feat(thunderbird): migrate to flatpak with NMH + PKCS#11 bridges

Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:

- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
  ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
  over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
  cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
  external-editor-revived's native messaging host into the sandbox via
  a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.

1 files changed, 3 insertions, 2 deletions

diff --git a/meta/mail.txt b/meta/mail.txt
index 1e65dca..74f6214 100644
--- a/meta/mail.txt
+++ b/meta/mail.txt
@@ -1,8 +1,9 @@
+# Host-side bits the org.mozilla.Thunderbird flatpak depends on.
 protonmail-bridge-core
-thunderbird
 # git send-email Perl prereqs (SMTP via local Bridge on 127.0.0.1:1025)
 perl-authen-sasl
 perl-mime-tools
 perl-net-smtp-ssl
-# Edit messages in nvim (kernel-style inline patch review without TB mangling)
+# Native messaging host binary for External Editor Revived; bridged into the
+# TB flatpak by run_onchange_after_deploy-tb-eer.sh.tmpl.
 external-editor-revived