From bb5460427d2481f9d362eb744938a306c21e5107 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Mon, 22 Jun 2026 20:24:25 +0200 Subject: [PATCH 1/4] docs: drop sudo from flash commands, append sync All decompress-and-write one-liners now share the same form: xz -dc ...img.xz | of=/dev/sdX bs=4M status=progress conv=fsync && sync - sudo removed (operator runs as root on USB stick) - && sync appended to all image-write commands - /dev/zero wipe commands unchanged - build.sh echo updated to match --- BUILD.md | 4 ++-- FLASHING.md | 12 ++++++------ README.md | 4 ++-- TESTING.md | 4 ++-- build.sh | 2 +- skills/iso-flash-verify/SKILL.md | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/BUILD.md b/BUILD.md index 40a1afc..2ba90dd 100644 --- a/BUILD.md +++ b/BUILD.md @@ -146,7 +146,7 @@ Published/downloaded artifacts are compressed as `.img.xz`. Stream the compressed image directly into `dd`: ```sh -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync sync ``` @@ -163,7 +163,7 @@ curl -fL --retry 5 --retry-delay 5 -O \ For a build-local uncompressed image, plain `dd` is also fine: ```sh -sudo dd if=tmp/output/clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync +dd if=tmp/output/clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync && sync sync ``` diff --git a/FLASHING.md b/FLASHING.md index d986fe5..829f477 100644 --- a/FLASHING.md +++ b/FLASHING.md @@ -68,7 +68,7 @@ Flash by streaming xz into `dd`: ```sh set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync sync ``` 
@@ -116,7 +116,7 @@ sudo umount /dev/daXs* 2>/dev/null Flash by streaming xz into `dd`: ```sh -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync sync ``` @@ -152,14 +152,14 @@ For a local build artifact that already exists as a raw image: ### Linux ```sh -sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/sdX bs=4M status=progress conv=fsync +dd if=clawdie-quindecim-0.11.0.img of=/dev/sdX bs=4M status=progress conv=fsync && sync sync ``` ### FreeBSD ```sh -sudo dd if=clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync +dd if=clawdie-quindecim-0.11.0.img of=/dev/daX bs=1M status=progress conv=fsync && sync sync ``` @@ -189,7 +189,7 @@ Then wipe only after confirming `/dev/sdX` is the USB stick: ```sh sudo sgdisk --zap-all /dev/sdX -sudo dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync +dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync sync ``` @@ -205,7 +205,7 @@ Then wipe only after confirming `/dev/daX` is the USB stick: ```sh sudo gpart destroy -F /dev/daX -sudo dd if=/dev/zero of=/dev/daX bs=16M status=progress conv=fsync +dd if=/dev/zero of=/dev/daX bs=16M status=progress conv=fsync sync ``` diff --git a/README.md b/README.md index 4317f93..038c38e 100644 --- a/README.md +++ b/README.md @@ -243,7 +243,7 @@ Linux: ```sh sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync sync ``` 
@@ -252,7 +252,7 @@ FreeBSD: ```sh HASH=$(awk '{print $1}' clawdie-quindecim-0.11.0.img.xz.sha256) sha256 -c "$HASH" clawdie-quindecim-0.11.0.img.xz -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/daX bs=1M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/daX bs=1M status=progress conv=fsync && sync sync ``` diff --git a/TESTING.md b/TESTING.md index 1a7ddbe..a9060fd 100644 --- a/TESTING.md +++ b/TESTING.md @@ -418,7 +418,7 @@ If you see stale labels such as `nomadbsd_zroot`, wipe the whole stick first: ```sh sudo umount /dev/sdX* 2>/dev/null || true sudo sgdisk --zap-all /dev/sdX -sudo dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync +dd if=/dev/zero of=/dev/sdX bs=16M status=progress conv=fsync ``` ### Flash the image @@ -433,7 +433,7 @@ curl -fL --retry 5 --retry-delay 5 -O \ https://osa.smilepowered.org/downloads/iso/clawdie-quindecim-0.11.0.img.xz.sha256 sha256sum -c clawdie-quindecim-0.11.0.img.xz.sha256 set -o pipefail 2>/dev/null || true -xz -dc clawdie-quindecim-0.11.0.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc clawdie-quindecim-0.11.0.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync sync ``` diff --git a/build.sh b/build.sh index 3252e6b..26df799 100755 --- a/build.sh +++ b/build.sh @@ -2527,4 +2527,4 @@ echo " Image size : ${IMAGE_LOGICAL_SIZE}" echo " Allocated : ${IMAGE_ALLOCATED_SIZE} (sparse on build host)" echo "" echo " Write to USB:" -echo " dd if=${OUTPUT_IMAGE} of=/dev/daX bs=1M status=progress" +echo " dd if=${OUTPUT_IMAGE} of=/dev/daX bs=1M status=progress conv=fsync && sync" diff --git a/skills/iso-flash-verify/SKILL.md b/skills/iso-flash-verify/SKILL.md index 3a63c35..33deeb8 100644 --- a/skills/iso-flash-verify/SKILL.md +++ b/skills/iso-flash-verify/SKILL.md 
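Review bot: The new `echo` line in build.sh prints `${OUTPUT_IMAGE}` unquoted inside a command that the operator is expected to paste and run as root against a raw device, so an output path containing spaces or glob characters would be split or expanded by the operator's shell. Quote the path in the printed text, for example `echo "  dd if=\"${OUTPUT_IMAGE}\" of=/dev/daX bs=1M status=progress conv=fsync && sync"`. Because this patch drops `sudo` from the documented commands on the assumption that the operator is already root, consider also printing a line such as `echo "  (confirm /dev/daX is the USB stick before writing)"`, matching the wording FLASHING.md uses before its wipe commands. The summary block these echo lines belong to starts outside the hunk.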
@@ -95,7 +95,7 @@ whole-disk path with the operator before writing. Example for Linux, replacing `/dev/sdX` with the confirmed whole disk: ```sh -xz -dc tmp/flash-downloads/.img.xz | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync +xz -dc tmp/flash-downloads/.img.xz | dd of=/dev/sdX bs=4M status=progress conv=fsync && sync sync ``` From 3ef31687d953f0a105530ef2f0eaa5d3d036dc0b Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Tue, 23 Jun 2026 06:41:49 +0200 Subject: [PATCH 2/4] build: pre-stage uBlock Origin + disable default-browser check on live ISO MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Places uBlock Origin XPI in Firefox's distribution/extensions directory during ISO build. Also sets DontCheckDefaultBrowser via policies.json — Firefox is the only browser on the USB so the popup is pointless. Firefox auto-installs the extension on first launch with no internet required on the booted USB. --- build.sh | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/build.sh b/build.sh index 26df799..c9054e1 100755 --- a/build.sh +++ b/build.sh 
@@ -870,6 +870,58 @@ install_live_runtime_packages() { [ "$_mounted_devfs" -eq 1 ] && umount "${MOUNT_POINT}/dev" 2>/dev/null || true } +install_firefox_extensions() { + # Pre-stage uBlock Origin and Bitwarden, and apply enterprise policies + # (no default-browser check — Firefox is the only browser on the USB). + local _ff_dist="${MOUNT_POINT}/usr/local/lib/firefox/distribution" + local _ext_dir="${_ff_dist}/extensions" + local _policies="${_ff_dist}/policies.json" + + echo " Configuring Firefox..." + + mkdir -p "${_ext_dir}" || { + echo "ERROR: failed to create Firefox distribution directory" + exit 1 + } + + # Disable "make default browser" popup — Firefox is the only browser. + cat > "${_policies}" <<'POLICIES' +{ + "policies": { + "DontCheckDefaultBrowser": true + } +} +POLICIES + chmod 0644 "${_policies}" + + # Download a Firefox extension XPI if not already cached. + # Usage: _fetch_xpi