From 31e2f63f1bc5f7dacd8b3aff82b14bf1beab4992 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sat, 18 Apr 2026 12:43:08 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-5=20=E2=80=94=20?=
 =?UTF-8?q?chat.hcl=20tmpfs=20syntax:=20use=20mount=20block=20not=20tmpfs?=
 =?UTF-8?q?=20argument=20(#1012)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 nomad/jobs/chat.hcl | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/nomad/jobs/chat.hcl b/nomad/jobs/chat.hcl
index ead8e71..ad18cec 100644
--- a/nomad/jobs/chat.hcl
+++ b/nomad/jobs/chat.hcl
@@ -89,13 +89,18 @@ job "chat" {
       config {
         image      = "disinto/chat:local"
         force_pull = false
-        # Sandbox hardening (#706): cap_drop ALL (no Linux capabilities)
-        # tmpfs /tmp for runtime files (64MB)
-        # pids_limit 128 (prevent fork bombs)
+        # Sandbox hardening (#706): cap_drop ALL, pids_limit 128, tmpfs /tmp
         # ReadonlyRootfs enforced via entrypoint script (fails if running as root)
         cap_drop   = ["ALL"]
-        tmpfs      = ["/tmp:size=64m"]
         pids_limit = 128
+        mount {
+          type     = "tmpfs"
+          target   = "/tmp"
+          readonly = false
+          tmpfs_options {
+            size = 67108864  # 64MB in bytes
+          }
+        }
         # Security options for sandbox hardening
         # apparmor=unconfined needed for Claude CLI ptrace access
         # no-new-privileges prevents privilege escalation
-- 
2.49.1