path: root/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:25 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:25 +0100
commitb9e2e2b63f264b889a453b1199d7ae8f6333ab5c (patch)
treefc09527459181423ce4015eaf744876057d5370c /run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
parent9b133edc20702a0c9cccb613fbb9296a7fb9f597 (diff)
feat(pteid): bridge PKCS#11 into LibreWolf flatpak
Cartão de cidadão web authentication needs the libpteidpkcs11.so module loaded into LibreWolf's NSS database. With both apps now sandboxed in separate flatpaks, neither can see the other by default. Add a chezmoi onchange script that, when both flatpaks are installed: - Resolves the pt.gov.autenticacao install dir + .so path on the host - Grants the LibreWolf flatpak read-only filesystem access to that dir, --socket=pcsc, and an LD_LIBRARY_PATH so the bundled deps (libxerces, libcjose, etc.) resolve at dlopen time - Registers the module in each LibreWolf NSS profile via modutil, with the path rewritten to /run/host/... as seen from inside the sandbox - Skips silently when LibreWolf is running (modutil would corrupt the DB) Hash gate includes the pt.gov.autenticacao line from meta/flatpak.txt so the override + registration auto-refresh on bundle bumps. Idempotent. Also list pcsc-lite + ccid explicitly in meta/extra.txt — they were transitive deps of the removed autenticacao-gov-pt-bin AUR package; pcscd.socket in systemd-units/system/base.txt would otherwise fail to activate.
Diffstat (limited to 'run_onchange_after_deploy-pteid-pkcs11.sh.tmpl')
-rw-r--r--run_onchange_after_deploy-pteid-pkcs11.sh.tmpl62
1 files changed, 62 insertions, 0 deletions
diff --git a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
new file mode 100644
index 0000000..b6c3b6c
--- /dev/null
+++ b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
@@ -0,0 +1,62 @@
+#!/bin/sh
+# Bridge the pt.gov.autenticacao flatpak's PKCS#11 module into the LibreWolf
+# flatpak's NSS database so cartão de cidadão authentication works in the
+# browser despite the cross-sandbox isolation.
+#
+# Idempotent. Re-runs whenever this script or the pt.gov.autenticacao entry
+# in meta/flatpak.txt changes.
+#
+# pteid entry hash: {{ output "sh" "-c" (printf "grep '^pt\\.gov\\.autenticacao' %q/meta/flatpak.txt 2>/dev/null || true" .chezmoi.sourceDir) | sha256sum }}
+set -eu
+
+PTEID_APP=pt.gov.autenticacao
+BROWSER_APP=io.gitlab.librewolf-community
+MODULE_NAME=pteid-mw
+
+flatpak info --user "$PTEID_APP" >/dev/null 2>&1 || exit 0
+flatpak info --user "$BROWSER_APP" >/dev/null 2>&1 || exit 0
+
+PTEID_LOC=$(flatpak info --user --show-location "$PTEID_APP" 2>/dev/null)
+[ -d "$PTEID_LOC/files" ] || exit 0
+
+SO=$(find "$PTEID_LOC/files" -name 'libpteidpkcs11.so' -type f 2>/dev/null | head -1)
+[ -n "$SO" ] && [ -f "$SO" ] || exit 0
+SO_DIR=$(dirname "$SO")
+
+# flatpak --filesystem mounts host paths under /run/host inside the sandbox.
+SO_IN_SANDBOX="/run/host$SO"
+SO_DIR_IN_SANDBOX="/run/host$SO_DIR"
+
+flatpak override --user \
+ --filesystem="$PTEID_LOC/files:ro" \
+ --socket=pcsc \
+ --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
+ "$BROWSER_APP"
+
+command -v modutil >/dev/null 2>&1 || {
+ echo "pteid-pkcs11: modutil not found (install nss); skipping NSS registration." >&2
+ exit 0
+}
+
+PROFILES_DIR="$HOME/.var/app/$BROWSER_APP/.librewolf"
+[ -d "$PROFILES_DIR" ] || exit 0
+
+registered=0
+skipped=0
+for prof in "$PROFILES_DIR"/*/; do
+ [ -f "$prof/cert9.db" ] || continue
+ if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
+ skipped=$((skipped + 1))
+ continue
+ fi
+ if pgrep -u "$(id -u)" -x librewolf >/dev/null 2>&1; then
+ echo "pteid-pkcs11: LibreWolf is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
+ exit 0
+ fi
+ modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
+ registered=$((registered + 1))
+done
+
+if [ "$registered" -gt 0 ]; then
+ echo "pteid-pkcs11: registered $MODULE_NAME in $registered LibreWolf profile(s)."
+fi
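Review bot: The `--env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX"` on the `flatpak override` call is sandbox-wide, so the pteid module's directory takes precedence over the runtime's library directories for every dlopen and ld.so lookup the browser performs, not only the PKCS#11 load. If that directory ships its own copies of libraries the browser or runtime already provides (the description names bundled libxerces and libcjose; whether common sonames such as libssl or libxml2 are also bundled is not visible here), the browser will silently load those copies instead, which at best changes behaviour and at worst pins old builds of security-sensitive libraries. A comment above the override making the trade-off explicit, e.g. `# NOTE: LD_LIBRARY_PATH is sandbox-wide; any soname in $SO_DIR shadows the runtime's copy for the whole browser — check the dir for collisions on bundle bumps.`, plus a listing of the directory when bumping the bundle, would keep the risk visible. Relatedly, `find ... -name 'libpteidpkcs11.so' ... | head -1` picks an arbitrary match if more than one exists (for example several arch subdirectories); piping through `sort` or asserting exactly one hit avoids a wrong-arch path being baked into both the override and the NSS database.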