diff --git a/MEMORY.md b/MEMORY.md
index 7f637fd..d37e4ac 100644
--- a/MEMORY.md
+++ b/MEMORY.md
@@ -165,10 +165,13 @@ Two patches must be reapplied to `dist/` files after each OpenClaw update:
 1. **Scope preservation** (`dist/gateway-cli-DbznSfRg.js`): `if (scopes.length > 0)` → `if (scopes.length > 0 && !disableControlUiDeviceAuth)` — prevents `dangerouslyDisableDeviceAuth` from clearing scopes
 2. **Deleted transcript indexing** (`dist/sqlite-C54NeA1C.js`): `.filter((name) => name.endsWith(".jsonl"))` → add `|| name.includes(".jsonl.deleted.")` — makes memory_search find old sessions
 
-### ⚠️ sessions_spawn Scope Issue (every restart)
-`operator.write+read` scopes are stripped from device-auth.json on EVERY gateway restart (not just OC updates).
-**Fix each time:** patch 3 files: `~/.openclaw/identity/device-auth.json`, `devices/paired.json`, `devices/pending.json` → set `"scopes": ["operator.write", "operator.read"]`, then restart gateway.
-**TODO:** automate as a post-start hook so this stops being manual.
+### ✅ sessions_spawn Scope Issue — AUTOMATED (Feb 22)
+`operator.write+read` scopes were stripped from device-auth.json on every gateway restart.
+**Fixed:** `oc-scope-watchdog.service` runs continuously, restores scopes within 30s of any restart.
+- Service: `systemctl --user status oc-scope-watchdog`
+- Script: `~/clawd/scripts/scope-watchdog.py`
+- Enabled on boot via `default.target.wants/`
+No manual intervention needed anymore.
 
 ### Network
 - Home lab behind UDM-Pro + Caddy
@@ -808,11 +811,9 @@ Shannon's successful deployment and scan completion demonstrates security toolin
 - Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
 - qbittorrent-vpn: pulled only
 
-### 🔧 sessions_spawn Scope Issue (ongoing)
-- Every OpenClaw gateway restart strips `operator.write+read` scopes from device-auth.json
-- Fix: patch `/home/johan/.openclaw/identity/device-auth.json` + `devices/paired.json` + `devices/pending.json` after EVERY restart
-- This is not just post-update — it happens on every gateway restart
-- **TODO:** automate scope restoration as a post-start hook
+### 🔧 sessions_spawn Scope Issue — FIXED (Feb 22)
+- Gateway was stripping `operator.write+read` scopes from device-auth.json on every restart
+- **Fixed via `oc-scope-watchdog.service`** — auto-restores within 30s, runs on boot
 
 ---