diff --git a/README.md b/README.md
index d13c0d1..8753a83 100644
--- a/README.md
+++ b/README.md
@@ -115,6 +115,8 @@ See the [LICENSE](LICENSE) file for details.
 ## TODO
 ⏳ Make the nag patch checksum-based (auto-repatch after upgrades)
+⏳ add molecule tests to prove idempotency
+⏳ make the patch handler trigger on pve-manager upgrades
 ❌ Add kernel power-saving tunables ?
 🔄 Split into VE version–aware tags ?
 🕒 refactor
diff --git a/handlers/main.yml b/handlers/main.yml
index 65af478..7ce84b6 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,3 +14,62 @@
 - name: Reload systemd
 ansible.builtin.systemd_service:
 daemon_reexec: true
+
+- name: Patch legacy proxmoxlib.js
+ block:
+ - name: Patch legacy proxmoxlib.js
+ ansible.builtin.replace:
+ path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+ regexp: "if \\(data.status !== 'Active'\\)"
+ replace: "if (false)"
+ register: patch_legacy
+ failed_when: patch_legacy.matched == 0
+ notify: Restart pveproxy
+
+ - name: Re-stat proxmoxlib.js
+ ansible.builtin.stat:
+ path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+ checksum_algorithm: sha256
+ register: proxmoxlib_js_after
+
+ - name: Store patched checksum (legacy)
+ ansible.builtin.copy:
+ dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+ owner: root
+ group: root
+ mode: "0644"
+ content: "{{ proxmoxlib_js_after.stat.checksum }}\n"
+
+ - name: Restart pveproxy
+ ansible.builtin.systemd:
+ name: pveproxy
+ state: restarted
+
+- name: Patch minified proxmoxlib.js
+ block:
+ - name: Patch minified proxmoxlib.min.js
+ ansible.builtin.replace:
+ path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
+ regexp: "data.status!=='Active'"
+ replace: "false"
+ register: patch_minified
+ failed_when: patch_minified.matched == 0
+
+ - name: Re-stat proxmoxlib.min.js
+ ansible.builtin.stat:
+ path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
+ checksum_algorithm: sha256
+ register: proxmoxlib_min_after
+
+ - name: Store patched checksum (minified)
+ ansible.builtin.copy:
+ dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
+ owner: root
+ group: root
+ mode: "0644"
+ content: "{{ proxmoxlib_min_after.stat.checksum }}\n"
+
+ - name: Restart pveproxy
+ ansible.builtin.systemd:
+ name: pveproxy
+ state: restarted
diff --git a/tasks/repos.yml b/tasks/repos.yml
index 37da939..7033daa 100644
--- a/tasks/repos.yml
+++ b/tasks/repos.yml
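Review bot: The two new handlers `- name: Patch legacy proxmoxlib.js` and `- name: Patch minified proxmoxlib.js` are written as `block:` entries, and Ansible rejects a block in a handlers list ("Using a block as a handler is not supported"), so handlers/main.yml will fail to load as it stands. The usual way to chain several handler tasks off one notification is to keep them flat and give each a `listen:` topic; handlers on the same topic run in file order, and a single `Restart pveproxy` can listen to both topics instead of being defined twice under the same name. On the `ansible.builtin.replace` tasks, I do not see a `matched` return value documented for that module, so `failed_when: patch_legacy.matched == 0` (and its minified twin) likely fails on an undefined attribute rather than detecting a missed pattern — `failed_when: not patch_legacy.changed` expresses the same intent with a documented field, worth confirming against the ansible-core version in use. The nested `notify: Restart pveproxy` becomes redundant once the restart is part of the same chain.

```yaml
- name: Apply legacy proxmoxlib.js patch
  ansible.builtin.replace:
    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
    regexp: "if \\(data.status !== 'Active'\\)"
    replace: "if (false)"
  register: patch_legacy
  # the handler only runs when the file's checksum no longer matches the stored
  # post-patch value, so a no-op replace means the pattern was not found
  failed_when: not patch_legacy.changed
  listen: Patch legacy proxmoxlib.js

- name: Re-stat proxmoxlib.js
  ansible.builtin.stat:
    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
    checksum_algorithm: sha256
  register: proxmoxlib_js_after
  listen: Patch legacy proxmoxlib.js

# … unchanged: Store patched checksum (legacy), plus `listen: Patch legacy proxmoxlib.js` …
# … unchanged: the three minified handlers, each with `listen: Patch minified proxmoxlib.js` …

- name: Restart pveproxy
  ansible.builtin.systemd:
    name: pveproxy
    state: restarted
  listen:
    - Patch legacy proxmoxlib.js
    - Patch minified proxmoxlib.js
```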
@@ -1,11 +1,11 @@
 ---
-- name: repos | Remove enterprise repo files (all known locations)
- ansible.builtin.file:
- path: "{{ item }}"
- state: absent
- loop:
- - /etc/apt/sources.list.d/pve-enterprise.list
- - /etc/apt/sources.list.d/ceph.list
+- name: Comment out Proxmox enterprise repo lines
+ ansible.builtin.replace:
+ path: /etc/apt/sources.list.d/pve-enterprise.list
+ regexp: '^(deb\s+)'
+ replace: '# \1'
+ when: ansible.builtin.stat(path='/etc/apt/sources.list.d/pve-enterprise.list').stat.exists
+ notify: apt update
 
 - name: repos | Enable Proxmox no-subscription repo
 ansible.builtin.copy:
diff --git a/tasks/subscription.yml b/tasks/subscription.yml
index 7f6dece..e0441f6 100644
--- a/tasks/subscription.yml
+++ b/tasks/subscription.yml
@@ -10,12 +10,6 @@
 ############################
 # Legacy proxmoxlib.js
 ############################
-- name: subscription | Read stored checksum (legacy)
- ansible.builtin.slurp:
- src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
- register: proxmoxlib_js_checksum_stored
- when: proxmoxlib_js.stat.exists
- failed_when: false
 
 - name: subscription | Check for legacy proxmoxlib.js
 ansible.builtin.stat:
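Review bot: `when: ansible.builtin.stat(path='/etc/apt/sources.list.d/pve-enterprise.list').stat.exists` on the new `Comment out Proxmox enterprise repo lines` task is not a valid conditional — `ansible.builtin.stat` is a module, not a Jinja filter, test or lookup, so the expression fails on an undefined name instead of checking the file. Stat the file in a preceding task, register it, and test the registered result (variable name below is constructed). `notify: apt update` also requires a handler of exactly that name; the handlers hunk in this commit does not add one, so confirm it exists elsewhere in handlers/main.yml. If the role also targets releases that ship the enterprise repo as a deb822 `.sources` file rather than a `.list`, `^(deb\s+)` will not match there — worth checking which layouts are in scope.

```yaml
- name: repos | Check for enterprise repo file
  ansible.builtin.stat:
    path: /etc/apt/sources.list.d/pve-enterprise.list
  register: pve_enterprise_list

- name: Comment out Proxmox enterprise repo lines
  ansible.builtin.replace:
    path: /etc/apt/sources.list.d/pve-enterprise.list
    regexp: '^(deb\s+)'
    replace: '# \1'
  when: pve_enterprise_list.stat.exists
  notify: apt update
```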
@@ -23,32 +17,21 @@
 checksum_algorithm: sha256
 register: proxmoxlib_js
 
-- name: subscription | Remove subscription nag (legacy proxmoxlib.js)
- ansible.builtin.replace:
- path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
- regexp: "if \\(data.status !== 'Active'\\)"
- replace: "if (false)"
+- name: subscription | Read stored checksum (legacy)
+ ansible.builtin.slurp:
+ src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+ register: proxmoxlib_js_checksum_stored
+ when: proxmoxlib_js.stat.exists
+ failed_when: false
+
+- name: subscription | Trigger legacy nag patch if needed
+ ansible.builtin.meta: flush_handlers
 when:
 - proxmoxlib_js.stat.exists
 - proxmoxlib_js_checksum_stored.content is not defined
- or (proxmoxlib_js.stat.checksum
- != (proxmoxlib_js_checksum_stored.content | b64decode | trim))
- register: patch_legacy
- failed_when:
- - proxmoxlib_js.stat.exists
- - patch_legacy.matched == 0
- notify: restart pveproxy
-
-- name: subscription | Store patched checksum (legacy)
- ansible.builtin.copy:
- dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
- owner: root
- group: root
- mode: "0644"
- content: "{{ proxmoxlib_js.stat.checksum }}\n"
- when:
- - proxmoxlib_js.stat.exists
- - patch_legacy is changed
+ or proxmoxlib_js.stat.checksum
+ != (proxmoxlib_js_checksum_stored.content | b64decode | trim)
+ notify: Ppatch legacy proxmoxlib.js
 
 ############################
 # Minified proxmoxlib.min.js (VE 8/9)
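Review bot: `notify: Ppatch legacy proxmoxlib.js` does not match the handler named `Patch legacy proxmoxlib.js` added in handlers/main.yml, so the play aborts with a handler-not-found error the first time the `when` passes. Even with the name fixed, the notify hangs off `ansible.builtin.meta: flush_handlers`, which never reports changed, so the notification is never raised — and flushing before notifying runs nothing anyway; `subscription | Trigger minified nag patch if needed` in the next hunk has the same defect. Raise the notification from a task that reports changed (for example `ansible.builtin.debug` with `changed_when: true`), then flush handlers in a separate `meta` task so the re-patch and checksum store run before the rest of the play.

```yaml
- name: subscription | Trigger legacy nag patch if needed
  ansible.builtin.debug:
    msg: "proxmoxlib.js checksum differs from the stored post-patch value; re-patching"
  changed_when: true
  when:
    - proxmoxlib_js.stat.exists
    - proxmoxlib_js_checksum_stored.content is not defined
      or proxmoxlib_js.stat.checksum
      != (proxmoxlib_js_checksum_stored.content | b64decode | trim)
  notify: Patch legacy proxmoxlib.js

- name: subscription | Run pending patch handlers now
  ansible.builtin.meta: flush_handlers
```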
@@ -67,29 +50,11 @@
 when: proxmoxlib_min_js.stat.exists
 failed_when: false
 
-- name: subscription | Remove subscription nag (minified bundle for VE 8/9)
- ansible.builtin.replace:
- path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
- regexp: "data.status!=='Active'"
- replace: "false"
+- name: subscription | Trigger minified nag patch if needed
+ ansible.builtin.meta: flush_handlers
 when:
 - proxmoxlib_min_js.stat.exists
 - proxmoxlib_min_checksum_stored.content is not defined
- or (proxmoxlib_min_js.stat.checksum
- != (proxmoxlib_min_checksum_stored.content | b64decode | trim))
- register: patch_minified
- failed_when:
- - proxmoxlib_min_js.stat.exists
- - patch_minified.matched == 0
- notify: restart pveproxy
-
-- name: subscription | Store patched checksum (minified)
- ansible.builtin.copy:
- dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
- owner: root
- group: root
- mode: "0644"
- content: "{{ proxmoxlib_min_js.stat.checksum }}\n"
- when:
- - proxmoxlib_min_js.stat.exists
- - patch_minified is changed
+ or proxmoxlib_min_js.stat.checksum
+ != (proxmoxlib_min_checksum_stored.content | b64decode | trim)
+ notify: Patch minified proxmoxlib.js