feat(kiloclaw): bump openclaw to version 2026.6.5

[kilo-code-bot]

Summary

Bumps the packaged OpenClaw version in the KiloClaw image from 2026.5.26 to 2026.6.5: the
Dockerfile pin, the bundled plugin peer and dev deps, the lockfile, the e2e runbook version,
and a changelog entry. Prepared by automation.

Verification

Validate per the kiloclaw-openclaw-upgrade skill before marking this PR ready:

• Run the persisted-root live smoke: bash services/kiloclaw/scripts/controller-openclaw-upgrade-smoke-test.sh
• Run the skill's final submission gates (typecheck, tests, lint) and review plugin diagnostics.
• Record the upgrade evidence (before and after versions, smoke result, any diagnostics) in this PR.
• Mark this PR ready once the above pass.

Visual Changes

N/A

Reviewer Notes

Automated upgrade assessment

Span: 4 releases over 12 days (2026.5.27, 2026.5.28, 2026.6.1, 2026.6.5).

Scores: Breaking changes Low, Security Medium, Deployment Low, Behavior Medium, Span Low.

Recommendation: Review carefully.

This assessment reviewed every release from the current pin up to the target. No release body
contained injected instructions. The recommendation is capped at Review carefully because the
candidate image has not been built and the live persisted root smoke has not been run, and
merging triggers the first production image build.

Risk flags and rationale:

• Behavior (Medium): the 2026.6.1 and 2026.6.5 releases move several pieces of OpenClaw state to
  SQLite backed storage that previously lived in plain runtime files, including auth profiles,
  cron job stores, the iMessage monitor, inbound queues, the plugin install index, Matrix sync
  and crypto sidecars, and device pair notify state. On first boot against an existing volume at
  /root these run one time migrations. The doctor config preflight now migrates legacy cron JSON
  stores into SQLite before runtime reads. The session metadata SQLite migration was deliberately
  deferred from this train, so this release keeps the existing JSON backed session metadata path.
  The persisted root smoke is the right place to confirm these migrations are clean.

• Security (Medium): the span carries many hardening fixes, including rejecting untrusted
  Microsoft Teams service URLs, gating owner only HTTP tools, guarding MCP HTTP redirects,
  redacting inline image payloads before they reach stored transcripts, and requiring admin
  authority for node and device role approvals. These are improvements but touch trust and
  delivery boundaries, so they are worth a careful read.

• Breaking (Low): no install or deployment breaking changes for the packaged image. The OpenClaw
  gateway config.patch array replacement change in 2026.6.5 does not affect our controller, which
  applies its own deep merge in config-writer and writes the full openclaw.json file rather than
  relying on the gateway patch RPC merge semantics. Plugin SDK surface changes in the span affect
  external plugin authors and were checked against our bundled plugins during the bump.

• Deployment (Low): the image installs a pinned npm version through the Dockerfile and the install
  procedure is unchanged. The release train switched to YYYY.M.PATCH monthly patch numbering and
  pinned the June 2026 floor at 2026.6.5, which is a versioning note rather than a deployment
  change.

• Span (Low): four linear CalVer releases over twelve days, well within the unattended review
  limit.

Build the candidate image and run the persisted root live smoke before marking ready, then record
the evidence below.

[St0rmz1]

Validation update — local persisted-root testing of 2026.6.5

Built the candidate image locally and ran the controller smoke suite against both the fresh-install (onboard) and upgrade (doctor) paths. Two security-relevant behavior changes in 2026.6.x surfaced during testing; both are now handled in this PR.

Findings

1. Auth profiles moved to SQLite — plaintext key could land in the store on upgrade
2026.6.1+ doctor --fix imports auth-profiles.json into a per-agent openclaw-agent.sqlite, storing a plaintext key verbatim when no keyRef is present. The controller's keyRef conversion ran after doctor, so on an upgrade whose JSON still held a plaintext kilocode key, doctor baked the plaintext into the SQLite store (confirmed: the literal key was present in openclaw-agent.sqlite-wal). doctor also leaves a world-readable (0644) *.sqlite-import.*.bak that retains the plaintext — a known upstream gap (openclaw#11829 / openclaw#84761).

2. agents delete now recursively removes the workspace
2026.6.x openclaw agents delete deletes the agent's workspace directory and all its contents (older versions retained it). The controller's filesystemDisposition was hardcoded to 'unverified', which no longer reflects reality.

Work completed (this PR)

ee57ab6 — adapt controller to 2026.6.x behavior:

• Remove the plaintext *.sqlite-import.*.bak after migration (chmod 0600 fallback)
• Verify the CLI-reported workspace path on delete and report an accurate filesystemDisposition ('deleted'/'retained'); the worker schema accepts all three values so it tolerates mixed controller versions during rollout
• Update controller/entrypoint smoke tests + add unit coverage

b3d8bf5 — keep the SQLite import clean:

• Run the idempotent keyRef migration before doctor so the SQLite import lands a keyRef, never plaintext (the post-doctor call is kept for self-healing on versions that still read the JSON)
• Add a bootstrap ordering assertion (migration before doctor) + a smoke assertion that no plaintext key survives in the SQLite store after an upgrade boot

Test results (local image == this PR's pin)

• Entrypoint (doctor / upgrade) smoke: 26/26 — incl. no plaintext kilocode key in SQLite auth store, controller removed plaintext migration backup, delete reports deleted filesystem disposition, deleted agent workspace removed from disk
• Onboard (fresh install) smoke: 20/20
• Controller unit + worker/web tests pass; format:check, lint, typecheck clean

Still outstanding

• The official before→after persisted-root upgrade smoke (controller-openclaw-upgrade-smoke-test.sh) — boots the previous pin then 2026.6.5 on the same /root; needs a live KILOCODE_API_KEY. Recommend running it before marking ready.

[St0rmz1]

Status — local validation complete (fresh install + live upgrade)

Both upgrade paths are now validated against a locally-built image matching this PR's pin.

Path 1 — fresh install (onboard)

Controller onboard smoke 20/20: boots to ready, all plugins, auth stored as an env-backed keyRef in SQLite, no plaintext key on disk.

Path 2 — real persisted-volume upgrade (2026.5.26 → 2026.6.5)

Provisioned a 2026.5.26 instance through the dev stack, loaded representative state (GitHub + Google Calendar creds, vector search + dreaming, an inbound webhook, a Discord channel), then redeployed onto 2026.6.5 in place on the same volume:

• Auth → SQLite clean — auth-profiles.json migrated, keyRef preserved, no plaintext; both import backups (auth-profiles + auth-state) removed by the controller cleanup.
• No data loss — memory (vector/dreaming) preserved; flows/tasks state relocated into the consolidated state/openclaw.sqlite (originals retained as .migrated); config intact (channels, webhook, plugins).
• Functionally healthy — the migrated credential resolves in the live gateway; a real kilo-chat agent turn ran end-to-end (kilo-auto/balanced → 200, tool exec).

Migration smoke 26/26, including no plaintext kilocode key in SQLite auth store.

Tooling fix

build-local-image.sh --openclaw-tag silently built the unchanged pin (its patch sed anchored on -g openclaw@, but the line is -g pnpm openclaw@). Fixed to anchor on openclaw@<version> and fail loudly if the pin isn't rewritten — so upgrade smoke runs can't accidentally test the wrong version.

Gates

format:check, lint, typecheck, controller/worker/web unit tests all clean.