feat(kiloclaw): bump openclaw to version 2026.3.7

[kilo-code-bot]

Summary

Bumps openclaw from 2026.3.2 to 2026.3.7 in kiloclaw/Dockerfile.

Verification

• Dockerfile updated: openclaw@2026.3.2 → openclaw@2026.3.7
• Version comparison confirmed: 2026.3.7 > 2026.3.2 (upgrade warranted)

Visual Changes

N/A

Reviewer Notes

⚠️ Potential Deployment Issues

The following changes in this release may require attention before or after deploying:

1. BREAKING — Gateway auth mode now required when both token and password are configured (#35094): If kiloclaw/start-openclaw.sh or the openclaw config sets both gateway.auth.token and gateway.auth.password (including SecretRefs), you must now explicitly set gateway.auth.mode to either token or password. Without this, the gateway will fail to start, pairing will break, and TUI will fail. Check the openclaw config before deploying.

2. Security/Config — Fail closed on config validation errors (#9040): Invalid configs no longer silently fall back to permissive runtime defaults. If the openclaw config has any validation errors, the gateway will now refuse to start rather than starting with defaults. Ensure the config is valid before deploying.

3. Config/invalid-load fail-closed (#28140): INVALID_CONFIG no longer converts to an empty runtime config. Unknown keys or malformed config will now fail closed. This could cause startup failures if the config has any unrecognized fields.

4. Docker/multi-stage build (#38479): openclaw's own upstream Dockerfile has been restructured as a multi-stage build. This does not directly affect our kiloclaw/Dockerfile, but if we ever sync from upstream, be aware of the structural change.

5. Docker/OPENCLAW_EXTENSIONS (#32223): New OPENCLAW_EXTENSIONS build arg allows pre-installing bundled extension npm dependencies into the image. Not a breaking change, but available if we want faster/more reproducible extension startup.

---

Release Notes (v2026.3.7)

Full release notes from openclaw/openclaw v2026.3.7

Changes

• Agents/context engine plugin interface: add ContextEngine plugin slot with full lifecycle hooks (bootstrap, ingest, assemble, compact, afterTurn, prepareSubagentSpawn, onSubagentEnded), slot-based registry with config-driven resolution, LegacyContextEngine wrapper preserving existing compaction behavior, scoped subagent runtime for plugin runtimes via AsyncLocalStorage, and sessions.get gateway method. Enables plugins like lossless-claw to provide alternative context management strategies without modifying core compaction logic. Zero behavior change when no context engine plugin is configured. (#22201) thanks @jalehman.
• ACP/persistent channel bindings: add durable Discord channel and Telegram topic binding storage, routing resolution, and CLI/docs support so ACP thread targets survive restarts and can be managed consistently. (#34873) Thanks @dutifulbob.
• Telegram/ACP topic bindings: accept Telegram Mac Unicode dash option prefixes in /acp spawn, support Telegram topic thread binding (--thread here|auto), route bound-topic follow-ups to ACP sessions, add actionable Telegram approval buttons with prefixed approval-id resolution, and pin successful bind confirmations in-topic. (#36683) Thanks @huntharo.
• Telegram/topic agent routing: support per-topic agentId overrides in forum groups and DM topics so topics can route to dedicated agents with isolated sessions. (#33647; based on #31513) Thanks @kesor and @Sid-Qin.
• Web UI/i18n: add Spanish (es) locale support in the Control UI, including locale detection, lazy loading, and language picker labels across supported locales. (#35038) Thanks @DaoPromociones.
• Onboarding/web search: add provider selection step and full provider list in configure wizard, with SecretRef ref-mode support during onboarding. (#34009) Thanks @kesku and @thewilloftheshadow.
• Tools/Web search: switch Perplexity provider to Search API with structured results plus new language/region/time filters. (#33822) Thanks @kesku.
• Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails. (#35094) Thanks @joshavant.
• Docker/Podman extension dependency baking: add OPENCLAW_EXTENSIONS so container builds can preinstall selected bundled extension npm dependencies into the image for faster and more reproducible startup in container deployments. (#32223) Thanks @sallyom.
• Plugins/before_prompt_build system-context fields: add prependSystemContext and appendSystemContext so static plugin guidance can be placed in system prompt space for provider caching and lower repeated prompt token cost. (#35177) thanks @maweibin.
• Plugins/hook policy: add plugins.entries.<id>.hooks.allowPromptInjection, validate unknown typed hook names at runtime, and preserve legacy before_agent_start model/provider overrides while stripping prompt-mutating fields when prompt injection is disabled. (#36567) thanks @gumadeiras.
• Hooks/Compaction lifecycle: emit session:compact:before and session:compact:after internal events plus plugin compaction callbacks with session/count metadata, so automations can react to compaction runs consistently. (#16788) thanks @vincentkoc.
• Agents/compaction post-context configurability: add agents.defaults.compaction.postCompactionSections so deployments can choose which AGENTS.md sections are re-injected after compaction, while preserving legacy fallback behavior when the documented default pair is configured in any order. (#34556) thanks @efe-arv.
• TTS/OpenAI-compatible endpoints: add messages.tts.openai.baseUrl config support with config-over-env precedence, endpoint-aware directive validation, and OpenAI TTS request routing to the resolved base URL. (#34321) thanks @RealKai42.
• Slack/DM typing feedback: add channels.slack.typingReaction so Socket Mode DMs can show reaction-based processing status even when Slack native assistant typing is unavailable. (#19816) Thanks @dalefrieswthat.
• Discord/allowBots mention gating: add allowBots: "mentions" to only accept bot-authored messages that mention the bot. Thanks @thewilloftheshadow.
• Agents/tool-result truncation: preserve important tail diagnostics by using head+tail truncation for oversized tool results while keeping configurable truncation options. (#20076) thanks @jlwestsr.
• Cron/job snapshot persistence: skip backup during normalization persistence in ensureLoaded so jobs.json.bak keeps the pre-edit snapshot for recovery, while preserving backup creation on explicit user-driven writes. (#35234) Thanks @0xsline.
• CLI: make read-only SecretRef status flows degrade safely (#37023) thanks @joshavant.
• Docker/multi-stage build: restructure Dockerfile as a multi-stage build to produce a minimal runtime image without build tools, source code, or Bun; add OPENCLAW_VARIANT=slim build arg for a bookworm-slim variant. (#38479) Thanks @sallyom.
• Google/Gemini 3.1 Flash-Lite: add first-class google/gemini-3.1-flash-lite-preview support across model-id normalization, default aliases, media-understanding image lookups, Google Gemini CLI forward-compat fallback, and docs.

Breaking

• BREAKING: Gateway auth now requires explicit gateway.auth.mode when both gateway.auth.token and gateway.auth.password are configured (including SecretRefs). Set gateway.auth.mode to token or password before upgrade to avoid startup/pairing/TUI failures. (#35094) Thanks @joshavant.

Fixes

(See full release notes at https://github.com/openclaw/openclaw/releases/tag/v2026.3.7)

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 files)

• kiloclaw/Dockerfile