feat(kiloclaw): bump openclaw to version 2026.4.2 #1952

Open
kilo-code-bot[bot] wants to merge 1 commit into main from feat/kiloclaw-bump-openclaw-2026.4.2

kilo-code-bot bot commented Apr 3, 2026

Summary

Bumps the pinned openclaw version in kiloclaw/Dockerfile from 2026.3.24 to 2026.4.2.

Verification

  • Change is a single-line version pin update in the Dockerfile.
  • No logic changes in the controller or worker code.

Visual Changes

N/A

Reviewer Notes

The following items from the v2026.4.2 release notes may be relevant to our deployment:

Breaking changes requiring attention

  • Plugin/xAI config path change: x_search settings moved from tools.web.x_search.* to plugins.entries.xai.config.xSearch.*. Auth now uses plugins.entries.xai.config.webSearch.apiKey / XAI_API_KEY. Run openclaw doctor --fix to migrate.
  • Plugin/Firecrawl web fetch config path change: Firecrawl web_fetch config moved from tools.web.fetch.firecrawl.* to plugins.entries.firecrawl.config.webFetch.*. Run openclaw doctor --fix to migrate.

Fixes relevant to our deployment

  • Gateway/exec loopback (2026.3.31 regression fix): Restores legacy-role fallback for empty paired-device token maps and allows silent local role upgrades, fixing local exec and node clients failing with pairing-required errors. This directly affects KiloClaw machines.
  • Agents/subagents: Fixes sessions_spawn dying with close(1008) "pairing required" on loopback scope-upgrade — relevant for agent workflows running on our machines.
  • Providers/transport policy: Centralizes request auth, proxy, TLS, and header shaping; blocks insecure TLS/runtime transport overrides.
  • Exec defaults: Gateway/node host exec now defaults to YOLO mode (security=full, ask=off), aligning host approval-file fallbacks. This changes exec approval behavior on machines.
  • Exec/env: Blocks additional host environment override pivots for package roots, language runtimes, compiler include paths, and credential/config locations — a security hardening change.

The two breaking plugin config changes only apply if xAI or Firecrawl integrations are configured on user instances. If any users have those configured, openclaw doctor --fix will migrate them automatically on first boot after the image update.

# Install OpenClaw
# Pin to specific version for reproducible builds
RUN npm install -g openclaw@2026.3.24 \
RUN npm install -g openclaw@2026.4.2 \
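
Review bot: The openclaw@2026.4.2 pin line silently changes exec approval behavior on KiloClaw machines, because the description lists a new gateway/node host exec default of security=full, ask=off, and nothing in this hunk sets that policy explicitly. Suggest either writing the intended exec approval settings explicitly in the config KiloClaw generates, or recording in the PR that the new default is accepted for our machines, before the image is rebuilt with this pin.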
WARNING: This version bump introduces a breaking Firecrawl config migration that KiloClaw does not handle yet

openclaw@2026.4.2 moves Firecrawl web fetch auth from tools.web.fetch.firecrawl.* to plugins.entries.firecrawl.config.webFetch.*, but KiloClaw still validates and re-patches the old key via customSecretMeta/KILOCLAW_SECRET_CONFIG_PATHS (kiloclaw/packages/secret-catalog/src/catalog.ts:463, kiloclaw/controller/src/config-writer.ts:351). On restart, openclaw doctor --fix will migrate the config file and then generateBaseConfig() reintroduces the stale path, so existing Firecrawl integrations can lose their API key after this image update.
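
A regression check for the failure mode described in the comment above, as an added example (not code from this PR, KiloClaw or OpenClaw): it scans a config object for values still sitting under the paths that 2026.4.2 relocated and reports whether each has a counterpart at the new path. The path prefixes come from the release notes quoted in this PR; the nested-JSON config shape, the `apiKey` leaf in the sample, and leaf names carrying over unchanged to the new path are assumptions.

```javascript
// Added example: flag legacy OpenClaw config paths that 2026.4.2 relocated.
// Prefixes are from the release notes quoted in this PR. Assumptions: the
// config is a nested JSON object and leaf names are unchanged by the move.
const MOVED_PATHS = [
  { legacy: "tools.web.x_search", current: "plugins.entries.xai.config.xSearch" },
  { legacy: "tools.web.fetch.firecrawl", current: "plugins.entries.firecrawl.config.webFetch" },
];

// Resolve a dotted path; returns undefined if any segment is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    obj
  );
}

// List the dotted paths of every leaf value under a node.
function leafPaths(node, prefix) {
  if (node === null || typeof node !== "object") return [prefix];
  return Object.keys(node).flatMap((k) => leafPaths(node[k], `${prefix}.${k}`));
}

// For each relocated section, report leaves still present at the legacy path
// and whether the same leaf exists at the new path (migrated: true/false).
function findStalePaths(config) {
  const findings = [];
  for (const { legacy, current } of MOVED_PATHS) {
    const legacyNode = getPath(config, legacy);
    if (legacyNode === undefined) continue;
    for (const leaf of leafPaths(legacyNode, legacy)) {
      const expected = current + leaf.slice(legacy.length);
      findings.push({ stale: leaf, expected, migrated: getPath(config, expected) !== undefined });
    }
  }
  return findings;
}

// Constructed sample modelling the state the review comment describes: the
// new section exists, but the secret was written back under the legacy path.
const REINTRODUCED_SAMPLE = {
  tools: { web: { fetch: { firecrawl: { apiKey: "CONSTRUCTED-PLACEHOLDER" } } } },
  plugins: { entries: { firecrawl: { config: { webFetch: {} } } } },
};

console.log(findStalePaths(REINTRODUCED_SAMPLE));
```

A finding with `migrated: false` is the case that loses the key; an empty result means no legacy paths remain in the written config.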

kilo-code-bot bot commented Apr 3, 2026

Code Review Summary

Status: 1 Issues Found | Recommendation: Address before merge

Overview

| Severity | Count |
| --- | --- |
| CRITICAL | 0 |
| WARNING | 1 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
| --- | --- | --- |
| kiloclaw/Dockerfile | 45 | Bumping to openclaw@2026.4.2 introduces a Firecrawl config migration that KiloClaw still rewrites back to the legacy path, which can break existing Firecrawl integrations after restart. |

Other Observations (not in diff)

N/A

Files Reviewed (1 files)
  • kiloclaw/Dockerfile - 1 issue

Reviewed by gpt-5.4-20260305 · 578,084 tokens
