fix: allow AF_NETLINK in systemd unit

Author: dedene

docs/INSTALL.md

@@ -199,11 +199,26 @@ Common symptoms:
 |---------|-------|-----|
 | V8/Node.js crash (`ENOMEM` in `SetPermissions`) | `MemoryDenyWriteExecute=true` | Set to `false` |
 | "token invalid" / network errors | `RestrictAddressFamilies=AF_UNIX` | Add `AF_INET AF_INET6` |
+| Node/libuv fails enumerating interfaces after a runtime update | `RestrictAddressFamilies` missing `AF_NETLINK` | Add `AF_NETLINK` |
 | Tool hangs or gets killed | `SystemCallFilter` too strict | Check `journalctl` for SECCOMP audit messages |
 | "Read-only file system" on git fetch/push | `ProtectHome=read-only` blocks workspace writes | Add `ReadWritePaths=/path/to/workspace` |
 
 After changes: `sudo systemctl daemon-reload && sudo systemctl restart claw-wrap`
 
+If you installed an older copy of the unit before this fix landed, update the service
+or add an override:
+
+```bash
+sudo systemctl edit claw-wrap.service
+```
+
+Add:
+
+```ini
+[Service]
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+```
+
 ### Workspace write failures (git, file operations)
 
 The default unit has `ProtectHome=read-only`, which makes `/home` read-only for the daemon

init/claw-wrap.service

@@ -47,9 +47,10 @@ SystemCallFilter=@system-service
 # TOOL-DEPENDENT — adjust based on your configured tools:
 #
 # Network access: tools that call external APIs (gh, gog, strawpoll)
-# need AF_INET/AF_INET6. Only use AF_UNIX alone if ALL tools are
-# local/offline.
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+# need AF_INET/AF_INET6. Node/libuv may also need AF_NETLINK to
+# enumerate network interfaces. Only use AF_UNIX alone if ALL tools
+# are local/offline.
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 #
 # JIT memory: Node.js (bird), Python, and other runtimes with JIT
 # compilers need writable+executable memory. Set to true only if