feat(waybar): snx-rs VPN status indicator + click toggle

New custom/snx-vpn module sits next to custom/vpn (the wireguard one):

- snx-vpn-status.sh shells out to `snxctl status` (timeout 2s) and maps
  the output to three states: down (grey strikethrough), connecting/MFA
  (amber), up (green). Tooltip shows the full status block when up.
- snx-vpn-toggle.sh disconnects when up, runs snxctl-chromium detached
  when down (so SAML lands in the flatpak ungoogled-chromium without
  blocking waybar). Both paths refresh the module via SIGRTMIN+9.

3 files changed, 57 insertions, 0 deletions

diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc
index e5ea09b..80eb560 100644
--- a/dot_config/waybar/config.jsonc
+++ b/dot_config/waybar/config.jsonc
@@ -10,6 +10,7 @@
     "temperature",
     "custom/memory",
     "custom/vpn",
+    "custom/snx-vpn",
     "network#bond",
     "custom/dock",
     "battery",
@@ -119,6 +120,14 @@
     "on-click": "~/.config/waybar/vpn-toggle.sh",
   },
 
+  "custom/snx-vpn": {
+    "exec": "~/.config/waybar/snx-vpn-status.sh",
+    "return-type": "json",
+    "interval": 5,
+    "signal": 9,
+    "on-click": "~/.config/waybar/snx-vpn-toggle.sh",
+  },
+
   "battery": {
     "format": "{icon} {capacity}%",
     "format-charging": "󰂄 {capacity}%",
diff --git a/dot_config/waybar/executable_snx-vpn-status.sh b/dot_config/waybar/executable_snx-vpn-status.sh
new file mode 100644
index 0000000..9088630
--- /dev/null
+++ b/dot_config/waybar/executable_snx-vpn-status.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Waybar custom/snx-vpn module: report the snx-rs (Check Point) tunnel
+# state. `snxctl status` is fast (talks over a local UDS to the daemon)
+# but might briefly stall during connect; cap it with `timeout`.
+
+# Bail out if the daemon socket isn't even there (snx-rs.service stopped).
+out=$(timeout 2 snxctl status 2>/dev/null) || out=
+
+case "$out" in
+  '' | *"Disconnected"*)
+    printf '{"text":"<span color=\\"#928374\\"><s>󰌾 SNX</s></span>","class":"down","tooltip":"snx-rs disconnected — click to connect"}\n'
+    ;;
+  *"Connecting"* | *"MFA pending"*)
+    printf '{"text":"<span color=\\"#fabd2f\\">󰌾 SNX…</span>","class":"connecting","tooltip":"%s"}\n' "$(echo "$out" | head -1)"
+    ;;
+  *)
+    tooltip=$(echo "$out" | sed 's/"/\\"/g' | awk 'BEGIN{ORS="\\n"}{print}')
+    printf '{"text":"<span color=\\"#b8bb26\\">󰌾 SNX</span>","class":"up","tooltip":"%s"}\n' "$tooltip"
+    ;;
+esac
diff --git a/dot_config/waybar/executable_snx-vpn-toggle.sh b/dot_config/waybar/executable_snx-vpn-toggle.sh
new file mode 100644
index 0000000..f42690d
--- /dev/null
+++ b/dot_config/waybar/executable_snx-vpn-toggle.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+# Toggle the snx-rs (Check Point) tunnel. Connect goes through the
+# snxctl-chromium wrapper so SAML lands in the flatpak ungoogled
+# chromium (LibreWolf blocks the 127.0.0.1:7779 callback).
+#
+# Refresh the waybar custom/snx-vpn module immediately with SIGRTMIN+9.
+set -eu
+
+state=$(timeout 2 snxctl status 2>/dev/null || echo Disconnected)
+
+case "$state" in
+  *"Disconnected"*)
+    # Detach so waybar doesn't block waiting for SAML. The inner script
+    # re-signals waybar when the connect attempt finishes so the badge
+    # flips immediately to its final state.
+    # shellcheck disable=SC2016
+    setsid -f sh -c '
+      "$HOME/.local/bin/snxctl-chromium" >/tmp/snxctl-chromium.log 2>&1
+      pid=$(pidof waybar) && kill -SIGRTMIN+9 $pid 2>/dev/null || true
+    '
+    ;;
+  *)
+    snxctl disconnect >/dev/null 2>&1 || true
+    ;;
+esac
+
+pid=$(pidof waybar || true)
+[ -n "$pid" ] && kill -SIGRTMIN+9 "$pid" 2>/dev/null || true