From 64a07e0ed674066b52b7d3897c8edc5b4f13321a Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Fri, 3 Apr 2026 01:54:25 +0200
Subject: [PATCH] docs(service): clarify ACL setup requirements for service and
 interactive user access

---
 server/crates/arbiter-server/src/service/windows.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/crates/arbiter-server/src/service/windows.rs b/server/crates/arbiter-server/src/service/windows.rs
index 382ef4d..ce8ebcc 100644
--- a/server/crates/arbiter-server/src/service/windows.rs
+++ b/server/crates/arbiter-server/src/service/windows.rs
@@ -203,8 +203,9 @@ fn ensure_admin_rights() -> miette::Result<()> {
 }
 
 fn ensure_token_acl_contract(data_dir: &Path) -> miette::Result<()> {
-    // IMPORTANT: This ACL setup is intentionally explicit and should not be simplified away,
-    // because service-account and interactive-user access requirements are different in production.
+    // IMPORTANT: Keep this ACL setup explicit.
+    // The service account needs write access, while the interactive user only needs read access
+    // to the bootstrap token and service data directory.
     let target = data_dir.as_os_str();
 
     let status = Command::new("icacls")