diff --git a/.gitignore b/.gitignore
index 693a6d1..25b3b3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,7 @@ secrets/
 # archiso build artifacts (these are large and reproducible)
 /iso-build/
 /iso-out/
+/out/
 *.iso
 *.img
 
diff --git a/bos-settings/src/ui/views/breadbar.rs b/bos-settings/src/ui/views/breadbar.rs
index dd49a52..355890a 100644
--- a/bos-settings/src/ui/views/breadbar.rs
+++ b/bos-settings/src/ui/views/breadbar.rs
@@ -6,7 +6,6 @@ fn css_path() -> PathBuf {
     crate::config::config_dir().join("breadbar/style.css")
 }
 
-
 pub fn build() -> GBox {
     let path = css_path();
     let existing_css = std::fs::read_to_string(&path).unwrap_or_default();
diff --git a/bos-settings/src/ui/views/packages.rs b/bos-settings/src/ui/views/packages.rs
index 1281c44..feee584 100644
--- a/bos-settings/src/ui/views/packages.rs
+++ b/bos-settings/src/ui/views/packages.rs
@@ -50,9 +50,10 @@ fn stream_command(args: &[&str], log_buf: gtk4::TextBuffer) {
             }
         };
 
-        // Merge stderr into the channel too
-        let stdout = child.stdout.take().unwrap();
-        let stderr = child.stderr.take().unwrap();
+        // Merge stderr into the channel too.
+        // Both are Some because we spawned with Stdio::piped() above.
+        let stdout = child.stdout.take().expect("stdout piped");
+        let stderr = child.stderr.take().expect("stderr piped");
 
         let tx2 = sender.clone();
         std::thread::spawn(move || {
diff --git a/iso/airootfs/etc/pacman.conf b/iso/airootfs/etc/pacman.conf
index 90e4517..20c5242 100644
--- a/iso/airootfs/etc/pacman.conf
+++ b/iso/airootfs/etc/pacman.conf
@@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
+# repo over TLS). Future improvement: import Forgejo's signing key and
+# switch to SigLevel = Required for full package verification.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.
diff --git a/iso/pacman.conf b/iso/pacman.conf
index 90e4517..20c5242 100644
--- a/iso/pacman.conf
+++ b/iso/pacman.conf
@@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
+# repo over TLS). Future improvement: import Forgejo's signing key and
+# switch to SigLevel = Required for full package verification.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.