diff --git a/memory/2026-03-09.md b/memory/2026-03-09.md new file mode 100644 index 0000000..9e204b5 --- /dev/null +++ b/memory/2026-03-09.md @@ -0,0 +1,9 @@ +# 2026-03-09 + +- OpenClaw stability check: gateway is currently stable enough to continue skill work after verification of systemd service, hook readiness (`5/5`), loopback-only gateway bind, and healthy `openclaw status --deep` / `security audit --deep` results. +- Applied config hardening to reduce shared-surface risk: `agents.defaults.sandbox.mode=non-main`, `agents.defaults.sandbox.workspaceAccess=none`, `agents.defaults.sandbox.sessionToolsVisibility=spawned`, and `tools.fs.workspaceOnly=true`. +- Confirmed the earlier Gemini repair for the gateway issue was primarily a runtime hook/dependency repair in `~/.openclaw` (large JS symlink layer), not a clean systemd-unit-only fix. +- Moved LiteLLM auth in OpenClaw config from inline `env.vars.LITELLM_API_KEY` to the existing file-based secret store (`secrets.providers.filemain` via `/models/providers/litellm/apiKey`) to improve secret hygiene. +- Remaining bundled skill requirements still missing: `blogwatcher`, `discord` (needs `channels.discord.token`), `gog`, `nano-pdf`, `obsidian`, and `summarize`. +- Attempt to install missing skill dependencies was blocked by Linuxbrew ownership/permission drift: `/home/linuxbrew/.linuxbrew` is owned by `claw:claw`, so brew taps/formulas could not be installed as `openclaw`. +- Follow-up still needed: regenerate/reinstall the gateway systemd service cleanly after the LiteLLM secret move so the unit file no longer embeds the old `LITELLM_API_KEY`, then revisit missing bundled skill installs once Linuxbrew permissions are fixed.
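Review bot: The last added bullet (the follow-up item) records that the gateway systemd unit file still embeds the old `LITELLM_API_KEY`, but it does not say whether that key will be rotated. The value was inline in `env.vars.LITELLM_API_KEY` and, per this note, is still present in the unit file, so the move to `secrets.providers.filemain` only improves secret hygiene once the old value is invalidated. Suggest extending the follow-up to include rotating the key and confirming that the regenerated unit no longer carries the variable. Separately, the hardening bullet lists the four new settings (`agents.defaults.sandbox.mode=non-main` and the others) without their previous values; recording what each was changed from would make the entry usable for audit or rollback. The Linuxbrew bullet would also be clearer if it stated which account is meant to own `/home/linuxbrew/.linuxbrew`, since it currently names `claw:claw` as the owner and `openclaw` as the blocked user without saying which is the intended state.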