feat(kiloclaw): bump openclaw to version 2026.3.8 #939

Merged
pandemicsyn merged 3 commits into main from feat/bump-openclaw-2026.3.8
Mar 10, 2026

kilo-code-bot Bot commented Mar 9, 2026

Summary

Bumps openclaw from 2026.3.2 to 2026.3.8 in kiloclaw/Dockerfile.

Verification

  • Dockerfile updated with new openclaw version
  • Build tested locally (manual verification recommended before merge)

Visual Changes

N/A

Reviewer Notes

The following changes in v2026.3.8 may be relevant to our deployment:

Potentially impactful changes

Docker image size reduction

  • Dev dependencies are pruned and build-only dist metadata is stripped for smaller Docker images. This is a direct improvement for our image build.

Gateway restart behavior changes

  • Gateway now exits non-zero when restart-triggered shutdown drains time out, so launchd/systemd will restart the gateway instead of treating a failed restart as a clean stop. This changes container restart semantics — ensure our Fly.io restart policy handles non-zero exits as expected.
  • Gateway now validates config before service start/restart and keeps post-SIGUSR1 startup failures from crashing the gateway process. This reduces invalid-config restart loops. Our start-openclaw.sh config setup should be reviewed to ensure it produces valid config before the gateway starts.

Config/secrets handling change

  • Secrets-runtime-resolved config and auth-profile snapshots are now kept intact after config writes, so follow-up reads still see file-backed secret values while picking up the persisted config update. If start-openclaw.sh writes config at startup, verify that secret resolution still works as expected.

Security: system.run script binding

  • Approved bun and deno run script operands are now bound to on-disk file snapshots so post-approval script rewrites are denied before execution. This is a security hardening change — if any agent workflows rely on modifying scripts between approval and execution, they will be blocked.

Browser/SSRF hardening

  • Private-network intermediate redirect hops are now blocked in strict browser navigation flows. If any tools or integrations use browser navigation through private network redirects, they may be affected.

MS Teams authz change

  • groupPolicy: "allowlist" now enforces sender allowlists even when a team/channel route allowlist is configured. If we have Teams integrations with route allowlists, verify that the sender allowlist behavior is still correct.


kilo-code-bot Bot commented Mar 9, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • kiloclaw/Dockerfile
  • src/app/(app)/claw/components/changelog-data.ts

pandemicsyn merged commit 56174c6 into main on Mar 10, 2026
19 checks passed
pandemicsyn deleted the feat/bump-openclaw-2026.3.8 branch on March 10, 2026 15:52