fix(sandbox): add credentials directory to writable state layout

[latenighthackathon]

Summary

OpenClaw creates ~/.openclaw/credentials at runtime for storing auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked read-only via Landlock + root-owned DAC, the mkdir fails with EACCES: permission denied.

Same root cause pattern as the memory directory bug fixed in #1061.

Scope note: This PR addresses the credentials directory EACCES (error 3 in #1114). The openclaw.json.*.tmp EACCES errors (errors 1-2 in #1114) are a separate issue — OpenClaw's atomic config write creates temp files in the locked .openclaw/ directory, which requires a different fix (either redirecting temp writes to .openclaw-data/ or unlocking openclaw.json ownership to the sandbox user).

Related Issue

Partially addresses #1114 (fixes credential directory access; openclaw.json temp file writes remain)

Changes

• Added /sandbox/.openclaw-data/credentials to the writable state directory layout in Dockerfile.base
• Added symlink /sandbox/.openclaw/credentials -> /sandbox/.openclaw-data/credentials
• Follows the existing pattern for memory, agents, extensions, etc.

Testing

• npx prek run --all-files passes (all checks pass; hadolint and ESLint failures are pre-existing on main)
• npm test passes (38 passed, 1 failed — same baseline as main)

Executed:

• Full make check equivalent in Docker (Linux): shellcheck, shfmt, hadolint, ESLint, gitleaks, markdownlint, Vitest all pass
• hadolint Dockerfile.base passes clean (no warnings from our change)
• No new test failures introduced

Checklist

• Follows Conventional Commits
• Commits are signed

[coderabbitai]

📝 Walkthrough

Walkthrough

Modified Dockerfile.base to create a new writable state directory at /sandbox/.openclaw-data/credentials with a corresponding symlink from /sandbox/.openclaw/credentials. This follows the existing symlink-based pattern for writable paths, extending the read-only config surface to include credential storage.

Changes

Cohort / File(s)	Summary
Docker Filesystem Configuration Dockerfile.base	Created /sandbox/.openclaw-data/credentials writable directory and established symlink from /sandbox/.openclaw/credentials to support credential storage following the existing writable-state pattern.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A symlink's dance, so neat and fine,
Credentials tucked where they align,
From writable depths to config's face,
Permissions fixed in the right place! 🔑

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR addresses only the infrastructure setup part of issue #1114 (adding the directory structure), but does not address the core coding requirements: robust error handling for permission failures, user-facing messages, file I/O fixes, or testing.	Implement error handling, permission failure messages, and complete file I/O fixes in OpenClaw code. Add tests validating non-root execution and WhatsApp credential storage, or clarify if this is a prerequisite PR.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(sandbox): add credentials directory to writable state layout' accurately describes the main change: adding a credentials directory to the sandbox writable state layout following existing patterns.
Out of Scope Changes check	✅ Passed	The changes are appropriately scoped: only adding a credentials directory and symlink to the Dockerfile.base, directly supporting the writable state layout requirement from issue #1114.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}