The agent service was running as User=erik, which meant:
- Sessions polluted erik's ~/.claude/projects/
- erik's .claude/settings.local.json (months of accumulated dev permissions
for docker/git/dotnet/etc.) was loaded by the production agent, defeating
the --allowed-tools whitelist
- Subscription rate quota mingled between human-erik's interactive Claude
Code use and the production assistant
- Theoretical access to /home/erik/.ssh, .bash_history, .gitconfig
Now:
- User=overlord-agent (system account, no shell, /var/lib/overlord-agent home)
- HOME=/var/lib/overlord-agent — claude state fully isolated from erik
- /home/erik/.claude permissions tightened to 0700 (was 0755)
- group=overlord-agent on the repo + /etc/overlord/agent.env (read-only)
Project settings:
- New strict committed .claude/settings.json: deny Bash/Read/Write/Edit/
Glob/Grep/NotebookEdit/WebSearch; allow only WebFetch(domain:acpedia.org)
- .claude/settings.local.json now gitignored (was leaking dev permissions
to the server through the deploy)
