feat(gui): Gateway Lifecycle GUI Controls

discord-fix-patch.diff

@@ -0,0 +1,130 @@
+diff --git a/README.md b/README.md
+index 3d2f74d..0347944 100644
+--- a/README.md
++++ b/README.md
+@@ -517,6 +517,7 @@ We've extended the original into a full management platform by:
+ - Implementing an **extensions catalog** for installing integrations (Discord, Telegram, Slack, etc.) with network policies, credentials, and in-sandbox packages
+ - Implementing a **bidirectional WebSocket proxy** tunnelling the React frontend to the OpenClaw gateway daemon via gRPC `ExecSandbox` stdin/stdout for real-time agent tool-use approvals
+ - Building **feature parity** with the upstream NemoClaw reference implementation: exec approvals, skills viewer, plugin manager, memory search, and cron scheduler — all backed by the sandboxed OpenClaw gateway API
++- **Resolving upstream OpenClaw 2026.3.11 bugs** with strict configuration schema validation, bypassing buggy CLI operations to explicitly inject Discord and other extension properties correctly into the agent runtime configuration.
+
+ The core sandbox security model — Landlock, seccomp, network namespace isolation, and policy-enforced egress — remains as NVIDIA designed it.
+
+diff --git a/gui/server/index.js b/gui/server/index.js
+index ee1bef3..6096e2f 100644
+--- a/gui/server/index.js
++++ b/gui/server/index.js
+@@ -1573,6 +1573,8 @@ app.post('/api/chat/message', async (req, res) => {
+     // that don't inherit the gRPC-injected top-level environment.
+     // Also source the persistent .channel-env file written during install.
+     const envExports = [
++        // Point OpenClaw at the writable config we created during extension sync
++        'export OPENCLAW_CONFIG_PATH=/sandbox/.openclaw-data/openclaw.json',
+         // Source the persistent env file written by the install/sync-channel route
+         '[ -f /sandbox/.openclaw-data/.channel-env ] && . /sandbox/.openclaw-data/.channel-env',
+         // Export each extension credential explicitly
+diff --git a/gui/server/routes/extensions.js b/gui/server/routes/extensions.js
+index 8b62911..fccfda2 100644
+--- a/gui/server/routes/extensions.js
++++ b/gui/server/routes/extensions.js
+@@ -141,7 +141,7 @@ function collectExecResult(stream) {
+  * @param {string} token      - bot token to inject
+  * @returns {Promise<{ok: boolean, message: string}>}
+  */
+-async function configureChannelInSandbox(sandboxId, channelKey, token) {
++async function configureChannelInSandbox(sandboxId, sandboxName, channelKey, token) {
+     // Map channel key to its env var name (openclaw env fallback convention)
+     const envVarMap = {
+         discord: 'DISCORD_BOT_TOKEN',
+@@ -153,7 +153,7 @@ async function configureChannelInSandbox(sandboxId, channelKey, token) {
+     // Step 1: Write a persistent env file inside the sandbox data volume.
+     // Token is passed as argv[1] to Python to bypass all shell quoting hazards.
+     const pyScript = [
+-        'import os, sys, json',
++        'import os, sys, json, shutil',
+         "env_dir = '/sandbox/.openclaw-data'",
+         'os.makedirs(env_dir, exist_ok=True)',
+         "env_file = os.path.join(env_dir, '.channel-env')",
+@@ -162,15 +162,23 @@ async function configureChannelInSandbox(sandboxId, channelKey, token) {
+         `    f.write("export ${envVar}=" + repr(tok) + "\\n")`,
+         'os.chmod(env_file, 0o600)',
+         '',
+-        '# Directly enable the channel in openclaw.json to bypass doctor CLI bugs',
+-        "config_file = '/sandbox/.openclaw/openclaw.json'",
+-        'if os.path.exists(config_file):',
++        '# Clone read-only openclaw.json to a writable volume so doctor can fix it',
++        "orig_config = '/sandbox/.openclaw/openclaw.json'",
++        "writable_config = os.path.join(env_dir, 'openclaw.json')",
++        'if os.path.exists(orig_config):',
+         '    try:',
+-        '        with open(config_file, "r") as f: data = json.load(f)',
++        '        with open(orig_config, "r") as f: data = json.load(f)',
++        '        ',
++        '        # Ensure channel is explicitly enabled in config',
++        `        ch = "${channelKey}"`,
+         '        if "channels" not in data: data["channels"] = {}',
+-        '        if "defaults" not in data["channels"]: data["channels"]["defaults"] = {}',
+-        `        data["channels"]["defaults"]["${channelKey}"] = True`,
+-        '        with open(config_file, "w") as f: json.dump(data, f, indent=2)',
++        '        if ch not in data["channels"]: data["channels"][ch] = {}',
++        '        data["channels"][ch]["enabled"] = True',
++        '        ',
++        '        # Remove plugins field if it exists, as stock plugins do not need it and it trips the validator',
++        '        if "plugins" in data: del data["plugins"]',
++        '        ',
++        '        with open(writable_config, "w") as f: json.dump(data, f, indent=2)',
+         '    except Exception as e: print("Config warning:", e)',
+         '',
+         'print("ENV_WRITTEN")',
+@@ -198,15 +206,15 @@ async function configureChannelInSandbox(sandboxId, channelKey, token) {
+         // so it survives in the daemon's env regardless of sourcing.
+         const restartCmd = [
+             // Source the env file so this shell has the token
+-            '. /sandbox/.openclaw-data/.channel-env 2>/dev/null || true',
+-            // Kill any existing gateway
+-            'pkill -f "openclaw gateway" 2>/dev/null || pkill -f "nemoclaw-gateway" 2>/dev/null || true',
++            '[ -f /sandbox/.openclaw-data/.channel-env ] && . /sandbox/.openclaw-data/.channel-env || true',
++            // Kill any existing gateway, accounting for process name truncation
++            'pkill -f "gateway run" 2>/dev/null || pkill -f "openclaw-gatewa" 2>/dev/null || pkill -f "openclaw gateway" 2>/dev/null || true',
+             'sleep 1',
+             // Find the openclaw binary wherever it lives
+             'OPENCLAW_BIN=$(which openclaw 2>/dev/null || ls /usr/local/bin/openclaw /usr/bin/openclaw /root/.local/bin/openclaw /home/user/.local/bin/openclaw 2>/dev/null | head -1)',
+             // Start the gateway with the token explicitly in its env using the `env` trick
+             // nohup ensures it keeps running after this shell exits
+-            `[ -n "$OPENCLAW_BIN" ] && nohup env ${envVar}=$${envVar} "$OPENCLAW_BIN" gateway run --allow-unconfigured --auth none > /tmp/gateway.log 2>&1 & echo "GATEWAY_STARTED:$!" || echo "GATEWAY_BIN_NOT_FOUND"`,
++            `[ -n "$OPENCLAW_BIN" ] && export OPENCLAW_CONFIG_PATH=/sandbox/.openclaw-data/openclaw.json && export ${envVar}=$${envVar} && nohup "$OPENCLAW_BIN" gateway run --allow-unconfigured --auth none > /tmp/gateway.log 2>&1 & echo "GATEWAY_STARTED:$!" || echo "GATEWAY_BIN_NOT_FOUND"`,
+         ].join('; ');
+
+         const restartStream = grpcClient.execSandbox(sandboxId, [
+@@ -233,11 +241,11 @@ async function configureChannelInSandbox(sandboxId, channelKey, token) {
+     // updateConfig uses settingKey/settingValue to set sandbox-scoped settings.
+     try {
+         if (typeof grpcClient.updateConfig === 'function') {
+-            await grpcClient.updateConfig(sandboxId, {
++            await grpcClient.updateConfig(sandboxName, {
+                 settingKey: envVar,
+                 settingValue: { stringValue: token },
+             });
+-            await grpcClient.updateConfig(sandboxId, {
++            await grpcClient.updateConfig(sandboxName, {
+                 settingKey: `channels.defaults.${channelKey}`,
+                 settingValue: { boolValue: true },
+             });
+@@ -398,7 +406,7 @@ router.post('/api/extensions/install', async (req, res) => {
+                 sandboxId = resp.sandbox?.id || sandboxName;
+             } catch { /* fall back to name */ }
+
+-            const cfgResult = await configureChannelInSandbox(sandboxId, ext.channelName, credential);
++            const cfgResult = await configureChannelInSandbox(sandboxId, sandboxName, ext.channelName, credential);
+             steps.push({
+                 step: 'channel',
+                 status: cfgResult.ok ? 'complete' : 'warning',
+@@ -650,7 +658,7 @@ router.post('/api/extensions/sync-channel', async (req, res) => {
+             sandboxId = resp.sandbox?.id || sandboxName;
+         } catch { /* use name as fallback */ }
+
+-        const result = await configureChannelInSandbox(sandboxId, ext.channelName, credential);
++        const result = await configureChannelInSandbox(sandboxId, sandboxName, ext.channelName, credential);
+
+         res.json({
+             ok: result.ok,