fix: audit remediation — security, quality and performance fixes

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)

defaults/etc/systemd/user/cliphist-text.service

@@ -0,0 +1,17 @@
+# ABOUTME: systemd user service for text clipboard history via cliphist + wl-paste.
+# ABOUTME: Wipes history on start, stores text entries in XDG_RUNTIME_DIR.
+
+[Unit]
+Description=Clipboard history manager (text)
+PartOf=graphical-session.target
+After=graphical-session.target
+
+[Service]
+Type=simple
+ExecStartPre=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && /usr/bin/cliphist wipe'
+ExecStart=/usr/bin/wl-paste --watch cliphist -db-path %t/cliphist/db store
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=graphical-session.target