ava.service repeatedly logs: '/var/lib/omni/logs/ava/2026-04-14.jsonl: withBinaryFile: permission denied'. Directory permissions are /var/lib/omni/logs/ava owned by ava:users mode 0755, while ava.service runs as ben, so ben cannot create files there. This breaks audit logging to /var/lib/omni/logs/ava and hides observability for message send issues.
Committed fix in f9629d3 (Ava.nix tmpfiles perms + AuditLog fallback writes).
Implemented two-part fix. (1) Infra: updated Omni/Dev/Beryllium/Ava.nix tmpfiles modes for /var/lib/omni/logs, /var/lib/omni/logs/ava, /var/lib/omni/logs/subagents from 0755 to 2775 (ava:users) so ben-run ava.service can append logs. (2) Runtime resilience: updated Omni/Agent/AuditLog.hs to fallback-write to XDG data dir logs (~/.local/share/omni/logs/{ava,subagents}) when primary /var/lib path is not writable, and read APIs now merge primary + fallback logs. Verified with typecheck.sh Omni/Agent/AuditLog.hs and bild --test Omni/Agent/AuditLog.hs.