diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx
index 0717703..3e562c7 100644
--- a/content/docs/changelog.mdx
+++ b/content/docs/changelog.mdx
@@ -8,6 +8,24 @@ Entries are published daily at 23:50 UTC.
 
 ---
 
+## 2026-05-17
+
+### 🔧 Fixes
+
+- **OpenClaw template adapter routing: fresh provisions now serve correctly**: OpenClaw workspace provisions were failing immediately after launch — the adapter had no routing path for the default model, causing every new workspace to be non-functional on first boot. The adapter now coerces an unroutable model to a known-good default, ensuring new OpenClaw workspaces are immediately usable without manual configuration. (`molecule-ai-workspace-template-openclaw` [#18](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/18))
+- **OpenClaw template MiniMax and Kimi-For-Coding API keys routed to correct endpoints**: the OpenClaw adapter was routing all Minimax (`sk-cp-*` keys) and Kimi-For-Coding (`sk-kimi-*` keys) API calls to the wrong endpoints, causing HTTP 401 errors on every chat turn. Minimax calls now route to the Anthropic-compatible gateway; Kimi-For-Coding calls route via Moonshot's Anthropic-compat endpoint, mirroring the existing MiniMax fix. (`molecule-ai-workspace-template-openclaw` [#14](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/14), [#17](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/17))
+- **OpenClaw template now shows molecule platform peers**: OpenClaw workspaces were not returning molecule platform peers in `list_peers` responses — the model was answering via its own native `sessions_list` instead of querying the molecule A2A registry. The adapter now correctly registers the molecule A2A MCP server, so `list_peers` returns platform peers as expected. (`molecule-ai-workspace-template-openclaw` [#16](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/16))
+- **Poll-mode canvas user messages now persist correctly before returning 200**: canvas chat messages sent via workspaces running in poll mode (`runtime=external`) were occasionally lost when the user exited the chat before the agent processed the message. The root cause was a previous assertion that poll-mode workspaces were unaffected by message-persistence issues — in fact, `logA2AReceiveQueued` (which was assumed to persist at ingest) only wrote to the in-memory queue, not to durable storage. The persist call is now correctly placed before the poll-mode short-circuit, ensuring messages are durable before the canvas receives a `200`. (`molecule-core` [#1350](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1350))
+- **Inbox poller self-echo loop fixed**: when a workspace delegates a task to a target that never picks it up, the platform's `report_activity("a2a_receive")` call records the activity with the sender's workspace UUID as `source_id` (per spoof-defense design). The sender's inbox poller was incorrectly processing this as an incoming message from itself — causing an infinite self-echo loop that flooded the inbox. A new `_is_self_echo_row()` predicate now skips `a2a_receive` rows where `source_id == workspace_id`, breaking the loop. (`molecule-core` [#1348](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1348))
+- **Hermes workspace runtime now runs as agent uid 1000, not root**: production Hermes workspaces were returning HTTP 401 on `list_peers` because the runtime was running as root. The `start.sh` now runs `molecule-runtime` as agent uid 1000 (via `gosu agent`), preserving the uid-1000 + `/configs/.auth_token` contract that the platform expects. Previously the runtime was accidentally running as root inside the container, breaking token-based auth. (`molecule-ai-workspace-template-hermes` [#24](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-hermes/pulls/24))
+- **Hermes workspace T4 host-root escalation leg added**: Hermes now gains full parity with the Claude Code template on T4 tier — an additive uid-0 escalation leg provides a wired path to host root inside the privileged container sandbox (`sudo` + `nsenter` + `docker` group membership) while preserving the uid-1000 agent identity and the agent-owned `/configs/.auth_token` contract. The CI `t4-conformance` gate was also hardened: previously it asserted token-file ownership by creating the file itself (a tautology), so it stayed green even if `exec gosu agent` regressed. It now probes the real boot-path exec of `start.sh` under `MOLECULE_SMOKE_MODE=1` to verify that `molecule-runtime` genuinely runs as uid 1000 — fail-closed on regression. (`molecule-ai-workspace-template-hermes` [#26](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-hermes/pulls/26))
+- **OpenClaw T4 host-root escalation leg added**: OpenClaw now gains full parity with the Claude Code template on T4 tier — an additive uid-0 escalation leg provides a wired path to host root inside the privileged container sandbox while preserving the uid-1000 agent identity and the agent-owned `/configs/.auth_token` contract. Also atomically fixes `list_peers` by ensuring the runtime runs as agent uid 1000 (previously ran as root). (`molecule-ai-workspace-template-openclaw` [#19](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/19))
+- **OpenClaw template default model coercion now uses a keyed target**: the OpenClaw adapter's model coercion was finding a routable model but not a keyed one, causing the coercion to fail silently and leave the adapter in a non-functional state. The coercion target must now be both routable AND keyed in the registry. (`molecule-ai-workspace-template-openclaw` [#20](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/20))
+- **Workspace Tokens tab no longer crashes with HTTP 500 when no node is selected**: Settings → Workspace Tokens was returning `500` on both GET (list tokens) and POST (create token) whenever the canvas had no node selected. The canvas was passing the literal sentinel `"global"` as the workspace ID in that state, which the backend interpreted as a UUID column value — Postgres threw `invalid input syntax for type uuid: "global"` → 500. The token handlers now correctly handle the `"global"` sentinel, returning an empty token list for GET and prompting the user to select a workspace for POST. (`molecule-core` [#1415](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1415))
+- **A2A delegation now fails closed on delivery-mode lookup errors instead of silently misrouting**: when a workspace-to-workspace `delegate_task` request arrived with a cancelled request context (e.g. the HTTP connection timed out before the delegation goroutine acquired its own context), `lookupDeliveryMode` returned a context error, which the proxy was silently converting to a `DeliveryModePush` fallback. This caused the poll-mode short-circuit to be skipped — poll-mode workspaces would never receive the `a2a_receive` inbox row, silently losing the delegation. `lookupDeliveryMode` now propagates context errors explicitly; the proxy fails the delegation with HTTP 503 (marking it retryable) instead of silently misrouting it. Other database errors retain the existing fail-open-to-push behavior. (`molecule-core` [#1446](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1446))
+
+---
+
 ## 2026-05-12
 
 ### 🔒 Security