| author | 2026-05-13 13:43:24 +0100 |
|---|---|
| committer | 2026-05-13 13:43:24 +0100 |
| commit | 729087821785cfc4923a14a7aed633850119b723 (patch) |
| tree | ce5705086772495c18f42f2760bf01bfabfce54f |
| parent | 68b1ffb42f7644b8a5f2275a16e94820b369818e (diff) |
| download | dotfiles-729087821785cfc4923a14a7aed633850119b723.tar.gz, dotfiles-729087821785cfc4923a14a7aed633850119b723.tar.bz2, dotfiles-729087821785cfc4923a14a7aed633850119b723.zip |
feat(browser): migrate librewolf to flatpak for host-isolation
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.
- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path
arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | README.md | 4 |
| -rw-r--r-- | dot_config/mimeapps.list | 42 |
| -rwxr-xr-x | dot_local/bin/executable_linkhandler | 2 |
| -rw-r--r-- | meta/browser.txt | 1 |
| -rw-r--r-- | meta/flatpak.txt | 1 |
| -rwxr-xr-x | run_onchange_after_deploy-firefox.sh.tmpl | 2 |
6 files changed, 26 insertions, 26 deletions
@@ -29,7 +29,7 @@ My Arch Linux configuration, managed with [chezmoi](https://www.chezmoi.io/). | Bar / launcher | [waybar](https://github.com/Alexays/Waybar), [fuzzel](https://codeberg.org/dnkl/fuzzel) | | Notifications | [mako](https://github.com/emersion/mako) | | Lock screen | [swaylock](https://github.com/swaywm/swaylock) | -| Browser | [LibreWolf](https://librewolf.net/), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) | +| Browser | [LibreWolf](https://librewolf.net/) (Flathub `io.gitlab.librewolf-community` for bubblewrap host-isolation), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) | | Mail | [Thunderbird](https://www.thunderbird.net/) against [ProtonMail Bridge](https://proton.me/mail/bridge) + Radicale (CalDAV/CardDAV); non-private prefs tracked under `thunderbird/` | | Secrets & identity | [GPG](https://gnupg.org/) (commit signing + SSH auth via gpg-agent), [pass](https://www.passwordstore.org/) | | Media & viewers | [mpv](https://mpv.io/), [zathura](https://pwmt.org/projects/zathura/), [yazi](https://yazi-rs.github.io/) | 
@@ -143,6 +143,6 @@ The repo is enough to rebuild a machine's tooling and configuration, but not its - GPG master key and subkeys (`gpg --export-secret-keys`, `gpg --export-ownertrust`). The agent also handles SSH auth, so this restores both. - `~/.password-store/` — the `pass` store that feeds API keys/tokens into the shell at login. - SSH private keys under `~/.ssh/id_*` (only `.pub` / config is in the repo). -- LibreWolf profile data (bookmarks, history, extension state) — only the hardening policy lives in `firefox/`. +- LibreWolf profile data (bookmarks, history, extension state) at `~/.var/app/io.gitlab.librewolf-community/.librewolf/` — only the hardening policy lives in `firefox/`. Recovery on a fresh install: run `bootstrap.sh`, then `gpg --import` + `pass init <KEYID>`, restore `~/.password-store/`, drop SSH private keys into `~/.ssh/`, and restore the LibreWolf profile. diff --git a/dot_config/mimeapps.list b/dot_config/mimeapps.list index 316e3d9..70143e9 100644 --- a/dot_config/mimeapps.list +++ b/dot_config/mimeapps.list @@ -63,7 +63,7 @@ image/x-nikon-nef=imv.desktop image/jpeg=imv.desktop image/png=imv.desktop image/gif=mpv.desktop -image/svg+xml=librewolf.desktop +image/svg+xml=io.gitlab.librewolf-community.desktop text/markdown=org.kde.okular.desktop text/plain=nvim.desktop text/x-python=nvim.desktop 
@@ -77,16 +77,16 @@ application/rss+xml=rss.desktop x-scheme-handler/magnet=transmission.desktop x-scheme-handler/mailto=userapp-Thunderbird-CJ20N3.desktop application/msword-template=xdot.desktop -x-scheme-handler/http=librewolf.desktop -x-scheme-handler/https=librewolf.desktop -x-scheme-handler/chrome=librewolf.desktop -text/html=librewolf.desktop -application/x-extension-htm=librewolf.desktop -application/x-extension-html=librewolf.desktop -application/x-extension-shtml=librewolf.desktop -application/xhtml+xml=librewolf.desktop -application/x-extension-xhtml=librewolf.desktop -application/x-extension-xht=librewolf.desktop +x-scheme-handler/http=io.gitlab.librewolf-community.desktop +x-scheme-handler/https=io.gitlab.librewolf-community.desktop +x-scheme-handler/chrome=io.gitlab.librewolf-community.desktop +text/html=io.gitlab.librewolf-community.desktop +application/x-extension-htm=io.gitlab.librewolf-community.desktop +application/x-extension-html=io.gitlab.librewolf-community.desktop +application/x-extension-shtml=io.gitlab.librewolf-community.desktop +application/xhtml+xml=io.gitlab.librewolf-community.desktop +application/x-extension-xhtml=io.gitlab.librewolf-community.desktop +application/x-extension-xht=io.gitlab.librewolf-community.desktop message/rfc822=userapp-Thunderbird-CJ20N3.desktop x-scheme-handler/mid=userapp-Thunderbird-CJ20N3.desktop x-scheme-handler/webcal=userapp-Thunderbird-1BJ3N3.desktop 
@@ -95,16 +95,16 @@ application/x-extension-ics=userapp-Thunderbird-1BJ3N3.desktop x-scheme-handler/webcals=userapp-Thunderbird-1BJ3N3.desktop [Added Associations] -x-scheme-handler/http=librewolf.desktop; -x-scheme-handler/https=librewolf.desktop; -x-scheme-handler/chrome=librewolf.desktop; -text/html=librewolf.desktop; -application/x-extension-htm=librewolf.desktop; -application/x-extension-html=librewolf.desktop; -application/x-extension-shtml=librewolf.desktop; -application/xhtml+xml=librewolf.desktop; -application/x-extension-xhtml=librewolf.desktop; -application/x-extension-xht=librewolf.desktop; +x-scheme-handler/http=io.gitlab.librewolf-community.desktop; +x-scheme-handler/https=io.gitlab.librewolf-community.desktop; +x-scheme-handler/chrome=io.gitlab.librewolf-community.desktop; +text/html=io.gitlab.librewolf-community.desktop; +application/x-extension-htm=io.gitlab.librewolf-community.desktop; +application/x-extension-html=io.gitlab.librewolf-community.desktop; +application/x-extension-shtml=io.gitlab.librewolf-community.desktop; +application/xhtml+xml=io.gitlab.librewolf-community.desktop; +application/x-extension-xhtml=io.gitlab.librewolf-community.desktop; +application/x-extension-xht=io.gitlab.librewolf-community.desktop; x-scheme-handler/mailto=userapp-Thunderbird-CJ20N3.desktop; x-scheme-handler/mid=userapp-Thunderbird-CJ20N3.desktop; x-scheme-handler/webcal=userapp-Thunderbird-1BJ3N3.desktop; diff --git a/dot_local/bin/executable_linkhandler b/dot_local/bin/executable_linkhandler index 747adc5..48dd6ae 100755 --- a/dot_local/bin/executable_linkhandler +++ b/dot_local/bin/executable_linkhandler @@ -41,7 +41,7 @@ case "$url" in setsid xdot "$url" >/dev/null 2>&1 & ;; http*) - librewolf "$url" >/dev/null 2>&1 & + flatpak run io.gitlab.librewolf-community "$url" >/dev/null 2>&1 & ;; *) $TERMINAL -e "$EDITOR" "$1" diff --git a/meta/browser.txt b/meta/browser.txt index ca3eb1c..de2d297 100644 --- a/meta/browser.txt +++ b/meta/browser.txt 
@@ -1,2 +1 @@ arkenfox-user.js -librewolf-bin diff --git a/meta/flatpak.txt b/meta/flatpak.txt index 4f484ed..9635831 100644 --- a/meta/flatpak.txt +++ b/meta/flatpak.txt @@ -1,6 +1,7 @@ # Flathub app IDs. Managed by `just pkg-*` recipes via the magic # `flatpak` group name (see justfile). Installed with --user scope. +io.gitlab.librewolf-community org.chromium.Chromium org.kde.okular org.libreoffice.LibreOffice diff --git a/run_onchange_after_deploy-firefox.sh.tmpl b/run_onchange_after_deploy-firefox.sh.tmpl index f5a5083..a917026 100755 --- a/run_onchange_after_deploy-firefox.sh.tmpl +++ b/run_onchange_after_deploy-firefox.sh.tmpl @@ -4,7 +4,7 @@ # firefox/ content hash: {{ output "sh" "-c" (printf "cd %q && find firefox -type f -exec sha256sum {} + | LC_ALL=C sort" .chezmoi.sourceDir) | sha256sum }} set -eu -PROFILES_DIR="$HOME/.librewolf" +PROFILES_DIR="$HOME/.var/app/io.gitlab.librewolf-community/.librewolf" [ -d "$PROFILES_DIR" ] || exit 0 PROFILE=$(find "$PROFILES_DIR" -maxdepth 1 -mindepth 1 -type d -name '*.default-default' | head -1) |
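Review bot: in the README `@@ -143` hunk, the recovery sentence still ends with a bare "restore the LibreWolf profile" while the bullet above it now carries the full `~/.var/app/io.gitlab.librewolf-community/.librewolf/` path; a restore into the old `~/.librewolf` location would be skipped by the deploy script (it only looks at the new `PROFILES_DIR`), so the recovery line should name the new path too, e.g. "restore the LibreWolf profile into `~/.var/app/io.gitlab.librewolf-community/.librewolf/`".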
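Review bot: in the `executable_linkhandler` hunk, hard-coding `flatpak run io.gitlab.librewolf-community "$url"` in the `http*)` branch duplicates the app id that `dot_config/mimeapps.list` already declares as the `x-scheme-handler/http` and `x-scheme-handler/https` default; `xdg-open "$url" >/dev/null 2>&1 &` would keep `mimeapps.list` the single source of truth so the next browser swap touches one file instead of two.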
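Review bot: in the `meta/browser.txt` hunk, dropping `librewolf-bin` from the package list does not uninstall the native package already on the host nor migrate or remove the old `~/.librewolf` profile (bookmarks, history, extension state, per the README hunk), so an existing machine is left with two browser installs and a stale unsandboxed profile; the commit message or README should state that the old profile is to be copied into `~/.var/app/io.gitlab.librewolf-community/.librewolf/` and the native package removed.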
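Review bot: in the `meta/flatpak.txt` hunk, the host-isolation the commit message relies on (no `~/.ssh`, `~/.password-store`, `~/.gnupg`, ssh-agent socket) is decided by the Flathub manifest's `--filesystem` and `--socket` permissions, which adding the app id alone does not pin, so a permission change in a future Flathub update would silently widen what the sandbox can reach; suggest verifying with `flatpak info --show-permissions io.gitlab.librewolf-community` and enforcing the intent with a user-scope override next to the `--user` install, e.g. `flatpak override --user --nofilesystem=home --nosocket=ssh-auth io.gitlab.librewolf-community`.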
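Review bot: in the `run_onchange_after_deploy-firefox.sh.tmpl` hunk, the unchanged `[ -d "$PROFILES_DIR" ] || exit 0` now exits silently on a fresh install until the Flatpak has been launched once to create `~/.var/app/io.gitlab.librewolf-community/.librewolf`, and because this is a `run_onchange_` script keyed on the `firefox/` content hash, chezmoi will not re-run it until `firefox/` changes, so `user-overrides.js` quietly never lands on first deploy; consider at least printing a notice to stderr before the `exit 0`, and documenting in the README recovery steps that the browser must be started once before `chezmoi apply` can deploy the hardening.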
