fix(nordvpn-client): validate live utun persistence before dns pinning

skills/nordvpn-client/SKILL.md

@@ -41,6 +41,11 @@ node scripts/nordvpn-client.js status --debug
   - use NordLynx/WireGuard through `wireguard-go` and `wireguard-tools`
   - `install` bootstraps them with Homebrew
   - `login` validates the token for the WireGuard backend
+  - the generated WireGuard config stays free of `DNS = ...`
+  - `connect` now requires a bounded persistence gate plus a verified exit before success is declared
+  - the skill snapshots and applies NordVPN DNS only to eligible physical services while connected
+  - NordVPN DNS is applied only after the tunnel remains up and the final liveness check still shows the requested exit
+  - `disconnect` restores the saved DNS/search-domain state even if the tunnel state is stale
   - Tailscale is suspended before connect and resumed after disconnect or failed connect
   - `NordVPN.app` may remain installed but is only the manual fallback
 
@@ -75,6 +80,10 @@ Exact `visudo` rule for the installed OpenClaw skill:
 stefano ALL=(root) NOPASSWD: /Users/stefano/.openclaw/workspace/skills/nordvpn-client/scripts/nordvpn-wireguard-helper.sh probe, /Users/stefano/.openclaw/workspace/skills/nordvpn-client/scripts/nordvpn-wireguard-helper.sh up, /Users/stefano/.openclaw/workspace/skills/nordvpn-client/scripts/nordvpn-wireguard-helper.sh down
 ```
 
+Operational note:
+
+- the persistence gate reuses the already-allowed `probe` action to confirm the live `utun*` WireGuard runtime and does not require extra sudoers actions beyond `probe`, `up`, and `down`
+
 ## Agent Guidance
 
 - run `status` first when the machine state is unclear
@@ -83,6 +92,7 @@ stefano ALL=(root) NOPASSWD: /Users/stefano/.openclaw/workspace/skills/nordvpn-c
 - use `connect` before location-sensitive skills such as `web-automation`
 - use `verify` after connect when you need an explicit location check
 - use `disconnect` after the follow-up task
+- if `connect` fails its persistence or final verification gate, treat that as a safe rollback, not a partial success
 
 ## Output Rules
 
@@ -98,6 +108,7 @@ stefano ALL=(root) NOPASSWD: /Users/stefano/.openclaw/workspace/skills/nordvpn-c
 - connect succeeds but final state looks inconsistent:
   - rely on the verified public IP/location first
   - then inspect `status --debug`
+- `verified: true` but `persistence.stable: false` should not happen anymore; if it does, the skill should roll back instead of pinning DNS
 - disconnect should leave:
   - normal public IP restored
   - no active WireGuard state

skills/nordvpn-client/scripts/nordvpn-client.js

@@ -781,6 +781,7 @@ function parseMacWireguardHelperStatus(output) {
   return {
     active: ["1", "true", "yes", "on"].includes(`${parsed.active || ""}`.toLowerCase()),
     interfaceName: parsed.interfaceName || MAC_WG_INTERFACE,
+    wireguardInterface: parsed.wireguardInterface || null,
     configPath: parsed.configPath || null,
     raw: `${output || ""}`.trim(),
   };
@@ -788,7 +789,7 @@ function parseMacWireguardHelperStatus(output) {
 
 async function getMacWireguardHelperStatus(installProbe, options = {}) {
   const runSudoWireguardFn = options.runSudoWireguard || runSudoWireguard;
-  const result = await runSudoWireguardFn(installProbe, "status");
+  const result = await runSudoWireguardFn(installProbe, "probe");
   const parsed = parseMacWireguardHelperStatus(result.stdout || result.stderr || "");
   return {
     ...parsed,
@@ -1012,8 +1013,7 @@ async function probeMacWireguard() {
   const helperPath = fileExists(MAC_WG_HELPER_PATH) ? MAC_WG_HELPER_PATH : null;
   const helperSecurity = inspectMacWireguardHelperSecurity(helperPath);
   const sudoProbe = helperPath ? await runExec("sudo", ["-n", helperPath, "probe"]) : { ok: false };
-  const helperStatus =
-    helperPath && sudoProbe.ok ? parseMacWireguardHelperStatus((await runExec("sudo", ["-n", helperPath, "status"])).stdout) : null;
+  const helperStatus = helperPath && sudoProbe.ok ? parseMacWireguardHelperStatus(sudoProbe.stdout || sudoProbe.stderr || "") : null;
   let active = false;
   let showRaw = "";
   let endpoint = "";
@@ -1668,7 +1668,6 @@ async function disconnectNordvpn(installProbe) {
     if (!down.ok) {
       const message = (down.stderr || down.stdout || down.error).trim();
       if (isBenignMacWireguardAbsentError(message)) {
-        await runSudoWireguard(installProbe, "cleanup");
         const dnsState = await restoreMacDnsIfNeeded();
         const cleaned = cleanupMacWireguardAndDnsState();
         const tailscale = await resumeMacTailscaleIfNeeded();
@@ -1683,7 +1682,6 @@ async function disconnectNordvpn(installProbe) {
       }
       throw new Error(message || "wg-quick down failed");
     }
-    await runSudoWireguard(installProbe, "cleanup");
     const dnsState = await restoreMacDnsIfNeeded();
     const cleaned = cleanupMacWireguardAndDnsState();
     const tailscale = await resumeMacTailscaleIfNeeded();

skills/nordvpn-client/scripts/nordvpn-wireguard-helper.sh

@@ -18,21 +18,30 @@ WG_INTERFACE="nordvpnctl"
 PATH="/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin"
 export PATH
 
-if [ "$ACTION" = "probe" ]; then
+if [ "$ACTION" = "probe" ] || [ "$ACTION" = "status" ]; then
   test -x "$WG_QUICK"
-  exit 0
-fi
-
-if [ "$ACTION" = "status" ]; then
   ACTIVE=0
-  if [ -x "$WG" ] && "$WG" show "$WG_INTERFACE" >/dev/null 2>&1; then
+  RUNTIME_INTERFACE=""
+  if [ -x "$WG" ]; then
+    RUNTIME_INTERFACE=$("$WG" show interfaces 2>/dev/null | awk 'NF { print $1; exit }')
+  fi
+  if [ -n "$RUNTIME_INTERFACE" ]; then
+    ACTIVE=1
+  elif [ -x "$WG" ] && "$WG" show "$WG_INTERFACE" >/dev/null 2>&1; then
     ACTIVE=1
   elif /sbin/ifconfig "$WG_INTERFACE" >/dev/null 2>&1; then
     ACTIVE=1
+  elif pgrep -f "wg-quick up $WG_CONFIG" >/dev/null 2>&1; then
+    ACTIVE=1
+  elif pgrep -f "wireguard-go utun" >/dev/null 2>&1; then
+    ACTIVE=1
   fi
 
   echo "active=$ACTIVE"
   echo "interfaceName=$WG_INTERFACE"
+  if [ -n "$RUNTIME_INTERFACE" ]; then
+    echo "wireguardInterface=$RUNTIME_INTERFACE"
+  fi
   if [ -f "$WG_CONFIG" ]; then
     echo "configPath=$WG_CONFIG"
   fi