
fix(sandbox): add credentials directory to writable state layout #1126

Open

latenighthackathon wants to merge 1 commit into NVIDIA:main from latenighthackathon:fix/sandbox-credentials-dir

Conversation


@latenighthackathon latenighthackathon commented Mar 30, 2026

Summary

OpenClaw creates ~/.openclaw/credentials at runtime for storing auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked read-only via Landlock + root-owned DAC, the mkdir fails with EACCES: permission denied.

Same root cause pattern as the memory directory bug fixed in #1061.

Scope note: This PR addresses the credentials directory EACCES (error 3 in #1114). The openclaw.json.*.tmp EACCES errors (errors 1-2 in #1114) are a separate issue — OpenClaw's atomic config write creates temp files in the locked .openclaw/ directory, which requires a different fix (either redirecting temp writes to .openclaw-data/ or unlocking openclaw.json ownership to the sandbox user).

Related Issue

Partially addresses #1114 (fixes credential directory access; openclaw.json temp file writes remain)

Changes

  • Added /sandbox/.openclaw-data/credentials to the writable state directory layout in Dockerfile.base
  • Added symlink /sandbox/.openclaw/credentials -> /sandbox/.openclaw-data/credentials
  • Follows the existing pattern for memory, agents, extensions, etc.

Testing

  • npx prek run --all-files passes (all checks pass; hadolint and ESLint failures are pre-existing on main)
  • npm test passes (38 passed, 1 failed — same baseline as main)

Executed:

  • Full make check equivalent in Docker (Linux): shellcheck, shfmt, hadolint, ESLint, gitleaks, markdownlint, Vitest all pass
  • hadolint Dockerfile.base passes clean (no warnings from our change)
  • No new test failures introduced

Checklist

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>

OpenClaw creates ~/.openclaw/credentials at runtime for storing
auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked
read-only (Landlock + root-owned DAC), the mkdir fails with EACCES.

Add credentials to the .openclaw-data writable layout with a symlink,
matching the pattern used for memory, agents, extensions, etc.

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
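To show the layout the PR describes end to end, here is an added example (not code from the PR or the NVIDIA repository): a POSIX shell script that rebuilds the .openclaw / .openclaw-data layout in a temp directory (an assumption, instead of /sandbox), uses chmod 555 in place of Landlock plus root-owned DAC, and checks that state creation succeeds through each symlink while a direct mkdir in the locked config directory is refused.

```shell
#!/bin/sh
# Added example, not from the PR or the project's Dockerfile.base: rebuilds
# the writable-state layout under a temp dir (assumption: not /sandbox) and
# simulates the read-only lock with chmod, not Landlock + root-owned DAC.
set -u
# Create the layout: a locked config dir whose writable subpaths are symlinks
# into a sibling data dir. Prints the base directory for the caller.
setup_layout() {
  _base=$(mktemp -d)
  _cfg="$_base/.openclaw"
  _data="$_base/.openclaw-data"
  mkdir -p "$_cfg" "$_data"
  # Existing entries (memory, agents, extensions) plus the credentials entry.
  for _d in memory agents extensions credentials; do
    mkdir -p "$_data/$_d"
    ln -s "$_data/$_d" "$_cfg/$_d"
  done
  chmod 555 "$_cfg"          # read-only stand-in for the Landlock lock
  printf '%s\n' "$_base"
}

# Return 0 if a nested mkdir plus a file write under <base>/.openclaw/<name>
# succeeds, i.e. the runtime can create state there through the symlink.
state_dir_writable() {
  _p="$1/.openclaw/$2/probe"
  mkdir -p "$_p" 2>/dev/null && printf 'token\n' >"$_p/t" 2>/dev/null
}

# Return 0 when a direct mkdir inside the locked config dir is refused, which
# is the EACCES OpenClaw hit for credentials before the symlink existed.
locked_dir_refuses_mkdir() {
  ! mkdir "$1/.openclaw/$2" 2>/dev/null
}
base=$(setup_layout)
for d in memory agents extensions credentials; do
  if state_dir_writable "$base" "$d"; then
    echo "ok   $d -> $(readlink "$base/.openclaw/$d")"
  else
    echo "FAIL $d is not writable"
  fi
done
# DAC is bypassed for uid 0, so the negative check only means something unprivileged.
if [ "$(id -u)" -eq 0 ]; then
  echo "skip unprivileged check (running as root)"
elif locked_dir_refuses_mkdir "$base" unlisted; then
  echo "ok   mkdir of an unlisted dir in the locked config is refused (EACCES)"
else
  echo "FAIL locked config dir accepted a direct mkdir"
fi
```

The temp directory is left in place so the resulting tree can be inspected with ls -la.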

coderabbitai bot commented Mar 30, 2026

📝 Walkthrough

Modified Dockerfile.base to create a new writable state directory at /sandbox/.openclaw-data/credentials with a corresponding symlink from /sandbox/.openclaw/credentials. This follows the existing symlink-based pattern for writable paths, extending the read-only config surface to include credential storage.

Changes

  • Cohort / File(s): Docker Filesystem Configuration (Dockerfile.base)
    Summary: Created /sandbox/.openclaw-data/credentials writable directory and established symlink from /sandbox/.openclaw/credentials to support credential storage following the existing writable-state pattern.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A symlink's dance, so neat and fine,
Credentials tucked where they align,
From writable depths to config's face,
Permissions fixed in the right place! 🔑

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Linked Issues check (⚠️ Warning)
    Explanation: The PR addresses only the infrastructure setup part of issue #1114 (adding the directory structure), but does not address the core coding requirements: robust error handling for permission failures, user-facing messages, file I/O fixes, or testing.
    Resolution: Implement error handling, permission failure messages, and complete file I/O fixes in OpenClaw code. Add tests validating non-root execution and WhatsApp credential storage, or clarify if this is a prerequisite PR.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title 'fix(sandbox): add credentials directory to writable state layout' accurately describes the main change: adding a credentials directory to the sandbox writable state layout following existing patterns.
  • Out of Scope Changes check (✅ Passed): The changes are appropriately scoped: only adding a credentials directory and symlink to the Dockerfile.base, directly supporting the writable state layout requirement from issue #1114.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.


cv assigned cv and ericksoa Mar 31, 2026