2 files changed, 4 insertions, 4 deletions

diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc
index 80eb560..2729572 100644
--- a/dot_config/waybar/config.jsonc
+++ b/dot_config/waybar/config.jsonc
@@ -236,7 +236,7 @@
     "exec": "~/.config/waybar/pacdiff-status.sh",
     "return-type": "json",
     "interval": 300,
-    "on-click": "ghostty --class=floating -e sh -c 'DIFFPROG=\"nvim -d\" sudo pacdiff; printf \"\\n[done — press enter] \"; read _'",
+    "on-click": "ghostty --class=floating -e sh -c 'nvim=$(command -v nvim); DIFFPROG=\"$nvim -d\" sudo pacdiff; printf \"\\n[done — press enter] \"; read _'",
     "tooltip": true,
   },
 
diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh
index 92eb6a8..9712993 100755
--- a/dot_config/waybar/executable_pacdiff-status.sh
+++ b/dot_config/waybar/executable_pacdiff-status.sh
@@ -5,9 +5,9 @@
 # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu`
 # settle), so you're nudged exactly once per upgrade wave.
 #
-# Click handler runs `DIFFPROG='nvim -d' sudo pacdiff` in a floating
-# ghostty. DIFFPROG is propagated through sudo-rs by the env_keep policy
-# in etc/sudoers-rs (no -E needed — env_keep is unconditional pass-through).
+# Click handler resolves nvim to an absolute path, then runs sudo pacdiff with
+# DIFFPROG set to that absolute editor. sudo-rs keeps DIFFPROG, but root's
+# secure_path deliberately does not include the user's nix profile.
 
 set -eu