
feat(kiloclaw): bump openclaw to version 2026.3.12 #1082

Open
kilo-code-bot[bot] wants to merge 1 commit into main from bump-openclaw-2026.3.12

Conversation

@kilo-code-bot (Contributor) commented Mar 13, 2026

Summary

Bumps the pinned OpenClaw version in kiloclaw/Dockerfile from 2026.3.8 to 2026.3.12.

Verification

  • Confirmed current Dockerfile version (2026.3.8) is older than the target (2026.3.12), so the bump is warranted.
  • Reviewed release notes for v2026.3.12.

Visual Changes

N/A

Reviewer Notes

The following items from the v2026.3.12 release notes may be relevant to our deployment:

Security fixes (multiple CVEs patched — recommend prompt rollout)

  • GHSA-99qw-6mr3-36qr — Implicit workspace plugin auto-load disabled: Cloned repositories can no longer execute workspace plugin code without an explicit trust decision. Relevant because user workspaces are mounted from Fly Volumes.
  • GHSA-pcqg-f7rg-xfvv — Exec approval Unicode spoofing: Invisible Unicode format characters in approval prompts now render as visible \u{...} escapes, preventing command-spoofing.
  • GHSA-9r3v-37xh-2cf6 — Exec detection Unicode bypass: Normalizes compatibility Unicode and strips invisible code points before obfuscation checks.
  • GHSA-f8r2-vg7x-gh8m — Exec allowlist over-matching: Fixes POSIX case sensitivity and ? path-segment scope so allowlist patterns no longer overmatch.
  • GHSA-r7vr-gr74-94p8 — /config and /debug sender-ownership enforcement: Non-owner authorized senders can no longer access owner-only config/debug surfaces.
  • GHSA-rqpp-rjj8-7wv8 — Gateway shared-token scope elevation: Device-less shared-token operators can no longer self-declare elevated scopes on WebSocket connect.
  • GHSA-vmhq-cqm9-6p7q — Browser profile persistence via browser.request: Blocks persistent browser profile admin routes from write-scoped browser.request.
  • GHSA-2rqg-gjgv-84jm — Agent workspace boundary bypass: Rejects public spawned-run lineage fields so external agent callers cannot override the gateway workspace boundary.
  • GHSA-wcxr-59v9-rxr8 — session_status sandbox visibility: Sandboxed subagents can no longer inspect parent session metadata or write parent model overrides.
  • GHSA-2pwv-x786-56f8 — Device token scope cap: Stale or overbroad tokens are capped to each device's approved scope baseline.
  • GHSA-jv4g-m82p-2j93 / GHSA-xwx2-ppv2-wx98 — WebSocket pre-auth hardening: Shortens unauthenticated handshake retention and rejects oversized pre-auth frames.
  • GHSA-6rph-mmhp-h7h9 — Proxy attachment size cap: Restores the 5 MB media-store size cap for browser proxy files.
  • GHSA-jf5v-pqgw-gm5m — GIT_EXEC_PATH host env leak: Blocks inherited GIT_EXEC_PATH in sanitized host exec environments.
  • GHSA-57jw-9722-6rf2 / GHSA-jvqh-rfmh-jh27 / GHSA-x7pp-23xv-mmr4 / GHSA-jc5j-vg4r-j5jx — Exec approval shell-payload bypass: Fails closed for ambiguous inline loader and shell-payload script execution, and unwraps pnpm/npm exec/npx runners before approval binding.

Device pairing change (note for start-openclaw.sh / gateway config)

  • Short-lived bootstrap tokens for /pair and openclaw qr: Setup codes now use short-lived bootstrap tokens. The next release will stop embedding shared gateway credentials in chat or QR pairing payloads. This is a behaviour change in the pairing flow — worth verifying our start-openclaw.sh pairing configuration is compatible.

Subagent behaviour change

  • sessions_yield: Orchestrators can now end a turn immediately and carry a hidden follow-up payload into the next session turn. No action required, but worth being aware of for debugging agent flows.
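As an added example, not part of this PR or of OpenClaw's own code, the two Unicode hardening items listed above (GHSA-pcqg-f7rg-xfvv and GHSA-9r3v-37xh-2cf6) written out in plain Node.js: invisible format characters are rendered as `\u{...}` escapes for an approval prompt, and command text is NFKC-normalised with invisible code points stripped before a pattern check runs. The `DANGEROUS` pattern list and the sample commands are constructed for illustration and are not OpenClaw's detection logic.

```javascript
// Added example, not OpenClaw's code. Two defensive steps on command text:
//  1. renderVisible(): show invisible Unicode *format* characters
//     (category Cf: zero-width space, word joiner, BOM, soft hyphen, ...)
//     as literal \u{...} escapes, so the prompt shows what will really run.
//  2. normalizeForDetection(): NFKC-normalise compatibility forms (fullwidth,
//     mathematical letters, ...) and strip the same invisible code points
//     before any pattern check, so look-alikes cannot slip past it.

const INVISIBLE = /\p{Cf}/gu; // Unicode general category "Format"

function renderVisible(prompt) {
  return prompt.replace(INVISIBLE, (ch) => {
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return `\\u{${hex}}`;
  });
}

function normalizeForDetection(command) {
  return command.normalize("NFKC").replace(INVISIBLE, "");
}

// Constructed stand-in for an exec gate's pattern list (not OpenClaw's).
const DANGEROUS = [/^rm\s+-rf\b/, /\bcurl\b.*\|\s*sh\b/];

// Apply the check to the canonical form, never to the raw input.
function isFlaggedCommand(command) {
  const canon = normalizeForDetection(command);
  return DANGEROUS.some((re) => re.test(canon));
}

// Constructed samples: each differs from "rm -rf /data" only by characters
// that are invisible or visually identical in a typical prompt.
const SAMPLES = [
  "rm\u200B -rf /data",     // zero-width space inside "rm "
  "\uFF52\uFF4D -rf /data", // fullwidth letters, NFKC -> "rm"
  "rm -rf\u2060 /data",     // word joiner after "-rf"
  "ls -la",                 // benign control
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(renderVisible(s)), "->", isFlaggedCommand(s));
}
```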

@kilo-code-bot (Contributor, Author) commented Mar 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)
  • kiloclaw/Dockerfile

Reviewed by gpt-5.4-20260305 · 52,158 tokens

kilo-code-bot bot force-pushed the bump-openclaw-2026.3.12 branch from eebe987 to 24f0fed on March 14, 2026 00:16