fix(sandbox): add .openclaw/memory dir and symlink to base image

[jneeee]

The sandbox Dockerfile.base was missing the memory directory from the .openclaw-data writable state layout. OpenClaw stores its SQLite memory index under ~/.openclaw/memory, but this path was neither created nor symlinked during image build.

Since .openclaw is locked read-only (Landlock + DAC) at runtime, the sandbox user (uid 998) could not create ~/.openclaw/memory on the fly, causing every agent message to fail with:
400 No connected db

Fix: add /sandbox/.openclaw-data/memory to the mkdir -p block and add the corresponding symlink /sandbox/.openclaw/memory -> .openclaw-data/memory, consistent with all other writable OpenClaw state directories.

Tested: docker run on node:22-slim confirmed memory symlink is created and sandbox user can write files through it.

Fixes #1053

Summary

Related Issue

Changes

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

Summary by CodeRabbit

• Chores
  • Updated base image configuration to establish dedicated memory storage infrastructure for OpenClaw CLI operations, enabling enhanced data persistence capabilities within the sandbox environment.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 28beddfe-8a31-4526-8ef8-467fb92559c9

📥 Commits

Reviewing files that changed from the base of the PR and between eb4ba8c and 29b3e3b.

📒 Files selected for processing (1)

• Dockerfile.base

---

📝 Walkthrough

Walkthrough

Added a writable memory subdirectory /sandbox/.openclaw-data/memory to the base Dockerfile with a corresponding symlink /sandbox/.openclaw/memory. This extends the existing symlink structure and provides the necessary directory ownership for the sandbox user.

Changes

Cohort / File(s)	Summary
Base Dockerfile Configuration Dockerfile.base	Added creation of /sandbox/.openclaw-data/memory directory and symlink /sandbox/.openclaw/memory to ensure proper directory structure and ownership for sandbox user memory storage.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops around the memory directory with glee

A symlink here, a directory there,
The rabbit hops with utmost care—
Memory flows where sandbox can write,
No more 400 errors in sight! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding a .openclaw/memory directory and symlink to the base image to fix the missing directory issue.
Linked Issues check	✅ Passed	The PR directly addresses issue #1053 by creating /sandbox/.openclaw-data/memory and the corresponding symlink, enabling the sandbox user to write the SQLite memory index without permission errors.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing the missing memory directory issue; no unrelated modifications are present in the Dockerfile.base changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kjw3]

@jneeee Thanks for the fix here. I checked the change against #1053, and the code itself looks correct.

To be able to merge this PR, you need to fix the verified signatures on your commits. Once the branch is updated with fully verified signed commit(s), this can be re-reviewed.