fix: [nomad-step-5] S5-fix-5 — chat.hcl tmpfs syntax: use mount block not tmpfs argument (#1012)

nomad/jobs/chat.hcl

@@ -89,17 +89,19 @@ job "chat" {
       config {
         image      = "disinto/chat:local"
         force_pull = false
-        # Sandbox hardening (#706): cap_drop ALL (no Linux capabilities)
+        # Sandbox hardening (#706):
-        # tmpfs /tmp for runtime files (64MB)
+        #   - cap_drop ALL (no Linux capabilities)
-        # pids_limit 128 (prevent fork bombs)
+        #   - tmpfs /tmp for runtime files (64MB)
+        #   - pids_limit 128 (prevent fork bombs)
         # ReadonlyRootfs enforced via entrypoint script (fails if running as root)
-        cap_drop   = ["ALL"]
+        # Security options:
-        tmpfs      = ["/tmp:size=64m"]
+        #   - apparmor=unconfined for Claude CLI ptrace access
-        pids_limit = 128
+        #   - no-new-privileges prevents privilege escalation
-        # Security options for sandbox hardening
+        cap_drop    = ["ALL"]
-        # apparmor=unconfined needed for Claude CLI ptrace access
+        pids_limit  = 128
-        # no-new-privileges prevents privilege escalation
         security_opt = ["apparmor=unconfined", "no-new-privileges"]
+        # tmpfs mounts via volumes config (Nomad Docker driver)
+        volumes = ["tmpfs:/tmp:size=64m"]
       }
 
       # ── Volume mounts ──────────────────────────────────────────────────────