bonsai: place the socket in a subdirectory to improve sandboxing

hosts/common/programs/bonsai.nix

@@ -103,11 +103,19 @@ in
       };
     };
 
+    packageUnwrapped = pkgs.bonsai.overrideAttrs (upstream: {
+      # patch to place the socket in a subdirectory where it can be sandboxed
+      postPatch = (upstream.postPatch or "") + ''
+        substituteInPlace cmd/{bonsaictl,bonsaid}/main.ha \
+          --replace-fail 'path::set(&buf, statedir, "bonsai")' 'path::set(&buf, statedir, "bonsai/bonsai")'
+      '';
+    });
+
     fs.".config/bonsai/bonsai_tree.json".symlink.text = builtins.toJSON cfg.config.transitions;
 
     sandbox.method = "bwrap";
     sandbox.extraRuntimePaths = [
-      "/"  #< just needs "bonsai", but needs to create it first...
+      "bonsai"
     ];
 
     services.bonsaid = {
@@ -115,10 +123,13 @@ in
       dependencyOf = [ "sway" ];  # to ensure `$XDG_RUNTIME_DIR/bonsai` exists before sway binds it
       partOf = [ "graphical-session" ];
       # nice -n -11 chosen arbitrarily. i hope this will allow for faster response to inputs, but without audio underruns (pipewire is -21, dino -15-ish)
-      command = "nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json";
+      command = pkgs.writeShellScript "bonsai-start" ''
-      cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai";
+        mkdir -p $XDG_RUNTIME_DIR/bonsai
+        exec nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json
+      '';
+      cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai/bonsai";
       readiness.waitExists = [
-        "$XDG_RUNTIME_DIR/bonsai"
+        "$XDG_RUNTIME_DIR/bonsai/bonsai"
       ];
     };
   };