#6638: fix: make Dockerfile work on container platforms (Render, Railway, etc.)

## Summary This PR fixes several issues that prevent the Dockerfile from working on container platforms like Render, Railway, Fly.io, etc. ### Changes 1. **Add `gateway` subcommand to CMD** - The current CMD runs `node dist/index.js` without a subcommand 2. **Add `--allow-unconfigured` flag** - Gateway refuses to start without config on first run 3. **Add `--bind lan`** - Binds to `0.0.0.0` instead of localhost (required for platform health checks) 4. **Use `${PORT:-10000}`** - Respects platform's PORT environment variable 5. **Add entrypoint script** - Enables runtime configuration from environment variables 6. **Support `OPENAI_API_KEY` env var** - Easy LLM setup without mounting config files ### Problem The current Dockerfile doesn't work on container platforms because: - CMD is missing the `gateway` subcommand - Gateway refuses to start without a config file - Gateway binds to localhost only, so platform health checks fail and containers get killed ### Testing Successfully deployed and tested on Render with this Dockerfile. The gateway starts correctly, health checks pass, and OpenAI chat works via the Control UI. ### Environment Variables Users can configure the gateway with these env vars: - `OPENAI_API_KEY` - OpenAI API key for LLM - `OPENCLAW_STATE_DIR` - State directory (default: `$HOME/.openclaw`) - `OPENCLAW_RESET_CONFIG` - Set to `true` to reset config on restart - `PORT` - HTTP port (default: 10000) <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR updates the container startup flow so the built `dist/index.js` is invoked with the `gateway` subcommand and flags needed for common PaaS/container platforms (bind to LAN, allow unconfigured startup, and use the platform `PORT` env var). It also adds a generated entrypoint script that creates a minimal `~/.openclaw/openclaw.json` on first run and optionally includes OpenAI configuration from `OPENAI_API_KEY`, aiming to remove the need to mount config files on first boot. Overall this fits into existing gateway CLI behavior (`openclaw gateway run` / `node dist/index.js gateway …`) but there are a couple of container-specific gotchas around shell/runtime user home paths, secrets handling, and gateway auth requirements when binding beyond loopback. <h3>Confidence Score: 2/5</h3> - This PR is not safe to merge as-is because the default command path likely fails gateway auth when binding to LAN without a token/password configured. - The Dockerfile changes are straightforward, but the entrypoint’s default `--bind lan` combined with `auth.mode=token` and no token value will cause the gateway CLI to exit. There are also portability and security concerns (bash dependency and persisting API keys in a plaintext config file). - Dockerfile <!-- greptile_other_comments_section --> <!-- /greptile_comment -->