
fix(sandbox): add credentials directory to writable state layout#1126

Open
latenighthackathon wants to merge 4 commits intoNVIDIA:mainfrom
latenighthackathon:fix/sandbox-credentials-dir

Conversation

@latenighthackathon (Contributor) commented Mar 30, 2026

Summary

OpenClaw creates ~/.openclaw/credentials at runtime for storing auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked read-only via Landlock + root-owned DAC, the mkdir fails with EACCES: permission denied.

Same root cause pattern as the memory directory bug fixed in #1061.

Scope note: This PR addresses the credentials directory EACCES (error 3 in #1114). The openclaw.json.*.tmp EACCES errors (errors 1-2 in #1114) are a separate issue — OpenClaw's atomic config write creates temp files in the locked .openclaw/ directory, which requires a different fix (either redirecting temp writes to .openclaw-data/ or unlocking openclaw.json ownership to the sandbox user).

Related Issue

Partially addresses #1114 (fixes credential directory access; openclaw.json temp file writes remain)

Changes

  • Added /sandbox/.openclaw-data/credentials to the writable state directory layout in Dockerfile.base
  • Added symlink /sandbox/.openclaw/credentials -> /sandbox/.openclaw-data/credentials
  • Follows the existing pattern for memory, agents, extensions, etc.

Testing

  • npx prek run --all-files passes (all checks pass; hadolint and ESLint failures are pre-existing on main)
  • npm test passes (38 passed, 1 failed — same baseline as main)

Executed:

  • Full make check equivalent in Docker (Linux): shellcheck, shfmt, hadolint, ESLint, gitleaks, markdownlint, Vitest all pass
  • hadolint Dockerfile.base passes clean (no warnings from our change)
  • No new test failures introduced

Checklist

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>

Summary by CodeRabbit

  • Chores
    • Extended base environment configuration with an additional writable directory structure to support enhanced system operations.
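The layout the PR adds is a small filesystem pattern: a locked .openclaw tree whose state subdirectories are symlinks into a writable .openclaw-data tree, so that a runtime mkdir or file write through the locked path lands in the writable one. The script below is an added example, not code from this PR or from NemoClaw's Dockerfile.base; it rebuilds that layout under a scratch root, writes a constructed token through the credentials symlink, and shows the pre-fix failure (a direct mkdir inside the locked tree) for comparison. Directory names mirror the page; the mode bits used to simulate root-owned, read-only DAC, the function names and the token file name are assumptions of this example, and Landlock is not reproduced.

```shell
#!/bin/sh
# Added example, not code from the PR or from NemoClaw's Dockerfile.base:
# rebuilds the writable-state layout the PR describes under a scratch
# root so the redirect can be checked outside the image. Paths mirror the
# page (.openclaw locked, .openclaw-data writable, per-directory symlinks);
# the mode bits and the "token" file name are assumptions of this example.

# Lay out $1/.openclaw (locked) and $1/.openclaw-data (writable); $2 is a
# space-separated list of state subdirectories to redirect via symlink.
build_state_layout() {
    root="$1"
    subdirs="$2"
    mkdir -p "$root/.openclaw" "$root/.openclaw-data"
    for d in $subdirs; do
        mkdir -p "$root/.openclaw-data/$d"
        # Absolute symlink in the PR's direction: .openclaw/<d> -> .openclaw-data/<d>
        ln -sfn "$root/.openclaw-data/$d" "$root/.openclaw/$d"
    done
    # Stand-in for the image's root-owned, read-only .openclaw (Landlock is
    # not reproduced here): drop write permission so mkdir inside it fails.
    chmod 0555 "$root/.openclaw"
}

# Write a constructed token via the locked path and print where it landed.
# Returns non-zero if the write itself was refused.
write_through_link() {
    root="$1"
    printf 'constructed-sample-token\n' > "$root/.openclaw/credentials/token" || return 1
    readlink -f "$root/.openclaw/credentials/token"
}

# The failure mode before the fix: creating the directory directly inside
# the locked tree. Returns 0 when mkdir is refused (EACCES for a non-root
# user) and 1 when it succeeds; root bypasses DAC, so this check is only
# meaningful when run unprivileged.
mkdir_in_locked_tree_refused() {
    root="$1"
    if mkdir "$root/.openclaw/credentials-direct" 2>/dev/null; then
        rmdir "$root/.openclaw/credentials-direct"
        return 1
    fi
    return 0
}

# Restore write permission on the locked tree before removing the scratch root.
cleanup_layout() {
    chmod 0755 "$1/.openclaw" 2>/dev/null
    rm -rf "$1"
}

# Stand-alone demo against a temporary root.
demo_root=$(mktemp -d)
build_state_layout "$demo_root" "credentials memory agents extensions"
printf 'token written to: %s\n' "$(write_through_link "$demo_root")"
if mkdir_in_locked_tree_refused "$demo_root"; then
    echo "direct mkdir in locked .openclaw refused (EACCES), as before the fix"
else
    echo "direct mkdir succeeded (running as root; DAC does not apply)"
fi
cleanup_layout "$demo_root"
```

The write succeeds because path resolution only needs search permission on .openclaw to follow the symlink, while the final component is created inside the writable .openclaw-data tree; the direct mkdir fails because creating an entry needs write permission on .openclaw itself. That is also why the PR's scope note is right that openclaw.json.*.tmp writes are a separate problem: those temp files are created in .openclaw itself, which no per-directory symlink can redirect.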

coderabbitai bot (Contributor) commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Run configuration: path .coderabbit.yaml; review profile CHILL; plan Pro; run ID 6e25efb5-5758-4940-bdcc-4a0772c6bf01

Commits: reviewing files that changed from the base of the PR and between 1fcc80c and ef490bc.

Files selected for processing (1):
  • Dockerfile.base

Files skipped from review due to trivial changes (1):
  • Dockerfile.base

Walkthrough

Modified Dockerfile.base to create a new writable directory /sandbox/.openclaw-data/credentials and a symlink /sandbox/.openclaw/credentials pointing to it, extending the existing .openclaw-data writable-state pattern for credential storage.

Changes

  • Docker Filesystem Configuration (Dockerfile.base): added creation of /sandbox/.openclaw-data/credentials and a symlink /sandbox/.openclaw/credentials to route credential storage to the writable .openclaw-data location.

Estimated code review effort: 1 (Trivial), ~2 minutes

Poem

🐇 I made a nook where secrets hide,
A little link to place them inside,
From read-only shelf to writable bed,
Safe credentials rest their head,
Hopping happy — all set and fed.

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'fix(sandbox): add credentials directory to writable state layout' accurately and concisely summarizes the main change: adding a credentials directory to the sandbox's writable state layout in Dockerfile.base.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@cv cv assigned cv and ericksoa Mar 31, 2026
@wscurran wscurran added labels bug (Something isn't working), Getting Started (Use this label to identify setup, installation, or onboarding issues) and priority: high (Important issue that should be resolved in the next release) Mar 31, 2026
@cv cv enabled auto-merge (squash) April 1, 2026 04:13

OpenClaw creates ~/.openclaw/credentials at runtime for storing
auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked
read-only (Landlock + root-owned DAC), the mkdir fails with EACCES.

Add credentials to the .openclaw-data writable layout with a symlink,
matching the pattern used for agents and other writable paths.

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
auto-merge was automatically disabled April 2, 2026 23:29

Head branch was pushed to by a user without write access

@latenighthackathon latenighthackathon force-pushed the fix/sandbox-credentials-dir branch from 3039ed2 to ef490bc April 2, 2026 23:29
Dongni-Yang added a commit to Dongni-Yang/NemoClaw that referenced this pull request Apr 3, 2026
Remove the Dockerfile.base credentials directory changes to avoid
overlap with PR NVIDIA#1126 which already addresses that fix.

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>