docs: sync SPEC.md + CLAUDE.md with this session's changes

Bring the in-repo spec and Claude guide up to date: winget --source winget,
Network Discovery resource string, CZ+US keyboard, Atera under SYSTEM (no MFA),
Windows Update log formatting, Explorer AUMID pin, AccentPalette / all-profile
theme, BackInfo background color, and Azure Trusted Signing in CI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
X9 Dev 2026-06-02 10:45:42 +02:00
parent 917fc89068
commit 41f6d27275
2 changed files with 55 additions and 8 deletions


@ -160,6 +160,24 @@ xetup.exe start
### Parallel winget ### Parallel winget
- 02-software.ps1 launches all winget installs as background jobs (Start-Job) - 02-software.ps1 launches all winget installs as background jobs (Start-Job)
- Jobs run simultaneously, results collected after all complete - Jobs run simultaneously, results collected after all complete
- Every install passes `--source winget` (msstore source fails on fresh Win11 ISOs: 0x8a15005e)
### Atera agent
- Installed under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn) - under SYSTEM
there is no interactive MFA prompt. Verified via the AteraAgent service (path check fallback).
### Keyboard + accent (step 04)
- Keyboard: CZ primary + US secondary (Set-WinUserLanguageList + Preload in Default hive and HKU\.DEFAULT)
- Accent #223B47 needs AccentColor AND AccentPalette (REG_BINARY) or Win11 drops it on Start/taskbar
- Theme written to Default hive + current HKCU + HKU\.DEFAULT so all profiles match
- File Explorer pinned via AUMID (Microsoft.Windows.Explorer), not a custom .lnk (avoids 2nd Explorer)
- BackInfo.ini BackgroundColor is 0xRRGGBB decimal (RGB, not COLORREF): #223B47 = 2243399
### Code signing
- CI signs xetup.exe via Azure Trusted Signing (cert "X9.cz s.r.o.") + jsign + RFC3161 timestamp
- Certs are short-lived (~3 days); the timestamp keeps signatures valid past expiry
- Only AZURE_CLIENT_SECRET is a Forgejo Actions secret; the SP is shared across X9 projects - do NOT rotate
- jsign auth needs the Trusted Signing token; runner-config mounts the docker socket for the deploy.json step
--- ---
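Review bot: the last bullet records that runner-config mounts the Docker socket for the deploy.json step, which gives that job root-equivalent control of the runner host, yet it does not say why the step needs the socket or which jobs can reach it; add the reason and the scope here, or mark it as a known risk to remove. On the AZURE_CLIENT_SECRET bullet, "do NOT rotate" leaves no procedure for the case where rotation becomes unavoidable (a leaked secret); record the owner of the shared SP and which other X9 projects must be updated, rather than a blanket prohibition.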

SPEC.md

@ -67,7 +67,8 @@ Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.),
## Step 02 - Software installation ## Step 02 - Software installation
Parallel winget installs (Start-Job): Parallel winget installs (Start-Job). Every install uses `--source winget` to bypass the
msstore source, which fails on fresh Win11 ISOs (stale App Installer cert, 0x8a15005e):
| Software | Winget ID | | Software | Winget ID |
|---|---| |---|---|
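Review bot: the new sentence explains `--source winget`, but the spec still does not say whether the Winget IDs in the table are passed as exact package IDs (`--id` with `--exact`); pinning the source only selects the repository, so state explicitly that the ID column is the install key and not a name search, otherwise a reader cannot tell what the install actually matches.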
@ -76,8 +77,13 @@ Parallel winget installs (Start-Job):
| OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect | | OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect |
After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted. After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted.
On Win11 24H2 UCPD is a protected service and the stop fails (logged WARN, not ERROR); the
system-wide HKCR write succeeds regardless.
Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait. Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed under NT AUTHORITY\SYSTEM
via a one-shot scheduled task (msiexec /qn). Under SYSTEM the agent registers silently with no
interactive MFA prompt. Verified via the AteraAgent service (Get-Service), with a path check
(incl. C:\ProgramData) as fallback.
--- ---
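Review bot: the Atera paragraph now documents an MSI downloaded from x9.servicedesk.atera.com and executed as NT AUTHORITY\SYSTEM, but neither version of the text says the download is verified (Authenticode signature or a known hash) before msiexec runs it; add that check to the spec, or record that it is absent. The one-shot scheduled task should also state that it is deleted after the run, so a SYSTEM-level task does not remain registered on the machine.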
@ -104,12 +110,20 @@ Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Def
hive and current HKCU. Feature-toggled sections: hive and current HKCU. Feature-toggled sections:
- **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all - **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all
tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on.
File Explorer is pinned via its AppUserModelID (DesktopApplicationID="Microsoft.Windows.Explorer"),
not a custom .lnk - a hand-made shortcut launched a second Explorer and could not be unpinned.
- **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR - **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR
- **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path - **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path
Personalization (always): dark shell / light apps, accent #223B47, transparency off, Keyboard (always): CZ primary + US secondary - Set-WinUserLanguageList (current user) plus
solid wallpaper #223B47 (BackInfo overwrites on logon). the Preload key (1=00000405 CZ, 2=00000409 US) in the Default hive and HKU\.DEFAULT.
Personalization (always): Custom mode (dark shell / light apps), accent #223B47 set via
AccentColor AND AccentPalette (the palette is required or Win11 drops the custom accent on
Start/taskbar), ColorPrevalence on for Start/taskbar and title bars/borders, transparency off,
solid wallpaper #223B47 (BackInfo overwrites on logon). Written to the Default hive (new users),
the current user (HKCU) and HKU\.DEFAULT (lock/welcome screen) so all profiles match.
--- ---
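Review bot: the AccentPalette sentence states that the REG_BINARY value is required but gives neither its layout nor the value written for #223B47, so the behaviour cannot be reproduced or verified from the spec alone; add the byte sequence, or a pointer to where the script derives it. The keyboard paragraph lists Set-WinUserLanguageList for the current user plus the Preload key in the Default hive and HKU\.DEFAULT, while the Personalization paragraph also writes HKCU; say whether Preload is intentionally not written under HKCU.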
@ -117,14 +131,17 @@ solid wallpaper #223B47 (BackInfo overwrites on logon).
Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to
registry. Creates startup shortcut for all users. BackInfo renders system info BMP as registry. Creates startup shortcut for all users. BackInfo renders system info BMP as
desktop wallpaper on every logon. desktop wallpaper on every logon. Background is solid #223B47 (BackInfo.ini
BackgroundColor = 2243399; BackInfo reads the value as 0xRRGGBB / RGB, not COLORREF/BGR).
--- ---
## Step 10 - Network ## Step 10 - Network
Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network
Discovery firewall rules. Discovery firewall rules. Network Discovery is matched by its resource-string group
(-Group "@FirewallAPI.dll,-32752"), not the localized display name, so it works on
non-English (e.g. Czech) Windows.
--- ---
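Review bot: the Network Discovery sentence documents how the rule group is matched but not which firewall profiles are enabled; the group contains Private and Public variants of each rule, and enabling the whole group by -Group turns on the Public variants too, even though the step sets adapters to Private. State that enablement is filtered to rules whose Profile is Private, or say why enabling the Public rules is acceptable.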
@ -149,7 +166,8 @@ from current. Exit 9 only when rename actually happened (restart required).
Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed
(reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles (reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles
the reboot cycle automatically. the reboot cycle automatically. Installed updates are logged via their Result/Title
properties (logging the raw objects printed "System.__ComObject").
--- ---
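Review bot: the step still reads as installing PSWindowsUpdate at run time with no source or version pinned; a module pulled from a gallery during an elevated deployment is supply-chain surface, so the spec should name the source and the required version. On the logging sentence, Result/Title is an improvement over the raw COM object, but the KB identifier is the field that maps an installed update to an advisory; consider logging it alongside Title.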
@ -174,3 +192,14 @@ the reboot cycle automatically.
Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps, Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps,
OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME". OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME".
From: xetup@x9.cz, To: net@x9.cz. From: xetup@x9.cz, To: net@x9.cz.
---
## Code signing (CI)
The Forgejo Actions release workflow signs xetup.exe on every push to main (and via
workflow_dispatch): build → sign → publish. Signing uses Azure Trusted Signing (certificate
"X9.cz s.r.o.") through jsign, with an RFC3161 timestamp (timestamp.acs.microsoft.com).
Trusted Signing certs are short-lived (~3 days); the timestamp keeps the signature valid past
expiry. Only the Entra client secret is a Forgejo secret (AZURE_CLIENT_SECRET); the signed
binary is published as the "latest" release asset.
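Review bot: the section says the workflow signs on every push to main and via workflow_dispatch, but not whether workflow_dispatch is restricted to main; if it can be started on any ref, any branch can produce a binary signed with the production certificate and published as "latest". Document the ref restriction (or add one), and describe a post-signing verification step that checks the signature and the RFC3161 counter-signature before publish, since with ~3-day certificates a missing timestamp leaves the release invalid within days.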