fix(waybar): pacdiff click — set DIFFPROG inside the root shell

sudo-rs scrubs the env by default, so neither `DIFFPROG=… sudo pacdiff`
nor `sudo DIFFPROG=… pacdiff` reaches pacdiff with the variable set.
Sidestep the env-policy question entirely by running

  sudo sh -c 'DIFFPROG="nvim -d" pacdiff'

so the assignment happens inside the privileged shell, after the
env-scrubbing boundary. No sudoers-rs change required, and the same
form works identically under stock sudo if the user ever switches
back.

2 files changed, 5 insertions, 3 deletions

diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc
index 12d1255..a68278f 100644
--- a/dot_config/waybar/config.jsonc
+++ b/dot_config/waybar/config.jsonc
@@ -227,7 +227,7 @@
     "exec": "~/.config/waybar/pacdiff-status.sh",
     "return-type": "json",
     "interval": 300,
-    "on-click": "ghostty --class=floating -e sh -c 'sudo DIFFPROG=\"nvim -d\" pacdiff; printf \"\\n[done — press enter] \"; read _'",
+    "on-click": "ghostty --class=floating -e sh -c 'sudo sh -c \"DIFFPROG=\\\"nvim -d\\\" pacdiff\"; printf \"\\n[done — press enter] \"; read _'",
     "tooltip": true,
   },
 
diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh
index dad3166..e1a2291 100755
--- a/dot_config/waybar/executable_pacdiff-status.sh
+++ b/dot_config/waybar/executable_pacdiff-status.sh
@@ -5,8 +5,10 @@
 # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu`
 # settle), so you're nudged exactly once per upgrade wave.
 #
-# Click handler runs `sudo DIFFPROG='nvim -d' pacdiff` in a floating
-# ghostty.
+# Click handler hands off to a root shell that sets DIFFPROG before
+# invoking pacdiff (sudo-rs scrubs the env by default, so passing
+# `DIFFPROG=… sudo pacdiff` or `sudo DIFFPROG=… pacdiff` doesn't
+# survive — but `sudo sh -c 'DIFFPROG=… pacdiff'` does).
 
 set -eu