diff --git a/MEMORY.md b/MEMORY.md
index ea2954e..8580252 100644
--- a/MEMORY.md
+++ b/MEMORY.md
@@ -165,10 +165,8 @@ Two patches must be reapplied to `dist/` files after each OpenClaw update:
 1. **Scope preservation** (`dist/gateway-cli-DbznSfRg.js`): `if (scopes.length > 0)` → `if (scopes.length > 0 && !disableControlUiDeviceAuth)` — prevents `dangerouslyDisableDeviceAuth` from clearing scopes
 2. **Deleted transcript indexing** (`dist/sqlite-C54NeA1C.js`): `.filter((name) => name.endsWith(".jsonl"))` → add `|| name.includes(".jsonl.deleted.")` — makes memory_search find old sessions
 
-### ⚠️ sessions_spawn — Partially Fixed (Feb 22)
-**Scope stripping FIXED:** `oc-scope-watchdog.service` auto-restores `operator.write+read` within 30s of gateway restart.
-
-**Bind issue REMAINS:** Gateway rejects `ws://192.168.1.16:18789` (non-loopback). Subagent spawning from conversation sessions fails with "pairing required" (1008). Cron jobs work (internal). Needs: `wss://` or local tunnel fix.
+### ✅ sessions_spawn — Working (Feb 22)
+Subagent spawning works from conversation sessions. Auth is via `tokens.operator.scopes` in `device-auth.json` + `paired.json` — both have full operator scopes. Gateway bind set to `custom/0.0.0.0` resolved the bind issue. Tested and confirmed working.
 
 ### Network
 - Home lab behind UDM-Pro + Caddy
@@ -814,9 +812,9 @@ Shannon's successful deployment and scan completion demonstrates security toolin
 - Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
 - qbittorrent-vpn: pulled only
 
-### 🔧 sessions_spawn Scope Issue — FIXED (Feb 22)
-- Gateway was stripping `operator.write+read` scopes from device-auth.json on every restart
-- **Fixed via `oc-scope-watchdog.service`** — auto-restores within 30s, runs on boot
+### ✅ sessions_spawn Scope Issue — RESOLVED (Feb 22)
+- sessions_spawn confirmed working. The top-level `scopes` key the watchdog was patching is irrelevant metadata; real auth uses `tokens.operator.scopes` (always intact). Watchdog stopped and disabled — was fighting the gateway for nothing.
+- Gateway bind `custom/0.0.0.0` + correct token scopes = sessions_spawn working from conversation sessions.
 
 ---