pass XAUTHORITY to builds for SDL display in X11 sessions

Copy Xauthority to a world-readable temp file so nix build users
(nixbld*) can authenticate to X11. Add --option sandbox relaxed so
__noChroot derivations can access the X11 socket and xauth file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cli.nix

@@ -168,16 +168,20 @@ pkgs.writeShellScriptBin "vmix" ''
   [[ -n "$TO_REMOTE_DISK" ]] && echo "To remote:  $TO_REMOTE_DISK"
   echo ""
 
-  # pass DISPLAY to nix builds via temp file (daemon sanitizes env vars)
+  # pass DISPLAY+XAUTHORITY to nix builds via temp file (daemon sanitizes env vars)
+  # copy Xauthority world-readable so nix build users (nixbld*) can authenticate to X11
   VMIX_DISPLAY_FILE="/tmp/.vmix-display-$$"
+  VMIX_XAUTH_FILE="/tmp/.vmix-xauth-$$"
   if [[ -n "''${DISPLAY:-}" ]]; then
-    echo "$DISPLAY" > "$VMIX_DISPLAY_FILE"
-    chmod 666 "$VMIX_DISPLAY_FILE"
+    cp "''${XAUTHORITY:-''${HOME}/.Xauthority}" "$VMIX_XAUTH_FILE"
+    chmod 644 "$VMIX_XAUTH_FILE"
+    printf '%s\n' "''${DISPLAY}" "$VMIX_XAUTH_FILE" > "$VMIX_DISPLAY_FILE"
+    chmod 644 "$VMIX_DISPLAY_FILE"
   fi
-  trap 'rm -f "$VMIX_DISPLAY_FILE"' EXIT
+  trap 'rm -f "$VMIX_DISPLAY_FILE" "$VMIX_XAUTH_FILE"' EXIT
 
   echo "Building image..."
-  ${pkgs.nix}/bin/nix build --out-link "$OUT_LINK" --print-build-logs --impure --expr "
+  ${pkgs.nix}/bin/nix build --out-link "$OUT_LINK" --print-build-logs --impure --option sandbox relaxed --expr "
     let
       vmixLib = (builtins.getFlake \"$FLAKE_DIR\").lib.${system};
       image = vmixLib.$IMAGE_NAME;