feat(kiloclaw): bump openclaw to version 2026.3.31#1819

Open
kilo-code-bot[bot] wants to merge 1 commit into main from feat/bump-openclaw-2026.3.31

Conversation

kilo-code-bot[bot] (Contributor) commented Apr 1, 2026

Summary

  • Bumps openclaw from 2026.3.13 to 2026.3.31 in kiloclaw/Dockerfile.

Release notes highlights — potential deployment impact

The following changes in v2026.3.31 may affect KiloClaw deployments:

Breaking: Gateway/auth — trusted-proxy rejects mixed shared-token configs

trusted-proxy now rejects mixed shared-token configs, and local-direct fallback requires the configured token instead of implicitly authenticating same-host callers.

KiloClaw uses a per-user HMAC gateway token (OPENCLAW_GATEWAY_TOKEN) and the controller sets up trusted-proxy mode. This change means any residual implicit same-host auth is no longer accepted — only the configured token is valid. If the controller's bootstrap or any runtime path relies on implicit loopback auth without a token, it will break after this upgrade. Verify controller/src/bootstrap.ts correctly injects OPENCLAW_GATEWAY_TOKEN on all code paths before deploying.

Breaking: Gateway/node commands — disabled until node pairing is approved

Node commands now stay disabled until node pairing is approved, so device pairing alone is no longer enough to expose declared node commands.

If any KiloClaw flows rely on node commands being available immediately after device pairing (before explicit node-pairing approval), those flows will silently stop working.

Breaking: Gateway/node events — node-originated runs on a reduced trusted surface

Node-originated runs now stay on a reduced trusted surface, so notification-driven or node-triggered flows that previously relied on broader host/session tool access may need adjustment.

Automated node-triggered or notification-driven agent flows may have reduced tool access after this upgrade.

Breaking: Skills/install and Plugins/install — dangerous-code findings now fail closed

Built-in dangerous-code critical findings and install-time scan failures now fail closed by default; plugin installs and gateway-backed skill dependency installs may now require --dangerously-force-unsafe-install to proceed.

If any skills bundled in kiloclaw/skills/ or plugins installed at runtime trigger critical scan findings, their install will now fail instead of proceeding. Review bundled skills and plugin install flows.

Security fix: Exec/env — proxy and TLS env override blocking

Blocks proxy, TLS, and Docker endpoint env overrides in host execution so request-scoped commands cannot silently reroute outbound traffic or trust attacker-supplied certificate settings.

Positive security hardening, but could break any legitimate exec flows that set HTTP_PROXY, HTTPS_PROXY, SSL_CERT_FILE, or similar env vars in agent-invoked commands.

Verification

  • Dockerfile edited and syntax verified by inspection.
  • Pre-push hooks passed: pnpm format:check, scripts/lint-all.sh, scripts/typecheck-all.sh --changes-only all green.

Visual Changes

N/A

Reviewer Notes

The gateway/auth breaking change around trusted-proxy is the highest-risk item for this deployment. Recommend verifying the controller bootstrap correctly sets the gateway token before merging and deploying. All other breaking changes are lower risk given KiloClaw's current usage patterns, but worth a smoke test via scripts/controller-smoke-test.sh after image build.
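To make the trusted-proxy change concrete, here is an added TypeScript sketch (not openclaw's or KiloClaw's code; the request shape, the `Authorization: Bearer` header and the HMAC token-derivation scheme are assumptions) contrasting the old implicit same-host acceptance with requiring the configured token on every path:

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed request shape: what the gateway sees after the trusted proxy forwards a call.
interface GatewayRequest {
  remoteAddr: string;                 // peer address on the gateway socket
  headers: Record<string, string>;    // lower-cased header names
}

// Assumed per-user token scheme: HMAC-SHA256 of the user id under a deployment secret.
export function deriveUserToken(secret: string, userId: string): string {
  return createHmac("sha256", secret).update(userId).digest("hex");
}

function presentedToken(req: GatewayRequest): string | undefined {
  const h = req.headers["authorization"];
  return h && h.startsWith("Bearer ") ? h.slice("Bearer ".length) : undefined;
}

// Constant-time comparison; length check first because timingSafeEqual requires equal sizes.
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (!presented || presented.length !== expected.length) return false;
  return timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
}

// Pre-2026.3.31 behaviour as described in the release notes: a same-host caller is
// accepted without any token. Behind a proxy every forwarded request looks
// same-host, so the token check is effectively bypassed for all of them.
export function authorizeLegacy(req: GatewayRequest, expected: string): boolean {
  const isLoopback = req.remoteAddr === "127.0.0.1" || req.remoteAddr === "::1";
  return isLoopback || tokenMatches(presentedToken(req), expected);
}

// 2026.3.31 behaviour: the configured token is required on every path, loopback included.
// This is the check a bootstrap that forgets to inject OPENCLAW_GATEWAY_TOKEN will now fail.
export function authorizeStrict(req: GatewayRequest, expected: string): boolean {
  return tokenMatches(presentedToken(req), expected);
}
```

A smoke test for the upgrade is the `authorizeStrict` case: a tokenless loopback request must be rejected, and a request carrying the injected token must still succeed.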

kilo-code-bot[bot] (Contributor, Author) commented Apr 1, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)
  • kiloclaw/Dockerfile

Reviewed by gpt-5.4-20260305 · 492,747 tokens
