Pi agents fail because the agentd systemd service sees /tmp mounted read-only. The service sets ProtectSystem=strict and ReadWritePaths=/var/lib/omni /var/log/agentd, but /tmp is not explicitly listed. With ProtectSystem=strict, all paths are read-only by default except those in ReadWritePaths. Next step: find the nix config that generates /run/systemd/system/agentd.service (it is not in the usual Omni/Cloud/ structure) and add /tmp to ReadWritePaths.
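A way to check a generated unit before and after the change, as an added example (not code from the Omni repository): it parses the [Service] section and reports whether a path is writable under ProtectSystem=strict. The unit text, the sample paths and the function names are constructed for illustration; it also recognises PrivateTmp, the other systemd setting that gives a service a writable /tmp, and does not model ReadOnlyPaths, InaccessiblePaths or TemporaryFileSystem.

```python
import shlex

# Constructed unit text mirroring the settings in the note (not the real generated unit).
SAMPLE_UNIT = """\
[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/omni /var/log/agentd
"""

API_FS = ("/dev", "/proc", "/sys")   # not made read-only by ProtectSystem=strict
TRUE = ("yes", "true", "on", "1")

def parse_service(unit_text):
    """Collect the [Service] settings relevant to write access."""
    cfg = {"ProtectSystem": "no", "PrivateTmp": "no", "ReadWritePaths": []}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "ReadWritePaths":
                # Entries accumulate across lines; an empty value resets the list.
                # Optional "-" / "+" path prefixes are dropped for the comparison.
                cfg[key] = cfg[key] + [p.lstrip("-+") for p in shlex.split(value)] if value else []
            elif key in cfg:
                cfg[key] = value.lower()
    return cfg

def under(path, prefix):
    """True if path is prefix itself or lies below it (whole components only)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def is_writable(cfg, path):
    """Return (writable, reason) for an absolute path as seen by the service."""
    if cfg["ProtectSystem"] != "strict":
        raise ValueError("only ProtectSystem=strict is modelled here")
    if cfg["PrivateTmp"] in TRUE and any(under(path, t) for t in ("/tmp", "/var/tmp")):
        return True, "private /tmp from PrivateTmp"
    for rw in cfg["ReadWritePaths"]:
        if under(path, rw):
            return True, f"listed in ReadWritePaths ({rw})"
    if any(under(path, fs) for fs in API_FS):
        return True, "API file system exempt from strict"
    return False, "read-only under ProtectSystem=strict"

if __name__ == "__main__":
    cfg = parse_service(SAMPLE_UNIT)
    for p in ("/var/lib/omni/state", "/tmp/agent.lock"):
        print(p, *is_writable(cfg, p))
```

Feed it the output of `systemctl cat agentd` so drop-ins are included; on the live host, `systemctl show agentd -p ProtectSystem -p ReadWritePaths -p PrivateTmp` shows the values systemd actually applied.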