
#14061: fix(gateway): Docker CLI container gateway connectivity and auth

by gokusenz open 2026-02-11 11:45
channel: discord gateway cli scripts docker agents stale
## Summary

- **Docker DNS resolution**: Replace hardcoded `127.0.0.1` gateway host with `OPENCLAW_GATEWAY_HOST` env var across all connection points (TUI, call, client, agents, daemon CLI, discord, node host). Set `OPENCLAW_GATEWAY_HOST=openclaw-gateway` in `docker-compose.yml` so the CLI container resolves the gateway via Docker DNS.
- **Docker gateway IP verification**: Detect Docker environments via `/.dockerenv` and parse `/proc/net/route` to identify the container's default gateway IP. Only treat connections as local when the client IP matches the actual Docker bridge gateway, preventing Host header spoofing by other containers.
- **Device pairing auto-approval**: Auto-approve device pairing when the client authenticates with a valid shared secret (token/password), not just for loopback clients. This lets Docker CLI containers with `OPENCLAW_GATEWAY_TOKEN` connect without manual pairing.
- **Entry point fix**: Update `docker-compose.yml` and helper scripts to use `openclaw.mjs` instead of `dist/index.js`.

## Test plan

- [x] `docker compose run --rm openclaw-cli tui` connects and shows "device pairing auto-approved" in gateway logs
- [x] Gateway correctly rejects container-to-container spoofing (non-gateway IP + Host: localhost)
- [x] Unit tests pass for `isDockerEnvironment`, `readDockerGatewayIp`, and `isLocalDirectRequest` Docker paths
- [x] Non-Docker loopback connections still work as before

🤖 Generated with [Claude Code](https://claude.com/claude-code)
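The gateway-IP check described in the summary, sketched as an added example that is not the PR's or the project's code: it parses a `/proc/net/route` table for the default gateway and decides locality from the socket peer address alone, so a `Host: localhost` header from a sibling container has no effect. The function names, the constructed sample route table, and the little-endian host assumption are all hypothetical.

```javascript
"use strict";
// Added illustration; function names are hypothetical, not the PR's code.
const RTF_UP = 0x1, RTF_GATEWAY = 0x2; // route flags from <linux/route.h>

// Constructed sample of /proc/net/route inside a container on a Docker bridge.
const SAMPLE_ROUTE = [
  "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT",
  "eth0\t00000000\t010011AC\t0003\t0\t0\t0\t00000000\t0\t0\t0",
  "eth0\t000011AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0",
].join("\n");

// Decode an 8-hex-digit address field. The kernel prints the raw 32-bit
// value, so on a little-endian host (assumed) the bytes appear reversed.
function hexToIPv4(hex) {
  if (!/^[0-9A-Fa-f]{8}$/.test(hex)) return null;
  return hex.match(/../g).map((b) => parseInt(b, 16)).reverse().join(".");
}

// Return the default-route gateway from /proc/net/route text, or null.
function parseDefaultGateway(routeText) {
  for (const line of routeText.split("\n").slice(1)) { // skip header row
    const f = line.trim().split(/\s+/);
    if (f.length < 8) continue; // blank or truncated row
    const [, dest, gw, flagsHex, , , , mask] = f;
    const flags = parseInt(flagsHex, 16);
    // Default route: 0.0.0.0/0, up, and routed via a gateway.
    if (dest !== "00000000" || mask !== "00000000") continue;
    if (!(flags & RTF_UP) || !(flags & RTF_GATEWAY)) continue;
    return hexToIPv4(gw);
  }
  return null;
}

// Strip the IPv4-mapped IPv6 prefix Node reports on dual-stack sockets.
function normalizeAddr(addr) {
  return addr.startsWith("::ffff:") ? addr.slice(7) : addr;
}

// Locality comes from the socket peer address only; request headers such as
// Host are client-controlled and are deliberately not an input here.
function isLocalClient(remoteAddress, dockerGatewayIp) {
  const ip = normalizeAddr(remoteAddress || "");
  if (ip === "::1" || /^127\.\d+\.\d+\.\d+$/.test(ip)) return true;
  return dockerGatewayIp !== null && ip === dockerGatewayIp;
}
```

A failed parse returns `null`, and `isLocalClient` then accepts only true loopback peers, so an unreadable route table fails closed.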
