opensuse.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 func init() {
@@ -29,6 +30,8 @@ type OpenSUSEDistribution struct {
 	config DistroConfig
 }
 
+const openSUSENiriWaylandServerPackage = "libwayland-server0"
+
 func NewOpenSUSEDistribution(config DistroConfig, logChan chan<- string) *OpenSUSEDistribution {
 	base := NewBaseDistribution(logChan)
 	return &OpenSUSEDistribution{
@@ -199,35 +202,7 @@ func (o *OpenSUSEDistribution) detectAccountsService() deps.Dependency {
 }
 
 func (o *OpenSUSEDistribution) getPrerequisites() []string {
-	return []string{
-		"make",
-		"unzip",
-		"gcc",
-		"gcc-c++",
-		"cmake",
-		"ninja",
-		"pkgconf-pkg-config",
-		"git",
-		"qt6-base-devel",
-		"qt6-declarative-devel",
-		"qt6-declarative-private-devel",
-		"qt6-shadertools",
-		"qt6-shadertools-devel",
-		"qt6-wayland-devel",
-		"qt6-waylandclient-private-devel",
-		"spirv-tools-devel",
-		"cli11-devel",
-		"wayland-protocols-devel",
-		"libgbm-devel",
-		"libdrm-devel",
-		"pipewire-devel",
-		"jemalloc-devel",
-		"wayland-utils",
-		"Mesa-libGLESv3-devel",
-		"pam-devel",
-		"glib2-devel",
-		"polkit-devel",
-	}
+	return []string{}
 }
 
 func (o *OpenSUSEDistribution) InstallPrerequisites(ctx context.Context, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -275,7 +250,7 @@ func (o *OpenSUSEDistribution) InstallPrerequisites(ctx context.Context, sudoPas
 
 	args := []string{"zypper", "install", "-y"}
 	args = append(args, missingPkgs...)
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		o.logError("failed to install prerequisites", err)
@@ -297,6 +272,10 @@ func (o *OpenSUSEDistribution) InstallPackages(ctx context.Context, dependencies
 		LogOutput:  "Starting prerequisite check...",
 	}
 
+	if err := o.disableInstallMediaRepos(ctx, sudoPassword, progressChan); err != nil {
+		return fmt.Errorf("failed to disable install media repositories: %w", err)
+	}
+
 	if err := o.InstallPrerequisites(ctx, sudoPassword, progressChan); err != nil {
 		return fmt.Errorf("failed to install prerequisites: %w", err)
 	}
@@ -327,7 +306,7 @@ func (o *OpenSUSEDistribution) InstallPackages(ctx context.Context, dependencies
 			NeedsSudo:  true,
 			LogOutput:  fmt.Sprintf("Installing system packages: %s", strings.Join(systemPkgs, ", ")),
 		}
-		if err := o.installZypperPackages(ctx, systemPkgs, sudoPassword, progressChan); err != nil {
+		if err := o.installZypperPackages(ctx, systemPkgs, sudoPassword, progressChan, PhaseSystemPackages, "Installing system packages...", 0.40, 0.60); err != nil {
 			return fmt.Errorf("failed to install zypper packages: %w", err)
 		}
 	}
@@ -342,7 +321,7 @@ func (o *OpenSUSEDistribution) InstallPackages(ctx context.Context, dependencies
 			IsComplete: false,
 			LogOutput:  fmt.Sprintf("Installing OBS packages: %s", strings.Join(obsPkgNames, ", ")),
 		}
-		if err := o.installZypperPackages(ctx, obsPkgNames, sudoPassword, progressChan); err != nil {
+		if err := o.installZypperPackages(ctx, obsPkgNames, sudoPassword, progressChan, PhaseAURPackages, "Installing OBS packages...", 0.70, 0.85); err != nil {
 			return fmt.Errorf("failed to install OBS packages: %w", err)
 		}
 	}
@@ -432,9 +411,32 @@ func (o *OpenSUSEDistribution) categorizePackages(dependencies []deps.Dependency
 		}
 	}
 
+	systemPkgs = o.appendMissingSystemPackages(systemPkgs, openSUSENiriRuntimePackages(wm, disabledFlags))
+
 	return systemPkgs, obsPkgs, manualPkgs, variantMap
 }
 
+func openSUSENiriRuntimePackages(wm deps.WindowManager, disabledFlags map[string]bool) []string {
+	if wm != deps.WindowManagerNiri || disabledFlags["niri"] {
+		return nil
+	}
+
+	return []string{openSUSENiriWaylandServerPackage}
+}
+
+func (o *OpenSUSEDistribution) appendMissingSystemPackages(systemPkgs []string, extraPkgs []string) []string {
+	for _, pkg := range extraPkgs {
+		if containsString(systemPkgs, pkg) || o.packageInstalled(pkg) {
+			continue
+		}
+
+		o.log(fmt.Sprintf("Adding openSUSE runtime package: %s", pkg))
+		systemPkgs = append(systemPkgs, pkg)
+	}
+
+	return systemPkgs
+}
+
 func (o *OpenSUSEDistribution) extractPackageNames(packages []PackageMapping) []string {
 	names := make([]string, len(packages))
 	for i, pkg := range packages {
@@ -484,7 +486,7 @@ func (o *OpenSUSEDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Pac
 				CommandInfo: fmt.Sprintf("sudo zypper addrepo %s", repoURL),
 			}
 
-			cmd := ExecSudoCommand(ctx, sudoPassword,
+			cmd := privesc.ExecCommand(ctx, sudoPassword,
 				fmt.Sprintf("zypper addrepo -f %s", repoURL))
 			if err := o.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.20, 0.22); err != nil {
 				o.log(fmt.Sprintf("OBS repo %s add failed (may already exist): %v", pkg.RepoURL, err))
@@ -505,7 +507,7 @@ func (o *OpenSUSEDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Pac
 			CommandInfo: "sudo zypper --gpg-auto-import-keys refresh",
 		}
 
-		refreshCmd := ExecSudoCommand(ctx, sudoPassword, "zypper --gpg-auto-import-keys refresh")
+		refreshCmd := privesc.ExecCommand(ctx, sudoPassword, "zypper --gpg-auto-import-keys refresh")
 		if err := o.runWithProgress(refreshCmd, progressChan, PhaseSystemPackages, 0.25, 0.27); err != nil {
 			return fmt.Errorf("failed to refresh repositories: %w", err)
 		}
@@ -514,27 +516,146 @@ func (o *OpenSUSEDistribution) enableOBSRepos(ctx context.Context, obsPkgs []Pac
 	return nil
 }
 
-func (o *OpenSUSEDistribution) installZypperPackages(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
+func isOpenSUSEInstallMediaURI(uri string) bool {
+	normalizedURI := strings.ToLower(strings.TrimSpace(uri))
+
+	return strings.HasPrefix(normalizedURI, "cd:/") ||
+		strings.HasPrefix(normalizedURI, "dvd:/") ||
+		strings.HasPrefix(normalizedURI, "hd:/") ||
+		strings.HasPrefix(normalizedURI, "iso:/")
+}
+
+func parseZypperInstallMediaAliases(output string) []string {
+	var aliases []string
+
+	for _, line := range strings.Split(output, "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || !strings.Contains(line, "|") {
+			continue
+		}
+
+		parts := strings.Split(line, "|")
+		if len(parts) < 7 {
+			continue
+		}
+
+		for i := range parts {
+			parts[i] = strings.TrimSpace(parts[i])
+		}
+
+		alias := parts[1]
+		enabled := strings.ToLower(parts[3])
+		uri := parts[len(parts)-1]
+
+		if alias == "" || strings.EqualFold(alias, "alias") {
+			continue
+		}
+		if enabled != "" && enabled != "yes" {
+			continue
+		}
+		if !isOpenSUSEInstallMediaURI(uri) {
+			continue
+		}
+
+		aliases = append(aliases, alias)
+	}
+
+	return aliases
+}
+
+func (o *OpenSUSEDistribution) disableInstallMediaRepos(ctx context.Context, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
+	listCmd := exec.CommandContext(ctx, "zypper", "repos", "-u")
+	output, err := listCmd.CombinedOutput()
+	if err != nil {
+		o.log(fmt.Sprintf("Warning: failed to list zypper repositories: %s", strings.TrimSpace(string(output))))
+		return fmt.Errorf("failed to list zypper repositories: %w", err)
+	}
+
+	aliases := parseZypperInstallMediaAliases(string(output))
+	if len(aliases) == 0 {
+		return nil
+	}
+
+	o.log(fmt.Sprintf("Disabling install media repositories: %s", strings.Join(aliases, ", ")))
+	progressChan <- InstallProgressMsg{
+		Phase:       PhasePrerequisites,
+		Progress:    0.055,
+		Step:        "Disabling install media repositories...",
+		IsComplete:  false,
+		NeedsSudo:   true,
+		CommandInfo: fmt.Sprintf("sudo zypper modifyrepo -d %s", strings.Join(aliases, " ")),
+		LogOutput:   fmt.Sprintf("Disabling install media repositories: %s", strings.Join(aliases, ", ")),
+	}
+
+	for _, alias := range aliases {
+		cmd := privesc.ExecCommand(ctx, sudoPassword, fmt.Sprintf("zypper modifyrepo -d '%s'", privesc.EscapeSingleQuotes(alias)))
+		repoOutput, err := cmd.CombinedOutput()
+		if err != nil {
+			o.log(fmt.Sprintf("Failed to disable install media repo %s: %s", alias, strings.TrimSpace(string(repoOutput))))
+			return fmt.Errorf("failed to disable install media repo %s: %w", alias, err)
+		}
+		o.log(fmt.Sprintf("Disabled install media repo %s: %s", alias, strings.TrimSpace(string(repoOutput))))
+	}
+
+	return nil
+}
+
+func (o *OpenSUSEDistribution) zypperInstallArgs(packages []string, minimal bool) []string {
+	args := []string{"zypper", "install", "-y"}
+	if minimal {
+		args = append(args, "--no-recommends")
+	}
+	return append(args, packages...)
+}
+
+func (o *OpenSUSEDistribution) installZypperPackages(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg, phase InstallPhase, step string, startProgress float64, endProgress float64) error {
 	if len(packages) == 0 {
 		return nil
 	}
 
 	o.log(fmt.Sprintf("Installing zypper packages: %s", strings.Join(packages, ", ")))
 
-	args := []string{"zypper", "install", "-y"}
-	args = append(args, packages...)
+	groups := orderedMinimalInstallGroups(packages)
+	totalGroups := len(groups)
 
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseSystemPackages,
-		Progress:    0.40,
-		Step:        "Installing system packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+	groupIndex := 0
+	installGroup := func(groupPackages []string, minimal bool) error {
+		if len(groupPackages) == 0 {
+			return nil
+		}
+
+		groupIndex++
+		groupStart := startProgress
+		groupEnd := endProgress
+		if totalGroups > 1 {
+			midpoint := startProgress + ((endProgress - startProgress) / 2)
+			if groupIndex == 1 {
+				groupEnd = midpoint
+			} else {
+				groupStart = midpoint
+			}
+		}
+
+		args := o.zypperInstallArgs(groupPackages, minimal)
+		progressChan <- InstallProgressMsg{
+			Phase:       phase,
+			Progress:    groupStart,
+			Step:        step,
+			IsComplete:  false,
+			NeedsSudo:   true,
+			CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+		}
+
+		cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
+		return o.runWithProgress(cmd, progressChan, phase, groupStart, groupEnd)
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return o.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60)
+	for _, group := range groups {
+		if err := installGroup(group.packages, group.minimal); err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func (o *OpenSUSEDistribution) installQuickshell(ctx context.Context, variant deps.PackageVariant, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -653,7 +774,7 @@ func (o *OpenSUSEDistribution) installQuickshell(ctx context.Context, variant de
 		CommandInfo: "sudo cmake --install build",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "cmake --install build")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "cmake --install build")
 	installCmd.Dir = tmpDir
 	if err := installCmd.Run(); err != nil {
 		return fmt.Errorf("failed to install quickshell: %w", err)
@@ -677,7 +798,7 @@ func (o *OpenSUSEDistribution) installRust(ctx context.Context, sudoPassword str
 		CommandInfo: "sudo zypper install rustup",
 	}
 
-	rustupInstallCmd := ExecSudoCommand(ctx, sudoPassword, "zypper install -y rustup")
+	rustupInstallCmd := privesc.ExecCommand(ctx, sudoPassword, "zypper install -y rustup")
 	if err := o.runWithProgress(rustupInstallCmd, progressChan, PhaseSystemPackages, 0.82, 0.83); err != nil {
 		return fmt.Errorf("failed to install rustup: %w", err)
 	}

core/internal/distros/ubuntu.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )
 
 func init() {
@@ -100,9 +101,7 @@ func (u *UbuntuDistribution) detectDMSGreeter() deps.Dependency {
 }
 
 func (u *UbuntuDistribution) packageInstalled(pkg string) bool {
-	cmd := exec.Command("dpkg", "-l", pkg)
-	err := cmd.Run()
-	return err == nil
+	return debianPackageInstalledPrecisely(pkg)
 }
 
 func (u *UbuntuDistribution) GetPackageMapping(wm deps.WindowManager) map[string]PackageMapping {
@@ -179,7 +178,7 @@ func (u *UbuntuDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 		LogOutput:  "Updating APT package lists",
 	}
 
-	updateCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get update")
+	updateCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get update")
 	if err := u.runWithProgress(updateCmd, progressChan, PhasePrerequisites, 0.06, 0.07); err != nil {
 		return fmt.Errorf("failed to update package lists: %w", err)
 	}
@@ -197,7 +196,7 @@ func (u *UbuntuDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 	checkCmd := exec.CommandContext(ctx, "dpkg", "-l", "build-essential")
 	if err := checkCmd.Run(); err != nil {
 		// Not installed, install it
-		cmd := ExecSudoCommand(ctx, sudoPassword, "apt-get install -y build-essential")
+		cmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get install -y build-essential")
 		if err := u.runWithProgress(cmd, progressChan, PhasePrerequisites, 0.08, 0.09); err != nil {
 			return fmt.Errorf("failed to install build-essential: %w", err)
 		}
@@ -213,7 +212,7 @@ func (u *UbuntuDistribution) InstallPrerequisites(ctx context.Context, sudoPassw
 		LogOutput:   "Installing additional development tools",
 	}
 
-	devToolsCmd := ExecSudoCommand(ctx, sudoPassword,
+	devToolsCmd := privesc.ExecCommand(ctx, sudoPassword,
 		"apt-get install -y curl wget git cmake ninja-build pkg-config libglib2.0-dev libpolkit-agent-1-dev")
 	if err := u.runWithProgress(devToolsCmd, progressChan, PhasePrerequisites, 0.10, 0.12); err != nil {
 		return fmt.Errorf("failed to install development tools: %w", err)
@@ -400,7 +399,7 @@ func (u *UbuntuDistribution) extractPackageNames(packages []PackageMapping) []st
 func (u *UbuntuDistribution) enablePPARepos(ctx context.Context, ppaPkgs []PackageMapping, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
 	enabledRepos := make(map[string]bool)
 
-	installPPACmd := ExecSudoCommand(ctx, sudoPassword,
+	installPPACmd := privesc.ExecCommand(ctx, sudoPassword,
 		"apt-get install -y software-properties-common")
 	if err := u.runWithProgress(installPPACmd, progressChan, PhaseSystemPackages, 0.15, 0.17); err != nil {
 		return fmt.Errorf("failed to install software-properties-common: %w", err)
@@ -418,7 +417,7 @@ func (u *UbuntuDistribution) enablePPARepos(ctx context.Context, ppaPkgs []Packa
 				CommandInfo: fmt.Sprintf("sudo add-apt-repository -y %s", pkg.RepoURL),
 			}
 
-			cmd := ExecSudoCommand(ctx, sudoPassword,
+			cmd := privesc.ExecCommand(ctx, sudoPassword,
 				fmt.Sprintf("add-apt-repository -y %s", pkg.RepoURL))
 			if err := u.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.20, 0.22); err != nil {
 				u.logError(fmt.Sprintf("failed to enable PPA repo %s", pkg.RepoURL), err)
@@ -439,7 +438,7 @@ func (u *UbuntuDistribution) enablePPARepos(ctx context.Context, ppaPkgs []Packa
 			CommandInfo: "sudo apt-get update",
 		}
 
-		updateCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get update")
+		updateCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get update")
 		if err := u.runWithProgress(updateCmd, progressChan, PhaseSystemPackages, 0.25, 0.27); err != nil {
 			return fmt.Errorf("failed to update package lists after adding PPAs: %w", err)
 		}
@@ -454,21 +453,7 @@ func (u *UbuntuDistribution) installAPTPackages(ctx context.Context, packages []
 	}
 
 	u.log(fmt.Sprintf("Installing APT packages: %s", strings.Join(packages, ", ")))
-
-	args := []string{"apt-get", "install", "-y"}
-	args = append(args, packages...)
-
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseSystemPackages,
-		Progress:    0.40,
-		Step:        "Installing system packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
-	}
-
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return u.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.40, 0.60)
+	return u.installAPTGroups(ctx, packages, sudoPassword, progressChan, PhaseSystemPackages, "Installing system packages...", 0.40, 0.60)
 }
 
 func (u *UbuntuDistribution) installPPAPackages(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -477,21 +462,59 @@ func (u *UbuntuDistribution) installPPAPackages(ctx context.Context, packages []
 	}
 
 	u.log(fmt.Sprintf("Installing PPA packages: %s", strings.Join(packages, ", ")))
+	return u.installAPTGroups(ctx, packages, sudoPassword, progressChan, PhaseAURPackages, "Installing PPA packages...", 0.70, 0.85)
+}
 
-	args := []string{"apt-get", "install", "-y"}
-	args = append(args, packages...)
+func (u *UbuntuDistribution) aptInstallArgs(packages []string, minimal bool) []string {
+	args := []string{"DEBIAN_FRONTEND=noninteractive", "apt-get", "install", "-y"}
+	if minimal {
+		args = append(args, "--no-install-recommends")
+	}
+	return append(args, packages...)
+}
 
-	progressChan <- InstallProgressMsg{
-		Phase:       PhaseAURPackages,
-		Progress:    0.70,
-		Step:        "Installing PPA packages...",
-		IsComplete:  false,
-		NeedsSudo:   true,
-		CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+func (u *UbuntuDistribution) installAPTGroups(ctx context.Context, packages []string, sudoPassword string, progressChan chan<- InstallProgressMsg, phase InstallPhase, step string, startProgress float64, endProgress float64) error {
+	groups := orderedMinimalInstallGroups(packages)
+	totalGroups := len(groups)
+
+	groupIndex := 0
+	installGroup := func(groupPackages []string, minimal bool) error {
+		if len(groupPackages) == 0 {
+			return nil
+		}
+
+		groupIndex++
+		groupStart := startProgress
+		groupEnd := endProgress
+		if totalGroups > 1 {
+			midpoint := startProgress + ((endProgress - startProgress) / 2)
+			if groupIndex == 1 {
+				groupEnd = midpoint
+			} else {
+				groupStart = midpoint
+			}
+		}
+
+		args := u.aptInstallArgs(groupPackages, minimal)
+		progressChan <- InstallProgressMsg{
+			Phase:       phase,
+			Progress:    groupStart,
+			Step:        step,
+			IsComplete:  false,
+			NeedsSudo:   true,
+			CommandInfo: fmt.Sprintf("sudo %s", strings.Join(args, " ")),
+		}
+
+		cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
+		return u.runWithProgress(cmd, progressChan, phase, groupStart, groupEnd)
 	}
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
-	return u.runWithProgress(cmd, progressChan, PhaseAURPackages, 0.70, 0.85)
+	for _, group := range groups {
+		if err := installGroup(group.packages, group.minimal); err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func (u *UbuntuDistribution) installBuildDependencies(ctx context.Context, manualPkgs []string, sudoPassword string, progressChan chan<- InstallProgressMsg) error {
@@ -569,7 +592,7 @@ func (u *UbuntuDistribution) installBuildDependencies(ctx context.Context, manua
 	args := []string{"apt-get", "install", "-y"}
 	args = append(args, depList...)
 
-	cmd := ExecSudoCommand(ctx, sudoPassword, strings.Join(args, " "))
+	cmd := privesc.ExecCommand(ctx, sudoPassword, strings.Join(args, " "))
 	return u.runWithProgress(cmd, progressChan, PhaseSystemPackages, 0.80, 0.82)
 }
 
@@ -587,7 +610,7 @@ func (u *UbuntuDistribution) installRust(ctx context.Context, sudoPassword strin
 		CommandInfo: "sudo apt-get install rustup",
 	}
 
-	rustupInstallCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get install -y rustup")
+	rustupInstallCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get install -y rustup")
 	if err := u.runWithProgress(rustupInstallCmd, progressChan, PhaseSystemPackages, 0.82, 0.83); err != nil {
 		return fmt.Errorf("failed to install rustup: %w", err)
 	}
@@ -627,7 +650,7 @@ func (u *UbuntuDistribution) installGo(ctx context.Context, sudoPassword string,
 		CommandInfo: "sudo add-apt-repository ppa:longsleep/golang-backports",
 	}
 
-	addPPACmd := ExecSudoCommand(ctx, sudoPassword,
+	addPPACmd := privesc.ExecCommand(ctx, sudoPassword,
 		"add-apt-repository -y ppa:longsleep/golang-backports")
 	if err := u.runWithProgress(addPPACmd, progressChan, PhaseSystemPackages, 0.87, 0.88); err != nil {
 		return fmt.Errorf("failed to add Go PPA: %w", err)
@@ -642,7 +665,7 @@ func (u *UbuntuDistribution) installGo(ctx context.Context, sudoPassword string,
 		CommandInfo: "sudo apt-get update",
 	}
 
-	updateCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get update")
+	updateCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get update")
 	if err := u.runWithProgress(updateCmd, progressChan, PhaseSystemPackages, 0.88, 0.89); err != nil {
 		return fmt.Errorf("failed to update package lists after adding Go PPA: %w", err)
 	}
@@ -656,7 +679,7 @@ func (u *UbuntuDistribution) installGo(ctx context.Context, sudoPassword string,
 		CommandInfo: "sudo apt-get install golang-go",
 	}
 
-	installCmd := ExecSudoCommand(ctx, sudoPassword, "apt-get install -y golang-go")
+	installCmd := privesc.ExecCommand(ctx, sudoPassword, "apt-get install -y golang-go")
 	return u.runWithProgress(installCmd, progressChan, PhaseSystemPackages, 0.89, 0.90)
 }
 

core/internal/geolocation/client.go

@@ -1,42 +0,0 @@
-package geolocation
-
-import "github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-
-func NewClient() Client {
-	geoclueClient, err := newGeoClueClient()
-	if err != nil {
-		log.Warnf("GeoClue2 unavailable: %v", err)
-		return newSeededIpClient()
-	}
-
-	loc, _ := geoclueClient.GetLocation()
-	if loc.Latitude != 0 || loc.Longitude != 0 {
-		log.Info("Using GeoClue2 location")
-		return geoclueClient
-	}
-
-	log.Info("GeoClue2 has no fix yet, seeding with IP location")
-	ipLoc, err := fetchIPLocation()
-	if err != nil {
-		log.Warnf("IP location seed failed: %v", err)
-		return geoclueClient
-	}
-
-	log.Info("Seeded GeoClue2 with IP location")
-	geoclueClient.SeedLocation(Location{Latitude: ipLoc.Latitude, Longitude: ipLoc.Longitude})
-	return geoclueClient
-}
-
-func newSeededIpClient() *IpClient {
-	client := newIpClient()
-	ipLoc, err := fetchIPLocation()
-	if err != nil {
-		log.Warnf("IP location also failed: %v", err)
-		return client
-	}
-
-	log.Info("Using IP location")
-	client.currLocation.Latitude = ipLoc.Latitude
-	client.currLocation.Longitude = ipLoc.Longitude
-	return client
-}

core/internal/geolocation/client_geoclue.go

@@ -1,243 +0,0 @@
-package geolocation
-
-import (
-	"fmt"
-	"sync"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/dbusutil"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
-	"github.com/godbus/dbus/v5"
-)
-
-const (
-	dbusGeoClueService   = "org.freedesktop.GeoClue2"
-	dbusGeoCluePath      = "/org/freedesktop/GeoClue2"
-	dbusGeoClueInterface = dbusGeoClueService
-
-	dbusGeoClueManagerPath      = dbusGeoCluePath + "/Manager"
-	dbusGeoClueManagerInterface = dbusGeoClueInterface + ".Manager"
-	dbusGeoClueManagerGetClient = dbusGeoClueManagerInterface + ".GetClient"
-
-	dbusGeoClueClientInterface       = dbusGeoClueInterface + ".Client"
-	dbusGeoClueClientDesktopId       = dbusGeoClueClientInterface + ".DesktopId"
-	dbusGeoClueClientTimeThreshold   = dbusGeoClueClientInterface + ".TimeThreshold"
-	dbusGeoClueClientTimeStart       = dbusGeoClueClientInterface + ".Start"
-	dbusGeoClueClientTimeStop        = dbusGeoClueClientInterface + ".Stop"
-	dbusGeoClueClientLocationUpdated = dbusGeoClueClientInterface + ".LocationUpdated"
-
-	dbusGeoClueLocationInterface = dbusGeoClueInterface + ".Location"
-	dbusGeoClueLocationLatitude  = dbusGeoClueLocationInterface + ".Latitude"
-	dbusGeoClueLocationLongitude = dbusGeoClueLocationInterface + ".Longitude"
-)
-
-type GeoClueClient struct {
-	currLocation  *Location
-	locationMutex sync.RWMutex
-
-	dbusConn   *dbus.Conn
-	clientPath dbus.ObjectPath
-	signals    chan *dbus.Signal
-
-	stopChan chan struct{}
-	sigWG    sync.WaitGroup
-
-	subscribers syncmap.Map[string, chan Location]
-}
-
-func newGeoClueClient() (*GeoClueClient, error) {
-	dbusConn, err := dbus.ConnectSystemBus()
-	if err != nil {
-		return nil, fmt.Errorf("system bus connection failed: %w", err)
-	}
-
-	c := &GeoClueClient{
-		dbusConn: dbusConn,
-		stopChan: make(chan struct{}),
-		signals:  make(chan *dbus.Signal, 256),
-
-		currLocation: &Location{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		},
-	}
-
-	if err := c.setupClient(); err != nil {
-		dbusConn.Close()
-		return nil, err
-	}
-
-	if err := c.startSignalPump(); err != nil {
-		return nil, err
-	}
-
-	return c, nil
-}
-
-func (c *GeoClueClient) Close() {
-	close(c.stopChan)
-
-	c.sigWG.Wait()
-
-	if c.signals != nil {
-		c.dbusConn.RemoveSignal(c.signals)
-		close(c.signals)
-	}
-
-	c.subscribers.Range(func(key string, ch chan Location) bool {
-		close(ch)
-		c.subscribers.Delete(key)
-		return true
-	})
-
-	if c.dbusConn != nil {
-		c.dbusConn.Close()
-	}
-}
-
-func (c *GeoClueClient) Subscribe(id string) chan Location {
-	ch := make(chan Location, 64)
-	c.subscribers.Store(id, ch)
-	return ch
-}
-
-func (c *GeoClueClient) Unsubscribe(id string) {
-	if ch, ok := c.subscribers.LoadAndDelete(id); ok {
-		close(ch)
-	}
-}
-
-func (c *GeoClueClient) setupClient() error {
-	managerObj := c.dbusConn.Object(dbusGeoClueService, dbusGeoClueManagerPath)
-
-	if err := managerObj.Call(dbusGeoClueManagerGetClient, 0).Store(&c.clientPath); err != nil {
-		return fmt.Errorf("failed to create GeoClue2 client: %w", err)
-	}
-
-	clientObj := c.dbusConn.Object(dbusGeoClueService, c.clientPath)
-	if err := clientObj.SetProperty(dbusGeoClueClientDesktopId, "dms"); err != nil {
-		return fmt.Errorf("failed to set desktop ID: %w", err)
-	}
-
-	if err := clientObj.SetProperty(dbusGeoClueClientTimeThreshold, uint(10)); err != nil {
-		return fmt.Errorf("failed to set time threshold: %w", err)
-	}
-
-	return nil
-}
-
-func (c *GeoClueClient) startSignalPump() error {
-	c.dbusConn.Signal(c.signals)
-
-	if err := c.dbusConn.AddMatchSignal(
-		dbus.WithMatchObjectPath(c.clientPath),
-		dbus.WithMatchInterface(dbusGeoClueClientInterface),
-		dbus.WithMatchSender(dbusGeoClueClientLocationUpdated),
-	); err != nil {
-		return err
-	}
-
-	c.sigWG.Add(1)
-	go func() {
-		defer c.sigWG.Done()
-
-		clientObj := c.dbusConn.Object(dbusGeoClueService, c.clientPath)
-		clientObj.Call(dbusGeoClueClientTimeStart, 0)
-		defer clientObj.Call(dbusGeoClueClientTimeStop, 0)
-
-		for {
-			select {
-			case <-c.stopChan:
-				return
-			case sig, ok := <-c.signals:
-				if !ok {
-					return
-				}
-				if sig == nil {
-					continue
-				}
-
-				c.handleSignal(sig)
-			}
-		}
-	}()
-
-	return nil
-}
-
-func (c *GeoClueClient) handleSignal(sig *dbus.Signal) {
-	switch sig.Name {
-	case dbusGeoClueClientLocationUpdated:
-		if len(sig.Body) != 2 {
-			return
-		}
-
-		newLocationPath, ok := sig.Body[1].(dbus.ObjectPath)
-		if !ok {
-			return
-		}
-
-		if err := c.handleLocationUpdated(newLocationPath); err != nil {
-			log.Warn("GeoClue: Failed to handle location update: %v", err)
-			return
-		}
-	}
-}
-
-func (c *GeoClueClient) handleLocationUpdated(path dbus.ObjectPath) error {
-	locationObj := c.dbusConn.Object(dbusGeoClueService, path)
-
-	lat, err := locationObj.GetProperty(dbusGeoClueLocationLatitude)
-	if err != nil {
-		return err
-	}
-
-	long, err := locationObj.GetProperty(dbusGeoClueLocationLongitude)
-	if err != nil {
-		return err
-	}
-
-	c.locationMutex.Lock()
-	c.currLocation.Latitude = dbusutil.AsOr(lat, 0.0)
-	c.currLocation.Longitude = dbusutil.AsOr(long, 0.0)
-	c.locationMutex.Unlock()
-
-	c.notifySubscribers()
-	return nil
-}
-
-func (c *GeoClueClient) notifySubscribers() {
-	currentLocation, err := c.GetLocation()
-	if err != nil {
-		return
-	}
-
-	c.subscribers.Range(func(key string, ch chan Location) bool {
-		select {
-		case ch <- currentLocation:
-		default:
-			log.Warn("GeoClue: subscriber channel full, dropping update")
-		}
-		return true
-	})
-}
-
-func (c *GeoClueClient) SeedLocation(loc Location) {
-	c.locationMutex.Lock()
-	defer c.locationMutex.Unlock()
-	c.currLocation.Latitude = loc.Latitude
-	c.currLocation.Longitude = loc.Longitude
-}
-
-func (c *GeoClueClient) GetLocation() (Location, error) {
-	c.locationMutex.RLock()
-	defer c.locationMutex.RUnlock()
-	if c.currLocation == nil {
-		return Location{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		}, nil
-	}
-	stateCopy := *c.currLocation
-	return stateCopy, nil
-}

core/internal/geolocation/client_ip.go

@@ -1,91 +0,0 @@
-package geolocation
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-)
-
-type IpClient struct {
-	currLocation *Location
-}
-
-type ipLocationResult struct {
-	Location
-	City string
-}
-
-type ipAPIResponse struct {
-	Status string  `json:"status"`
-	Lat    float64 `json:"lat"`
-	Lon    float64 `json:"lon"`
-	City   string  `json:"city"`
-}
-
-func newIpClient() *IpClient {
-	return &IpClient{
-		currLocation: &Location{},
-	}
-}
-
-func (c *IpClient) Subscribe(id string) chan Location {
-	ch := make(chan Location, 1)
-	if location, err := c.GetLocation(); err == nil {
-		ch <- location
-	}
-	return ch
-}
-
-func (c *IpClient) Unsubscribe(id string) {}
-
-func (c *IpClient) Close() {}
-
-func (c *IpClient) GetLocation() (Location, error) {
-	if c.currLocation.Latitude != 0 || c.currLocation.Longitude != 0 {
-		return *c.currLocation, nil
-	}
-
-	result, err := fetchIPLocation()
-	if err != nil {
-		return Location{}, err
-	}
-
-	c.currLocation.Latitude = result.Latitude
-	c.currLocation.Longitude = result.Longitude
-	return *c.currLocation, nil
-}
-
-func fetchIPLocation() (ipLocationResult, error) {
-	client := &http.Client{Timeout: 10 * time.Second}
-
-	resp, err := client.Get("http://ip-api.com/json/")
-	if err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to fetch IP location: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return ipLocationResult{}, fmt.Errorf("ip-api.com returned status %d", resp.StatusCode)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to read response: %w", err)
-	}
-
-	var data ipAPIResponse
-	if err := json.Unmarshal(body, &data); err != nil {
-		return ipLocationResult{}, fmt.Errorf("failed to parse response: %w", err)
-	}
-
-	if data.Status == "fail" || (data.Lat == 0 && data.Lon == 0) {
-		return ipLocationResult{}, fmt.Errorf("ip-api.com returned no location data")
-	}
-
-	return ipLocationResult{
-		Location: Location{Latitude: data.Lat, Longitude: data.Lon},
-		City:     data.City,
-	}, nil
-}

core/internal/geolocation/types.go

@@ -1,15 +0,0 @@
-package geolocation
-
-type Location struct {
-	Latitude  float64
-	Longitude float64
-}
-
-type Client interface {
-	GetLocation() (Location, error)
-
-	Subscribe(id string) chan Location
-	Unsubscribe(id string)
-
-	Close()
-}

core/internal/greeter/assets/apparmor/usr.bin.dms-greeter

@@ -0,0 +1,91 @@
+# AppArmor profile for dms-greeter
+#
+# Managed by DMS — regenerated on every `dms greeter install` / `dms greeter sync`.
+# Manual edits will be overwritten on next sync.
+#
+# Mode: complain  (denials are logged, nothing is blocked)
+# To switch to enforce after validating with `aa-logprof`:
+#   sudo aa-enforce /etc/apparmor.d/usr.bin.dms-greeter
+#
+#include <tunables/global>
+
+profile dms-greeter /usr/bin/dms-greeter flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+
+  # The launcher script itself
+  /usr/bin/dms-greeter r,
+
+  # Cache directory — created by dms greeter sync/enable with greeter:greeter ownership
+  /var/cache/dms-greeter/     rw,
+  /var/cache/dms-greeter/**   rwlk,
+
+  # DMS config — packaged path
+  /usr/share/quickshell/dms-greeter/    r,
+  /usr/share/quickshell/dms-greeter/**  r,
+  /usr/share/quickshell/               r,
+  /usr/share/quickshell/**             r,
+
+  # DMS config — system and user overrides
+  /etc/dms/    r,
+  /etc/dms/**  r,
+  /usr/share/dms/    r,
+  /usr/share/dms/**  r,
+  /home/*/.config/quickshell/    r,
+  /home/*/.config/quickshell/**  r,
+  /root/.config/quickshell/     r,
+  /root/.config/quickshell/**   r,
+
+  # greetd / PAM — read-only for session setup
+  /etc/greetd/    r,
+  /etc/greetd/**  r,
+  /etc/pam.d/     r,
+  /etc/pam.d/**   r,
+  /usr/lib/pam.d/ r,
+  /usr/lib/pam.d/** r,
+
+  # Compositor binaries — run unconfined so each compositor uses its own profile
+  /usr/bin/niri        Ux,
+  /usr/bin/hyprland    Ux,
+  /usr/bin/Hyprland    Ux,
+  /usr/bin/sway        Ux,
+  /usr/bin/labwc       Ux,
+  /usr/bin/scroll      Ux,
+  /usr/bin/miracle-wm  Ux,
+  /usr/bin/mango       Ux,
+
+  # Quickshell — run unconfined (has its own compositor profile on some distros)
+  /usr/bin/qs          Ux,
+  /usr/bin/quickshell  Ux,
+
+  # Wayland / XDG runtime (pipewire, wireplumber, wayland socket)
+  /run/user/[0-9]*/               rw,
+  /run/user/[0-9]*/**             rw,
+
+  # DRM / GPU devices (required for Wayland compositor startup)
+  /dev/dri/      r,
+  /dev/dri/*     rw,
+  /dev/udmabuf   rw,
+
+  # Input devices
+  /dev/input/    r,
+  /dev/input/*   r,
+
+  # Systemd journal / logging
+  /run/systemd/journal/socket  rw,
+  /dev/log                     rw,
+
+  # Shell helper binaries invoked by the launcher script
+  /usr/bin/env      ix,
+  /usr/bin/mkdir    ix,
+  /usr/bin/cat      ix,
+  /usr/bin/grep     ix,
+  /usr/bin/dirname  ix,
+  /usr/bin/basename ix,
+  /usr/bin/command  ix,
+  /bin/env          ix,
+  /bin/mkdir        ix,
+
+  # Signal management (compositor lifecycle)
+  signal (send, receive) set=("term", "int", "hup", "kill"),
+}

core/internal/greeter/installer_test.go

@@ -0,0 +1,98 @@
+package greeter
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func writeTestJSON(t *testing.T, path string, content string) {
+	t.Helper()
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		t.Fatalf("failed to create parent dir for %s: %v", path, err)
+	}
+	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+		t.Fatalf("failed to write %s: %v", path, err)
+	}
+}
+
+func TestResolveGreeterThemeSyncState(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name                    string
+		settingsJSON            string
+		sessionJSON             string
+		wantSourcePath          string
+		wantResolvedWallpaper   string
+		wantDynamicOverrideUsed bool
+	}{
+		{
+			name: "dynamic theme with greeter wallpaper override uses generated greeter colors",
+			settingsJSON: `{
+  "currentThemeName": "dynamic",
+  "greeterWallpaperPath": "Pictures/blue.jpg",
+  "matugenScheme": "scheme-tonal-spot",
+  "iconTheme": "Papirus"
+}`,
+			sessionJSON:             `{"isLightMode":true}`,
+			wantSourcePath:          filepath.Join(".cache", "DankMaterialShell", "greeter-colors", "dms-colors.json"),
+			wantResolvedWallpaper:   filepath.Join("Pictures", "blue.jpg"),
+			wantDynamicOverrideUsed: true,
+		},
+		{
+			name: "dynamic theme without override uses desktop colors",
+			settingsJSON: `{
+  "currentThemeName": "dynamic",
+  "greeterWallpaperPath": ""
+}`,
+			sessionJSON:             `{"isLightMode":false}`,
+			wantSourcePath:          filepath.Join(".cache", "DankMaterialShell", "dms-colors.json"),
+			wantResolvedWallpaper:   "",
+			wantDynamicOverrideUsed: false,
+		},
+		{
+			name: "non-dynamic theme keeps desktop colors even with override wallpaper",
+			settingsJSON: `{
+  "currentThemeName": "purple",
+  "greeterWallpaperPath": "/tmp/blue.jpg"
+}`,
+			sessionJSON:             `{"isLightMode":false}`,
+			wantSourcePath:          filepath.Join(".cache", "DankMaterialShell", "dms-colors.json"),
+			wantResolvedWallpaper:   "/tmp/blue.jpg",
+			wantDynamicOverrideUsed: false,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			homeDir := t.TempDir()
+			writeTestJSON(t, filepath.Join(homeDir, ".config", "DankMaterialShell", "settings.json"), tt.settingsJSON)
+			writeTestJSON(t, filepath.Join(homeDir, ".local", "state", "DankMaterialShell", "session.json"), tt.sessionJSON)
+
+			state, err := resolveGreeterThemeSyncState(homeDir)
+			if err != nil {
+				t.Fatalf("resolveGreeterThemeSyncState returned error: %v", err)
+			}
+
+			if got := state.effectiveColorsSource(homeDir); got != filepath.Join(homeDir, tt.wantSourcePath) {
+				t.Fatalf("effectiveColorsSource = %q, want %q", got, filepath.Join(homeDir, tt.wantSourcePath))
+			}
+
+			wantResolvedWallpaper := tt.wantResolvedWallpaper
+			if wantResolvedWallpaper != "" && !filepath.IsAbs(wantResolvedWallpaper) {
+				wantResolvedWallpaper = filepath.Join(homeDir, wantResolvedWallpaper)
+			}
+			if state.ResolvedGreeterWallpaperPath != wantResolvedWallpaper {
+				t.Fatalf("ResolvedGreeterWallpaperPath = %q, want %q", state.ResolvedGreeterWallpaperPath, wantResolvedWallpaper)
+			}
+
+			if state.UsesDynamicWallpaperOverride != tt.wantDynamicOverrideUsed {
+				t.Fatalf("UsesDynamicWallpaperOverride = %v, want %v", state.UsesDynamicWallpaperOverride, tt.wantDynamicOverrideUsed)
+			}
+		})
+	}
+}

core/internal/keybinds/providers/niri.go

@@ -10,7 +10,6 @@ import (
 	"strings"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/keybinds"
-	"github.com/sblinch/kdl-go"
 	"github.com/sblinch/kdl-go/document"
 )
 
@@ -292,7 +291,7 @@ func (n *NiriProvider) loadOverrideBinds() (map[string]*overrideBind, error) {
 	parser := NewNiriParser(filepath.Dir(overridePath))
 	parser.currentSource = overridePath
 
-	doc, err := kdl.Parse(strings.NewReader(string(data)))
+	doc, err := parseKDL(data)
 	if err != nil {
 		return nil, err
 	}

core/internal/keybinds/providers/niri_parser.go

@@ -50,6 +50,103 @@ type NiriParser struct {
 	conflictingConfigs map[string]*NiriKeyBinding
 }
 
+func parseKDL(data []byte) (*document.Document, error) {
+	return kdl.Parse(strings.NewReader(normalizeKDLBraces(string(data))))
+}
+
+func normalizeKDLBraces(input string) string {
+	var sb strings.Builder
+	sb.Grow(len(input))
+
+	var prev byte
+	n := len(input)
+	for i := 0; i < n; {
+		c := input[i]
+
+		switch {
+		case c == '"':
+			end := findStringEnd(input, i)
+			sb.WriteString(input[i:end])
+			prev = '"'
+			i = end
+		case c == '/' && i+1 < n && input[i+1] == '/':
+			end := findLineCommentEnd(input, i)
+			sb.WriteString(input[i:end])
+			prev = '\n'
+			i = end
+		case c == '/' && i+1 < n && input[i+1] == '*':
+			end := findBlockCommentEnd(input, i)
+			sb.WriteString(input[i:end])
+			prev = '/'
+			i = end
+		case c == '{' && prev != 0 && !isBraceAdjacentSpace(prev):
+			sb.WriteByte(' ')
+			sb.WriteByte(c)
+			prev = c
+			i++
+		default:
+			sb.WriteByte(c)
+			prev = c
+			i++
+		}
+	}
+
+	return sb.String()
+}
+
+func findStringEnd(s string, start int) int {
+	n := len(s)
+	for i := start + 1; i < n; {
+		switch s[i] {
+		case '\\':
+			i += 2
+		case '"':
+			return i + 1
+		default:
+			i++
+		}
+	}
+	return n
+}
+
+func findLineCommentEnd(s string, start int) int {
+	for i := start + 2; i < len(s); i++ {
+		if s[i] == '\n' {
+			return i
+		}
+	}
+	return len(s)
+}
+
+func findBlockCommentEnd(s string, start int) int {
+	n := len(s)
+	depth := 1
+	for i := start + 2; i < n && depth > 0; {
+		switch {
+		case i+1 < n && s[i] == '/' && s[i+1] == '*':
+			depth++
+			i += 2
+		case i+1 < n && s[i] == '*' && s[i+1] == '/':
+			depth--
+			i += 2
+			if depth == 0 {
+				return i
+			}
+		default:
+			i++
+		}
+	}
+	return n
+}
+
+func isBraceAdjacentSpace(b byte) bool {
+	switch b {
+	case ' ', '\t', '\n', '\r', '{':
+		return true
+	}
+	return false
+}
+
 func NewNiriParser(configDir string) *NiriParser {
 	return &NiriParser{
 		configDir:          configDir,
@@ -91,7 +188,7 @@ func (p *NiriParser) parseDMSBindsDirectly(dmsBindsPath string, section *NiriSec
 		return
 	}
 
-	doc, err := kdl.Parse(strings.NewReader(string(data)))
+	doc, err := parseKDL(data)
 	if err != nil {
 		return
 	}
@@ -159,7 +256,7 @@ func (p *NiriParser) parseFile(filePath, sectionName string) (*NiriSection, erro
 		return nil, fmt.Errorf("failed to read %s: %w", absPath, err)
 	}
 
-	doc, err := kdl.Parse(strings.NewReader(string(data)))
+	doc, err := parseKDL(data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse KDL in %s: %w", absPath, err)
 	}

core/internal/keybinds/providers/niri_parser_test.go

@@ -3,9 +3,74 @@ package providers
 import (
 	"os"
 	"path/filepath"
+	"slices"
 	"testing"
 )
 
+func TestNiriParse_NoSpaceBeforeBrace(t *testing.T) {
+	config := `recent-windows {
+    binds {
+        Alt+Tab         { next-window scope="output"; }
+        Alt+Shift+Tab   { previous-window scope="output"; }
+        Alt+grave       { next-window filter="app-id"; }
+        Alt+Shift+grave { previous-window filter="app-id"; }
+        Alt+Escape      { next-window scope="all"; }
+        Alt+Shift+Escape{ previous-window scope="all"; }
+    }
+}
+`
+	tmpDir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(tmpDir, "config.kdl"), []byte(config), 0o644); err != nil {
+		t.Fatalf("Failed to write test config: %v", err)
+	}
+
+	result, err := ParseNiriKeys(tmpDir)
+	if err != nil {
+		t.Fatalf("ParseNiriKeys failed on valid niri config: %v", err)
+	}
+
+	var found *NiriKeyBinding
+	for i := range result.Section.Keybinds {
+		kb := &result.Section.Keybinds[i]
+		if kb.Key == "Escape" && slices.Contains(kb.Mods, "Alt") && slices.Contains(kb.Mods, "Shift") {
+			found = kb
+			break
+		}
+	}
+	if found == nil {
+		t.Fatal("Alt+Shift+Escape bind missing — '{' without preceding space was not handled")
+	}
+	if found.Action != "previous-window" {
+		t.Errorf("Action = %q, want %q", found.Action, "previous-window")
+	}
+}
+
+func TestNormalizeKDLBraces(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		out  string
+	}{
+		{"already spaced", "node { child }\n", "node { child }\n"},
+		{"missing space", "node{ child }\n", "node { child }\n"},
+		{"niri keybind", "Alt+Shift+Escape{ previous-window; }", "Alt+Shift+Escape { previous-window; }"},
+		{"brace inside string", `node "a{b" { child }`, `node "a{b" { child }`},
+		{"brace in line comment", "// foo{bar\nnode { }", "// foo{bar\nnode { }"},
+		{"brace in block comment", "/* foo{bar */ node{ }", "/* foo{bar */ node { }"},
+		{"escaped quote in string", `node "a\"b{c" { }`, `node "a\"b{c" { }`},
+		{"leading brace", "{ child }", "{ child }"},
+		{"nested missing space", "a{b{ c }}", "a {b { c }}"},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := normalizeKDLBraces(tc.in)
+			if got != tc.out {
+				t.Errorf("normalizeKDLBraces(%q) = %q, want %q", tc.in, got, tc.out)
+			}
+		})
+	}
+}
+
 func TestNiriParseKeyCombo(t *testing.T) {
 	tests := []struct {
 		combo        string

core/internal/matugen/matugen.go

@@ -71,6 +71,7 @@ var templateRegistry = []TemplateDef{
 	{ID: "kcolorscheme", ConfigFile: "kcolorscheme.toml", RunUnconditionally: true},
 	{ID: "vscode", Kind: TemplateKindVSCode},
 	{ID: "emacs", Commands: []string{"emacs"}, ConfigFile: "emacs.toml", Kind: TemplateKindEmacs},
+	{ID: "zed", Commands: []string{"zed", "zeditor", "zedit"}, ConfigFile: "zed.toml"},
 }
 
 func (c *ColorMode) GTKTheme() string {
@@ -99,6 +100,7 @@ type Options struct {
 	IconTheme           string
 	MatugenType         string
 	RunUserTemplates    bool
+	ColorsOnly          bool
 	StockColors         string
 	SyncModeWithPortal  bool
 	TerminalsAlwaysDark bool
@@ -273,6 +275,10 @@ func buildOnce(opts *Options) (bool, error) {
 		return false, nil
 	}
 
+	if opts.ColorsOnly {
+		return true, nil
+	}
+
 	if isDMSGTKActive(opts.ConfigDir) {
 		switch opts.Mode {
 		case ColorModeLight:
@@ -330,6 +336,10 @@ output_path = '%s'
 
 `, opts.ShellDir, opts.ColorsOutput())
 
+	if opts.ColorsOnly {
+		return nil
+	}
+
 	homeDir, _ := os.UserHomeDir()
 	for _, tmpl := range templateRegistry {
 		if opts.ShouldSkipTemplate(tmpl.ID) {
@@ -596,10 +606,10 @@ func detectMatugenVersionLocked() (matugenFlags, error) {
 	matugenVersionOK = true
 
 	if matugenSupportsCOE {
-		log.Infof("Matugen %s supports --continue-on-error", versionStr)
+		log.Debugf("Matugen %s detected: continue-on-error support enabled", versionStr)
 	}
 	if matugenIsV4 {
-		log.Infof("Matugen %s: using v4 flags", versionStr)
+		log.Debugf("Matugen %s detected: using v4 compatibility flags", versionStr)
 	}
 	return matugenFlags{matugenSupportsCOE, matugenIsV4}, nil
 }

core/internal/matugen/matugen_test.go

@@ -3,6 +3,7 @@ package matugen
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	mocks_utils "github.com/AvengeMedia/DankMaterialShell/core/internal/mocks/utils"
@@ -392,3 +393,51 @@ func TestSubstituteVars(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildMergedConfigColorsOnly(t *testing.T) {
+	tempDir := t.TempDir()
+
+	shellDir := filepath.Join(tempDir, "shell")
+	configsDir := filepath.Join(shellDir, "matugen", "configs")
+	if err := os.MkdirAll(configsDir, 0o755); err != nil {
+		t.Fatalf("failed to create configs dir: %v", err)
+	}
+
+	baseConfig := "[config]\ncustom_keywords = []\n"
+	if err := os.WriteFile(filepath.Join(configsDir, "base.toml"), []byte(baseConfig), 0o644); err != nil {
+		t.Fatalf("failed to write base config: %v", err)
+	}
+
+	cfgFile, err := os.CreateTemp(tempDir, "merged-*.toml")
+	if err != nil {
+		t.Fatalf("failed to create temp config: %v", err)
+	}
+	defer os.Remove(cfgFile.Name())
+	defer cfgFile.Close()
+
+	opts := &Options{
+		ShellDir:   shellDir,
+		ConfigDir:  filepath.Join(tempDir, "config"),
+		StateDir:   filepath.Join(tempDir, "state"),
+		ColorsOnly: true,
+	}
+
+	if err := buildMergedConfig(opts, cfgFile, filepath.Join(tempDir, "templates")); err != nil {
+		t.Fatalf("buildMergedConfig failed: %v", err)
+	}
+
+	if err := cfgFile.Close(); err != nil {
+		t.Fatalf("failed to close merged config: %v", err)
+	}
+
+	output, err := os.ReadFile(cfgFile.Name())
+	if err != nil {
+		t.Fatalf("failed to read merged config: %v", err)
+	}
+
+	content := string(output)
+	assert.Contains(t, content, "[templates.dank]")
+	assert.Contains(t, content, "output_path = '"+filepath.Join(opts.StateDir, "dms-colors.json")+"'")
+	assert.NotContains(t, content, "[templates.gtk]")
+	assert.False(t, strings.Contains(content, "output_path = 'CONFIG_DIR/"), "colors-only config should not emit app template outputs")
+}

core/internal/mocks/geolocation/mock_Client.go

@@ -1,203 +0,0 @@
-// Code generated by mockery v2.53.5. DO NOT EDIT.
-
-package mocks_geolocation
-
-import (
-	geolocation "github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockClient is an autogenerated mock type for the Client type
-type MockClient struct {
-	mock.Mock
-}
-
-type MockClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockClient) EXPECT() *MockClient_Expecter {
-	return &MockClient_Expecter{mock: &_m.Mock}
-}
-
-// Close provides a mock function with no fields
-func (_m *MockClient) Close() {
-	_m.Called()
-}
-
-// MockClient_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
-type MockClient_Close_Call struct {
-	*mock.Call
-}
-
-// Close is a helper method to define mock.On call
-func (_e *MockClient_Expecter) Close() *MockClient_Close_Call {
-	return &MockClient_Close_Call{Call: _e.mock.On("Close")}
-}
-
-func (_c *MockClient_Close_Call) Run(run func()) *MockClient_Close_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockClient_Close_Call) Return() *MockClient_Close_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockClient_Close_Call) RunAndReturn(run func()) *MockClient_Close_Call {
-	_c.Run(run)
-	return _c
-}
-
-// GetLocation provides a mock function with no fields
-func (_m *MockClient) GetLocation() (geolocation.Location, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetLocation")
-	}
-
-	var r0 geolocation.Location
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (geolocation.Location, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() geolocation.Location); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(geolocation.Location)
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockClient_GetLocation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetLocation'
-type MockClient_GetLocation_Call struct {
-	*mock.Call
-}
-
-// GetLocation is a helper method to define mock.On call
-func (_e *MockClient_Expecter) GetLocation() *MockClient_GetLocation_Call {
-	return &MockClient_GetLocation_Call{Call: _e.mock.On("GetLocation")}
-}
-
-func (_c *MockClient_GetLocation_Call) Run(run func()) *MockClient_GetLocation_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockClient_GetLocation_Call) Return(_a0 geolocation.Location, _a1 error) *MockClient_GetLocation_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockClient_GetLocation_Call) RunAndReturn(run func() (geolocation.Location, error)) *MockClient_GetLocation_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Subscribe provides a mock function with given fields: id
-func (_m *MockClient) Subscribe(id string) chan geolocation.Location {
-	ret := _m.Called(id)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Subscribe")
-	}
-
-	var r0 chan geolocation.Location
-	if rf, ok := ret.Get(0).(func(string) chan geolocation.Location); ok {
-		r0 = rf(id)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(chan geolocation.Location)
-		}
-	}
-
-	return r0
-}
-
-// MockClient_Subscribe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Subscribe'
-type MockClient_Subscribe_Call struct {
-	*mock.Call
-}
-
-// Subscribe is a helper method to define mock.On call
-//   - id string
-func (_e *MockClient_Expecter) Subscribe(id interface{}) *MockClient_Subscribe_Call {
-	return &MockClient_Subscribe_Call{Call: _e.mock.On("Subscribe", id)}
-}
-
-func (_c *MockClient_Subscribe_Call) Run(run func(id string)) *MockClient_Subscribe_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockClient_Subscribe_Call) Return(_a0 chan geolocation.Location) *MockClient_Subscribe_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockClient_Subscribe_Call) RunAndReturn(run func(string) chan geolocation.Location) *MockClient_Subscribe_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Unsubscribe provides a mock function with given fields: id
-func (_m *MockClient) Unsubscribe(id string) {
-	_m.Called(id)
-}
-
-// MockClient_Unsubscribe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Unsubscribe'
-type MockClient_Unsubscribe_Call struct {
-	*mock.Call
-}
-
-// Unsubscribe is a helper method to define mock.On call
-//   - id string
-func (_e *MockClient_Expecter) Unsubscribe(id interface{}) *MockClient_Unsubscribe_Call {
-	return &MockClient_Unsubscribe_Call{Call: _e.mock.On("Unsubscribe", id)}
-}
-
-func (_c *MockClient_Unsubscribe_Call) Run(run func(id string)) *MockClient_Unsubscribe_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockClient_Unsubscribe_Call) Return() *MockClient_Unsubscribe_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockClient_Unsubscribe_Call) RunAndReturn(run func(string)) *MockClient_Unsubscribe_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockClient creates a new instance of MockClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockClient {
-	mock := &MockClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

core/internal/mocks/network/mock_Backend.go

@@ -1062,62 +1062,6 @@ func (_c *MockBackend_GetWiFiNetworkDetails_Call) RunAndReturn(run func(string)
 	return _c
 }
 
-// GetWiFiQRCodeContent provides a mock function with given fields: ssid
-func (_m *MockBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	ret := _m.Called(ssid)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetWiFiQRCodeContent")
-	}
-
-	var r0 string
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
-		return rf(ssid)
-	}
-	if rf, ok := ret.Get(0).(func(string) string); ok {
-		r0 = rf(ssid)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	if rf, ok := ret.Get(1).(func(string) error); ok {
-		r1 = rf(ssid)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockBackend_GetWiFiQRCodeContent_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetWiFiQRCodeContent'
-type MockBackend_GetWiFiQRCodeContent_Call struct {
-	*mock.Call
-}
-
-// GetWiFiQRCodeContent is a helper method to define mock.On call
-//   - ssid string
-func (_e *MockBackend_Expecter) GetWiFiQRCodeContent(ssid interface{}) *MockBackend_GetWiFiQRCodeContent_Call {
-	return &MockBackend_GetWiFiQRCodeContent_Call{Call: _e.mock.On("GetWiFiQRCodeContent", ssid)}
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) Run(run func(ssid string)) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) Return(_a0 string, _a1 error) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockBackend_GetWiFiQRCodeContent_Call) RunAndReturn(run func(string) (string, error)) *MockBackend_GetWiFiQRCodeContent_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // GetWiredConnections provides a mock function with no fields
 func (_m *MockBackend) GetWiredConnections() ([]network.WiredConnection, error) {
 	ret := _m.Called()

core/internal/notify/notify.go

@@ -6,6 +6,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/godbus/dbus/v5"
@@ -59,7 +60,11 @@ func Send(n Notification) error {
 
 	hints := map[string]dbus.Variant{}
 	if n.FilePath != "" {
-		hints["image_path"] = dbus.MakeVariant(n.FilePath)
+		imgPath := n.FilePath
+		if !strings.HasPrefix(imgPath, "file://") {
+			imgPath = "file://" + imgPath
+		}
+		hints["image_path"] = dbus.MakeVariant(imgPath)
 	}
 
 	obj := conn.Object(notifyDest, notifyPath)

core/internal/privesc/privesc.go

@@ -0,0 +1,385 @@
+package privesc
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+// Tool identifies a privilege-escalation binary.
+type Tool string
+
+const (
+	ToolSudo Tool = "sudo"
+	ToolDoas Tool = "doas"
+	ToolRun0 Tool = "run0"
+)
+
+// EnvVar selects a specific tool when set to one of: sudo, doas, run0.
+const EnvVar = "DMS_PRIVESC"
+
+var detectionOrder = []Tool{ToolSudo, ToolDoas, ToolRun0}
+
+var (
+	detectOnce   sync.Once
+	detected     Tool
+	detectErr    error
+	userSelected bool
+)
+
+// Detect returns the tool that should be used for privilege escalation.
+// The result is cached after the first call.
+func Detect() (Tool, error) {
+	detectOnce.Do(func() {
+		detected, detectErr = detectTool()
+	})
+	return detected, detectErr
+}
+
+// ResetForTesting clears cached detection state.
+func ResetForTesting() {
+	detectOnce = sync.Once{}
+	detected = ""
+	detectErr = nil
+	userSelected = false
+}
+
+// AvailableTools returns the set of supported tools that are installed on
+// PATH, in detection-precedence order.
+func AvailableTools() []Tool {
+	var out []Tool
+	for _, t := range detectionOrder {
+		if t.Available() {
+			out = append(out, t)
+		}
+	}
+	return out
+}
+
+// EnvOverride returns the tool selected by the $DMS_PRIVESC env var (if any)
+// along with ok=true when the variable is set. An empty or unset variable
+// returns ok=false.
+func EnvOverride() (Tool, bool) {
+	v := strings.ToLower(strings.TrimSpace(os.Getenv(EnvVar)))
+	if v == "" {
+		return "", false
+	}
+	return Tool(v), true
+}
+
+// SetTool forces the detected tool to t, bypassing autodetection. Intended
+// for use after the caller has prompted the user for a selection.
+func SetTool(t Tool) error {
+	if !t.Available() {
+		return fmt.Errorf("%q is not installed", t.Name())
+	}
+	detectOnce = sync.Once{}
+	detectOnce.Do(func() {
+		detected = t
+		detectErr = nil
+	})
+	userSelected = true
+	return nil
+}
+
+func detectTool() (Tool, error) {
+	switch override := strings.ToLower(strings.TrimSpace(os.Getenv(EnvVar))); override {
+	case "":
+		// fall through to autodetect
+	case string(ToolSudo), string(ToolDoas), string(ToolRun0):
+		t := Tool(override)
+		if !t.Available() {
+			return "", fmt.Errorf("%s=%s but %q is not installed", EnvVar, override, t.Name())
+		}
+		return t, nil
+	default:
+		return "", fmt.Errorf("invalid %s=%q: must be one of sudo, doas, run0", EnvVar, override)
+	}
+
+	for _, t := range detectionOrder {
+		if t.Available() {
+			return t, nil
+		}
+	}
+	return "", fmt.Errorf("no supported privilege escalation tool found (tried: sudo, doas, run0)")
+}
+
+// Name returns the binary name.
+func (t Tool) Name() string { return string(t) }
+
+// Available reports whether this tool's binary is on PATH.
+func (t Tool) Available() bool {
+	if t == "" {
+		return false
+	}
+	_, err := exec.LookPath(string(t))
+	return err == nil
+}
+
+// SupportsStdinPassword reports whether the tool can accept a password via
+// stdin. Only sudo (-S) supports this.
+func (t Tool) SupportsStdinPassword() bool {
+	return t == ToolSudo
+}
+
+// EscapeSingleQuotes escapes single quotes for safe inclusion inside a
+// bash single-quoted string.
+func EscapeSingleQuotes(s string) string {
+	return strings.ReplaceAll(s, "'", "'\\''")
+}
+
+// MakeCommand returns a bash command string that runs `command` with the
+// detected tool. When the tool supports stdin passwords and password is
+// non-empty, the password is piped in. Otherwise the tool is invoked with
+// no non-interactive flag so that an interactive TTY prompt is still
+// possible for CLI callers.
+//
+// If detection fails, the returned shell string exits 1 with an error
+// message so callers that treat the *exec.Cmd as infallible still fail
+// deterministically.
+func MakeCommand(password, command string) string {
+	t, err := Detect()
+	if err != nil {
+		return failingShell(err)
+	}
+
+	switch t {
+	case ToolSudo:
+		if password != "" {
+			return fmt.Sprintf("echo '%s' | sudo -S %s", EscapeSingleQuotes(password), command)
+		}
+		return fmt.Sprintf("sudo %s", command)
+	case ToolDoas:
+		return fmt.Sprintf("doas sh -c '%s'", EscapeSingleQuotes(command))
+	case ToolRun0:
+		return fmt.Sprintf("run0 sh -c '%s'", EscapeSingleQuotes(command))
+	default:
+		return failingShell(fmt.Errorf("unsupported privilege tool: %q", t))
+	}
+}
+
+// ExecCommand builds an exec.Cmd that runs `command` as root via the
+// detected tool. Detection errors surface at Run() time as a failing
+// command writing a clear error to stderr.
+func ExecCommand(ctx context.Context, password, command string) *exec.Cmd {
+	return exec.CommandContext(ctx, "bash", "-c", MakeCommand(password, command))
+}
+
+// ExecArgv builds an exec.Cmd that runs argv as root via the detected tool.
+// No stdin password is supplied; callers relying on non-interactive success
+// should ensure cached credentials are present (see CheckCached).
+func ExecArgv(ctx context.Context, argv ...string) *exec.Cmd {
+	if len(argv) == 0 {
+		return exec.CommandContext(ctx, "bash", "-c", failingShell(fmt.Errorf("privesc.ExecArgv: argv must not be empty")))
+	}
+	t, err := Detect()
+	if err != nil {
+		return exec.CommandContext(ctx, "bash", "-c", failingShell(err))
+	}
+
+	switch t {
+	case ToolSudo, ToolDoas:
+		return exec.CommandContext(ctx, string(t), argv...)
+	case ToolRun0:
+		return exec.CommandContext(ctx, "run0", argv...)
+	default:
+		return exec.CommandContext(ctx, "bash", "-c", failingShell(fmt.Errorf("unsupported privilege tool: %q", t)))
+	}
+}
+
+func failingShell(err error) string {
+	return fmt.Sprintf("printf 'privesc: %%s\\n' '%s' >&2; exit 1", EscapeSingleQuotes(err.Error()))
+}
+
+// CheckCached runs a non-interactive credential probe. Returns nil if the
+// tool will run commands without prompting (cached credentials, nopass, or
+// polkit rule).
+func CheckCached(ctx context.Context) error {
+	t, err := Detect()
+	if err != nil {
+		return err
+	}
+
+	var cmd *exec.Cmd
+	switch t {
+	case ToolSudo:
+		cmd = exec.CommandContext(ctx, "sudo", "-n", "true")
+	case ToolDoas:
+		cmd = exec.CommandContext(ctx, "doas", "-n", "true")
+	case ToolRun0:
+		cmd = exec.CommandContext(ctx, "run0", "--no-ask-password", "true")
+	default:
+		return fmt.Errorf("unsupported privilege tool: %q", t)
+	}
+	return cmd.Run()
+}
+
+// ClearCache invalidates any cached credentials. No-op for tools that do
+// not expose a cache-clear operation.
+func ClearCache(ctx context.Context) error {
+	t, err := Detect()
+	if err != nil {
+		return err
+	}
+	switch t {
+	case ToolSudo:
+		return exec.CommandContext(ctx, "sudo", "-k").Run()
+	default:
+		return nil
+	}
+}
+
+// ValidateWithAskpass validates cached credentials using an askpass helper
+// script. Only sudo supports this mechanism; the TUI uses it to trigger
+// fingerprint authentication via PAM.
+func ValidateWithAskpass(ctx context.Context, askpassScript string) error {
+	t, err := Detect()
+	if err != nil {
+		return err
+	}
+	if t != ToolSudo {
+		return fmt.Errorf("askpass validation requires sudo (detected: %s)", t)
+	}
+	cmd := exec.CommandContext(ctx, "sudo", "-A", "-v")
+	cmd.Env = append(os.Environ(), fmt.Sprintf("SUDO_ASKPASS=%s", askpassScript))
+	return cmd.Run()
+}
+
+// ValidatePassword validates the given password. Only sudo supports this
+// (via `sudo -S -v`); for other tools the caller should fall back to
+// CheckCached.
+func ValidatePassword(ctx context.Context, password string) error {
+	t, err := Detect()
+	if err != nil {
+		return err
+	}
+	if t != ToolSudo {
+		return fmt.Errorf("password validation requires sudo (detected: %s)", t)
+	}
+
+	cmd := exec.CommandContext(ctx, "sudo", "-S", "-v")
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	if _, err := fmt.Fprintf(stdin, "%s\n", password); err != nil {
+		stdin.Close()
+		_ = cmd.Wait()
+		return err
+	}
+	stdin.Close()
+	return cmd.Wait()
+}
+
+// QuoteArgsForShell wraps each argv element in single quotes so the result
+// can be safely passed to bash -c.
+func QuoteArgsForShell(argv []string) string {
+	parts := make([]string, len(argv))
+	for i, a := range argv {
+		parts[i] = "'" + EscapeSingleQuotes(a) + "'"
+	}
+	return strings.Join(parts, " ")
+}
+
+// Run invokes argv with privilege escalation. When the tool supports stdin
+// passwords and password is non-empty, the password is piped in. Otherwise
+// argv is invoked directly, which may prompt on a TTY.
+// Stdout and Stderr are inherited from the current process.
+func Run(ctx context.Context, password string, argv ...string) error {
+	if len(argv) == 0 {
+		return fmt.Errorf("privesc.Run: argv must not be empty")
+	}
+	t, err := Detect()
+	if err != nil {
+		return err
+	}
+
+	var cmd *exec.Cmd
+	switch {
+	case t == ToolSudo && password != "":
+		cmd = ExecCommand(ctx, password, QuoteArgsForShell(argv))
+	default:
+		cmd = ExecArgv(ctx, argv...)
+	}
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+// stdinIsTTY reports whether stdin is a character device (interactive
+// terminal) rather than a pipe or file.
+func stdinIsTTY() bool {
+	fi, err := os.Stdin.Stat()
+	if err != nil {
+		return false
+	}
+	return (fi.Mode() & os.ModeCharDevice) != 0
+}
+
+// PromptCLI interactively prompts the user to pick a privilege tool when more
+// than one is installed and $DMS_PRIVESC is not set. If stdin is not a TTY,
+// or only one tool is available, or the env var is set, the detected tool is
+// returned without any prompt.
+//
+// The prompt is written to out (typically os.Stdout/os.Stderr) and input is
+// read from in. EOF or empty input selects the first option.
+func PromptCLI(out io.Writer, in io.Reader) (Tool, error) {
+	if userSelected {
+		return Detect()
+	}
+	if _, envSet := EnvOverride(); envSet {
+		return Detect()
+	}
+
+	tools := AvailableTools()
+	switch len(tools) {
+	case 0:
+		return "", fmt.Errorf("no supported privilege tool (sudo/doas/run0) found on PATH")
+	case 1:
+		if err := SetTool(tools[0]); err != nil {
+			return "", err
+		}
+		return tools[0], nil
+	}
+
+	if !stdinIsTTY() {
+		return Detect()
+	}
+
+	fmt.Fprintln(out, "Multiple privilege escalation tools detected:")
+	for i, t := range tools {
+		fmt.Fprintf(out, "  [%d] %s\n", i+1, t.Name())
+	}
+	fmt.Fprintf(out, "Choose one [1-%d] (default 1, or set %s=<tool> to skip): ", len(tools), EnvVar)
+
+	reader := bufio.NewReader(in)
+	line, err := reader.ReadString('\n')
+	if err != nil && err != io.EOF {
+		return "", fmt.Errorf("failed to read selection: %w", err)
+	}
+	line = strings.TrimSpace(line)
+
+	idx := 1
+	if line != "" {
+		n, convErr := strconv.Atoi(line)
+		if convErr != nil || n < 1 || n > len(tools) {
+			return "", fmt.Errorf("invalid selection %q", line)
+		}
+		idx = n
+	}
+
+	chosen := tools[idx-1]
+	if err := SetTool(chosen); err != nil {
+		return "", err
+	}
+	return chosen, nil
+}

core/internal/screenshot/compositor.go

@@ -444,20 +444,21 @@ func GetFocusedMonitor() string {
 
 type outputInfo struct {
 	x, y      int32
+	scale     float64
 	transform int32
 }
 
-func getOutputInfo(outputName string) (*outputInfo, bool) {
+func getAllOutputInfos() map[string]*outputInfo {
 	display, err := client.Connect("")
 	if err != nil {
-		return nil, false
+		return nil
 	}
 	ctx := display.Context()
 	defer ctx.Close()
 
 	registry, err := display.GetRegistry()
 	if err != nil {
-		return nil, false
+		return nil
 	}
 
 	var outputManager *wlr_output_management.ZwlrOutputManagerV1
@@ -476,16 +477,17 @@ func getOutputInfo(outputName string) (*outputInfo, bool) {
 	})
 
 	if err := wlhelpers.Roundtrip(display, ctx); err != nil {
-		return nil, false
+		return nil
 	}
 
 	if outputManager == nil {
-		return nil, false
+		return nil
 	}
 
 	type headState struct {
 		name      string
 		x, y      int32
+		scale     float64
 		transform int32
 	}
 	heads := make(map[*wlr_output_management.ZwlrOutputHeadV1]*headState)
@@ -501,6 +503,9 @@ func getOutputInfo(outputName string) (*outputInfo, bool) {
 			state.x = pe.X
 			state.y = pe.Y
 		})
+		e.Head.SetScaleHandler(func(se wlr_output_management.ZwlrOutputHeadV1ScaleEvent) {
+			state.scale = se.Scale
+		})
 		e.Head.SetTransformHandler(func(te wlr_output_management.ZwlrOutputHeadV1TransformEvent) {
 			state.transform = te.Transform
 		})
@@ -511,21 +516,32 @@ func getOutputInfo(outputName string) (*outputInfo, bool) {
 
 	for !done {
 		if err := ctx.Dispatch(); err != nil {
-			return nil, false
+			return nil
 		}
 	}
 
+	result := make(map[string]*outputInfo, len(heads))
 	for _, state := range heads {
-		if state.name == outputName {
-			return &outputInfo{
-				x:         state.x,
-				y:         state.y,
-				transform: state.transform,
-			}, true
+		if state.name == "" {
+			continue
+		}
+		result[state.name] = &outputInfo{
+			x:         state.x,
+			y:         state.y,
+			scale:     state.scale,
+			transform: state.transform,
 		}
 	}
+	return result
+}
 
-	return nil, false
+func getOutputInfo(outputName string) (*outputInfo, bool) {
+	infos := getAllOutputInfos()
+	if infos == nil {
+		return nil, false
+	}
+	info, ok := infos[outputName]
+	return info, ok
 }
 
 func getDWLActiveWindow() (*WindowGeometry, error) {

core/internal/screenshot/screenshot.go

@@ -2,6 +2,7 @@ package screenshot
 
 import (
 	"fmt"
+	"math"
 	"sync"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
@@ -298,22 +299,20 @@ func (s *Screenshoter) captureAllScreens() (*CaptureResult, error) {
 	if len(outputs) == 0 {
 		return nil, fmt.Errorf("no outputs available")
 	}
-
 	if len(outputs) == 1 {
 		return s.captureWholeOutput(outputs[0])
 	}
 
-	// Capture all outputs first to get actual buffer sizes
-	type capturedOutput struct {
-		output *WaylandOutput
-		result *CaptureResult
-		physX  int
-		physY  int
-	}
-	captured := make([]capturedOutput, 0, len(outputs))
+	wlrInfos := getAllOutputInfos()
 
-	var minX, minY, maxX, maxY int
-	first := true
+	type pendingOutput struct {
+		result *CaptureResult
+		logX   float64
+		logY   float64
+		scale  float64
+	}
+	var pending []pendingOutput
+	maxScale := 1.0
 
 	for _, output := range outputs {
 		result, err := s.captureWholeOutput(output)
@@ -322,50 +321,74 @@ func (s *Screenshoter) captureAllScreens() (*CaptureResult, error) {
 			continue
 		}
 
-		outX, outY := output.x, output.y
+		logX, logY := float64(output.x), float64(output.y)
 		scale := float64(output.scale)
+
 		switch DetectCompositor() {
 		case CompositorHyprland:
 			if hx, hy, _, _, ok := GetHyprlandMonitorGeometry(output.name); ok {
-				outX, outY = hx, hy
+				logX, logY = float64(hx), float64(hy)
 			}
-			if s := GetHyprlandMonitorScale(output.name); s > 0 {
-				scale = s
+			if hs := GetHyprlandMonitorScale(output.name); hs > 0 {
+				scale = hs
 			}
-		case CompositorDWL:
-			if info, ok := getOutputInfo(output.name); ok {
-				outX, outY = info.x, info.y
+		default:
+			if wlrInfos != nil {
+				if info, ok := wlrInfos[output.name]; ok {
+					logX, logY = float64(info.x), float64(info.y)
+					if info.scale > 0 {
+						scale = info.scale
+					}
+				}
 			}
 		}
+
 		if scale <= 0 {
 			scale = 1.0
 		}
 
-		physX := int(float64(outX) * scale)
-		physY := int(float64(outY) * scale)
+		pending = append(pending, pendingOutput{result: result, logX: logX, logY: logY, scale: scale})
+		if scale > maxScale {
+			maxScale = scale
+		}
+	}
 
-		captured = append(captured, capturedOutput{
-			output: output,
-			result: result,
-			physX:  physX,
-			physY:  physY,
-		})
+	if len(pending) == 0 {
+		return nil, fmt.Errorf("failed to capture any outputs")
+	}
+	if len(pending) == 1 {
+		return pending[0].result, nil
+	}
 
-		right := physX + result.Buffer.Width
-		bottom := physY + result.Buffer.Height
+	type layoutEntry struct {
+		result  *CaptureResult
+		canvasX int
+		canvasY int
+		canvasW int
+		canvasH int
+	}
+	entries := make([]layoutEntry, len(pending))
+	var minX, minY, maxX, maxY int
 
-		if first {
-			minX, minY = physX, physY
-			maxX, maxY = right, bottom
-			first = false
+	for i, p := range pending {
+		cx := int(math.Round(p.logX * maxScale))
+		cy := int(math.Round(p.logY * maxScale))
+		cw := int(math.Round(float64(p.result.Buffer.Width) * maxScale / p.scale))
+		ch := int(math.Round(float64(p.result.Buffer.Height) * maxScale / p.scale))
+
+		entries[i] = layoutEntry{result: p.result, canvasX: cx, canvasY: cy, canvasW: cw, canvasH: ch}
+
+		right := cx + cw
+		bottom := cy + ch
+		if i == 0 {
+			minX, minY, maxX, maxY = cx, cy, right, bottom
 			continue
 		}
-
-		if physX < minX {
-			minX = physX
+		if cx < minX {
+			minX = cx
 		}
-		if physY < minY {
-			minY = physY
+		if cy < minY {
+			minY = cy
 		}
 		if right > maxX {
 			maxX = right
@@ -375,35 +398,26 @@ func (s *Screenshoter) captureAllScreens() (*CaptureResult, error) {
 		}
 	}
 
-	if len(captured) == 0 {
-		return nil, fmt.Errorf("failed to capture any outputs")
-	}
-
-	if len(captured) == 1 {
-		return captured[0].result, nil
-	}
-
 	totalW := maxX - minX
 	totalH := maxY - minY
-
-	compositeStride := totalW * 4
-	composite, err := CreateShmBuffer(totalW, totalH, compositeStride)
+	composite, err := CreateShmBuffer(totalW, totalH, totalW*4)
 	if err != nil {
-		for _, c := range captured {
-			c.result.Buffer.Close()
+		for _, e := range entries {
+			e.result.Buffer.Close()
 		}
 		return nil, fmt.Errorf("create composite buffer: %w", err)
 	}
-
 	composite.Clear()
 
 	var format uint32
-	for _, c := range captured {
+	for _, e := range entries {
 		if format == 0 {
-			format = c.result.Format
+			format = e.result.Format
 		}
-		s.blitBuffer(composite, c.result.Buffer, c.physX-minX, c.physY-minY, c.result.YInverted)
-		c.result.Buffer.Close()
+		s.blitBufferScaled(composite, e.result.Buffer,
+			e.canvasX-minX, e.canvasY-minY, e.canvasW, e.canvasH,
+			e.result.YInverted)
+		e.result.Buffer.Close()
 	}
 
 	return &CaptureResult{
@@ -413,32 +427,44 @@ func (s *Screenshoter) captureAllScreens() (*CaptureResult, error) {
 	}, nil
 }
 
-func (s *Screenshoter) blitBuffer(dst, src *ShmBuffer, dstX, dstY int, yInverted bool) {
+func (s *Screenshoter) blitBufferScaled(dst, src *ShmBuffer, dstX, dstY, dstW, dstH int, yInverted bool) {
+	if dstW <= 0 || dstH <= 0 {
+		return
+	}
+
 	srcData := src.Data()
 	dstData := dst.Data()
 
-	for srcY := 0; srcY < src.Height; srcY++ {
-		actualSrcY := srcY
-		if yInverted {
-			actualSrcY = src.Height - 1 - srcY
-		}
-
-		dy := dstY + srcY
-		if dy < 0 || dy >= dst.Height {
+	for dy := 0; dy < dstH; dy++ {
+		canvasY := dstY + dy
+		if canvasY < 0 || canvasY >= dst.Height {
 			continue
 		}
 
-		srcRowOff := actualSrcY * src.Stride
-		dstRowOff := dy * dst.Stride
+		srcY := dy * src.Height / dstH
+		if yInverted {
+			srcY = src.Height - 1 - srcY
+		}
+		if srcY < 0 || srcY >= src.Height {
+			continue
+		}
 
-		for srcX := 0; srcX < src.Width; srcX++ {
-			dx := dstX + srcX
-			if dx < 0 || dx >= dst.Width {
+		srcRowOff := srcY * src.Stride
+		dstRowOff := canvasY * dst.Stride
+
+		for dx := 0; dx < dstW; dx++ {
+			canvasX := dstX + dx
+			if canvasX < 0 || canvasX >= dst.Width {
+				continue
+			}
+
+			srcX := dx * src.Width / dstW
+			if srcX >= src.Width {
 				continue
 			}
 
 			si := srcRowOff + srcX*4
-			di := dstRowOff + dx*4
+			di := dstRowOff + canvasX*4
 
 			if si+3 >= len(srcData) || di+3 >= len(dstData) {
 				continue

core/internal/server/brightness/ddc.go

@@ -215,31 +215,34 @@ func (b *DDCBackend) SetBrightnessWithExponent(id string, value int, exponential
 		callback: callback,
 	}
 
-	if timer, exists := b.debounceTimers[id]; exists {
-		timer.Reset(200 * time.Millisecond)
-	} else {
-		b.debounceTimers[id] = time.AfterFunc(200*time.Millisecond, func() {
-			b.debounceMutex.Lock()
-			pending, exists := b.debouncePending[id]
-			if exists {
-				delete(b.debouncePending, id)
-			}
-			b.debounceMutex.Unlock()
-
-			if !exists {
-				return
-			}
-
-			err := b.setBrightnessImmediateWithExponent(id, pending.percent)
-			if err != nil {
-				log.Debugf("Failed to set brightness for %s: %v", id, err)
-			}
-
-			if pending.callback != nil {
-				pending.callback()
-			}
-		})
+	if existing, exists := b.debounceTimers[id]; exists {
+		if existing.Stop() {
+			b.debounceWg.Done()
+		}
 	}
+
+	b.debounceWg.Add(1)
+	b.debounceTimers[id] = time.AfterFunc(200*time.Millisecond, func() {
+		defer b.debounceWg.Done()
+
+		b.debounceMutex.Lock()
+		pending, hasPending := b.debouncePending[id]
+		delete(b.debouncePending, id)
+		delete(b.debounceTimers, id)
+		b.debounceMutex.Unlock()
+
+		if !hasPending {
+			return
+		}
+
+		if err := b.setBrightnessImmediateWithExponent(id, pending.percent); err != nil {
+			log.Debugf("Failed to set brightness for %s: %v", id, err)
+		}
+
+		if pending.callback != nil {
+			pending.callback()
+		}
+	})
 	b.debounceMutex.Unlock()
 
 	return nil
@@ -490,5 +493,19 @@ func (b *DDCBackend) valueToPercent(value int, max int, exponential bool) int {
 	return percent
 }
 
+func (b *DDCBackend) WaitPending() {
+	done := make(chan struct{})
+	go func() {
+		b.debounceWg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+	case <-time.After(5 * time.Second):
+		log.Debug("WaitPending timed out waiting for DDC writes")
+	}
+}
+
 func (b *DDCBackend) Close() {
 }

core/internal/server/brightness/types.go

@@ -84,6 +84,7 @@ type DDCBackend struct {
 	debounceMutex   sync.Mutex
 	debounceTimers  map[string]*time.Timer
 	debouncePending map[string]ddcPendingSet
+	debounceWg      sync.WaitGroup
 }
 
 type ddcPendingSet struct {

core/internal/server/clipboard/manager.go

@@ -212,9 +212,10 @@ func (m *Manager) setupDataDeviceSync() {
 		}
 
 		var offer any
-		if e.Id != nil {
+		switch {
+		case e.Id != nil:
 			offer = e.Id
-		} else if e.OfferId != 0 {
+		case e.OfferId != 0:
 			m.offerMutex.RLock()
 			offer = m.offerRegistry[e.OfferId]
 			m.offerMutex.RUnlock()
@@ -224,10 +225,6 @@ func (m *Manager) setupDataDeviceSync() {
 		wasOwner := m.isOwner
 		m.ownerLock.Unlock()
 
-		if offer == nil {
-			return
-		}
-
 		if wasOwner {
 			return
 		}
@@ -236,9 +233,11 @@ func (m *Manager) setupDataDeviceSync() {
 		m.currentOffer = offer
 
 		if prevOffer != nil && prevOffer != offer {
-			m.offerMutex.Lock()
-			delete(m.offerMimeTypes, prevOffer)
-			m.offerMutex.Unlock()
+			m.releaseOffer(prevOffer)
+		}
+
+		if offer == nil {
+			return
 		}
 
 		m.offerMutex.RLock()
@@ -292,6 +291,33 @@ func (m *Manager) setupDataDeviceSync() {
 	log.Info("Data device setup complete")
 }
 
+func (m *Manager) releaseOffer(offer any) {
+	if offer == nil {
+		return
+	}
+	typedOffer, ok := offer.(*ext_data_control.ExtDataControlOfferV1)
+	if !ok {
+		return
+	}
+	m.offerMutex.Lock()
+	delete(m.offerMimeTypes, offer)
+	delete(m.offerRegistry, typedOffer.ID())
+	m.offerMutex.Unlock()
+	typedOffer.Destroy()
+}
+
+func (m *Manager) releaseCurrentSource() {
+	if m.currentSource == nil {
+		return
+	}
+	source, ok := m.currentSource.(*ext_data_control.ExtDataControlSourceV1)
+	m.currentSource = nil
+	if !ok {
+		return
+	}
+	source.Destroy()
+}
+
 func (m *Manager) readAndStore(r *os.File, mimeType string) {
 	defer r.Close()
 
@@ -395,7 +421,7 @@ func (m *Manager) deduplicateInTx(b *bolt.Bucket, hash uint64) error {
 		if extractHash(v) != hash {
 			continue
 		}
-		entry, err := decodeEntry(v)
+		entry, err := decodeEntryMeta(v)
 		if err == nil && entry.Pinned {
 			continue
 		}
@@ -413,7 +439,7 @@ func (m *Manager) trimLengthInTx(b *bolt.Bucket) error {
 	c := b.Cursor()
 	var count int
 	for k, v := c.Last(); k != nil; k, v = c.Prev() {
-		entry, err := decodeEntry(v)
+		entry, err := decodeEntryMeta(v)
 		if err == nil && entry.Pinned {
 			continue
 		}
@@ -456,6 +482,14 @@ func encodeEntry(e Entry) ([]byte, error) {
 }
 
 func decodeEntry(data []byte) (Entry, error) {
+	return decodeEntryFields(data, true)
+}
+
+func decodeEntryMeta(data []byte) (Entry, error) {
+	return decodeEntryFields(data, false)
+}
+
+func decodeEntryFields(data []byte, withData bool) (Entry, error) {
 	buf := bytes.NewReader(data)
 	var e Entry
 
@@ -463,8 +497,15 @@ func decodeEntry(data []byte) (Entry, error) {
 
 	var dataLen uint32
 	binary.Read(buf, binary.BigEndian, &dataLen)
-	e.Data = make([]byte, dataLen)
-	buf.Read(e.Data)
+	switch {
+	case withData:
+		e.Data = make([]byte, dataLen)
+		buf.Read(e.Data)
+	default:
+		if _, err := buf.Seek(int64(dataLen), io.SeekCurrent); err != nil {
+			return e, err
+		}
+	}
 
 	var mimeLen uint32
 	binary.Read(buf, binary.BigEndian, &mimeLen)
@@ -668,14 +709,9 @@ func sizeStr(size int) string {
 func (m *Manager) updateState() {
 	history := m.GetHistory()
 
-	for i := range history {
-		history[i].Data = nil
-	}
-
 	var current *Entry
 	if len(history) > 0 {
 		c := history[0]
-		c.Data = nil
 		current = &c
 	}
 
@@ -750,7 +786,7 @@ func (m *Manager) GetHistory() []Entry {
 		c := b.Cursor()
 
 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
@@ -935,7 +971,7 @@ func (m *Manager) ClearHistory() {
 		var toDelete [][]byte
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil || !entry.Pinned {
 				toDelete = append(toDelete, k)
 			}
@@ -958,7 +994,7 @@ func (m *Manager) ClearHistory() {
 		if b != nil {
 			c := b.Cursor()
 			for k, v := c.First(); k != nil; k, v = c.Next() {
-				entry, _ := decodeEntry(v)
+				entry, _ := decodeEntryMeta(v)
 				if entry.Pinned {
 					pinnedCount++
 				}
@@ -1066,6 +1102,7 @@ func (m *Manager) SetClipboard(data []byte, mimeType string) error {
 			m.ownerLock.Unlock()
 		})
 
+		m.releaseCurrentSource()
 		m.currentSource = source
 		m.sourceMutex.Lock()
 		m.sourceMimeTypes = []string{mimeType}
@@ -1145,9 +1182,11 @@ func (m *Manager) Close() {
 	m.subscribers = make(map[string]chan State)
 	m.subMutex.Unlock()
 
-	if m.currentSource != nil {
-		source := m.currentSource.(*ext_data_control.ExtDataControlSourceV1)
-		source.Destroy()
+	m.releaseCurrentSource()
+
+	if m.currentOffer != nil {
+		m.releaseOffer(m.currentOffer)
+		m.currentOffer = nil
 	}
 
 	if m.dataDevice != nil {
@@ -1191,11 +1230,10 @@ func (m *Manager) clearOldEntries(days int) error {
 		var toDelete [][]byte
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
-			// Skip pinned entries
 			if entry.Pinned {
 				continue
 			}
@@ -1310,7 +1348,7 @@ func (m *Manager) Search(params SearchParams) SearchResult {
 
 		c := b.Cursor()
 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
@@ -1335,7 +1373,6 @@ func (m *Manager) Search(params SearchParams) SearchResult {
 				continue
 			}
 
-			entry.Data = nil
 			all = append(all, entry)
 		}
 		return nil
@@ -1510,7 +1547,7 @@ func (m *Manager) PinEntry(id uint64) error {
 		}
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil || !entry.Pinned {
 				continue
 			}
@@ -1528,7 +1565,6 @@ func (m *Manager) PinEntry(id uint64) error {
 		return nil
 	}
 
-	// Check pinned count
 	cfg := m.getConfig()
 	pinnedCount := 0
 	if err := m.db.View(func(tx *bolt.Tx) error {
@@ -1538,7 +1574,7 @@ func (m *Manager) PinEntry(id uint64) error {
 		}
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err == nil && entry.Pinned {
 				pinnedCount++
 			}
@@ -1629,12 +1665,11 @@ func (m *Manager) GetPinnedEntries() []Entry {
 
 		c := b.Cursor()
 		for k, v := c.Last(); k != nil; k, v = c.Prev() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err != nil {
 				continue
 			}
 			if entry.Pinned {
-				entry.Data = nil
 				pinned = append(pinned, entry)
 			}
 		}
@@ -1660,7 +1695,7 @@ func (m *Manager) GetPinnedCount() int {
 
 		c := b.Cursor()
 		for k, v := c.First(); k != nil; k, v = c.Next() {
-			entry, err := decodeEntry(v)
+			entry, err := decodeEntryMeta(v)
 			if err == nil && entry.Pinned {
 				count++
 			}
@@ -1779,6 +1814,7 @@ func (m *Manager) CopyFile(filePath string) error {
 			m.ownerLock.Unlock()
 		})
 
+		m.releaseCurrentSource()
 		m.currentSource = source
 
 		m.ownerLock.Lock()

core/internal/server/cups/actions.go

@@ -2,10 +2,8 @@ package cups
 
 import (
 	"errors"
-	"fmt"
 	"net"
 	"net/url"
-	"os/exec"
 	"strings"
 	"time"
 
@@ -277,42 +275,13 @@ func (m *Manager) GetClasses() ([]PrinterClass, error) {
 	return classes, nil
 }
 
-func createPrinterViaLpadmin(name, deviceURI, ppd, information, location string) error {
-	args := []string{"-p", name, "-E", "-v", deviceURI, "-m", ppd}
-	if information != "" {
-		args = append(args, "-D", information)
-	}
-	if location != "" {
-		args = append(args, "-L", location)
-	}
-	out, err := exec.Command("lpadmin", args...).CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("lpadmin failed: %s: %w", strings.TrimSpace(string(out)), err)
-	}
-	return nil
-}
-
-func deletePrinterViaLpadmin(name string) error {
-	out, err := exec.Command("lpadmin", "-x", name).CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("lpadmin failed: %s: %w", strings.TrimSpace(string(out)), err)
-	}
-	return nil
-}
-
 func (m *Manager) CreatePrinter(name, deviceURI, ppd string, shared bool, errorPolicy, information, location string) error {
 	usedPkHelper := false
 
 	err := m.client.CreatePrinter(name, deviceURI, ppd, shared, errorPolicy, information, location)
 	if isAuthError(err) && m.pkHelper != nil {
 		if err = m.pkHelper.PrinterAdd(name, deviceURI, ppd, information, location); err != nil {
-			// pkHelper failed (e.g., no polkit agent), try lpadmin as last resort.
-			// lpadmin -E enables the printer, so no further setup needed.
-			if lpadminErr := createPrinterViaLpadmin(name, deviceURI, ppd, information, location); lpadminErr != nil {
-				return err
-			}
-			m.RefreshState()
-			return nil
+			return err
 		}
 		usedPkHelper = true
 	} else if err != nil {
@@ -339,12 +308,6 @@ func (m *Manager) DeletePrinter(printerName string) error {
 	err := m.client.DeletePrinter(printerName)
 	if isAuthError(err) && m.pkHelper != nil {
 		err = m.pkHelper.PrinterDelete(printerName)
-		if err != nil {
-			// pkHelper failed, try lpadmin as last resort
-			if lpadminErr := deletePrinterViaLpadmin(printerName); lpadminErr == nil {
-				err = nil
-			}
-		}
 	}
 	if err == nil {
 		m.RefreshState()

core/internal/server/cups/handlers.go

@@ -70,8 +70,6 @@ func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
 		handleRestartJob(conn, req, manager)
 	case "cups.holdJob":
 		handleHoldJob(conn, req, manager)
-	case "cups.testConnection":
-		handleTestConnection(conn, req, manager)
 	default:
 		models.RespondError(conn, req.ID, fmt.Sprintf("unknown method: %s", req.Method))
 	}
@@ -466,22 +464,3 @@ func handleHoldJob(conn net.Conn, req models.Request, manager *Manager) {
 	}
 	models.Respond(conn, req.ID, models.SuccessResult{Success: true, Message: "job held"})
 }
-
-func handleTestConnection(conn net.Conn, req models.Request, manager *Manager) {
-	host, err := params.StringNonEmpty(req.Params, "host")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	port := params.IntOpt(req.Params, "port", 631)
-	protocol := params.StringOpt(req.Params, "protocol", "ipp")
-
-	result, err := manager.TestRemotePrinter(host, port, protocol)
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, result)
-}

core/internal/server/cups/test_connection.go

@@ -1,176 +0,0 @@
-package cups
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/ipp"
-)
-
-var validProtocols = map[string]bool{
-	"ipp":    true,
-	"ipps":   true,
-	"lpd":    true,
-	"socket": true,
-}
-
-func validateTestConnectionParams(host string, port int, protocol string) error {
-	if host == "" {
-		return errors.New("host is required")
-	}
-	if strings.ContainsAny(host, " \t\n\r/\\") {
-		return errors.New("host contains invalid characters")
-	}
-	if port < 1 || port > 65535 {
-		return errors.New("port must be between 1 and 65535")
-	}
-	if protocol != "" && !validProtocols[protocol] {
-		return errors.New("protocol must be one of: ipp, ipps, lpd, socket")
-	}
-	return nil
-}
-
-const probeTimeout = 10 * time.Second
-
-func probeRemotePrinter(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-	addr := net.JoinHostPort(host, fmt.Sprintf("%d", port))
-
-	// Fast fail: TCP reachability check
-	conn, err := net.DialTimeout("tcp", addr, probeTimeout)
-	if err != nil {
-		return &RemotePrinterInfo{
-			Reachable: false,
-			Error:     fmt.Sprintf("cannot reach %s: %s", addr, err.Error()),
-		}, nil
-	}
-	conn.Close()
-
-	// Create a temporary IPP client pointing at the remote host.
-	// The TCP dial above provides fast-fail for unreachable hosts.
-	// The IPP adapter's ResponseHeaderTimeout (90s) bounds stalling servers.
-	client := ipp.NewIPPClient(host, port, "", "", useTLS)
-
-	// Try /ipp/print first (modern driverless printers), then / (legacy)
-	info, err := probeIPPEndpoint(client, host, port, useTLS, "/ipp/print")
-	if err != nil {
-		// If we got an auth error, the printer exists but requires credentials.
-		// Report it as reachable with the URI that triggered the auth challenge.
-		if isAuthError(err) {
-			proto := "ipp"
-			if useTLS {
-				proto = "ipps"
-			}
-			return &RemotePrinterInfo{
-				Reachable: true,
-				URI:       fmt.Sprintf("%s://%s:%d/ipp/print", proto, host, port),
-				Info:      "authentication required",
-			}, nil
-		}
-		info, err = probeIPPEndpoint(client, host, port, useTLS, "/")
-	}
-	if err != nil {
-		if isAuthError(err) {
-			proto := "ipp"
-			if useTLS {
-				proto = "ipps"
-			}
-			return &RemotePrinterInfo{
-				Reachable: true,
-				URI:       fmt.Sprintf("%s://%s:%d/", proto, host, port),
-				Info:      "authentication required",
-			}, nil
-		}
-		// TCP reachable but not an IPP printer
-		return &RemotePrinterInfo{
-			Reachable: true,
-			Error:     fmt.Sprintf("host is reachable but does not appear to be an IPP printer: %s", err.Error()),
-		}, nil
-	}
-
-	return info, nil
-}
-
-func probeIPPEndpoint(client *ipp.IPPClient, host string, port int, useTLS bool, resourcePath string) (*RemotePrinterInfo, error) {
-	proto := "ipp"
-	if useTLS {
-		proto = "ipps"
-	}
-	printerURI := fmt.Sprintf("%s://%s:%d%s", proto, host, port, resourcePath)
-
-	httpProto := "http"
-	if useTLS {
-		httpProto = "https"
-	}
-	httpURL := fmt.Sprintf("%s://%s:%d%s", httpProto, host, port, resourcePath)
-
-	req := ipp.NewRequest(ipp.OperationGetPrinterAttributes, 1)
-	req.OperationAttributes[ipp.AttributePrinterURI] = printerURI
-	req.OperationAttributes[ipp.AttributeRequestedAttributes] = []string{
-		ipp.AttributePrinterName,
-		ipp.AttributePrinterMakeAndModel,
-		ipp.AttributePrinterState,
-		ipp.AttributePrinterInfo,
-		ipp.AttributePrinterUriSupported,
-	}
-
-	resp, err := client.SendRequest(httpURL, req, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(resp.PrinterAttributes) == 0 {
-		return nil, errors.New("no printer attributes returned")
-	}
-
-	attrs := resp.PrinterAttributes[0]
-
-	return &RemotePrinterInfo{
-		Reachable: true,
-		MakeModel: getStringAttr(attrs, ipp.AttributePrinterMakeAndModel),
-		Name:      getStringAttr(attrs, ipp.AttributePrinterName),
-		Info:      getStringAttr(attrs, ipp.AttributePrinterInfo),
-		State:     parsePrinterState(attrs),
-		URI:       printerURI,
-	}, nil
-}
-
-// TestRemotePrinter validates inputs and probes a remote printer via IPP.
-// For lpd/socket protocols, only TCP reachability is tested.
-func (m *Manager) TestRemotePrinter(host string, port int, protocol string) (*RemotePrinterInfo, error) {
-	if protocol == "" {
-		protocol = "ipp"
-	}
-
-	if err := validateTestConnectionParams(host, port, protocol); err != nil {
-		return nil, err
-	}
-
-	// For non-IPP protocols, only check TCP reachability
-	if protocol == "lpd" || protocol == "socket" {
-		addr := net.JoinHostPort(host, fmt.Sprintf("%d", port))
-		conn, err := net.DialTimeout("tcp", addr, probeTimeout)
-		if err != nil {
-			return &RemotePrinterInfo{
-				Reachable: false,
-				Error:     fmt.Sprintf("cannot reach %s: %s", addr, err.Error()),
-			}, nil
-		}
-		conn.Close()
-		return &RemotePrinterInfo{
-			Reachable: true,
-			URI:       fmt.Sprintf("%s://%s:%d", protocol, host, port),
-		}, nil
-	}
-
-	useTLS := protocol == "ipps"
-
-	probeFn := m.probeRemoteFn
-	if probeFn == nil {
-		probeFn = probeRemotePrinter
-	}
-
-	return probeFn(host, port, useTLS)
-}

core/internal/server/cups/test_connection_test.go

@@ -1,397 +0,0 @@
-package cups
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"testing"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/ipp"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValidateTestConnectionParams(t *testing.T) {
-	tests := []struct {
-		name     string
-		host     string
-		port     int
-		protocol string
-		wantErr  string
-	}{
-		{
-			name:     "valid ipp",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "",
-		},
-		{
-			name:     "valid ipps",
-			host:     "printer.local",
-			port:     443,
-			protocol: "ipps",
-			wantErr:  "",
-		},
-		{
-			name:     "valid lpd",
-			host:     "10.0.0.1",
-			port:     515,
-			protocol: "lpd",
-			wantErr:  "",
-		},
-		{
-			name:     "valid socket",
-			host:     "10.0.0.1",
-			port:     9100,
-			protocol: "socket",
-			wantErr:  "",
-		},
-		{
-			name:     "empty host",
-			host:     "",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host is required",
-		},
-		{
-			name:     "port too low",
-			host:     "192.168.0.5",
-			port:     0,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "port too high",
-			host:     "192.168.0.5",
-			port:     70000,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "invalid protocol",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ftp",
-			wantErr:  "protocol must be one of: ipp, ipps, lpd, socket",
-		},
-		{
-			name:     "empty protocol treated as ipp",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "",
-			wantErr:  "",
-		},
-		{
-			name:     "host with slash",
-			host:     "192.168.0.5/admin",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-		{
-			name:     "host with space",
-			host:     "192.168.0.5 ",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-		{
-			name:     "host with newline",
-			host:     "192.168.0.5\n",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host contains invalid characters",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateTestConnectionParams(tt.host, tt.port, tt.protocol)
-			if tt.wantErr == "" {
-				assert.NoError(t, err)
-			} else {
-				assert.EqualError(t, err, tt.wantErr)
-			}
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_Validation(t *testing.T) {
-	m := NewTestManager(nil, nil)
-
-	tests := []struct {
-		name     string
-		host     string
-		port     int
-		protocol string
-		wantErr  string
-	}{
-		{
-			name:     "empty host returns error",
-			host:     "",
-			port:     631,
-			protocol: "ipp",
-			wantErr:  "host is required",
-		},
-		{
-			name:     "invalid port returns error",
-			host:     "192.168.0.5",
-			port:     0,
-			protocol: "ipp",
-			wantErr:  "port must be between 1 and 65535",
-		},
-		{
-			name:     "invalid protocol returns error",
-			host:     "192.168.0.5",
-			port:     631,
-			protocol: "ftp",
-			wantErr:  "protocol must be one of: ipp, ipps, lpd, socket",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			_, err := m.TestRemotePrinter(tt.host, tt.port, tt.protocol)
-			assert.EqualError(t, err, tt.wantErr)
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_IPP(t *testing.T) {
-	tests := []struct {
-		name      string
-		protocol  string
-		probeRet  *RemotePrinterInfo
-		probeErr  error
-		wantTLS   bool
-		wantReach bool
-		wantModel string
-	}{
-		{
-			name:     "successful ipp probe",
-			protocol: "ipp",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "HP OfficeJet 8010",
-				Name:      "OfficeJet",
-				State:     "idle",
-				URI:       "ipp://192.168.0.5:631/ipp/print",
-			},
-			wantTLS:   false,
-			wantReach: true,
-			wantModel: "HP OfficeJet 8010",
-		},
-		{
-			name:     "successful ipps probe",
-			protocol: "ipps",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "HP OfficeJet 8010",
-				URI:       "ipps://192.168.0.5:631/ipp/print",
-			},
-			wantTLS:   true,
-			wantReach: true,
-			wantModel: "HP OfficeJet 8010",
-		},
-		{
-			name:     "unreachable host",
-			protocol: "ipp",
-			probeRet: &RemotePrinterInfo{
-				Reachable: false,
-				Error:     "cannot reach 192.168.0.5:631: connection refused",
-			},
-			wantReach: false,
-		},
-		{
-			name:     "empty protocol defaults to ipp",
-			protocol: "",
-			probeRet: &RemotePrinterInfo{
-				Reachable: true,
-				MakeModel: "Test Printer",
-			},
-			wantTLS:   false,
-			wantReach: true,
-			wantModel: "Test Printer",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var capturedTLS bool
-			m := NewTestManager(nil, nil)
-			m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-				capturedTLS = useTLS
-				return tt.probeRet, tt.probeErr
-			}
-
-			result, err := m.TestRemotePrinter("192.168.0.5", 631, tt.protocol)
-			if tt.probeErr != nil {
-				assert.Error(t, err)
-				return
-			}
-			assert.NoError(t, err)
-			assert.Equal(t, tt.wantReach, result.Reachable)
-			assert.Equal(t, tt.wantModel, result.MakeModel)
-			assert.Equal(t, tt.wantTLS, capturedTLS)
-		})
-	}
-}
-
-func TestManager_TestRemotePrinter_AuthRequired(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		// Simulate what happens when the printer returns HTTP 401
-		return probeRemotePrinterWithAuthError(host, port, useTLS)
-	}
-
-	result, err := m.TestRemotePrinter("192.168.0.107", 631, "ipp")
-	assert.NoError(t, err)
-	assert.True(t, result.Reachable)
-	assert.Equal(t, "authentication required", result.Info)
-	assert.Contains(t, result.URI, "ipp://192.168.0.107:631")
-}
-
-// probeRemotePrinterWithAuthError simulates a probe where the printer
-// returns HTTP 401 on both endpoints.
-func probeRemotePrinterWithAuthError(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-	// This simulates what probeRemotePrinter does when both endpoints
-	// return auth errors. We test the auth detection logic directly.
-	err := ipp.HTTPError{Code: 401}
-	if isAuthError(err) {
-		proto := "ipp"
-		if useTLS {
-			proto = "ipps"
-		}
-		return &RemotePrinterInfo{
-			Reachable: true,
-			URI:       fmt.Sprintf("%s://%s:%d/ipp/print", proto, host, port),
-			Info:      "authentication required",
-		}, nil
-	}
-	return nil, err
-}
-
-func TestManager_TestRemotePrinter_NonIPPProtocol(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	probeCalled := false
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		probeCalled = true
-		return nil, nil
-	}
-
-	// These will fail at TCP dial (no real server), but the important
-	// thing is that probeRemoteFn is NOT called for lpd/socket.
-	m.TestRemotePrinter("192.168.0.5", 9100, "socket")
-	assert.False(t, probeCalled, "probe function should not be called for socket protocol")
-
-	m.TestRemotePrinter("192.168.0.5", 515, "lpd")
-	assert.False(t, probeCalled, "probe function should not be called for lpd protocol")
-}
-
-func TestHandleTestConnection_Success(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		return &RemotePrinterInfo{
-			Reachable: true,
-			MakeModel: "HP OfficeJet 8010",
-			Name:      "OfficeJet",
-			State:     "idle",
-			URI:       "ipp://192.168.0.5:631/ipp/print",
-		}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{
-			"host": "192.168.0.5",
-		},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-	assert.Equal(t, "HP OfficeJet 8010", resp.Result.MakeModel)
-}
-
-func TestHandleTestConnection_MissingHost(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[any]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.Nil(t, resp.Result)
-	assert.NotNil(t, resp.Error)
-}
-
-func TestHandleTestConnection_CustomPortAndProtocol(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		assert.Equal(t, 9631, port)
-		assert.True(t, useTLS)
-		return &RemotePrinterInfo{Reachable: true, URI: "ipps://192.168.0.5:9631/ipp/print"}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{
-			"host":     "192.168.0.5",
-			"port":     float64(9631),
-			"protocol": "ipps",
-		},
-	}
-
-	handleTestConnection(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-}
-
-func TestHandleRequest_TestConnection(t *testing.T) {
-	m := NewTestManager(nil, nil)
-	m.probeRemoteFn = func(host string, port int, useTLS bool) (*RemotePrinterInfo, error) {
-		return &RemotePrinterInfo{Reachable: true}, nil
-	}
-
-	buf := &bytes.Buffer{}
-	conn := &mockConn{Buffer: buf}
-
-	req := models.Request{
-		ID:     1,
-		Method: "cups.testConnection",
-		Params: map[string]any{"host": "192.168.0.5"},
-	}
-
-	HandleRequest(conn, req, m)
-
-	var resp models.Response[RemotePrinterInfo]
-	err := json.NewDecoder(buf).Decode(&resp)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp.Result)
-	assert.True(t, resp.Result.Reachable)
-}

core/internal/server/cups/types.go

@@ -55,16 +55,6 @@ type PPD struct {
 	Type            string `json:"type"`
 }
 
-type RemotePrinterInfo struct {
-	Reachable bool   `json:"reachable"`
-	MakeModel string `json:"makeModel"`
-	Name      string `json:"name"`
-	Info      string `json:"info"`
-	State     string `json:"state"`
-	URI       string `json:"uri"`
-	Error     string `json:"error,omitempty"`
-}
-
 type PrinterClass struct {
 	Name     string   `json:"name"`
 	URI      string   `json:"uri"`
@@ -87,7 +77,6 @@ type Manager struct {
 	notifierWg        sync.WaitGroup
 	lastNotifiedState *CUPSState
 	baseURL           string
-	probeRemoteFn     func(host string, port int, useTLS bool) (*RemotePrinterInfo, error)
 }
 
 type SubscriptionManagerInterface interface {

core/internal/server/evdev/manager.go

@@ -391,7 +391,7 @@ func (m *Manager) Close() {
 
 func InitializeManager() (*Manager, error) {
 	if os.Getuid() != 0 && !hasInputGroupAccess() {
-		return nil, fmt.Errorf("insufficient permissions to access input devices")
+		return nil, fmt.Errorf("insufficient permissions to access input devices. Add your user to the 'input' group: `sudo usermod -a -G input $USER` or run `dms setup`")
 	}
 
 	return NewManager()

core/internal/server/freedesktop/screensaver.go

@@ -104,7 +104,7 @@ func (m *Manager) claimScreensaverName(handler *screensaverHandler, name, iface
 		return false
 	}
 	if reply != dbus.RequestNameReplyPrimaryOwner {
-		log.Warnf("Screensaver name %s already owned by another process", name)
+		log.Infof("Screensaver name %s already owned by another process (e.g. hypridle/swayidle)", name)
 		return false
 	}
 	if err := m.exportScreensaverOnPaths(handler, iface, paths...); err != nil {

core/internal/server/location/handlers.go

@@ -1,61 +0,0 @@
-package location
-
-import (
-	"encoding/json"
-	"fmt"
-	"net"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
-)
-
-type LocationEvent struct {
-	Type string `json:"type"`
-	Data State  `json:"data"`
-}
-
-func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
-	switch req.Method {
-	case "location.getState":
-		handleGetState(conn, req, manager)
-	case "location.subscribe":
-		handleSubscribe(conn, req, manager)
-
-	default:
-		models.RespondError(conn, req.ID, fmt.Sprintf("unknown method: %s", req.Method))
-	}
-}
-
-func handleGetState(conn net.Conn, req models.Request, manager *Manager) {
-	models.Respond(conn, req.ID, manager.GetState())
-}
-
-func handleSubscribe(conn net.Conn, req models.Request, manager *Manager) {
-	clientID := fmt.Sprintf("client-%p", conn)
-	stateChan := manager.Subscribe(clientID)
-	defer manager.Unsubscribe(clientID)
-
-	initialState := manager.GetState()
-	event := LocationEvent{
-		Type: "state_changed",
-		Data: initialState,
-	}
-
-	if err := json.NewEncoder(conn).Encode(models.Response[LocationEvent]{
-		ID:     req.ID,
-		Result: &event,
-	}); err != nil {
-		return
-	}
-
-	for state := range stateChan {
-		event := LocationEvent{
-			Type: "state_changed",
-			Data: state,
-		}
-		if err := json.NewEncoder(conn).Encode(models.Response[LocationEvent]{
-			Result: &event,
-		}); err != nil {
-			return
-		}
-	}
-}

core/internal/server/location/manager.go

@@ -1,175 +0,0 @@
-package location
-
-import (
-	"time"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-)
-
-func NewManager(client geolocation.Client) (*Manager, error) {
-	currLocation, err := client.GetLocation()
-	if err != nil {
-		log.Warnf("Failed to get initial location: %v", err)
-	}
-
-	m := &Manager{
-		client:   client,
-		dirty:    make(chan struct{}),
-		stopChan: make(chan struct{}),
-
-		state: &State{
-			Latitude:  currLocation.Latitude,
-			Longitude: currLocation.Longitude,
-		},
-	}
-
-	if err := m.startSignalPump(); err != nil {
-		return nil, err
-	}
-
-	m.notifierWg.Add(1)
-	go m.notifier()
-
-	return m, nil
-}
-
-func (m *Manager) Close() {
-	close(m.stopChan)
-	m.notifierWg.Wait()
-
-	m.sigWG.Wait()
-
-	m.subscribers.Range(func(key string, ch chan State) bool {
-		close(ch)
-		m.subscribers.Delete(key)
-		return true
-	})
-}
-
-func (m *Manager) Subscribe(id string) chan State {
-	ch := make(chan State, 64)
-	m.subscribers.Store(id, ch)
-	return ch
-}
-
-func (m *Manager) Unsubscribe(id string) {
-	if ch, ok := m.subscribers.LoadAndDelete(id); ok {
-		close(ch)
-	}
-}
-
-func (m *Manager) startSignalPump() error {
-	m.sigWG.Add(1)
-	go func() {
-		defer m.sigWG.Done()
-
-		subscription := m.client.Subscribe("locationManager")
-		defer m.client.Unsubscribe("locationManager")
-
-		for {
-			select {
-			case <-m.stopChan:
-				return
-			case location, ok := <-subscription:
-				if !ok {
-					return
-				}
-
-				m.handleLocationChange(location)
-			}
-		}
-	}()
-
-	return nil
-}
-
-func (m *Manager) handleLocationChange(location geolocation.Location) {
-	m.stateMutex.Lock()
-	defer m.stateMutex.Unlock()
-
-	m.state.Latitude = location.Latitude
-	m.state.Longitude = location.Longitude
-
-	m.notifySubscribers()
-}
-
-func (m *Manager) notifySubscribers() {
-	select {
-	case m.dirty <- struct{}{}:
-	default:
-	}
-}
-
-func (m *Manager) GetState() State {
-	m.stateMutex.RLock()
-	defer m.stateMutex.RUnlock()
-	if m.state == nil {
-		return State{
-			Latitude:  0.0,
-			Longitude: 0.0,
-		}
-	}
-	stateCopy := *m.state
-	return stateCopy
-}
-
-func (m *Manager) notifier() {
-	defer m.notifierWg.Done()
-	const minGap = 200 * time.Millisecond
-	timer := time.NewTimer(minGap)
-	timer.Stop()
-	var pending bool
-
-	for {
-		select {
-		case <-m.stopChan:
-			timer.Stop()
-			return
-		case <-m.dirty:
-			if pending {
-				continue
-			}
-			pending = true
-			timer.Reset(minGap)
-		case <-timer.C:
-			if !pending {
-				continue
-			}
-
-			currentState := m.GetState()
-
-			if m.lastNotified != nil && !stateChanged(m.lastNotified, &currentState) {
-				pending = false
-				continue
-			}
-
-			m.subscribers.Range(func(key string, ch chan State) bool {
-				select {
-				case ch <- currentState:
-				default:
-					log.Warn("Location: subscriber channel full, dropping update")
-				}
-				return true
-			})
-
-			stateCopy := currentState
-			m.lastNotified = &stateCopy
-			pending = false
-		}
-	}
-}
-
-func stateChanged(old, new *State) bool {
-	if old == nil || new == nil {
-		return true
-	}
-	if old.Latitude != new.Latitude {
-		return true
-	}
-	if old.Longitude != new.Longitude {
-		return true
-	}
-
-	return false
-}

core/internal/server/location/types.go

@@ -1,28 +0,0 @@
-package location
-
-import (
-	"sync"
-
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
-	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
-)
-
-type State struct {
-	Latitude  float64 `json:"latitude"`
-	Longitude float64 `json:"longitude"`
-}
-
-type Manager struct {
-	state      *State
-	stateMutex sync.RWMutex
-
-	client geolocation.Client
-
-	stopChan chan struct{}
-	sigWG    sync.WaitGroup
-
-	subscribers  syncmap.Map[string, chan State]
-	dirty        chan struct{}
-	notifierWg   sync.WaitGroup
-	lastNotified *State
-}

core/internal/server/network/backend.go

@@ -10,7 +10,6 @@ type Backend interface {
 	ScanWiFi() error
 	ScanWiFiDevice(device string) error
 	GetWiFiNetworkDetails(ssid string) (*NetworkInfoResponse, error)
-	GetWiFiQRCodeContent(ssid string) (string, error)
 	GetWiFiDevices() []WiFiDevice
 
 	ConnectWiFi(req ConnectionRequest) error

core/internal/server/network/backend_hybrid_iwd_networkd.go

@@ -111,10 +111,6 @@ func (b *HybridIwdNetworkdBackend) GetWiFiNetworkDetails(ssid string) (*NetworkI
 	return b.wifi.GetWiFiNetworkDetails(ssid)
 }
 
-func (b *HybridIwdNetworkdBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	return b.wifi.GetWiFiQRCodeContent(ssid)
-}
-
 func (b *HybridIwdNetworkdBackend) ConnectWiFi(req ConnectionRequest) error {
 	if err := b.wifi.ConnectWiFi(req); err != nil {
 		return err

core/internal/server/network/backend_iwd_unimplemented.go

@@ -1,9 +1,6 @@
 package network
 
-import (
-	"fmt"
-	"os"
-)
+import "fmt"
 
 func (b *IWDBackend) GetWiredConnections() ([]WiredConnection, error) {
 	return nil, fmt.Errorf("wired connections not supported by iwd")
@@ -115,19 +112,3 @@ func (b *IWDBackend) getWiFiDevicesLocked() []WiFiDevice {
 		Networks:  b.state.WiFiNetworks,
 	}}
 }
-
-func (b *IWDBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	path := iwdConfigPath(ssid)
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return "", fmt.Errorf("no saved iwd config for `%s`: %w", ssid, err)
-	}
-
-	passphrase, err := parseIWDPassphrase(string(data))
-	if err != nil {
-		return "", fmt.Errorf("failed to read passphrase for `%s`: %w", ssid, err)
-	}
-
-	return FormatWiFiQRString("WPA", ssid, passphrase), nil
-}

core/internal/server/network/backend_networkd_unimplemented.go

@@ -18,10 +18,6 @@ func (b *SystemdNetworkdBackend) GetWiFiNetworkDetails(ssid string) (*NetworkInf
 	return nil, fmt.Errorf("WiFi details not supported by networkd backend")
 }
 
-func (b *SystemdNetworkdBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	return "", fmt.Errorf("WiFi QR Code not supported by networkd backend")
-}
-
 func (b *SystemdNetworkdBackend) ConnectWiFi(req ConnectionRequest) error {
 	return fmt.Errorf("WiFi connect not supported by networkd backend")
 }

core/internal/server/network/backend_networkmanager_wifi.go

@@ -158,18 +158,26 @@ func (b *NetworkManagerBackend) GetWiFiNetworkDetails(ssid string) (*NetworkInfo
 
 		channel := frequencyToChannel(freq)
 
+		isConnected := ssid == currentSSID && bssid == currentBSSID
+		rate := maxBitrate / 1000
+		if isConnected {
+			if devBitrate, err := w.GetPropertyBitrate(); err == nil && devBitrate > 0 {
+				rate = devBitrate / 1000
+			}
+		}
+
 		network := WiFiNetwork{
 			SSID:        ssid,
 			BSSID:       bssid,
 			Signal:      strength,
 			Secured:     secured,
 			Enterprise:  enterprise,
-			Connected:   ssid == currentSSID && bssid == currentBSSID,
+			Connected:   isConnected,
 			Saved:       savedSSIDs[ssid],
 			Autoconnect: autoconnectMap[ssid],
 			Frequency:   freq,
 			Mode:        modeStr,
-			Rate:        maxBitrate / 1000,
+			Rate:        rate,
 			Channel:     channel,
 		}
 
@@ -196,65 +204,6 @@ func (b *NetworkManagerBackend) GetWiFiNetworkDetails(ssid string) (*NetworkInfo
 	}, nil
 }
 
-func (b *NetworkManagerBackend) GetWiFiQRCodeContent(ssid string) (string, error) {
-	conn, err := b.findConnection(ssid)
-	if err != nil {
-		return "", fmt.Errorf("no saved connection for `%s`: %w", ssid, err)
-	}
-
-	connSettings, err := conn.GetSettings()
-	if err != nil {
-		return "", fmt.Errorf("failed to get settings for `%s`: %w", ssid, err)
-	}
-
-	secSettings, ok := connSettings["802-11-wireless-security"]
-	if !ok {
-		return "", fmt.Errorf("network `%s` has no security settings", ssid)
-	}
-
-	keyMgmt, ok := secSettings["key-mgmt"].(string)
-	if !ok {
-		return "", fmt.Errorf("failed to identify security type of network `%s`", ssid)
-	}
-
-	var securityType string
-	switch keyMgmt {
-	case "none":
-		authAlg, _ := secSettings["auth-alg"].(string)
-		switch authAlg {
-		case "open":
-			securityType = "nopass"
-		default:
-			securityType = "WEP"
-		}
-	case "ieee8021x":
-		securityType = "WEP"
-	default:
-		securityType = "WPA"
-	}
-
-	if securityType != "WPA" {
-		return "", fmt.Errorf("QR code generation only supports WPA connections, `%s` uses %s", ssid, securityType)
-	}
-
-	secrets, err := conn.GetSecrets("802-11-wireless-security")
-	if err != nil {
-		return "", fmt.Errorf("failed to retrieve connection secrets for `%s`: %w", ssid, err)
-	}
-
-	secSecrets, ok := secrets["802-11-wireless-security"]
-	if !ok {
-		return "", fmt.Errorf("failed to retrieve password for `%s`", ssid)
-	}
-
-	psk, ok := secSecrets["psk"].(string)
-	if !ok {
-		return "", fmt.Errorf("failed to retrieve password for `%s`", ssid)
-	}
-
-	return FormatWiFiQRString(securityType, ssid, psk), nil
-}
-
 func (b *NetworkManagerBackend) ConnectWiFi(req ConnectionRequest) error {
 	devInfo, err := b.getWifiDeviceForConnection(req.Device)
 	if err != nil {
@@ -514,19 +463,27 @@ func (b *NetworkManagerBackend) updateWiFiNetworks() ([]WiFiNetwork, error) {
 
 		channel := frequencyToChannel(freq)
 
+		isConnected := ssid == currentSSID
+		rate := maxBitrate / 1000
+		if isConnected {
+			if devBitrate, err := w.GetPropertyBitrate(); err == nil && devBitrate > 0 {
+				rate = devBitrate / 1000
+			}
+		}
+
 		network := WiFiNetwork{
 			SSID:        ssid,
 			BSSID:       bssid,
 			Signal:      strength,
 			Secured:     secured,
 			Enterprise:  enterprise,
-			Connected:   ssid == currentSSID,
+			Connected:   isConnected,
 			Saved:       savedSSIDs[ssid],
 			Autoconnect: autoconnectMap[ssid],
 			Hidden:      hiddenSSIDs[ssid],
 			Frequency:   freq,
 			Mode:        modeStr,
-			Rate:        maxBitrate / 1000,
+			Rate:        rate,
 			Channel:     channel,
 		}
 
@@ -1062,19 +1019,27 @@ func (b *NetworkManagerBackend) updateAllWiFiDevices() {
 
 				channel := frequencyToChannel(freq)
 
+				isConnected := connected && apSSID == ssid
+				rate := maxBitrate / 1000
+				if isConnected {
+					if devBitrate, err := devInfo.wireless.GetPropertyBitrate(); err == nil && devBitrate > 0 {
+						rate = devBitrate / 1000
+					}
+				}
+
 				network := WiFiNetwork{
 					SSID:        apSSID,
 					BSSID:       apBSSID,
 					Signal:      strength,
 					Secured:     secured,
 					Enterprise:  enterprise,
-					Connected:   connected && apSSID == ssid,
+					Connected:   isConnected,
 					Saved:       savedSSIDs[apSSID],
 					Autoconnect: autoconnectMap[apSSID],
 					Hidden:      hiddenSSIDs[apSSID],
 					Frequency:   freq,
 					Mode:        modeStr,
-					Rate:        maxBitrate / 1000,
+					Rate:        rate,
 					Channel:     channel,
 					Device:      name,
 				}

core/internal/server/network/handlers.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"os"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
@@ -41,10 +40,6 @@ func HandleRequest(conn net.Conn, req models.Request, manager *Manager) {
 		handleSetPreference(conn, req, manager)
 	case "network.info":
 		handleGetNetworkInfo(conn, req, manager)
-	case "network.qrcode":
-		handleGetNetworkQRCode(conn, req, manager)
-	case "network.delete-qrcode":
-		handleDeleteQRCode(conn, req, manager)
 	case "network.ethernet.info":
 		handleGetWiredNetworkInfo(conn, req, manager)
 	case "network.subscribe":
@@ -325,42 +320,6 @@ func handleGetNetworkInfo(conn net.Conn, req models.Request, manager *Manager) {
 	models.Respond(conn, req.ID, network)
 }
 
-func handleGetNetworkQRCode(conn net.Conn, req models.Request, manager *Manager) {
-	ssid, err := params.String(req.Params, "ssid")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	content, err := manager.GetNetworkQRCode(ssid)
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, content)
-}
-
-func handleDeleteQRCode(conn net.Conn, req models.Request, _ *Manager) {
-	path, err := params.String(req.Params, "path")
-	if err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	if !isValidQRCodePath(path) {
-		models.RespondError(conn, req.ID, "invalid QR code path")
-		return
-	}
-
-	if err := os.Remove(path); err != nil {
-		models.RespondError(conn, req.ID, err.Error())
-		return
-	}
-
-	models.Respond(conn, req.ID, models.SuccessResult{Success: true, Message: "QR code file deleted"})
-}
-
 func handleGetWiredNetworkInfo(conn net.Conn, req models.Request, manager *Manager) {
 	uuid, err := params.String(req.Params, "uuid")
 	if err != nil {

core/internal/server/network/manager.go

@@ -6,8 +6,6 @@ import (
 	"time"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
-	"github.com/yeqown/go-qrcode/v2"
-	"github.com/yeqown/go-qrcode/writer/standard"
 )
 
 func NewManager() (*Manager, error) {
@@ -440,43 +438,6 @@ func (m *Manager) GetNetworkInfoDetailed(ssid string) (*NetworkInfoResponse, err
 	return m.backend.GetWiFiNetworkDetails(ssid)
 }
 
-func (m *Manager) GetNetworkQRCode(ssid string) ([2]string, error) {
-	content, err := m.backend.GetWiFiQRCodeContent(ssid)
-	if err != nil {
-		return [2]string{}, err
-	}
-
-	qrc, err := qrcode.New(content)
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code for `%s`: %w", ssid, err)
-	}
-
-	pathThemed, pathNormal := qrCodePaths(ssid)
-
-	wThemed, err := standard.New(
-		pathThemed,
-		standard.WithBuiltinImageEncoder(standard.PNG_FORMAT),
-		standard.WithBgTransparent(),
-		standard.WithFgColorRGBHex("#ffffff"),
-	)
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code writer: %w", err)
-	}
-	if err := qrc.Save(wThemed); err != nil {
-		return [2]string{}, fmt.Errorf("failed to save QR code for `%s`: %w", ssid, err)
-	}
-
-	wNormal, err := standard.New(pathNormal, standard.WithBuiltinImageEncoder(standard.PNG_FORMAT))
-	if err != nil {
-		return [2]string{}, fmt.Errorf("failed to create QR code writer: %w", err)
-	}
-	if err := qrc.Save(wNormal); err != nil {
-		return [2]string{}, fmt.Errorf("failed to save QR code for `%s`: %w", ssid, err)
-	}
-
-	return [2]string{pathThemed, pathNormal}, nil
-}
-
 func (m *Manager) ToggleWiFi() error {
 	enabled, err := m.backend.GetWiFiEnabled()
 	if err != nil {

core/internal/server/network/wifi_qrcode.go

@@ -1,59 +0,0 @@
-package network
-
-import (
-	"fmt"
-	"path/filepath"
-	"regexp"
-	"strings"
-)
-
-const qrCodeTmpPrefix = "/tmp/dank-wifi-qrcode-"
-
-func FormatWiFiQRString(securityType, ssid, password string) string {
-	return fmt.Sprintf("WIFI:T:%s;S:%s;P:%s;;", securityType, ssid, password)
-}
-
-func qrCodePaths(ssid string) (themed, normal string) {
-	safe := sanitizeSSIDForPath(ssid)
-	themed = fmt.Sprintf("%s%s-themed.png", qrCodeTmpPrefix, safe)
-	normal = fmt.Sprintf("%s%s-normal.png", qrCodeTmpPrefix, safe)
-	return
-}
-
-func isValidQRCodePath(path string) bool {
-	clean := filepath.Clean(path)
-	return strings.HasPrefix(clean, qrCodeTmpPrefix) && strings.HasSuffix(clean, ".png")
-}
-
-var safePathChar = regexp.MustCompile(`[^a-zA-Z0-9_-]`)
-
-func sanitizeSSIDForPath(ssid string) string {
-	return safePathChar.ReplaceAllString(ssid, "_")
-}
-
-var iwdVerbatimSSID = regexp.MustCompile(`^[a-zA-Z0-9 _-]+$`)
-
-func iwdConfigPath(ssid string) string {
-	switch {
-	case iwdVerbatimSSID.MatchString(ssid):
-		return fmt.Sprintf("/var/lib/iwd/%s.psk", ssid)
-	default:
-		return fmt.Sprintf("/var/lib/iwd/=%x.psk", []byte(ssid))
-	}
-}
-
-func parseIWDPassphrase(data string) (string, error) {
-	inSecurity := false
-	for _, line := range strings.Split(data, "\n") {
-		line = strings.TrimSpace(line)
-		switch {
-		case line == "[Security]":
-			inSecurity = true
-		case strings.HasPrefix(line, "["):
-			inSecurity = false
-		case inSecurity && strings.HasPrefix(line, "Passphrase="):
-			return strings.TrimPrefix(line, "Passphrase="), nil
-		}
-	}
-	return "", fmt.Errorf("no passphrase found in iwd config")
-}

core/internal/server/router.go

@@ -15,7 +15,6 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/evdev"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/extworkspace"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/freedesktop"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/location"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/network"
@@ -193,15 +192,6 @@ func RouteRequest(conn net.Conn, req models.Request) {
 		return
 	}
 
-	if strings.HasPrefix(req.Method, "location.") {
-		if locationManager == nil {
-			models.RespondError(conn, req.ID, "location manager not initialized")
-			return
-		}
-		location.HandleRequest(conn, req, locationManager)
-		return
-	}
-
 	switch req.Method {
 	case "ping":
 		models.Respond(conn, req.ID, "pong")

core/internal/server/server.go

@@ -14,7 +14,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/apppicker"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/bluez"
@@ -26,7 +25,6 @@ import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/evdev"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/extworkspace"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/freedesktop"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/location"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/models"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/network"
@@ -72,7 +70,6 @@ var clipboardManager *clipboard.Manager
 var dbusManager *serverDbus.Manager
 var wlContext *wlcontext.SharedContext
 var themeModeManager *thememode.Manager
-var locationManager *location.Manager
 
 const dbusClientID = "dms-dbus-client"
 
@@ -191,7 +188,7 @@ func InitializeFreedeskManager() error {
 	return nil
 }
 
-func InitializeWaylandManager(geoClient geolocation.Client) error {
+func InitializeWaylandManager() error {
 	log.Info("Attempting to initialize Wayland gamma control...")
 
 	if wlContext == nil {
@@ -204,7 +201,7 @@ func InitializeWaylandManager(geoClient geolocation.Client) error {
 	}
 
 	config := wayland.DefaultConfig()
-	manager, err := wayland.NewManager(wlContext.Display(), geoClient, config)
+	manager, err := wayland.NewManager(wlContext.Display(), config)
 	if err != nil {
 		log.Errorf("Failed to initialize wayland manager: %v", err)
 		return err
@@ -385,27 +382,14 @@ func InitializeDbusManager() error {
 	return nil
 }
 
-func InitializeThemeModeManager(geoClient geolocation.Client) error {
-	manager := thememode.NewManager(geoClient)
+func InitializeThemeModeManager() error {
+	manager := thememode.NewManager()
 	themeModeManager = manager
 
 	log.Info("Theme mode automation manager initialized")
 	return nil
 }
 
-func InitializeLocationManager(geoClient geolocation.Client) error {
-	manager, err := location.NewManager(geoClient)
-	if err != nil {
-		log.Warnf("Failed to initialize location manager: %v", err)
-		return err
-	}
-
-	locationManager = manager
-
-	log.Info("Location manager initialized")
-	return nil
-}
-
 func handleConnection(conn net.Conn) {
 	defer conn.Close()
 
@@ -553,10 +537,6 @@ func getServerInfo() ServerInfo {
 		caps = append(caps, "theme.auto")
 	}
 
-	if locationManager != nil {
-		caps = append(caps, "location")
-	}
-
 	if dbusManager != nil {
 		caps = append(caps, "dbus")
 	}
@@ -1327,9 +1307,6 @@ func cleanupManagers() {
 	if wlContext != nil {
 		wlContext.Close()
 	}
-	if locationManager != nil {
-		locationManager.Close()
-	}
 }
 
 func Start(printDocs bool) error {
@@ -1511,9 +1488,6 @@ func Start(printDocs bool) error {
 		log.Info(" clipboard.getConfig                   - Get clipboard configuration")
 		log.Info(" clipboard.setConfig                   - Set configuration (params: maxHistory?, maxEntrySize?, autoClearDays?, clearAtStartup?)")
 		log.Info(" clipboard.subscribe                   - Subscribe to clipboard state changes (streaming)")
-		log.Info("Location:")
-		log.Info(" location.getState                      - Get current location state")
-		log.Info(" location.subscribe                     - Subscribe to location changes (streaming)")
 		log.Info("")
 	}
 	log.Info("Initializing managers...")
@@ -1545,9 +1519,6 @@ func Start(printDocs bool) error {
 	loginctlReady := make(chan struct{})
 	freedesktopReady := make(chan struct{})
 
-	geoClient := geolocation.NewClient()
-	defer geoClient.Close()
-
 	go func() {
 		defer close(loginctlReady)
 		if err := InitializeLoginctlManager(); err != nil {
@@ -1592,7 +1563,7 @@ func Start(printDocs bool) error {
 		}
 	}()
 
-	if err := InitializeWaylandManager(geoClient); err != nil {
+	if err := InitializeWaylandManager(); err != nil {
 		log.Warnf("Wayland manager unavailable: %v", err)
 	}
 
@@ -1624,7 +1595,7 @@ func Start(printDocs bool) error {
 		log.Debugf("WlrOutput manager unavailable: %v", err)
 	}
 
-	if err := InitializeThemeModeManager(geoClient); err != nil {
+	if err := InitializeThemeModeManager(); err != nil {
 		log.Warnf("Theme mode manager unavailable: %v", err)
 	} else {
 		notifyCapabilityChange()
@@ -1637,12 +1608,6 @@ func Start(printDocs bool) error {
 		}()
 	}
 
-	if err := InitializeLocationManager(geoClient); err != nil {
-		log.Warnf("Location manager unavailable: %v", err)
-	} else {
-		notifyCapabilityChange()
-	}
-
 	fatalErrChan := make(chan error, 1)
 	if wlrOutputManager != nil {
 		go func() {

core/internal/server/thememode/manager.go

@@ -5,7 +5,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/loginctl"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/server/wayland"
 	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
@@ -33,14 +32,12 @@ type Manager struct {
 	cachedIPLat   *float64
 	cachedIPLon   *float64
 
-	geoClient geolocation.Client
-
 	stopChan      chan struct{}
 	updateTrigger chan struct{}
 	wg            sync.WaitGroup
 }
 
-func NewManager(geoClient geolocation.Client) *Manager {
+func NewManager() *Manager {
 	m := &Manager{
 		config: Config{
 			Enabled:           false,
@@ -54,7 +51,6 @@ func NewManager(geoClient geolocation.Client) *Manager {
 		},
 		stopChan:      make(chan struct{}),
 		updateTrigger: make(chan struct{}, 1),
-		geoClient:     geoClient,
 	}
 
 	m.updateState(time.Now())
@@ -331,17 +327,17 @@ func (m *Manager) getLocation(config Config) (*float64, *float64) {
 	}
 	m.locationMutex.RUnlock()
 
-	location, err := m.geoClient.GetLocation()
+	lat, lon, err := wayland.FetchIPLocation()
 	if err != nil {
 		return nil, nil
 	}
 
 	m.locationMutex.Lock()
-	m.cachedIPLat = &location.Latitude
-	m.cachedIPLon = &location.Longitude
+	m.cachedIPLat = lat
+	m.cachedIPLon = lon
 	m.locationMutex.Unlock()
 
-	return m.cachedIPLat, m.cachedIPLon
+	return lat, lon
 }
 
 func statesEqual(a, b *State) bool {

core/internal/server/wayland/manager.go

@@ -13,14 +13,13 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/proto/wlr_gamma_control"
 )
 
 const animKelvinStep = 25
 
-func NewManager(display wlclient.WaylandDisplay, geoClient geolocation.Client, config Config) (*Manager, error) {
+func NewManager(display wlclient.WaylandDisplay, config Config) (*Manager, error) {
 	if err := config.Validate(); err != nil {
 		return nil, err
 	}
@@ -41,7 +40,6 @@ func NewManager(display wlclient.WaylandDisplay, geoClient geolocation.Client, c
 		updateTrigger: make(chan struct{}, 1),
 		dirty:         make(chan struct{}, 1),
 		dbusSignal:    make(chan *dbus.Signal, 16),
-		geoClient:     geoClient,
 	}
 
 	if err := m.setupRegistry(); err != nil {
@@ -439,16 +437,15 @@ func (m *Manager) getLocation() (*float64, *float64) {
 		}
 		m.locationMutex.RUnlock()
 
-		location, err := m.geoClient.GetLocation()
+		lat, lon, err := FetchIPLocation()
 		if err != nil {
 			return nil, nil
 		}
-
 		m.locationMutex.Lock()
-		m.cachedIPLat = &location.Latitude
-		m.cachedIPLon = &location.Longitude
+		m.cachedIPLat = lat
+		m.cachedIPLon = lon
 		m.locationMutex.Unlock()
-		return m.cachedIPLat, m.cachedIPLon
+		return lat, lon
 	}
 	return nil, nil
 }

core/internal/server/wayland/manager_test.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	mocks_geolocation "github.com/AvengeMedia/DankMaterialShell/core/internal/mocks/geolocation"
 	mocks_wlclient "github.com/AvengeMedia/DankMaterialShell/core/internal/mocks/wlclient"
 )
 
@@ -391,20 +390,18 @@ func TestNotifySubscribers_NonBlocking(t *testing.T) {
 
 func TestNewManager_GetRegistryError(t *testing.T) {
 	mockDisplay := mocks_wlclient.NewMockWaylandDisplay(t)
-	mockGeoclient := mocks_geolocation.NewMockClient(t)
 
 	mockDisplay.EXPECT().Context().Return(nil)
 	mockDisplay.EXPECT().GetRegistry().Return(nil, errors.New("failed to get registry"))
 
 	config := DefaultConfig()
-	_, err := NewManager(mockDisplay, mockGeoclient, config)
+	_, err := NewManager(mockDisplay, config)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "get registry")
 }
 
 func TestNewManager_InvalidConfig(t *testing.T) {
 	mockDisplay := mocks_wlclient.NewMockWaylandDisplay(t)
-	mockGeoclient := mocks_geolocation.NewMockClient(t)
 
 	config := Config{
 		LowTemp:  500,
@@ -412,6 +409,6 @@ func TestNewManager_InvalidConfig(t *testing.T) {
 		Gamma:    1.0,
 	}
 
-	_, err := NewManager(mockDisplay, mockGeoclient, config)
+	_, err := NewManager(mockDisplay, config)
 	assert.Error(t, err)
 }

core/internal/server/wayland/types.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
-	"github.com/AvengeMedia/DankMaterialShell/core/internal/geolocation"
 	wlclient "github.com/AvengeMedia/DankMaterialShell/core/pkg/go-wayland/wayland/client"
 	"github.com/AvengeMedia/DankMaterialShell/core/pkg/syncmap"
 	"github.com/godbus/dbus/v5"
@@ -98,8 +97,6 @@ type Manager struct {
 	dbusConn   *dbus.Conn
 	dbusSignal chan *dbus.Signal
 
-	geoClient geolocation.Client
-
 	lastAppliedTemp  int
 	lastAppliedGamma float64
 }

core/internal/server/wlcontext/context.go

@@ -2,10 +2,10 @@ package wlcontext
 
 import (
 	"fmt"
+	"golang.org/x/sys/unix"
 	"os"
 	"sync"
-
-	"golang.org/x/sys/unix"
+	"time"
 
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/errdefs"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/log"
@@ -123,6 +123,9 @@ func (sc *SharedContext) eventDispatcher() {
 		{Fd: int32(sc.wakeR), Events: unix.POLLIN},
 	}
 
+	consecutiveErrors := 0
+	const maxConsecutiveErrors = 20
+
 	for {
 		sc.drainCmdQueue()
 
@@ -153,9 +156,19 @@ func (sc *SharedContext) eventDispatcher() {
 		}
 
 		if err := ctx.Dispatch(); err != nil && !os.IsTimeout(err) {
-			log.Errorf("Wayland connection error: %v", err)
-			return
+			consecutiveErrors++
+			log.Warnf("Wayland connection error (%d/%d): %v", consecutiveErrors, maxConsecutiveErrors, err)
+
+			if consecutiveErrors >= maxConsecutiveErrors {
+				log.Errorf("Fatal: Wayland connection unrecoverable after %d attempts. Exiting dispatcher.", maxConsecutiveErrors)
+				return
+			}
+
+			time.Sleep(100 * time.Millisecond * time.Duration(consecutiveErrors))
+			continue
 		}
+
+		consecutiveErrors = 0
 	}
 }
 

core/internal/server/wlroutput/manager.go

@@ -13,7 +13,7 @@ func NewManager(display wlclient.WaylandDisplay) (*Manager, error) {
 	m := &Manager{
 		display:    display,
 		ctx:        display.Context(),
-		cmdq:       make(chan cmd, 128),
+		cmdq:       make(chan cmd, 512),
 		stopChan:   make(chan struct{}),
 		dirty:      make(chan struct{}, 1),
 		fatalError: make(chan error, 1),

core/internal/tui/app.go

@@ -3,6 +3,7 @@ package tui
 import (
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/deps"
 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	"github.com/charmbracelet/bubbles/spinner"
 	"github.com/charmbracelet/bubbles/textinput"
 	tea "github.com/charmbracelet/bubbletea"
@@ -42,6 +43,9 @@ type Model struct {
 	sudoPassword       string
 	existingConfigs    []ExistingConfigInfo
 	fingerprintFailed  bool
+
+	availablePrivesc []privesc.Tool
+	selectedPrivesc  int
 }
 
 func NewModel(version string, logFilePath string) Model {
@@ -147,6 +151,8 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m.updateGentooUseFlagsState(msg)
 	case StateGentooGCCCheck:
 		return m.updateGentooGCCCheckState(msg)
+	case StateSelectPrivesc:
+		return m.updateSelectPrivescState(msg)
 	case StateAuthMethodChoice:
 		return m.updateAuthMethodChoiceState(msg)
 	case StateFingerprintAuth:
@@ -189,6 +195,8 @@ func (m Model) View() string {
 		return m.viewGentooUseFlags()
 	case StateGentooGCCCheck:
 		return m.viewGentooGCCCheck()
+	case StateSelectPrivesc:
+		return m.viewSelectPrivesc()
 	case StateAuthMethodChoice:
 		return m.viewAuthMethodChoice()
 	case StateFingerprintAuth:

core/internal/tui/states.go

@@ -10,6 +10,7 @@ const (
 	StateDependencyReview
 	StateGentooUseFlags
 	StateGentooGCCCheck
+	StateSelectPrivesc
 	StateAuthMethodChoice
 	StateFingerprintAuth
 	StatePasswordPrompt

core/internal/tui/views_dependencies.go

@@ -180,16 +180,7 @@ func (m Model) updateDependencyReviewState(msg tea.Msg) (tea.Model, tea.Cmd) {
 					return m, nil
 				}
 			}
-			// Check if fingerprint is enabled
-			if checkFingerprintEnabled() {
-				m.state = StateAuthMethodChoice
-				m.selectedConfig = 0 // Default to fingerprint
-				return m, nil
-			} else {
-				m.state = StatePasswordPrompt
-				m.passwordInput.Focus()
-				return m, nil
-			}
+			return m.enterAuthPhase()
 		case "esc":
 			m.state = StateSelectWindowManager
 			return m, nil

core/internal/tui/views_gentoo_use_flags.go

@@ -56,14 +56,7 @@ func (m Model) updateGentooUseFlagsState(msg tea.Msg) (tea.Model, tea.Cmd) {
 			m.state = StateGentooGCCCheck
 			return m, nil
 		}
-		if checkFingerprintEnabled() {
-			m.state = StateAuthMethodChoice
-			m.selectedConfig = 0
-		} else {
-			m.state = StatePasswordPrompt
-			m.passwordInput.Focus()
-		}
-		return m, nil
+		return m.enterAuthPhase()
 	}
 
 	if keyMsg, ok := msg.(tea.KeyMsg); ok {
@@ -75,14 +68,7 @@ func (m Model) updateGentooUseFlagsState(msg tea.Msg) (tea.Model, tea.Cmd) {
 			if m.selectedWM == 1 {
 				return m, m.checkGCCVersion()
 			}
-			if checkFingerprintEnabled() {
-				m.state = StateAuthMethodChoice
-				m.selectedConfig = 0
-			} else {
-				m.state = StatePasswordPrompt
-				m.passwordInput.Focus()
-			}
-			return m, nil
+			return m.enterAuthPhase()
 		case "esc":
 			m.state = StateDependencyReview
 			return m, nil

core/internal/tui/views_install.go

@@ -139,7 +139,7 @@ func dmsPackageName(distroID string, dependencies []deps.Dependency) string {
 		if isGit {
 			return "dms-shell-git"
 		}
-		return "dms-shell-bin"
+		return "dms-shell"
 	case distros.FamilyFedora, distros.FamilyUbuntu, distros.FamilyDebian, distros.FamilySUSE:
 		if isGit {
 			return "dms-git"

core/internal/tui/views_password.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 	tea "github.com/charmbracelet/bubbletea"
 )
 
@@ -274,8 +275,7 @@ func (m Model) delayThenReturn() tea.Cmd {
 
 func (m Model) tryFingerprint() tea.Cmd {
 	return func() tea.Msg {
-		clearCmd := exec.Command("sudo", "-k")
-		clearCmd.Run()
+		_ = privesc.ClearCache(context.Background())
 
 		tmpDir := os.TempDir()
 		askpassScript := filepath.Join(tmpDir, fmt.Sprintf("danklinux-fp-%d.sh", time.Now().UnixNano()))
@@ -289,15 +289,9 @@ func (m Model) tryFingerprint() tea.Cmd {
 		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 		defer cancel()
 
-		cmd := exec.CommandContext(ctx, "sudo", "-A", "-v")
-		cmd.Env = append(os.Environ(), fmt.Sprintf("SUDO_ASKPASS=%s", askpassScript))
-
-		err := cmd.Run()
-
-		if err != nil {
+		if err := privesc.ValidateWithAskpass(ctx, askpassScript); err != nil {
 			return passwordValidMsg{password: "", valid: false}
 		}
-
 		return passwordValidMsg{password: "", valid: true}
 	}
 }
@@ -307,32 +301,9 @@ func (m Model) validatePassword(password string) tea.Cmd {
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
 
-		cmd := exec.CommandContext(ctx, "sudo", "-S", "-v")
-
-		stdin, err := cmd.StdinPipe()
-		if err != nil {
+		if err := privesc.ValidatePassword(ctx, password); err != nil {
 			return passwordValidMsg{password: "", valid: false}
 		}
-
-		if err := cmd.Start(); err != nil {
-			return passwordValidMsg{password: "", valid: false}
-		}
-
-		_, err = fmt.Fprintf(stdin, "%s\n", password)
-		stdin.Close()
-		if err != nil {
-			return passwordValidMsg{password: "", valid: false}
-		}
-
-		err = cmd.Wait()
-
-		if err != nil {
-			if ctx.Err() == context.DeadlineExceeded {
-				return passwordValidMsg{password: "", valid: false}
-			}
-			return passwordValidMsg{password: "", valid: false}
-		}
-
 		return passwordValidMsg{password: password, valid: true}
 	}
 }

core/internal/tui/views_privesc.go

@@ -0,0 +1,133 @@
+package tui
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func (m Model) viewSelectPrivesc() string {
+	var b strings.Builder
+
+	b.WriteString(m.renderBanner())
+	b.WriteString("\n")
+	b.WriteString(m.styles.Title.Render("Privilege Escalation Tool"))
+	b.WriteString("\n\n")
+	b.WriteString(m.styles.Normal.Render("Multiple privilege tools are available. Choose one for installation:"))
+	b.WriteString("\n\n")
+
+	for i, t := range m.availablePrivesc {
+		label := fmt.Sprintf("%s  —  %s", t.Name(), privescToolDescription(t))
+		switch i {
+		case m.selectedPrivesc:
+			b.WriteString(m.styles.SelectedOption.Render("▶ " + label))
+		default:
+			b.WriteString(m.styles.Normal.Render("  " + label))
+		}
+		b.WriteString("\n")
+	}
+
+	b.WriteString("\n")
+	b.WriteString(m.styles.Subtle.Render(fmt.Sprintf("Set %s=<tool> to skip this prompt in future runs.", privesc.EnvVar)))
+	b.WriteString("\n\n")
+	b.WriteString(m.styles.Subtle.Render("↑/↓: Navigate, Enter: Select, Esc: Back"))
+	return b.String()
+}
+
+func (m Model) updateSelectPrivescState(msg tea.Msg) (tea.Model, tea.Cmd) {
+	keyMsg, ok := msg.(tea.KeyMsg)
+	if !ok {
+		return m, m.listenForLogs()
+	}
+
+	switch keyMsg.String() {
+	case "up":
+		if m.selectedPrivesc > 0 {
+			m.selectedPrivesc--
+		}
+	case "down":
+		if m.selectedPrivesc < len(m.availablePrivesc)-1 {
+			m.selectedPrivesc++
+		}
+	case "enter":
+		chosen := m.availablePrivesc[m.selectedPrivesc]
+		if err := privesc.SetTool(chosen); err != nil {
+			m.err = fmt.Errorf("failed to select %s: %w", chosen.Name(), err)
+			m.state = StateError
+			return m, nil
+		}
+		return m.routeToAuthAfterPrivesc()
+	case "esc":
+		m.state = StateDependencyReview
+		return m, nil
+	}
+	return m, nil
+}
+
+func privescToolDescription(t privesc.Tool) string {
+	switch t {
+	case privesc.ToolSudo:
+		return "classic sudo (supports password prompt in this installer)"
+	case privesc.ToolDoas:
+		return "OpenBSD-style doas (requires persist or nopass in /etc/doas.conf)"
+	case privesc.ToolRun0:
+		return "systemd run0 (authenticated via polkit)"
+	default:
+		return string(t)
+	}
+}
+
+// routeToAuthAfterPrivesc advances from the privesc-selection screen to the
+// right auth flow. Sudo goes through the fingerprint/password path; doas and
+// run0 skip password entry and proceed to install.
+func (m Model) routeToAuthAfterPrivesc() (tea.Model, tea.Cmd) {
+	tool, err := privesc.Detect()
+	if err != nil {
+		m.err = err
+		m.state = StateError
+		return m, nil
+	}
+
+	if tool == privesc.ToolSudo {
+		if checkFingerprintEnabled() {
+			m.state = StateAuthMethodChoice
+			m.selectedConfig = 0
+			return m, nil
+		}
+		m.state = StatePasswordPrompt
+		m.passwordInput.Focus()
+		return m, nil
+	}
+
+	m.sudoPassword = ""
+	m.packageProgress = packageInstallProgressMsg{}
+	m.state = StateInstallingPackages
+	m.isLoading = true
+	return m, tea.Batch(m.spinner.Tick, m.installPackages())
+}
+
+// enterAuthPhase is called when dependency review (or the Gentoo screens)
+// finish. It either routes directly to the sudo/fingerprint flow or shows
+// the privesc-tool selection screen when multiple tools are available and
+// no $DMS_PRIVESC override is set.
+func (m Model) enterAuthPhase() (tea.Model, tea.Cmd) {
+	tools := privesc.AvailableTools()
+	_, envSet := privesc.EnvOverride()
+
+	if len(tools) == 0 {
+		m.err = fmt.Errorf("no supported privilege tool (sudo/doas/run0) found on PATH")
+		m.state = StateError
+		return m, nil
+	}
+
+	if envSet || len(tools) == 1 {
+		return m.routeToAuthAfterPrivesc()
+	}
+
+	m.availablePrivesc = tools
+	m.selectedPrivesc = 0
+	m.state = StateSelectPrivesc
+	return m, nil
+}

distro/debian/dms-git/debian/rules

@@ -27,12 +27,12 @@ override_dh_auto_build:
 	# Verify core directory exists (native package format has source at root)
 	test -d core || (echo "ERROR: core directory not found!" && exit 1)
 
-	# Pin go.mod and vendor/modules.txt to the installed Go toolchain version
-	GO_INSTALLED=$$(go version | grep -oP 'go\K[0-9]+\.[0-9]+'); \
-	sed -i "s/^go [0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$$/go $${GO_INSTALLED}/" core/go.mod; \
-	sed -i "s/^\(## explicit; go \)[0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$$/\1$${GO_INSTALLED}/" core/vendor/modules.txt
+	# Patch go.mod to use Go 1.24 base version (Debian 13 has 1.23.x, may vary)
+	sed -i 's/^go 1\.24\.[0-9]*/go 1.24/' core/go.mod
 
-	# Build dms-cli (single shell to preserve variables; arch: Debian amd64/arm64 -> Makefile amd64/arm64)
+	# Build dms-cli from source using vendored dependencies
+	# Extract version info and build in single shell to preserve variables
+	# Architecture mapping: Debian amd64/arm64 -> Makefile amd64/arm64
 	VERSION="$(UPSTREAM_VERSION)"; \
 	COMMIT=$$(echo "$(UPSTREAM_VERSION)" | grep -oP '(?<=git)[0-9]+\.[a-f0-9]+' | cut -d. -f2 | head -c8 || echo "unknown"); \
 	if [ "$(DEB_HOST_ARCH)" = "amd64" ]; then \

distro/debian/dms-greeter/_service

@@ -3,7 +3,7 @@
   <service name="download_url">
     <param name="protocol">https</param>
     <param name="host">github.com</param>
-    <param name="path">/AvengeMedia/DankMaterialShell/releases/download/v1.4.3/dms-qml.tar.gz</param>
+    <param name="path">/AvengeMedia/DankMaterialShell/releases/download/v1.4.2/dms-qml.tar.gz</param>
     <param name="filename">dms-qml.tar.gz</param>
   </service>
 </services>

distro/debian/dms-greeter/debian/changelog

@@ -1,5 +1,6 @@
-dms-greeter (1.4.3db1) unstable; urgency=medium
+dms-greeter (1.4.2db8) unstable; urgency=medium
 
-  * Update to v1.4.3 stable release
+  * Initial Debian OBS package
+  * Port from Ubuntu/Fedora packaging
 
- -- Avenge Media <AvengeMedia.US@gmail.com>  Tue, 25 Feb 2026 02:40:00 +0000
+ -- Avenge Media <AvengeMedia.US@gmail.com>  Sat, 21 Feb 2026 00:00:00 +0000

distro/debian/dms-greeter/debian/control

@@ -13,7 +13,7 @@ Architecture: any
 Depends: ${misc:Depends},
   greetd,
   quickshell-git | quickshell
-Recommends: niri | hyprland | sway
+Suggests: niri | hyprland | sway
 Description: DankMaterialShell greeter for greetd
   DankMaterialShell greeter for greetd login manager. A modern, Material Design 3
   inspired greeter interface built with Quickshell for Wayland compositors.

distro/debian/dms/debian/control

@@ -9,7 +9,7 @@ Vcs-Browser: https://github.com/AvengeMedia/DankMaterialShell
 Vcs-Git: https://github.com/AvengeMedia/DankMaterialShell.git
 
 Package: dms
-Architecture: amd64
+Architecture: amd64 arm64
 Depends: ${misc:Depends},
          quickshell | quickshell-git,
          accountsservice,

distro/debian/dms/debian/source/include-binaries

@@ -1,2 +1,3 @@
 dms-distropkg-amd64.gz
+dms-distropkg-arm64.gz
 dms-source.tar.gz

distro/debian/dms/debian/source/options

@@ -1,4 +1,5 @@
 # Include files that are normally excluded by .gitignore
 # These are needed for the build process on Launchpad
 tar-ignore = !dms-distropkg-amd64.gz
+tar-ignore = !dms-distropkg-arm64.gz
 tar-ignore = !dms-source.tar.gz

distro/fedora/dms-git.spec

@@ -3,7 +3,6 @@
 %global debug_package %{nil}
 %global version {{{ git_repo_version }}}
 %global pkg_summary DankMaterialShell - Material 3 inspired shell for Wayland compositors
-%global go_toolchain_version 1.25.7
 
 Name:           dms
 Epoch:          2
@@ -15,12 +14,12 @@ License:        MIT
 URL:            https://github.com/AvengeMedia/DankMaterialShell
 VCS:            {{{ git_repo_vcs }}}
 Source0:        {{{ git_repo_pack }}}
-Source1:        https://go.dev/dl/go%{go_toolchain_version}.linux-amd64.tar.gz
-Source2:        https://go.dev/dl/go%{go_toolchain_version}.linux-arm64.tar.gz
 
 BuildRequires:  git-core
 BuildRequires:  gzip
+BuildRequires:  golang >= 1.24
 BuildRequires:  make
+BuildRequires:  wget
 BuildRequires:  systemd-rpm-macros
 
 # Core requirements
@@ -29,7 +28,7 @@ Requires:       accountsservice
 Requires:       dms-cli = %{epoch}:%{version}-%{release}
 Requires:       dgop
 
-# Core utilities (Recommended for DMS functionality)
+# Core utilities (Highly recommended for DMS functionality)
 Recommends:     cava
 Recommends:     danksearch
 Recommends:     matugen
@@ -67,28 +66,6 @@ Provides native DBus bindings, NetworkManager integration, and system utilities.
 VERSION="%{version}"
 COMMIT=$(echo "%{version}" | grep -oP '[a-f0-9]{7,}' | head -n1 || echo "unknown")
 
-# Use pinned bundled Go toolchain (deterministic across chroots)
-case "%{_arch}" in
-  x86_64)
-    GO_TARBALL="%{_sourcedir}/go%{go_toolchain_version}.linux-amd64.tar.gz"
-    ;;
-  aarch64)
-    GO_TARBALL="%{_sourcedir}/go%{go_toolchain_version}.linux-arm64.tar.gz"
-    ;;
-  *)
-    echo "Unsupported architecture for bundled Go: %{_arch}"
-    exit 1
-    ;;
-esac
-
-rm -rf .go
-tar -xzf "$GO_TARBALL"
-mv go .go
-export GOROOT="$PWD/.go"
-export PATH="$GOROOT/bin:$PATH"
-export GOTOOLCHAIN=local
-go version
-
 cd core
 make dist VERSION="$VERSION" COMMIT="$COMMIT"
 

distro/nix/greeter.nix

@@ -24,6 +24,7 @@ let
       lib.makeBinPath [
         cfg.quickshell.package
         compositorPackage
+        pkgs.glib  # provides gdbus, used by the fprintd hardware probe in GreeterContent.qml
       ]
     }
     ${
@@ -195,7 +196,9 @@ in
       fi
 
       if [ -f settings.json ]; then
-          if cp "$(${jq} -r '.customThemeFile' settings.json)" custom-theme.json; then
+          theme_file="$(${jq} -r '.customThemeFile // empty' settings.json)"
+          if [ -f "$theme_file" ] && [ -r "$theme_file" ]; then
+              cp "$theme_file" custom-theme.json
               mv settings.json settings.orig.json
               ${jq} '.customThemeFile = "${cacheDir}/custom-theme.json"' settings.orig.json > settings.json
           fi

distro/nix/nixos.nix

@@ -48,7 +48,6 @@ in
 
     services.power-profiles-daemon.enable = lib.mkDefault true;
     services.accounts-daemon.enable = lib.mkDefault true;
-    services.geoclue2.enable = lib.mkDefault true;
     security.polkit.enable = lib.mkDefault true;
   };
 }

distro/opensuse/dms-git.spec

@@ -56,10 +56,8 @@ mkdir -p $HOME $GOCACHE $GOMODCACHE
 # OBS has no network access, so use local toolchain only
 export GOTOOLCHAIN=local
 
-# Pin go.mod and vendor/modules.txt to the installed Go toolchain version
-GO_INSTALLED=$(go version | grep -oP 'go\K[0-9]+\.[0-9]+')
-sed -i "s/^go [0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$/go ${GO_INSTALLED}/" core/go.mod
-sed -i "s/^\(## explicit; go \)[0-9]\+\.[0-9]\+\(\.[0-9]*\)\?$/\1${GO_INSTALLED}/" core/vendor/modules.txt
+# Patch go.mod to use base Go version (e.g., go 1.24 instead of go 1.24.6)
+sed -i 's/^go 1\.24\.[0-9]*/go 1.24/' core/go.mod
 
 # Extract version info for embedding in binary
 VERSION="%{version}"

distro/scripts/obs-upload.sh

@@ -419,9 +419,6 @@ if [[ "$UPLOAD_OPENSUSE" == true ]] && [[ -f "distro/opensuse/$PACKAGE.spec" ]];
         sed -i "s/VERSION_PLACEHOLDER/${DMS_GREETER_BASE_VERSION}/g" "$WORK_DIR/$PACKAGE.spec"
         sed -i "s/RELEASE_PLACEHOLDER/${DMS_GREETER_RELEASE}/g" "$WORK_DIR/$PACKAGE.spec"
         sed -i "s/CHANGELOG_DATE_PLACEHOLDER/${CHANGELOG_DATE}/g" "$WORK_DIR/$PACKAGE.spec"
-        # Explicitly set Version:/Release: in case the spec uses %{version} macro
-        sed -i "s/^Version:.*/Version:        ${DMS_GREETER_BASE_VERSION}/" "$WORK_DIR/$PACKAGE.spec"
-        sed -i "s/^Release:.*/Release:        ${DMS_GREETER_RELEASE}%{?dist}/" "$WORK_DIR/$PACKAGE.spec"
     fi
 
     if [[ -f "$WORK_DIR/.osc/$PACKAGE.spec" ]]; then
@@ -816,9 +813,6 @@ if [[ "$UPLOAD_DEBIAN" == true ]] && [[ -d "distro/debian/$PACKAGE/debian" ]]; t
                 sed -i "s/VERSION_PLACEHOLDER/${DMS_GREETER_BASE_VERSION}/g" "$WORK_DIR/$PACKAGE.spec"
                 sed -i "s/RELEASE_PLACEHOLDER/${DMS_GREETER_RELEASE}/g" "$WORK_DIR/$PACKAGE.spec"
                 sed -i "s/CHANGELOG_DATE_PLACEHOLDER/${CHANGELOG_DATE}/g" "$WORK_DIR/$PACKAGE.spec"
-                # Explicitly set Version:/Release: in case the spec uses %{version} macro
-                sed -i "s/^Version:.*/Version:        ${DMS_GREETER_BASE_VERSION}/" "$WORK_DIR/$PACKAGE.spec"
-                sed -i "s/^Release:.*/Release:        ${DMS_GREETER_RELEASE}%{?dist}/" "$WORK_DIR/$PACKAGE.spec"
             fi
         fi
 

distro/ubuntu/dms-greeter/debian/control

@@ -13,7 +13,7 @@ Architecture: any
 Depends: ${misc:Depends},
   greetd,
   quickshell-git | quickshell
-Recommends: niri | hyprland | sway
+Suggests: niri | hyprland | sway
 Description: DankMaterialShell greeter for greetd
   DankMaterialShell greeter for greetd login manager. A modern, Material Design 3
   inspired greeter interface built with Quickshell for Wayland compositors.