initial implementation: multi-user Steam shared library via bwrap overlay

Share one Steam game library across multiple Linux users with fully
isolated Proton prefixes. Uses bubblewrap to create a per-user kernel
overlay on /opt/steam/steamapps/compatdata/ so game files stay shared
while Proton prefixes are isolated per user, with no compatibility
tool selection or per-game configuration required.

Includes:
- steam-shared launcher that sets up the per-user overlay and execs
  Steam inside a bwrap mount namespace
- activate/uninstall scripts plus an add-user helper for steamshare
  group membership
- permission watcher (steam-fix-perms.path/.service) to keep ACLs
  correct under pressure-vessel's restrictive mode bits
- .desktop override that routes the system Steam launcher through
  steam-shared
- Nix flake exposing activate, uninstall, and add-user packages
- design doc and implementation plan covering the approach

scripts/add-user.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# add-user.sh — add a user to the shared Steam library
+# Requires sudo.
+set -euo pipefail
+
+STEAM_GROUP="steamshare"
+
+if [[ $EUID -ne 0 ]]; then
+	echo "error: run this script with sudo" >&2
+	exit 1
+fi
+
+if [[ $# -eq 0 ]]; then
+	echo "usage: $0 <username> [username...]" >&2
+	exit 1
+fi
+
+if ! getent group "$STEAM_GROUP" >/dev/null 2>&1; then
+	echo "error: group '$STEAM_GROUP' does not exist — run activate first" >&2
+	exit 1
+fi
+
+for user in "$@"; do
+	if ! id "$user" &>/dev/null; then
+		echo "  $user: user does not exist, skipping" >&2
+		continue
+	fi
+
+	if id -nG "$user" | grep -qw "$STEAM_GROUP"; then
+		echo "  $user: already in $STEAM_GROUP"
+	else
+		usermod -aG "$STEAM_GROUP" "$user"
+		echo "  $user: added to $STEAM_GROUP (log out and back in to take effect)"
+	fi
+done