fix: audit remediation — security, quality and performance fixes

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)

defaults/etc/systemd/user/cliphist-image.service

@@ -0,0 +1,16 @@
+# ABOUTME: systemd user service for image clipboard history via cliphist + wl-paste.
+# ABOUTME: Stores image clipboard entries in XDG_RUNTIME_DIR.
+
+[Unit]
+Description=Clipboard history manager (image)
+PartOf=graphical-session.target
+After=cliphist-text.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wl-paste --type image --watch cliphist -db-path %t/cliphist/db store
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=graphical-session.target

defaults/etc/systemd/user/cliphist-text.service

@@ -0,0 +1,17 @@
+# ABOUTME: systemd user service for text clipboard history via cliphist + wl-paste.
+# ABOUTME: Wipes history on start, stores text entries in XDG_RUNTIME_DIR.
+
+[Unit]
+Description=Clipboard history manager (text)
+PartOf=graphical-session.target
+After=graphical-session.target
+
+[Service]
+Type=simple
+ExecStartPre=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && /usr/bin/cliphist wipe'
+ExecStart=/usr/bin/wl-paste --watch cliphist -db-path %t/cliphist/db store
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=graphical-session.target

defaults/etc/systemd/user/cliphist.service

@@ -1,16 +0,0 @@
-# ABOUTME: systemd user service for clipboard history (cliphist + wl-paste).
-# ABOUTME: Stores text and image clipboard entries, wipes history on session end.
-
-[Unit]
-Description=Clipboard history manager
-PartOf=graphical-session.target
-After=graphical-session.target
-
-[Service]
-Type=forking
-ExecStartPre=/usr/bin/cliphist wipe
-ExecStart=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && wl-paste --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store & wl-paste --type image --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store &'
-RemainAfterExit=yes
-
-[Install]
-WantedBy=graphical-session.target

defaults/etc/udev/rules.d/90-moonarch-battery.rules

@@ -1,4 +1,4 @@
 # ABOUTME: udev rule granting wheel group write access to battery charge threshold.
 # ABOUTME: Enables unprivileged toggling of conservation mode via moonarch-batsaver-toggle.
 
-SUBSYSTEM=="power_supply", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'"
+SUBSYSTEM=="power_supply", ACTION=="add", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'"