modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr

modules/programs/default.nix

@@ -105,21 +105,33 @@ let
             null;
           allowedPaths = expandSymlinks allowedPaths;
         };
-      in
-        makeSandboxed {
+        defaultProfile = sandboxProfilesFor config.sane.defaultUser;
+        makeSandboxedArgs = {
           inherit pkgName package;
           inherit (sandbox)
             binMap
             embedSandboxer
             wrapperType
           ;
-          # extraSandboxerArgs = lib.optionals sandbox.embedProfile [
-          #   "--sane-sandbox-profile-dir" "${profilePkg}/share/sane-sandboxed/profiles"
-          # ];
+        };
+      in
+        makeSandboxed (makeSandboxedArgs // {
           passthru = {
             inherit sandboxProfilesFor;
+            withEmbeddedSandboxer = makeSandboxed (makeSandboxedArgs // {
+              # embed the sandboxer AND a profile, whichever profile the package would have if installed by the default user.
+              # useful to iterate a package's sandbox config without redeploying.
+              embedSandboxer = true;
+              extraSandboxerArgs = [
+                "--sane-sandbox-profile-dir" "${defaultProfile}/share/sane-sandboxed/profiles"
+              ];
+            });
+            withEmbeddedSandboxerOnly = makeSandboxed (makeSandboxedArgs // {
+              # embed the sandboxer but no profile. useful pretty much only for testing changes within the actual sandboxer.
+              embedSandboxer = true;
+            });
           };
-        }
+        })
   );
   pkgSpec = with lib; types.submodule ({ config, name, ... }: {
     options = {

modules/programs/make-sandboxed.nix

@@ -276,7 +276,6 @@ let
       # allow the user to build this package, but sandboxed in a different manner.
       # e.g. `<pkg>.sandboxedBy.inplace`.
       inherit sandboxedBy;
-      withEmbeddedSandboxer = make-sandboxed (args // { embedSandboxer = true; });
     })
   ;
 in make-sandboxed