From bf202cd6e33b2a77986d4a12a01c3d14d59ce5e1 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sat, 7 Mar 2026 09:42:43 -0800
Subject: [PATCH] Changelog: note gateway auth hardening

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0180b4fa219..32777b95065 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -742,6 +742,7 @@ Docs: https://docs.openclaw.ai
 - Onboarding/Custom providers: use Azure OpenAI-specific verification auth/payload shape (`api-key`, deployment-path chat completions payload) when probing Azure endpoints so valid Azure custom-provider setup no longer fails preflight. (#29421) Thanks @kunalk16.
 - Feishu/Docx editing tools: add `feishu_doc` positional insert, table row/column operations, table-cell merge, and color-text updates; switch markdown write/append/insert to Descendant API insertion with large-document batching; and harden image uploads for data URI/base64/local-path inputs with strict validation and routing-safe upload metadata. (#29411) Thanks @Elarwei001.
 - Commands/Owner-only tools: treat identified direct-chat senders as owners when no owner allowlist is configured, while preserving internal `operator.admin` owner sessions. (#26331) thanks @widingmarcus-cyber
+- Gateway/Auth hardening: add bounded `GatewayClient` request timeouts, support optional `OPENCLAW_PASSPHRASE` sealing for OpenClaw-owned auth stores (`auth-profiles.json` and legacy `oauth.json`), and re-assert `0600` permissions after mirrored transcript writes. Thanks @alamine42 and @vincentkoc.
 
 ## 2026.2.26