initial implementation: multi-user Steam shared library via bwrap overlay

Share one Steam game library across multiple Linux users with fully
isolated Proton prefixes. Uses bubblewrap to create a per-user kernel
overlay on /opt/steam/steamapps/compatdata/ so game files stay shared
while Proton prefixes are isolated per user, with no compatibility
tool selection or per-game configuration required.

Includes:
- steam-shared launcher that sets up the per-user overlay and execs
  Steam inside a bwrap mount namespace
- activate/uninstall scripts plus an add-user helper for steamshare
  group membership
- permission watcher (steam-fix-perms.path/.service) to keep ACLs
  correct under pressure-vessel's restrictive mode bits
- .desktop override that routes the system Steam launcher through
  steam-shared
- Nix flake exposing activate, uninstall, and add-user packages
- design doc and implementation plan covering the approach

scripts/fix-perms.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# fix-perms.sh — fix permissions on the shared Steam library
+# Called by systemd path unit when pressure-vessel creates dirs with
+# restrictive permissions. Also safe to run manually.
+
+set -uo pipefail
+
+STEAM_DIR="/opt/steam"
+STEAM_GROUP="steamshare"
+
+# fix dirs missing group rwx (pressure-vessel tmp-*, var/, etc.)
+find "$STEAM_DIR/steamapps" -type d ! -perm -g+rwx -exec chmod 2775 {} +
+
+# fix files missing group rw
+find "$STEAM_DIR/steamapps" -type f ! -perm -g+rw -exec chmod g+rw {} +
+
+# restore execute bits on ELF binaries and shebang scripts
+find "$STEAM_DIR/steamapps" -type f ! -perm -a+x -exec sh -c '
+	for f; do
+		head -c4 "$f" 2>/dev/null | grep -qP "^\x7fELF|^#!" && chmod a+x "$f"
+	done
+' _ {} +
+
+# fix group ownership (skip broken symlinks)
+find "$STEAM_DIR/steamapps" -not -type l ! -group "$STEAM_GROUP" -exec chown root:"$STEAM_GROUP" {} +
+find "$STEAM_DIR/steamapps" -type l ! -group "$STEAM_GROUP" -exec chown -h root:"$STEAM_GROUP" {} + 2>/dev/null || true