fix(kiloclaw): avoid Control UI pairing on fresh installs #3647

Open
pandemicsyn wants to merge 3 commits into main from fix/kiloclaw-strip-forwarded-headers

fix(kiloclaw): avoid Control UI pairing on fresh installs#3647
pandemicsyn wants to merge 3 commits into
mainfrom
fix/kiloclaw-strip-forwarded-headers

Conversation

@pandemicsyn
Contributor

@pandemicsyn pandemicsyn commented Jun 1, 2026

Summary

  • Upgrade the shipped OpenClaw image and bundled plugin pins from 2026.5.22 to 2026.5.26 so KiloClaw picks up the upstream Control UI gateway-token pairing restoration.
  • Normalize the controller WebSocket proxy boundary before the local OpenClaw hop by stripping every x-forwarded-* header. OpenClaw 5.22+ treats any forwarded proxy metadata as evidence of a remote client, so new Fly/Cloudflare headers could cause fresh Control UI sessions to enter the device pairing flow instead of the local token-backed path in future versions.

Verification

  • Ran the persisted-root OpenClaw upgrade smoke with environment-backed credentials against 2026.5.22 -> 2026.5.26. Both the baseline and upgraded images validated config, served proxied Control UI HTML, loaded the kilo-chat plugin, and completed a live Auto Free agent turn.
=== before-image: kiloclaw:openclaw-upgrade-before ===
PASS: OpenClaw version (got 2026.5.22)
PASS: OpenClaw config validate (got valid)
PASS: gateway status (bearer auth) -> 200 (got 200)
PASS: proxied Control UI HTML (got ready)
PASS: configured live smoke model (got kilocode/kilo-auto/free)
PASS: kilo-chat config patched (got ok)
PASS: kilo-chat plugin inspect (got loaded)
PASS: kilo-chat webhook unknown event -> 400 (got 400)
PASS: kilo-chat webhook error body (got Unknown webhook type)
PASS: live Auto Free agent turn (got nonce returned)

=== after-image persisted-root: kiloclaw:openclaw-upgrade-after ===
PASS: OpenClaw version (got 2026.5.26)
PASS: OpenClaw config validate (got valid)
PASS: gateway status (bearer auth) -> 200 (got 200)
PASS: proxied Control UI HTML (got ready)
PASS: configured live smoke model (got kilocode/kilo-auto/free)
PASS: kilo-chat config patched (got ok)
PASS: kilo-chat plugin inspect (got loaded)
PASS: kilo-chat webhook unknown event -> 400 (got 400)
PASS: kilo-chat webhook error body (got Unknown webhook type)
PASS: live Auto Free agent turn (got nonce returned)

=== Results: 22 passed, 0 failed ===
  • Add any additional manual verification details here.

Visual Changes

N/A

Reviewer Notes

  • The important behavior change is in the controller WebSocket upgrade path: it now removes all x-forwarded-* headers before forwarding to the loopback OpenClaw gateway.
  • OpenClaw 2026.5.26 restores Control UI gateway-token pairing behavior, but that path still depends on the request being treated as local, so the header normalization remains necessary for Fly/Cloudflare traffic.
  • No dangerous device-auth bypass flags were added. The smoke run still reports the pre-existing kilo-chat channelConfigs cosmetic warning, but it does not affect the upgrade result.
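The header normalization described in the summary and reviewer notes above, as an added example that is not the KiloClaw controller's proxy.ts: a predicate for proxy-origin metadata (every x-forwarded-* header plus x-real-ip and RFC 7239 forwarded, the three sets the PR names), a stripping routine that snapshots Object.keys() before deleting in the loop, and a small model of a loopback gateway that, like the behaviour attributed to OpenClaw 5.22+, treats any surviving forwarded metadata as evidence of a remote client. The gateway model and the sample upgrade headers are constructed for illustration and are assumptions, not OpenClaw's code or a captured request.

```typescript
// Added example (not code from the KiloClaw repository).
// Headers as Node's http layer hands them to an 'upgrade' handler: names
// lower-cased, values string or string[] (for repeated headers).
type HeaderMap = Record<string, string | string[] | undefined>;

// Proxy-origin metadata the PR strips before the loopback hop.
const EXACT_STRIP = new Set(["x-real-ip", "forwarded"]); // RFC 7239 'forwarded'
const PREFIX_STRIP = "x-forwarded-";                      // x-forwarded-for/proto/port/ssl/host/...

function isProxyMetadata(name: string): boolean {
  // Lower-case defensively: Node already does this, a hand-built object may not.
  const n = name.toLowerCase();
  return EXACT_STRIP.has(n) || n.startsWith(PREFIX_STRIP);
}

// Returns a copy with the metadata removed plus the (sorted) list of what was
// dropped, so the caller can log the boundary normalization if it wants to.
function stripProxyMetadata(headers: HeaderMap): { headers: HeaderMap; removed: string[] } {
  const out: HeaderMap = { ...headers };
  const removed: string[] = [];
  // Object.keys() returns an array snapshot, so deleting from `out` inside the
  // loop cannot disturb the iteration.
  for (const key of Object.keys(out)) {
    if (isProxyMetadata(key)) {
      delete out[key];
      removed.push(key);
    }
  }
  return { headers: out, removed: removed.sort() };
}

// Assumed model of the gateway-side decision (not OpenClaw's implementation):
// a client is "local" only if the TCP peer is loopback AND no proxy metadata
// says the request was relayed on behalf of someone else.
function looksLocalToGateway(headers: HeaderMap, peerAddress: string): boolean {
  const loopback = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]).has(peerAddress);
  if (!loopback) return false;
  return !Object.keys(headers).some(isProxyMetadata);
}

// Constructed sample: a Control UI WebSocket upgrade as it might arrive after
// passing through an edge proxy and a platform router (values are RFC 5737
// documentation addresses, not real traffic).
const SAMPLE_UPGRADE_HEADERS: HeaderMap = {
  host: "claw.example.invalid",
  connection: "Upgrade",
  upgrade: "websocket",
  "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
  "sec-websocket-version": "13",
  "x-forwarded-for": "203.0.113.7",
  "x-forwarded-proto": "https",
  "x-forwarded-port": "443",
  "x-forwarded-ssl": "on",
  "x-real-ip": "203.0.113.7",
  forwarded: "for=203.0.113.7;proto=https",
};

// Before normalization the loopback gateway would classify this as remote
// (and fall into device pairing); after normalization it is local again.
const normalized = stripProxyMetadata(SAMPLE_UPGRADE_HEADERS);
console.log("removed:", normalized.removed.join(", "));
console.log("local before strip:", looksLocalToGateway(SAMPLE_UPGRADE_HEADERS, "127.0.0.1"));
console.log("local after strip: ", looksLocalToGateway(normalized.headers, "127.0.0.1"));
```

The prefix match is deliberately broader than the four x-forwarded-* names the tests in the PR assert on: a new platform header in that family should be dropped without a code change, which is the point of the reviewer note about future Fly/Cloudflare headers. The WebSocket handshake headers (upgrade, connection, sec-websocket-*) pass through untouched, since the gateway still needs them to complete the upgrade.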

@kilo-code-bot
Contributor

kilo-code-bot Bot commented Jun 1, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Incremental review of the single changed file confirms the deployHint correction from redeploy_suggested to upgrade_required is correct and uses a valid union member; all previously reviewed files are unchanged and continue to pass.

Files Reviewed (9 files)
  • apps/web/src/app/(app)/claw/components/changelog-data.ts — deployHint for 2026-06-01 entry corrected to upgrade_required (valid union member; appropriate since the OpenClaw binary version itself is bumped, requiring an image rebuild/upgrade rather than a simple redeploy)
  • services/kiloclaw/controller/src/proxy.ts — header-stripping loop is correct; Object.keys() snapshot is safe for in-loop deletion; x-real-ip and forwarded (RFC 7239) still stripped explicitly before the loop (unchanged)
  • services/kiloclaw/controller/src/proxy.test.ts — two new assertions added for x-forwarded-port and x-forwarded-ssl; test input updated to include both headers (unchanged)
  • services/kiloclaw/Dockerfile — openclaw@2026.5.26, comment/cache-bust counter bumped correctly (unchanged)
  • services/kiloclaw/plugins/kilo-chat/package.json — peer + dev dep bumped to 2026.5.26 (unchanged)
  • services/kiloclaw/plugins/kiloclaw-morning-briefing/package.json — same (unchanged)
  • services/kiloclaw/e2e/docker-image-testing.md — version comment updated (unchanged)
  • pnpm-lock.yaml — lockfile updated consistently with package.json changes (unchanged)

Reviewed by claude-sonnet-4.6 · 239,524 tokens

Review guidance: REVIEW.md from base branch main
