chore(workspace): install all 4 bundled hooks + model default update

- Installed hooks: boot-md, session-memory, command-logger, bootstrap-extra-files
- Updated default model to litellm/copilot-claude-sonnet-4.6
- Added memory/startup-health.json + boot-last-run.json from boot check
- Added memory/startup-health.md warning log
- Captured new session memory files (2026-03-04/05)
- Minor MEMORY.md + USER.md: added git preference line

memory/2026-03-04-git-workflow.md

@@ -0,0 +1,249 @@
+# Session: 2026-03-04 23:30:26 UTC
+
+- **Session Key**: agent:main:main
+- **Session ID**: 8e27dc5c-a962-4c29-b6be-2973dafd8c65
+- **Source**: gateway:sessions.reset
+
+## Conversation Summary
+
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:14 UTC] Also, we want to merge rebase, add this to the instructions
+assistant: [[reply_to_current]] Done — added ✅
+
+I updated the instructions to enforce:
+
+- **Rebase-first workflow** (`git pull --rebase`)
+- **Rebase onto latest `origin/main` before push/PR**
+- **Preferred PR merge mode: Rebase and merge**
+- Avoid merge commits unless explicitly needed
+
+Updated files:
+- `AGENTS.md`
+- `scripts/openclaw-upstream-workflow.md`
+
+Committed on workspace branch:
+- `b36ab89`
+- `docs(workflow): require rebase-first + rebase-and-merge policy`
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:18 UTC] Also, when we rebase we need to delete the feature/fix branch...
+assistant: [[reply_to_current]] Agreed — added ✅
+
+I updated the instructions to require branch cleanup after rebase-merge:
+
+- **`AGENTS.md`**: policy now says feature/fix branches are temporary and must be deleted after merge.
+- **`scripts/openclaw-upstream-workflow.md`**: added a **Post-merge branch cleanup (required)** section with commands for:
+  - updating `main`
+  - deleting remote branch
+  - deleting local branch
+  - safe note about `-D` only when needed
+
+Committed as:
+- `49f9c0c`
+- `docs(workflow): require branch deletion after rebase-merge`
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:21 UTC] Check updates for OpenClaw git upstream
+assistant: [[reply_to_current]] Checked.
+
+- **OpenClaw runtime update status:** stable channel, latest is **2026.3.2** (no update available via `openclaw update status`).
+- **Git upstream (`external/openclaw-upstream`)**:
+  - `main` is **fully up to date** with `origin/main` (`ahead/behind: 0/0`).
+  - Your working branch `fix/tui-hide-internal-runtime-context` is **1 commit ahead** of `origin/main` (the TUI fix commit), as expected.
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:23 UTC] Let's make sure we fetch upstream before implementing, that make sense?
+assistant: [[reply_to_current]] Yep — 100% makes sense. That should be the default habit.
+
+I’ve already baked that into the workflow docs (`git fetch --all --prune` + update `main` before branch work), but we can make it even stricter:
+
+- **Rule:** no code changes until fetch+sync succeeds.
+- **Preflight command block:**
+  - `git fetch --all --prune`
+  - `git checkout main`
+  - `git pull --rebase`
+  - verify clean state, then branch.
+
+If you want, I’ll add a tiny `scripts/openclaw-upstream-preflight.sh` that enforces this automatically.
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:24 UTC] Sure
+user: You are running a boot check. Follow BOOT.md instructions exactly.
+
+BOOT.md:
+# BOOT.md
+
+On gateway startup, run a silent security + readiness check for this workspace.
+
+## Startup checklist
+
+1. Confirm core workspace files exist:
+   - `AGENTS.md`, `SOUL.md`, `USER.md`, `TOOLS.md`, `HEARTBEAT.md`
+2. Confirm required local skill folders exist:
+   - `skills/searxng-local-search`
+   - `skills/telegram-ops`
+   - `skills/homelab-service-health`
+   - `skills/task-capture-and-followup`
+   - `skills/daily-brief`
+   - `skills/calendar-sentinel`
+   - `skills/inbox-triage`
+3. Ensure task state exists:
+   - `memory/tasks.json` (create `[]` if missing)
+
+## Security checks
+
+4. Check internal hooks enabled state:
+   - `session-memory`
+   - `command-logger`
+   - `bootstrap-extra-files`
+   - `boot-md`
+   - if any are disabled/missing, record warning with exact hook name
+5. Check permissions:
+   - `~/.openclaw` should be `700`
+   - credential files under `~/.openclaw/credentials/` should be `600`
+   - if drift is found, log it as warning; do not auto-fix unless explicitly requested later
+6. Check network exposure:
+   - verify gateway is not unexpectedly exposed on `0.0.0.0`
+   - capture a compact listener snapshot for OpenClaw-related ports
+7. Check expected-service posture:
+   - expected local services should be present/reachable (OpenClaw runtime + documented core services)
+   - flag unexpected listeners only when confidence is high
+8. Check backup signal freshness:
+   - verify `memory/minio-backup.log` contains `Backup complete:` within last 8 hours
+9. Check security-audit freshness:
+   - verify a recent `openclaw security audit --deep` result exists (target: within 24 hours)
+   - if stale/missing, record reminder (warning level)
+10. Check update status:
+   - run/read `openclaw update status`
+   - record whether update is available
+
+## State recording
+
+11. Write/update machine-readable status file: `memory/startup-health.json` with:
+    - `last_run_utc`
+    - `status` (`ok|warn|critical`)
+    - `checks_passed` (array)
+    - `checks_failed` (array)
+    - `warnings` (array)
+    - `gateway_exposure` (e.g., `local-only|public|unknown`)
+    - `last_backup_age_hours`
+    - `last_security_audit_age_hours`
+    - `update_status` (short text)
+12. Write/update `memory/boot-last-run.json` with UTC timestamp + overall status.
+
+## Notification policy
+
+13. Stay silent when status is `ok` or non-actionable `warn`.
+14. Send one short proactive alert only for **critical** conditions:
+    - credential permission drift on sensitive files,
+    - unexpected public exposure of gateway,
+    - backup signal stale/missing beyond threshold,
+    - missing critical workspace files preventing normal operation.
+
+## Critical issue logging
+
+If any warning/critical issue is found, append a concise line to `memory/startup-health.md` with UTC timestamp, failing check, and suggested fix.
+
+If BOOT.md asks you to send a message, use the message tool (action=send with channel + target).
+Use the `target` field (not `to`) for message tool destinations.
+After sending with the message tool, reply with ONLY: NO_REPLY.
+If nothing needs attention, reply with ONLY: NO_REPLY.
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:25 UTC] done?
+assistant: [[reply_to_current]] Almost.
+
+- ✅ **Done:** instructions now explicitly require fetch/sync before coding.
+- ❌ **Not done yet:** I haven’t added the optional auto-enforcing preflight script.
+
+If you want, I can add that script now in one quick commit.
+user: Sender (untrusted metadata):
+```json
+{
+  "label": "openclaw-tui (gateway-client)",
+  "id": "gateway-client",
+  "name": "openclaw-tui",
+  "username": "openclaw-tui"
+}
+```
+
+[Wed 2026-03-04 23:27 UTC] Finish the script and commit
+assistant: NO_REPLY
+assistant: [[reply_to_current]] Done — finished and committed.
+
+### ✅ Added script
+- `scripts/openclaw-upstream-preflight.sh`
+
+What it does:
+- Verifies `external/openclaw-upstream` exists
+- Runs:
+  - `git fetch --all --prune`
+  - `git checkout main`
+  - `git pull --rebase`
+- Refuses to proceed if `main` isn’t clean
+- Optional branch arg:
+  - creates branch if missing
+  - or switches + rebases existing branch onto `origin/main`
+
+Usage:
+```bash
+scripts/openclaw-upstream-preflight.sh
+scripts/openclaw-upstream-preflight.sh fix/my-change
+```
+
+### ✅ Docs wired
+- `AGENTS.md`
+- `scripts/openclaw-upstream-workflow.md`
+
+### ✅ Commit
+- `d31bb80`
+- `chore(workflow): add upstream preflight sync script`