authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:31 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:31 +0100
commit3d263bdbb48e7616a12af26ef094e5a416f9a735 (patch)
tree34cf90cef24496ecfc271055255f8a7596f84627 /dot_config
parent51b8af587e46d4e03b059a51253d9671e27d08e3 (diff)
feat(privesc): migrate from opendoas to sudo-rs
doas's one-shot password and absent 'sudo -v' kept wasting hour-long paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships as default. We follow the Arch wiki 'Using sudo-rs without the sudo package' recipe verbatim — no custom shims. - meta/base.txt: -doas-sudo-shim +sudo-rs - etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff - etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file - run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit, su,visudo} → sudo-rs symlinks idempotently - delete etc/doas.conf, dot_local/bin/{doasedit,sudo} - zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/ pacdiff/ssys to call sudo - justfile: s/doas/sudo/g (status/diff/restore helpers) - nvim: rename :DoasWrite → :SudoWrite (uses sudo -S) - sway config: reboot/poweroff buttons call sudo - bootstrap.sh: update step-5 comment - README/KEYBINDS/copilot-instructions: flip the privesc convention No Defaults overrides: sudo's defaults (passwd_tries=3, timestamp_timeout=5) already fix the doas pain, and paru SudoLoop (kept) refreshes the 5-min window via real sudo -v.
Diffstat (limited to 'dot_config')
-rw-r--r--dot_config/nvim/lua/config/keymaps.lua12
-rw-r--r--dot_config/sway/config4
-rw-r--r--dot_config/zsh/dot_zshrc12
3 files changed, 13 insertions, 15 deletions
diff --git a/dot_config/nvim/lua/config/keymaps.lua b/dot_config/nvim/lua/config/keymaps.lua
index a0dc19e..b3362a3 100644
--- a/dot_config/nvim/lua/config/keymaps.lua
+++ b/dot_config/nvim/lua/config/keymaps.lua
@@ -78,15 +78,15 @@ nmap("yp", function()
vim.fn.setreg("+", vim.fn.expand("%"))
end, "[Y]ank [P]ath")
-local doas_exec = function(_cmd)
+local sudo_exec = function(_cmd)
vim.fn.inputsave()
local password = vim.fn.inputsecret("Password: ")
vim.fn.inputrestore()
if not password or #password == 0 then
- vim.notify("Invalid password, doas aborted", vim.log.levels.WARN)
+ vim.notify("Invalid password, sudo aborted", vim.log.levels.WARN)
return false
end
- local out = vim.fn.system(string.format("doas -S %s", _cmd), password .. "\n")
+ local out = vim.fn.system(string.format("sudo -S %s", _cmd), password .. "\n")
if vim.v.shell_error ~= 0 then
print("\r\n")
vim.notify(out, vim.log.levels.ERROR)
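Review bot: In sudo_exec, `sudo -S %s` no longer guarantees that the password line is consumed by the authenticator. The commit message relies on sudo's 5-minute timestamp, and if a cached credential applies to this invocation sudo does not read stdin, so `password .. "\n"` would reach the stdin of `_cmd` instead. Whether that is harmful depends on `_cmd`, which is built outside this hunk. Making the read unconditional is safer, e.g. `string.format("sudo -S -k %s", _cmd)` to ignore cached credentials for this call (worth confirming against sudo-rs), or probing with `sudo -n true` and skipping the prompt when it succeeds. A comment such as `-- password is fed on stdin so it never appears in argv` above the system() call would record why -S is used; the function body ends outside this hunk.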
@@ -95,7 +95,7 @@ local doas_exec = function(_cmd)
return true
end
-vim.api.nvim_create_user_command("DoasWrite", function(opts)
+vim.api.nvim_create_user_command("SudoWrite", function(opts)
local tmpfile = vim.fn.tempname()
local filepath
if #opts.fargs == 1 then
@@ -116,7 +116,7 @@ vim.api.nvim_create_user_command("DoasWrite", function(opts)
)
-- no need to check error as this fails the entire function
vim.api.nvim_exec2(string.format("write! %s", tmpfile), { output = true })
- if doas_exec(_cmd) then
+ if sudo_exec(_cmd) then
-- refreshes the buffer and prints the "written" message
vim.cmd.checktime()
-- exit command mode
@@ -129,5 +129,5 @@ vim.api.nvim_create_user_command("DoasWrite", function(opts)
vim.fn.delete(tmpfile)
end, {
nargs = "?",
- desc = "Write using doas permissions",
+ desc = "Write using sudo permissions",
})
diff --git a/dot_config/sway/config b/dot_config/sway/config
index 3dba142..73d505c 100644
--- a/dot_config/sway/config
+++ b/dot_config/sway/config
@@ -124,8 +124,8 @@ bindsym $mod+Shift+c reload
bindsym $mod+Shift+e exec swaynag -t warning -m 'Session' \
-B 'Lock' 'playerctl -a pause; swaylock -f -e -c 282828' \
-B 'Logout' 'swaymsg exit' \
- -B 'Reboot' 'doas /usr/bin/reboot' \
- -B 'Poweroff' 'doas /usr/bin/poweroff'
+ -B 'Reboot' 'sudo /usr/bin/reboot' \
+ -B 'Poweroff' 'sudo /usr/bin/poweroff'
# ── Personal keybinds ─────────────────────────────────────────────────────────
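Review bot: The 'Reboot' and 'Poweroff' buttons run `sudo` from swaynag with no terminal to prompt on, so they work only while the NOPASSWD rule matches `/usr/bin/reboot` and `/usr/bin/poweroff` exactly. The commit message places that rule in etc/sudoers-rs, which is outside this diff. Passing `-n`, as in `-B 'Reboot' 'sudo -n /usr/bin/reboot' \`, makes a missing or drifted rule fail immediately instead of attempting a prompt. A comment above the bindsym naming the sudoers dependency would help the next reader. If logind/polkit already lets the active session power off (not visible here), `systemctl reboot` and `systemctl poweroff` would remove the need for a passwordless sudo rule at all.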
diff --git a/dot_config/zsh/dot_zshrc b/dot_config/zsh/dot_zshrc
index e8fca42..3bce27c 100644
--- a/dot_config/zsh/dot_zshrc
+++ b/dot_config/zsh/dot_zshrc
@@ -53,7 +53,7 @@ zstyle ':completion:*:functions' ignored-patterns '_*' # hide internal c
zstyle ':completion:*:*:kill:*' menu yes select # interactive menu for kill completion
zstyle ':completion:*:kill:*' force-list always # always show process list for kill
zstyle ':completion:*:cd:*' ignore-parents parent pwd # cd never completes . or ..
-zstyle ':completion::complete:*' gain-privileges 1 # use doas/sudo for privileged completions
+zstyle ':completion::complete:*' gain-privileges 1 # use sudo for privileged completions
zstyle -e ':completion:*:approximate:*' \
max-errors 'reply=($((($#PREFIX+$#SUFFIX)/3))numeric)' # allow 1 typo per 3 chars typed
@@ -200,13 +200,11 @@ alias ip="ip -color=auto"
alias lsip="ip -human -color=auto --brief address show"
alias ipa="ip -stats -details -human -color=auto address show"
alias ipecho='curl ipecho.net/plain'
-alias ss='doas ss -tupnl'
+alias ss='sudo ss -tupnl'
# Privilege escalation
-alias sudo='doas'
-alias sudoedit='doasedit'
-alias gimme='doas chown $USER:$(id -gn $USER)'
-alias pacdiff='doas pacdiff'
+alias gimme='sudo chown $USER:$(id -gn $USER)'
+alias pacdiff='sudo pacdiff'
# Pacman
alias pacopt='comm -13 <(pacman -Qqdt | sort) <(pacman -Qqdtt | sort)'
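Review bot: The `gimme` alias runs chown as root on whatever paths follow it, and chown dereferences symlinks by default. A symlink inside a directory another user can write to would therefore transfer ownership of its target rather than of the link. The owner is also taken from `$USER`, an environment variable, and the expansions are unquoted. Something like `alias gimme='sudo chown -h -- "$(id -un):$(id -gn)"'` avoids all three; a comment noting that it changes ownership as root would fit the "Privilege escalation" group.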
@@ -216,7 +214,7 @@ alias g='git'
# Systemd
alias sys='systemctl'
-alias ssys='doas systemctl'
+alias ssys='sudo systemctl'
alias sysu='systemctl --user'
# Navigation