The stage auth initial token generation is done using the hardcoded stage_user. It should instead use the STAGE_USER variable.
(see line calling make-auth-token.py in stage script)
The manager python should also be in the script hashbang so that we don't have to permit running the manager env's python as stage_user. The snapshot restore process can then call just that file as well, which will restrict slightly the amount of damage that cfyuser can do to stage_user.