feat(security): commandsSyncKey is a required channel-config field (Guild C-2)

The slash-command sync secret now comes from
channels.fabric.commandsSyncKey (configSchema marks it required) and
is no longer read from FABRIC_COMMANDS_SYNC_KEY env. command-sync
resolves it from config and threads it into client.syncCommands;
when absent, sync is skipped with a clear warning. README updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dist/fabric/src/fabric-client.js

@@ -75,12 +75,11 @@ export class FabricClient {
     // Register the OpenClaw slash-command catalog with this guild (idempotent
     // full replace). The frontend GETs it for `/` autocomplete; execution
     // still flows as a normal /<cmd> message into OpenClaw's command system.
-    syncCommands(guildEndpoint, guildToken, commands) {
-        // Guild C-2: when the operator sets a shared sync key on both sides
-        // (FABRIC_COMMANDS_SYNC_KEY here / FABRIC_BACKEND_GUILD_COMMANDS_SYNC_KEY
-        // on the guild), the catalog write is restricted to this plugin.
-        const key = process.env.FABRIC_COMMANDS_SYNC_KEY;
-        return this.req('PUT', `${guildEndpoint}/api/commands`, guildToken, { commands }, key ? { 'x-commands-sync-key': key } : undefined);
+    syncCommands(guildEndpoint, guildToken, commands, syncKey) {
+        // Guild C-2: the shared key is sourced from the channel config
+        // (channels.fabric.commandsSyncKey) and must equal the guild's
+        // FABRIC_BACKEND_GUILD_COMMANDS_SYNC_KEY for the catalog write.
+        return this.req('PUT', `${guildEndpoint}/api/commands`, guildToken, { commands }, syncKey ? { 'x-commands-sync-key': syncKey } : undefined);
     }
     // [{ userId, bypass }] — bypass is true only for discuss/work bypass-list
     channelMembers(guildEndpoint, guildToken, channelId) {