feat(security): commandsSyncKey is a required channel-config field (Guild C-2)

The slash-command sync secret now comes from
channels.fabric.commandsSyncKey (configSchema marks it required) and
is no longer read from FABRIC_COMMANDS_SYNC_KEY env. command-sync
resolves it from config and threads it into client.syncCommands;
when absent, sync is skipped with a clear warning. README updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/command-sync.ts

@@ -11,6 +11,7 @@ import {
   resolveCommandArgChoices,
 } from 'openclaw/plugin-sdk/native-command-registry';
 import type { FabricClient } from './fabric-client.js';
+import { resolveCommandsSyncKey } from './accounts.js';
 
 type Logger = { info: (m: string) => void; warn: (m: string) => void };
 
@@ -102,6 +103,17 @@ export async function syncFabricCommands(
   accounts: Array<{ agentId: string; fabricApiKey: string }>,
   log: Logger,
 ): Promise<void> {
+  // Guild C-2: the sync key comes from the channel config only (schema
+  // marks it required). Without it the guild rejects the catalog write.
+  const syncKey = resolveCommandsSyncKey(cfg as never);
+  if (!syncKey) {
+    log.warn(
+      'fabric: channels.fabric.commandsSyncKey is not set — skipping ' +
+        'slash-command sync (set it to the guild FABRIC_BACKEND_GUILD_COMMANDS_SYNC_KEY)',
+    );
+    return;
+  }
+
   let specs: FabricCommand[];
   try {
     specs = buildFabricCommandSpecs(cfg);
@@ -126,7 +138,7 @@ export async function syncFabricCommands(
       )?.token;
       if (!tok) continue;
       try {
-        await client.syncCommands(g.endpoint, tok, specs);
+        await client.syncCommands(g.endpoint, tok, specs, syncKey);
         done.add(g.nodeId);
         log.info(`fabric: synced ${specs.length} slash command(s) -> ${g.nodeId}`);
       } catch (err) {