Minor cleanups: gitignore out/, expect() messages, comment wording

- .gitignore: ignore the /out/ ISO build dir
- bos-settings: use expect() with messages over unwrap() for piped stdio;
  drop a stray blank line
- pacman.conf: reword the SigLevel=Never TODO as a future-improvement note

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitignore

@@ -27,6 +27,7 @@ secrets/
 # archiso build artifacts (these are large and reproducible)
 /iso-build/
 /iso-out/
+/out/
 *.iso
 *.img
 

bos-settings/src/ui/views/breadbar.rs

@@ -6,7 +6,6 @@ fn css_path() -> PathBuf {
     crate::config::config_dir().join("breadbar/style.css")
 }
 
-
 pub fn build() -> GBox {
     let path = css_path();
     let existing_css = std::fs::read_to_string(&path).unwrap_or_default();

bos-settings/src/ui/views/packages.rs

@@ -50,9 +50,10 @@ fn stream_command(args: &[&str], log_buf: gtk4::TextBuffer) {
             }
         };
 
-        // Merge stderr into the channel too
-        let stdout = child.stdout.take().unwrap();
-        let stderr = child.stderr.take().unwrap();
+        // Merge stderr into the channel too.
+        // Both are Some because we spawned with Stdio::piped() above.
+        let stdout = child.stdout.take().expect("stdout piped");
+        let stderr = child.stderr.take().expect("stderr piped");
 
         let tx2 = sender.clone();
         std::thread::spawn(move || {

iso/airootfs/etc/calamares/post-install.sh

@@ -24,23 +24,46 @@ userdel -r liveuser 2>/dev/null || true
 passwd -l root || true
 
 # ---------------------------------------------------------------------------
-# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Done
-# BEFORE grub so grub.cfg picks up the new cmdline and the rebuilt initramfs.
-# All best-effort: if anything here fails the system still boots (just without
-# the splash) — the initramfs the initcpio module already built stays valid.
+# Pacman keyring. The live medium's /etc/pacman.d/gnupg doesn't reliably carry
+# over to the target (unpackfs may skip it / perms differ), leaving the installed
+# system unable to verify package signatures — the first `pacman -Syu` then dies
+# with "keyring is not writable / required key missing". Initialise it here so a
+# fresh install can update out of the box. archlinux-keyring is already present;
+# [breadway] is SigLevel=Never so it needs no key.
 # ---------------------------------------------------------------------------
-if command -v plymouth-set-default-theme &>/dev/null; then
-    # Ensure the plymouth hook is in HOOKS (plymouthcfg/initcpiocfg usually add it;
-    # this is the belt). Handle both the udev and systemd initramfs styles.
-    if ! grep -q 'plymouth' /etc/mkinitcpio.conf 2>/dev/null; then
-        if grep -qE '^HOOKS=.*\bsystemd\b' /etc/mkinitcpio.conf; then
-            sed -i 's/^\(HOOKS=.*\bsystemd\b\)/\1 sd-plymouth/' /etc/mkinitcpio.conf \
-                || echo "WARN: adding sd-plymouth hook failed"
-        else
+if command -v pacman-key &>/dev/null; then
+    pacman-key --init || echo "WARN: pacman-key --init failed"
+    pacman-key --populate archlinux || echo "WARN: pacman-key --populate failed"
+fi
+
+# ---------------------------------------------------------------------------
+# Initramfs HOOKS: microcode + plymouth. Edit HOOKS first, rebuild once below.
+#   microcode — embeds the (autodetect-pruned) CPU microcode into the initramfs
+#     so it loads at early boot. The live ISO embeds ucode the same way, so the
+#     ISO /boot carries no separate ucode image and bos-copy-kernel stages none
+#     onto the target — the installed initramfs must therefore carry it itself.
+#     Must sit AFTER `autodetect` so it's pruned to the running CPU's microcode.
+#   plymouth — the BOS boot splash. Only the udev `plymouth` hook exists (there
+#     is NO `sd-plymouth`), so always insert it after `udev`.
+# All best-effort: a failure here still leaves a bootable initramfs.
+# ---------------------------------------------------------------------------
+if [[ -f /etc/mkinitcpio.conf ]]; then
+    if ! grep -qE '^HOOKS=.*\bmicrocode\b' /etc/mkinitcpio.conf; then
+        sed -i 's/^\(HOOKS=.*\bautodetect\b\)/\1 microcode/' /etc/mkinitcpio.conf \
+            || echo "WARN: adding microcode hook failed"
+    fi
+    if command -v plymouth-set-default-theme &>/dev/null \
+       && ! grep -qE '^HOOKS=.*\bplymouth\b' /etc/mkinitcpio.conf; then
         sed -i 's/^\(HOOKS=.*\budev\b\)/\1 plymouth/' /etc/mkinitcpio.conf \
             || echo "WARN: adding plymouth hook failed"
     fi
 fi
+
+# ---------------------------------------------------------------------------
+# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Set the
+# theme + cmdline BEFORE grub so grub.cfg picks up the new cmdline.
+# ---------------------------------------------------------------------------
+if command -v plymouth-set-default-theme &>/dev/null; then
     # Clean boot: splash activates plymouth; hiding systemd status removes the
     # "[ OK ] Started ..." text (what looked like kernel output) even if the
     # splash itself doesn't grab the display (e.g. in some VMs).
@@ -48,10 +71,13 @@ if command -v plymouth-set-default-theme &>/dev/null; then
         sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\)/\1splash quiet vt.global_cursor_default=0 systemd.show_status=false rd.systemd.show_status=false rd.udev.log_level=3 /' \
             /etc/default/grub || echo "WARN: adding splash cmdline failed"
     fi
-    # Set the BOS theme and rebuild the initramfs (-R) with the plymouth hook.
-    plymouth-set-default-theme -R bos || echo "WARN: plymouth-set-default-theme failed"
+    plymouth-set-default-theme bos || echo "WARN: plymouth-set-default-theme failed"
 fi
 
+# Rebuild every preset (default + fallback that bos-copy-kernel wrote) so the
+# microcode + plymouth HOOKS above are actually baked into the initramfs.
+mkinitcpio -P || echo "WARN: mkinitcpio -P failed"
+
 # ---------------------------------------------------------------------------
 # Install GRUB (UEFI). /boot now has the kernel + initramfs, and the mount
 # module has bind-mounted /proc /sys /dev /run + efivars into this chroot, so

iso/airootfs/etc/pacman.conf

@@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
+# repo over TLS). Future improvement: import Forgejo's signing key and
+# switch to SigLevel = Required for full package verification.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.

iso/airootfs/etc/skel/.config/hypr/hyprland.lua

@@ -90,6 +90,7 @@ end
 -- ---------------------------------------------------------------------------
 hl.window_rule({ name = "bos-keybinds", match = { class = "^(bos-keybinds)$" }, float = true, size = { 760, 720 } })
 hl.window_rule({ name = "bos-welcome",  match = { class = "^(bos-welcome)$" },  float = true, size = { 700, 560 } })
+hl.window_rule({ name = "bos-netsetup", match = { class = "^(bos-netsetup)$" }, float = true, size = { 700, 560 } })
 
 -- ---------------------------------------------------------------------------
 -- Environment (vendor-neutral; no GPU-specific vars so it works on Intel/AMD).

iso/airootfs/usr/local/bin/bos-welcome

@@ -10,6 +10,25 @@ set -u
 marker="${XDG_CONFIG_HOME:-$HOME/.config}/bos/.welcomed"
 [[ -f "$marker" ]] && exit 0
 mkdir -p "$(dirname "$marker")"
+
+# First-run network check. A fresh install usually boots with no connection
+# (Wi-Fi isn't configured during install), and the first `bos-update`/pacman run
+# then fails with confusing DNS/"could not resolve host" errors. If
+# NetworkManager reports we're not fully online, open nmtui so the user can join
+# a network before anything else. Best-effort: missing nmcli/nmtui/kitty, or the
+# user quitting nmtui, must never block the welcome below.
+if command -v nmcli &>/dev/null; then
+    conn="$(nmcli networking connectivity check 2>/dev/null)"
+    if [[ "$conn" != "full" ]]; then
+        notify-send -u normal "BOS" "No internet yet — opening network setup so updates work." 2>/dev/null || true
+        if command -v nmtui &>/dev/null; then
+            kitty --class bos-netsetup --title "Connect to a network" -- nmtui connect 2>/dev/null || true
+        fi
+    fi
+fi
+
+# Mark welcomed only now, so an interrupted/aborted network step still re-prompts
+# next login rather than being suppressed forever.
 touch "$marker"
 
 exec kitty --class bos-welcome --title "Welcome to BOS" -- less -R /usr/share/bos/welcome.txt

iso/packages.x86_64

@@ -139,10 +139,13 @@ file-roller
 
 # GUI applications a general desktop is expected to have out of the box.
 # gnome-text-editor: graphical editor (terminal editors aside); gnome-calculator:
-# calculator; loupe: Wayland-native image viewer (default for image files).
+# calculator; loupe: Wayland-native image viewer (default for image files);
+# zathura(+pdf-mupdf): lightweight Wayland PDF viewer (BOS had no PDF reader).
 gnome-text-editor
 gnome-calculator
 loupe
+zathura
+zathura-pdf-mupdf
 # Media player — BOS ships gstreamer codecs but otherwise has no player app.
 vlc
 # Web browser (served from the [Breadway] repo; AUR zen-browser-bin republished
@@ -190,6 +193,12 @@ plymouth
 gst-plugins-good
 gst-plugins-bad
 gst-plugins-ugly
+# Hardware video acceleration (VA-API) — lets the AMD/Intel GPU decode H.264/HEVC/
+# VP9 in mpv, VLC, and browsers instead of the CPU (cooler, longer battery on
+# video). The open Mesa VA-API backend (radeonsi_drv_video.so etc.) now ships in
+# the `mesa` package itself (pulled in already), so only libva (deps) + the
+# `vainfo` verification tool need listing here.
+libva-utils
 # GUI audio mixer — useful when output device needs manual switching.
 pavucontrol
 

iso/pacman.conf

@@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
+# repo over TLS). Future improvement: import Forgejo's signing key and
+# switch to SigLevel = Required for full package verification.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.