fix: audit remediation — security, quality and performance fixes

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)

scripts/post-install.sh

@@ -125,7 +125,8 @@ log "Enabling systemd user services..."
 USER_SERVICES=(
     "kanshi"
     "stasis"
-    "cliphist"
+    "cliphist-text"
+    "cliphist-image"
 )
 
 for service in "${USER_SERVICES[@]}"; do
@@ -183,13 +184,6 @@ for entry in /boot/loader/entries/*.conf; do
     fi
 done
 
-# --- Docker-Gruppe ---
-
-if ! groups | grep -q docker; then
-    log "Adding user to docker group..."
-    sudo usermod -aG docker "$USER"
-fi
-
 # --- Screenshots directory ---
 
 mkdir -p "$HOME/Pictures/Screenshots"

scripts/transform.sh

@@ -329,7 +329,8 @@ log "Enabling systemd user services..."
 USER_SERVICES=(
     "kanshi"
     "stasis"
-    "cliphist"
+    "cliphist-text"
+    "cliphist-image"
 )
 
 for service in "${USER_SERVICES[@]}"; do
@@ -373,12 +374,6 @@ sudo ufw default deny incoming
 sudo ufw default allow outgoing
 sudo ufw --force enable
 
-# Docker group
-if ! groups | grep -q docker; then
-    log "Adding user to docker group..."
-    sudo usermod -aG docker "$USER"
-fi
-
 # Directories
 mkdir -p "$HOME/Pictures/Screenshots"
 mkdir -p "$HOME/Pictures/Wallpaper"