fix: pass Discord and Slack bot tokens via env vars into sandbox

[ericksoa]

Summary

• Pass DISCORD_BOT_TOKEN and SLACK_BOT_TOKEN as env vars into the sandbox at creation time
• Forward both tokens in the Brev/VM deploy path
• Disable channels.defaults.configWrites in the build-time openclaw.json to prevent channel plugins from writing to the immutable config
• Add Discord endpoints (discord.com, gateway.discord.gg, cdn.discordapp.com) to the default baseline sandbox policy

Context

PR #588 made openclaw.json immutable to prevent agent tampering with gateway auth tokens. Community users reported that OpenClaw's Discord integration fails because it tries to write the bot token to the now-immutable config.

OpenClaw already supports reading DISCORD_BOT_TOKEN from an environment variable and auto-enables the Discord channel when present. This PR passes the token through at sandbox creation time — the same pattern already used for NVIDIA_API_KEY and TELEGRAM_BOT_TOKEN.

Closes #599
Closes #606

Test plan

• Unit tests pass (187/187)
• Full E2E pass (17/17) — install, onboard, sandbox verification, live inference, cleanup
• Set DISCORD_BOT_TOKEN env var, run onboard, verify token is available inside sandbox
• Verify no EPERM errors in gateway logs from configWrites
• Verify openclaw.json remains immutable (root:root, 444)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6cb666cc-f091-4b1f-921d-ace53819ecb5

📥 Commits

Reviewing files that changed from the base of the PR and between 685d3a0 and c15cbce.

📒 Files selected for processing (1)

• nemoclaw-blueprint/policies/openclaw-sandbox.yaml

---

📝 Walkthrough

Walkthrough

Docker build now injects an extra channels.defaults.configWrites: False into generated openclaw.json. Sandbox and VM deployment paths were updated to pass Discord and Slack bot tokens as environment variables (resolved via getCredential() with env fallbacks) instead of relying on runtime writes to immutable config.

Changes

Cohort / File(s)	Summary
Docker build config Dockerfile	Inline Python that generates openclaw.json now adds channels: { defaults: { configWrites: False } }, making default channel config writes disabled in the built image.
Sandbox & onboarding runtime bin/lib/onboard.js	createSandbox(gpu) now conditionally includes DISCORD_BOT_TOKEN and SLACK_BOT_TOKEN in envArgs, each from getCredential() with process.env fallback and shell-quoted when present.
VM deployment (.env) population bin/nemoclaw.js	deploy(instanceName) now conditionally adds DISCORD_BOT_TOKEN and SLACK_BOT_TOKEN (via getCredential) to the generated Brev VM .env file when available.
Network policy additions nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Updated comment to reference Telegram and Discord; added network_policies.discord policy allowing HTTPS to discord.com, gateway.discord.gg, and cdn.discordapp.com (port 443) with tls: terminate, enforcement: enforce, and GET/POST to /**.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer/CLI
  participant Cred as Credential Store (getCredential)
  participant Docker as Docker build
  participant Sandbox as Sandbox (openshell)
  participant VM as Brev VM
  participant OpenClaw as OpenClaw runtime

  Dev->>Docker: build image (inline python -> openclaw.json)
  Docker-->>OpenClaw: image with configWrites: False

  Dev->>Cred: request DISCORD_BOT_TOKEN / SLACK_BOT_TOKEN
  Cred-->>Dev: token (if present)

  Dev->>Sandbox: createSandbox(...) with envArgs (include tokens)
  Sandbox->>OpenClaw: start runtime with env vars

  Dev->>VM: deploy(instance) -> generate .env (include tokens)
  VM->>OpenClaw: start service with .env environment

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A rabbit sniffed the locked-up file,
No scribble, no scratch, not even a style.
So I tucked tokens in envs that fly,
Through sandbox gates and VMs high,
Hopping safe where configs can’t cry. 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: passing Discord and Slack bot tokens as environment variables into the sandbox.
Linked Issues check	✅ Passed	The PR addresses issue #599 by preventing OpenClaw from writing credentials to immutable openclaw.json and instead providing tokens via environment variables, aligning with the objective to restore Discord integration without compromising immutability protections.
Out of Scope Changes check	✅ Passed	All changes are directly related to passing bot tokens via environment variables and disabling channel configuration writes, which are in scope for issue #599.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/discord-token-immutable-config

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://NVIDIA.github.io/NemoClaw/pr-preview/pr-601/
Built to branch gh-pages at 2026-03-21 19:31 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[Cervator]

Technically outside this diff, but should we add the Discord preset here as well? I realize there may be a fair bit of churn in that area right now.

(At least I assume there is a preset, based on #585 which might do well with another look with this merged)

[ericksoa]

Good point, thx for flagging

[ericksoa]

Added discord support to the PR as well.

[kjw3]

Reviewed the latest rebase and validated the end-to-end path locally.

What I checked:

• The fix direction is correct for #599: instead of reopening writes to immutable openclaw.json, this passes DISCORD_BOT_TOKEN / SLACK_BOT_TOKEN through env at sandbox creation and VM deploy time.
• The build-time config change is aligned with that model. Setting channels.defaults.configWrites: false avoids channel plugins trying to mutate immutable config at runtime.
• The default sandbox policy now includes the Discord endpoints, and that matches the existing Discord preset shape rather than inventing a new policy variant.

Validation status:

• CI is green.
• E2E validation passed locally.

Net: this preserves the immutability hardening from #588 while restoring the broken Discord integration path. Looks ready.

Let it rip 🤙

[heartsiddharth1]

@ericksoa @kjw3 any chance if the below error be fixed for all so that everthig works please help why i am getting this error

◇ Configure Discord channels access?
│ Yes
│
◇ Discord channels access
│ Open (allow all channels)
│
◇ Selected channels ────────────────────────────────────────────╮
│ │
│ Discord — very well supported right now. Docs: │
│ discord │
│ │
├────────────────────────────────────────────────────────────────╯
Error: EACCES: permission denied, copyfile '/sandbox/.openclaw/openclaw.json.1509.28a46635-f655-4913-862a-39cf98c21765.tmp' -> '/sandbox/.openclaw/openclaw.json'

this is inside the sandbox

[ericksoa]

@heartsiddharth1 This fix is already merged, but it changes how you set up Discord. Instead of configuring it inside the sandbox via openclaw onboard, set the token on the host before creating the sandbox:

export DISCORD_BOT_TOKEN=your-token-here
nemoclaw onboard

The token gets passed into the sandbox as an environment variable and OpenClaw picks it up automatically. Running openclaw onboard inside the sandbox to configure Discord won't work because the config file is intentionally locked down.

To change the token later, you'll need to recreate the sandbox with the new token set. We know that's not ideal — tracking a better workflow for runtime credential updates as a follow-up.