feat(kiloclaw): bump openclaw to version 2026.3.1

[kilo-code-bot]

Summary

Bumps openclaw from 2026.2.26 to 2026.3.1 in kiloclaw/Dockerfile.

⚠️ Potential Deployment Issues

The following changes in this release may require attention for our deployment:

1. Agents/Thinking defaults — Sets adaptive as the default thinking level for Anthropic Claude 4.6 models (including Bedrock Claude 4.6 refs). If we use Claude 4.6 models, this may change agent behavior and potentially increase token costs.

2. OpenAI/Streaming transport — Makes openai Responses WebSocket-first by default (transport: "auto" with SSE fallback). If our environment has WebSocket connectivity restrictions or if any tooling relied on SSE being the default, this could cause issues.

3. ACP/ACPX streaming — Pins ACPX plugin support to 0.1.15. If we use ACPX plugins, they may need to be updated to match this pinned version.

4. Docker/Image permissions — Normalizes /app/extensions, /app/.agent, and /app/.agents to directory mode 755 and file mode 644 during image build. If our deployment relies on specific permissions for plugin discovery in those paths, this could affect behavior.

5. Sandbox/Browser Docker — Passes OPENCLAW_BROWSER_NO_SANDBOX=1 to sandbox browser containers and bumps the sandbox browser security hash epoch. Existing sandbox browser containers will be recreated on upgrade — expect a brief disruption to browser-based tool usage on first deploy.

6. Gateway/WS — Closes repeated post-handshake unauthorized role:* request floods per connection. If any of our connected clients were previously sending repeated unauthorized requests that were tolerated, they will now be disconnected.

---

Release Notes

openclaw v2026.3.1 full release notes

Changes

• Agents/Thinking defaults: set adaptive as the default thinking level for Anthropic Claude 4.6 models (including Bedrock Claude 4.6 refs) while keeping other reasoning-capable models at low unless explicitly configured.
• Gateway/Container probes: add built-in HTTP liveness/readiness endpoints (/health, /healthz, /ready, /readyz) for Docker/Kubernetes health checks, with fallback routing so existing handlers on those paths are not shadowed. (#31272) Thanks @vincentkoc.
• Android/Nodes: add camera.list, device.permissions, device.health, and notifications.actions (open/dismiss/reply) on Android nodes, plus first-class node-tool actions for the new device/notification commands. (#28260) Thanks @obviyus.
• Discord/Thread bindings: replace fixed TTL lifecycle with inactivity (idleHours, default 24h) plus optional hard maxAgeHours lifecycle controls, and add /session idle + /session max-age commands for focused thread-bound sessions. (#27845) Thanks @osolmaz.
• Telegram/DM topics: add per-DM direct + topic config (allowlists, dmPolicy, skills, systemPrompt, requireTopic), route DM topics as distinct inbound/outbound sessions, and enforce topic-aware authorization/debounce for messages, callbacks, commands, and reactions. Landed from contributor PR #30579 by @kesor. Thanks @kesor.
• Web UI/Cron i18n: localize cron page labels, filters, form help text, and validation/error messaging in English and zh-CN. (#29315) Thanks @BUGKillerKing.
• OpenAI/Streaming transport: make openai Responses WebSocket-first by default (transport: "auto" with SSE fallback), add shared OpenAI WS stream/connection runtime wiring with per-session cleanup, and preserve server-side compaction payload mutation (store + context_management) on the WS path.
• Android/Gateway capability refresh: add live Android capability integration coverage and node canvas capability refresh wiring, plus runtime hardening for A2UI readiness retries, scoped canvas URL normalization, debug diagnostics JSON, and JavaScript MIME delivery. (#28388) Thanks @obviyus.
• Android/Nodes parity: add system.notify, photos.latest, contacts.search/contacts.add, calendar.events/calendar.add, and motion.activity/motion.pedometer, with motion sensor-aware command gating and improved activity sampling reliability. (#29398) Thanks @obviyus.
• CLI/Config: add openclaw config file to print the active config file path resolved from OPENCLAW_CONFIG_PATH or the default location. (#26256) thanks @cyb1278588254.
• Feishu/Docx tables + uploads: add feishu_doc actions for Docx table creation/cell writing (create_table, write_table_cells, create_table_with_values) and image/file uploads (upload_image, upload_file) with stricter create/upload error handling for missing document_id and placeholder cleanup failures. (#20304) Thanks @xuhao1.
• Feishu/Reactions: add inbound im.message.reaction.created_v1 handling, route verified reactions through synthetic inbound turns, and harden verification with timeout + fail-closed filtering so non-bot or unverified reactions are dropped. (#16716) Thanks @schumilin.
• Feishu/Chat tooling: add feishu_chat tool actions for chat info and member queries, with configurable enablement under channels.feishu.tools.chat. (#14674) Thanks @liuweifly.
• Feishu/Doc permissions: support optional owner permission grant fields on feishu_doc create and report permission metadata only when the grant call succeeds, with regression coverage for success/failure/omitted-owner paths. (#28295) Thanks @zhoulongchao77.
• Web UI/i18n: add German (de) locale support and auto-render language options from supported locale constants in Overview settings. (#28495) thanks @dsantoreis.
• Tools/Diffs: add a new optional diffs plugin tool for read-only diff rendering from before/after text or unified patches, with gateway viewer URLs for canvas and PNG image output. Thanks @gumadeiras.
• Memory/LanceDB: support custom OpenAI baseUrl and embedding dimensions for LanceDB memory. (#17874) Thanks @rish2jain and @vincentkoc.
• ACP/ACPX streaming: pin ACPX plugin support to 0.1.15, add configurable ACPX command/version probing, and streamline ACP stream delivery (final_only default + reduced tool-event noise) with matching runtime and test updates. (#30036) Thanks @osolmaz.
• Shell env markers: set OPENCLAW_SHELL across shell-like runtimes (exec, acp, acp-client, tui-local) so shell startup/config rules can target OpenClaw contexts consistently, and document the markers in env/exec/acp/TUI docs. Thanks @vincentkoc.
• Cron/Heartbeat light bootstrap context: add opt-in lightweight bootstrap mode for automation runs (--light-context for cron agent turns and agents.*.heartbeat.lightContext for heartbeat), keeping only HEARTBEAT.md for heartbeat runs and skipping bootstrap-file injection for cron lightweight runs. (#26064) Thanks @jose-velez.
• OpenAI/WebSocket warm-up: add optional OpenAI Responses WebSocket warm-up (response.create with generate:false), enable it by default for openai/*, and expose params.openaiWsWarmup for per-model enable/disable control.
• Agents/Subagents runtime events: replace ad-hoc subagent completion system-message handoff with typed internal completion events (task_completion) that are rendered consistently across direct and queued announce paths, with gateway/CLI plumbing for structured internalEvents.

Fixes

• Android/Nodes reliability: reject facing=both when deviceId is set to avoid mislabeled duplicate captures, allow notification open/reply on non-clearable entries while still gating dismiss, trigger listener rebind before notification actions, and scale invoke-result ack timeout to invoke budget for large clip payloads. (#28260) Thanks @obviyus.
• Windows/Plugin install: avoid spawn EINVAL on Windows npm/npx invocations by resolving to node + npm CLI scripts instead of spawning .cmd directly. Landed from contributor PR #31147 by @codertony. Thanks @codertony.
• LINE/Voice transcription: classify M4A voice media as audio/mp4 (not video/mp4) by checking the MPEG-4 ftyp major brand (M4A / M4B ), restoring voice transcription for LINE voice messages. Landed from contributor PR #31151 by @scoootscooob. Thanks @scoootscooob.
• Slack/Announce target account routing: enable session-backed announce-target lookup for Slack so multi-account announces resolve the correct accountId instead of defaulting to bot-token context. Landed from contributor PR #31028 by @taw0002. Thanks @taw0002.
• Android/Voice screen TTS: stream assistant speech via ElevenLabs WebSocket in Talk Mode, stop cleanly on speaker mute/barge-in, and ignore stale out-of-order stream events. (#29521) Thanks @gregmousseau.
• Android/Photos permissions: declare Android 14+ selected-photo access permission (READ_MEDIA_VISUAL_USER_SELECTED) and align Android permission/settings paths with current minSdk behavior for more reliable permission state handling.
• Web UI/Cron: include configured agent model defaults/fallbacks in cron model suggestions so scheduled-job model autocomplete reflects configured models. (#29709) Thanks @Sid-Qin.
• Cron/Delivery: disable the agent messaging tool when delivery.mode is "none" so cron output is not sent to Telegram or other channels. (#21808) Thanks @lailoo.
• CLI/Cron: clarify cron list output by renaming Agent to Agent ID and adding a Model column for isolated agent-turn jobs. (#26259) Thanks @openperf.
• Feishu/Reply media attachments: send Feishu reply mediaUrl/mediaUrls payloads as attachments alongside text/streamed replies in the reply dispatcher, including legacy fallback when mediaUrls is empty. (#28959) Thanks @icesword0760.
• Slack/User-token resolution: normalize Slack account user-token sourcing through resolved account metadata (SLACK_USER_TOKEN env + config) so monitor reads, Slack actions, directory lookups, onboarding allow-from resolution, and capabilities probing consistently use the effective user token. (#28103) Thanks @Glucksberg.
• Feishu/Outbound session routing: stop assuming bare oc_ identifiers are always group chats, honor explicit dm:/group: prefixes for oc_ chat IDs, and default ambiguous bare oc_ targets to direct routing to avoid DM session misclassification. (#10407) Thanks @Bermudarat.
• Feishu/Group session routing: add configurable group session scopes (group, group_sender, group_topic, group_topic_sender) with legacy topicSessionMode=enabled compatibility so Feishu group conversations can isolate sessions by sender/topic as configured. (#17798) Thanks @yfge.
• Feishu/Reply-in-thread routing: add replyInThread config (disabled|enabled) for group replies, propagate reply_in_thread across text/card/media/streaming sends, and align topic-scoped session routing so newly created reply threads stay on the same session root. (#27325) Thanks @kcinzgg.
• Feishu/Probe status caching: cache successful probeFeishu() bot-info results for 10 minutes (bounded cache with per-account keying) to reduce repeated status/onboarding probe API calls, while bypassing cache for failures and exceptions. (#28907) Thanks @Glucksberg.
• Feishu/Opus media send type: send .opus attachments with msg_type: "audio" (instead of "media") so Feishu voice messages deliver correctly while .mp4 remains msg_type: "media" and documents remain msg_type: "file". (#28269) Thanks @Glucksberg.
• Feishu/Mobile video media type: treat inbound message_type: "media" as video-equivalent for media key extraction, placeholder inference, and media download resolution so mobile-app video sends ingest correctly. (#25502) Thanks @4ier.
• Feishu/Inbound sender fallback: fall back to sender_id.user_id when sender_id.open_id is missing on inbound events, and use ID-type-aware sender lookup so mobile-delivered messages keep stable sender identity/routing. (#26703) Thanks @NewdlDewdl.
• Feishu/Reply context metadata: include inbound parent_id and root_id as ReplyToId/RootMessageId in inbound context, and parse interactive-card quote bodies into readable text when fetching replied messages. (#18529) Thanks @qiangu.
• Feishu/Post embedded media: extract media tags from inbound rich-text (post) messages and download embedded video/audio files alongside existing embedded-image handling, with regression coverage. (#21786) Thanks @laopuhuluwa.
• Feishu/Local media sends: propagate mediaLocalRoots through Feishu outbound media sending into loadWebMedia so local path attachments work with post-CVE local-root enforcement. (#27884) Thanks @joelnishanth.
• Feishu/Group wildcard policy fallback: honor channels.feishu.groups["*"] when no explicit group match exists so unmatched groups inherit wildcard reply-policy settings instead of falling back to global defaults. (#29456) Thanks @WaynePika.
• Feishu/Inbound media regression coverage: add explicit tests for message resource type mapping (image stays image, non-image maps to file) to prevent reintroducing unsupported Feishu type=audio fetches. (#16311, #8746) Thanks @Yaxuan42.
• TTS/Voice bubbles: use opus output and enable audioAsVoice routing for Feishu and WhatsApp (in addition to Telegram) so supported channels receive voice-bubble playback instead of file-style audio attachments. (#27366) Thanks @smthfoxy.
• Telegram/Reply media context: include replied media files in inbound context when replying to media, defer reply-media downloads to debounce flush, gate reply-media fetch behind DM authorization, and preserve replied media when non-vision sticker fallback runs (including cached-sticker paths). (#28488) Thanks @obviyus.
• Android/Nodes notification wake flow: enable Android system.notify default allowlist, emit notifications.changed events for posted/removed notifications (excluding OpenClaw app-owned notifications), canonicalize notification session keys before enqueue/wake routing, and skip heartbeat wakes when consecutive notification summaries dedupe. (#29440) Thanks @obviyus.
• Telegram/Voice fallback reply chunking: apply reply reference, quote text, and inline buttons only to the first fallback text chunk when voice delivery is blocked, preventing over-quoted multi-chunk replies. Landed from contributor PR #31067 by @xdanger. Thanks @xdanger.
• Feishu/Multi-account + reply reliability: add channels.feishu.defaultAccount outbound routing support with schema validation, keep quoted-message extraction text-first (post/interactive/file placeholders instead of raw JSON), route Feishu video sends as msg_type: "file", and avoid websocket event blocking by using non-blocking event handling in monitor dispatch. Landed from contributor PRs #29610, #30432, #30331, and #29501. Thanks @hclsys, @bmendonca3, @patrick-yingxi-pan, and @zwffff.
• Feishu/Inbound rich-text parsing: preserve share_chat payload summaries when available and add explicit parsing for rich-text code/code_block/pre tags so forwarded and code-heavy messages keep useful context in agent input. (#28591) Thanks @kevinWangSheng.
• Feishu/Post markdown parsing: parse rich-text post payloads through a shared markdown-aware parser with locale-wrapper support, preserved mention/image metadata extraction, and inline/fenced code fidelity for agent input rendering. (#12755) Thanks @WilsonLiu95.
• Telegram/Outbound chunking: route oversize splitting through the shared outbound pipeline (including subagents), retry Telegram sends when escaped HTML exceeds limits, and preserve boundary whitespace when retry re-splitting rendered chunks so plain-text/transcript fidelity is retained. (#29342, #27317; follow-up to #27461) Thanks @obviyus.
• Slack/Native commands: register Slack native status as /agentstatus (Slack-reserved /status) so manifest slash command registration stays valid while text /status still works. Landed from contributor PR #29032 by @maloqab. Thanks @maloqab.
• Android/Camera clip: remove camera.clip HTTP-upload fallback to base64 so clip transport is deterministic and fail-loud, and reject non-positive maxWidth values so invalid inputs fall back to the safe resize default. (#28229) Thanks @obviyus.
• Android/Gateway canvas capability refresh: send node.canvas.capability.refresh with object params ({}) from Android node runtime so gateway object-schema validation accepts refresh retries and A2UI host recovery works after scoped capability expiry. (#28413) Thanks @obviyus.
• Gateway/Control UI origins: honor gateway.controlUi.allowedOrigins: ["*"] wildcard entries (including trimmed values) and lock behavior with regression tests. Landed from contributor PR #31058 by @byungsker. Thanks @byungsker.
• Agents/Sessions list transcript paths: handle missing/non-string/relative sessions.list.path values and per-agent {agentId} templates when deriving transcriptPath, so cross-agent session listings resolve to concrete agent session files instead of workspace-relative paths. (#24775) Thanks @martinfrancois.
• Gateway/Control UI CSP: allow required Google Fonts origins in Control UI CSP. (#29279) Thanks @Glucksberg and @vincentkoc.
• CLI/Install: add an npm-link fallback to fix CLI startup Permission denied failures (exit 127) on affected installs. (#17151) Thanks @sskyu and @vincentkoc.
• Onboarding/Custom providers: improve verification reliability for slower local endpoints (for example Ollama) during setup. (#27380) Thanks @Sid-Qin.
• Plugins/NPM spec install: fix npm-spec plugin installs when npm pack output is empty by detecting newly created .tgz archives in the pack directory. (#21039) Thanks @graysurf and @vincentkoc.
• Plugins/Install: clear stale install errors when an npm package is not found so follow-up install attempts report current state correctly. (#25073) Thanks @dalefrieswthat.
• Security/Feishu webhook ingress: bound unauthenticated webhook rate-limit state with stale-window pruning and a hard key cap to prevent unbounded pre-auth memory growth from rotating source keys. (#26050) Thanks @bmendonca3.
• Gateway/macOS supervised restart: actively launchctl kickstart -k during intentional supervised restarts to bypass LaunchAgent ThrottleInterval delays, and fall back to in-process restart when kickstart fails. Landed from contributor PR #29078 by @cathrynlavery. Thanks @cathrynlavery.
• Daemon/macOS TLS certs: default LaunchAgent service env NODE_EXTRA_CA_CERTS to /etc/ssl/cert.pem (while preserving explicit overrides) so HTTPS clients no longer fail with local-issuer errors under launchd. (#27915) Thanks @Lukavyi.
• Discord/Components wildcard handlers: use distinct internal registration sentinel IDs and parse those sentinels as wildcard keys so select/user/role/channel/mentionable/modal interactions are not dropped by raw customId dedupe paths. Landed from contributor PR #29459 by @Sid-Qin. Thanks @Sid-Qin.
• Feishu/Reaction notifications: add channels.feishu.reactionNotifications (off | own | all, default own) so operators can disable reaction ingress or allow all verified reaction events (not only bot-authored message reactions). (#28529) Thanks @cowboy129.
• Feishu/Typing backoff: re-throw Feishu typing add/remove rate-limit and quota errors (429, 99991400, 99991403) and detect SDK non-throwing backoff responses so the typing keepalive circuit breaker can stop retries instead of looping indefinitely. (#28494) Thanks @guoqunabc.
• Feishu/Zalo runtime logging: replace direct console.log/error usage in Feishu typing-indicator paths and Zalo monitor paths with runtime-gated logger calls so verbosity controls are respected while preserving typing backoff behavior. (#18841) Thanks @Clawborn.
• Feishu/Group sender allowlist fallback: add global channels.feishu.groupSenderAllowFrom sender authorization for group chats, with per-group groups.<id>.allowFrom precedence and regression coverage for allow/block/precedence behavior. (#29174) Thanks @1MoreBuild.
• Feishu/Docx append/write ordering: insert converted Docx blocks sequentially (single-block creates) so Feishu append/write preserves markdown block order instead of returning shuffled sections in asynchronous batch inserts. (#26172, #26022) Thanks @echoVic.
• Feishu/Docx convert fallback chunking: recursively split oversized markdown chunks (including long no-heading sections) when document.convert hits content limits, while keeping fenced-code-aware split boundaries whenever possible. (#14402) Thanks @lml2468.
• Feishu/API quota controls: add typingIndicator and resolveSenderNames config flags (top-level and per-account) so operators can disable typing reactions and sender-name lookup requests while keeping default behavior unchanged. (#10513) Thanks @BigUncle.
• Feishu/System preview prompt leakage: stop enqueuing inbound Feishu message previews as system events so user preview text is not injected into later turns as trusted System: context. Landed from contributor PR #31209 by @stakeswky. Thanks @stakeswky.
• Feishu/Typing replay suppression: skip typing indicators for stale replayed inbound messages after compaction using message-age checks with second/millisecond timestamp normalization, preventing old-message reaction floods while preserving typing for fresh messages. Landed from contributor PR #30709 by @arkyu2077. Thanks @arkyu2077.
• Sessions/Internal routing: preserve established external lastTo/lastChannel routes for internal/non-deliverable turns, with added coverage for no-fallback internal routing behavior. Landed from contributor PR #30941 by @graysurf. Thanks @graysurf.
• Control UI/Debug log layout: render Debug Event Log payloads at full width to prevent payload JSON from being squeezed into a narrow side column. Landed from contributor PR #30978 by @stozo04. Thanks @stozo04.
• Auto-reply/NO_REPLY: strip NO_REPLY token from mixed-content messages instead of leaking raw control text to end users. Landed from contributor PR #31080 by @scoootscooob. Thanks @scoootscooob.
• Install/npm: fix npm global install deprecation warnings. (#28318) Thanks @vincentkoc.
• Update/Global npm: fallback to --omit=optional when global npm update fails so optional dependency install failures no longer abort update flows. (#24896) Thanks @xinhuagu and @vincentkoc.
• Inbound metadata/Multi-account routing: include account_id in trusted inbound metadata so multi-account channel sessions can reliably disambiguate the receiving account in prompt context. Landed from contributor PR #30984 by @Stxle2. Thanks @Stxle2.
• Model directives/Auth profiles: split /model profile suffixes at the first @ after the last slash so email-based auth profile IDs (for example OAuth profile IDs) resolve correctly. Landed from contributor PR #30932 by @haosenwang1018. Thanks @haosenwang1018.
• Cron/Delivery mode none: send explicit delivery: { mode: "none" } from cron editor for both add and update flows so previous announce delivery is actually cleared. Landed from contributor PR #31145 by @byungsker. Thanks @byungsker.
• Cron editor viewport: make the sticky cron edit form independently scrollable with viewport-bounded height so lower fields/actions are reachable on shorter screens. Landed from contributor PR #31133 by @Sid-Qin. Thanks @Sid-Qin.
• Agents/Thinking fallback: when providers reject unsupported thinking levels without enumerating alternatives, retry with think=off to avoid hard failure during model/provider fallback chains. Landed from contributor PR #31002 by @yfge. Thanks @yfge.
• Ollama/Embedded runner base URL precedence: prioritize configured provider baseUrl over model defaults for embedded Ollama runs so Docker and remote-host setups avoid localhost fetch failures. (#30964) Thanks @stakeswky.
• Agents/Failover reason classification: avoid false rate-limit classification from incidental tpm substrings by matching TPM as a standalone token/phrase and keeping auth-context errors on the auth path. Landed from contributor PR #31007 by @HOYALIM. Thanks @HOYALIM.
• Gateway/WS: close repeated post-handshake unauthorized role:* request floods per connection and sample duplicate rejection logs, preventing a single misbehaving client from degrading gateway responsiveness. (#20168) Thanks @acy103, @vibecodooor, and @vincentkoc.
• Gateway/Auth: improve device-auth v2 migration diagnostics so operators get clearer guidance when legacy clients connect. (#28305) Thanks @vincentkoc.
• CLI/Ollama config: allow config set for Ollama apiKey without predeclared provider config. (#29299) Thanks @vincentkoc.
• Ollama/Autodiscovery: harden autodiscovery and warning behavior. (#29201) Thanks @marcodelpin and @vincentkoc.
• Ollama/Context window: unify context window handling across discovery, merge, and OpenAI-compatible transport paths. (#29205) Thanks @Sid-Qin, @jimmielightner, and @vincentkoc.
• Agents/Ollama: demote empty-discovery logging from warn to debug to reduce noisy warnings in normal edge-case discovery flows. (#26379) Thanks @byungsker.
• fix(model): preserve reasoning in provider fallback resolution. (#29285) Fixes #25636. Thanks @vincentkoc.
• Docker/Image permissions: normalize /app/extensions, /app/.agent, and /app/.agents to directory mode 755 and file mode 644 during image build so plugin discovery does not block inherited world-writable paths. (#30191) Fixes #30139. Thanks @edincampara.
• OpenAI Responses/Compaction: rewrite and unify the OpenAI Responses store patches to treat empty baseUrl as non-direct, honor compat.supportsStore=false, and auto-inject server-side compaction context_management for compatible direct OpenAI models (with per-model opt-out/threshold overrides). Landed from contributor PRs #16930 (@OiPunk), #22441 (@EdwardWu7), and #25088 (@MoerAI). Thanks @OiPunk, @EdwardWu7, and @MoerAI.
• Sandbox/Browser Docker: pass OPENCLAW_BROWSER_NO_SANDBOX=1 to sandbox browser containers and bump sandbox browser security hash epoch so existing containers are recreated and pick up the env on upgrade. (#29879) Thanks @Lukavyi.
• Usage normalization: clamp negative prompt/input token values to zero (including prompt_tokens alias inputs) so /usage and TUI usage displays cannot show nonsensical negative counts. Landed from contributor PR #31211 by @scoootscooob. Thanks @scoootscooob.
• Secrets/Auth profiles: normalize inline SecretRef token/key values to canonical tokenRef/keyRef before persistence, and keep explicit keyRef precedence when inline refs are also present. Landed from contributor PR #31047 by @minupla. Thanks @minupla.
• Tools/Edit workspace boundary errors: preserve the real Path escapes workspace root failure path instead of surfacing a misleading access/file-not-found error when editing outside workspace roots. Landed from contributor PR #31015 by @haosenwang1018. Thanks @haosenwang1018.
• Browser/Open & navigate: accept url as an alias parameter for open and navigate. (#29260) Thanks @vincentkoc.
• Codex/Usage window: label weekly usage window as Week instead of Day. (#26267) Thanks @Sid-Qin.
• Signal/Sync message null-handling: treat syncMessage presence (including null) as sync envelope traffic so replayed sentTranscript payloads cannot bypass loop guards after daemon restart. Landed from contributor PR #31138 by @Sid-Qin. Thanks @Sid-Qin.
• Infra/fs-safe: sanitize directory-read failures so raw EISDIR text never leaks to messaging surfaces, with regression tests for both root-scoped and direct safe reads. Landed from contributor PR #31205 by @polooooo. Thanks @polooooo.
• Sandbox/mkdirp boundary checks: allow directory-safe boundary validation for existing in-boundary subdirectories, preventing false cannot create directories failures in sandbox write mode. (#30610) Thanks @glitch418x.
• Security/Compaction audit: remove the post-compaction audit injection message. (#28507) Thanks @fuller-stack-dev and @vincentkoc.
• Web tools/RFC2544 fake-IP compatibility: allow RFC2544 benchmark range (198.18.0.0/15) for trusted web-tool fetch endpoints so proxy fake-IP networking modes do not trigger false SSRF blocks. Landed from contributor PR #31176 by @sunkinux. Thanks @sunkinux.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)

• kiloclaw/Dockerfile - Version bump of OpenClaw from 2026.2.26 to 2026.3.1 with corresponding cache bust comment update. Version is properly pinned and verified with openclaw --version.