author    sommerfeld <sommerfeld@sommerfeld.dev>  2026-05-29 11:18:12 +0100
committer sommerfeld <sommerfeld@sommerfeld.dev>  2026-05-29 11:18:12 +0100
commit    1a8a19e6286aa58c5a46f03882f8f09e54456051
tree      6d82622e37268ce466104f81cb3b53a20f0ad9b3 /meta/base.txt
parent    8ebe3f106e53dc4032428a2e3435c4feea969087
feat(sandbox): bwrap wrappers for mpv, yt-dlp, streamlink
These three tools are the native (non-flatpak) network parsers in the install set — every other internet-facing app is already flatpak'd. The threat model is a RCE in a subtitle/extractor/muxer that walks $HOME looking for SSH keys, GPG keyring, pass store, cloud tokens, etc.

Approach (defence in depth, not full sandboxing):

- bwrap --bind / / keeps Wayland, PipeWire, DBus, GPU, hwaccel and all config files working transparently.
- --tmpfs over known-sensitive dirs (.ssh, .gnupg, .password-store, .config/gh, .config/op, .aws, .local/share/keyrings) blanks them from the sandbox view; a compromised parser literally cannot see them.
- inner PATH stripped of ~/.local/bin so streamlink's spawn of `mpv` resolves to /usr/bin/mpv and does not re-enter the sandbox.
- --die-with-parent + --new-session for tidy lifecycle.
- Escape hatch: SANDBOX=0 mpv ... bypasses for one invocation.
- Graceful degradation if bwrap is missing (warns and execs anyway).

bubblewrap added explicitly to meta/base.txt (was implicit via flatpak). Wrappers in ~/.local/bin shadow /usr/bin via dot_zprofile:15 PATH order.

Not symlinked into the Ubuntu VM (nix/vm.nix does not touch ~/.local/bin), which is fine: those tools on the headless VM don't need sandboxing.
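The wrapper design described in the commit message, written out as an added example (this is not the repository's own wrapper script): one POSIX sh script installed in ~/.local/bin under the names mpv, yt-dlp and streamlink. The dispatch-on-$0 layout, the /usr/bin target path and the exact bwrap option order are assumptions; the directory list and the SANDBOX=0 / missing-bwrap behaviour come from the message.

```shell
#!/bin/sh
# Added example, not the repository's own wrapper: one script meant to be installed
# in ~/.local/bin as mpv, yt-dlp and streamlink (shadowing /usr/bin), following the
# approach in the commit message. Dispatch on $0 and option order are assumptions.

# Secret-bearing dirs (relative to $HOME) blanked with --tmpfs, per the commit message.
SENSITIVE_DIRS=".ssh .gnupg .password-store .config/gh .config/op .aws .local/share/keyrings"

# Print PATH value $1 with $2/.local/bin removed, so the mpv that streamlink spawns
# resolves to /usr/bin/mpv instead of re-entering this wrapper.
strip_local_bin() {
    out=""; old_ifs=$IFS; IFS=:
    for d in $1; do
        if [ "$d" != "$2/.local/bin" ]; then out="${out:+$out:}$d"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Run mode: "bypass" when SANDBOX=0 ($1), "plain" when no bwrap was found ($2 empty;
# warn and exec anyway), otherwise "bwrap".
sandbox_mode() {
    if [ "$1" = 0 ]; then echo bypass
    elif [ -z "$2" ]; then echo plain
    else echo bwrap
    fi
}

# Exec real binary $1 with the remaining arguments under the chosen mode.
run_sandboxed() {
    real=$1; shift
    case $(sandbox_mode "${SANDBOX-}" "$(command -v bwrap || true)") in
        bypass) exec "$real" "$@" ;;
        plain)  echo "${0##*/}: bwrap not found, running unsandboxed" >&2
                exec "$real" "$@" ;;
    esac
    PATH=$(strip_local_bin "$PATH" "$HOME"); export PATH
    set -- "$real" "$@"
    for d in $SENSITIVE_DIRS; do set -- --tmpfs "$HOME/$d" "$@"; done
    # --bind / / keeps Wayland, PipeWire, DBus, GPU and config files visible:
    # defence in depth against a parser RCE walking $HOME, not full isolation.
    exec bwrap --bind / / --die-with-parent --new-session "$@"
}

# Dispatch on the name this script was invoked as; any other name does nothing.
case ${0##*/} in
    mpv|yt-dlp|streamlink) run_sandboxed "/usr/bin/${0##*/}" "$@" ;;
esac
```

Because the tmpfs mounts are applied after `--bind / /`, only the enumerated directories are masked; anything else under $HOME stays visible to the wrapped tool.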
Diffstat (limited to 'meta/base.txt')
-rw-r--r--  meta/base.txt  | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/meta/base.txt b/meta/base.txt
index 3a0a73b..1f7cdd8 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -171,6 +171,10 @@ xorg-xwayland # needed for zbarcam's X11 preview
# Misc
brightnessctl
+# Userspace sandbox helper (firejail-less). Used by ~/.local/bin wrappers
+# for mpv/yt-dlp/streamlink to hide secrets from network parsers; also
+# pulled transitively by flatpak.
+bubblewrap
# Volume/brightness OSD overlay (driven by ~/.config/sway/{vol,brightness}-osd.sh
# writing percentages to $XDG_RUNTIME_DIR/wob.sock).
wob
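Review bot: the comment on the new `bubblewrap` entry (`# Userspace sandbox helper (firejail-less). Used by ~/.local/bin wrappers` through `# pulled transitively by flatpak.`) says the wrappers "hide secrets from network parsers", which overstates what the commit message describes: with `--bind / /` plus `--tmpfs` over an enumerated list of directories, only those paths are masked, not $HOME in general. Suggest wording it as "mask known secret dirs (.ssh, .gnupg, ...) from network parsers", or pointing at where that list lives, so whoever adds a new credential store later knows the wrapper list has to be extended as well.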