#9999: Docker: fix token mismatch and add dev setup workflow

by benclarkeio open 2026-02-06 00:33
docs docker stale
## Summary

- **Fix gateway token mismatch**: The setup scripts generated a token and passed it via `OPENCLAW_GATEWAY_TOKEN` env-var, but the gateway reads the config file token first and ignores the env-var. Both scripts now reconcile the config file after onboard to ensure the token, bind, and `controlUi.allowInsecureAuth` match.
- **Fix device-pairing chicken-and-egg**: Docker routes requests through the bridge network (`172.x.x.x`), so the gateway doesn't recognise the Control UI as a local client. Sets `controlUi.allowInsecureAuth: true` so token auth alone is sufficient.
- **Add dev setup workflow**: New `docker-setup.dev.sh` + `docker-compose.dev.yml` for building from local source with bind-mounted code.
- **Dockerfile**: Ensure `node` user exists on Docker Desktop for Mac (may ship empty `/etc/passwd`).
- **Docs**: Tokenized dashboard URL, dev mode section, explain why bind must be `lan` in containers.

## Test plan

- [ ] Run `./docker-setup.sh` from scratch (delete `~/.openclaw/openclaw.json` first) — verify the printed dashboard URL connects without errors
- [ ] Run `./docker-setup.dev.sh` — verify same
- [ ] Re-run `./docker-setup.dev.sh` (config already exists) — verify new token is reconciled and dashboard URL works
- [ ] Verify non-Docker setups are unaffected (scripts only touch config when invoked)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Greptile Overview

### Greptile Summary

This PR updates the Docker setup scripts to reconcile `~/.openclaw/openclaw.json` after onboarding so that `gateway.auth.token`, `gateway.bind`, and `gateway.controlUi.allowInsecureAuth` match what the scripts generate/require.

It also adds a dev overlay (`docker-compose.dev.yml`) + `docker-setup.dev.sh` for running the gateway from local source via bind mounts, adjusts the Dockerfile to ensure a `node` user exists on some Docker Desktop for Mac environments, and updates Docker install docs to use a tokenized dashboard URL and document dev mode + `lan` binding.

These changes primarily affect developer ergonomics around the Docker-based gateway/Control UI flow (token auth + binding behavior) and do not change the core gateway runtime except via updated config defaults written by the scripts.

### Confidence Score: 3/5

- Mostly safe to merge, but the Docker setup scripts can fail on hosts without python3 installed.
- Core changes are contained to Docker/dev scripts and docs, and the config reconciliation logic is straightforward. However, both setup scripts now unconditionally invoke `python3` to patch config; if python3 is missing, the setup flow breaks immediately after onboarding, which is a merge-blocking usability regression for Docker users.
- docker-setup.sh, docker-setup.dev.sh
