fix: dnsmasq path detection and WiFi rfkill persistence

- dns-hijack.js: replace `which` with multi-path search (/usr/sbin etc.)
  since dnsmasq is often not in normal user PATH
- install.sh: auto-enable NetworkManager for WiFi provisioning
- install.sh: unblock WiFi rfkill at install time
- install.sh: create clawd-rfkill.service for persistent boot-time unlock

Made-with: Cursor

lib/dns-hijack.js

@@ -64,15 +64,14 @@ class DnsHijack {
     // 终止系统可能残留的 dnsmasq
     try { execSync('pkill -f "dnsmasq.*clawd"', { timeout: 3000 }); } catch (_) {}
 
-    // 检查 dnsmasq 是否安装
-    try {
-      execSync('which dnsmasq', { timeout: 3000 });
-    } catch (_) {
+    // 查找 dnsmasq 二进制（/usr/sbin 可能不在普通用户 PATH 中）
+    const dnsmasqBin = findBin('dnsmasq');
+    if (!dnsmasqBin) {
       log.error('dns', 'dnsmasq 未安装，请运行: apt install dnsmasq');
       return;
     }
 
-    this._watchdog = new Watchdog('dns', 'dnsmasq', [
+    this._watchdog = new Watchdog('dns', dnsmasqBin, [
       '--no-daemon',
       `--conf-file=${DNSMASQ_CONF}`,
     ], {
@@ -96,4 +95,16 @@ class DnsHijack {
   }
 }
 
+function findBin(name) {
+  const searchPaths = ['/usr/sbin', '/usr/bin', '/sbin', '/bin', '/usr/local/sbin', '/usr/local/bin'];
+  for (const dir of searchPaths) {
+    const full = path.join(dir, name);
+    if (fs.existsSync(full)) return full;
+  }
+  // 兜底尝试 which（PATH 可能已包含）
+  try {
+    return execSync(`which ${name}`, { encoding: 'utf8', timeout: 3000 }).trim() || null;
+  } catch (_) { return null; }
+}
+
 module.exports = { DnsHijack, CAPTIVE_DOMAIN };