fix(container): MITM-compatible phantom tokens, entrypoint env sourcing, reload retry

- Use SLUICE_PHANTOM:<credname> format for env var injection instead
  of GeneratePhantomToken() random hex. The MITM proxy only recognizes
  the SLUICE_PHANTOM: prefix for byte-level replacement in HTTP
  headers and body. Previously the env phantom and MITM phantom were
  different formats, so credential swap never worked for env-injected
  keys (e.g. GEMINI_API_KEY).

- Add entrypoint wrapper in compose that sources ~/.openclaw/.env
  before starting openclaw so child processes (gemini --acp) inherit
  phantom tokens in their process environment.

- Add ReloadSecrets method to ContainerManager interface. All backends
  (Docker, Apple, Tart) implement it using a WebSocket RPC script that
  sends secrets.reload directly to the gateway. This bypasses the
  openclaw CLI which is slow in container environments.

- Add phase 2 retry loop for secrets reload after env injection.
  The gateway takes longer to start than the container, so the reload
  retries with backoff (5, 10, 20, 30, 60s) after env file is written.

- Add NODE_COMPILE_CACHE and NPM_CONFIG_PREFIX env vars in compose
  for persistent Node.js compile cache and npm global installs.

Author: nnemirovsky

cmd/sluice/main.go

@@ -345,7 +345,10 @@ func main() {
 	// (compose healthcheck ordering ensures sluice starts first).
 	if containerMgr != nil && db != nil {
 		go func() {
+			// Phase 1: write .env file into the agent container.
+			// Retry with backoff because the container may still be starting.
 			backoff := []time.Duration{0, 2 * time.Second, 5 * time.Second, 10 * time.Second, 30 * time.Second}
+			injected := false
 			for i, delay := range backoff {
 				if delay > 0 {
 					time.Sleep(delay)
@@ -358,6 +361,30 @@ func main() {
 					log.Printf("WARNING: startup env injection failed after %d attempts: %v", len(backoff), err)
 				} else {
 					log.Printf("startup env injection succeeded (attempt %d/%d)", i+1, len(backoff))
+					injected = true
+					break
+				}
+			}
+			if !injected {
+				return
+			}
+			// Phase 2: signal the agent to reload secrets.
+			// The gateway takes longer to start than the container itself,
+			// so retry the reload with a longer backoff.
+			reloadBackoff := []time.Duration{5 * time.Second, 10 * time.Second, 20 * time.Second, 30 * time.Second, 60 * time.Second}
+			for i, delay := range reloadBackoff {
+				time.Sleep(delay)
+				ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+				if err := containerMgr.ReloadSecrets(ctx); err != nil {
+					cancel()
+					if i < len(reloadBackoff)-1 {
+						log.Printf("startup secrets reload attempt %d/%d failed: %v (retrying)", i+1, len(reloadBackoff), err)
+						continue
+					}
+					log.Printf("WARNING: startup secrets reload failed after %d attempts: %v", len(reloadBackoff), err)
+				} else {
+					cancel()
+					log.Printf("startup secrets reload succeeded (attempt %d/%d)", i+1, len(reloadBackoff))
 					return
 				}
 			}
@@ -763,9 +790,10 @@ func injectEnvVarsFromStore(db *store.Store, mgr container.ContainerManager) err
 	}
 	envMap := make(map[string]string, len(envBindings))
 	for _, b := range envBindings {
-		// For OAuth credentials, the env_var maps to the access token phantom.
-		// The credential name is used to generate a format-matching phantom.
-		envMap[b.EnvVar] = vault.GeneratePhantomToken(b.Credential)
+		// Use the MITM-compatible phantom format (SLUICE_PHANTOM:<credname>)
+		// so the proxy's byte-level find-and-replace works when the agent
+		// passes the env var value in HTTP headers or request body.
+		envMap[b.EnvVar] = proxy.PhantomToken(b.Credential)
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)

cmd/sluice/main_test.go

@@ -1469,6 +1469,10 @@ func (m *mockContainerMgr) Stop(_ context.Context) error {
 	return nil
 }
 
+func (m *mockContainerMgr) ReloadSecrets(_ context.Context) error {
+	return nil
+}
+
 func (m *mockContainerMgr) Runtime() container.Runtime {
 	return container.RuntimeDocker
 }

compose.yml

@@ -67,12 +67,21 @@ services:
     restart: unless-stopped
     container_name: openclaw
     network_mode: "service:tun2proxy"
+    # Source sluice-injected env vars before starting openclaw so all child
+    # processes (e.g. gemini --acp) inherit phantom tokens in their env.
+    entrypoint: ["/bin/sh", "-c", "[ -f \"$HOME/.openclaw/.env\" ] && set -a && . \"$HOME/.openclaw/.env\" && set +a; exec docker-entrypoint.sh node openclaw.mjs gateway --allow-unconfigured"]
     environment:
       - HOME=/home/node
       - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN:-}
       - SSL_CERT_FILE=/usr/local/share/ca-certificates/sluice/sluice-ca.crt
       - REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/sluice/sluice-ca.crt
       - NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/sluice/sluice-ca.crt
+      # npm user-global directory for persistent CLI tool installs (e.g. gemini-cli).
+      # The openclaw-home volume is mounted at /home/node so these survive restarts.
+      - NPM_CONFIG_PREFIX=/home/node/.npm-global
+      - PATH=/home/node/.npm-global/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+      # Persistent V8 compile cache to speed up Node.js CLI cold starts.
+      - NODE_COMPILE_CACHE=/home/node/.node-compile-cache
     volumes:
       - openclaw-home:/home/node
       - sluice-ca:/usr/local/share/ca-certificates/sluice:ro

internal/api/server_test.go

@@ -2631,6 +2631,10 @@ func (m *mockContainerMgr) Stop(_ context.Context) error {
 	return nil
 }
 
+func (m *mockContainerMgr) ReloadSecrets(_ context.Context) error {
+	return nil
+}
+
 func (m *mockContainerMgr) Runtime() container.Runtime {
 	return container.RuntimeDocker
 }

internal/container/apple.go

@@ -230,13 +230,19 @@ func (m *AppleManager) InjectEnvVars(ctx context.Context, envMap map[string]stri
 		return fmt.Errorf("inject env vars: %w", execErr)
 	}
 
-	if _, reloadErr := m.cli.Exec(ctx, m.containerName, []string{"openclaw", "secrets", "reload"}); reloadErr != nil {
+	if reloadErr := m.ReloadSecrets(ctx); reloadErr != nil {
 		log.Printf("env vars injected but secrets reload failed: %v", reloadErr)
 	}
 
 	return nil
 }
 
+// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
+func (m *AppleManager) ReloadSecrets(ctx context.Context) error {
+	_, err := m.cli.Exec(ctx, m.containerName, []string{"node", "-e", reloadSecretsScript})
+	return err
+}
+
 // RestartWithEnv stops the VM, removes it, and recreates it with updated
 // environment variables merged into the existing config.
 func (m *AppleManager) RestartWithEnv(ctx context.Context, envUpdates map[string]string) error {

internal/container/docker.go

@@ -92,17 +92,19 @@ func (m *DockerManager) InjectEnvVars(ctx context.Context, envMap map[string]str
 	}
 
 	// Signal the agent to reload secrets from the updated env file.
-	// The openclaw CLI hangs in container environments (confirmed bug in
-	// 2026.4.5), so we send the secrets.reload RPC directly via WebSocket
-	// using node which is available in the openclaw container.
-	if reloadErr := m.client.ExecInContainer(ctx, m.containerName,
-		[]string{"node", "-e", reloadSecretsScript}); reloadErr != nil {
+	if reloadErr := m.ReloadSecrets(ctx); reloadErr != nil {
 		log.Printf("env vars injected but secrets reload failed: %v", reloadErr)
 	}
 
 	return nil
 }
 
+// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
+func (m *DockerManager) ReloadSecrets(ctx context.Context) error {
+	return m.client.ExecInContainer(ctx, m.containerName,
+		[]string{"node", "-e", reloadSecretsScript})
+}
+
 // reloadSecretsScript is a Node.js one-liner that sends a secrets.reload
 // RPC to the openclaw gateway via WebSocket. It reads the gateway config
 // from disk to discover the port and auth token. This bypasses the openclaw

internal/container/tart.go

@@ -270,13 +270,19 @@ func (m *TartManager) InjectEnvVars(ctx context.Context, envMap map[string]strin
 		return fmt.Errorf("inject env vars: %w", execErr)
 	}
 
-	if _, reloadErr := m.cli.Exec(ctx, m.vmName, []string{"openclaw", "secrets", "reload"}); reloadErr != nil {
+	if reloadErr := m.ReloadSecrets(ctx); reloadErr != nil {
 		log.Printf("env vars injected but secrets reload failed: %v", reloadErr)
 	}
 
 	return nil
 }
 
+// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
+func (m *TartManager) ReloadSecrets(ctx context.Context) error {
+	_, err := m.cli.Exec(ctx, m.vmName, []string{"node", "-e", reloadSecretsScript})
+	return err
+}
+
 // RestartWithEnv stops the VM and re-runs it in the background. Unlike Apple
 // Container, tart VMs persist state across stop/run cycles so we do NOT
 // delete+clone (which takes minutes for macOS images). Environment variables

internal/container/types.go

@@ -68,6 +68,9 @@ type ContainerManager interface { //nolint:revive // stuttering accepted for cla
 	// the cert is still available via env vars (SSL_CERT_FILE, etc.).
 	InjectCACert(ctx context.Context, hostCertPath, certDir string) error
 
+	// ReloadSecrets signals the agent to re-read secrets from the env file.
+	ReloadSecrets(ctx context.Context) error
+
 	// Status returns container health information.
 	Status(ctx context.Context) (ContainerStatus, error)
 

internal/telegram/approval_test.go

@@ -1743,6 +1743,10 @@ func (m *mockContainerMgr) InjectCACert(_ context.Context, _, _ string) error {
 	return nil
 }
 
+func (m *mockContainerMgr) ReloadSecrets(_ context.Context) error {
+	return nil
+}
+
 func (m *mockContainerMgr) Runtime() container.Runtime {
 	return container.RuntimeDocker
 }