fix: Update installation scripts and docs for inventory path

- Create /var/lib/systemmanager directory in install scripts
- Add /var/lib/systemmanager to ReadWritePaths in systemd service
- Update all documentation to use correct inventory path
- Add ProtectHome=yes to systemd service for consistency
- Update README.md, docs/inventory.md, INVENTORY_IMPLEMENTATION.md
- Fixes deployment issue where inventory couldn't be saved

This ensures the inventory feature works correctly on fresh installations.

Author: mdlmarkham

INVENTORY_IMPLEMENTATION.md

@@ -263,7 +263,7 @@ Knows what needs to be moved and where data is stored.
 
 ### Inventory Storage
 
-**File:** `/opt/systemmanager/inventory.json`
+**File:** `/var/lib/systemmanager/inventory.json`
 
 **Format:**
 ```json
@@ -368,7 +368,7 @@ print(response.json())
 EOF
 
 # 4. View inventory file
-ssh root@dev1.tailf9480.ts.net "cat /opt/systemmanager/inventory.json"
+ssh root@dev1.tailf9480.ts.net "cat /var/lib/systemmanager/inventory.json"
 ```
 
 ---

README.md

@@ -360,7 +360,7 @@ When managing multiple LXC containers with a single AI:
 1. Each system gets a unique identifier: `hostname-containerID` (e.g., `dev1-103`)
 2. The inventory tracks what's running on each system
 3. AI provides context-aware suggestions based on what you have installed
-4. Inventory stored in `/opt/systemmanager/inventory.json` per system
+4. Inventory stored in `/var/lib/systemmanager/inventory.json` per system
 
 ### Benefits
 

ct/install.sh

@@ -146,19 +146,30 @@ fi
 chmod 600 $INSTALL_DIR/.env
 msg_ok "Configured Authentication ($AUTH_MODE)"
 
+msg_info "Creating Inventory Directory"
+mkdir -p /var/lib/systemmanager
+chown root:root /var/lib/systemmanager
+chmod 755 /var/lib/systemmanager
+msg_ok "Created Inventory Directory"
+
 msg_info "Creating Systemd Service"
 cat > /etc/systemd/system/systemmanager-mcp.service << EOF
 [Unit]
-Description=SystemManager MCP Server
+Description=SystemManager MCP Server with OAuth/OIDC
+Documentation=https://github.com/mdlmarkham/SystemManager
 After=network-online.target docker.service
 Wants=network-online.target
 
 [Service]
 Type=simple
 User=root
+Group=root
 WorkingDirectory=$INSTALL_DIR
 Environment="PATH=$INSTALL_DIR/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Load secrets from protected environment file
 EnvironmentFile=$INSTALL_DIR/.env
+
 ExecStart=$INSTALL_DIR/venv/bin/python -m src.mcp_server
 Restart=on-failure
 RestartSec=10
@@ -168,7 +179,8 @@ StandardError=journal
 # Security hardening
 PrivateTmp=yes
 ProtectSystem=strict
-ReadWritePaths=$INSTALL_DIR
+ProtectHome=yes
+ReadWritePaths=$INSTALL_DIR /var/lib/systemmanager
 NoNewPrivileges=true
 
 [Install]

docs/inventory.md

@@ -190,7 +190,7 @@ add_application_to_inventory(
 
 ## Inventory File Format
 
-The inventory is stored as JSON at `/opt/systemmanager/inventory.json`:
+The inventory is stored as JSON at `/var/lib/systemmanager/inventory.json`:
 
 ```json
 {
@@ -275,7 +275,7 @@ Get complete inventory (system identity + applications + stacks).
   },
   "applications": {...},
   "stacks": {...},
-  "inventory_path": "/opt/systemmanager/inventory.json"
+  "inventory_path": "/var/lib/systemmanager/inventory.json"
 }
 ```
 
@@ -458,12 +458,12 @@ add_application_to_inventory(name="app-name", version="correct-version", ...)
 
 ### Multiple Systems Using Same Inventory File
 
-Each SystemManager instance should have its own inventory file. By default, it's stored at `/opt/systemmanager/inventory.json` on each LXC container.
+Each SystemManager instance should have its own inventory file. By default, it's stored at `/var/lib/systemmanager/inventory.json` on each LXC container.
 
 If running multiple instances on the same host (not recommended), set different paths:
 
 ```bash
-export SYSTEMMANAGER_INVENTORY="/opt/systemmanager/inventory-dev1.json"
+export SYSTEMMANAGER_INVENTORY="/var/lib/systemmanager/inventory-dev1.json"
 ```
 
 ## Future Enhancements

install.sh

@@ -146,19 +146,30 @@ fi
 chmod 600 $INSTALL_DIR/.env
 msg_ok "Configured Authentication ($AUTH_MODE)"
 
+msg_info "Creating Inventory Directory"
+mkdir -p /var/lib/systemmanager
+chown root:root /var/lib/systemmanager
+chmod 755 /var/lib/systemmanager
+msg_ok "Created Inventory Directory"
+
 msg_info "Creating Systemd Service"
 cat > /etc/systemd/system/systemmanager-mcp.service << EOF
 [Unit]
-Description=SystemManager MCP Server
+Description=SystemManager MCP Server with OAuth/OIDC
+Documentation=https://github.com/mdlmarkham/SystemManager
 After=network-online.target docker.service
 Wants=network-online.target
 
 [Service]
 Type=simple
 User=root
+Group=root
 WorkingDirectory=$INSTALL_DIR
 Environment="PATH=$INSTALL_DIR/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Load secrets from protected environment file
 EnvironmentFile=$INSTALL_DIR/.env
+
 ExecStart=$INSTALL_DIR/venv/bin/python -m src.mcp_server
 Restart=on-failure
 RestartSec=10
@@ -168,7 +179,8 @@ StandardError=journal
 # Security hardening
 PrivateTmp=yes
 ProtectSystem=strict
-ReadWritePaths=$INSTALL_DIR
+ProtectHome=yes
+ReadWritePaths=$INSTALL_DIR /var/lib/systemmanager
 NoNewPrivileges=true
 
 [Install]