path: root/etc/nftables.conf
author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:36 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:36 +0100
commit: 767a54e48163ea0db701c926e6bf69f2237fce33 (patch)
tree: f2d9c79af4d2a1985c010d84cd1192728dc7d856 /etc/nftables.conf
parent: 1238e4dfc33bc4347564350bbfadac50aa8da0cd (diff)
fix(sudoers-rs,waybar): pass DIFFPROG (and friends) through sudo-rs
The previous fix sidestepped sudo-rs's env scrubbing by setting DIFFPROG inside a nested root shell. That works but it's the wrong shape — every command that wants to honour a user UX env var would have to do the same dance. Configure the policy once instead.

etc/sudoers-rs:

    Defaults env_keep += "DIFFPROG"
    Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
    Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
    Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"

env_keep is the unconditional pass-through list, so no '-E' is needed on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same as it does for `EDITOR=nvim sudo systemctl edit foo`, `PAGER=less sudo journalctl …`, etc.

None of these vars influence privilege boundaries; they only configure user-facing program behaviour, so widening env_keep to cover them carries no security trade-off worth accounting for.

The existing per-visudo env_keep lines are kept for documentation value (they're now subsumed by the global rule but make the intent explicit at the visudo call sites).

The waybar pacdiff click handler reverts to the canonical form `DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git ships in /usr/share/doc/pacman/.

Will take effect after the next `chezmoi apply` redeploys /etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script re-installs it with mode 0440 whenever its hash changes).
Diffstat (limited to 'etc/nftables.conf')
0 files changed, 0 insertions, 0 deletions
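The commit relies on env_keep being an ordered, cumulative list that `+=` extends. The following is an added example, not code from the dotfiles repo or from sudo-rs: it parses only the `Defaults env_keep` forms (`=`, `+=`, `-=`) over a constructed sample policy, reports whether a variable such as DIFFPROG would cross `sudo` without `-E`, and flags entries from an assumed deny-list of variables that do change which code runs as root (the check is a review aid; sudo-rs does not read this list).

```python
# Added example (not from the dotfiles repo): compute the env_keep list that
# results from a sudoers-style policy and check which variables cross sudo.
import re

# Constructed sample policy: the four lines from the commit, plus a trailing
# "-=" to show that Defaults lines apply in order.
SAMPLE_POLICY = """\
Defaults env_reset
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
Defaults env_keep -= "GIT_PAGER"
"""

# Assumed review deny-list: vars that change what code runs as root (a
# review aid only; nothing in sudo-rs reads this set).
PRIVILEGE_SENSITIVE = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "PYTHONPATH", "IFS"}

_RULE = re.compile(r'^\s*Defaults\s+env_keep\s*(\+=|-=|=)\s*"?([^"]*)"?\s*$')


def effective_env_keep(policy: str) -> list[str]:
    """Apply every `Defaults env_keep` line in order; return the final list."""
    keep: list[str] = []
    for line in policy.splitlines():
        m = _RULE.match(line)
        if not m:
            continue  # comments, env_reset, user/host rules: not env_keep
        op, names = m.group(1), m.group(2).split()
        if op == "=":
            keep = list(names)            # replace the whole list
        elif op == "+=":
            keep.extend(n for n in names if n not in keep)
        else:                             # "-="
            keep = [n for n in keep if n not in names]
    return keep


def survives_sudo(var: str, policy: str) -> bool:
    """True if `var` passes through `sudo cmd` with no -E under this policy."""
    return var in effective_env_keep(policy)


def risky_entries(policy: str) -> set[str]:
    """env_keep entries that affect privilege, not just user-facing behaviour."""
    return set(effective_env_keep(policy)) & PRIVILEGE_SENSITIVE


if __name__ == "__main__":
    print(effective_env_keep(SAMPLE_POLICY))
    print("DIFFPROG survives:", survives_sudo("DIFFPROG", SAMPLE_POLICY))
    print("risky entries:", risky_entries(SAMPLE_POLICY) or "none")
```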