programs: mpv: tighten the /run/user portion of the sandbox

hosts/common/programs/mpv.nix

@@ -66,6 +66,8 @@ in
     sandbox.autodetectCliPaths = true;
     sandbox.net = "all";
     sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
+    sandbox.whitelistDbus = true;  #< mpris
+    sandbox.whitelistAudio = true;
     sandbox.extraHomePaths = [
       ".config/mpv"  #< else mpris plugin crashes on launch
       # it's common for album (or audiobook, podcast) images/lyrics/metadata to live adjacent to the primary file.
@@ -74,6 +76,7 @@ in
       "Videos"
       "Books"
     ];
+    sandbox.extraRuntimePaths = [];
 
     persist.byStore.plaintext = [ ".local/state/mpv/watch_later" ];
     fs.".config/mpv/input.conf".symlink.text = let