#13737: Docker: harden UID/GID remap and docker-setup flow, convenience update to PATH for tool shims

#### Summary Harden Docker UID/GID remapping and docker-setup so bind-mounted volumes don’t silently keep `node` at UID 1000 (which breaks permissions). Also clarify the utility of having `/home/node/.openclaw/bin` on PATH for tool shims. (e.g. rg if its not on the docker container, but available via a local install and mounted in the container) lobster-biscuit FTW #### Repro Steps 1. Build with `OPENCLAW_UID` set to a UID already used by a different user in the base image. 2. Run with bind-mounted state/workspace. 3. Previously, build succeeded but `node` remained UID 1000, leaving permissions broken. #### Root Cause - UID remap skipped `usermod` when the target UID belonged to a different user, silently leaving `node` at UID 1000. - docker-setup accepted non-numeric IDs without validation. #### Behavior Changes - **Dockerfile** - Accepts `OPENCLAW_UID`/`OPENCLAW_GID` build args. - Prepends `/home/node/.openclaw/bin` so tool shims in the mounted state volume are discoverable. - Hard-fails if `OPENCLAW_UID` collides with a different user. - **docker-setup.sh** - Adds `--build-only` mode. - Validates numeric UID/GID (falls back to defaults if `id -u/-g` fails). - Persists `OPENCLAW_UID/GID` in `.env` and passes them into docker build args. - **Docs** - `docs/install/docker.md` now explains that `/home/node/.openclaw/bin` contains shim scripts that exec tools under `/home/node/.openclaw/tools/...`, with a concrete example. #### Tests Not run (Dockerfile + shell script + docs changes only). #### Manual Testing (omit if N/A) N/A ### Prerequisites - Docker + Docker Compose installed. ### Steps 1. Build with a colliding `OPENCLAW_UID` (expect failure with explicit error). 2. Build with a free UID/GID (expect success and remapped `node` user). <!-- greptile_comment --> <h3>Greptile Summary</h3> Hardens Docker UID/GID remapping to prevent bind-mount permission issues and adds `/home/node/.openclaw/bin` to PATH for tool shims. The PR adds explicit collision detection for `OPENCLAW_UID` and `OPENCLAW_GID` build args, ensuring the `node` user gets remapped correctly instead of silently staying at UID 1000. The `docker-setup.sh` script now validates numeric IDs, persists them to `.env`, and passes them as build args. Major improvements: - `docker-setup.sh` gains `--build-only` mode and robust ID validation with fallback defaults - `Dockerfile` fails fast when UID/GID collides with existing users/groups (preventing silent permission breakage) - PATH includes `/home/node/.openclaw/bin` so agent-installed tool shims are discoverable **Critical issues identified (see inline comments):** - GID collision detection is incomplete - it doesn't fail when `OPENCLAW_GID` matches a pre-existing non-`node` group, silently adding `node` to that group - Groupmod sequencing may fail on some base images when the group is "in use" These issues could grant `node` unintended permissions or cause build failures depending on the base image. <h3>Confidence Score: 2/5</h3> - PR has critical GID collision logic flaws that could grant unintended permissions or cause build failures - The UID collision detection works correctly, but the GID path has two critical flaws already identified in previous review threads: (1) it doesn't fail when GID collides with a different group, instead silently switching `node` into that existing group which could grant unintended permissions, and (2) the groupmod sequencing can fail on some distros when the group is in use. The docker-setup.sh validation is solid, but these Dockerfile issues are blocking. - Dockerfile lines 44-53 (GID remapping logic) require fixes before merge _{Last reviewed commit: 2e796cc} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->