From 1fcc80cd9c0e8501416c47e5f9f5b51e96b9f935 Mon Sep 17 00:00:00 2001
From: latenighthackathon
Date: Mon, 30 Mar 2026 18:23:15 -0500
Subject: [PATCH] fix(sandbox): add credentials directory to writable state layout

OpenClaw creates ~/.openclaw/credentials at runtime for storing auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked read-only (Landlock + root-owned DAC), the mkdir fails with EACCES. Add credentials to the .openclaw-data writable layout with a symlink, matching the pattern used for memory, agents, extensions, etc.

Signed-off-by: latenighthackathon
---
 Dockerfile.base | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile.base b/Dockerfile.base
index 3fd658485..b361c2c02 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -102,6 +102,7 @@ RUN mkdir -p /sandbox/.openclaw-data/agents/main/agent \
 /sandbox/.openclaw-data/canvas \
 /sandbox/.openclaw-data/cron \
 /sandbox/.openclaw-data/memory \
+ /sandbox/.openclaw-data/credentials \
 && mkdir -p /sandbox/.openclaw \
 && ln -s /sandbox/.openclaw-data/agents /sandbox/.openclaw/agents \
 && ln -s /sandbox/.openclaw-data/extensions /sandbox/.openclaw/extensions \
@@ -113,6 +114,7 @@ RUN mkdir -p /sandbox/.openclaw-data/agents/main/agent \
 && ln -s /sandbox/.openclaw-data/canvas /sandbox/.openclaw/canvas \
 && ln -s /sandbox/.openclaw-data/cron /sandbox/.openclaw/cron \
 && ln -s /sandbox/.openclaw-data/memory /sandbox/.openclaw/memory \
+ && ln -s /sandbox/.openclaw-data/credentials /sandbox/.openclaw/credentials \
 && touch /sandbox/.openclaw-data/update-check.json \
 && ln -s /sandbox/.openclaw-data/update-check.json /sandbox/.openclaw/update-check.json \
 && chown -R sandbox:sandbox /sandbox/.openclaw /sandbox/.openclaw-data
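Review bot: The new `/sandbox/.openclaw-data/credentials` directory in the first hunk gets no explicit mode, so it takes whatever the build umask gives `mkdir -p` (typically 0755) and is only covered by the trailing `chown -R sandbox:sandbox`. A directory the commit message says holds auth tokens therefore ends up no more restricted than `canvas` or `cron`. Consider adding `&& chmod 700 /sandbox/.openclaw-data/credentials \` to the same chain, with a comment above the instruction such as `# credentials: runtime-writable, holds auth tokens; keep mode 0700`. The symlink in the second hunk also moves token storage out of the read-only `.openclaw` tree into the writable one, so anything running as `sandbox` can read or replace the tokens; that is presumably accepted, but worth stating in the comment. The RUN instruction starts above the first hunk, so the full chain is not visible here.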