modules/programs: implement a whitelistSecurityKeys sandboxing option

modules/programs/default.nix

@@ -575,6 +575,15 @@ let
           allow the program to start/stop s6 services.
         '';
       };
+      sandbox.whitelistSecurityKeys = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow sandbox to freely interact with hardware security keys, like Yubikeys.
+          it would seem the protocol for interacting with these is fairly ad-hoc, and based upon USB HID.
+          so generally this option over-exposes, and grants the sandbox access to *all* USB HID devices.
+        '';
+      };
       sandbox.whitelistSendNotifications = mkOption {
         type = types.bool;
         default = false;
@@ -818,6 +827,38 @@ let
           "/sys/devices"
           "/sys/firmware"  #< for moby camera, to parse its devicetree
           # "/dev"
+        ] ++ lib.optionals config.sandbox.whitelistSecurityKeys [
+          "/dev/hidraw0"
+          "/dev/hidraw1"
+          "/dev/hidraw2"
+          "/dev/hidraw3"
+          "/dev/hidraw4"
+          "/dev/hidraw5"
+          "/dev/hidraw6"
+          "/dev/hidraw7"
+          "/dev/hidraw8"
+          "/dev/hidraw9"
+          "/dev/hidraw10"
+          "/dev/hidraw11"
+          "/dev/hidraw12"
+          "/dev/hidraw13"
+          "/dev/hidraw14"
+          "/dev/hidraw15"
+          "/dev/hidraw16"
+          "/dev/hidraw17"
+          "/dev/hidraw18"
+          "/dev/hidraw19"
+          "/dev/hidraw20"
+          "/dev/hidraw21"
+          "/dev/hidraw22"
+          "/dev/hidraw23"
+          "/dev/hidraw24"
+          "/dev/hidraw25"
+          "/dev/hidraw26"
+          "/dev/hidraw27"
+          "/dev/hidraw28"
+          "/dev/hidraw29"
+          "/sys/class/hidraw"
         ] ++ lib.optionals config.sandbox.whitelistSystemctl [
           "/run/systemd/system"  # TODO(2025-01-20): still necessary?
           "/run/systemd/private"