From 066df8cc91966a0fbe5b2a32c45ad984fd9ae468 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Mon, 15 Jun 2026 00:55:44 +0100 Subject: Use absolute editor commands under sudo Resolve nvim before exporting editor and pager variables so sudo-rs env_keep does not depend on root's secure_path. Update the Waybar pacdiff action to pass an absolute DIFFPROG through sudo. --- dot_config/waybar/executable_pacdiff-status.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'dot_config/waybar/executable_pacdiff-status.sh') diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh index 92eb6a8..9712993 100755 --- a/dot_config/waybar/executable_pacdiff-status.sh +++ b/dot_config/waybar/executable_pacdiff-status.sh @@ -5,9 +5,9 @@ # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu` # settle), so you're nudged exactly once per upgrade wave. # -# Click handler runs `DIFFPROG='nvim -d' sudo pacdiff` in a floating -# ghostty. DIFFPROG is propagated through sudo-rs by the env_keep policy -# in etc/sudoers-rs (no -E needed — env_keep is unconditional pass-through). +# Click handler resolves nvim to an absolute path, then runs sudo pacdiff with +# DIFFPROG set to that absolute editor. sudo-rs keeps DIFFPROG, but root's +# secure_path deliberately does not include the user's nix profile. set -eu -- cgit v1.3.1
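Review bot: The rewritten header comment (the three `+` lines just above `set -eu`) drops two details the old text carried: the pointer to `etc/sudoers-rs` as the place where the env_keep policy lives, and the exact DIFFPROG value (`nvim -d`). From the new wording a reader cannot tell whether diff mode is still passed, or where to look when DIFFPROG stops propagating through sudo-rs. Suggest keeping the file reference and spelling out the shape of the value, for example "DIFFPROG set to '<absolute nvim path> -d'" if `-d` is still used. The comment also describes a resolution step, while this hunk changes comment lines only, so it should say where the click handler lives and what happens when nvim cannot be resolved, given the script runs under `set -eu`.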