From b648163055b76bee9d7c4229f97b0716af0d41f4 Mon Sep 17 00:00:00 2001
From: Charlie Savage
Date: Thu, 30 Apr 2026 21:10:57 -0700
Subject: [PATCH] fix: write CA certs to XDG_RUNTIME_DIR for per-user isolation
---
 src/container/ca.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/container/ca.ts b/src/container/ca.ts
index 0d526b9..52a0eba 100644
--- a/src/container/ca.ts
+++ b/src/container/ca.ts
@@ -9,12 +9,17 @@ const SYSTEM_CA_PATHS = [
 "/etc/pki/tls/certs/ca-bundle.crt", // RHEL / CentOS / Fedora
 ];
 
+/** Per-user cache dir. XDG_RUNTIME_DIR is per-user on Linux; tmpdir() fallback covers macOS/Windows. */
+function caCacheDir(): string {
+ return process.env.XDG_RUNTIME_DIR ?? tmpdir();
+}
+
 /**
- * Write the proxy CA certificate PEM to a temp file on the host.
+ * Write the proxy CA certificate PEM to a per-user file on the host.
 * Returns the path to the written file.
 */
 export function writeCaCertificate(caCertificate: string): string {
- const outPath = join(tmpdir(), "onecli-proxy-ca.pem");
+ const outPath = join(caCacheDir(), "onecli-proxy-ca.pem");
 writeFileSync(outPath, caCertificate);
 return outPath;
 }
@@ -28,7 +33,7 @@ export function buildCombinedCaBundle(caCertificate: string): string | null {
 try {
 const sysCa = readFileSync(sysPath, "utf8");
 const combined = sysCa.trimEnd() + "\n" + caCertificate.trimEnd() + "\n";
- const outPath = join(tmpdir(), "onecli-combined-ca.pem");
+ const outPath = join(caCacheDir(), "onecli-combined-ca.pem");
 writeFileSync(outPath, combined);
 return outPath;
 } catch {
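Review bot: In `caCacheDir()`, `process.env.XDG_RUNTIME_DIR ?? tmpdir()` falls back only when the variable is undefined, so an empty value makes `join()` produce a path relative to the working directory, and on a Linux host where the variable is unset the result is still the shared temp directory (normally `/tmp`) with a fixed file name. In that second case another local account could create `onecli-proxy-ca.pem` first and stay the owner of the file this process then writes its trust anchor into, which is the exposure the commit sets out to close. The XDG Base Directory specification also says relative values should be ignored. I would validate the variable and, on POSIX, fall back to a 0700 subdirectory whose owner and mode are checked before use, as sketched below; `isAbsolute`, `mkdirSync` and `lstatSync` would need importing, and the import block is outside the hunk. The same helper feeds `onecli-combined-ca.pem` in the second hunk, so the fix covers both writes.

```typescript
function caCacheDir(): string {
  const runtimeDir = process.env.XDG_RUNTIME_DIR;
  // Empty or relative values are invalid per the XDG spec; ignore them.
  if (runtimeDir && isAbsolute(runtimeDir)) {
    return runtimeDir;
  }
  const base = tmpdir();
  if (typeof process.getuid !== "function") {
    return base; // no POSIX uid (Windows): keep the tmpdir() behaviour
  }
  // POSIX fallback: a private subdirectory instead of a fixed name in a shared temp dir.
  const uid = process.getuid();
  const dir = join(base, `onecli-${uid}`);
  mkdirSync(dir, { recursive: true, mode: 0o700 });
  const st = lstatSync(dir); // lstat so a pre-planted symlink is rejected, not followed
  if (!st.isDirectory() || st.uid !== uid || (st.mode & 0o077) !== 0) {
    throw new Error(`refusing to use ${dir}: not a private directory owned by uid ${uid}`);
  }
  return dir;
}
```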
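Review bot: In `buildCombinedCaBundle`, the `writeFileSync(outPath, combined)` call sits inside the `try`, so a failure caused by the cache directory (for example an `XDG_RUNTIME_DIR` that no longer exists) is swallowed by the bare `catch {` that closes this hunk, while `writeCaCertificate` throws for the same condition. The catch body and the rest of the function are outside the hunk, so the outcome is inferred, but given the `string | null` return type the caller probably gets a silent `null` and runs without the combined bundle. I would narrow the `try` to the `readFileSync(sysPath, "utf8")` call, so that only an unreadable system bundle is skipped and a write error propagates. At minimum, bind the error with `} catch (err) {` and log it.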