#16957: fix(doctor): skip false positive permission warnings for Nix store symlinks
Labels: commands, stale, size: XS, Cluster: Session File Path Management
## Summary
- Problem: `openclaw doctor` warns NixOS users that config/state directories have "too open" permissions — a false positive because symlinks always report `0o777` via `lstatSync`, regardless of the actual target permissions.
- Why it matters: False positives erode trust in the diagnostic tool and cause NixOS users to ignore real warnings.
- What changed: Use `lstatSync` to detect symlinks, resolve the target with `realpathSync`, and suppress the warning only when the resolved path lives in `/nix/store/` (an immutable filesystem).
- What did NOT change (scope boundary): Non-symlinked paths behave identically. Symlinks to insecure targets outside `/nix/store/` still trigger warnings.
Author: lobster-biscuit
## Change Type (select all)
- [x] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra
## Scope (select all touched areas)
- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [x] UI / DX
- [ ] CI/CD / infra
## Linked Issue/PR
- Supersedes #11425 (closed for fresh resubmission)
## User-visible / Behavior Changes
- NixOS users running `openclaw doctor` will no longer see false permission warnings for Nix store symlinks.
- All other platforms and non-symlinked paths behave identically.
## Security Impact (required)
- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `No`
- New/changed network calls? `No`
- Command/tool execution surface changed? `No`
- Data access scope changed? `No`
## Repro + Verification
### Environment
- OS: NixOS / any Linux with Nix
- Runtime/container: Node.js
- Model/provider: N/A (CLI tooling)
- Integration/channel (if any): N/A
- Relevant config (redacted): State dir symlinked to `/nix/store/...`
### Steps
1. Install OpenClaw via Nix (state/config dirs become symlinks to `/nix/store/`)
2. Run `openclaw doctor`
3. Observe false "permissions too open" warning
### Expected
- No permission warning for paths resolved to `/nix/store/` (immutable)
### Actual
- Warning: "State directory permissions are too open" (false positive from symlink 777)
## Evidence
- [x] Trace/log snippets: `lstatSync` on a symlink returns `mode: 0o120777` regardless of target
## Human Verification (required)
- Verified scenarios: Confirmed `lstatSync` returns 777 for all symlinks on Linux, `statSync` on resolved path returns actual target permissions
- Edge cases checked: Non-symlinked paths unchanged; symlinks to non-Nix-store targets still trigger warnings
- What you did **not** verify: Actual NixOS hardware (verified behavior via Linux symlink semantics)
## Compatibility / Migration
- Backward compatible? `Yes`
- Config/env changes? `No`
- Migration needed? `No`
## Failure Recovery (if this breaks)
- How to disable/revert this change quickly: Revert the single commit
- Files/config to restore: `src/commands/doctor-state-integrity.ts`
- Known bad symptoms reviewers should watch for: Permission warnings disappearing for non-Nix symlinks
## Risks and Mitigations
- Risk: A symlink to an insecure target inside `/nix/store/` could be silenced
- Mitigation: `/nix/store/` is immutable by design — files there cannot be modified without Nix rebuilds
---
- [x] Mark as AI-assisted in the PR title or description
- [x] Note the degree of testing: fully tested, all code understood by author
- [x] Confirm understanding: all code understood by author
🤖 AI-assisted PR (Claude Code) — fully tested, all code understood by author
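The symlink behaviour the PR relies on is easy to misread, so here is an added TypeScript example (not the project's `doctor-state-integrity.ts` code, and not from the PR author) that shows it end to end: `lstatSync` reports the link's own mode, `realpathSync` resolves the target, `statSync` on the resolved path gives the permissions that actually govern access, and the warning is suppressed only when the target sits under an immutable root. The "too open" policy (any group/other bit set), the function names `checkDirectoryPermissions` and `demo`, and the `immutableRoot` parameter are assumptions; `demo()` builds a throwaway scratch tree in which a `store/` directory stands in for `/nix/store/`, because a real store path cannot be created in a test.

```typescript
import {
  chmodSync, lstatSync, mkdirSync, mkdtempSync, realpathSync, rmSync, statSync, symlinkSync,
} from "node:fs";
import { tmpdir } from "node:os";
import { join, sep } from "node:path";

// Assumed policy (not taken from the project): a private state/config
// directory is "too open" when any group or other permission bit is set.
const GROUP_OTHER_BITS = 0o077;

export interface PermissionReport {
  path: string;
  isSymlink: boolean;
  /** Mode bits from lstat: for a symlink this describes the link, not the target. */
  linkMode: number;
  /** Path after resolving symlinks (equal to `path` for a regular directory). */
  resolved: string;
  /** Mode bits of the resolved target, which is what actually governs access. */
  targetMode: number;
  tooOpen: boolean;
  /** True when the warning is skipped because the target lives under the immutable root. */
  suppressed: boolean;
  warn: boolean;
}

// Hypothetical helper mirroring the PR's logic. Note that realpathSync throws
// (ENOENT) on a broken symlink; the caller is expected to catch that.
export function checkDirectoryPermissions(
  path: string,
  immutableRoot = "/nix/store/",
): PermissionReport {
  const linkStat = lstatSync(path); // never follows the symlink
  const isSymlink = linkStat.isSymbolicLink();
  const resolved = isSymlink ? realpathSync(path) : path;
  const targetMode = statSync(resolved).mode & 0o777; // follows to the real directory
  const tooOpen = (targetMode & GROUP_OTHER_BITS) !== 0;
  const suppressed = isSymlink && resolved.startsWith(immutableRoot);
  return {
    path,
    isSymlink,
    linkMode: linkStat.mode & 0o777,
    resolved,
    targetMode,
    tooOpen,
    suppressed,
    warn: tooOpen && !suppressed,
  };
}

// Constructed fixture: four cases the PR description distinguishes.
export function demo(): Record<string, PermissionReport> {
  const root = mkdtempSync(join(tmpdir(), "doctor-perms-"));
  try {
    const mk = (parent: string, name: string, mode: number): string => {
      const p = join(parent, name);
      mkdirSync(p);
      chmodSync(p, mode); // explicit chmod so the umask cannot interfere
      return p;
    };
    const storeRoot = mk(root, "store", 0o755); // stand-in for /nix/store/
    const storeDir = mk(storeRoot, "abc-openclaw-state", 0o555); // read-only like real store paths
    const openDir = mk(root, "open-state", 0o777);
    const privateDir = mk(root, "private-state", 0o700);
    // Canonicalise so the prefix check matches what realpathSync returns.
    const immutableRoot = realpathSync(storeRoot) + sep;
    symlinkSync(storeDir, join(root, "link-to-store"), "dir");
    symlinkSync(openDir, join(root, "link-to-open"), "dir");
    return {
      plainOpen: checkDirectoryPermissions(openDir, immutableRoot),
      plainPrivate: checkDirectoryPermissions(privateDir, immutableRoot),
      linkToStore: checkDirectoryPermissions(join(root, "link-to-store"), immutableRoot),
      linkToOpen: checkDirectoryPermissions(join(root, "link-to-open"), immutableRoot),
    };
  } finally {
    rmSync(root, { recursive: true, force: true });
  }
}
```

Calling `demo()` on Linux returns `warn: true` for the plain 0o777 directory and for the symlink to it (its `linkMode` is 0o777, but the decision uses `targetMode`), and `warn: false` for the 0o700 directory and for the symlink into the stand-in store, which is marked `suppressed`. The one path the function does not cover on its own is a dangling symlink, where `realpathSync` throws; the PR's outer try-catch is what absorbs that case.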
### Greptile Summary
Suppresses false-positive permission warnings for NixOS users by detecting symlinks to `/nix/store/` and checking target permissions instead of symlink metadata (which always reports `0o777`). The change is narrowly scoped to Nix store paths only, preserving existing behavior for all other cases.
### Confidence Score: 4/5
- Safe to merge with minor edge case consideration
- Logic correctly distinguishes between symlinks and regular paths, properly validates Nix store paths, and maintains backward compatibility. One unresolved edge case (broken symlinks) was raised in previous reviews but is handled by the existing outer try-catch, though error messaging could be clearer.
- No files require special attention
Last reviewed commit: cfa1f7c