
#19538: security: migrate sensitive Docker env vars to Docker secrets

by Mozzzaic, open, 2026-02-17 22:59
labels: docker, size: S
## Summary

- Use Docker secrets for sensitive credentials (session keys, tokens, cookies)
- Add `docker-entrypoint.sh` that reads from `/run/secrets/` and exports as env vars
- Update `docker-compose.yml` with secrets section pointing to local files
- Update `Dockerfile` with entrypoint
- Backward compatible: direct env vars still override Docker secrets

## Security Impact

Prevents credential exposure in `docker-compose.yml`, `docker inspect` output, and `/proc/<pid>/environ`.

## Migration

1. Create a `./secrets/` directory (chmod 700)
2. Write each credential to its own file: `echo "your-token" > ./secrets/openclaw_gateway_token`
3. Set file permissions: `chmod 600 ./secrets/*`
4. Optionally set `OPENCLAW_SECRETS_DIR` to customize the secrets directory

## Test plan

- [ ] Test Docker secrets flow with sample secrets files
- [ ] Verify backward compatibility with direct env vars
- [ ] Test container startup with both approaches

### Greptile Summary

This PR migrates sensitive Docker environment variables to Docker secrets, improving security by preventing credential exposure in `docker inspect` output and process environments. The implementation adds a shell entrypoint that loads secrets from `/run/secrets/` and falls back to environment variables for backward compatibility.

**Key changes:**

- Added `docker-entrypoint.sh` to load 8 secrets into env vars with fallback logic
- Updated `docker-compose.yml` to use Docker secrets (but only defines 4 of the 8 secrets the entrypoint expects)
- Modified `Dockerfile` to set the entrypoint

**Issues found:**

- **Critical mismatch**: entrypoint loads 8 secrets but compose only defines 4 (`openclaw_gateway_password`, `openai_api_key`, `anthropic_api_key`, `gemini_api_key` are missing)
- **Security gap**: `secrets/` directory not in `.gitignore`; users following migration instructions could accidentally commit credentials
- **Shell compatibility**: script uses `local` keyword (bash-specific) but has `#!/bin/sh` shebang
- **Code injection risk**: `eval` usage in the entrypoint could be replaced with safer `printenv`

### Confidence Score: 2/5

- This PR has critical issues that will cause runtime failures and potential security gaps
- The mismatch between secrets defined in docker-compose.yml (4 secrets) and secrets loaded in the entrypoint (8 secrets) will cause container startup failures. The missing .gitignore entry creates a risk of accidental credential exposure. The eval usage and shell compatibility issues need fixing before merge.
- All three files need attention: docker-compose.yml needs 4 additional secret definitions, .gitignore needs the secrets/ directory pattern, and docker-entrypoint.sh needs safer variable checking and correct shebang

Last reviewed commit: 3a446be
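The PR description and the review above describe the entrypoint's contract (read files from `/run/secrets/` or `OPENCLAW_SECRETS_DIR`, export each as an env var, let a variable already in the environment win) and the review lists what a `#!/bin/sh` implementation must avoid (`local`, `eval`). The script below is an added example written for this page, not the PR's `docker-entrypoint.sh`. It assumes each secret file is named after its variable in lower case (inferred from the `openclaw_gateway_token` example in the migration steps), and it loads only the five variable names that appear on this page; the PR loads eight, and the other three names are not shown here.

```shell
#!/bin/sh
# Added example entrypoint (not the PR's docker-entrypoint.sh).
# POSIX sh only: no `local`, no `eval`. Direct env vars override secret files.
set -eu

# Directory Docker mounts secrets into; OPENCLAW_SECRETS_DIR overrides it.
: "${OPENCLAW_SECRETS_DIR:=/run/secrets}"

# Variables to load. Assumption for this example: the PR loads eight, but only
# these five names appear on the PR page.
SECRET_VARS="OPENCLAW_GATEWAY_TOKEN OPENCLAW_GATEWAY_PASSWORD OPENAI_API_KEY ANTHROPIC_API_KEY GEMINI_API_KEY"

# load_secret VAR
#   Reads "$OPENCLAW_SECRETS_DIR/<VAR lower-cased>" into VAR unless VAR is already
#   set and non-empty in the environment. A missing or empty file leaves VAR unset.
#   Returns 1 only for an invalid variable name.
load_secret() {
    var="$1"
    # Reject anything that is not a plain identifier before it reaches `export`,
    # so a bad name can never be read as a command, an option or an assignment.
    case "$var" in
        *[!A-Z0-9_]*|[0-9]*|'')
            echo "load_secret: invalid variable name '$var'" >&2
            return 1 ;;
    esac
    # Backward compatibility: a value already in the environment wins.
    # printenv reports the current value without eval.
    if [ -n "$(printenv "$var" 2>/dev/null || true)" ]; then
        return 0
    fi
    file="$OPENCLAW_SECRETS_DIR/$(printf '%s' "$var" | tr 'A-Z' 'a-z')"
    if [ ! -f "$file" ]; then
        return 0                      # secret not provided; leave VAR unset
    fi
    if [ ! -r "$file" ]; then
        echo "warning: $file is not readable; skipping $var" >&2
        return 0
    fi
    # Command substitution strips the trailing newline that `echo "tok" > file` adds.
    value=$(cat "$file")
    if [ -z "$value" ]; then
        echo "warning: $file is empty; skipping $var" >&2
        return 0
    fi
    # `export NAME=VALUE` as one word: no eval, and VALUE is never word-split.
    export "$var=$value"
    return 0
}

# Load every variable in SECRET_VARS.
load_all_secrets() {
    for v in $SECRET_VARS; do
        load_secret "$v"
    done
}

# When run as the container entrypoint (ENTRYPOINT + CMD give us arguments):
# load the secrets, then replace this shell with the real command so that it
# inherits the populated environment.
if [ "$#" -gt 0 ]; then
    load_all_secrets
    exec "$@"
fi
```

Two caveats for anyone adopting this pattern. First, the values are exported before `exec`, so the application's own `/proc/<pid>/environ` still contains them; what the file-based approach removes is the copy in `docker-compose.yml` and in `docker inspect` output. Second, a missing file is treated as "not provided" here rather than as a fatal error, which is what makes a compose file that defines only some of the secrets start cleanly; if a particular secret is mandatory, check it explicitly after `load_all_secrets` rather than letting the loader fail on every absent file.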
