feat: OpenAI-compat /v1 proxy + managed remote MCP server entry

[luckyPipewrench]

Summary

Adds two opt-in features that let AlphaClaw front an OpenClaw deployment for OpenAI-compatible clients and for OpenClaw-managed remote MCP servers, without anyone hand-editing openclaw.json.

Both default off. Existing deployments are unaffected until the relevant env vars are set.

1. OpenAI-compatible /v1/* proxy

Bearer-auth proxy from AlphaClaw's public Express to the loopback OpenClaw gateway:

• POST /v1/chat/completions
• POST /v1/responses
• POST /v1/embeddings
• GET /v1/models, GET /v1/models/<id>

Lets a self-hosted backend use this AlphaClaw deployment as its OpenAI-compatible endpoint without exposing OpenClaw's gateway port directly.

• Requires Authorization: Bearer <OPENCLAW_GATEWAY_TOKEN>. AlphaClaw enforces the header is present; OpenClaw validates the value.
• Setup cookies stripped before forwarding.
• Hop-by-hop response headers and Set-Cookie stripped on the way back out.
• Content-Encoding stripped on forwarded requests because Express has already inflated the body.
• gateway.http.endpoints.chatCompletions.enabled and responses.enabled are set in managed-onboarding writes AND backfilled on every gateway start, so existing managed deployments pick up the flags on image bump.

2. Env-driven managed mcp.servers.<name> entry

When REMOTE_MCP_URL + REMOTE_MCP_API_TOKEN are set, AlphaClaw writes a streamable-http MCP server block to openclaw.json and keeps it in sync at every gateway start.

Env var	Default	Purpose
REMOTE_MCP_URL	unset	Upstream MCP endpoint.
REMOTE_MCP_API_TOKEN	unset	Bearer token. Persisted as ${REMOTE_MCP_API_TOKEN}, not plaintext.
REMOTE_MCP_NAME	remote	Key under mcp.servers.<name>. Validated ^[A-Za-z0-9_-]{1,64}$; __proto__/constructor/prototype rejected.
REMOTE_MCP_PROXY_URL	unset	If set, OpenClaw connects here instead of REMOTE_MCP_URL. For same-host scanning proxies.

• Idempotent: only rewrites when something actually changes.
• Plaintext rewrite: any existing plaintext Authorization value gets re-scrubbed to the ${REMOTE_MCP_API_TOKEN} placeholder on next run.
• Rename cleanup: managed entries are tagged _alphaclawManaged: true. If REMOTE_MCP_NAME changes, the prior managed entry is removed. Unmarked (user-managed) entries are never touched.
• When the env vars are unset, the managed entry is removed.

Security boundary

/v1/chat/completions is an operator-access surface on OpenClaw's side: anyone holding OPENCLAW_GATEWAY_TOKEN can run any tool the agent profile allows. The README's "Security Notes" section is updated to call this out and to recommend the surface be used only for trusted server-to-server callers.

Tests

Test count moves from 619 to 637. New cases cover the /v1/* proxy (bearer-auth gate, body re-serialize, model-list path, Set-Cookie strip, hop-by-hop strip, Content-Encoding strip) and the managed MCP entry (write with placeholder, route via proxy URL, plaintext scrub, name validation + reserved-key rejection, rename cleanup, user-entry preservation, idempotency, remove-on-unset, gateway-start backfill).

npm test clean against Node 22. npm run build:ui unaffected.

Backwards compatibility

Defaults unchanged: /v1/* route only registers when configured, no managed MCP entry without env vars, no schema breaks. Existing tests still pass. The only addition to managed config writes is enabling the chat-completions and responses endpoints (the precondition for #1 to be useful).

[chrysb]

Review notes from the AlphaClaw pass. The focused and full test suites pass locally, but I think the two P1 items should be addressed before merge.

[luckyPipewrench]

Addressed review notes

[chrysb]

Looks good after the explicit API exposure toggle and local verification.