| author | 2026-05-13 13:43:31 +0100 | |
|---|---|---|
| committer | 2026-05-13 13:43:31 +0100 | |
| commit | eeb3752074edcb110cd3709689e818b57fd2d2fd (patch) | |
| tree | 757dc45a5f840c8b76acf1906868d8e1c4bbbd72 | |
| parent | 3d263bdbb48e7616a12af26ef094e5a416f9a735 (diff) | |
feat(privesc): drop classic sudo via AssumeInstalled
base-devel hard-depends on the sudo package, so without help, pacman
refuses to remove it. The Arch-native fix is pacman.conf's
AssumeInstalled directive: tell pacman to pretend a virtual
sudo=99.0 is installed and base-devel's dep is satisfied without
actually pulling sudo in.
- etc/pacman.conf: AssumeInstalled = sudo=99.0
- bootstrap.sh: after 'just init' (which writes the AssumeInstalled
line and installs sudo-rs), -Rns the leftover sudo package so a
fresh install ends up with sudo-rs only.
Also reformat bootstrap.sh and the etc deploy script with the
project's shfmt style (-i 2 -ci -s).
| -rwxr-xr-x | bootstrap.sh | 15 | ||||
| -rw-r--r-- | etc/pacman.conf | 4 | ||||
| -rwxr-xr-x | run_onchange_after_deploy-etc.sh.tmpl | 30 |
3 files changed, 29 insertions, 20 deletions
diff --git a/bootstrap.sh b/bootstrap.sh
index ead79e6..17f7af4 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -67,16 +67,21 @@ else
 fi
 
 # 5. run just init — this deploys chezmoi, installs the 'base' meta list
-# (which pulls in sudo-rs), deploys /etc/sudoers-rs and /etc/pam.d/sudo,
-# creates /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at
+# (which pulls in sudo-rs), deploys /etc/sudoers-rs, /etc/pam.d/sudo,
+# and the AssumeInstalled = sudo line in /etc/pacman.conf, creates
+# /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at
 # sudo-rs, and installs git hooks.
-# The classic 'sudo' package installed in step 2 stays alongside
-# sudo-rs as a safety net; remove it manually with `sudo pacman -Rns
-# sudo` once you've verified `sudo --version` reports sudo-rs.
 cd "$DOTFILES_DIR"
 log 'running just init'
 just init
+# 5b. remove the classic sudo package — base-devel's dependency is
+# satisfied by the AssumeInstalled = sudo line written above.
+if pacman -Qq sudo >/dev/null 2>&1 && pacman -Qq sudo-rs >/dev/null 2>&1; then
+ log 'removing classic sudo (sudo-rs takes over)'
+ sudo pacman -Rns --noconfirm sudo || warn 'failed to remove sudo; remove it manually later'
+fi
+
 
 # 6. refresh pacman mirrorlist once via reflector (config deployed by chezmoi)
 log 'refreshing pacman mirrorlist via reflector'
 sudo reflector @/etc/xdg/reflector/reflector.conf \
diff --git a/etc/pacman.conf b/etc/pacman.conf
index f6e7e64..53b684a 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
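Review bot: The guard on the `if` line of step 5b only checks that the sudo-rs package is installed, not that the `sudo` which step 6 and everything after it will invoke actually resolves to sudo-rs and can authorize against the deployed /etc/sudoers-rs, so a mis-deployed sudoers-rs or PAM file loses its only fallback the moment `pacman -Rns sudo` succeeds; the deleted comment made exactly that `sudo --version` check a manual precondition. Keeping the step automatic but safe is a one-line change, `if pacman -Qq sudo >/dev/null 2>&1 && sudo --version 2>/dev/null | grep -q sudo-rs; then`, which also covers a PATH where /usr/local/bin is not ahead of /usr/bin and `sudo` still means the classic binary. `warn` is called on the removal line but defined outside the hunk; confirm it exists alongside `log` before relying on it as the failure path.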
@@ -16,6 +16,10 @@
 #GPGDir = /etc/pacman.d/gnupg/
 #HookDir = /etc/pacman.d/hooks/
 HoldPkg = pacman glibc
+# sudo-rs replaces sudo (memory-safe Rust rewrite). base-devel still
+# lists sudo as a member, so pretend it's installed to keep pacman
+# from pulling it in. See https://wiki.archlinux.org/title/Pacman#Skip_package_from_being_installed_to_system
+AssumeInstalled = sudo=99.0
 #XferCommand = /usr/bin/curl -L -C - -f -o %o %u
 #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
 #CleanMethod = KeepInstalled
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index 9ba10d2..3fdb42b 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -7,21 +7,21 @@ set -eu
 cd "$CHEZMOI_SOURCE_DIR"
 find etc -type f ! -name .ignore | while IFS= read -r src; do
- case "$src" in
- *.tmpl)
- dest="/${src%.tmpl}"
- tmp=$(mktemp)
- chezmoi execute-template <"$src" >"$tmp"
- sudo install -D -m 0644 -o root -g root "$tmp" "$dest"
- rm -f "$tmp"
- ;;
- etc/sudoers-rs)
- sudo install -D -m 0440 -o root -g root "$src" "/${src}"
- ;;
- *)
- sudo install -D -m 0644 -o root -g root "$src" "/${src}"
- ;;
- esac
+ case "$src" in
+ *.tmpl)
+ dest="/${src%.tmpl}"
+ tmp=$(mktemp)
+ chezmoi execute-template <"$src" >"$tmp"
+ sudo install -D -m 0644 -o root -g root "$tmp" "$dest"
+ rm -f "$tmp"
+ ;;
+ etc/sudoers-rs)
+ sudo install -D -m 0440 -o root -g root "$src" "/${src}"
+ ;;
+ *)
+ sudo install -D -m 0644 -o root -g root "$src" "/${src}"
+ ;;
+ esac
 done
 # sudo-rs: /etc/pam.d/sudo-i is a symlink to /etc/pam.d/sudo |
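Review bot: `AssumeInstalled = sudo=99.0` permanently tells pacman that sudo is present, so if sudo-rs is later removed or fails to install, nothing in the package system will flag that the host has no working privilege-escalation path left; the new comment above it does not record this trade-off. The file already uses HoldPkg on the line just above, so extending it to `HoldPkg = pacman glibc sudo-rs` makes pacman ask before dropping the package that now stands in for sudo. A sentence in the new comment such as `# sudo-rs is the only sudo on this box; it is in HoldPkg so pacman asks before removing it.` would explain why both settings go together.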
