fix(firmware): grant bfkiosk write access to binary dir + align marker path

/opt/betterframe/kiosk/ now owned bfkiosk:bfkiosk so OTA can write
.new/.prev files. Marker path in Rust code aligned with rollback
script expectation (/var/lib/betterframe/kiosk/firmware-applying.json).

deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh

@@ -14,8 +14,10 @@ for grp in video render input audio; do
 done
 
 # --- Binary ---
-install -d -m 755 /opt/betterframe/kiosk
+install -d -o bfkiosk -g bfkiosk -m 755 /opt/betterframe/kiosk
 install -m 755 /tmp/bf-files/betterframe-kiosk /opt/betterframe/kiosk/betterframe-kiosk
+# State dir for firmware marker file (rollback script reads this)
+install -d -o bfkiosk -g bfkiosk -m 755 /var/lib/betterframe/kiosk
 
 # --- Systemd unit + PAM + rollback hook ---
 install -m 644 /tmp/bf-files/betterframe-kiosk.service /etc/systemd/system/betterframe-kiosk.service

deploy/scripts/setup-pi-kiosk.sh

@@ -189,8 +189,9 @@ if [ "${INSTALL_KIOSK}" = "1" ]; then
     exit 1
   fi
 
-  install -d -m 755 "${BIN_DST_DIR}"
+  install -d -o bfkiosk -g bfkiosk -m 755 "${BIN_DST_DIR}"
   install -m 755 "${BIN_SRC}" "${BIN_DST}"
+  install -d -o bfkiosk -g bfkiosk -m 755 /var/lib/betterframe/kiosk
   echo "    installed → ${BIN_DST}"
 
   # --------------------------------------------------------------------------

deploy/tmpfiles/betterframe-kiosk.conf

@@ -1 +1,2 @@
 d /run/betterframe 0755 bfkiosk bfkiosk -
+d /var/lib/betterframe/kiosk 0755 bfkiosk bfkiosk -

kiosk/src/firmware.rs

@@ -37,6 +37,7 @@ pub const ARCH: &str = match option_env!("BF_BUILD_ARCH") {
 };
 
 const DEFAULT_BIN_PATH: &str = "/opt/betterframe/kiosk/betterframe-kiosk";
+const FIRMWARE_MARKER: &str = "/var/lib/betterframe/kiosk/firmware-applying.json";
 
 fn binary_path() -> PathBuf {
     std::env::var("BF_KIOSK_BINARY")
@@ -163,8 +164,8 @@ pub fn apply(server: &str, key: &str, info: &UpdateInfo) -> Result<(), String> {
     // failed first boot of the new binary. We delete it after a clean boot
     // (see `mark_firmware_applied()`). If we crash before that, next start
     // sees a stale marker → restores .prev.
-    if let Some(dir) = bin.parent() {
-        let marker = dir.join("firmware-applying.json");
+    {
+        let marker = PathBuf::from(FIRMWARE_MARKER);
         let payload = serde_json::json!({
             "version": info.version,
             "attempt_at": chrono_now_iso(),
@@ -210,13 +211,10 @@ fn verify_signature(public_key_pem: &str, sha256_hex: &str, sig_b64url: &str) ->
 /// Clear the in-progress marker. Call after the kiosk has booted cleanly and
 /// reported back to the server — proves the new binary survives startup.
 pub fn mark_firmware_applied() {
-    let bin = binary_path();
-    if let Some(dir) = bin.parent() {
-        let marker = dir.join("firmware-applying.json");
+    let marker = PathBuf::from(FIRMWARE_MARKER);
     if marker.exists() {
         let _ = fs::remove_file(marker);
     }
-    }
 }
 
 fn chrono_now_iso() -> String {