fix: audit remediation — security, quality and performance fixes

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)

defaults/bin/moonarch-batsaver-toggle

@@ -10,6 +10,7 @@ CONSERVATION_LIMIT=80
 [[ -f "$THRESHOLD_FILE" ]] || exit 1
 
 CURRENT=$(cat "$THRESHOLD_FILE")
+[[ "$CURRENT" =~ ^[0-9]+$ ]] || exit 1
 
 if [[ "$CURRENT" -le "$CONSERVATION_LIMIT" ]]; then
     NEW=100
@@ -22,7 +23,7 @@ echo "$NEW" > "$THRESHOLD_FILE" || exit 1
 
 # Persist for next boot
 mkdir -p "$STATE_DIR"
-echo "$NEW" > "$STATE_FILE"
+echo "$NEW" > "$STATE_FILE" || exit 1
 
 # Signal Waybar to refresh the batsaver module (SIGRTMIN+9)
 pkill -RTMIN+9 waybar