fix(daemon): add Nix Home Manager PATH support to service environment

[jerome-benoit]

Summary

• Problem: openclaw gateway install generates a service plist/unit that misses Nix-managed binaries from PATH. Skills depending on Nix-installed binaries (e.g. aoe, tmux, claude) are reported as blocked at boot.
• Why it matters: Users on Nix/Home Manager cannot use Nix-installed tools through the gateway without manual PATH workarounds.
• What changed: Add addNixProfileBinDirs() to service-env.ts that resolves Nix profile bin directories from NIX_PROFILES (respecting right-to-left precedence) with a ~/.nix-profile/bin fallback when the env var is absent.
• What did NOT change (scope boundary): No changes to gateway install, systemd unit generation, or plist templates. Only the PATH resolution logic is affected.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: openclaw gateway install does not capture Nix (Home Manager) PATH entries in LaunchAgent plist #44402
• Related fix(daemon): add Nix Home Manager PATH support to service environment #44433 (superseded)
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: getMinimalServicePathParts() had no knowledge of Nix profile directories. The LaunchAgent/systemd service PATH is constructed from a static list of known bin dirs, and Nix paths were missing entirely.
• Missing detection / guardrail: No test coverage for Nix profile resolution in the service environment.
• Contributing context (if known): Nix Home Manager symlinks binaries under ~/.nix-profile/bin and sets NIX_PROFILES with a space-separated list of profile paths. The daemon service environment doesn't source shell init scripts, so these paths must be resolved explicitly.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/daemon/service-env.test.ts
• Scenario the test should lock in: Nix profile directories appear in the service PATH with correct precedence (rightmost NIX_PROFILES entry = highest priority), and fallback to ~/.nix-profile/bin when NIX_PROFILES is absent.
• Why this is the smallest reliable guardrail: Unit tests on getMinimalServicePathParts / getMinimalServicePathPartsFromEnv directly validate the PATH resolution without requiring a running gateway or service installation.
• Existing test that already covers this (if any): None before this PR.
• If no new test is added, why not: 7 new tests added.

User-visible / Behavior Changes

• Nix-installed binaries are now discoverable by the gateway service on Linux and macOS.
• hasBinary() checks at boot will find Nix-managed tools without manual PATH configuration.

Diagram (if applicable)

Before:
[gateway boot] -> [service PATH: system + user dirs] -> [Nix binaries missing] -> [skills blocked]

After:
[gateway boot] -> [service PATH: Nix profiles + user + system dirs] -> [Nix binaries found] -> [skills available]

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: Linux or macOS with Nix/Home Manager installed
• Runtime/container: Node 22+
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): NIX_PROFILES="/nix/var/nix/profiles/default ~/.nix-profile"

Steps

1. Install Nix with Home Manager
2. Run openclaw gateway install
3. Check openclaw channels status --probe for blocked skills

Expected

• Nix-installed binaries resolve correctly in the service PATH.

Actual

• Before this PR: binaries under ~/.nix-profile/bin are missing from the service PATH.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

7 new unit tests validate the added behavior: fallback (Linux/macOS), two-profile precedence (Linux/macOS), single profile (Linux/macOS), three-profile precedence ordering. No pre-existing tests existed for this code path.

Human Verification (required)

• Verified scenarios: pnpm check (0 warnings, 0 errors), pnpm test scoped to service-env.test.ts (7/7 Nix tests pass).
• Edge cases checked: Three-profile ordering validates that intermediate profiles maintain correct Nix precedence (rightmost = highest priority, verified against NixOS/nix source scripts/nix-profile-daemon.sh.in).
• What you did not verify: End-to-end gateway install on a Nix system.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

4 Codex review comments about NIX_PROFILES precedence are addressed by the latest commit but not yet resolved on GitHub — pending maintainer review.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Risks and Mitigations

• Risk: NIX_PROFILES contains unexpected entries (e.g. non-existent paths).
  • Mitigation: addNonEmptyDir + appendSubdir guard against empty/malformed paths. Non-existent directories in PATH are harmless (skipped by the OS at lookup time).

Key difference from #44433

Uses appendSubdir(profile, "bin") instead of raw template literal ${profile}/bin, consistent with all other env-configured bin dirs in the file, and guards against double /bin paths.

[greptile-apps]

Greptile Summary

Adds addNixProfileBinDirs() to service-env.ts so that Nix Home Manager binary paths (~/.nix-profile/bin and all paths in NIX_PROFILES) are included in the LaunchAgent/systemd service PATH at install time. The implementation is consistent with the existing pattern of eagerly listing candidate dirs and relying on getMinimalServicePathParts for deduplication.

Confidence Score: 5/5

Safe to merge — logic is correct, well-tested, and consistent with existing patterns.

The implementation correctly resolves the default ~/.nix-profile/bin and all NIX_PROFILES-listed profile paths, uses appendSubdir for the /bin suffix guard, and forwards env properly through the existing call chain. The only minor observation is that addNixProfileBinDirs can produce duplicate entries in the intermediate dirs array when NIX_PROFILES includes ~/.nix-profile, but deduplication already happens at getMinimalServicePathParts and this is the established pattern throughout the file. Six new tests cover the key scenarios.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(daemon): add Nix Home Manager PATH s..." | Re-trigger Greptile}

[Copilot]

Pull request overview

Adds Nix Home Manager profile bin directories into the daemon’s computed service PATH so LaunchAgent/systemd environments can locate Nix-installed binaries (addressing missing ~/.nix-profile/bin in generated service envs).

Changes:

• Introduce addNixProfileBinDirs() to add ~/.nix-profile/bin and NIX_PROFILES-derived */bin entries into user PATH dir resolution.
• Invoke the new helper from both macOS and Linux user-bin resolution paths.
• Add unit tests validating default and NIX_PROFILES-based Nix PATH entries.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/daemon/service-env.ts	Adds shared Nix profile PATH resolution and wires it into Darwin/Linux user PATH assembly.
src/daemon/service-env.test.ts	Adds tests asserting ~/.nix-profile/bin and NIX_PROFILES-derived bin dirs appear in minimal service PATH parts.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 946e82eebe

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cb5d6078bc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 71d7e65ea0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Use modern Nix profile path in fallback

When NIX_PROFILES is unset, this fallback always injects ~/.nix-profile/bin, but newer Nix installs can use ${XDG_STATE_HOME:-$HOME/.local/state}/nix/profile as the active user profile and may not keep a legacy ~/.nix-profile link. In that environment the daemon still misses Nix-managed binaries, so the bug this patch targets remains reproducible for users on the newer profile layout.

Useful? React with 👍 / 👎.