Commit Graph

1097 Commits

Author SHA1 Message Date
joshp123
c8f8e92aba fix: test bundled public surface loading
Some checks failed
CI / linux (push) Has been cancelled
CI / macos (push) Has been cancelled
The stable and dogfood OpenClaw source pins need different public-surface hardlink patch shapes while upstream is still catching up. Select the right patch per source and make package contents import the OpenAI provider policy public surface, which is the path the gateway uses before a model run.

Tests: nix fmt --accept-flake-config; git diff --check; remote mac-mini nix build .#checks.aarch64-darwin.package-contents-dogfood --no-link; remote mac-mini nix build .#checks.aarch64-darwin.package-contents --no-link

Co-authored-by: Codex <noreply@openai.com>
2026-05-09 01:50:13 +08:00
joshp123
0b25e889a5 fix: keep dogfood public surface hardlink-safe
Dogfood now points at an OpenClaw commit with the broader plugin hardlink work merged, but the bundled public-surface loader still needs nix-openclaw's package-root hardlink compatibility patch. Keep that patch active for dogfood and add a package-content check that fails if the compiled loader rejects hardlinked package files again.

Tests: nix fmt --accept-flake-config; git diff --check; remote mac-mini nix build .#checks.aarch64-darwin.package-contents-dogfood --no-link; remote mac-mini nix build .#checks.aarch64-darwin.package-contents --no-link; remote mac-mini nix build .#checks.aarch64-darwin.default-instance --no-link

Co-authored-by: Codex <noreply@openai.com>
2026-05-09 01:30:55 +08:00
joshp123
26c58273e7 fix: add OpenClaw dogfood gateway build
What:
- expose temporary dogfood package outputs pinned to an upstream OpenClaw commit with the Nix-mode fixes merged
- let source pins disable downstream patches that are already upstream
- build current upstream plugin assets through upstream asset hooks, while keeping the 2026.5.7 path working
- supply the fs-safe Git dependency as an immutable Nix source for the dogfood build

Why:
- private deployments need to dogfood upstream fixes before the next OpenClaw release without making the published stable package depend on runtime npm work

Tests:
- remote Mac mini: nix build --accept-flake-config .#openclaw-gateway-dogfood --no-link
- remote Mac mini: nix build --accept-flake-config .#openclaw-dogfood --no-link
- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.default-instance --no-link
- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.package-contents --no-link

Co-authored-by: Codex <noreply@openai.com>
2026-05-09 00:37:43 +08:00
joshp123
11d69d8a1c feat: package npm runtime plugins for Nix
Add a hash-backed npm runtime plugin path that lowers OpenClaw-style npm sources into immutable plugin roots and wires them through the existing Home Manager plugin resolver. Keep flake-backed customPlugins unchanged and document the boundary for agents and maintainers.

Tests: nix build .#checks.aarch64-darwin.default-instance --no-link; nix flake check --no-build; git diff --check

Co-authored-by: Codex <noreply@openai.com>
2026-05-08 18:29:45 +08:00
joshp123
30002b7ded test: cover default OpenClaw instance on Darwin
Move the default-instance check into the common check set so Darwin evaluates the plugin/config generation path too. Keep the Linux systemd assertion and add the Darwin launchd assertion for the Home Manager module.

Tests:
- nix build --accept-flake-config .#checks.aarch64-darwin.default-instance .#checks.aarch64-darwin.package-contents .#checks.aarch64-darwin.config-validity --no-link --option narinfo-cache-negative-ttl 0
- nix build --accept-flake-config .#checks.x86_64-linux.default-instance --no-link --option narinfo-cache-negative-ttl 0
- nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link --option narinfo-cache-negative-ttl 0
- nix build --impure --accept-flake-config .#darwinConfigurations.mac-mini.system --no-link --override-input nix-openclaw path:/Users/josh/code/nix/nix-openclaw --option narinfo-cache-negative-ttl 0

Co-authored-by: Codex <noreply@openai.com>
2026-05-08 13:37:09 +08:00
joshp123
faaf1021c3 fix: separate plugin discovery from enablement
Align the openclawPlugin.plugins contract with OpenClaw itself: load paths control discovery, while plugins.entries.<id>.enabled controls activation.

Rename the contract field to enabled, reject the accidental enable spelling, and keep plugin roots on plugins.load.paths even when their generated activation default is false.

Extend the eval fixture to prove enabled=false defaults, user overrides from true to false, and user overrides from false to true.

Tests: nix build --accept-flake-config .#checks.x86_64-linux.default-instance --no-link --print-out-paths; nix eval --accept-flake-config --raw .#checks.aarch64-darwin.package-contents.drvPath; nix build --accept-flake-config .#checks.aarch64-darwin.package-contents --no-link --dry-run; nix build --impure --accept-flake-config .#darwinConfigurations.mac-mini.system --no-link --override-input nix-openclaw path:/Users/josh/code/nix/nix-openclaw --dry-run

Upstream review: fetched openclaw/openclaw origin/main at 36f847a60e and checked plugin discovery/config semantics before finalizing the contract.

Co-authored-by: Codex <noreply@openai.com>
2026-05-08 12:10:32 +08:00
joshp123
e7d60654b8 fix: package OpenClaw runtime plugin tree
Install and validate OpenClaw's dist-runtime tree so bundled runtime plugins such as ACPX are present in the Nix gateway output.

Extend the existing plugin flake contract with immutable OpenClaw plugin roots, wire those roots into generated config, and add eval fixtures proving default enablement, user overrides, and disabled entries.

Document the boundary: curated plugin artifacts are CI/Garnix-cached by nix-openclaw, while arbitrary npm or ClawHub specs need deterministic lock/hash-backed Nix artifacts cached by the user's store/cache instead of runtime npm installs.

Tests: nix build --accept-flake-config .#checks.x86_64-linux.default-instance --no-link --print-out-paths; nix eval --accept-flake-config --raw .#checks.aarch64-darwin.package-contents.drvPath; nix build --accept-flake-config .#checks.aarch64-darwin.package-contents --no-link --dry-run; nix build --impure --accept-flake-config .#darwinConfigurations.mac-mini.system --no-link --override-input nix-openclaw path:/Users/josh/code/nix/nix-openclaw --dry-run

Co-authored-by: Codex <noreply@openai.com>
2026-05-08 12:00:05 +08:00
openclaw-ci
63ff54b656 🤖 codex: mirror OpenClaw stable source v2026.5.7
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact

Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag

Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
2026-05-07 23:41:24 +00:00
openclaw-ci
a9494d1b8b 🤖 codex: mirror OpenClaw stable source v2026.5.7
Some checks are pending
CI / linux (push) Waiting to run
CI / macos (push) Waiting to run
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact

Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag

Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
2026-05-07 21:46:51 +00:00
openclaw-ci
a2ea92cce2 🤖 codex: mirror OpenClaw stable source v2026.5.6
Some checks are pending
CI / macos (push) Waiting to run
CI / linux (push) Waiting to run
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact

Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag

Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
2026-05-06 19:06:42 +00:00
joshp123
73e9320cac Replace read-only workspace directories
Chmod existing materialized OpenClaw workspace targets before removal so Nix can update copied skill directories from previous generations.

Tests: manual materializer smoke replacing read-only directory; nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link
2026-05-06 16:09:52 +02:00
joshp123
794cf476d9 Make materialized workspace entries declarative
Configured OpenClaw documents and skills are Nix-owned targets. Replace them during activation instead of blocking on stale copied files from older generations.

Tests: manual materializer smoke replacing an existing writable target; nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link
2026-05-06 16:03:25 +02:00
joshp123
2d0a67d190 Adopt read-only managed workspace files
Allow the workspace materializer to replace read-only existing targets when the state manifest is missing, while still refusing writable user-owned files. This keeps Nix-owned OpenClaw docs deployable across module upgrades.

Tests: manual materializer smoke for read-only adopt and writable refusal; nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link
2026-05-06 16:00:36 +02:00
joshp123
ab4bbf5dba Force Nix-owned OpenClaw config links
Home Manager should replace the generated openclaw.json target because Nix owns that file. Without force=true, Darwin deploys can fail when the existing config symlink points at the previous generation.

Tests: nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link
2026-05-06 15:57:12 +02:00
joshp123
cbe10a8eb9 Report installed OpenClaw command names
Render TOOLS.md from actual package outputs instead of requested tool attrs, and include per-instance runtime packages so agent docs match the commands on PATH.

Tests: nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link
2026-05-06 15:54:29 +02:00
joshp123
68b04bd0b3 Allow direct OpenClaw package module use
Do not require the nix-openclaw overlay when a downstream Home Manager config explicitly supplies the OpenClaw package. This keeps consumer hosts thin and lets them use flake package outputs directly.

Tests: nix eval --accept-flake-config .#checks.x86_64-linux.default-instance.drvPath; nix build --accept-flake-config .#checks.aarch64-darwin.config-validity --no-link
2026-05-06 14:52:16 +02:00
joshp123
694349643f Update bundled plugin tools pin
Point Home Manager bundled plugin sources at the current nix-openclaw-tools commit so Darwin QMD plugin installs use the fixed packaged tool.

Tests: nix eval --accept-flake-config .#checks.x86_64-linux.default-instance.drvPath; nix build --accept-flake-config .#checks.aarch64-darwin.config-validity --no-link
2026-05-06 14:47:32 +02:00
joshp123
54e09bce18 Expose runtime tools to OpenClaw Codex harness
Add Home Manager runtimePackages/environment options that feed the gateway wrapper without polluting the user PATH. Link the same runtime package set into Codex's isolated agent home so shell calls from the Codex harness see Nix-managed plugin and helper CLIs.

Tests: ./scripts/check-flake-lock-owners.sh; nix flake show --accept-flake-config; nix build --accept-flake-config .#checks.aarch64-darwin.ci --no-link; nix build --accept-flake-config .#checks.aarch64-darwin.qmd-runtime .#checks.aarch64-darwin.bin-surface .#checks.aarch64-darwin.package-contents --no-link; nix eval --accept-flake-config .#checks.x86_64-linux.default-instance.drvPath; ./scripts/hm-activation-macos.sh
2026-05-06 14:44:56 +02:00
joshp123
7cbc79ce52 Install only bundled plugin manifests
The gateway runtime loads built plugins from dist/extensions, so the source extensions tree only needs manifest metadata for compatibility. Copy only openclaw.plugin.json files and assert the memory-core manifest exists in both compatibility and runtime trees.

Tests: sh -n nix/scripts/gateway-install.sh nix/scripts/check-package-contents.sh; git diff --check; nix build --dry-run .#checks.aarch64-darwin.package-contents .#checks.x86_64-linux.package-contents --accept-flake-config
2026-05-06 13:08:57 +02:00
joshp123
0dae522382 Build gateway outside the output tree
Use a normal temporary build root and copy only final runtime outputs into the Nix output. This avoids the Garnix stall caused by recursively deleting the temporary OpenClaw source tree from inside $out during install.

Tests: sh -n nix/scripts/build-root.sh nix/scripts/gateway-install.sh; git diff --check; nix build --dry-run .#checks.aarch64-darwin.qmd-runtime .#checks.x86_64-linux.qmd-runtime --accept-flake-config
2026-05-06 12:59:49 +02:00
joshp123
87f883a6c8 Speed up gateway build-root cleanup
Move the temporary output build root out of the final output instead of recursively deleting it during install, and time the final wrapper/cleanup steps so Garnix logs show where gateway builds stall.

Tests: sh -n nix/scripts/build-root.sh nix/scripts/gateway-install.sh; git diff --check; nix build --dry-run .#checks.aarch64-darwin.qmd-runtime .#checks.x86_64-linux.qmd-runtime --accept-flake-config
2026-05-06 12:51:50 +02:00
joshp123
cb9ec56612 Bound pnpm store extraction threads
Use NIX_BUILD_CORES for zstd extraction instead of --threads=0. Garnix macOS builders were hanging in the pnpm-store extraction step on the fresh OpenClaw gateway build.

Tests: git diff --check. Full package proof is delegated to Garnix because the fresh v2026.5.5 gateway source build is intentionally not run locally.
2026-05-06 12:26:35 +02:00
joshp123
6a5352eba7 Avoid duplicate gateway shebang patch
Remove the install-phase patchShebangs pass over node_modules/.bin. The build phase already runs patchShebangs before packaging, and the second pass can hang Garnix while not materially changing the output.

Tests: git diff --check. Full package proof is delegated to Garnix because the fresh v2026.5.5 gateway source build is intentionally not run locally.
2026-05-06 12:07:58 +02:00
openclaw-ci
b46482a4df 🤖 codex: mirror OpenClaw stable source v2026.5.5
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact

Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag

Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
2026-05-06 09:27:39 +00:00
joshp123
3a0c35bf68 Fix QMD model prewarm activation
Use QMD's real update/embed/query commands instead of the nonexistent qmd pull path, and keep the activation script in nix/scripts instead of inline Nix.

Tests: nix build .#checks.aarch64-darwin.config-validity .#checks.aarch64-darwin.qmd-runtime --no-link; nix eval .#checks.x86_64-linux.qmd-runtime.name; scripts/check-flake-lock-owners.sh; git diff --check
2026-05-06 11:09:33 +02:00
joshp123
7f55c0bd7b Pin safe-write Python in OpenClaw wrapper
Bundle a Nix Python path inside the OpenClaw batteries wrapper for the safe-write helper. This avoids macOS /usr/bin/python3 triggering the Xcode command-line-tools shim on headless hosts, without exposing Python on the user PATH.

Tests: nix build .#checks.aarch64-darwin.qmd-runtime --no-link; nix eval .#checks.x86_64-linux.qmd-runtime.name; scripts/check-flake-lock-owners.sh; git diff --check
2026-05-06 10:37:25 +02:00
joshp123
505c50fa58 Use upstream QMD on Linux
Keep upstream tobi/qmd as the Linux QMD package while retaining the nix-openclaw-tools Darwin repair package until upstream Darwin is fixed. This preserves the batteries-included runtime path without forking the Linux package surface.

Tests: nix build '.#checks.aarch64-darwin.qmd-runtime' --accept-flake-config --no-link; nix eval --option eval-cache false --raw '.#checks.x86_64-linux.qmd-runtime.name' --accept-flake-config; nix eval --option eval-cache false --raw '.#checks.aarch64-darwin.qmd-runtime.name' --accept-flake-config; git diff --check
2026-05-06 10:01:46 +02:00
joshp123
d56fa8a75c consume QMD through OpenClaw tools
What:
- consume QMD from nix-openclaw-tools instead of a separate upstream flake input
- expose QMD as an internal OpenClaw battery on Darwin and Linux
- add an opt-in Home Manager qmd model prewarm activation
- keep plugin packages off the user's shell PATH by default while preserving the runtime PATH

Why:
- nix-openclaw-tools owns reproducible tool packages and cacheable plugin metadata
- nixos-config should configure OpenClaw, not hand-wire runtime tools

Tests:
- nix build .#checks.aarch64-darwin.package-contents --accept-flake-config --no-link
- nix build .#checks.aarch64-darwin.qmd-runtime --accept-flake-config --no-link
- nix build .#checks.aarch64-darwin.bin-surface .#checks.aarch64-darwin.config-validity .#checks.aarch64-darwin.gateway-smoke --accept-flake-config --no-link
- nix eval .#checks.x86_64-linux.default-instance.drvPath --accept-flake-config
2026-05-06 09:44:37 +02:00
joshp123
0a70262dda run OpenClaw runtime postbuild in Nix
What:
- run upstream runtime-postbuild after tsdown in the gateway build
- assert runtime-model-auth stable alias points at a real generated target

Why:
- bundled provider auth imports need the upstream stable runtime alias materialized in the Nix package
- package-contents should catch missing runtime aliases before deployment

Tests:
- nix build .#checks.aarch64-darwin.package-contents --accept-flake-config --no-link
- nix build .#checks.aarch64-darwin.qmd-runtime --accept-flake-config --no-link
- nix build .#checks.aarch64-darwin.bin-surface .#checks.aarch64-darwin.config-validity .#checks.aarch64-darwin.gateway-smoke --accept-flake-config --no-link
2026-05-06 09:44:36 +02:00
joshp123
e93384082a fix: keep Nix OpenClaw config immutable
Some checks failed
CI / linux (push) Has been cancelled
CI / macos (push) Has been cancelled
What:
- make the downstream Nix-mode auto-enable patch runtime-only and remove broken degraded-state references
- allow plugin-owned channels.<id> config in generated Home Manager options
- add Telegram channel config coverage to the config validity check
- document the Nix/OpenClaw boundary in AGENTS.md

Why:
- Nix-owned openclaw.json must not be mutated at runtime
- plugin channel config should stay valid even when upstream core schema does not type every plugin-owned channel key
- future agents need the boundary documented in the packaging repo

Tests:
- patch -d /tmp/openclaw-v2026.5.4 -p1 --dry-run < nix/patches/skip-plugin-auto-enable-persist-in-nix-mode.patch: passed
- generator round-trip against OpenClaw 325df3ef produced no diff: passed
- nix eval --accept-flake-config --raw .#checks.aarch64-darwin.config-validity.drvPath: passed
- nix eval --accept-flake-config --raw .#checks.x86_64-linux.config-options.drvPath: passed
- nix build --accept-flake-config .#checks.aarch64-darwin.config-validity --no-link --print-build-logs: passed
2026-05-05 22:26:40 +02:00
joshp123
3abd2d14cb feat: bundle QMD for opt-in local memory
Make QMD the Nix-supported batteries-included local memory backend by pinning the upstream QMD flake and adding qmd to the private openclaw wrapper PATH.

Keep QMD opt-in through upstream OpenClaw config with memory.backend = qmd, and document that builtin memorySearch.provider = local remains an escape hatch rather than the primary supported Nix path.

Also point nix run .#openclaw at the batteries-included bundle so app execution gets the same internal runtime PATH as the package.

Tests: sh -n nix/scripts/check-openclaw-qmd-runtime.sh; scripts/check-flake-lock-owners.sh; git diff --check; nix flake show --accept-flake-config --json; nix build .#checks.aarch64-darwin.qmd-runtime .#checks.aarch64-darwin.bin-surface .#packages.aarch64-darwin.openclaw --accept-flake-config --no-link --print-out-paths; nix build .#checks.x86_64-linux.qmd-runtime --accept-flake-config --no-link --print-out-paths; nix build .#checks.aarch64-darwin.ci --accept-flake-config --no-link --print-out-paths; nix build .#packages.x86_64-linux.openclaw .#checks.x86_64-linux.bin-surface --accept-flake-config --no-link --print-out-paths; scripts/hm-activation-macos.sh; nix build .#checks.x86_64-linux.gateway-smoke --accept-flake-config --no-link --print-out-paths; nix run .#openclaw --accept-flake-config -- --version; bash -n scripts/update-pins.sh; node --check scripts/select-openclaw-release.mjs; node --check scripts/select-openclaw-release.test.mjs; node scripts/select-openclaw-release.test.mjs
2026-05-05 20:24:25 +02:00
joshp123
4a918c46ee fix: allow package public surface hardlinks
OpenClaw v2026.5.4 resolves bundled plugin public artifacts under the package-root extension surface. In the Nix store those artifacts may be hardlinked, so allow hardlinks for resolved module paths inside OPENCLAW_PACKAGE_ROOT while keeping the existing hardlink rejection elsewhere.

Tests: nix build .#checks.aarch64-darwin.gateway-smoke --accept-flake-config --no-link --print-out-paths; nix build .#checks.aarch64-darwin.ci --accept-flake-config --no-link --print-out-paths; nix build .#packages.x86_64-linux.openclaw .#checks.x86_64-linux.bin-surface .#checks.x86_64-linux.gateway-smoke --accept-flake-config --no-link --print-out-paths; scripts/check-flake-lock-owners.sh; scripts/hm-activation-macos.sh
2026-05-05 19:22:50 +02:00
openclaw-ci
8264853833 🤖 codex: mirror OpenClaw stable source v2026.5.4
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact

Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag

Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
2026-05-05 17:01:48 +00:00
joshp123
eb9a52bf96 fix: keep runtime tools internal
Expose only the openclaw command from the default package while keeping bundled runtime tools on the wrapper PATH. Remove the public openclaw-tools package output and document runtime tools as implementation detail.

Tests: nix build .#packages.aarch64-darwin.openclaw .#checks.aarch64-darwin.bin-surface .#packages.x86_64-linux.openclaw .#checks.x86_64-linux.bin-surface --accept-flake-config --no-link --print-out-paths; nix build .#checks.aarch64-darwin.ci --accept-flake-config --no-link --print-out-paths; git diff --check --cached
2026-05-05 18:14:08 +02:00
joshp123
c6a4cfc9d7 fix: keep plugin auto-enable declarative in Nix mode
Patch the gateway startup path so OPENCLAW_NIX_MODE skips plugin auto-enable persistence instead of replacing a Nix-managed config symlink.

Plugins remain a declarative Nix config choice under the Home Manager module; runtime auto-enable can still report what it would have changed.

Tests: git diff --cached --check; patch -p1 --dry-run against pinned OpenClaw source; nix build .#packages.aarch64-darwin.openclaw-gateway --accept-flake-config --no-link --print-out-paths; OPENCLAW_NIX_MODE symlink-clobber smoke against the native gateway; nix build .#packages.x86_64-linux.openclaw-gateway --accept-flake-config --no-link --print-out-paths
2026-05-05 15:48:56 +02:00
joshp123
2149201a95 fix: keep workspace materialization sources in closure
Generate a Nix-owned source/target manifest for workspace documents and skills, then pass that manifest to the activation helper.

This keeps document and plugin source paths in the Home Manager generation closure so the NixOS VM can actually copy them during activation.

Tests: helper smoke; git diff --check; nix build .#checks.x86_64-linux.default-instance --accept-flake-config --no-link --print-out-paths; nix build .#checks.x86_64-linux.hm-activation.nodes.machine.system.build.toplevel --accept-flake-config --no-link --print-out-paths
2026-05-05 15:45:11 +02:00
joshp123
7471da32e5 fix: materialize workspace docs and skills
What:
- copy Nix-managed documents and skills into the OpenClaw workspace as real files
- replace Home Manager symlink installs with an activation-time materialization helper
- extend checks to assert custom plugin skills and document files are not symlinks

Why:
- OpenClaw rejects workspace files that resolve back into the Nix store
- custom plugin skills and documents must satisfy the gateway workspace boundary

Tests:
- git diff --cached --check: passed
- nix/modules/home-manager/openclaw-materialize-workspace-files.sh smoke: copied docs and skill dirs as non-symlinks, rerun idempotent
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.default-instance --accept-flake-config --no-link --print-out-paths: /nix/store/2zihci7mhlk3mcbczmyw0s401n162vk7-openclaw-default-instance-1
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.hm-activation --accept-flake-config --no-link --print-out-paths: materialization assertions passed; later gateway open-port wait timed out under local TCG VM after 900s
2026-05-05 15:00:07 +02:00
joshp123
e739f5888f fix: install bundled gateway skills
What:
- copy upstream bundled skills into the gateway package output
- make package-contents require bundled SKILL.md files under lib/openclaw/skills

Why:
- upstream bundled skills are part of the runnable OpenClaw package contract
- package checks should catch missing skills before users hit runtime failures

Tests:
- git diff --cached --check: passed
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.package-contents --accept-flake-config --no-link --print-out-paths: /nix/store/zqwb4x85cwww8fx5gzj0asxy1ic5i373-openclaw-package-contents-unstable-8b2a6e57
2026-05-05 13:18:39 +02:00
joshp123
8b24b5d515 fix: generate usable secret provider options
What:
- flatten source-discriminated object unions when the variants have different fields
- regenerate secrets.providers as one submodule with a source enum and nullable variant fields
- add a default-instance regression for file-backed secret providers

Why:
- Nix cannot reliably merge attrsOf oneOf submodules for secrets.providers
- the generated module should preserve upstream config shape while staying evaluable

Tests:
- git diff --cached --check: passed
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.default-instance --accept-flake-config --no-link --print-out-paths: /nix/store/2zihci7mhlk3mcbczmyw0s401n162vk7-openclaw-default-instance-1
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.config-options --accept-flake-config --no-link --print-out-paths: /nix/store/4yrjhllg88ydyf70yqnkdmndbrv7y2c6-openclaw-source-checks-unstable-8b2a6e57
2026-05-05 13:07:48 +02:00
joshp123
216f835d24 fix: preserve default gateway mode
What:
- strip generated null defaults before merging user and instance OpenClaw config
- assert the default generated config keeps gateway.mode = "local"

Why:
- generated submodule defaults should not silently erase package-owned base config
- the default Home Manager instance must remain runnable without extra gateway config

Tests:
- git diff --cached --check: passed
- temporary worktree with only this staged patch: nix build #checks.x86_64-linux.default-instance --accept-flake-config --no-link --print-out-paths: /nix/store/2zihci7mhlk3mcbczmyw0s401n162vk7-openclaw-default-instance-1
2026-05-05 12:33:06 +02:00
joshp123
e16f9743fd chore: rename first-party tools flake input
What:
- replace nix-steipete-tools with nix-openclaw-tools across flake wiring
- pass first-party tool packages through the overlay and package set explicitly
- update the bundled plugin catalog for the renamed tool repo

Why:
- keep nix-openclaw aligned with the upstream OpenClaw tool repo rename
- avoid stale steipete naming in package and plugin resolution

Tests:
- git diff --cached --check: passed
- scripts/check-flake-lock-owners.sh: passed
- nix eval --raw .#packages.x86_64-linux.openclaw-tools.name --accept-flake-config: openclaw-tools
- nix eval --json --impure --expr '<overlay toolNames eval>': returned node/pnpm/core plus gogcli, goplaces, summarize, camsnap, sonoscli
2026-05-05 12:29:59 +02:00
joshp123
ba7d1573a4 ci: focus OpenClaw checks on Nix package contract
What:
- replace the misleading gateway test check with a source-checks build/config-options check
- remove the full upstream Vitest suite from the hard Nix promotion gate
- document that yolo validates the Nix-owned package contract, not upstream source test health

Why:
- the current full packageable upstream release builds as a package but has failing upstream Vitest cases when rebuilt from source
- nix-openclaw should block on packaging, smoke startup, config generation, module activation, and app artifacts rather than an upstream-owned unit test suite

Tests:
- git diff --check
- bash -n scripts/update-pins.sh scripts/hm-activation-macos.sh nix/modules/home-manager/openclaw-launchd-relink.sh nix/scripts/source-checks-build.sh nix/scripts/source-checks-check.sh nix/scripts/config-options-check.sh
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/yolo-update.yml")'
- nix eval --accept-flake-config --raw .#checks.x86_64-linux.source-checks.drvPath
- nix eval --accept-flake-config --raw .#checks.x86_64-linux.ci.drvPath
- nix flake show --accept-flake-config --all-systems --json
- scripts/check-flake-lock-owners.sh
- node scripts/select-openclaw-release.test.mjs
- scripts/hm-activation-macos.sh
- nix build --accept-flake-config -L .#checks.aarch64-darwin.ci
2026-05-05 10:52:55 +02:00
joshp123
d9b42b0f77 test: cover OpenClaw plugin surface
Fix the documented minimal Home Manager plugin option to use customPlugins, remove the stale duplicate skill-file builder, and assert duplicate plugin skill paths against the paths Home Manager actually installs.

Add local plugin fixtures so the default-instance check covers the agent-facing customPlugins path and duplicate skill collisions.
2026-05-05 09:29:34 +02:00
joshp123
a468354c55 fix: harden OpenClaw Nix release packaging
What:
- make openclaw the canonical agent-first package surface and document the maintainer automation contract
- select the newest full packageable OpenClaw stable release and report newer assetless stable releases
- validate public CLI config, smoke-test gateway runtime, and share source checks across gateway tests/config option generation
- fix Nix-store hardlink runtime handling and Linux builder scratch space
- add daily Codex maintainer automation for direct-to-main repair after full gates
- block yolo promotion if promote materializes a different diff than validation

Why:
- keep nix-openclaw reliable for macOS and Linux users while upstream release assets lag source tags
- make yolo and daily automation uphold one clean Nix package contract

Tests:
- node scripts/select-openclaw-release.test.mjs
- bash -n scripts/update-pins.sh
- sh -n nix/scripts/build-root.sh nix/scripts/gateway-install.sh nix/scripts/gateway-prebuild.sh nix/scripts/gateway-tests-check.sh nix/scripts/source-checks-check.sh
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/yolo-update.yml")'
- scripts/check-flake-lock-owners.sh
- GITHUB_ACTIONS=true scripts/update-pins.sh select
- nix flake show --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config --max-jobs 1 -L
- nix build .#checks.x86_64-linux.ci --accept-flake-config --max-jobs 1 -L
2026-05-05 08:00:13 +02:00
joshp123
53aac0dce0 fix(gateway-tests): follow upstream vitest config path
Some checks failed
CI / linux (push) Has been cancelled
CI / macos (push) Has been cancelled
OpenClaw v2026.4.14 moved the gateway Vitest config under test/vitest/, but
our Nix gateway test seam still hard-coded the old root-level path. Linux CI
therefore failed before tests even started.

Prefer the old path when present, but fall back to the new upstream path so the
stable release mirror works across both layouts.

Tests:
- bash -n nix/scripts/gateway-tests-check.sh
2026-04-14 18:15:58 +02:00
joshp123
ed86924dd3 fix(release): hash the app zip the way fetchzip expects
The stable mirror had advanced main to v2026.4.14 with an app hash that only
matched prefetch output, not the unpacked tree hash that fetchzip validates.
That left macOS CI red on the pinned stable release.

Compute the app hash from the unpacked zip contents in update-pins.sh and fix
the current v2026.4.14 app pin to the actual fetchzip hash.

Tests:
- bash -n scripts/update-pins.sh
- nix build .#openclaw-app --accept-flake-config -L
2026-04-14 18:15:54 +02:00
openclaw-ci
b023ed119f 🤖 codex: mirror OpenClaw stable release v2026.4.14
What:
- update nix-openclaw to the latest stable OpenClaw release
- refresh the gateway source pin, app asset pin, and generated config options

Why:
- keep nix-openclaw aligned with upstream stable releases instead of upstream main churn

Tests:
- nix build .#openclaw-gateway --accept-flake-config
2026-04-14 15:20:34 +00:00
openclaw-ci
13deaaf73f 🤖 codex: mirror OpenClaw stable release v2026.4.11
Some checks failed
CI / linux (push) Has been cancelled
CI / macos (push) Has been cancelled
What:
- update nix-openclaw to the latest stable OpenClaw release
- refresh the gateway source pin, app asset pin, and generated config options

Why:
- keep nix-openclaw aligned with upstream stable releases instead of upstream main churn

Tests:
- nix build .#openclaw-gateway --accept-flake-config
2026-04-12 01:05:06 +00:00
openclaw-ci
a003810ddd 🤖 codex: mirror OpenClaw stable release v2026.4.10
Some checks are pending
CI / linux (push) Waiting to run
CI / macos (push) Waiting to run
What:
- update nix-openclaw to the latest stable OpenClaw release
- refresh the gateway source pin, app asset pin, and generated config options

Why:
- keep nix-openclaw aligned with upstream stable releases instead of upstream main churn

Tests:
- nix build .#openclaw-gateway --accept-flake-config
2026-04-11 04:50:58 +00:00
joshp123
c2e8301f51 fix(ci): resolve vitest entrypoint in gateway tests
Some checks are pending
CI / linux (push) Waiting to run
CI / macos (push) Waiting to run
What:
- restore the direct vitest entrypoint lookup in nix/scripts/gateway-tests-check.sh
- execute the discovered vitest module with node instead of relying on pnpm exec lookup

Why:
- the history rewrite dropped one real recovery fix and reintroduced the gateway-tests runner failure on Linux
- the green line already proved the direct-entrypoint approach works reliably in the Nix check environment

Tests:
- verified failing CI run 24246896697: ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL Command "vitest" not found
2026-04-10 16:08:44 +02:00