feat(kiloclaw): bump openclaw to version 2026.6.1

[kilo-code-bot]

Summary

Bumps the packaged OpenClaw version in the KiloClaw image from 2026.5.26 to 2026.6.1.

This applies every release across the span, not just the newest, so the assessment below covers 2026.5.27, 2026.5.28, and 2026.6.1 cumulatively.

Touchpoints updated per the KiloClaw OpenClaw upgrade skill:

• services/kiloclaw/Dockerfile: global install pin, bundled runtime comment, and the COPY cache bust marker.
• services/kiloclaw/plugins/kilo-chat/package.json: OpenClaw peer and dev dependency.
• services/kiloclaw/plugins/kiloclaw-morning-briefing/package.json: OpenClaw peer and dev dependency.
• pnpm-lock.yaml: regenerated so the resolved plugin graph matches the new pin.
• services/kiloclaw/e2e/docker-image-testing.md: expected openclaw --version output.
• apps/web/src/app/(app)/claw/components/changelog-data.ts: user facing release note.

The pnpm-workspace.yaml release age policy already excludes openclaw, so no policy change was needed. The Dockerfile minified bundle patch guards (KiloCode discovery timeout and channel target) were left untouched, since loosening them blindly is not allowed; the candidate image build in CI exercises them.

Upgrade assessment

Span: 3 releases over 6 days, from 2026.5.26 to 2026.6.1.

Scores:

• Breaking changes: Medium
• Security: Medium
• Deployment: Medium
• Behavior: Medium
• Span: Medium

Recommendation: Review carefully

Rationale: No release in the span documents a removal of a CLI flag, config key, or invocation path that the controller relies on (onboard non interactive, gateway allow unconfigured loopback bind). The risk that warrants attention is concentrated in areas this image touches: the bundled runtime dependency install path that the Dockerfile keys off resolveExternalBundledRuntimeDepsInstallRoot, several channel and runtime refactors, stricter CLI numeric option parsing, and a shift of more state to SQLite backing. 2026.5.27 also carries a broad batch of security and content boundary hardening. None of this is High on its own, but the cumulative blast radius across a multi release jump, combined with the minified bundle patch guards that could move between releases, is enough to ask for a careful review and the live persisted root smoke before rollout.

Verification

Live persisted root upgrade smoke is pending for the engineer. It needs Docker and a live credential and is always reported as pending here. Run bash services/kiloclaw/scripts/controller-openclaw-upgrade-smoke-test.sh from this committed branch before rollout, and confirm the candidate image build still satisfies the Dockerfile bundle patch guards.

Checks summary: lockfile regenerated, pin check passed; typecheck, lint, format, and tests deferred to CI; live smoke pending for the engineer.

Visual Changes

N/A

Reviewer Notes

Risk areas: the Dockerfile minified bundle patch guards (KiloCode model discovery timeout and channel target rewrite) can break if upstream changed those bundles between 2026.5.26 and 2026.6.1; the candidate image build validates this. The bundled plugin runtime dependency staging keys off OpenClaw internals, so confirm first boot startup through the controller doctor path in the live smoke. State moving to SQLite backing in this span is worth a glance for any persisted root migration behavior.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

All issues from the previous review have been resolved in the follow-up commit (b1ec5c2ff): plugin package.json peer/dev pins are aligned to 2026.6.1, the docker-image-testing.md verify step reflects the correct version, and a changelog entry has been added.

Previous Issues — All Resolved

File	Previous Issue	Status
services/kiloclaw/plugins/kilo-chat/package.json	peerDependencies and devDependencies pinned openclaw@2026.5.26	✅ Fixed — bumped to 2026.6.1
services/kiloclaw/plugins/kiloclaw-morning-briefing/package.json	Same stale pin	✅ Fixed — bumped to 2026.6.1
services/kiloclaw/e2e/docker-image-testing.md	Verify step comment showed 2026.5.26	✅ Fixed — updated to 2026.6.1
apps/web/src/app/(app)/claw/components/changelog-data.ts	Missing changelog entry for 2026.6.1	✅ Fixed — entry added with deployHint: 'upgrade_required'

The Dockerfile guard asymmetry observation (patch verification without a positive assertion) noted in the previous review is a pre-existing pattern not introduced or worsened by this PR and remains out-of-diff.

Files Reviewed (6 files)

• apps/web/src/app/(app)/claw/components/changelog-data.ts — changelog entry added ✅
• services/kiloclaw/Dockerfile — cache-bust comment date updated, no issues
• services/kiloclaw/e2e/docker-image-testing.md — version comment corrected ✅
• services/kiloclaw/plugins/kilo-chat/package.json — pins updated to 2026.6.1 ✅
• services/kiloclaw/plugins/kiloclaw-morning-briefing/package.json — pins updated to 2026.6.1 ✅
• pnpm-lock.yaml — lockfile regenerated (generated file, not reviewed line-by-line)

---

_{Reviewed by claude-4.6-sonnet-20260217 · 298,615 tokens}

_{Review guidance: REVIEW.md from base branch main}