fix(recovery): preserve controlled drain lane assets

scripts/reboot-recovery/awoooi-startup-110.sh

@@ -342,6 +342,47 @@ EOF
     rm -f "$tmp"
 }
 
+install_controlled_cd_lane_drain_unit() {
+    local unit_file="/etc/systemd/system/$CD_LANE_DRAIN_SERVICE"
+    local tmp
+    chattr -i "$unit_file" "$CD_LANE_DRAIN_BINARY" >/dev/null 2>&1 || true
+    if [ -L "$unit_file" ] && [ "$(readlink "$unit_file" 2>/dev/null || true)" = "/dev/null" ]; then
+        rm -f "$unit_file" >/dev/null 2>&1 || true
+    fi
+    tmp="$(mktemp)"
+    cat >"$tmp" <<EOF
+[Unit]
+Description=AWOOOI controlled CD lane drain bypass for old queued guards
+After=network-online.target docker.service
+Wants=network-online.target
+Requires=docker.service
+
+[Service]
+Type=simple
+User=wooo
+WorkingDirectory=${CD_LANE_DRAIN_DIR}/data
+Environment=HOME=/home/wooo
+Environment=AWOOOI_CONTROLLED_RUNNER_OPEN=1
+Environment=HOST_WEB_BUILD_PRESSURE_ATTEMPTS=1
+Environment=HOST_WEB_BUILD_PRESSURE_SLEEP_SECONDS=1
+ExecStart=${CD_LANE_DRAIN_BINARY} daemon --config ${CD_LANE_DRAIN_CONFIG}
+Restart=always
+RestartSec=10
+KillSignal=SIGINT
+TimeoutStopSec=3700
+SuccessExitStatus=0 130 143
+CPUQuota=250%
+MemoryHigh=8G
+MemoryMax=12G
+TasksMax=512
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    install -o root -g root -m 0644 "$tmp" "$unit_file" >/dev/null 2>&1 || true
+    rm -f "$tmp"
+}
+
 cd_lane_config_path_is_controlled() {
     local config_path="$1"
     [ -f "$config_path" ] || return 1
@@ -371,6 +412,12 @@ cd_lane_drain_is_controlled_open() {
     return 0
 }
 
+cd_lane_drain_is_controlled_available() {
+    cd_lane_drain_config_is_controlled || return 1
+    file "$CD_LANE_DRAIN_BINARY" 2>/dev/null | grep -qi "ELF" || return 1
+    return 0
+}
+
 quarantine_cd_lane_registration_fail_closed() {
     local quarantine_dir
     local lane_dir
@@ -403,14 +450,20 @@ quarantine_cd_lane_registration_fail_closed() {
 
 apply_cd_lane_fail_closed_guard() {
     local unit
-    if cd_lane_drain_is_controlled_open; then
-        log "✅ controlled cd-lane drain verifier passed; preserving drain lane and fail-closing regular lane only"
+    if cd_lane_drain_is_controlled_available; then
+        if cd_lane_drain_is_controlled_open; then
+            log "✅ controlled cd-lane drain verifier passed; preserving drain lane and fail-closing regular lane only"
+        else
+            log "✅ controlled cd-lane drain assets verified; restoring drain unit and fail-closing regular lane only"
+        fi
         systemctl kill --signal=SIGKILL "$CD_LANE_SERVICE" >/dev/null 2>&1 || true
         systemctl stop "$CD_LANE_SERVICE" >/dev/null 2>&1 || true
         systemctl disable "$CD_LANE_SERVICE" >/dev/null 2>&1 || true
         install_cd_lane_fail_closed_unit
         pkill -KILL -f "^${CD_LANE_BINARY} daemon" >/dev/null 2>&1 || true
+        install_controlled_cd_lane_drain_unit
         systemctl daemon-reload >/dev/null 2>&1 || true
+        systemctl enable --now "$CD_LANE_DRAIN_SERVICE" >/dev/null 2>&1 || true
         return 0
     fi
     if { [ -e "$CD_LANE_ENABLE_SENTINEL" ] || [ -e "/run/awoooi-cd-lane-controlled-open" ] || [ "$START_CONTROLLED_CD_LANE" = "1" ]; } \