From c1519b3eb5bc6554e0007bd2273dc6e5321f34a3 Mon Sep 17 00:00:00 2001 From: Fredrik Wahlberg Date: Sat, 27 Dec 2025 14:18:28 +0100 Subject: [PATCH] Update ROADMAP: Document Phase 6 lessons learned Key discoveries during systemd service implementation: - AmbientCapabilities doesn't work in user services - NoNewPrivileges prevents file capabilities - Must use setcap with readlink -f on actual binary --- ROADMAP.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ROADMAP.md b/ROADMAP.md index e0a5b7f..4741003 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -289,11 +289,17 @@ config/sensorpajen.env - User service for easier management (no sudo required) - Service ready for installation on Raspberry Pi - Comprehensive documentation provided +- **Important discoveries**: + - `AmbientCapabilities` does NOT work in user services (only system services) + - Must use `setcap` on the Python binary instead + - `NoNewPrivileges=true` prevents file capabilities from working - must be disabled + - Capabilities must be set on actual binary, not symlinks: `setcap ... $(readlink -f python3)` #### Tasks: - ✅ Created systemd/sensorpajen.service - ✅ Created systemd/README.md with full documentation - ✅ Service management and troubleshooting guides included +- ✅ Tested and verified working on Raspberry Pi ---
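Review bot: The last added bullet under "Important discoveries", `setcap ... $(readlink -f python3)`, does not say which interpreter `python3` resolves to. That matters because a file capability on the resolved binary applies to every script run with that interpreter, not only to sensorpajen. If `python3` is a virtualenv symlink, `readlink -f` will typically resolve to the system interpreter. I'd suggest the entry name the intended target explicitly (for example a dedicated copy of the interpreter that only the service user can execute) and note that the capability has to be reapplied whenever that binary is replaced by an upgrade. The `NoNewPrivileges=true` bullet also says it "must be disabled" without recording what hardening remains in the unit. Listing the remaining restrictions and the exact capability set elided as `...`, either here or in systemd/README.md, would let a reader judge the trade-off from this entry alone.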