openclaw.json locked root:root 444 at build time blocks post-onboard channel configuration

[harrism]

Summary

openclaw.json is baked into the sandbox image as root:root 444 at build time.
This is intentional for protecting auth tokens and CORS config, but it also blocks
any post-onboard configuration that writes to the same file — specifically, adding
channel integrations (Telegram, WhatsApp, etc.).

Steps to reproduce

1. Run nemoclaw onboard (no channels configured at this stage)
2. Inside the sandbox, run openclaw channels add --channel telegram --token <token>
3. Result: "Unknown channel: telegram" — because channels.telegram must
   pre-exist in openclaw.json before channels add can update it
4. Attempt to add channels.telegram directly to openclaw.json:
   — file is root:root 444, unwritable by the sandbox user

Workaround

Requires raw kubectl exec from the host, where <sandbox-name> is the name
given to the sandbox at onboard time (e.g. the value passed to nemoclaw onboard):

docker exec openshell-cluster-nemoclaw \
  kubectl exec -n openshell <sandbox-name> -- \
  chmod 644 /sandbox/.openclaw/openclaw.json

docker exec openshell-cluster-nemoclaw \
  kubectl exec -n openshell <sandbox-name> -- \
  chown sandbox:sandbox /sandbox/.openclaw/openclaw.json

Then manually edit openclaw.json to add the channel config, and restart the gateway.
This access path is undocumented and requires knowledge of the internal k3s cluster
structure that NemoClaw manages.

Expected behavior

Either:

• nemoclaw onboard accepts channel tokens as arguments and pre-populates `openclaw.json`
  before locking it, OR
• A supported command exists (e.g. nemoclaw config set channels.telegram.token <token>)
  that can write to the protected file with appropriate privilege, OR
• The channel config section of openclaw.json is separated from the auth/CORS config
  and stored in /sandbox/.openclaw-data (already writable by sandbox)

Environment

• NemoClaw v0.1.0
• OpenShell v0.0.14

[dknos]

Workaround: push channel config to the writable agents directory via SSH

The openclaw.json is locked at root:root 444, but the agents directory at /sandbox/.openclaw/agents/main/agent/ is writable. You can push model and auth config there without touching the protected file.

For channel/model config that survives the locked root file:

SSH_CONF=$(mktemp)
openshell sandbox ssh-config my-assistant > "$SSH_CONF"

# Push models.json to the writable agents dir
cat > /tmp/models.json << 'EOF2'
{"primary":"your-provider/your-model"}
EOF2
ssh -T -F "$SSH_CONF" "openshell-my-assistant" \
  "mkdir -p /sandbox/.openclaw/agents/main/agent"
ssh -T -F "$SSH_CONF" "openshell-my-assistant" \
  "cat > /sandbox/.openclaw/agents/main/agent/models.json" < /tmp/models.json

# Set via CLI inside sandbox
ssh -T -F "$SSH_CONF" "openshell-my-assistant" \
  "openclaw models set your-provider/your-model 2>/dev/null || true"

rm -f "$SSH_CONF"

For Telegram/Discord channel tokens specifically: rather than modifying openclaw.json, run standalone bridge processes on the host that communicate with the agent via openclaw agent --message over SSH. This bypasses the locked config entirely and has proven more reliable than the built-in channel system on WSL2. See #979 and #1046 for the host-bridge pattern.

[ericksoa]

The primary pain point here — messaging channel configuration blocked by the locked openclaw.json — is now worked around by #1081: channels are baked into the image at build time via NEMOCLAW_MESSAGING_CHANNELS_B64, and credentials flow through the OpenShell provider system. No post-onboard writes to openclaw.json are needed for messaging.

The broader root:root 444 immutability issue remains open. Draft PR #940 is the candidate fix for runtime config mutability, but it's still a draft — working on upstream alignment to avoid requiring shim patches to land.