docs: #7 exhaustive isolation — seccomp ruled out; fmcd runs standalone, orchestrator-managed fails (open)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/HANDOFF-2026-06-20-mesh-netbird.md

@@ -51,12 +51,18 @@ claude-login.html, chown 1000:1000, restart, verify sha256+health). Recreate fro
 - **#1 companion crash** — added an on-screen red error overlay (`242baf5d`) since chrome://inspect isn't
   reachable on the WebView; user reproduces → screenshots the box → that's the real error to fix on.
 - **#7 NEW: can't add Fedimint federations on `.116`** — fmcd sidecar crash-loops `Operation not permitted
-  (os error 1)` on every start (DHT can't bootstrap), so `:8178` answers HTTP 000 and `wallet.fedimint-join`
-  fails. fmcd data dir IS correctly owned (100999). NODE-SPECIFIC: fmcd WORKS on `.198` (spent notes there),
-  fails only on `.116` → likely a seccomp/rootless syscall restriction on `.116`'s kernel (6.12.74).
-  Survives container recreate (reconciler made a fresh fedimint-clientd, still EPERM). NOT the ecash code.
-  Likely fix: add `--security-opt seccomp=unconfined` (or the specific cap) to the fmcd container spec, or
-  disable the fmcd DHT. WORKAROUND: test fedimint on `.198`/`.89`, not `.116`.
+  (os error 1)`, so `:8178` answers HTTP 000 and `wallet.fedimint-join` fails. fmcd WORKS on `.198`/`.89`.
+  EXHAUSTIVE black-box isolation on `.116` (seccomp default vs unconfined; cap-drop ALL vs caps restored;
+  fresh data vs a `cp -a` COPY of the real /data; default net vs archy-net; /data 755 vs 777) — **fmcd ran
+  in EVERY standalone `podman run` config**, including full real security (cap-drop ALL + readonly +
+  no-new-priv + archy-net + copy of real data). Only the ORCHESTRATOR-created container EPERMs. So:
+  - **seccomp is NOT the cause** (default-seccomp standalone runs) — the seccomp "fix" was reverted (`63b98599`).
+  - NOT caps, NOT /data perms/ownership, NOT the existing multimint.db (the copy runs), NOT archy-net.
+  - The differentiator is something specific to the orchestrator's libpod-API create vs `podman run` that I
+    did NOT pin (a related symptom: the orchestrator's volume self-heal logs `chown /data: Operation not
+    permitted` because the container has cap-drop ALL → no CAP_CHOWN). NEXT: create fmcd via the libpod API
+    socket directly (replicating prod_orchestrator's exact body) to repro outside the orchestrator, then diff.
+  WORKAROUND for now: **test Fedimint on `.198`/`.89` (working fmcd), not `.116`.** Not the ecash code.
 - Deploy: all 6 nodes verified on `e1f2e88`; pushed gitea-vps2 (gitea-local token still 401s).
 
 ## SESSION 2 PROGRESS (2026-06-20, code-complete — NOT yet deployed; user held deploy)