refactor(ai-stack): unified service account to autobot:autobot (#4091)

All AutoBot services on a host now use the same autobot:autobot account,
eliminating the confusing split between backend (autobot) and ai-stack (autobot-ai).

Changes:
- ai-stack role defaults: ai_user/ai_group now 'autobot' instead of 'autobot-ai'
- ai_data_dir changed from /var/lib/autobot-ai to /var/lib/autobot (shared)
- Removed separate autobot-ai account creation in ai-stack tasks
- Removed ai_user/ai_group override in setup_wizard auto-inject

Benefits:
- Simpler permissions and ownership model
- No permission conflicts during co-location
- Consistent with backend service model
- Eliminates need for auto-inject overrides

Related: #3501, #3097, #4088 (EnvironmentFile fix)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: mrveiss

autobot-slm-backend/ansible/roles/ai-stack/defaults/main.yml

@@ -2,15 +2,16 @@
 # Copyright (c) 2025 mrveiss
 # Author: mrveiss
 ---
-# AI Stack configuration defaults  (#926 Phase 4: per-role account + scoped dir)
-ai_service_account: autobot-ai
-ai_user: autobot-ai
-ai_group: autobot-ai
+# AI Stack configuration defaults  (#926 Phase 4: unified service account)
+# All AutoBot services on a host use autobot:autobot regardless of role (#4091).
+# This simplifies permissions and avoids ownership conflicts during co-location.
+ai_service_account: autobot
+ai_user: autobot
+ai_group: autobot
 ai_install_dir: /opt/autobot/autobot-ai-stack
 ai_log_dir: /var/log/autobot
-# Issue #3097: ai-stack gets its own /var/lib/autobot-ai to avoid ownership
-# conflict with /var/lib/autobot (owned by autobot:autobot for the backend).
-ai_data_dir: /var/lib/autobot-ai
+# Issue #3097: ai-stack and backend share /var/lib/autobot for data storage
+ai_data_dir: /var/lib/autobot
 
 # Co-located backend (used when ai-stack runs on the same host as autobot-backend)
 backend_install_dir: /opt/autobot/autobot-backend
@@ -20,7 +21,7 @@ ai_host: "0.0.0.0"
 ai_port: 8080
 
 # ChromaDB
-chromadb_persist_dir: /var/lib/autobot-ai/chromadb
+chromadb_persist_dir: /var/lib/autobot/chromadb
 chromadb_host: "0.0.0.0"
 chromadb_port: 8100
 

autobot-slm-backend/ansible/roles/ai-stack/tasks/main.yml

@@ -13,25 +13,10 @@
   tags: ['clean']
 
 # ============================================================
-# Per-role service account  (#926 Phase 4)
+# Service account setup (#926 Phase 4, #4091: unified autobot account)
 # ============================================================
-- name: "AI Stack | Create autobot-ai system group"
-  ansible.builtin.group:
-    name: "{{ ai_group }}"
-    system: true
-    state: present
-  tags: ['ai', 'users']
-
-- name: "AI Stack | Create per-role service account"
-  ansible.builtin.user:
-    name: "{{ ai_user }}"
-    system: true
-    shell: /usr/sbin/nologin
-    create_home: false
-    group: "{{ ai_group }}"
-    comment: "AutoBot AI stack service account"
-    state: present
-  tags: ['ai', 'users']
+# AI Stack uses the existing autobot:autobot account created by backend role.
+# No separate account creation needed — all AutoBot services share autobot.
 
 # ============================================================
 # Per-role env at /etc/autobot/  (#926 Phase 4)

autobot-slm-backend/api/setup_wizard.py

@@ -329,12 +329,8 @@ def _inject_co_located_ai_stack(
         if _ai_stack_roles & set(roles):
             continue
         hosts[inv_name]["node_roles"] = list(roles) + ["ai-stack"]
-        # Co-located ai-stack shares the backend venv and symlinks owned by
-        # autobot:autobot.  Override the role's default ai_user/ai_group
-        # (autobot-ai) so the systemd service runs with the correct identity
-        # and avoids permission errors on startup (#3501).
-        hosts[inv_name]["ai_user"] = "autobot"
-        hosts[inv_name]["ai_group"] = "autobot"
+        # Note: ai-stack role now defaults to autobot:autobot (not autobot-ai)
+        # per unified service account model (#4091). No override needed.
         injected.append(inv_name)
         logger.info(
             "Auto-injecting ai-stack onto %s (no dedicated AI stack node in fleet; #3461)",