feat(waybar,sway): htop click handler, app keybinds, VPN toggle

waybar:
- cpu / custom/memory: on-click opens floating ghostty with htop
- new custom/vpn module between custom/memory and network#bond:
  shows 'VPN' coloured by interface UP flag (green up, dim down);
  on-click toggles networkctl up/down hodor; SIGRTMIN+8 used for
  instant refresh after toggle

sway:
- Super+Shift+Return -> ghostty -e yazi
- Super+Shift+b -> librewolf

vpn-toggle.sh runs networkctl (no sudo) thanks to a new polkit rule
allowing wheel-group members to invoke org.freedesktop.network1.*
without a password prompt. systemd-networkd's polkit gate is a
separate path from sudoers, so this is the idiomatic fix.

KEYBINDS.md updated for both new sway bindings.

1 files changed, 13 insertions, 0 deletions

diff --git a/etc/polkit-1/rules.d/50-networkd-wheel.rules b/etc/polkit-1/rules.d/50-networkd-wheel.rules
new file mode 100644
index 0000000..089616a
--- /dev/null
+++ b/etc/polkit-1/rules.d/50-networkd-wheel.rules
@@ -0,0 +1,13 @@
+// Allow members of the `wheel` group to manage systemd-networkd links
+// (e.g. `networkctl up/down <iface>`) without a polkit password prompt.
+// This single-user system already trusts wheel for administrative work
+// via sudo-rs; networkd's polkit gate is a separate path that does not
+// honour sudoers, so a polkit rule is the idiomatic fix.
+polkit.addRule(function (action, subject) {
+  if (
+    action.id.indexOf("org.freedesktop.network1.") === 0 &&
+    subject.isInGroup("wheel")
+  ) {
+    return polkit.Result.YES;
+  }
+});