
feat: SSH agent auth for compute nodes + fix config path #180

Open
liuyixin-louis wants to merge 2 commits into OpenLAIR:main from liuyixin-louis:feat/compute-ssh-agent-auth


@liuyixin-louis
Collaborator

Summary

  • Add SSH Agent as a third authentication method for compute nodes (alongside SSH Key and Password), supporting 1Password, ssh-agent, and other key agents
  • Fix execSsh()/execRsync() to fall back to SSH agent instead of throwing "No authentication method configured" when no explicit key or password is set
  • Move config directory from ~/.openclaw to ~/.dr-claw for consistency with the rest of the app
  • Update NodeForm UI with SSH Agent button and explanatory hint text

Test plan

  • Add a compute node with "SSH Agent" auth — verify no error on Test Connection
  • Existing nodes with SSH Key or Password auth still work
  • New nodes default to "SSH Agent" in the form
  • ~/.dr-claw/compute-node.json used instead of ~/.openclaw/
  • Community tools config also writes to ~/.dr-claw/

- Add "SSH Agent" as a third authentication option alongside SSH Key and
  Password, supporting 1Password, ssh-agent, and other key agents
- Fall back to SSH agent in execSsh/execRsync instead of throwing an error
  when no explicit key or password is configured
- Move config directory from ~/.openclaw to ~/.dr-claw for consistency
  with the rest of the app's config paths
- Update NodeForm UI with SSH Agent button and explanatory text
- Fix configured check to not require explicit key/password

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Zhang-Henry
Collaborator

Review notes

Tested CI is clean and the logic changes (SSH agent fallback in execSsh/execRsync, new auth-type UI) look correct. One concern before merging:

Missing migration: ~/.openclaw → ~/.dr-claw

Context: on main the rest of the server already writes to ~/.dr-claw (load-env.js, openrouter.js, local-gpu.js, projects.js, references.js, nanoSessionPaths.js, …). Only server/compute-node.js and server/routes/community-tools.js were still writing to ~/.openclaw, so this PR is fixing a real inconsistency — good.

However, there is no one-time migration. Existing users who already configured compute nodes or community-tools API keys with an older build have their data in ~/.openclaw/compute-node.json and ~/.openclaw/community-tools.json. After this PR lands, those files are silently ignored and they’ll see "no nodes configured" / API keys missing.

Suggested fix (either):

  • On server startup, if ~/.dr-claw/compute-node.json / ~/.dr-claw/community-tools.json don’t exist but the ~/.openclaw/* counterpart does, copy or rename them (one-shot).
  • Or call this out explicitly in release notes.

Minor

  • GET /config now returns authType: 'agent' when a node has neither keyPath nor password. That changes the reported type for historical incomplete records — intentional, just worth noting.
  • configured now only requires host + user (no credentials). Reasonable since agent is always an implicit fallback.

The execSsh/execRsync branch rewrites are logically equivalent for the existing key/password cases, confirmed by walking through each (keyPath?, password?) combination.

On first load, if ~/.dr-claw/compute-node.json doesn't exist but
~/.openclaw/compute-node.json does, copy it over. Same for
community-tools.json. Addresses review feedback on PR OpenLAIR#180.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@liuyixin-louis
Collaborator Author

Thanks for the review! Addressed the migration concern in 87a2f7b:

Migration logic added:

  • compute-node.js: loadRawConfig() now checks for ~/.openclaw/compute-node.json when ~/.dr-claw/compute-node.json doesn't exist — copies it over on first load (one-shot).
  • community-tools.js: Same pattern — migrates ~/.openclaw/community-tools.json to ~/.dr-claw/ on first read if the new path is missing.

Both log when migration happens. Tested three scenarios: legacy-only → migrates, new-path-exists → no-op, neither-exists → empty default.

Re: the minor notes — yes, authType: 'agent' for historical records without credentials and configured only requiring host+user are both intentional.
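
The one-shot migration discussed in this thread, sketched as an added example; it is not the code from the PR or from the project. The directory names come from the thread, while the function name, the injectable `home` parameter, the return labels, the symlink check and the 0600/0700 permissions are assumptions made for illustration.

```javascript
// Added example (not the PR's code): one-shot migration of a legacy config file.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// `home` is injectable (assumption) so the three scenarios can be exercised
// against a temporary directory instead of the real home directory.
function migrateLegacyConfig(fileName, home = os.homedir()) {
  const legacy = path.join(home, ".openclaw", fileName);
  const current = path.join(home, ".dr-claw", fileName);

  // New path already exists: never overwrite it with older data.
  if (fs.existsSync(current)) return "present";

  // lstat, not stat: do not follow a symlink sitting at the legacy path.
  let st;
  try {
    st = fs.lstatSync(legacy);
  } catch (e) {
    if (e.code === "ENOENT") return "absent"; // caller falls back to empty default
    throw e;
  }
  if (!st.isFile()) return "skipped";

  fs.mkdirSync(path.dirname(current), { recursive: true, mode: 0o700 });
  try {
    // COPYFILE_EXCL: fail instead of overwriting if another process
    // created the destination between the check above and the copy.
    fs.copyFileSync(legacy, current, fs.constants.COPYFILE_EXCL);
  } catch (e) {
    if (e.code === "EEXIST") return "present";
    throw e;
  }
  // These files can hold node passwords and API keys: owner read/write only,
  // whatever mode the legacy file had.
  fs.chmodSync(current, 0o600);
  console.log(`migrated ${legacy} -> ${current}`);
  return "migrated";
}
```

The legacy file is copied rather than renamed, so an older build that still reads `~/.openclaw` keeps working; once no older build is in use, the legacy copy is a second place where credentials sit on disk.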
