feat(meta): add arch-audit, kernel-modules-hook, lostfiles to base

Three small extra-repo packages, each anchoring one strand of the new
'remind, never auto-fix' system-health story:

- arch-audit: queries security.archlinux.org for CVEs against installed
  versions and prints those that already have a fix in the repos. Driven
  by etc/systemd/system/arch-audit.timer (daily refresh into
  /run/arch-audit.txt) and surfaced through custom/arch-audit in waybar.

- lostfiles: enumerates filesystem entries under tracked dirs (/etc,
  /usr, /var…) that aren't owned by any pacman package and aren't on
  its built-in safe-list. Driven by etc/systemd/system/lostfiles.timer
  (weekly refresh into /run/lostfiles.txt) and surfaced through
  custom/lostfiles in waybar.

- kernel-modules-hook: ships its own /usr/share/libalpm/hooks entries
  that copy the running kernel's modules to /usr/lib/modules/$(uname -r)
  on upgrade and prune them on shutdown, so modprobe (USB devices, vfat
  mounts, etc.) keeps working between a kernel upgrade and the next
  reboot. No further config — drop-in fix.

1 files changed, 4 insertions, 0 deletions

diff --git a/meta/base.txt b/meta/base.txt
index 81b93c7..2ee74bd 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -1,5 +1,6 @@
 # --- core ---
 acpid
+arch-audit
 base
 base-devel
 bash-completion
@@ -21,7 +22,9 @@ glow
 htop
 iwd
 jq
+kernel-modules-hook
 linux-firmware
+lostfiles
 lsd
 lshw
 man-db
@@ -246,3 +249,4 @@ tesseract-data-por
 # WHISPER_MODEL in the script's environment to use a different ggml model.
 whisper.cpp-vulkan
 whisper.cpp-model-base
+act