Fix OpenClaw template: secrets, auto-detect origin, all AI providers #441

Open. GeoSegun wants to merge 7 commits into main from fix/openclaw-gateway-token
GeoSegun commented May 27, 2026

Changes

1. Fixed missing OPENCLAW_GATEWAY_TOKEN

The token was missing from the deployment's environment variables and was incorrectly configured as a secret attachment with no secret_name. The deployment on the platform has been corrected. The recipe now defines it as a proper secret slot.

2. Updated recipe to new schema format (saturn.json)

  • Schema version bumped to 2024.04.01
  • File structure updated to { type, spec } format matching the Saturn Cloud API
  • Image updated from full ECR URI to saturncloud/saturn-python:2025.05.01
  • Sensitive vars (OPENCLAW_GATEWAY_TOKEN, API keys) moved from environment_variables to secrets[]
  • Git repository updated with public: true, reference, reference_type, on_restart fields
  • Added start_dind, token_scope, routes: [], viewers: []

3. Auto-detect OPENCLAW_PUBLIC_ORIGIN (bootstrap-openclaw.sh)

Previously, users had to manually copy their deployment URL into OPENCLAW_PUBLIC_ORIGIN before starting. If they forgot, OpenClaw rejected all Control UI connections with an origin error that gave no useful hint about the cause.

Investigation: We first checked what environment variables Saturn Cloud injects into containers. Workspaces get SATURN_JUPYTER_BASE_DOMAIN (a Jupyter-specific variable), but deployments do not. Deployments get SATURN_TOKEN (a JWT) and SATURN_BASE_URL instead.

Solution: The bootstrap script now auto-detects the public origin at startup by:

  1. Decoding the SATURN_TOKEN JWT payload to extract the deployment ID from the resource claim
  2. Calling the Saturn API (https://app.community.saturnenterprise.io/api/deployments/) to retrieve the deployment's public URL
  3. Using that URL as gateway.controlUi.allowedOrigins

[openclaw] auto-detecting public origin via Saturn API...
[openclaw] auto-detected public origin: https://pd-xxx.community.saturnenterprise.io

If OPENCLAW_PUBLIC_ORIGIN is explicitly set to a real URL, that takes precedence (custom domain support). OPENCLAW_PUBLIC_ORIGIN in the recipe is now blank — users never need to touch it.

Tested by deleting the deployment entirely, creating a fresh one from the recipe with OPENCLAW_PUBLIC_ORIGIN blank, and starting it — auto-detection worked correctly on first boot.

4. All AI providers exposed in the recipe

The template previously only showed ANTHROPIC_API_KEY as a secret slot. OpenClaw supports 5 providers but users had no way to discover that from the template UI.

Added secret slots for all supported providers, each with a clear description:

  • ANTHROPIC_API_KEY
  • OPENAI_API_KEY
  • GEMINI_API_KEY
  • MISTRAL_API_KEY
  • OPENROUTER_API_KEY

Only one needs to be linked — the bootstrap script auto-detects which key is set.

5. Updated template registry (title + weight)

  • Title: OpenClaw (Deployment) → OpenClaw Beta
  • Weight: 195010 (moves to top of template list)

6. Rewrote README with full user journey

Complete rewrite covering the entire user experience from template discovery to using OpenClaw:

  • What You'll End Up With — sets expectations upfront (working gateway in under 10 min)
  • Step 1 — what the user sees when creating from template, what's pre-filled
  • Step 2 — creating secrets: openssl rand -hex 32 for the gateway token, all 5 provider options with their default models
  • Step 3 — linking secrets to the deployment: which slots to fill, which to leave empty
  • Step 4 — optional configuration: model override, env vars for Telegram/WhatsApp
  • Step 5 — starting the deployment: what to expect, actual log output they'll see, what an error means
  • Step 6 — opening the Control UI: how to find the URL, how to authenticate
  • Step 7 — using OpenClaw: what they can do inside the Control UI
  • Enabling Telegram — full setup including BotFather and userinfobot
  • Enabling WhatsApp — full setup including QR code scanning
  • How It Works — bootstrap script flow as a table for technical users
  • Troubleshooting — the 4 most likely failure modes with clear fixes

Testing

Tested end-to-end on a fresh deployment (deleted and re-created from the recipe):

  • OPENCLAW_PUBLIC_ORIGIN left blank — Saturn API auto-detection picked up the correct URL on first boot
  • Control UI loaded and accepted the gateway token
  • Anthropic model responded correctly
  • No manual configuration required beyond creating and linking two secrets
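
An added example (not code from this pull request or from bootstrap-openclaw.sh) of the origin auto-detection described in change 3, written in Python: it reads the claim from the unverified JWT payload, constrains it before it is used in an API path, and reduces the resulting URL to an exact https origin for the allow-list. The claim's format, the ID pattern, the fall-back on a malformed explicit value and all function names are assumptions; the API call itself is left out and its result is passed in as a string.

```python
import base64
import json
import re
from urllib.parse import urlsplit

ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed shape of a deployment ID


def jwt_claim(token: str, claim: str) -> str:
    """Read a claim from the JWT payload; the signature is NOT verified here.
    The server validates the token when it is presented to the API."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(seg))
    value = payload.get(claim) if isinstance(payload, dict) else None
    # Constrain the value before it is interpolated into an API path.
    if not isinstance(value, str) or not ID_RE.fullmatch(value):
        raise ValueError(f"claim {claim!r} missing or not a plain identifier")
    return value


def to_origin(url: str) -> str:
    """Reduce a URL to an exact https origin; reject wildcards and userinfo."""
    u = urlsplit(url.strip())
    if u.scheme != "https" or not u.hostname or u.username or "*" in u.netloc:
        raise ValueError(f"not a usable https origin: {url!r}")
    port = f":{u.port}" if u.port and u.port != 443 else ""
    return f"https://{u.hostname}{port}"


def pick_origin(explicit: str, detected_url: str) -> str:
    """A valid explicit OPENCLAW_PUBLIC_ORIGIN wins; else the API-reported URL."""
    try:
        return to_origin(explicit)
    except ValueError:  # blank or placeholder value: fall back (assumed behaviour)
        return to_origin(detected_url)


def b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: unsigned token with a placeholder ID in the "resource" claim.
SAMPLE_TOKEN = ".".join([b64url_json({"alg": "none"}), b64url_json({"resource": "dep-0123abcd"}), ""])
DETECTED_URL = "https://pd-xxx.community.saturnenterprise.io/"  # host as in the PR's log line
```

Storing the origin as scheme, host and port only keeps the allow-list entry comparable to the browser's Origin header, which never carries a path.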
