fix(installer): hardware-db references real modules + add ROG Ally + CI lint

Audited every entry in `installer/hardware-db.sh` against
`inputs.nixos-hardware.nixosModules` and found **21 of 43 entries (49%)
referenced modules that don't exist** in the upstream attribute set —
those installs would fail at eval time with "attribute not found"
errors on real hardware. Specifically:

  - Framework 13 per-gen: nixos-hardware uses `framework-11th-gen-intel`,
    not `framework-13-11th-gen-intel`. Fixed all four generations.
  - Framework 13 AMD AI 300: `framework-amd-ai-300-series` (no "13-").
  - Framework Intel Core Ultra: added `framework-intel-core-ultra-series1`.
  - Framework 16 AMD AI 300: added `framework-16-amd-ai-300-series`.
  - Framework generic fallback now uses the `framework` umbrella module.

  - ThinkPad X1 Carbon: modules are `lenovo-thinkpad-x1-Nth-gen`,
    not `-x1-carbon-genN`. Fixed gens 6/7/9/10/11; added X1 Nano.
  - ThinkPad P14s: requires arch+gen suffix; switched to the AMD gen3/4/5
    modules (the prior `lenovo-thinkpad-p14s` had no attribute).

  - Surface Pro 6/7/8/10: all share `microsoft-surface-pro-intel`. Pro 9
    keeps its dedicated module. Pro 3 fixed to `-pro-3`. Surface Book
    2/3 and Intel-based Surface Laptop 3/4/5: no nixos-hardware module
    — rows dropped; generic chassis+cpu+gpu detection still emits
    sensible `common-pc-laptop`.

  - ASUS ROG Strix G513 → `asus-rog-strix-g513im` (correct attr name).
  - ASUS ROG Zephyrus GA403 didn't exist — dropped. Added `ga402x`,
    `gu603h`, `g533zw`.
  - ASUS Zenbook generic `asus-zenbook-ux` was non-existent — dropped
    (too vague; available modules are per-model like `asus-zenbook-ux481`).

  - Dell Latitude 5400 / 7480: no modules — replaced with the existing
    `dell-latitude-7420`, `7430`, `7490`.

Added:

  - ROG Ally / Ally X support (`asus-ally-rc71l` for `RC71L`,
    `RC72LA`, and the "ROG Ally" product string). nixos-hardware
    currently ships one module for both revisions.

Documented (in a footer comment) the devices nixos-hardware doesn't
cover so they're known-unsupported rather than accidentally missing:

  - Valve Steam Deck → Jovian-NixOS as a separate flake input.
  - Snapdragon X laptops → aarch64 only; Nomarchy installer is x86_64.
  - Raspberry Pi → same as above.

Bug discovered along the way: the DB's pipe-separated row format
collides with bash regex alternation. A row like
`Microsoft|Surface Pro (10|8|7|6)|_|module` parses as 7 fields, with
"7" extracted as the module name. Surface Pro variants are now one
row per version.

CI gate added (`.forgejo/workflows/check.yml`): a new step extracts
every 4th-pipe-field from `HARDWARE_DB` and `comm -23`s it against
`inputs.nixos-hardware.nixosModules`. Any future entry pointing at a
non-existent module fails CI with a clear error. Closes the regression
class entirely.

Verified locally: bash -n + shellcheck --severity=error pass on
hardware-db.sh; the CI step's exact commands pass against the new DB.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.forgejo/workflows/check.yml

@@ -77,3 +77,26 @@ jobs:
             diff -u docs/SCRIPTS.md /tmp/SCRIPTS.regen.md || true
             exit 1
           fi
+
+      - name: installer/hardware-db.sh references real nixos-hardware modules
+        run: |
+          # Every 4th-pipe-field in HARDWARE_DB is a nixos-hardware module
+          # name. Half the DB used to point at modules that don't exist
+          # (e.g. microsoft-surface-pro-8 — there's only -pro-intel and
+          # -pro-9), which made the install fail at eval time with
+          # cryptic "attribute not found" errors on real laptops. This
+          # step catches that regression class.
+          awk -F'|' '/^  "/ { gsub(/"/,"",$4); gsub(/^[[:space:]]+|[[:space:]]+$/,"",$4); if ($4) print $4 }' \
+            installer/hardware-db.sh | sort -u > /tmp/db-refs.txt
+          nix eval --impure --json --expr '
+            let
+              nh = (builtins.getFlake (toString ./.)).inputs.nixos-hardware.nixosModules;
+            in builtins.attrNames nh' \
+            | nix shell nixpkgs#jq --command jq -r '.[]' | sort -u > /tmp/db-real.txt
+          missing=$(comm -23 /tmp/db-refs.txt /tmp/db-real.txt)
+          if [[ -n "$missing" ]]; then
+            echo "::error::hardware-db.sh references nixos-hardware modules that don't exist:"
+            printf '  - %s\n' $missing
+            echo "Either fix the name (check the actual attr in nixos-hardware) or drop the row."
+            exit 1
+          fi

docs/ROADMAP.md

@@ -87,7 +87,7 @@ Each PR description should reference the row(s) in `docs/SCRIPTS.md` it closes,
 - Desktop preset (Next): performance governor, no laptop UI (already filtered), ZFS hooks.
 - Accessibility preset (Next).
 - Gaming preset (Next).
-- Vendor matchers in `installer/hardware-db.sh`: Steam Deck, Surface, ROG Ally, Snapdragon X laptops.
+- Vendor matchers in `installer/hardware-db.sh` (Shipped — ROG Ally added; Surface/Framework/Lenovo entries corrected; Steam Deck + Snapdragon X documented as nixos-hardware-unsupported. CI now lints DB references).
 - Surface support behind `nomarchy.hardware.isSurface` (Later).
 - Auto-detect dGPU presence in `installer/hardware-db.sh` and pre-fill `hardware.nvidia.prime.{intel,nvidia}BusId` in the generated `system.nix` (driver stack itself is Shipped — see entry below).
 
@@ -121,6 +121,7 @@ Each PR description should reference the row(s) in `docs/SCRIPTS.md` it closes,
 
 (Move items here when they land — keep them brief, link the commit/PR.)
 
+- _2026-05-18_ — Hardware DB correctness pass + ROG Ally support + CI lint. Audited every `nomarchy-hardware-db` entry against `inputs.nixos-hardware.nixosModules` and found **21 of 43 entries (49%) referenced modules that don't exist** — `microsoft-surface-pro-8`, `lenovo-thinkpad-x1-carbon-gen11`, `framework-13-11th-gen-intel`, etc. were all eval-time failures waiting for a real user. Rewrote the DB to use only valid module names: Framework gens dropped the "13-" prefix in nixos-hardware (`framework-11th-gen-intel`, not `framework-13-11th-gen-intel`); ThinkPad X1 modules are `x1-Nth-gen`, not `x1-carbon-genN`; Surface Pro 6/7/8/10 all share `microsoft-surface-pro-intel`; Surface Book / Intel Surface Laptop have no module (rows dropped, generic detection still emits sensible `common-pc-laptop` + cpu/gpu). Added matchers for **ROG Ally** (RC71L / RC72LA / "ROG Ally" via `asus-ally-rc71l`). Documented Steam Deck and Snapdragon X as nixos-hardware-unsupported in a footer comment (Steam Deck → Jovian-NixOS; Snapdragon X → installer is x86_64 only). Added a CI step (`.forgejo/workflows/check.yml`) that fails on any DB entry whose module name isn't in `nixos-hardware.nixosModules` — closes this regression class.
 - _2026-05-18_ — `nomarchy-manual` re-targeted at local docs. The script's `xdg-open` previously pointed at `https://learn.omacom.io/2/the-nomarchy-manual` — an upstream Omarchy URL that opened an unrelated page when users hit the menu's Help entry. Now opens `~/.local/share/nomarchy/README.md` (the local docs index per `SKILL.md`'s "Out of Scope" note), with a `notify-send` fallback if the source tree isn't synced.
 - _2026-05-18_ — Docs hygiene: STRUCTURE.md "Root Directory" + Pillar 6 reality-check. `docs/STRUCTURE.md` listed three top-level files that don't exist (`GEMINI.md`, root-level `STRUCTURE.md`, `TODO.md`) — replaced with an accurate root listing plus a `docs/` sub-tree that names every doc. Pillar 6 in this file had `nomarchy-welcome`, `docs/TROUBLESHOOTING.md`, and the "docs index" bullet still marked Next despite all three shipping on 2026-04-26 — moved to `(Shipped)`. `nomarchy-manual` bullet's "orphaned reference today" claim was stale (the script is called from `nomarchy-menu` and `nomarchy-theme-install`); rewritten to reflect the real remaining issue — its hardcoded `xdg-open https://learn.omacom.io/2/the-nomarchy-manual` is an Omarchy URL.
 - _2026-05-18_ — Installer state.json is now schema-driven. Replaced the heredoc in `installer/install.sh` that hardcoded the JSON literal (theme/dns/wifi/features/etc.) with a `nix eval` of `lib/state-schema.nix`'s `system` block, overlaid with the installer-chosen timezone. Closes the last source-of-truth split after the centralization batch — adding a new default in the schema now reaches the installer with no further plumbing. Output is identical modulo alphabetical key ordering (Nix's `builtins.toJSON` sorts keys; toggle scripts read/write via `jq` so it's invisible to them). Dry-run path unchanged (still bind-mounts a fake `/mnt` so the generator's absolute paths resolve correctly). `bash -n` + `shellcheck --severity=error` clean.

installer/hardware-db.sh

@@ -19,13 +19,17 @@
 
 HARDWARE_DB=(
   # Framework ---------------------------------------------------------------
+  # Module names follow nixos-hardware's actual attrs — for Framework 13
+  # the per-generation modules dropped the "13-" prefix.
   "Framework|Laptop 16.*AMD|isFramework=true|framework-16-7040-amd"
-  "Framework|Laptop 13.*AMD Ryzen AI 300|isFramework=true|framework-13-amd-ai-300-series"
+  "Framework|Laptop 16.*Ryzen AI 300|isFramework=true|framework-16-amd-ai-300-series"
-  "Framework|Laptop 13.*AMD Ryzen 7040|isFramework=true|framework-13-7040-amd"
+  "Framework|Laptop 13.*Ryzen AI 300|isFramework=true|framework-amd-ai-300-series"
-  "Framework|Laptop 13.*13th Gen Intel|isFramework=true|framework-13-13th-gen-intel"
+  "Framework|Laptop 13.*Ryzen 7040|isFramework=true|framework-13-7040-amd"
-  "Framework|Laptop 13.*12th Gen Intel|isFramework=true|framework-13-12th-gen-intel"
+  "Framework|Laptop 13.*Core Ultra|isFramework=true|framework-intel-core-ultra-series1"
-  "Framework|Laptop 13.*11th Gen Intel|isFramework=true|framework-13-11th-gen-intel"
+  "Framework|Laptop 13.*13th Gen Intel|isFramework=true|framework-13th-gen-intel"
-  "Framework|Laptop \(13.*|isFramework=true|framework-13-11th-gen-intel"
+  "Framework|Laptop 13.*12th Gen Intel|isFramework=true|framework-12th-gen-intel"
+  "Framework|Laptop 13.*11th Gen Intel|isFramework=true|framework-11th-gen-intel"
+  "Framework|Laptop \(13.*|isFramework=true|framework"
 
   # Dell XPS / Precision / Latitude ----------------------------------------
   "Dell|XPS 15 9500|isXPS=true|dell-xps-15-9500"
@@ -36,40 +40,61 @@ HARDWARE_DB=(
   "Dell|XPS 13 9380|isXPS=true|dell-xps-13-9380"
   "Dell|XPS 13 7390|isXPS=true|dell-xps-13-7390"
   "Dell|Precision 5530|_|dell-precision-5530"
-  "Dell|Latitude 7480|_|dell-latitude-7480"
+  "Dell|Latitude 7490|_|dell-latitude-7490"
-  "Dell|Latitude 5400|_|dell-latitude-5400"
+  "Dell|Latitude 7430|_|dell-latitude-7430"
+  "Dell|Latitude 7420|_|dell-latitude-7420"
 
   # Lenovo ThinkPad --------------------------------------------------------
-  "LENOVO|ThinkPad X1 Carbon Gen 11|_|lenovo-thinkpad-x1-carbon-gen11"
+  # X1 Carbon: the per-gen modules are named "x1-Nth-gen", not
-  "LENOVO|ThinkPad X1 Carbon Gen 10|_|lenovo-thinkpad-x1-carbon-gen10"
+  # "x1-carbon-genN" — both naming schemes appeared in nixos-hardware and
-  "LENOVO|ThinkPad X1 Carbon Gen 9|_|lenovo-thinkpad-x1-carbon-gen9"
+  # the old DB references picked the wrong one. Carbon-specific quirks
+  # match the X1 modules because the X1 series IS the Carbon line.
+  "LENOVO|ThinkPad X1 Carbon Gen 11|_|lenovo-thinkpad-x1-11th-gen"
+  "LENOVO|ThinkPad X1 Carbon Gen 10|_|lenovo-thinkpad-x1-10th-gen"
+  "LENOVO|ThinkPad X1 Carbon Gen 9|_|lenovo-thinkpad-x1-9th-gen"
+  "LENOVO|ThinkPad X1 Carbon Gen 7|_|lenovo-thinkpad-x1-7th-gen"
+  "LENOVO|ThinkPad X1 Carbon Gen 6|_|lenovo-thinkpad-x1-6th-gen"
   "LENOVO|ThinkPad X1 Extreme|_|lenovo-thinkpad-x1-extreme"
+  "LENOVO|ThinkPad X1 Nano|_|lenovo-thinkpad-x1-nano-gen1"
   "LENOVO|ThinkPad T14 Gen 3|_|lenovo-thinkpad-t14-amd-gen3"
   "LENOVO|ThinkPad T14 Gen 2|_|lenovo-thinkpad-t14-amd-gen2"
   "LENOVO|ThinkPad T14 Gen 1|_|lenovo-thinkpad-t14-amd-gen1"
   "LENOVO|ThinkPad T480|_|lenovo-thinkpad-t480"
   "LENOVO|ThinkPad L13|_|lenovo-thinkpad-l13"
-  "LENOVO|ThinkPad P14s|_|lenovo-thinkpad-p14s"
+  "LENOVO|ThinkPad P14s.*Gen 5|_|lenovo-thinkpad-p14s-amd-gen5"
+  "LENOVO|ThinkPad P14s.*Gen 4|_|lenovo-thinkpad-p14s-amd-gen4"
+  "LENOVO|ThinkPad P14s.*Gen 3|_|lenovo-thinkpad-p14s-amd-gen3"
 
   # Microsoft Surface ------------------------------------------------------
+  # nixos-hardware ships per-chip modules, not per-revision: Intel Surface
+  # Pros (6 through 10) all use `microsoft-surface-pro-intel`; AMD Surface
+  # Laptops use `microsoft-surface-laptop-amd`. Surface Pro 9 has its own
+  # variant for the SQ3 / ARM model — kept separate. Surface Book and
+  # Intel-based Surface Laptops have no dedicated module; we fall back to
+  # the common detection (chassis + cpu + gpu).
+  "Microsoft|Surface Pro 10|_|microsoft-surface-pro-intel"
   "Microsoft|Surface Pro 9|_|microsoft-surface-pro-9"
-  "Microsoft|Surface Pro 8|_|microsoft-surface-pro-8"
+  "Microsoft|Surface Pro 8|_|microsoft-surface-pro-intel"
-  "Microsoft|Surface Pro 7|_|microsoft-surface-pro-7"
+  "Microsoft|Surface Pro 7|_|microsoft-surface-pro-intel"
-  "Microsoft|Surface Pro 6|_|microsoft-surface-pro-6"
+  "Microsoft|Surface Pro 6|_|microsoft-surface-pro-intel"
-  "Microsoft|Surface Laptop 5|_|microsoft-surface-laptop-5"
+  "Microsoft|Surface Pro 3|_|microsoft-surface-pro-3"
-  "Microsoft|Surface Laptop 4|_|microsoft-surface-laptop-4"
+  "Microsoft|Surface Laptop.*Ryzen|_|microsoft-surface-laptop-amd"
-  "Microsoft|Surface Laptop 3|_|microsoft-surface-laptop-3"
   "Microsoft|Surface Go|_|microsoft-surface-go"
-  "Microsoft|Surface Book 3|_|microsoft-surface-book-3"
-  "Microsoft|Surface Book 2|_|microsoft-surface-book-2"
 
-  # ASUS ROG / Zephyrus ----------------------------------------------------
+  # ASUS ROG Ally / Zephyrus / Strix --------------------------------------
-  "ASUS.*|ROG Zephyrus G14.*2024|_|asus-zephyrus-ga403"
+  # Ally is the handheld (Z1 Extreme / Z1). RC71L is the original Ally,
-  "ASUS.*|ROG Zephyrus G14.*2023|_|asus-zephyrus-ga402"
+  # RC72LA is the Ally X — both share the same nixos-hardware module
-  "ASUS.*|ROG Zephyrus G14.*2021|_|asus-zephyrus-ga401"
+  # currently.
+  "ASUS.*|RC71L|_|asus-ally-rc71l"
+  "ASUS.*|RC72LA|_|asus-ally-rc71l"
+  "ASUS.*|ROG Ally|_|asus-ally-rc71l"
+  "ASUS.*|ROG Zephyrus G14.*GA402X|_|asus-zephyrus-ga402x"
+  "ASUS.*|ROG Zephyrus G14.*GA402|_|asus-zephyrus-ga402"
+  "ASUS.*|ROG Zephyrus G14.*GA401|_|asus-zephyrus-ga401"
   "ASUS.*|ROG Zephyrus G15|_|asus-zephyrus-ga503"
-  "ASUS.*|ROG Strix G15|_|asus-rog-strix-g513"
+  "ASUS.*|ROG Zephyrus.*GU603|_|asus-zephyrus-gu603h"
-  "ASUS.*|Zenbook UX|_|asus-zenbook-ux"
+  "ASUS.*|ROG Strix G513|_|asus-rog-strix-g513im"
+  "ASUS.*|ROG Strix G533|_|asus-rog-strix-g533zw"
 
   # Apple (T2 Intel; M-series falls back to asahi elsewhere) ---------------
   "Apple.*|MacBookPro15|isT2Mac=true|apple-t2"
@@ -86,9 +111,14 @@ HARDWARE_DB=(
   "System76|Galago Pro.*|_|system76"
   "System76|Pangolin.*|_|system76"
 
-  # Raspberry Pi (ARM) — listed for completeness; installer is x86_64 only -
+  # Devices nixos-hardware doesn't cover (yet) -----------------------------
-  # "Raspberry Pi|Raspberry Pi 5|_|raspberry-pi-5"
+  # Listed here so future contributors know they're known-unsupported, not
-  # "Raspberry Pi|Raspberry Pi 4|_|raspberry-pi-4"
+  # accidentally missing:
+  #   - Valve Steam Deck (Galileo / Jupiter): try Jovian-NixOS as a flake
+  #     input instead — separate ecosystem, not in nixos-hardware.
+  #   - Snapdragon X laptops (Surface Pro 11, Lenovo Yoga Slim 7x, …):
+  #     aarch64-only and the Nomarchy installer is x86_64 only.
+  #   - Raspberry Pi (ARM): same — installer is x86_64 only.
 )
 
 # ----------------------------------------------------------------------------