16 changed files with 79 additions and 385 deletions
--- a/.claude/memory/MEMORY.md
+++ b/.claude/memory/MEMORY.md
@ -7,8 +7,7 @@
 - [Communication preferences](feedback_preferences.md) - Czech, discussion first, interactive reviews, phased approach
 ## Project
- [Xetup v0.9 release and CI/ops findings](project_v0.9_release.md) - bloatware toggles, release-via-dispatch, Forgejo UI, pwsh (as of 2026-06-03)
+- [Xetup project state](project_xetup_state.md) - Current state, architecture decisions, what's next (as of 2026-04-15)
 - [Xetup project state](project_xetup_state.md) - Current high-level snapshot: what it is, architecture, scripts, infra, status (as of 2026-06-03)
 - [Technical findings](project_technical_findings.md) - Deep code analysis, UCPD issue, Win11 compatibility, tools research
 ## Reference
--- a/.claude/memory/project_v0.9_release.md
+++ b/.claude/memory/project_v0.9_release.md
@ -1,62 +0,0 @@
 ---
 name: Xetup v0.9 release and CI/ops findings as of 2026-06-03
 description: What shipped in v0.9 (bloatware toggles), how releases really trigger, Forgejo UI customization, dev tooling
 type: project
 ---
 ## v0.9 shipped (2026-06-03)
 Tag `v0.9`, named non-prerelease, signed `xetup.exe` published. Also on rolling `latest`.
 ### Bloatware feature toggles (step 01)
 The bloatware step now has three independent GUI checkboxes (in `runner.StepFeatures()`
 under `bloatware`, defaults in `config.go` + `config.json`):
 - `standardBloatware` (default on) - the bulk AppX/capability/feature list.
 - `removeNewOutlook` (default on) - the new Outlook for Windows app
  (`Microsoft.OutlookForWindows`). Classic Outlook from M365 is a Win32 app, never
  touched - only the bundled UWP new Outlook is.
 - `removeSnippingTool` (default OFF) - **Snipping Tool is now KEPT by default**.
  Spans three list entries: `Microsoft.ScreenSketch` (the modern app), the legacy
  capability `Microsoft.Windows.SnippingTool`, and the optional feature
  `Microsoft-SnippingTool`. Kept like Calculator (common productivity tool).
 Gating logic is `Test-RemovalAllowed` in `scripts/01-bloatware.ps1`: each item is
 governed by its own flag, so toggles are independent (a single feature off does not
 disable the whole step).
 ### Latent bug fixed
 The Go `Config` struct had no `Bloatware` field, so the GUI's runtime-config
 regeneration silently dropped `bloatware.keepPackages` - the script's keep-list merge
 was effectively dead when run via xetup.exe. Added the field.
 ## CI / release mechanics (important)
 - `release.yml` triggers on push to `main` ONLY for paths `**.go`, `scripts/**`,
  `assets/**`, `embed.go`, `app.manifest`, `release.yml`. Docs-only / `web/**` pushes
  do NOT trigger a build.
 - **Version tags release via `workflow_dispatch` on the tag ref, NOT a plain tag push.**
  A `vX.Y` tag usually points at a docs-only "release X.Y" commit, which the `paths`
  filter blocks - so `git push <tag>` does nothing. Dispatch instead:
  `POST /api/v1/repos/x9/xetup/actions/workflows/release.yml/dispatches {"ref":"vX.Y"}`.
  This is how v0.8 and v0.9 were built. `github.ref = refs/tags/vX.Y` -> named release.
 - Release notes come from the matching `## [X.Y]` section in `CHANGELOG.md`. Move the
  `[Unreleased]` content into a dated `## [X.Y] - DATE` section before tagging.
 ## Forgejo UI customization
 - Top-left Forgejo brand logo (`#navbar-logo`) is replaced with a back-link to
  `xetup.x9.cz` via `templates/custom/header.tmpl` (CSS + small JS retargeting href).
 - Forgejo custom path is `GITEA_CUSTOM=/data/gitea` inside the `xetup-forgejo`
  container; templates live in the `xetup_forgejo-data` volume (NOT git by itself).
 - Source is versioned in the repo at `deploy/forgejo/` (mirror + README). Deploy =
  `docker cp` into the container + `docker restart xetup-forgejo` (templates load at
  startup). Runner reconnects on its own.
 ## Dev tooling
 - `pwsh` (PowerShell 7.6.2) is installed on the dev box (Debian 12) via the Microsoft
  apt repo. Use it for PS syntax/parse checks:
  `[System.Management.Automation.Language.Parser]::ParseFile(...)`. Note: Windows-only
  cmdlets (Remove-AppxPackage, Get-WindowsCapability...) cannot run here.
 ## Still open
 - v0.9 / `latest` are NOT smoke-tested on real Windows yet. Recommend VM test
  (snapshot -> run -> revert) before a technician deploys to a client. Revert path:
  `git revert <sha>` + push (CI rebuilds `latest`).
--- a/.claude/memory/project_xetup_state.md
+++ b/.claude/memory/project_xetup_state.md
@ -1,72 +1,73 @@
 ---
-name: Xetup project state as of 2026-06-03
+name: Xetup project state as of 2026-04-15
-description: Current state of the xetup Windows deployment project - what it is, architecture, status, what is shipped vs open
+description: Current state of the xetup Windows deployment project - architecture decisions, what exists, what's planned
 type: project
 ---
 ## What xetup is
-Automated Windows 10/11 setup for X9.cz MSP clients - replaces hours of manual
+Automated Windows 10/11 setup for X9.cz MSP clients. Replaces ~3 hours of manual work with a single script/tool.
 prep on a new machine with a single signed binary the technician runs on-site as
 Administrator. ~20 machines/month, various clients. `xetup.exe` is the SOLE entry
 point (no CLI script entry point - do NOT create Deploy-Windows.ps1).
-Detailed architecture, conventions and per-step notes live in `CLAUDE.md` and
+## Current repo structure (cleaned 2026-04-15)
 `SPEC.md` - this file is the high-level current-state snapshot.
 ## Architecture (as built)
 - **Go GUI launcher** (`xetup.exe`) - single binary, embeds `scripts/` + `assets/`
  via `embed.go`. Extracts to temp, loads config, runs PS scripts sequentially,
  handles reboot-resume cycles, sends an HTML email report (SMTP2Go) at the end.
 - **GUI is Walk** (Windows-only, CGO required) - NOT a charmbracelet TUI (that was
  an early-planning idea that did not ship). Cross-compiled with mingw:
  `CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64`.
 - Three GUI phases: config form -> live log -> summary with reboot countdown.
 - **Steps with sub-features**: GUI checkboxes map to `config.features[step][feature]`
  (missing key defaults to true). Step is enabled if >=1 of its features is checked.
 - **Reboot-resume**: steps exit code 9 = "reboot required"; runner persists state,
  sets autologon for `adminx9` + an `X9-Resume` scheduled task, reboots, resumes.
  Steps 09 (pcIdentity on rename) and 12 (windowsUpdate) can trigger it.
 ## Current scripts (step order)
 ```
-00 admin-account     (adminx9, no password, hidden, FullName "X9.cz s.r.o.")
+xetup/
-08 activation         (OA3 -> config key -> GVLK)
+├── review.html                  ← interactive review page v2 (with colleague comments)
-01 bloatware          (AppX + Capabilities + Optional Features; feature-gated)
+├── xetup-review.md             ← exported review v1 results from colleague
-02 software           (parallel winget + Adobe PDF default + Atera under SYSTEM)
+├── xetup-win-setup-spec.md     ← original spec from colleague
-03 system-registry    (HKLM tweaks, Edge policies, OneDrive, powercfg)
+├── xetup-win-setup-novinky.md  ← v2 additions from colleague (taskbar pins, explorer, network, admin desc)
-04 default-profile    (NTUSER.DAT + HKCU + personalization, merged into one hive load)
+├── W11.pdf                      ← reference PDF
-07 backinfo           (BackInfo.exe + startup shortcut)
+└── windows-deployment-new/      ← the active codebase
-10 network            (Private profile, ping, Network Discovery)
+    ├── Deploy-Windows.ps1       ← master script
-11 dell-update        (Dell Command | Update, auto-skip on non-Dell)
+    ├── CLAUDE.md / SPEC.md
-09 pc-identity        (rename PC + C:\X9 folder, exit 9 on rename)
+    ├── config/config.json
-12 windows-update     (PSWindowsUpdate reboot cycle, exit 9)
+    ├── assets/
    │   ├── Backinfo/            ← BackInfo.exe + ini + ps1 (ready to use)
    │   └── Logo/                ← X9 ico + jpeg (moved here 2026-04-15)
    └── scripts/
        ├── 00-admin-account.ps1
        ├── 01-bloatware.ps1
        ├── 02-software.ps1
        ├── 03-system-registry.ps1
        ├── 04-default-profile.ps1
        ├── 05-personalization.ps1
        ├── 06-scheduled-tasks.ps1
        ├── 07-desktop-info.ps1  ← TO BE REPLACED by BackInfo
        └── 08-activation.ps1
 ```
 Note: old 05-personalization / 06-scheduled-tasks / 07-desktop-info no longer
 exist (personalization merged into 04; DesktopInfo replaced by BackInfo).
-## Infra / web (live)
+## Key decisions made (2026-04-15 session)
- **Forgejo** at git.xetup.x9.cz (container `xetup-forgejo`, v9.0.3) - git + issues +
+1. **BackInfo wins over custom DesktopInfo** - colleague prefers it (INI config, auto-update, centered text). Our 07-desktop-info.ps1 will be deleted.
-  Actions CI. Runner: `xetup-runner`. Navbar logo customized to a xetup.x9.cz
+2. **OneDrive must NOT be removed** - current code aggressively deletes it, breaks M365. Must fix 03-system-registry.ps1 and 04-default-profile.ps1.
-  back-link (see `deploy/forgejo/`).
+3. **RDP must NOT be removed** - was in SPEC but never implemented (good). Remove from SPEC entirely.
- **Static site** at xetup.x9.cz (container `xetup-web`, nginx) - bind-mounts
+4. **Colleague's spec has priority** over our implementation when they overlap.
-  `/opt/xetup/web` directly, so editing `web/**` is LIVE immediately (no deploy step).
+5. **adminx9 account: no password** (changed from config-driven password), FullName = "X9.cz s.r.o."
-  Pages: landing, spec (from `web/data/descriptions.json`), changelog (renders
+6. **Nextcloud not needed** - assets are in repo, only Atera MSI downloads from web.
-  `CHANGELOG.md` via Forgejo raw API).
+7. **Flash2 not integrated** - it's the old version of this tool, just for inspiration.
- **CI release** (`.forgejo/workflows/release.yml`): builds, signs (Azure Trusted
+8. **Atera Agent**: curl from `https://x9.servicedesk.atera.com/api/utils/agent-install/windows/?cid=31&aeid=50b72e7113e54a63ac76b96c54c7e337` then `msiexec /i setup.msi /qn`
  Signing), publishes `xetup.exe`. Push to `main` touching code/scripts -> rolling
  `latest`. Version `vX.Y` releases are triggered by `workflow_dispatch` on the tag
  ref (the `paths` filter blocks docs-only tag pushes). Signing SP is shared across
  X9 projects - do NOT rotate.
-## Status (2026-06-03)
+## Architecture direction (decided 2026-04-15)
- **Released: v0.9** - bloatware feature toggles (Outlook/Snipping/standard now
+- **Go TUI launcher** (xetup.exe) - single binary, embeds PS scripts + assets
-  independently toggleable; Snipping kept by default), `keepPackages` runtime bug
+- Charmbracelet stack: bubbletea, huh, lipgloss
-  fixed. See `project_v0.9_release.md` for detail.
+- Self-update from web (version.json check)
- CI, signing, web, changelog page all working.
+- **Web platform** at xetup.x9.cz:
  - Forgejo for git hosting + issues + CI
  - Auto-generated documentation from spec.yaml
  - Comments via Forgejo Issues API
  - Landing page + download + changelog
  - Deployment reporting dashboard (later)
 - **spec.yaml** as single source of truth for both exe and docs
-## Open / next
+## What needs to happen next
- v0.9 + `latest` NOT yet smoke-tested on real Windows - recommend VM test
+1. Create spec.yaml from all gathered specs + review
-  (snapshot -> run -> revert) before client deployment.
+2. Initialize Go project structure
- Complete winget SW list still TODO (config list may be incomplete).
+3. Fix PS scripts (OneDrive removal, admin password, BackInfo integration)
- Hard rules (from CLAUDE.md): keep Calculator; do not remove OneDrive policy-block;
+4. Set up repo (GitHub initially, Forgejo later)
-  do not remove RDP/RDS; no diacritics anywhere; no `$ErrorActionPreference=Stop`.
+5. First Go build with TUI form
 6. CI pipeline (GitHub Actions)
 7. Web landing page
 ## Technical findings from deep analysis
 - UCPD kernel driver (since Feb 2024) blocks PDF default association via UserChoice - need to disable UCPD during deployment
 - System tray "show all icons" broken in Win11 24H2 - EnableAutoTray=0 ignored
 - Edge needs ~15 more policy keys than we currently set
 - ConfigureStartPins has new applyOnce property in 24H2
 - Current code quality is solid: 3-level registry fallback, proper hive handling with GC+finally
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,50 +8,7 @@ Builds are continuous: every push to `main` produces a signed `xetup.exe` publis
 ## [Unreleased]
-### Changed
+_Nothing yet._
 - **Photos now kept** (01): `Microsoft.Windows.Photos` is added to the always-keep list
  (`KeepPackages`), so the default image viewer is no longer removed - like Calculator. It stays
  in the removal list but the keep-guard skips it and logs `KEEP Microsoft.Windows.Photos`.
 ## [0.9] - 2026-06-03
 ### Added
 - **Bloatware feature toggles** (01): the bloatware step now exposes three GUI checkboxes -
  `standardBloatware` (default on, the bulk AppX/capability/feature list), `removeNewOutlook`
  (default on, the new Outlook for Windows app `Microsoft.OutlookForWindows`) and
  `removeSnippingTool` (default OFF). Each toggle is independent, so a technician can spare
  Outlook or remove the Snipping Tool without affecting the rest.
 ### Changed
 - **Snipping Tool now kept by default** (01): `Microsoft.ScreenSketch` (the modern Snipping Tool
  app) plus the legacy capability and optional feature are no longer removed unless
  `removeSnippingTool` is checked - it is a commonly used productivity tool, like Calculator.
  Classic Outlook from M365 was never removed (it is a Win32 app, not an AppX package); only the
  bundled new Outlook is, and that is now toggleable.
 ### Fixed
 - **`bloatware.keepPackages` was dropped at runtime**: the Go `Config` struct had no `Bloatware`
  field, so the GUI's runtime-config regeneration silently discarded `keepPackages`. Added the
  field so the keep-list survives and is honored by `01-bloatware.ps1`.
 ## [0.8] - 2026-06-02
 ### Added
 - **Web changelog page** (`/changelog/`) that renders `CHANGELOG.md` from the repo (Forgejo raw
  API via the `/forgejo-api` proxy) - single source of truth. Linked from the site nav.
 - **CI release automation**: the release workflow derives the release notes from `CHANGELOG.md`,
  and a version tag (`vX.Y`) builds, signs and publishes a named (non-prerelease) release for
  that version; `main`/dispatch keep the rolling `latest` prerelease.
 ### Fixed
 - **BackInfo background color**: use the COLORREF value `4668194` for #223B47. BackInfo uses a
  COLORREF (`0x00BBGGRR` / BGR), so the 0.7 value `2243399` (`0x223B47`) was read with red/blue
  swapped and rendered olive-brown (#473B22). Reverts the 0.7 change.
 - **BackInfo black border in some profiles** (04): BackInfo paints a centered bitmap; when it is
  smaller than the screen, the surrounding desktop showed black in profiles whose
  `Control Panel\Colors\Background` was not set. The solid desktop background color (#223B47) is
  now written to HKU\.DEFAULT and to every existing user profile (loading each hive as needed),
  in addition to the Default hive and current user, so the area around the bitmap blends in.
 ## [0.7] - 2026-06-02
@ -90,8 +47,8 @@ Builds are continuous: every push to `main` produces a signed `xetup.exe` publis
  to the default. The full theme (Custom mode: dark system + light apps; accent on Start/taskbar and
  title bars/borders) is written to the Default hive, the current user (HKCU) and `HKU\.DEFAULT` so
  all profiles match. (`4d08d0c`)
- **BackInfo background color**: changed `BackgroundColor` to 2243399 (later found wrong - BackInfo
+- **BackInfo background color**: `BackgroundColor 4668194 -> 2243399`. BackInfo reads the value as
-  uses COLORREF/BGR; corrected in [Unreleased]). (`4d08d0c`)
+  0xRRGGBB (RGB), not COLORREF/BGR, so #223B47 = 2243399; the BGR value swapped red/blue. (`4d08d0c`)
 ### CI / Infra
 - deploy.json update step made non-fatal (cosmetic, runs after the release is published). (`8a7fc10`)
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -200,7 +200,6 @@ git push "http://x9:${TOKEN}@localhost:3100/x9/xetup.git" main
 - Do not use `$ErrorActionPreference = "Stop"` - scripts must survive partial failure
 - Do not remove Calculator (Microsoft.WindowsCalculator)
 - Do not remove Photos (Microsoft.Windows.Photos)
 - Do not use ARM VM for testing
 - Do not write scripts depending on specific username
 - Do not use hardcoded paths that do not exist on clean Windows
--- a/SPEC.md
+++ b/SPEC.md
@ -63,15 +63,6 @@ Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.),
 ~14 Windows Capabilities (Fax, IE, WordPad, etc.), and Optional Features
 (PowerShell 2.0, Recall). Calculator intentionally kept.
 Three GUI feature toggles gate removal:
 - `standardBloatware` (default on) - the bulk list above.
 - `removeNewOutlook` (default on) - the new Outlook for Windows app
  (`Microsoft.OutlookForWindows`). Classic Outlook from M365 is a Win32 app and
  is never touched.
 - `removeSnippingTool` (default OFF) - Snipping Tool across all three lists
  (ScreenSketch app + legacy capability + legacy feature). Kept by default as a
  common productivity tool, like Calculator.
 ---
 ## Step 02 - Software installation
@ -141,11 +132,7 @@ the current user (HKCU) and HKU\.DEFAULT (lock/welcome screen) so all profiles m
 Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to
 registry. Creates startup shortcut for all users. BackInfo renders system info BMP as
 desktop wallpaper on every logon. Background is solid #223B47 (BackInfo.ini
-BackgroundColor = 4668194; BackInfo uses a COLORREF / 0x00BBGGRR / BGR value, so
+BackgroundColor = 2243399; BackInfo reads the value as 0xRRGGBB / RGB, not COLORREF/BGR).
 #223B47 = 71*65536 + 59*256 + 34 = 4668194. The RGB value 2243399 rendered olive-brown).
 Because BackInfo paints a centered bitmap, step 04 also sets the solid desktop background color
 (#223B47) in the Default hive, the current user, HKU\.DEFAULT and every existing profile - otherwise
 a sub-screen bitmap shows a black border around it.
 ---
@ -193,7 +180,7 @@ properties (logging the raw objects printed "System.__ComObject").
  "activation": { "productKey": "", "kmsServer": "" },
  "software": { "install": [{ "name": "...", "wingetId": "..." }] },
  "steps": { "adminAccount": true, ... },
-  "features": { "bloatware": { "standardBloatware": true, "removeNewOutlook": true, "removeSnippingTool": false }, "software": { "wingetInstalls": true, ... }, ... },
+  "features": { "software": { "wingetInstalls": true, "pdfDefault": true, "ateraAgent": true }, ... },
  "bloatware": { "keepPackages": ["Microsoft.WindowsCalculator"] }
 }
 ```
--- a/assets/Backinfo/BackInfo.ini
+++ b/assets/Backinfo/BackInfo.ini
@ -56,10 +56,9 @@
 ;;
 [General]
-; #223B47 as COLORREF (0x00BBGGRR): B=71 G=59 R=34 -> 71*65536 + 59*256 + 34 = 4668194.
+; #223B47 read as 0xRRGGBB decimal: BackInfo uses RGB order here (NOT COLORREF/BGR),
-; BackInfo uses COLORREF/BGR (per its own header doc above). The RGB value 2243399
+; so 0x223B47 = 2243399. The previous BGR value (4668194) rendered with R/B swapped.
-; (0x223B47) was read as COLORREF, swapping R/B and rendering olive-brown (#473B22).
+BackgroundColor = 2243399
 BackgroundColor = 4668194
 ; AutoBackground=0: do NOT read live desktop color - unreliable during deployment
 ; (live session may not yet reflect the registry background color change)
 AutoBackground = 0
--- a/config/config.json
+++ b/config/config.json
@ -33,11 +33,6 @@
    "windowsUpdate":  true
  },
  "features": {
    "bloatware": {
      "standardBloatware":  true,
      "removeNewOutlook":   true,
      "removeSnippingTool": false
    },
    "software": {
      "wingetInstalls": true,
      "pdfDefault": true,
--- a/deploy/forgejo/README.md
+++ b/deploy/forgejo/README.md
@ -1,34 +0,0 @@
 # Forgejo customizations
 Custom UI tweaks for the `xetup-forgejo` instance (git.xetup.x9.cz). These live
 in the Forgejo data volume (`xetup_forgejo-data`), which is NOT under git, so the
 source of truth is kept here and deployed into the container.
 ## Files
 - `templates/custom/header.tmpl` - injected into `<head>` on every page. Replaces
  the meaningless Forgejo brand logo (top-left navbar) with a back-link to
  `xetup.x9.cz`. Pure CSS for the look; a small inline script retargets the
  `#navbar-logo` href.
 ## Deploy
 Custom templates are read at startup, so a restart is required after any change.
 ```bash
 # Path inside the container: GITEA_CUSTOM=/data/gitea
 docker exec xetup-forgejo sh -c 'mkdir -p /data/gitea/templates/custom'
 docker cp deploy/forgejo/templates/custom/header.tmpl \
  xetup-forgejo:/data/gitea/templates/custom/header.tmpl
 docker exec xetup-forgejo sh -c 'chown -R git:git /data/gitea/templates'
 docker restart xetup-forgejo
 ```
 The runner (`xetup-runner`) reconnects on its own after the restart.
 ## Verify
 ```bash
 curl -s http://localhost:3100/x9/xetup/releases | grep -q 'content: "xetup.x9.cz"' \
  && echo "header.tmpl injected" || echo "NOT injected"
 ```
--- a/deploy/forgejo/templates/custom/header.tmpl
+++ b/deploy/forgejo/templates/custom/header.tmpl
@ -1,33 +0,0 @@
 <style>
 	/* The Forgejo brand in the top-left has no meaning for us; turn it into a
 	   back-link to the main site (xetup.x9.cz). Pure CSS for the look, a tiny
 	   script below retargets the href. */
 	#navbar-logo img { display: none !important; }
 	#navbar-logo {
 		display: inline-flex !important;
 		align-items: center;
 		gap: .35rem;
 		padding: .35rem .7rem !important;
 		border: 1px solid var(--color-secondary, #d4d7dc);
 		border-radius: 6px;
 		font-weight: 600;
 		line-height: 1;
 		white-space: nowrap;
 	}
 	#navbar-logo::before { content: "\2190"; font-size: 1.05em; }
 	#navbar-logo::after  { content: "xetup.x9.cz"; }
 	#navbar-logo:hover {
 		background: var(--color-hover, rgba(0,0,0,.05));
 		border-color: var(--color-primary, #4078c0);
 	}
 </style>
 <script>
 	document.addEventListener('DOMContentLoaded', function () {
 		var logo = document.getElementById('navbar-logo');
 		if (logo) {
 			logo.setAttribute('href', 'https://xetup.x9.cz');
 			logo.setAttribute('aria-label', 'Zpet na xetup.x9.cz');
 			logo.setAttribute('title', 'Zpet na xetup.x9.cz');
 		}
 	});
 </script>
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -14,7 +14,6 @@ type Config struct {
 	Software      Software               `json:"software"`
 	Steps         map[string]bool        `json:"steps"`
 	Features      Features               `json:"features"`
 	Bloatware     Bloatware              `json:"bloatware"`
 }
 type Deployment struct {
@ -42,12 +41,6 @@ type Software struct {
 	Install []SoftwareItem `json:"install"`
 }
 // Bloatware holds bloatware-removal config. KeepPackages lists AppX package
 // names that must never be removed, on top of the always-kept defaults.
 type Bloatware struct {
 	KeepPackages []string `json:"keepPackages"`
 }
 // Features holds per-step, per-feature toggle flags.
 // Keys: stepID -> featureID -> enabled.
 // A missing key defaults to true (feature enabled).
@ -87,11 +80,6 @@ func DefaultConfig() Config {
 			"windowsUpdate":  true,
 		},
 		Features: Features{
 			"bloatware": {
 				"standardBloatware":  true,
 				"removeNewOutlook":   true,
 				"removeSnippingTool": false,
 			},
 			"software": {
 				"wingetInstalls": true,
 				"pdfDefault":     true,
@ -114,9 +102,6 @@ func DefaultConfig() Config {
 				"bios":    true,
 			},
 		},
 		Bloatware: Bloatware{
 			KeepPackages: []string{"Microsoft.WindowsCalculator"},
 		},
 	}
 }
--- a/internal/runner/runner.go
+++ b/internal/runner/runner.go
@ -58,11 +58,6 @@ type Feature struct {
 // have no sub-features and are controlled at the step level only.
 func StepFeatures() map[string][]Feature {
 	return map[string][]Feature{
 		"bloatware": {
 			{ID: "standardBloatware",  Label: "Standardni bloatware (AppX, capabilities, features)"},
 			{ID: "removeNewOutlook",   Label: "Novy Outlook for Windows"},
 			{ID: "removeSnippingTool", Label: "Vystrizky / Snipping Tool"},
 		},
 		"software": {
 			{ID: "wingetInstalls", Label: "Instalace SW ze seznamu (winget)"},
 			{ID: "pdfDefault",     Label: "Adobe Reader jako vychozi PDF"},
--- a/scripts/01-bloatware.ps1
+++ b/scripts/01-bloatware.ps1
@ -5,15 +5,13 @@
 .DESCRIPTION
    Removes Microsoft-bundled apps and features not needed in a business MSP deployment.
    Removal is done for all users (-AllUsers) and from the provisioning store so new
-    users do not get them either. Calculator and Photos are intentionally kept.
+    users do not get them either. Calculator is intentionally kept.
 .ITEMS
    appx-balicky-odstraneni-pro-vsechny-uziv: Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.
    zachovano-microsoft-windowscalculator: Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.
    zachovano-microsoft-windows-photos: Photos is explicitly excluded via KeepPackages. Default image viewer expected by end users; removing it leaves no built-in viewer and would require manual reinstall from Store.
    windows-capabilities-fax-ie-openssh-wmp-: Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.
    windows-optional-features-ps-2-0-mediapl: Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.
    feature-toggles: Three GUI feature flags gate removal. standardBloatware (default on) covers the bulk list. removeNewOutlook (default on) controls Microsoft.OutlookForWindows; classic Outlook from M365 is a Win32 app and is never touched. removeSnippingTool (default OFF) controls Snipping Tool across all three lists (ScreenSketch app + legacy capability + legacy feature) - kept by default as a common productivity tool, like Calculator.
 #>
 param(
    [string]$ConfigPath,
@ -23,33 +21,6 @@ param(
 . "$PSScriptRoot\common.ps1"
 $Config = Load-Config $ConfigPath
 # -----------------------------------------------------------------------
 # Feature flags (see CLAUDE.md features system)
 #   standardBloatware  - removes the bulk AppX/capability/feature list
 #   removeNewOutlook   - new Outlook for Windows (Microsoft.OutlookForWindows)
 #   removeSnippingTool - Snipping Tool, spans all three lists; default OFF
 # Outlook and Snipping items are gated by their own flag, independent of the
 # standard flag, so each GUI checkbox does exactly what it says.
 # -----------------------------------------------------------------------
 $DoStandard = Get-Feature $Config "bloatware" "standardBloatware"  $true
 $DoOutlook  = Get-Feature $Config "bloatware" "removeNewOutlook"   $true
 $DoSnipping = Get-Feature $Config "bloatware" "removeSnippingTool" $false
 # Snipping Tool appears as an AppX package (ScreenSketch, the modern app),
 # a legacy capability, and a legacy optional feature.
 $SnippingItems = @(
    "Microsoft.ScreenSketch"
    "Microsoft.Windows.SnippingTool"
    "Microsoft-SnippingTool"
 )
 function Test-RemovalAllowed {
    param([string]$Name)
    if ($Name -eq "Microsoft.OutlookForWindows") { return $DoOutlook }
    if ($SnippingItems -contains $Name)          { return $DoSnipping }
    return $DoStandard
 }
 # -----------------------------------------------------------------------
 # 1a - AppX packages
 # -----------------------------------------------------------------------
@ -105,7 +76,7 @@ $AppxToRemove = @(
 )
 # Packages to always keep
-$KeepPackages = @("Microsoft.WindowsCalculator", "Microsoft.Windows.Photos")
+$KeepPackages = @("Microsoft.WindowsCalculator")
 if ($Config -and $Config.bloatware -and $Config.bloatware.keepPackages) {
    $KeepPackages += $Config.bloatware.keepPackages
 }
@ -118,10 +89,6 @@ foreach ($pkg in $AppxToRemove) {
        Write-Log "  KEEP $pkg" -Level INFO
        continue
    }
    if (-not (Test-RemovalAllowed $pkg)) {
        Write-Log "  KEEP (feature off): $pkg" -Level INFO
        continue
    }
    # Installed packages (current user + all users)
    $installed = Get-AppxPackage -Name $pkg -AllUsers -ErrorAction SilentlyContinue
@ -178,10 +145,6 @@ Write-Log "1b - Removing Windows Capabilities" -Level STEP
 $installedCaps = Get-WindowsCapability -Online -ErrorAction SilentlyContinue
 foreach ($cap in $CapabilitiesToRemove) {
    if (-not (Test-RemovalAllowed $cap)) {
        Write-Log "  KEEP (feature off): $cap" -Level INFO
        continue
    }
    # Match by prefix (e.g. Hello.Face matches Hello.Face.20134.0.0.0)
    $matches = $installedCaps | Where-Object {
        $_.Name -like "$cap*" -and $_.State -eq "Installed"
@ -214,10 +177,6 @@ $FeaturesToDisable = @(
 Write-Log "1c - Disabling Windows Optional Features" -Level STEP
 foreach ($feat in $FeaturesToDisable) {
    if (-not (Test-RemovalAllowed $feat)) {
        Write-Log "  KEEP (feature off): $feat" -Level INFO
        continue
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $feat -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq "Enabled") {
        try {
--- a/scripts/04-default-profile.ps1
+++ b/scripts/04-default-profile.ps1
@ -387,8 +387,7 @@ $pinList
        @{ Key="Software\Microsoft\Windows\DWM";                               Name="ColorPrevalence";      Val=1;                Type="DWord"  },
        @{ Key="Software\Microsoft\Windows\CurrentVersion\Explorer\Accent";    Name="AccentColorMenu";      Val=$AccentColorABGR; Type="DWord"  },
        @{ Key="Software\Microsoft\Windows\CurrentVersion\Explorer\Accent";    Name="StartColorMenu";       Val=$AccentColorABGR; Type="DWord"  },
-        @{ Key="Software\Microsoft\Windows\CurrentVersion\Explorer\Accent";    Name="AccentPalette";        Val=$AccentPalette;   Type="Binary" },
+        @{ Key="Software\Microsoft\Windows\CurrentVersion\Explorer\Accent";    Name="AccentPalette";        Val=$AccentPalette;   Type="Binary" }
        @{ Key="Control Panel\Colors";                                         Name="Background";           Val="34 59 71";       Type="String" }
    )
    foreach ($c in $defaultColors) {
        $cp = "Registry::HKU\.DEFAULT\$($c.Key)"
@ -402,51 +401,6 @@ $pinList
    }
    Write-Log "  Theme/accent mirrored to HKU\.DEFAULT" -Level OK
    # -------------------------------------------------------------------
    # Desktop background color in EVERY existing user profile
    # -------------------------------------------------------------------
    # BackInfo paints a centered bitmap; if it is smaller than the screen, the
    # area around it shows HKCU\Control Panel\Colors\Background. New users get
    # #223B47 from the Default hive and the current user from HKCU above, but
    # pre-existing profiles would show the default black border. Set the color
    # in each real user profile (loading its hive if it is not already mounted).
    Write-Log "Applying desktop background color to existing user profiles" -Level STEP
    $profileList = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    foreach ($pl in (Get-ChildItem $profileList -ErrorAction SilentlyContinue)) {
        $sid = Split-Path $pl.Name -Leaf
        if ($sid -notmatch '^S-1-5-21-') { continue }   # real interactive users only
        $img = (Get-ItemProperty $pl.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $img) { continue }
        $hiveKeyPath = "Registry::HKU\$sid"
        $tempLoaded  = $false
        if (-not (Test-Path $hiveKeyPath)) {
            $ntuser = Join-Path $img "NTUSER.DAT"
            if (-not (Test-Path $ntuser)) { continue }
            & reg load "HKU\$sid" $ntuser 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Log "  Could not load hive for $sid (in use?) - skipped" -Level WARN
                continue
            }
            $tempLoaded = $true
        }
        try {
            $colorsKey = "$hiveKeyPath\Control Panel\Colors"
            if (-not (Test-Path $colorsKey)) { New-Item -Path $colorsKey -Force -ErrorAction Stop | Out-Null }
            Set-ItemProperty -Path $colorsKey -Name "Background" -Value "34 59 71" -Type String -Force -ErrorAction Stop
            Write-Log "  Background color set for $sid ($(Split-Path $img -Leaf))" -Level OK
        }
        catch {
            Write-Log "  Failed background color for $sid - $_" -Level WARN
        }
        finally {
            if ($tempLoaded) {
                [GC]::Collect(); [GC]::WaitForPendingFinalizers(); Start-Sleep -Milliseconds 300
                & reg unload "HKU\$sid" 2>&1 | Out-Null
            }
        }
    }
    # ===================================================================
    # KEYBOARD LAYOUTS - Czech primary, US secondary
    # ===================================================================
--- a/web/data/descriptions.json
+++ b/web/data/descriptions.json
@ -13,14 +13,12 @@
  },
  "01-bloatware": {
    "synopsis": "Removes pre-installed bloatware: AppX packages, Capabilities, and Optional Features.",
-    "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator and Photos are intentionally kept.",
+    "description": "Removes Microsoft-bundled apps and features not needed in a business MSP deployment.\nRemoval is done for all users (-AllUsers) and from the provisioning store so new\nusers do not get them either. Calculator is intentionally kept.",
    "items": {
      "appx-balicky-odstraneni-pro-vsechny-uziv": "Uses Remove-AppxPackage -AllUsers and Remove-AppxProvisionedPackage. The provisioned removal prevents apps from reinstalling for new user profiles. Covers ~35 apps including Cortana, Copilot, Teams personal, Xbox, Skype, News, Weather, Maps.",
      "zachovano-microsoft-windowscalculator": "Calculator is explicitly excluded. Lightweight utility frequently used by technicians and end users. Removing it would require manual reinstall from Store.",
      "zachovano-microsoft-windows-photos": "Photos is explicitly excluded via KeepPackages. Default image viewer expected by end users; removing it leaves no built-in viewer and would require manual reinstall from Store.",
      "windows-capabilities-fax-ie-openssh-wmp-": "Removed via Remove-WindowsCapability: Fax & Scan, Internet Explorer mode, OpenSSH client, Windows Media Player (legacy), WordPad, Handwriting recognition, Steps Recorder, Math Input Panel, Quick Assist.",
-      "windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component.",
+      "windows-optional-features-ps-2-0-mediapl": "Disabled via Disable-WindowsOptionalFeature: PowerShell 2.0 (security risk - allows unsigned script execution bypass on older hosts), MediaPlayback, Windows Recall (AI screenshot surveillance), Snipping Tool optional component."
      "feature-toggles": "Three GUI feature flags gate removal. standardBloatware (default on) covers the bulk list. removeNewOutlook (default on) controls Microsoft.OutlookForWindows; classic Outlook from M365 is a Win32 app and is never touched. removeSnippingTool (default OFF) controls Snipping Tool across all three lists (ScreenSketch app + legacy capability + legacy feature) - kept by default as a common productivity tool, like Calculator."
    }
  },
  "02-software": {
@ -85,7 +83,7 @@
      "registry-osname-hklm-software-backinfo": "Detects Windows build number and edition, writes OSName string to HKLM\\SOFTWARE\\BackInfo\\OSName (and WOW6432Node). BackInfo.ini references %OSName% to display the correct OS on the wallpaper.",
      "startup-shortcut-backinfo-exe": "Creates a shortcut at C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\BackInfo.lnk pointing to C:\\Program Files\\Backinfo\\BackInfo.exe. Ensures BackInfo starts for every user on logon.",
      "07-desktop-info-ps1-smazat-nahrazeno": "07-desktop-info.ps1 is superseded by this script. BackInfo.exe is the preferred approach - stable on Win10 and Win11, configurable via INI, already present in assets.",
-      "backinfo-pozadi-223b47": "BackInfo.ini sets a solid #223B47 background via BackgroundColor = 4668194. BackInfo uses a Windows COLORREF (0x00BBGGRR, i.e. BGR), so #223B47 = B*65536 + G*256 + R = 71*65536 + 59*256 + 34 = 4668194. The RGB value 2243399 (0x223B47) was read as a COLORREF, swapping red/blue, and rendered olive-brown (#473B22). BackInfo paints a centered bitmap, so the solid desktop background color (#223B47) is set in the Default hive, current user, HKU\\.DEFAULT and every existing profile - otherwise the area around a sub-screen bitmap shows a black border."
+      "backinfo-pozadi-223b47": "BackInfo.ini sets a solid #223B47 background via BackgroundColor = 2243399. BackInfo reads this value as 0xRRGGBB (RGB order), not a Windows COLORREF (BGR), so 0x223B47 = 2243399; the earlier BGR value 4668194 rendered with red and blue swapped."
    }
  },
  "07-desktop-info": {
--- a/web/spec/index.html
+++ b/web/spec/index.html
@ -578,12 +578,8 @@
        <table class="items">
          <tr class="flag-done"><td>AppX balicky &ndash; odstraneni pro vsechny uzivatele a provisioned</td><td>Remove-AppxPackage -AllUsers + Remove-AppxProvisionedPackage</td></tr>
          <tr class="flag-done"><td>Zachovano: Microsoft.WindowsCalculator</td><td>Zamerny vyjimek</td></tr>
          <tr class="flag-done"><td>Zachovano: Microsoft.Windows.Photos</td><td>Zamerny vyjimek (vychozi prohlizec obrazku)</td></tr>
          <tr class="flag-done"><td>Windows Capabilities (Fax, IE, OpenSSH, WMP, WordPad, …)</td><td>Remove-WindowsCapability</td></tr>
          <tr class="flag-done"><td>Windows Optional Features (PS 2.0, MediaPlayback, Recall, …)</td><td>Disable-WindowsOptionalFeature</td></tr>
          <tr class="flag-done"><td>GUI prepinace: standardBloatware, removeNewOutlook, removeSnippingTool</td><td>Kazdy krok lze v GUI samostatne zaskrtnout/odskrtnout</td></tr>
          <tr class="flag-done"><td>Novy Outlook for Windows (Microsoft.OutlookForWindows)</td><td>Default odebran; klasicky Outlook z M365 (Win32) se nedotyka</td></tr>
          <tr class="flag-done"><td>Zachovano ve vychozim stavu: Vystrizky / Snipping Tool</td><td>ScreenSketch + legacy capability/feature; default OFF (jako Kalkulacka)</td></tr>
        </table>
      </div>
      <div class="step-footer">
@ -609,7 +605,7 @@
          <tr class="flag-done"><td>UCPD.sys (kernel driver, od Feb 2024) blokuje UserChoice</td><td>Stop-Service ucpd + 2s sleep + overeni zastaveni pred HKCR zapisem. Na Win11 24H2 je UCPD chranena sluzba a stop selze &ndash; logovano jako WARN (ne ERROR); HKCR zapis (system-wide) projde i tak.</td></tr>
          <tr class="flag-done"><td>Winget parallel joby: timeout 600s + kill zavislych</td><td>Wait-Job -Timeout 600; po vyprseni Kill + Remove zavislych jobu</td></tr>
          <tr class="flag-done"><td>Winget cesta explicitne predavana do parallel jobu</td><td>Opraveno &ndash; Start-Job nezdedi PATH; winget.exe fullpath preda jako argument. Exit 3010 (success+reboot) nyni vyhodnocen jako OK.</td></tr>
-          <tr class="flag-done"><td>Winget: <code>--source winget</code> u kazde instalace</td><td>Field fix &ndash; fresh Win11 ISO ma App Installer se starym pinned certem, msstore source pada na <code>0x8a15005e</code> a instalaci prerusi. <code>--source winget</code> msstore obejde. Plati i pro krok 11 (Dell).</td></tr>
+          <tr class="flag-done"><td>Winget: <code>--source winget</code> u kazde instalace</td><td>Field fix &ndash; fresh Win11 ISO ma App Installer se starym pinned certem, msstore source padá na <code>0x8a15005e</code> a instalaci prerusi. <code>--source winget</code> msstore obejde. Plati i pro krok 11 (Dell).</td></tr>
          <tr class="flag-done"><td>Atera: detekce pres sluzbu <code>Get-Service AteraAgent</code></td><td>Field fix &ndash; agent se obcas instaluje do <code>C:\ProgramData\</code>; existence sluzby je spolehlivejsi nez kontrola souboru. Fallback na cesty vc. ProgramData.</td></tr>
        </table>
        <div class="note">
@ -712,8 +708,7 @@
          <tr class="flag-done"><td>Spustit <code>backinfo_W11.ps1</code> (detekce OS, registry, Startup)</td><td>Logika inlinovana v 07-backinfo.ps1</td></tr>
          <tr class="flag-done"><td>BackInfo.exe v assets/Backinfo/ k dispozici</td><td>Hotovo</td></tr>
          <tr class="flag-done"><td>BackInfo auto-start pri kazdem logonu via Startup shortcut</td><td>Shortcut do ProgramData\StartUp vytvori 07-backinfo.ps1</td></tr>
-          <tr class="flag-done"><td>Pozadi #223B47 (<code>BackgroundColor = 4668194</code>)</td><td>BackInfo bere hodnotu jako COLORREF (<code>0x00BBGGRR</code>, BGR): B=71 G=59 R=34 = 4668194. Hodnota 2243399 (RGB) se cetla jako COLORREF, prohodila R/B a renderovala olivove hnedou (#473B22).</td></tr>
+          <tr class="flag-done"><td>Pozadi #223B47 (<code>BackgroundColor = 2243399</code>)</td><td>BackInfo bere hodnotu jako 0xRRGGBB (RGB), ne COLORREF/BGR &ndash; tj. <code>0x223B47 = 2243399</code>. Drivejsi BGR hodnota (4668194) renderovala prohozene R/B.</td></tr>
          <tr class="flag-done"><td>Desktopova barva pozadi #223B47 ve vsech profilech</td><td>BackInfo dela vystredenou bitmapu; kdyz je mensi nez obrazovka, okolo prosvita <code>Control Panel\Colors\Background</code>. Nastavuje se v Default hive, aktualnim HKCU, <code>HKU\.DEFAULT</code> i v kazdem existujicim profilu &ndash; jinak byl okraj cerny.</td></tr>
        </table>
        <div class="note">
          <strong>BackInfo.ini konfiguruje:</strong> hostname (velky, centrovan), uzivatelske jmeno,