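# systemd unit for the session transcript collector. Going by the description
# and the paths below, it reads per-user session directories under /home and
# writes to /data/user_sessions.
#
# Layout matters: systemd reads one directive per line, and a line starting
# with '#' is a comment to the end of that line. Section headers, keys and
# comments must each stay on their own line, otherwise the directives that
# follow a comment are silently ignored.

[Unit]
Description=Session Transcript Collector
# Start after the network is reported online, and pull that target in.
After=network-online.target
Wants=network-online.target

[Service]
# oneshot: the unit counts as started only once the process has exited.
Type=oneshot
# Runs as UID root with primary group data-ops, so files the collector creates
# are group-owned by data-ops.
# NOTE(review): the service default umask is 0022, which would leave collected
# transcripts world-readable unless the collector or the directory mode
# restricts them - confirm, and consider UMask= if not.
User=root
Group=data-ops
# NOTE(review): this runs as root, so the binary and, if the collector loads
# code or configuration from it, the working directory must be writable by
# root only. Confirm ownership and mode of both paths.
WorkingDirectory=/opt/data-analyst/repo
ExecStart=/usr/local/bin/collect-sessions

# Security hardening - root needed to read /home/*/user/sessions/
# strict mounts the whole file system hierarchy read-only for this service
# (except /dev, /proc and /sys); ReadWritePaths re-opens only the output
# directory. /home and the working directory are therefore read-only here.
# The ReadWritePaths directory must exist before the unit starts.
ProtectSystem=strict
ReadWritePaths=/data/user_sessions
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=true
# NOTE(review): root still holds its full capability set. Reading other users'
# files normally needs only CAP_DAC_READ_SEARCH; NoNewPrivileges=true and a
# reduced CapabilityBoundingSet= are candidates to test against the collector
# before enabling.

# Timeout for long-running collections
# For Type=oneshot the start timeout covers the entire run: a collection that
# is still running after 600 seconds is terminated and the unit is marked
# failed.
TimeoutStartSec=600

[Install]
# NOTE(review): no timer is visible in this file. Enabled this way, the
# collector runs once per boot - confirm whether a .timer unit schedules it.
WantedBy=multi-user.target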