diff --git a/pkgs/additional/sane-scripts/default.nix b/pkgs/additional/sane-scripts/default.nix
index e36f36fb..b049d3a4 100644
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@@ -1,111 +1,13 @@
 { lib
 , pkgs
-, resholve
 , static-nix-shell
 , symlinkJoin
 }:
 
 let
-  shell-scripts = resholve.mkDerivation {
-    # resholve documentation:
-    # - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
-    # - generic: https://github.com/abathur/resholve
-    pname = "sane-scripts";
-    version = "0.1.0";
-
-    src = ./src;
-
-    solutions = {
-      default = {
-        # note: `scripts` refers to the store path here
-        scripts = [ "bin/*" ];
-        interpreter = "${pkgs.bash}/bin/bash";
-        inputs = with pkgs; [
-          # string is interpreted as relative path from @OUT@.
-          # this lets our scripts reference eachother.
-          # see: <https://github.com/abathur/resholve/issues/26>
-          "bin"
-          coreutils-full
-          file
-          findutils
-          gnugrep
-          gnused
-          gocryptfs
-          ifuse
-          inetutils
-          iwd
-          jq
-          openssh
-          openssl
-          nix-shell-scripts.ip-check
-          nix-shell-scripts.mount-servo
-          rmlint
-          rsync
-          ssh-to-age
-          sops
-          sudo
-          systemd
-          util-linux
-          which
-        ];
-        keep = {
-          # we write here: keep it
-          "/tmp/rmlint.sh" = true;
-          # intentionally escapes (into user code)
-          "$external_cmd" = true;
-          "$maybe_sudo" = true;
-        };
-        fake = {
-          external = [
-            # https://github.com/abathur/resholve/issues/29
-            # "umount"
-            # "/run/wrappers/bin/sudo"
-            "sudo"
-          ];
-        };
-        fix = {
-          # this replaces umount with the non-setuid-wrapper umount.
-          # not sure if/where that lack of suid causes problems.
-          umount = true;
-        };
-        prologue = "${./resholve-prologue}";
-
-        # list of programs which *can* or *cannot* exec their arguments
-        execer = with pkgs; [
-          "cannot:${git}/bin/git"
-          "cannot:${gocryptfs}/bin/gocryptfs"
-          "cannot:${ifuse}/bin/ifuse"
-          "cannot:${iwd}/bin/iwctl"
-          "cannot:${openssh}/bin/ssh-keygen"
-          "cannot:${rmlint}/bin/rmlint"
-          "cannot:${rsync}/bin/rsync"
-          "cannot:${sops}/bin/sops"
-          "cannot:${ssh-to-age}/bin/ssh-to-age"
-          "cannot:${systemd}/bin/systemctl"
-        ];
-      };
-    };
-
-    patchPhase =
-      let
-        rmPy = builtins.concatStringsSep
-          "\n"
-          (lib.mapAttrsToList (name: pkg: "rm ${pkg.pname}") nix-shell-scripts)
-        ;
-      in ''
-        # remove python library files, and python binaries  (those are packaged further below)
-        rm -rf lib/
-        ${rmPy}
-      '';
-
-    installPhase = ''
-      mkdir -p $out/bin
-      cp -R * $out/bin/
-    '';
-  };
-
   nix-shell-scripts = {
     # anything added to this attrset gets symlink-joined into `sane-scripts`
+    # and is made available through `sane-scripts.passthru`
     backup-ls = static-nix-shell.mkBash {
       pname = "sane-backup-ls";
       src = ./src;
@@ -203,8 +105,8 @@ let
       src = ./src;
       pkgs = [ "sane-scripts.private-unlock" ];
     };
-    private-unlock = static-nix-shell.mkBash {
-      pname = "sane-private-unlock";
+    private-init = static-nix-shell.mkBash {
+      pname = "sane-private-init";
       src = ./src;
       pkgs = [ "gocryptfs" ];
     };
@@ -212,8 +114,8 @@ let
       pname = "sane-private-lock";
       src = ./src;
     };
-    private-init = static-nix-shell.mkBash {
-      pname = "sane-private-init";
+    private-unlock = static-nix-shell.mkBash {
+      pname = "sane-private-unlock";
       src = ./src;
       pkgs = [ "gocryptfs" ];
     };
@@ -227,15 +129,15 @@ let
       src = ./src;
       pkgs = [ "systemd" ];
     };
+    reclaim-boot-space = static-nix-shell.mkPython3Bin {
+      pname = "sane-reclaim-boot-space";
+      src = ./src;
+    };
     reclaim-disk-space = static-nix-shell.mkBash {
       pname = "sane-reclaim-disk-space";
       src = ./src;
       pkgs = [ "nix" "rmlint" "util-linux" ];
     };
-    reclaim-boot-space = static-nix-shell.mkPython3Bin {
-      pname = "sane-reclaim-boot-space";
-      src = ./src;
-    };
     secrets-dump = static-nix-shell.mkBash {
       pname = "sane-secrets-dump";
       src = ./src;
@@ -296,14 +198,18 @@ let
       src = ./src;
       pkgs = [ "coreutils-full" "file" ];
     };
+    wipe-browser = static-nix-shell.mkBash {
+      pname = "sane-wipe-browser";
+      src = ./src;
+    };
   };
 in
 symlinkJoin {
   name = "sane-scripts";
-  paths = [ shell-scripts ] ++ lib.attrValues nix-shell-scripts;
+  paths = lib.attrValues nix-shell-scripts;
   passthru = nix-shell-scripts;
   meta = {
-    description = "collection of scripts associated with uninsane systems";
+    description = "collection of scripts associated with sane systems";
     homepage = "https://git.uninsane.org";
     platforms = lib.platforms.all;
   };
diff --git a/pkgs/additional/sane-scripts/src/sane-wipe-browser b/pkgs/additional/sane-scripts/src/sane-wipe-browser
index 1e48fa71..5b88a296 100755
--- a/pkgs/additional/sane-scripts/src/sane-wipe-browser
+++ b/pkgs/additional/sane-scripts/src/sane-wipe-browser
@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
 # remove firefox/librewolf/chromium artifacts
 rm -rf \
   ~/.librewolf/default/* \