chore(memory): update boot last run and startup health data

memory/2026-03-08.md

@@ -0,0 +1,8 @@
+## OpenClaw maintenance
+
+- Ran `openclaw doctor` triage and fixed the gateway service issue by reinstalling the gateway service; this cleared the outdated entrypoint and embedded service token warnings.
+- Replaced Telegram `channels.telegram.groups["*"]` with explicit numeric group IDs to clear the wildcard membership-probing warning. Current explicit Telegram group IDs in config: `-1003673132186`, `-5137521925`, `-5138922002`, `-5175865898`.
+- Telegram config-side security warnings are now clean; the remaining Telegram doctor warning is only BotFather privacy mode (`/setprivacy -> Disable`) if unmentioned group messages should reach the bot.
+- Installed local CLI deps to improve bundled skill readiness: `ffmpeg`, `gh`, `yt-dlp`, `sox`, and a local `fd` shim at `~/.local/bin/fd -> /usr/bin/fdfind`.
+- Narrowed `skills.allowBundled` so doctor tracks only relevant bundled skills on this Linux host. After the allowlist change, remaining tracked missing skills are: `blogwatcher`, `discord`, `gog`, `nano-pdf`, `obsidian`, and `summarize`.
+- Confirmed there is already a whisper service running on the LAN, so `whisper-local-safe` is the preferred transcription path here; no need to prioritize extra Whisper/OpenAI transcription skills right now.

memory/boot-last-run.json

@@ -1,4 +1,4 @@
 {
-  "last_run_utc": "2026-03-09T03:32:32Z",
-  "status": "ok"
+  "last_run_utc": "2026-03-09T17:31:00Z",
+  "status": "warn"
 }

memory/startup-health.json

@@ -1,29 +1,25 @@
 {
-  "last_run_utc": "2026-03-09T03:32:32Z",
-  "status": "ok",
+  "last_run_utc": "2026-03-09T17:31:00Z",
+  "status": "warn",
   "checks_passed": [
-    "core workspace files present",
-    "required local skill folders present",
-    "task state exists (memory/tasks.json)",
-    "hook ready: session-memory",
-    "hook ready: command-logger",
-    "hook ready: boot-md",
-    "~/.openclaw permissions are 700",
-    "credential file permissions are 600",
-    "gateway bind is local-only",
-    "service reachable: openclaw-gateway",
-    "service reachable: whisper-server",
-    "service reachable: brave-search-mcp",
-    "service reachable: searxng",
-    "service reachable: minio",
-    "backup signal fresh (<8h)",
-    "security audit --deep refreshed (<24h)",
-    "update status read: up-to-date"
+    "workspace_files_present",
+    "required_skill_folders_present",
+    "tasks_state_present",
+    "required_hooks_ready",
+    "permissions_ok_home_and_credentials",
+    "gateway_local_only_listener",
+    "expected_service_posture_ok",
+    "backup_signal_fresh_within_8h",
+    "security_audit_fresh_within_24h",
+    "update_status_checked"
   ],
   "checks_failed": [],
-  "warnings": [],
+  "warnings": [
+    "security_audit_warn: security.trust_model.multi_user_heuristic",
+    "update_available: npm 2026.3.8"
+  ],
   "gateway_exposure": "local-only",
-  "last_backup_age_hours": 3.26,
+  "last_backup_age_hours": 5.44,
   "last_security_audit_age_hours": 0.0,
-  "update_status": "up-to-date (2026.3.7)"
+  "update_status": "available (npm 2026.3.8)"
 }

memory/startup-health.md

@@ -9,3 +9,5 @@
 [2026-03-05T21:42:00Z] RESOLVED security-audit-findings: `openclaw security audit --deep` now reports 0 critical, 0 warn, 1 info.
 [2026-03-09T00:16:00 UTC] WARN security-audit-freshness: latest deep audit is ~74.56h old; run `openclaw security audit --deep`.
 [2026-03-09T00:16:00 UTC] WARN expected-service-posture: ports 18801/18802/18803 unreachable on localhost; verify containers are running or bound on expected LAN IPs.
+2026-03-09T17:43:56Z | warning | security.trust_model.multi_user_heuristic | Review trust boundary; if multi-user, set agents.defaults.sandbox.mode=all and restrict runtime/fs tools.
+2026-03-09T17:43:56Z | warning | update_available | Update available (npm 2026.3.8); run 'openclaw update' when approved.