Set XDG_RUNTIME_DIR before any podman call in non-login shells

Podman uses XDG_RUNTIME_DIR for its RunRoot, events dirs, and default
socket path. Without it pointing to a writable location, podman fails
with 'mkdir /run/user/<uid>: permission denied' even before the socket
is created. Export it to /tmp/podman-<uid> when unset.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/start.sh

@@ -62,15 +62,19 @@ echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 # ── Ensure Podman socket is active ────────────────────────────────────────────
 # systemctl --user requires a D-Bus session (not available in non-interactive
 # shells). Use podman system service directly instead.
-# /run/user/<uid> is only created by PAM/logind during a real login session.
+# /run/user/<uid> is created by PAM/logind and doesn't exist in non-login
-# Fall back to /tmp when XDG_RUNTIME_DIR is not set.
+# shells. Podman uses XDG_RUNTIME_DIR for RunRoot, events dirs, and the
-_SOCK_DIR="${XDG_RUNTIME_DIR:-/tmp/podman-$(id -u)}"
+# default socket path, so we must set it to something writable before any
-PODMAN_SOCK="${_SOCK_DIR}/podman.sock"
+# podman invocation.
+if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
+    export XDG_RUNTIME_DIR="/tmp/podman-$(id -u)"
+    mkdir -p "$XDG_RUNTIME_DIR"
+fi
+PODMAN_SOCK="${XDG_RUNTIME_DIR}/podman.sock"
 export PODMAN_SOCK
 export DOCKER_HOST="unix://${PODMAN_SOCK}"
 if [ ! -S "$PODMAN_SOCK" ]; then
     echo "[hiy] Starting Podman socket via podman system service…"
-    mkdir -p "$_SOCK_DIR"
     podman system service --time=0 "unix://${PODMAN_SOCK}" &
     # Wait up to 5 s for the socket to appear
     for i in 1 2 3 4 5; do