Summary

• Bumps OpenClaw from 2026.5.26 to 2026.6.1 in services/kiloclaw/Dockerfile.
• Updates the bundled plugin stage-root comment to reference the new version.
• Increments the build cache bust counter (v69 → v70) to invalidate COPY layers.

The existing Dockerfile patches are retained unchanged:

• KiloCode model discovery timeout (DISCOVERY_TIMEOUT_MS 5e3 → 60e3): Still required; no configurable override surfaced in this release.
• actionRequiresTarget null-safety patch (MESSAGE_ACTION_TARGET_MODE[action] !== "none" → nullish coalesce): Still required; the channel-target fix is not listed as upstreamed in these release notes.

Note: At the time of this PR, v2026.6.1 does not yet appear as a stable GitHub release or on npm (latest stable is 2026.5.28; latest pre-release is 2026.6.1-beta.3). Release notes below are sourced from v2026.6.1-beta.3 as the closest available signal for what the final release will contain.

Potential deployment concerns from release notes

The following changes in this release warrant attention for our deployment:

1. Plugin install index moved to SQLite

"Plugins: persist the plugin install index in SQLite so installed package lookup survives reloads with less filesystem scanning."

Our bundled plugin deps are baked into OPENCLAW_PLUGIN_STAGE_DIR at image build time via resolveExternalBundledRuntimeDepsInstallRoot(). If OpenClaw now uses a SQLite-backed install index to locate those deps, the path resolution logic for the stage dir must still be compatible with the baked layout. The stage-root comment in the Dockerfile is updated to reference 2026.6.1. If the smoke test's openclaw doctor / plugin load phase fails on first boot, this is the first place to investigate.

2. Doctor JSON probe changes

"Doctor: add disk space health checks and stabilize post-upgrade JSON probes."

The controller's bootstrap relies on openclaw doctor output to detect healthy startup. Changes to doctor JSON output format could break our structured parsing. Verify doctor output in the smoke test.

3. channel-target-*.js nullish coalesce patch guard
Our existing patch (MESSAGE_ACTION_TARGET_MODE[action] !== "none" → (MESSAGE_ACTION_TARGET_MODE[action] ?? "none") !== "none") uses a strict string match. If the minified output format changed in this release, the sed guard in the Dockerfile will catch it (exits non-zero if the original pattern is not found) and the image build will fail. This is working-as-intended safety, but monitor the CI build.

4. Memory subsystem changes

"Memory: serialize QMD update/embed writes per store, reduce Linux watcher fan-out, retry transient FileProvider-backed reads, preserve phase signals on read errors, harden envelope metadata sanitization, reattach Linux native watchers when directories are recreated..."

Significant changes to the memory/vector subsystem on Linux. Our machines use Fly Volumes mounted at /root/.openclaw — the Linux watcher fan-out reduction and native watcher reattachment on directory recreation are directly relevant to our persistent-volume deployment model. Verify that memory/search state is intact after a persisted-root restart in smoke testing.

5. Gateway static asset serving change

"Control UI: serve static assets asynchronously after safe-open checks so large UI files do not block Gateway request handling."

This changes the gateway's static-file serving path to be async. Our controller health-check probes the gateway's Control UI HTML. Ensure readiness detection in the controller still works correctly after this change.

Verification

• Build the candidate image: docker buildx build --build-context workspace=../.. --load -t kiloclaw:test .
• Run controller smoke test: bash services/kiloclaw/scripts/controller-openclaw-upgrade-smoke-test.sh
• Confirm installed OpenClaw version before/after, openclaw doctor output, and plugin load in smoke output.

Visual Changes

N/A

Reviewer Notes

• v2026.6.1 is not yet published as a stable release at the time of this PR (only v2026.6.1-beta.3 exists). The Dockerfile pin will cause npm install -g openclaw@2026.6.1 to fail until the stable release is published. Merge only once the stable release is live on npm.
• Both existing Dockerfile patches (timeout and channel-target null-safety) have strict guards that will cause an image build failure if the patched expressions change in the new version — this is intentional and will surface immediately in CI.