1 files changed, 46 insertions, 0 deletions

diff --git a/dot_config/waybar/executable_arch-audit-status.sh b/dot_config/waybar/executable_arch-audit-status.sh
new file mode 100755
index 0000000..73edf6f
--- /dev/null
+++ b/dot_config/waybar/executable_arch-audit-status.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Waybar custom/arch-audit: shows count of installed packages with known
+# CVEs that already have a fix available in the repos. Source of truth
+# is /run/arch-audit.txt, refreshed daily by arch-audit.timer (system
+# scope). Hidden when zero or report missing.
+#
+# Mako throttled to once per 24h via a stamp in $XDG_RUNTIME_DIR.
+
+set -eu
+
+REPORT=/run/arch-audit.txt
+STATE=${XDG_RUNTIME_DIR:-/tmp}/waybar-arch-audit-notified
+
+emit_empty() {
+  printf '{"text":"","class":"fresh","tooltip":""}\n'
+  exit 0
+}
+
+[ -r "$REPORT" ] || emit_empty
+
+count=$(grep -c . "$REPORT" 2>/dev/null || :)
+case "$count" in '' | *[!0-9]*) count=0 ;; esac
+
+[ "$count" -eq 0 ] && emit_empty
+
+text="CVE ${count}"
+tooltip="${count} package(s) with fixable CVEs — click to view, then run \`just update\`"
+printf '{"text":"%s","class":"critical","tooltip":"%s"}\n' "$text" "$tooltip"
+
+now=$(date +%s)
+last_notified=0
+if [ -f "$STATE" ]; then
+  last_notified=$(cat "$STATE" 2>/dev/null || printf 0)
+  case "$last_notified" in '' | *[!0-9]*) last_notified=0 ;; esac
+fi
+
+if [ $((now - last_notified)) -ge 86400 ] &&
+  command -v notify-send >/dev/null 2>&1; then
+  notify-send \
+    --app-name=arch-audit \
+    --urgency=critical \
+    --icon=security-medium \
+    "Security updates available" \
+    "${count} installed package(s) have fixable CVEs. Run \`just update\`."
+  printf '%s\n' "$now" >"$STATE"
+fi