Fix critical and high bugs B1-B6

- B1: Replace recursive get_timezone_mount/get_gpu_devices with literal YAML strings
- B3: Expand /home/*/hops glob via compgen -G instead of storing as array literal;
  fix eval echo ~$SUDO_USER -> getent passwd in uninstall
- B4: Correct services source path in setup_firewall (hops_service_definitions.sh -> services)
- B5: Replace all ((x++)) with x=$((x + 1)) to avoid set -e abort on zero pre-increment
- B6: Add Linux-only guard at top of hops entry point

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

TODO.md

@@ -17,12 +17,10 @@ Generated by codebase audit (2026-06-10). Ranked by severity.
 
 ## CRITICAL BUGS (breaks primary use cases)
 
-### B1 -- Infinite recursion in `services` on Linux [CRITICAL]
+### B1 -- Infinite recursion in `services` on Linux [CRITICAL] -- RESOLVED
 - File: `services:25-46`
-- `get_timezone_mount()` and `get_gpu_devices()` call themselves on the non-Darwin
-  branch via `echo "$(get_timezone_mount)"`. Hits bash FUNCNEST limit on every
-  Linux compose generation. Main `./hops` install is broken on Linux.
-- Fix: replace the recursive calls with the literal YAML strings they should emit.
+- `get_timezone_mount()` and `get_gpu_devices()` called themselves on the non-Darwin
+  branch. Fixed: both functions now return literal YAML strings directly.
 
 ### B2 -- Brace mismatch in `lib/privileges.sh` [CRITICAL] -- RESOLVED: delete file
 - File: `lib/privileges.sh:429,612`
@@ -32,32 +30,22 @@ Generated by codebase audit (2026-06-10). Ranked by severity.
 
 ## HIGH BUGS
 
-### B3 -- Glob stored as string, directory detection always fails [HIGH]
+### B3 -- Glob stored as string, directory detection always fails [HIGH] -- RESOLVED
 - Files: `hops:154-166`, `uninstall:127-147`
-- `homelab_dirs=( "/home/*/hops" )` stores a literal glob; the quoted for-loop
-  never expands it. Multi-user detection is broken, `cd "$HOMELAB_DIR"` fails
-  under `set -e`.
-- Fix: iterate unquoted or use `compgen -G "/home/*/hops"`.
+- Glob removed from array; expanded separately via `compgen -G "/home/*/hops"`.
+  Also fixed `eval echo "~$SUDO_USER"` -> `getent passwd` in `uninstall`.
 
-### B4 -- Missing service definitions file reference [HIGH]
+### B4 -- Missing service definitions file reference [HIGH] -- RESOLVED
 - File: `install:916`
-- `setup_firewall()` sources `"$SCRIPT_DIR/hops_service_definitions.sh"` which
-  does not exist (the file is named `services`). Per-service firewall rules are
-  silently never applied.
-- Fix: correct the filename to `services`.
+- Corrected source path from `hops_service_definitions.sh` to `services`.
 
-### B5 -- `((x++))` aborts script under `set -e` [HIGH]
-- Files: `hops:299,317`, `install:784`, and others
-- `((running_count++))` returns exit code 1 when the pre-increment value is 0,
-  which kills the script under `set -e`.
-- Fix: use `running_count=$((running_count + 1))` or append `|| true`.
+### B5 -- `((x++))` aborts script under `set -e` [HIGH] -- RESOLVED
+- Files: `hops`, `install`
+- All `((x++))` occurrences replaced with `x=$((x + 1))`.
 
-### B6 -- `hops` entry point is Linux-only despite macOS library support [HIGH]
-- File: `hops:108-136,263`
-- `check_dependencies` requires `systemctl`, `check_system_requirements` calls
-  `free` and `df -BG`, `show_service_status` calls `systemctl`. All Linux-only.
-  The documented entry point fails immediately on macOS.
-- Fix: add OS guards or document `hops` as Linux-only.
+### B6 -- `hops` entry point is Linux-only despite macOS library support [HIGH] -- RESOLVED
+- File: `hops`
+- Added Linux-only guard at top of script; exits immediately with a clear error on non-Linux.
 
 ### B7 -- Port collisions not detected within a selection [HIGH]
 - File: `services` (port map)