13 changes: 11 additions & 2 deletions src/lib/agent/runtime.ts
Expand Up @@ -202,7 +202,12 @@ export function buildOpenClawRecoveryScript(port: number): string {
buildGatewayLogSelection(),
`_GATEWAY_PROC_PATTERN=${shellQuote(staleGatewayPattern)};`,
'if [ -n "$_GATEWAY_PROC_PATTERN" ]; then pkill -TERM -f "$_GATEWAY_PROC_PATTERN" 2>/dev/null || true; for _i in 1 2 3 4 5; do pgrep -f "$_GATEWAY_PROC_PATTERN" >/dev/null 2>&1 || break; sleep 1; done; pkill -KILL -f "$_GATEWAY_PROC_PATTERN" 2>/dev/null || true; for _i in 1 2 3 4 5; do pgrep -f "$_GATEWAY_PROC_PATTERN" >/dev/null 2>&1 || break; sleep 1; done; if pgrep -f "$_GATEWAY_PROC_PATTERN" >/dev/null 2>&1; then echo GATEWAY_STALE_PROCESSES; exit 1; fi; fi;',
'[ "$_PE_MISSING" = "1" ] && { _W="[gateway-recovery] WARNING: /tmp/nemoclaw-proxy-env.sh missing - gateway launching without library guards (#2478)"; echo "$_W" >&2; echo "$_W" >> "$_GATEWAY_LOG"; };',
// #2701: When proxy-env.sh is missing, attempt to regenerate it from the
// preload scripts that still exist on disk rather than launching naked.
// This prevents the @homebridge/ciao crash loop on aarch64 / DGX Spark.
'[ "$_PE_MISSING" = "1" ] && { _W="[gateway-recovery] WARNING: /tmp/nemoclaw-proxy-env.sh missing — attempting guard chain regeneration (#2701)"; echo "$_W" >&2; echo "$_W" >> "$_GATEWAY_LOG"; _REGEN_OK=0; _REGEN_OPTS=""; for _f in /tmp/nemoclaw-sandbox-safety-net.js /tmp/nemoclaw-ciao-network-guard.js /tmp/nemoclaw-http-proxy-fix.js /tmp/nemoclaw-nemotron-inference-fix.js /tmp/nemoclaw-ws-proxy-fix.js /tmp/nemoclaw-seccomp-guard.js /tmp/nemoclaw-slack-channel-guard.js /tmp/nemoclaw-telegram-diagnostics.js; do [ -f "$_f" ] && _REGEN_OPTS="${_REGEN_OPTS:+$_REGEN_OPTS }--require $_f"; done; if [ -n "$_REGEN_OPTS" ]; then printf "export NODE_OPTIONS=\\"%s\\"\\n" "$_REGEN_OPTS" > /tmp/nemoclaw-proxy-env.sh && chmod 444 /tmp/nemoclaw-proxy-env.sh && . /tmp/nemoclaw-proxy-env.sh && _PE_MISSING=0 && _REGEN_OK=1; _R="[gateway-recovery] INFO: regenerated proxy-env.sh with guards: $_REGEN_OPTS"; echo "$_R" >&2; echo "$_R" >> "$_GATEWAY_LOG"; fi; [ "$_REGEN_OK" = "0" ] && { _W2="[gateway-recovery] WARNING: no preload scripts found in /tmp — launching without library guards (#2478)"; echo "$_W2" >&2; echo "$_W2" >> "$_GATEWAY_LOG"; }; };',
// Re-check guards after potential regeneration.
'if [ "$_PE_MISSING" = "0" ]; then case "${NODE_OPTIONS:-}" in *nemoclaw-sandbox-safety-net*) _SN_MISSING=0 ;; *) _SN_MISSING=1 ;; esac; case "${NODE_OPTIONS:-}" in *nemoclaw-ciao-network-guard*) _CIAO_MISSING=0 ;; *) _CIAO_MISSING=1 ;; esac; if [ "$_SN_MISSING" = "0" ] && [ "$_CIAO_MISSING" = "0" ]; then _GUARDS_MISSING=0; else _GUARDS_MISSING=1; fi; fi;',
'[ "$_PE_MISSING" = "0" ] && [ "$_GUARDS_MISSING" = "1" ] && { _E="[gateway-recovery] ERROR: /tmp/nemoclaw-proxy-env.sh present but NODE_OPTIONS missing safety-net preload or ciao preload - refusing unguarded gateway relaunch (#2478)"; echo "$_E" >&2; echo "$_E" >> "$_GATEWAY_LOG"; exit 1; };',
'OPENCLAW="$(command -v openclaw)";',
'if [ -z "$OPENCLAW" ]; then echo OPENCLAW_MISSING; exit 1; fi;',
Expand Down Expand Up @@ -276,7 +281,11 @@ export function buildRecoveryScript(
...validationSteps,
"if [ -r /tmp/nemoclaw-proxy-env.sh ]; then . /tmp/nemoclaw-proxy-env.sh; _PE_MISSING=0; else _PE_MISSING=1; fi;",
'if [ "$_PE_MISSING" = "0" ]; then case "${NODE_OPTIONS:-}" in *nemoclaw-sandbox-safety-net*) _SN_MISSING=0 ;; *) _SN_MISSING=1 ;; esac; case "${NODE_OPTIONS:-}" in *nemoclaw-ciao-network-guard*) _CIAO_MISSING=0 ;; *) _CIAO_MISSING=1 ;; esac; if [ "$_SN_MISSING" = "0" ] && [ "$_CIAO_MISSING" = "0" ]; then _GUARDS_MISSING=0; else _GUARDS_MISSING=1; fi; else _GUARDS_MISSING=0; fi;',
'[ "$_PE_MISSING" = "1" ] && { _W="[gateway-recovery] WARNING: /tmp/nemoclaw-proxy-env.sh missing - gateway launching without library guards (#2478)"; echo "$_W" >&2; echo "$_W" >> "$_GATEWAY_LOG"; };',
// #2701: When proxy-env.sh is missing, attempt to regenerate it from the
// preload scripts that still exist on disk rather than launching naked.
'[ "$_PE_MISSING" = "1" ] && { _W="[gateway-recovery] WARNING: /tmp/nemoclaw-proxy-env.sh missing — attempting guard chain regeneration (#2701)"; echo "$_W" >&2; echo "$_W" >> "$_GATEWAY_LOG"; _REGEN_OK=0; _REGEN_OPTS=""; for _f in /tmp/nemoclaw-sandbox-safety-net.js /tmp/nemoclaw-ciao-network-guard.js /tmp/nemoclaw-http-proxy-fix.js /tmp/nemoclaw-nemotron-inference-fix.js /tmp/nemoclaw-ws-proxy-fix.js /tmp/nemoclaw-seccomp-guard.js /tmp/nemoclaw-slack-channel-guard.js /tmp/nemoclaw-telegram-diagnostics.js; do [ -f "$_f" ] && _REGEN_OPTS="${_REGEN_OPTS:+$_REGEN_OPTS }--require $_f"; done; if [ -n "$_REGEN_OPTS" ]; then printf "export NODE_OPTIONS=\\"%s\\"\\n" "$_REGEN_OPTS" > /tmp/nemoclaw-proxy-env.sh && chmod 444 /tmp/nemoclaw-proxy-env.sh && . /tmp/nemoclaw-proxy-env.sh && _PE_MISSING=0 && _REGEN_OK=1; _R="[gateway-recovery] INFO: regenerated proxy-env.sh with guards: $_REGEN_OPTS"; echo "$_R" >&2; echo "$_R" >> "$_GATEWAY_LOG"; fi; [ "$_REGEN_OK" = "0" ] && { _W2="[gateway-recovery] WARNING: no preload scripts found in /tmp — launching without library guards (#2478)"; echo "$_W2" >&2; echo "$_W2" >> "$_GATEWAY_LOG"; }; };',
// Re-check guards after potential regeneration.
'if [ "$_PE_MISSING" = "0" ]; then case "${NODE_OPTIONS:-}" in *nemoclaw-sandbox-safety-net*) _SN_MISSING=0 ;; *) _SN_MISSING=1 ;; esac; case "${NODE_OPTIONS:-}" in *nemoclaw-ciao-network-guard*) _CIAO_MISSING=0 ;; *) _CIAO_MISSING=1 ;; esac; if [ "$_SN_MISSING" = "0" ] && [ "$_CIAO_MISSING" = "0" ]; then _GUARDS_MISSING=0; else _GUARDS_MISSING=1; fi; fi;',
'[ "$_PE_MISSING" = "0" ] && [ "$_GUARDS_MISSING" = "1" ] && { _E="[gateway-recovery] ERROR: /tmp/nemoclaw-proxy-env.sh present but NODE_OPTIONS missing safety-net preload or ciao preload - refusing unguarded gateway relaunch (#2478)"; echo "$_E" >&2; echo "$_E" >> "$_GATEWAY_LOG"; exit 1; };',
...(isHermes ? [buildHermesRuntimeEnvBoundaryGuard()] : []),
launchCommand,
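Review bot: The regeneration line added in both hunks (in buildOpenClawRecoveryScript and its copy in buildRecoveryScript) builds `NODE_OPTIONS` from whatever sits under the fixed `/tmp/nemoclaw-*.js` names, and `[ -f "$_f" ]` only shows that a regular file is reachable at that path, symlinks included. If any account other than the gateway's can write to /tmp in this environment, a file under one of those names would be `--require`d into the relaunched gateway and persisted by the `chmod 444` env file; the `> /tmp/nemoclaw-proxy-env.sh` redirect likewise writes through a pre-existing symlink. I would gate each candidate on type and ownership, e.g. `[ -f "$_f" ] && [ ! -L "$_f" ] && [ -O "$_f" ] && _REGEN_OPTS=...` (adjusting the owner test if the preloads are installed by another user such as root), and create the env file through a temporary file plus `mv`. Separately, the INFO "regenerated proxy-env.sh" message follows a `;` rather than `&&`, so it is logged even when the write or source step failed and is then followed by the misleading "no preload scripts found" warning. Both function bodies extend beyond the lines shown here.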