ci: add Forgejo Actions workflow (eval + lint)

Pillar 7 first step. `.forgejo/workflows/check.yml` runs on every push
to main and every PR. Three sequential checks in one job:

1. `nix flake check --no-build`
   Catches eval regressions: broken option references, missing imports,
   stale module argument shapes. The same command AGENT.md tells humans
   to run by hand before declaring a change done.

2. `bash -n` + `shellcheck --severity=error` over every `nomarchy-*`
   bash script.
   Mirrors what `.githooks/pre-commit` does locally, but across the
   whole tree on every push — so a branch that bypasses the hook (via
   `--no-verify` or a fresh clone without `core.hooksPath` set) still
   gets gated. Severity is capped at error to match the hook; the long
   tail of style/info warnings can be cleaned up incrementally.

3. `docs/SCRIPTS.md` drift check.
   Regenerates the audit doc to a temp file and `diff`s against the
   committed version. Fails loudly with the fix command if a script
   add/remove/rename didn't include the regeneration step.

Dry-run results on the current tree:
- `nix flake check --no-build`: pass (only pre-existing warnings).
- shellcheck across 159 scripts at severity=error: pass.
- SCRIPTS.md drift: clean.

Activation:
Forgejo Actions isn't enabled on the repo yet, so the workflow lands
dormant. To activate: enable Actions on the repo in Forgejo's settings
and register a `forgejo-runner` on any Docker-capable Linux host. The
workflow uses `ubuntu-latest` and installs Nix itself via
`DeterminateSystems/nix-installer-action`, so no special runner image
is needed.

Deferred to a follow-up batch (needs binary cache infra):
- Building ISOs in CI (`nomarchy-installer`, `nomarchy-live`, default).
- Release pipeline (`vYY.MM.x` tags publishing ISOs as artifacts).
- `nixosTest` per palette with golden-image screenshot diffs.

`docs/STRUCTURE.md` now documents `.forgejo/` and `.githooks/` so future
agents and contributors can find both.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.forgejo/workflows/check.yml

@@ -0,0 +1,79 @@
+# Nomarchy CI — eval + lint.
+#
+# Catches the regressions that hurt today:
+#   1. Flake stops evaluating (broken option ref, missing import, etc.).
+#   2. A `nomarchy-*` shell script has a syntax error or a shellcheck
+#      error-severity issue.
+#   3. `docs/SCRIPTS.md` drifts from the repo state because somebody
+#      added / removed / renamed a script and didn't run the generator
+#      (the pre-commit hook handles this, but only when enabled per-clone).
+#
+# Doesn't build ISOs — that needs a binary cache. Add a separate job
+# once Cachix/Attic is in place.
+
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  eval-and-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          # Match the runner's effective channel. Nomarchy itself tracks
+          # nixos-25.11 via flake.nix; the installer-action default is fine.
+          extra-conf: |
+            experimental-features = nix-command flakes
+
+      - name: nix flake check --no-build
+        run: nix flake check --no-build
+
+      - name: Lint nomarchy-* scripts (bash -n + shellcheck)
+        run: |
+          # Mirror what .githooks/pre-commit runs locally, but across the
+          # whole tree instead of just changed files. Pre-commit gates
+          # individual commits; CI gates branches (including --no-verify
+          # bypasses).
+          set -e
+          fail=0
+          while IFS= read -r script; do
+            [[ -f "$script" ]] || continue
+            # Python helpers ship under the same nomarchy- prefix
+            # (e.g. nomarchy-haptic-touchpad). Skip non-bash.
+            head -1 "$script" | grep -qE '^#!.*\bbash\b' || continue
+            if ! bash -n "$script"; then
+              echo "::error file=$script::bash syntax error"
+              fail=1
+            fi
+            if ! nix shell nixpkgs#shellcheck --command shellcheck \
+                  --severity=error --shell=bash "$script"; then
+              echo "::error file=$script::shellcheck error-severity issue"
+              fail=1
+            fi
+          done < <(find features/scripts/utils core/system/scripts \
+                        themes/engine/scripts \
+                        -maxdepth 1 -type f -name 'nomarchy-*')
+          exit "$fail"
+
+      - name: docs/SCRIPTS.md is up to date
+        run: |
+          # Regenerate to a temp file and compare. If different, the
+          # contributor forgot to run the generator (or skipped the
+          # pre-commit hook). Fail loudly and tell them the fix.
+          ./bin/utils/nomarchy-docs-scripts --out /tmp/SCRIPTS.regen.md
+          if ! diff -q docs/SCRIPTS.md /tmp/SCRIPTS.regen.md >/dev/null; then
+            echo "::error::docs/SCRIPTS.md is stale."
+            echo "Run: ./bin/utils/nomarchy-docs-scripts --out docs/SCRIPTS.md"
+            echo "Then commit the regenerated file."
+            echo "--- diff ---"
+            diff -u docs/SCRIPTS.md /tmp/SCRIPTS.regen.md || true
+            exit 1
+          fi

docs/ROADMAP.md

@@ -121,6 +121,7 @@ Each PR description should reference the row(s) in `docs/SCRIPTS.md` it closes,
 
 (Move items here when they land — keep them brief, link the commit/PR.)
 
+- _2026-05-18_ — Pillar 7 first step: Forgejo Actions CI (eval + lint). New `.forgejo/workflows/check.yml` runs on every push to `main` and every PR: (1) `nix flake check --no-build` to catch eval regressions, (2) `bash -n` + `shellcheck --severity=error` over every `nomarchy-*` bash script (whole-tree, not just changed files — gates branches that bypass the pre-commit hook), (3) `docs/SCRIPTS.md` drift check (fails loudly if a script change didn't regenerate the audit doc). All three checks pass locally on the current tree. Activation requires enabling Actions on the Forgejo repo and registering a `forgejo-runner`; the workflow itself is dormant until then. ISO build job is intentionally deferred — needs a binary cache (Cachix/Attic) to be tractable.
 - _2026-05-18_ — **Pillar 3 Phase B: complete.** Final batch (restart/sudo/theme/misc clusters) cleared the last 13 `unused?` rows. Deleted five truly dead scripts: `nomarchy-restart-{hyprctl,mako}` (theme switching calls `hyprctl reload`/`makoctl reload` directly now), `nomarchy-restart-tmux` (one-liner of marginal value), `nomarchy-battery-present` (battery monitor checks `/sys/class/power_supply/BAT*` inline), `nomarchy-sudo-keepalive` (intended-to-be-sourced building block with no users). Surfaced eight useful tools in `SKILL.md` so the audit catches them as `kept` and AI assistants can discover them: `nomarchy-restart-trackpad` (intel_quicki2c reload), `nomarchy-sudo-{passwordless-toggle,reset}`, `nomarchy-theme-{bg-install,refresh,remove}`, `nomarchy-refresh-fastfetch`, `nomarchy-windows-vm` (new Virtualization section). Final state: 159 scripts, all `kept`, `unused?` = 0, missing references = 0.
 - _2026-05-18_ — Pillar 3 Phase B: webapp/tui/voxtype install-remove pair triage. Deleted two dead webapp URI handlers (`nomarchy-webapp-handler-hey`, `nomarchy-webapp-handler-zoom`) — no `.desktop` MimeType registration anywhere routed `mailto:`/`zoom:` URIs to them, so the handlers could never fire. Surfaced six useful CLI tools in `SKILL.md` "Common Tasks" so they're discoverable by AI assistants and tagged `kept` by the audit: `nomarchy-webapp-{remove,remove-all}`, `nomarchy-tui-{remove,remove-all}`, `nomarchy-voxtype-{install,remove}`. Script count 166 → 164; `unused?` 21 → 13.
 - _2026-05-18_ — Pillar 3 Phase B: dead-code sweep (NixOS-irrelevant Omarchy ports). Deleted five scripts that duplicated NixOS-native facilities or referenced infrastructure Nomarchy doesn't ship: `nomarchy-rollback` (boot-menu generations + `nixos-rebuild rollback` already cover this), `nomarchy-snapshot` (used `snapper`; impermanence and BTRFS subvolumes are the Nomarchy answer), `nomarchy-migrate-state` (one-shot pre-unification migration, no current callers), `nomarchy-config-direct-boot` (added an EFI entry for a UKI we never build), and `nomarchy-npx-install` (Arch idiom — `nix-shell -p nodejs` is the NixOS path). Kept `nomarchy-build-iso` and `nomarchy-build-live-iso` and surfaced them in README §2 so the audit tags them `kept`. Script count 171 → 166.

docs/STRUCTURE.md

@@ -37,6 +37,8 @@ While the system is defined declaratively, Nomarchy uses a small, local state fi
 - **`STRUCTURE.md`**: (This file) Detailed architectural documentation.
 - **`README.md`**: Project overview, installation instructions, and basic usage.
 - **`TODO.md`**: Roadmap and pending tasks.
+- **`.forgejo/workflows/`**: Forgejo Actions CI. Runs `nix flake check --no-build`, lints every `nomarchy-*` bash script with `bash -n` + `shellcheck --severity=error`, and verifies `docs/SCRIPTS.md` is up to date on every push to `main` and every PR. To activate: enable Actions on the repo in Forgejo and register a `forgejo-runner` (any Docker-capable Linux host works; the workflow uses `ubuntu-latest` and installs Nix itself).
+- **`.githooks/`**: Optional per-clone git hooks (`pre-commit` lints changed scripts and regenerates `docs/SCRIPTS.md`). Enable with `git config core.hooksPath .githooks`. CI enforces the same invariants tree-wide.
 
 ---