feat: teams autostart, llama-cpp-vulkan ignore, snxctl-chromium wrapper

systemd/user/teams-{sii,xsight}.service: autostart both Teams flatpak
profiles on sway-session.target login. KillMode=mixed so SIGTERM hits
only the wrapper process — both instances share the same flatpak app
id, so killing by app id would take down the sibling instance. A 15s
SIGKILL fallback covers the case where Electron tray-hides instead of
quitting. Both units listed in systemd-units/user.txt.

etc/pacman.conf: IgnorePkg = llama-cpp-vulkan. The AUR package rebuilds
on every llama.cpp commit (multi-hour build). Update manually with
`paru -S llama-cpp-vulkan` when intended.

snxctl-chromium wrapper:
- dot_local/share/snx-rs/bin/xdg-open: shim that flatpak-runs
  ungoogled-chromium, used only by snx-rs.
- dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf:
  drop-in prepending that dir to the daemon's PATH so snx-rs's
  opener-crate call to xdg-open lands in chromium, without affecting
  xdg-open for any other process.
- dot_local/bin/snxctl-chromium: convenience wrapper that
  daemon-reloads and restarts snx-rs.service if the drop-in isn't yet
  applied, then execs `snxctl connect`.

firefox/user-overrides.js: revert the dom.security.https_only_mode.
upgrade_local and network.lna.local-network-to-localhost.skip-checks
prefs — they didn't actually fix the SAML flow. Replaced with a
comment pointing to the wrapper instead.

2 files changed, 48 insertions, 0 deletions

diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium
new file mode 100644
index 0000000..d52ddfb
--- /dev/null
+++ b/dot_local/bin/executable_snxctl-chromium
@@ -0,0 +1,37 @@
+#!/bin/sh
+# snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as
+# the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block
+# that prevent snx-rs's 127.0.0.1:7779 SAML callback from completing.
+#
+# How it works
+# ------------
+# A tracked drop-in
+# (~/.config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) prepends
+# ~/.local/share/snx-rs/bin to the daemon's PATH. That directory contains
+# an `xdg-open` shim that flatpak-runs ungoogled-chromium. snx-rs uses the
+# `opener` crate which spawns `xdg-open` — the shim wins.
+#
+# This script just makes sure the daemon picks up the override (it only
+# loads Environment= at start time, so a freshly-edited drop-in needs a
+# daemon-reload + service restart) and then runs `snxctl connect`.
+set -eu
+
+SERVICE=snx-rs.service
+
+if ! systemctl --user cat "$SERVICE" >/dev/null 2>&1; then
+  printf '%s: %s is not a known user unit; aborting.\n' "${0##*/}" "$SERVICE" >&2
+  exit 1
+fi
+
+current_path=$(systemctl --user show -p Environment --value "$SERVICE")
+case "$current_path" in
+  *"$HOME/.local/share/snx-rs/bin"*) ;;
+  *)
+    echo "${0##*/}: applying chromium SAML drop-in (daemon-reload + restart)…" >&2
+    systemctl --user daemon-reload
+    systemctl --user restart "$SERVICE"
+    sleep 1
+    ;;
+esac
+
+exec snxctl connect "$@"
diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open
new file mode 100644
index 0000000..5577b10
--- /dev/null
+++ b/dot_local/share/snx-rs/bin/executable_xdg-open
@@ -0,0 +1,11 @@
+#!/bin/sh
+# xdg-open shim that hands every URL to the flatpak ungoogled-chromium.
+#
+# Used by snx-rs (which calls `xdg-open` via the `opener` crate) to land
+# the SAML callback inside a browser that won't HTTPS-upgrade or LNA-block
+# the loopback handoff to 127.0.0.1:7779. Wired up via a systemd --user
+# drop-in (dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf)
+# that prepends this directory to the daemon's PATH — it does NOT shadow
+# the system-wide xdg-open for any other process.
+exec flatpak run io.github.ungoogled_software.ungoogled_chromium \
+  --new-window "$@"