| field | value |
|---|---|
| author | 2026-05-14 10:58:37 +0100 |
| committer | 2026-05-14 10:58:37 +0100 |
| commit | 3fc4705b6c711871a920290feef138694e72d29a (patch) |
| tree | 8e2dfddb3d930fda7c4a8972a1086782b7daad17 |
| parent | 726005786ab398e89673bf8c141e50645f676c57 (diff) |
| download | dotfiles-3fc4705b6c711871a920290feef138694e72d29a.tar.gz, dotfiles-3fc4705b6c711871a920290feef138694e72d29a.tar.bz2, dotfiles-3fc4705b6c711871a920290feef138694e72d29a.zip |
feat: teams autostart, llama-cpp-vulkan ignore, snxctl-chromium wrapper

systemd/user/teams-{sii,xsight}.service: autostart both Teams flatpak
profiles on sway-session.target login. KillMode=mixed so SIGTERM hits
only the wrapper process — both instances share the same flatpak app
id, so killing by app id would take down the sibling instance. A 15s
SIGKILL fallback covers the case where Electron tray-hides instead of
quitting. Both units listed in systemd-units/user.txt.

etc/pacman.conf: IgnorePkg = llama-cpp-vulkan. The AUR package rebuilds
on every llama.cpp commit (multi-hour build). Update manually with
`paru -S llama-cpp-vulkan` when intended.

snxctl-chromium wrapper:

- dot_local/share/snx-rs/bin/xdg-open: shim that flatpak-runs
  ungoogled-chromium, used only by snx-rs.
- dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf:
  drop-in prepending that dir to the daemon's PATH so snx-rs's
  opener-crate call to xdg-open lands in chromium, without affecting
  xdg-open for any other process.
- dot_local/bin/snxctl-chromium: convenience wrapper that
  daemon-reloads and restarts snx-rs.service if the drop-in isn't yet
  applied, then execs `snxctl connect`.

firefox/user-overrides.js: revert the dom.security.https_only_mode.
upgrade_local and network.lna.local-network-to-localhost.skip-checks
prefs — they didn't actually fix the SAML flow. Replaced with a
comment pointing to the wrapper instead.
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf | 10 |
| -rw-r--r-- | dot_config/systemd/user/teams-sii.service | 27 |
| -rw-r--r-- | dot_config/systemd/user/teams-xsight.service | 27 |
| -rw-r--r-- | dot_local/bin/executable_snxctl-chromium | 37 |
| -rw-r--r-- | dot_local/share/snx-rs/bin/executable_xdg-open | 11 |
| -rw-r--r-- | etc/pacman.conf | 4 |
| -rw-r--r-- | firefox/user-overrides.js | 18 |
| -rw-r--r-- | systemd-units/user.txt | 2 |
8 files changed, 127 insertions, 9 deletions
diff --git a/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf b/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf new file mode 100644 index 0000000..a5380e3 --- /dev/null +++ b/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf @@ -0,0 +1,10 @@ +[Service] +# Force snx-rs to use the flatpak ungoogled-chromium as its SAML browser. +# snx-rs calls `xdg-open <url>` via the `opener` crate. Prepending a private +# PATH dir that contains an `xdg-open` shim makes the daemon find our shim +# first, without affecting xdg-open for any other user process. +# +# Why not the system default browser? LibreWolf force-upgrades loopback to +# HTTPS and enables LNA blocking, both of which break snx-rs's plain-HTTP +# 127.0.0.1:7779 SAML callback. See firefox/user-overrides.js comments. +Environment=PATH=%h/.local/share/snx-rs/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin diff --git a/dot_config/systemd/user/teams-sii.service b/dot_config/systemd/user/teams-sii.service new file mode 100644 index 0000000..df0453e --- /dev/null +++ b/dot_config/systemd/user/teams-sii.service 
@@ -0,0 +1,27 @@ +[Unit] +Description=Microsoft Teams — Sii account (flatpak) +PartOf=graphical-session.target +After=graphical-session.target +ConditionEnvironment=WAYLAND_DISPLAY + +[Service] +Type=simple +# Mirrors the Exec= line in teams-sii.desktop. --user-data-dir isolates this +# instance from teams-xsight; --class is for sway window matching. +ExecStart=/usr/bin/flatpak run com.github.IsmaelMartinez.teams_for_linux \ + --class=teams-sii \ + --user-data-dir=%h/.var/app/com.github.IsmaelMartinez.teams_for_linux/config/profile-sii \ + --appIcon=%h/.local/share/icons/hicolor/256x256/apps/teams-sii.png \ + "--appTitle=Teams — Sii" +# Both Teams instances share the same flatpak app id, so we can't use +# `flatpak kill <app-id>` in ExecStop (it would also kill the xsight one). +# KillMode=mixed sends SIGTERM to the main process only — teams-for-linux +# treats that as a real Quit (not tray-hide), and SIGKILL hits stragglers +# after the stop timeout if Electron misbehaves. +KillMode=mixed +Restart=on-failure +RestartSec=5s +TimeoutStopSec=15s + +[Install] +WantedBy=sway-session.target diff --git a/dot_config/systemd/user/teams-xsight.service b/dot_config/systemd/user/teams-xsight.service new file mode 100644 index 0000000..478f734 --- /dev/null +++ b/dot_config/systemd/user/teams-xsight.service 
@@ -0,0 +1,27 @@ +[Unit] +Description=Microsoft Teams — XSight account (flatpak) +PartOf=graphical-session.target +After=graphical-session.target +ConditionEnvironment=WAYLAND_DISPLAY + +[Service] +Type=simple +# Mirrors the Exec= line in teams-xsight.desktop. --user-data-dir isolates +# this instance from teams-sii; --class is for sway window matching. +ExecStart=/usr/bin/flatpak run com.github.IsmaelMartinez.teams_for_linux \ + --class=teams-xsight \ + --user-data-dir=%h/.var/app/com.github.IsmaelMartinez.teams_for_linux/config/profile-xsight \ + --appIcon=%h/.local/share/icons/hicolor/256x256/apps/teams-xsight.png \ + "--appTitle=Teams — XSight" +# Both Teams instances share the same flatpak app id, so we can't use +# `flatpak kill <app-id>` in ExecStop (it would also kill the sii one). +# KillMode=mixed sends SIGTERM to the main process only — teams-for-linux +# treats that as a real Quit (not tray-hide), and SIGKILL hits stragglers +# after the stop timeout if Electron misbehaves. +KillMode=mixed +Restart=on-failure +RestartSec=5s +TimeoutStopSec=15s + +[Install] +WantedBy=sway-session.target diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium new file mode 100644 index 0000000..d52ddfb --- /dev/null +++ b/dot_local/bin/executable_snxctl-chromium 
@@ -0,0 +1,37 @@ +#!/bin/sh +# snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as +# the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block +# that prevent snx-rs's 127.0.0.1:7779 SAML callback from completing. +# +# How it works +# ------------ +# A tracked drop-in +# (~/.config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) prepends +# ~/.local/share/snx-rs/bin to the daemon's PATH. That directory contains +# an `xdg-open` shim that flatpak-runs ungoogled-chromium. snx-rs uses the +# `opener` crate which spawns `xdg-open` — the shim wins. +# +# This script just makes sure the daemon picks up the override (it only +# loads Environment= at start time, so a freshly-edited drop-in needs a +# daemon-reload + service restart) and then runs `snxctl connect`. +set -eu + +SERVICE=snx-rs.service + +if ! systemctl --user cat "$SERVICE" >/dev/null 2>&1; then + printf '%s: %s is not a known user unit; aborting.\n' "${0##*/}" "$SERVICE" >&2 + exit 1 +fi + +current_path=$(systemctl --user show -p Environment --value "$SERVICE") +case "$current_path" in + *"$HOME/.local/share/snx-rs/bin"*) ;; + *) + echo "${0##*/}: applying chromium SAML drop-in (daemon-reload + restart)…" >&2 + systemctl --user daemon-reload + systemctl --user restart "$SERVICE" + sleep 1 + ;; +esac + +exec snxctl connect "$@" diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open new file mode 100644 index 0000000..5577b10 --- /dev/null +++ b/dot_local/share/snx-rs/bin/executable_xdg-open 
@@ -0,0 +1,11 @@ +#!/bin/sh +# xdg-open shim that hands every URL to the flatpak ungoogled-chromium. +# +# Used by snx-rs (which calls `xdg-open` via the `opener` crate) to land +# the SAML callback inside a browser that won't HTTPS-upgrade or LNA-block +# the loopback handoff to 127.0.0.1:7779. Wired up via a systemd --user +# drop-in (dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) +# that prepends this directory to the daemon's PATH — it does NOT shadow +# the system-wide xdg-open for any other process. +exec flatpak run io.github.ungoogled_software.ungoogled_chromium \ + --new-window "$@" diff --git a/etc/pacman.conf b/etc/pacman.conf index f6e7e64..8adc5ae 100644 --- a/etc/pacman.conf +++ b/etc/pacman.conf @@ -22,7 +22,9 @@ HoldPkg = pacman glibc Architecture = auto # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup -#IgnorePkg = +# llama-cpp-vulkan: AUR rebuilds on every llama.cpp commit (1-2 hour build); +# pin and update manually with `paru -S llama-cpp-vulkan` when intended. +IgnorePkg = llama-cpp-vulkan #IgnoreGroup = #NoUpgrade = diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js index 6265f95..52059c2 100644 --- a/firefox/user-overrides.js +++ b/firefox/user-overrides.js 
@@ -29,14 +29,16 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI /** Network **/ user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled -/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/ -// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:<port>/<token>. -// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling -// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox / -// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local -// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962. -user_pref("dom.security.https_only_mode.upgrade_local", false); -user_pref("network.lna.local-network-to-localhost.skip-checks", true); +// NOTE on snx-rs SAML loopback callbacks (Check Point VPN): +// LibreWolf force-upgrades http://127.0.0.1:<port>/<token> to HTTPS and +// enables LNA blocking, which both break the snx-rs SAML handoff. +// `dom.security.https_only_mode.upgrade_local = false` and +// `network.lna.local-network-to-localhost.skip-checks = true` were tried +// here and did NOT actually fix the SAML flow — left disabled. The +// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which +// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a +// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and +// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf. /** Resist Fingerprinting **/ user_pref("privacy.resistFingerprinting.testGranularityMask", 4); diff --git a/systemd-units/user.txt b/systemd-units/user.txt index 8badf82..009b2b3 100644 --- a/systemd-units/user.txt +++ b/systemd-units/user.txt @@ -11,6 +11,8 @@ pass-secret-service.service signal.service swayidle.service swayrd.service +teams-sii.service +teams-xsight.service waybar.service wob.service |
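Review bot: `Environment=PATH=...` in 10-chromium-saml.conf replaces the daemon's entire PATH rather than prepending to it, so any entries the user manager normally supplies (from `environment.d` or an imported session environment) are dropped for snx-rs, and the shim directory is inherited by every child process the daemon spawns, which narrows the comment's "without affecting xdg-open for any other user process" to processes not started by snx-rs. Both are fine if intended, but say so in the comment, and if a prepend is really what you want, note that systemd has no PATH-prepend directive and this fixed list is the deliberate substitute.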
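Review bot: teams-sii.service and teams-xsight.service differ only in the profile name, icon path and title, so this is a candidate for a single template unit `teams@.service` with `%i` substituted into `--class`, `--user-data-dir` and `--appIcon`, enabled as `teams@sii.service` and `teams@xsight.service`; that keeps the two comment blocks and the KillMode/Restart/TimeoutStopSec settings from drifting apart. The one thing `%i` cannot give you is the capitalised `--appTitle` ("Sii", "XSight"), which could come from a small per-instance drop-in under `teams@sii.service.d/`.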
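Review bot: the comment above `KillMode=mixed` in teams-xsight.service (and its twin in teams-sii.service) assumes the SIGTERM delivered to the main process reaches the Electron process inside the flatpak sandbox; the main process here is `flatpak run`, so the claim that teams-for-linux sees it as a real Quit only holds if flatpak/bwrap relays the signal into the sandbox. Please verify with `systemctl --user stop teams-xsight.service` and check whether it returns promptly or only after the 15s `TimeoutStopSec`, then record the outcome in the comment; if the signal is not relayed, every stop ends in the SIGKILL fallback and the profile directory is never cleanly closed.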
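Review bot: the `systemctl --user show -p Environment --value` check in snxctl-chromium reports the unit's currently loaded configuration, not the environment of the running daemon, so after a `daemon-reload` that was not followed by a restart the check already finds the shim directory and the script skips the restart while the live snx-rs still has the old PATH. Reading the process environment instead would close that gap, for example
pid=$(systemctl --user show -p MainPID --value "$SERVICE")
tr '\0' '\n' < "/proc/$pid/environ" | grep -q "^PATH=$HOME/.local/share/snx-rs/bin:"
and the fixed `sleep 1` after the restart could become `systemctl --user is-active --quiet "$SERVICE" || exit 1`. Also worth a comment that restarting the daemon presumably tears down any tunnel that is currently up.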
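Review bot: the xdg-open shim forwards whatever it receives straight to the browser without looking at the argument; since its only intended caller is snx-rs handing over a SAML URL, restricting it to `http://` and `https://` arguments would make an unexpected or empty argument fail loudly instead of reaching chromium, where a leading `-` would be parsed as a switch, e.g.
case "${1:-}" in http://*|https://*) ;; *) echo "${0##*/}: refusing non-URL argument" >&2; exit 2 ;; esac
placed before the `exec`. The header comment's "hands every URL" would then read "hands every http(s) URL".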
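Review bot: the new comment above `IgnorePkg = llama-cpp-vulkan` explains the build-time reason well, but IgnorePkg also removes the package from every `-Syu` run, so a correctness or security fix in llama.cpp is only picked up when someone remembers the manual `paru -S llama-cpp-vulkan`; add a line on how that is meant to be noticed (`pacman -Qu` still lists ignored packages with an `[ignored]` marker; check whether paru does the same for AUR packages). Minor: the commit message says "multi-hour build" while this comment says "1-2 hour build"; pick one.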
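Review bot: the replacement comment in user-overrides.js drops the references the removed block carried (arkenfox 1245, LibreWolf issues #2954 and #2962), which is exactly the trail a future reader needs to re-check whether those prefs have started working; keep them in the new NOTE. "left disabled" is also ambiguous here, because the two `user_pref` lines are removed rather than set back to their defaults, so say "removed" explicitly and, if the intent is to let LibreWolf's own defaults win, confirm nothing else in the profile still sets them.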
