Fix OpenClaw companion install and Gateway cleanup #93

Merged: Mr-Lucky merged 8 commits into main from fix/openclaw-init-companion-install on May 27, 2026

@Mr-Lucky
Contributor

Summary

  • Enable AgentGuard in both main OpenClaw config and companion workspace state during OpenClaw init
  • Reuse configured OpenClaw Gateway bearer tokens for HTTP and WebSocket fallback paths
  • Refresh Agent JWT account binding status in agentguard status and clear stale activation links after Cloud accepts the JWT
  • Replace/remove native OpenClaw cron jobs by job ID instead of relying on unsupported openclaw cron add --force behavior
  • Update changelog and release metadata for the branch changes

Tests

  • Not run in this pass

@github-actions

github-actions Bot commented May 27, 2026

AgentGuard PR Review

  1. severity: high, src/cli.ts / src/feed/cron.ts (patch 2, OpenClaw gateway token handling)

    • What can go wrong: The patch now reads a bearer token from OPENCLAW_CONFIG_PATH/OPENCLAW_STATE_DIR and injects it into HTTP headers and WebSocket connect params without validating that the token is intended for the current gateway or even for the current workspace. If those env vars are pointed at an attacker-controlled file/path, AgentGuard will leak the token to that endpoint.
    • Fix: Only load gateway tokens from a trusted, explicitly configured config file owned by the current user, and validate the resolved config path is within the expected OpenClaw state dir before sending it. Consider requiring the token to be provided only via env or direct CLI option, not auto-discovered from disk.
  2. severity: medium, src/feed/cron.ts (patch 4, installOpenClawNativeThreatFeedCron / removeOpenClawNativeThreatFeedCron)

    • What can go wrong: The new job discovery/removal uses a regex match on arbitrary cron list output and then removes jobs by parsed UUID if present, otherwise by name. A malformed or spoofed line containing the target name plus a UUID can cause AgentGuard to remove the wrong cron entry.
    • Fix: Restrict parsing to the documented JSON output only, or require an exact structured ID field from openclaw cron list and ignore free-form text lines for destructive actions. If text parsing is unavoidable, validate the whole row format more strictly before deleting.
  3. severity: medium, src/cli.ts (patch 3, refreshAgentAccountBinding)

    • What can go wrong: status now performs a live Cloud request and silently clears agentRegisterUrl on any successful fetch. If Cloud is unreachable or intermittently errors, the stale activation URL remains forever; if Cloud returns success for a JWT that is later revoked, the local config is updated as if binding is permanently valid. This changes persistent security state based on a non-authoritative, momentary check.
    • Fix: Do not persistently clear agentRegisterUrl from status; instead report binding state transiently. If you need to update config, only do so in the explicit connect/re-auth flow and require a stronger server-side confirmation tied to a binding event.
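
The fix proposed in finding 2 (act only on a structured ID field, never on free-form text lines), sketched as an added example; it is not code from this PR or from AgentGuard. The JSON shape `[{ id, name }]`, the job name and the function names are assumptions, since the page does not show what openclaw cron list prints.

```typescript
// Added example. Assumed (not shown on the page): the JSON shape [{ id, name }]
// and the job name used in the constructed samples below.
interface CronJob { id: string; name: string }
type Selection = { ok: true; id: string } | { ok: false; reason: string };

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isCronJob(v: unknown): v is CronJob {
  if (typeof v !== "object" || v === null) return false;
  const r = v as Record<string, unknown>;
  return typeof r.id === "string" && typeof r.name === "string";
}

// Returns the one job ID that is safe to remove, or a refusal with a reason.
// Any doubt (non-JSON output, malformed row, duplicate name) means no deletion.
function selectJobForRemoval(listOutput: string, targetName: string): Selection {
  let parsed: unknown;
  try {
    parsed = JSON.parse(listOutput);
  } catch {
    return { ok: false, reason: "output is not JSON; free-form text is ignored" };
  }
  if (!Array.isArray(parsed)) return { ok: false, reason: "expected a JSON array" };
  if (!parsed.every(isCronJob)) return { ok: false, reason: "malformed job row" };

  // Exact match on the name field; a name that merely contains the target is not a match.
  const matches = (parsed as CronJob[]).filter((j) => j.name === targetName);
  if (matches.length === 0) return { ok: false, reason: "no job with that exact name" };
  if (matches.length > 1) return { ok: false, reason: "ambiguous: name is not unique" };

  const job = matches[0];
  if (!job || !UUID_RE.test(job.id)) return { ok: false, reason: "id is not a UUID" };
  return { ok: true, id: job.id };
}

// Constructed sample inputs.
const TARGET = "agentguard-threat-feed";
const OUR_ID = "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b";
const OTHER_ID = "11111111-2222-4333-8444-555555555555";
const GOOD_LIST = JSON.stringify([
  { id: OUR_ID, name: TARGET },
  { id: OTHER_ID, name: "nightly-backup" },
]);
// Another job whose name embeds the target name and a UUID, as the finding describes.
const SPOOFED_NAME_LIST = JSON.stringify([
  { id: OTHER_ID, name: `nightly-backup ${TARGET} ${OUR_ID}` },
]);
const TEXT_LIST = `${OUR_ID}  ${TARGET}  every 6h`;
```
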

@Mr-Lucky Mr-Lucky merged commit aa06295 into main May 27, 2026
4 checks passed