swarm-zap/memory/2026-03-09.md

2026-03-09

• OpenClaw stability check: gateway is currently stable enough to continue skill work after verification of systemd service, hook readiness (5/5), loopback-only gateway bind, and healthy openclaw status --deep / security audit --deep results.
• Applied config hardening to reduce shared-surface risk: agents.defaults.sandbox.mode=non-main, agents.defaults.sandbox.workspaceAccess=none, agents.defaults.sandbox.sessionToolsVisibility=spawned, and tools.fs.workspaceOnly=true.
• Confirmed the earlier Gemini repair for the gateway issue was primarily a runtime hook/dependency repair in ~/.openclaw (large JS symlink layer), not a clean systemd-unit-only fix.
• Moved LiteLLM auth in OpenClaw config from inline env.vars.LITELLM_API_KEY to the existing file-based secret store (secrets.providers.filemain via /models/providers/litellm/apiKey) to improve secret hygiene.
• Remaining bundled skill requirements still missing: blogwatcher, discord (needs channels.discord.token), gog, nano-pdf, obsidian, and summarize.
• Attempt to install missing skill dependencies was blocked by Linuxbrew ownership/permission drift: /home/linuxbrew/.linuxbrew is owned by claw:claw, so brew taps/formulas could not be installed as openclaw.
• Follow-up still needed: regenerate/reinstall the gateway systemd service cleanly after the LiteLLM secret move so the unit file no longer embeds the old LITELLM_API_KEY, then revisit missing bundled skill installs once Linuxbrew permissions are fixed.