From 600f1f933c893325d62163e6057cdf8b9d66ffa8 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 20 Jun 2026 20:25:55 +0000
Subject: [PATCH] Create Claude auth state directories

The first live renewal run showed systemd could not create state beneath a read-only home sandbox. Provision each user's writable state directory before enabling the timer so automatic renewal can run.
---
 scripts/t3-provision-users.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/scripts/t3-provision-users.sh b/scripts/t3-provision-users.sh
index 04e90158..bd06b8e8 100644
--- a/scripts/t3-provision-users.sh
+++ b/scripts/t3-provision-users.sh
@@ -272,6 +272,15 @@ install_claude_auth_sync() {
 token_file="$cfg/vault-token"
 policy="workstation-claude-$user"
+ # The service sandbox makes the rest of $HOME read-only. Pre-create every
+ # writable path before systemd enters that sandbox; ReadWritePaths cannot
+ # create a missing child beneath a read-only parent.
+ if [[ "$DRY_RUN" == 1 ]]; then
+ echo "[dry-run] ensure Claude-auth state dirs -> $user"
+ else
+ install -d -o "$user" -g "$user" -m 0700 "$cfg" "$home/.local/state/claude-auth-sync"
+ fi
+
 if [[ ! -s "$token_file" ]]; then
 if [[ "$DRY_RUN" == 1 ]]; then
 echo "[dry-run] mint scoped Claude-auth Vault token -> $user"
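Review bot: `install -d` applies `-o`/`-g`/`-m` only to the leaf directories it is given, so any missing parent such as `$home/.local` or `$home/.local/state` is created with default attributes (owned by the invoking account, presumably root, with a umask-derived mode), which leaves the user unable to create anything else under `~/.local/state` even though `claude-auth-sync` itself is correct. Create the parents explicitly before the leaf and guard the call so an existing parent keeps its current mode, e.g. `[[ -d "$home/.local/state" ]] || install -d -o "$user" -g "$user" -m 0755 "$home/.local" "$home/.local/state"` placed before the existing `install -d ... -m 0700` line. `-g "$user"` also assumes a same-named primary group exists for every provisioned user; `-g "$(id -gn "$user")"` holds where that convention is not followed. install_claude_auth_sync starts before the hunk, so where `$home` and `$cfg` are derived is not visible here; since this runs as root over a user-writable home, it is worth confirming both are set (under `set -u`) and come from the account database rather than from caller input.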