
#17406: Merge

by ETHNHUNT open 2026-02-15 18:36
scripts size: M
## Summary

Describe the problem and fix in 2–5 bullets:

- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):

## Change Type (select all)

- [x] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [x] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [x] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Closes #
- Related #

## User-visible / Behavior Changes

List user-visible changes (including defaults/config). If none, write `None`.

## Security Impact (required)

- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:

## Repro + Verification

### Environment

- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):

### Steps

1.
2.
3.

### Expected

-

### Actual

-

## Evidence

Attach at least one:

- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)

## Human Verification (required)

What you personally verified (not just CI), and how:

- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:

## Compatibility / Migration

- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:

## Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write `None`.

- Risk:
- Mitigation:

### Greptile Summary

This PR adds a complete devcontainer setup for running `systemd --user` inside GitHub Codespaces, along with a systemd service unit for the OpenClaw gateway and a minor VS Code settings change.

- Adds `.devcontainer/Dockerfile`, `devcontainer.json`, and `start-systemd.sh` to bootstrap user-mode systemd (D-Bus, journald, cgroup delegation) in a privileged Codespaces container
- Adds `scripts/systemd/openclaw-gateway.service` — a systemd user service for running the gateway with security hardening (`NoNewPrivileges`, `ProtectSystem=strict`, `ProtectHome=read-only`)
- Adds `githubPullRequests.ignoredPullRequestBranches: ["main"]` to `.vscode/settings.json`
- **Bug found**: The profile snippet in `start-systemd.sh` uses an unquoted heredoc, causing `$(id -u)` to expand as root (UID 0) at write-time. The resulting profile guard is always false, so `XDG_RUNTIME_DIR` and `DBUS_SESSION_BUS_ADDRESS` will never be set in new user shells
- The PR description template is unfilled — no summary, repro steps, or security impact answers are provided despite the PR touching privileged container config and systemd setup

### Confidence Score: 3/5

- The PR introduces devcontainer infrastructure with a confirmed bug in the profile snippet that will prevent environment variables from being set in new shells.
- Score of 3 reflects that the core systemd bootstrap logic is sound and well-documented, but the profile snippet has a shell expansion bug that breaks new-shell environment setup. The PR also runs in privileged mode (justified but notable) and the PR description template is entirely unfilled, making it harder to assess intent and scope.
- `start-systemd.sh` — the heredoc profile snippet bug on line 214-220 needs to be fixed before merge.

Last reviewed commit: 99aa805
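The write-time expansion that the Greptile summary describes, reproduced as an added example (not code from this PR or from `start-systemd.sh`, which the page does not show). The guard, the function names and the temporary file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The guard below is a constructed stand-in for the profile
# snippet; the real lines in start-systemd.sh are not shown on the page.

# Unquoted delimiter: the shell running this function expands $(id -u) while
# writing the file, so the writer's UID (0 when run as root) is baked in.
write_profile_unquoted() {
  cat > "$1" <<EOF
if [ -d "/run/user/$(id -u)" ]; then
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
  export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"
fi
EOF
}

# Quoted delimiter: the body is written verbatim, so $(id -u) runs later, in
# the login shell of whichever user sources the profile.
write_profile_quoted() {
  cat > "$1" <<'EOF'
if [ -d "/run/user/$(id -u)" ]; then
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
  export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"
fi
EOF
}

# Check for a generated profile: succeeds only if the command substitution
# survived as literal text, i.e. expansion is deferred to login time.
defers_expansion() {
  grep -qF '$(id -u)' "$1"
}

# Demo: write both variants to a scratch directory and report on each.
demo_dir=$(mktemp -d)
write_profile_unquoted "$demo_dir/unquoted.sh"
write_profile_quoted "$demo_dir/quoted.sh"
for variant in unquoted quoted; do
  if defers_expansion "$demo_dir/$variant.sh"; then
    echo "$variant: \$(id -u) evaluated at login"
  else
    echo "$variant: UID fixed at write time"
  fi
done
rm -rf "$demo_dir"
```
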