feat(pteid): bridge PKCS#11 into LibreWolf flatpak

Cartão de cidadão web authentication needs the libpteidpkcs11.so module
loaded into LibreWolf's NSS database. With both apps now sandboxed in
separate flatpaks, neither can see the other by default.

Add a chezmoi onchange script that, when both flatpaks are installed:
- Resolves the pt.gov.autenticacao install dir + .so path on the host
- Grants LibreWolf flatpak read-only filesystem access to that dir,
  --socket=pcsc, and an LD_LIBRARY_PATH so the bundled deps (libxerces,
  libcjose, etc.) resolve at dlopen time
- Registers the module in each LibreWolf NSS profile via modutil, with
  the path rewritten to /run/host/... as seen from inside the sandbox
- Skips silently when LibreWolf is running (modutil would corrupt the DB)

Hash gate includes the pt.gov.autenticacao line from meta/flatpak.txt so
the override + registration auto-refresh on bundle bumps. Idempotent.

Also explicit pcsc-lite + ccid in meta/extra.txt — they were transitive
deps of the removed autenticacao-gov-pt-bin AUR package; pcscd.socket
in systemd-units/system/base.txt would otherwise fail to activate.

1 files changed, 5 insertions, 0 deletions

diff --git a/meta/extra.txt b/meta/extra.txt
index 3936385..3e8def9 100644
--- a/meta/extra.txt
+++ b/meta/extra.txt
@@ -6,6 +6,11 @@ udisks2
 # Flatpak runtime (apps tracked in meta/flatpak.txt)
 flatpak
 
+# Smartcard stack (cartão de cidadão reader + PKCS#11 bridge into flatpak browsers).
+# pcscd.socket is enabled by systemd-units/system/base.txt.
+pcsc-lite
+ccid
+
 # OCR (used by ~/.local/bin/ocr)
 tesseract
 tesseract-data-eng