docs(web): reflect field fixes + code signing

- spec: document --source winget (msstore cert bypass), Atera service
  detection, UCPD stop -> WARN on Win11 24H2, CZ+US keyboard layout,
  Network Discovery resource string, clean Windows Update log output, and
  the Trusted Signing step in the architecture section.
- descriptions.json: update 02-software (winget source, Atera) and
  10-network (Network Discovery resource string); add the keyboard layout
  item to 04-default-profile.
- navod + index: note that xetup.exe is now digitally signed (publisher
  X9.cz s.r.o.), so SmartScreen/UAC show a verified publisher.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

web/data/descriptions.json

@@ -23,12 +23,12 @@
   },
   "02-software": {
     "synopsis": "Installs standard business software via winget, sets Adobe PDF default, and installs Atera RMM agent.",
-    "description": "Uses winget to install the standard X9.cz MSP software bundle. Checks winget\navailability before running. Each install is logged. After Adobe Acrobat Reader,\ntemporarily stops the UCPD driver (User Choice Protection Driver, present since\nWin11 23H2 / Win10 22H2 update) to allow the HKCR file association write, sets\n.pdf -> AcroRd32, then restarts UCPD. Atera RMM agent is installed for MSP\nmonitoring, remote access, and ticketing integration.",
+    "description": "Uses winget to install the standard X9.cz MSP software bundle. Checks winget\navailability before running. Each install is logged. After Adobe Acrobat Reader,\ntemporarily stops the UCPD driver (User Choice Protection Driver, present since\nWin11 23H2 / Win10 22H2 update) to allow the HKCR file association write, sets\n.pdf -> AcroRd32, then restarts UCPD. Atera RMM agent is installed for MSP\nmonitoring, remote access, and ticketing integration.\n\nEvery winget install uses --source winget to bypass the msstore source: on fresh Win11 ISOs the bundled App Installer ships a stale pinned certificate and msstore fails with 0x8a15005e (server certificate did not match), which aborts the install. The same flag is applied in step 11 (Dell Command Update).",
     "items": {
       "7-zip-7zip-7zip": "Installs 7-Zip (winget ID: 7zip.7zip). Used for archive management. Silent install with --accept-package-agreements --accept-source-agreements flags required for unattended deployment.",
       "adobe-acrobat-reader-64-bit-adobe-acroba": "Installs Adobe Acrobat Reader DC 64-bit (Adobe.Acrobat.Reader.64-bit). Required as the default PDF viewer to prevent Edge from handling PDFs in browser mode, which limits functionality.",
       "openvpn-connect-openvpntechnologies-open": "Installs OpenVPN Connect client. Used for client VPN access when the client network requires a VPN. The ovpn profile and credentials are configured separately per client.",
-      "atera-agent-install": "Downloads Atera MSI from x9.servicedesk.atera.com and installs via msiexec /qn. During install the Atera MSI shows an interactive MFA window - the technician enters the 2FA code to complete agent registration. Agent enables MSP monitoring, remote access, and ticketing integration with the Atera dashboard.",
+      "atera-agent-install": "Atera RMM agent downloaded from x9.servicedesk.atera.com and installed via msiexec /qb. During install, Atera MSI shows an interactive MFA window - technician enters the code to complete registration. Install is verified primarily via the AteraAgent service (Get-Service AteraAgent), which is reliable regardless of install path - Atera now sometimes lands under C:\\ProgramData instead of Program Files; a path check (incl. ProgramData) is the fallback. Agent enables MSP monitoring, remote access, and ticketing integration.",
       "adobe-pdf-default-pdf-acrord32-po-instal": "Sets .pdf -> AcroRd32 file association after Acrobat install via HKCR (system-wide, no UserChoice hash issue). UCPD driver is stopped immediately before the write and restarted after to ensure the association persists across Edge updates.",
       "ucpd-sys-kernel-driver-od-feb-2024-bloku": "UCPD.sys (User Choice Protection Driver) is stopped before the PDF association write and restarted after. Pattern: Stop-Service ucpd -> set HKCR\\.pdf -> Start-Service ucpd. Implemented in this script."
     }
@@ -71,7 +71,8 @@
       "accent-barva-na-titulnich-listech-colorp": "ColorPrevalence = 1 in Personalize key. Shows the X9.cz accent color (#223B47) on window title bars and borders. Gives all windows a consistent branded appearance.",
       "onedrive-runonce-klic-je-tady-smazat": "REMOVED. The RunOnce key deletion and Explorer namespace CLSID removal were deleted - those registry tweaks prevented a freshly installed OneDrive (e.g. for M365) from launching. OneDrive AppX uninstall in step 01 is intentional; blocking re-launch is not.",
       "explorer-showrecent-0-showfrequent-0": "ShowRecent=0 and ShowFrequent=0 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer. Hides Recent files and Frequent folders from Quick Access. Privacy improvement and cleaner File Explorer on fresh deployments.",
-      "explorer-fullpath-1-cabinetstate": "FullPath=1 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState. Displays the full directory path (e.g. C:\\Users\\jan\\Documents\\Projekty) in the File Explorer title bar instead of just the folder name."
+      "explorer-fullpath-1-cabinetstate": "FullPath=1 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState. Displays the full directory path (e.g. C:\\Users\\jan\\Documents\\Projekty) in the File Explorer title bar instead of just the folder name.",
+      "klavesnice-cz-primarni-us-sekundarni": "Sets the keyboard/input layout to Czech primary + US English secondary. Applied via Set-WinUserLanguageList (cs-CZ + en-US) for the current user, plus the Preload key (1=00000405 Czech, 2=00000409 US) written into both the Default profile hive (so every new user inherits it) and HKU\\.DEFAULT (welcome screen and system/service accounts). Applied unconditionally - the US secondary layout is harmless and CZ stays primary."
     }
   },
   "07-backinfo": {
@@ -123,7 +124,7 @@
     "items": {
       "nastavit-sitovy-profil-private": "Sets all connected network profiles to Private via Set-NetConnectionProfile. Public profile blocks most LAN features. Private is required for file sharing, printer sharing, and network discovery. Applied to all currently connected adapters.",
       "povolit-ping-icmp-firewall": "Enables \"File and Printer Sharing (Echo Request)\" firewall rules for ICMPv4 and ICMPv6. ICMP echo is disabled by default on clean Windows. Required for network diagnostics, monitoring tools, and basic connectivity verification.",
-      "zapnout-network-discovery": "Enables the Network Discovery firewall rule group (FPS-NB_Name-In-UDP, LLMNR, etc.) for Private and Domain profiles via Set-NetFirewallRule. Allows this PC to appear in Network Neighborhood and browse other machines."
+      "zapnout-network-discovery": "Enables the Network Discovery firewall rule group via Set-NetFirewallRule -Group \"@FirewallAPI.dll,-32752\" (a language-independent resource string) for Private/Any profiles, with a netsh fallback. The resource string is used instead of -DisplayGroup \"Network Discovery\" because the display name is localized (e.g. \"Zjistovani site\" on Czech Windows), which made the old DisplayGroup match fail on non-English installs."
     }
   },
   "11-dell-update": {

web/index.html

@@ -192,7 +192,7 @@
     <button id="copy-btn" onclick="copyCmd()">Kopirovat</button>
   </div>
   <p style="color:var(--muted);font-size:.78rem;margin-top:.5rem">
-    Pokud ve stazeni brani antivirus, pouzijte curl &ndash; staci bezny prikazovy radek, neni potreba administrator.
+    Binarka je digitalne podepsana (vydavatel X9.cz s.r.o.). Pokud ve stazeni presto brani antivirus, pouzijte curl &ndash; staci bezny prikazovy radek, neni potreba administrator.
   </p>
 
   <!-- Dynamic download strip – filled by JS from Forgejo releases API -->

web/navod/index.html

@@ -137,7 +137,8 @@
       <h2>Stahni xetup.exe</h2>
     </div>
     <p>Stahni <a href="https://xetup.x9.cz/dl" style="color:var(--blue)">xetup.x9.cz/dl</a> na cilovy pocitac.</p>
-    <p>Antivirus (hlavne Windows Defender) <code>xetup.exe</code> casto smazne nebo zablokuje. V tom pripade otevri <strong>prikazovy radek</strong> (cmd) a stahni pres curl:</p>
+    <p><code>xetup.exe</code> je digitalne podepsany (Azure Trusted Signing, vydavatel <strong>X9.cz s.r.o.</strong>) &ndash; SmartScreen i UAC ukazuji overeneho vydavatele a Defender by mel blokovat min nez drive.</p>
+    <p>Pokud ho antivirus presto smazne nebo zablokuje, otevri <strong>prikazovy radek</strong> (cmd) a stahni pres curl:</p>
     <p><code>curl -Lo xetup.exe https://xetup.x9.cz/dl</code></p>
     <p>Curl soubor jenom stahne &ndash; pak je treba spustit rucne:</p>
     <p><code>xetup</code> + Enter</p>

web/spec/index.html

@@ -601,9 +601,11 @@
           <tr class="flag-done"><td>OpenVPN Connect (<code>OpenVPNTechnologies.OpenVPNConnect</code>)</td><td>OK</td></tr>
           <tr class="flag-done"><td>Atera Agent install</td><td>Invoke-WebRequest + <code>msiexec /i /qb</code> &ndash; /qb umozni zobrazeni MFA okna</td></tr>
           <tr class="flag-done"><td>Adobe PDF default: .pdf -&gt; AcroRd32 po instalaci</td><td>OK &ndash; UCPD stop/start kolem zapisu asociace</td></tr>
-          <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem</td></tr>
+          <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze &ndash; logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
           <tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
           <tr class="flag-done"><td>Winget cesta explicitne predavana do parallel jobu</td><td>Opraveno &ndash; Start-Job nezdedi PATH; winget.exe fullpath preda jako argument. Exit 3010 (success+reboot) nyni vyhodnocen jako OK.</td></tr>
+          <tr class="flag-done"><td>Winget: <code>--source winget</code> u kazde instalace</td><td>Field fix &ndash; fresh Win11 ISO ma App Installer se starym pinned certem, msstore source padá na <code>0x8a15005e</code> a instalaci prerusi. <code>--source winget</code> msstore obejde. Plati i pro krok 11 (Dell).</td></tr>
+          <tr class="flag-done"><td>Atera: detekce pres sluzbu <code>Get-Service AteraAgent</code></td><td>Field fix &ndash; agent se obcas instaluje do <code>C:\ProgramData\</code>; existence sluzby je spolehlivejsi nez kontrola souboru. Fallback na cesty vc. ProgramData.</td></tr>
         </table>
         <div class="note">
           <strong>Atera Agent URL:</strong><br>
@@ -668,6 +670,7 @@
           <tr class="flag-done"><td>Start menu: zakaz Bing vyhledavani</td><td>DisableSearchBoxSuggestions = 1</td></tr>
           <tr class="flag-done"><td>Copilot: zakaz (TurnOffWindowsCopilot = 1)</td><td>OK</td></tr>
           <tr class="flag-done"><td>NumLock zapnout pri startu (InitialKeyboardIndicators = 2)</td><td>OK</td></tr>
+          <tr class="flag-done"><td>Klavesnice: CZ primarni + US sekundarni</td><td>Field fix &ndash; Set-WinUserLanguageList (cs-CZ + en-US) pro aktualniho uzivatele; Preload (<code>1=00000405</code> CZ, <code>2=00000409</code> US) do Default hive i <code>HKU\.DEFAULT</code> (welcome screen + systemove ucty). Aplikuje se vzdy automaticky.</td></tr>
           <tr class="flag-done"><td>System tema (taskbar, Start): Dark</td><td>OK</td></tr>
           <tr class="flag-done"><td>Aplikacni tema: Light</td><td>OK</td></tr>
           <tr class="flag-done"><td>Accent barva: #223B47 (tmave modroseda)</td><td>AccentColor DWORD = 0xFF473B22 (ABGR)</td></tr>
@@ -776,7 +779,7 @@
         <table class="items">
           <tr class="flag-done"><td>Nastavit sitovy profil jako Private (ne Public)</td><td>Set-NetConnectionProfile pro vsechny pripojene adaptery</td></tr>
           <tr class="flag-done"><td>Povolit ping (ICMP) pro diagnostiku</td><td>Enable-NetFirewallRule: FPS-ICMP4-ERQ-In + FPS-ICMP6-ERQ-In</td></tr>
-          <tr class="flag-done"><td>Zapnout Network Discovery pro Private profil</td><td>Set-NetFirewallRule + netsh advfirewall jako fallback</td></tr>
+          <tr class="flag-done"><td>Zapnout Network Discovery pro Private profil</td><td>Set-NetFirewallRule <code>-Group "@FirewallAPI.dll,-32752"</code> (resource string, nezavisly na jazyku) + netsh fallback. Field fix: drivejsi <code>-DisplayGroup "Network Discovery"</code> selhalo na ceske lokalizaci Win11.</td></tr>
         </table>
       </div>
       <div class="step-footer">
@@ -821,7 +824,7 @@
       <div class="step-body">
         <table class="items">
           <tr class="flag-done"><td>Instalace NuGet providera + PSWindowsUpdate modulu ze PSGallery</td><td>Install-PackageProvider + Install-Module PSWindowsUpdate -Force</td></tr>
-          <tr class="flag-done"><td>Prvni pruchod aktualizaci (bez rebootu)</td><td>Install-WindowsUpdate -AcceptAll -IgnoreReboot</td></tr>
+          <tr class="flag-done"><td>Prvni pruchod aktualizaci (bez rebootu)</td><td>Install-WindowsUpdate -AcceptAll -IgnoreReboot. Vystup formatovan pres <code>$_.Result</code> + <code>$_.Title</code> (drive log zaplaval radky "System.__ComObject").</td></tr>
           <tr class="flag-done"><td>Reboot cyklus (exit 9) &ndash; pokracovani pres xetup resume</td><td>Exit 9 = reboot needed; xetup ulozi stav, nastavi autologon + X9-Resume task, restartuje</td></tr>
           <tr class="flag-done"><td>Automaticky restart po skonceni deploymetu (GUI odpocet)</td><td>xetup.exe zobrazi 60s odpocet + tlacitka "Restartovat ted" / "Zrusit restart"</td></tr>
         </table>
@@ -888,6 +891,7 @@
           <tr class="flag-done"><td>E-mail report: 3 pokusy + lokalni HTML fallback</td><td>Backoff 0/1/5s; vzdy ulozi <code>C:\X9\report.html</code> bez ohledu na SMTP</td></tr>
           <tr class="flag-done"><td>Hive unload retry (5 pokusu, GC pred kazdym)</td><td>Prevence "hive in use" chyby pri reg unload ntuser.dat</td></tr>
           <tr class="flag-done"><td>Resume fix: StepsByIDs nyni nastavuje Enabled=true</td><td>Opravena kriticka chyba &ndash; resume mode preskakoval vsechny kroky</td></tr>
+          <tr class="flag-done"><td>Code signing: Azure Trusted Signing (jsign)</td><td>CI podepise <code>xetup.exe</code> certem <strong>X9.cz s.r.o.</strong> + RFC3161 timestamp. Trusted Signing cert je kratkodoby (~3 dny) &ndash; timestamp udrzi podpis platny i po expiraci. SmartScreen/UAC pak ukaze overeneho vydavatele.</td></tr>
           <tr class="flag-todo"><td>Self-update: stahnout novou verzi z xetup.x9.cz/dl</td><td>Overit hash pred spustenim</td></tr>
           <tr class="flag-future"><td>config.json: per-klient preset na USB</td><td>Jmeno PC prefix, SW seznam, klic &ndash; lezi vedle .exe</td></tr>
         </table>
@@ -895,7 +899,7 @@
           <strong>Struktura:</strong> <code>cmd/xetup/</code>, <code>internal/config/</code>, <code>internal/gui/</code>, <code>internal/runner/</code><br><br>
           <strong>Go zavislosti:</strong> github.com/lxn/walk (Win32 GUI), golang.org/x/sys<br><br>
           <strong>Build:</strong> <code>CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64 go build -ldflags="-s -w -H windowsgui" ./cmd/xetup/</code><br>
-          CI (Forgejo Actions) sestavi a publikuje automaticky pri kazdem push na main.<br><br>
+          CI (Forgejo Actions) sestavi, <strong>podepise</strong> (Azure Trusted Signing, cert X9.cz s.r.o. + RFC3161 timestamp pres jsign) a publikuje automaticky pri kazdem push na main.<br><br>
           <strong>Spolehlivost (v0.6):</strong> Watchdog zabiji zavisle skripty po 30 min ticha. Reboot-loop ochrana omezi opakovani kazdeho kroku na 5 restartu.
           State file se zapisuje atomicky (tmp+rename). E-mail report se zkusi 3x s backoff a vzdy ulozi lokalni HTML kopii.
         </div>