fix: OpenClaw 2026.4.1 compatibility — full exec permissions & open Telegram

- Set exec-approvals defaults to security=full during deploy (fixes gateway approval timeout)
- Change Telegram dmPolicy default from "pairing" to "open" (fixes DM blocking)
- Add allowFrom: ["*"] to Telegram channel config
- Add tools.profile: "full" to generated openclaw.json
- Auto-update OpenClaw & refresh gateway token on re-deploy (fixes stale embedded token)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: iPythoning

deploy/config.sh.example

@@ -45,7 +45,7 @@ WHATSAPP_DEBOUNCE_MS=5000
 # ─── Channel: Telegram ───────────────────────────────────
 TELEGRAM_ENABLED=false
 TELEGRAM_BOT_TOKEN=""       # Get from @BotFather
-TELEGRAM_DM_POLICY="pairing"
+TELEGRAM_DM_POLICY="open"
 TELEGRAM_GROUP_POLICY="open"
 
 # ─── Admin Whitelist (comma-separated) ───────────────────

deploy/deploy.sh

@@ -127,8 +127,30 @@ if echo "$OPENCLAW_INSTALLED" | grep -q "NOT_INSTALLED"; then
   fi
 else
   log "OpenClaw already installed: $(echo "$OPENCLAW_INSTALLED" | tail -1)"
+  if [ "$INSTALL_OPENCLAW" = true ]; then
+    info "  Updating OpenClaw & refreshing gateway token..."
+    remote "npm install -g openclaw@latest 2>&1 | tail -3"
+    remote "openclaw gateway install --force 2>&1 | tail -3"
+    log "  OpenClaw updated, gateway token refreshed"
+  fi
 fi
 
+# Ensure exec-approvals are set to full (required since 2026.4.1)
+info "  Setting exec approvals to full..."
+remote "cat > /root/.openclaw/exec-approvals.json << 'EAEOF'
+{
+  \"version\": 1,
+  \"defaults\": {
+    \"security\": \"full\",
+    \"ask\": \"off\",
+    \"askFallback\": \"full\"
+  },
+  \"agents\": {}
+}
+EAEOF
+chmod 600 /root/.openclaw/exec-approvals.json"
+log "  Exec approvals configured (security=full)"
+
 # ─── Step 3: Check Node.js ───────────────────────────────
 info "Step 3/7: Checking Node.js..."
 NODE_CHECK=$(remote "node --version 2>/dev/null || echo 'NOT_INSTALLED'")

deploy/generate-config.sh

@@ -161,6 +161,7 @@ $PROVIDERS
     "telegram": {
       "enabled": $TELEGRAM_ENABLED,
       "dmPolicy": "$TELEGRAM_DM_POLICY",
+      "allowFrom": ["*"],
       "botToken": "${TELEGRAM_BOT_TOKEN:-}",
       "groupPolicy": "$TELEGRAM_GROUP_POLICY"
     }
@@ -172,6 +173,10 @@ $PROVIDERS
     "auth": {"mode": "token", "token": "$GATEWAY_TOKEN"},
     "controlUi": {"allowedOrigins": ["*"]}
   },
+  "tools": {
+    "profile": "full",
+    "sessions": {"visibility": "all"}
+  },
   "skills": {"install": {"nodeManager": "npm"}},
   "hooks": {
     "internal": {