fix: audit remediation — security, quality and performance fixes

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)

defaults/bin/moonarch-batsaver-toggle

@@ -10,6 +10,7 @@ CONSERVATION_LIMIT=80
 [[ -f "$THRESHOLD_FILE" ]] || exit 1
 
 CURRENT=$(cat "$THRESHOLD_FILE")
+[[ "$CURRENT" =~ ^[0-9]+$ ]] || exit 1
 
 if [[ "$CURRENT" -le "$CONSERVATION_LIMIT" ]]; then
     NEW=100
@@ -22,7 +23,7 @@ echo "$NEW" > "$THRESHOLD_FILE" || exit 1
 
 # Persist for next boot
 mkdir -p "$STATE_DIR"
-echo "$NEW" > "$STATE_FILE"
+echo "$NEW" > "$STATE_FILE" || exit 1
 
 # Signal Waybar to refresh the batsaver module (SIGRTMIN+9)
 pkill -RTMIN+9 waybar

defaults/bin/moonarch-cpugov

@@ -60,11 +60,12 @@ fi
 # check if choice exists
 if test "${COMMANDS[$choice]+isset}"
 then
-    # Execute the choice — eval required because COMMANDS values contain
-    # multi-word strings that must be interpreted as full commands.
-    eval "${COMMANDS[$choice]}"
+    ${COMMANDS[$choice]}
 
     notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}"
+
+    # Signal Waybar to refresh the cpugov module (SIGRTMIN+10)
+    pkill -RTMIN+10 waybar
 else
     notify-send -u critical "CPU Governor" "Unknown command: ${choice}"
 fi