refactor(snxctl-chromium): drop daemon drop-in, override snxctl's PATH

snx-rs.service is a system unit, not --user, so the prior approach of
overriding the daemon's PATH via a systemd drop-in could never apply.
And it wasn't needed anyway: snxctl itself runs opener::open(url)
in-process, so prepending the shim dir to snxctl's PATH is enough.

- Drop dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf.
- snxctl-chromium now just sets PATH and exec's snxctl connect.
- xdg-open shim no longer forces --new-window so chromium can reuse a
  warm window (faster SAML round-trip).

2 files changed, 15 insertions, 32 deletions

diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium
index d52ddfb..c97b026 100644..100755
--- a/dot_local/bin/executable_snxctl-chromium
+++ b/dot_local/bin/executable_snxctl-chromium
@@ -1,37 +1,21 @@
 #!/bin/sh
 # snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as
 # the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block
-# that prevent snx-rs's 127.0.0.1:7779 SAML callback from completing.
+# that stop snx-rs's 127.0.0.1:7779 SAML callback from completing.
 #
-# How it works
-# ------------
-# A tracked drop-in
-# (~/.config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) prepends
-# ~/.local/share/snx-rs/bin to the daemon's PATH. That directory contains
-# an `xdg-open` shim that flatpak-runs ungoogled-chromium. snx-rs uses the
-# `opener` crate which spawns `xdg-open` — the shim wins.
-#
-# This script just makes sure the daemon picks up the override (it only
-# loads Environment= at start time, so a freshly-edited drop-in needs a
-# daemon-reload + service restart) and then runs `snxctl connect`.
+# snxctl runs `opener::open(url)` in-process; opener on Linux execs
+# `xdg-open` first. We prepend a private bin dir containing only an
+# `xdg-open` shim that flatpak-runs ungoogled-chromium. No daemon
+# tweaks needed — the override is scoped to this snxctl invocation.
 set -eu
 
-SERVICE=snx-rs.service
+SHIM_DIR="$HOME/.local/share/snx-rs/bin"
 
-if ! systemctl --user cat "$SERVICE" >/dev/null 2>&1; then
-  printf '%s: %s is not a known user unit; aborting.\n' "${0##*/}" "$SERVICE" >&2
+if [ ! -x "$SHIM_DIR/xdg-open" ]; then
+  printf '%s: missing xdg-open shim at %s\n' "${0##*/}" "$SHIM_DIR/xdg-open" >&2
   exit 1
 fi
 
-current_path=$(systemctl --user show -p Environment --value "$SERVICE")
-case "$current_path" in
-  *"$HOME/.local/share/snx-rs/bin"*) ;;
-  *)
-    echo "${0##*/}: applying chromium SAML drop-in (daemon-reload + restart)…" >&2
-    systemctl --user daemon-reload
-    systemctl --user restart "$SERVICE"
-    sleep 1
-    ;;
-esac
-
+PATH="$SHIM_DIR:$PATH"
+export PATH
 exec snxctl connect "$@"
diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open
index 5577b10..f646200 100644
--- a/dot_local/share/snx-rs/bin/executable_xdg-open
+++ b/dot_local/share/snx-rs/bin/executable_xdg-open
@@ -1,11 +1,10 @@
 #!/bin/sh
 # xdg-open shim that hands every URL to the flatpak ungoogled-chromium.
 #
-# Used by snx-rs (which calls `xdg-open` via the `opener` crate) to land
-# the SAML callback inside a browser that won't HTTPS-upgrade or LNA-block
-# the loopback handoff to 127.0.0.1:7779. Wired up via a systemd --user
-# drop-in (dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf)
-# that prepends this directory to the daemon's PATH — it does NOT shadow
+# Used by `snxctl connect` (via the snxctl-chromium wrapper) so the
+# Check Point SAML callback lands in a browser that won't HTTPS-upgrade
+# or LNA-block the loopback handoff to 127.0.0.1:7779. The wrapper
+# prepends this directory to snxctl's PATH — this file does NOT shadow
 # the system-wide xdg-open for any other process.
 exec flatpak run io.github.ungoogled_software.ungoogled_chromium \
-  --new-window "$@"
+  "$@"