[Linux] Hardcoded ~/Library/Application Support/ path breaks data dir, cert download, and systemd service on Linux #328

@s3bc40

Hey 👋

I was trying to explore the open source projects from Dataiku and I saw the 575Lab project, so I decided to give it a go with the Getting Started first. I had some trouble while installing, still not critical I think.


Reproduction steps

  • Follow along the guide for Linux standalone backend
  • When reaching the certificate step, assess the issue in the systemctl kiji restart service
> sudo journalctl -u kiji-proxy -n 50 --no-pager

Apr 19 12:00:59 pop-os kiji-proxy[46991]: 2026/04/19 12:00:59 Fatal error: failed to create server with embedded files: failed to create proxy handler: failed to initialize SQLite database: failed to create database directory: mkdir /home/kiji: permission denied
Apr 19 12:00:59 pop-os systemd[1]: kiji-proxy.service: Main process exited, code=exited, status=1/FAILURE
Apr 19 12:00:59 pop-os systemd[1]: kiji-proxy.service: Failed with result 'exit-code'.
Apr 19 12:00:59 pop-os systemd[1]: kiji-proxy.service: Consumed 1.330s CPU time.
  • Running .run.sh locally seems to work at first but we see the path adapted for Darwin systems
2026/04/19 12:02:04 Using SQLite database at /home/s3bc40/Library/Application Support/Kiji Privacy Proxy/kiji_privacy_proxy.db
2026/04/19 12:02:04 PAC server starting on http://localhost:9090/proxy.pac
2026/04/19 12:02:04 ⚠️  Warning: Failed to enable system proxy: system proxy configuration only supported on macOS
2026/04/19 12:02:04 ⚠️  You may need to run with sudo or set HTTP_PROXY manually:
2026/04/19 12:02:04     export HTTP_PROXY=http://127.0.0.1:8081
2026/04/19 12:02:04     export HTTPS_PROXY=http://127.0.0.1:8081
2026/04/19 12:02:04 Starting transparent proxy on port :8081
2026/04/19 12:02:04 Intercepting domains: [api.anthropic.com api.openai.com generativelanguage.googleapis.com api.mistral.ai]
2026/04/19 12:02:04 CA certificate path: /home/s3bc40/Library/Application Support/Kiji Privacy Proxy/certs/ca.crt
2026/04/19 12:02:04 [DEBUG] Using embedded UI filesystem
2026/04/19 12:02:04 [DEBUG] Embedded FS root contains 0 entries:
2026/04/19 12:02:04 [DEBUG] Successfully created sub-filesystem from 'frontend/dist'

Current vs. Expected behavior

Symptom 1: Cert install command documented at wrong path

Docs say (docs/01-getting-started.md, at Installing CA Certificate (Required for HTTPS)):

# Ubuntu/Debian
sudo cp ~/.kiji-proxy/certs/ca.crt /usr/local/share/ca-certificates/kiji-proxy-ca.crt
sudo update-ca-certificates

Binary actually writes the cert to (resolved at runtime):
~/Library/Application Support/Kiji Privacy Proxy/certs/ca.crt

The ~/.kiji-proxy/ path shown in documentation does not exist. Any trust/update-ca-certificates command that references the documented path fails silently because the file is never at that location.

Symptom 2: systemd service crashes immediately on start

When running as a dedicated system user created with useradd -r (no home directory), the binary attempts to resolve ~ via os.UserHomeDir(), gets /home/kiji, then tries to mkdir inside it:

Fatal error: failed to create server with embedded files:
failed to create proxy handler:
failed to initialize SQLite database:
failed to create database directory:
mkdir /home/kiji: permission denied

Three hardcoded filepath.Join(homeDir, "Library", …) blocks in:

  • src/backend/config/config.go:189
  • src/backend/pii/database.go:98
  • src/backend/server/server.go:736

Immediate workaround:

sudo mkdir -p /home/kiji
sudo chown kiji:kiji /home/kiji

This unblocks the service but still leaves it using a non-standard path.

Kiji Privacy Proxy version and system specs

Kiji Version: v0.4.11
OS: Pop!_OS 22.04 (Ubuntu 24 base), Linux x86_64
Kernel: 6.18.7-76061807-generic
Binary: kiji-proxy standalone backend (Linux release)
Shell: zsh

Model provider details

  • Anthropic Claude
  • Claude Sonnet 4.6

(not related to the issue but that's what I am working with)
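
An added sketch, not the project's code, of per-OS data directory resolution that would avoid both symptoms reported above: the macOS path is used only on darwin, Linux follows the XDG Base Directory layout, and a systemd-provided state directory takes precedence over the home directory. The `KIJI_DATA_DIR` override and the `kiji-privacy-proxy` directory name are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// Hypothetical names for this sketch; neither comes from the project.
const appDir, overrideVar = "kiji-privacy-proxy", "KIJI_DATA_DIR"

// resolveDataDir picks the data directory for goos. getenv and home are
// injected so the logic can be tested without touching the real environment.
func resolveDataDir(goos string, getenv func(string) string, home string) (string, error) {
	// An explicit override wins. Next, systemd exports STATE_DIRECTORY when the
	// unit sets StateDirectory= (colon-separated if several; the first is used).
	for _, key := range []string{overrideVar, "STATE_DIRECTORY"} {
		dir := getenv(key)
		if key == "STATE_DIRECTORY" {
			dir = strings.SplitN(dir, ":", 2)[0]
		}
		if dir == "" {
			continue
		}
		if !filepath.IsAbs(dir) {
			return "", fmt.Errorf("%s must be an absolute path, got %q", key, dir)
		}
		return filepath.Clean(dir), nil
	}
	if home == "" {
		return "", errors.New("no home directory and no data directory override")
	}
	if goos == "darwin" {
		return filepath.Join(home, "Library", "Application Support", "Kiji Privacy Proxy"), nil
	}
	// XDG Base Directory spec: a relative XDG_DATA_HOME is invalid and ignored.
	if d := getenv("XDG_DATA_HOME"); filepath.IsAbs(d) {
		return filepath.Join(d, appDir), nil
	}
	return filepath.Join(home, ".local", "share", appDir), nil
}

func main() {
	home, _ := os.UserHomeDir() // on error home stays empty, handled above
	fmt.Println(resolveDataDir(runtime.GOOS, os.Getenv, home))
}
```

With `StateDirectory=kiji-proxy` in the unit (the directory name is an example), systemd creates `/var/lib/kiji-proxy` owned by the service user and exports it as `STATE_DIRECTORY`, so a `useradd -r` account needs no home directory.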
