fix(gateway): land #28428 from @l0cka

Landed from contributor PR #28428 by @l0cka.

Co-authored-by: Daniel Alkurdi <danielalkurdi@gmail.com>

src/commands/doctor-gateway-services.ts

@@ -3,7 +3,7 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { promisify } from "node:util";
-import type { OpenClawConfig } from "../config/config.js";
+import { writeConfigFile, type OpenClawConfig } from "../config/config.js";
 import { resolveGatewayPort, resolveIsNixMode } from "../config/paths.js";
 import { resolveSecretInputRef } from "../config/types.secrets.js";
 import {
@@ -25,7 +25,6 @@ import { buildGatewayInstallPlan } from "./daemon-install-helpers.js";
 import { DEFAULT_GATEWAY_DAEMON_RUNTIME, type GatewayDaemonRuntime } from "./daemon-runtime.js";
 import { resolveGatewayAuthTokenForService } from "./doctor-gateway-auth-token.js";
 import type { DoctorOptions, DoctorPrompter } from "./doctor-prompter.js";
-import { resolveGatewayInstallToken } from "./gateway-install-token.js";
 
 const execFileAsync = promisify(execFile);
 
@@ -259,24 +258,9 @@ export async function maybeRepairGatewayServiceConfig(
 
   const port = resolveGatewayPort(cfg, process.env);
   const runtimeChoice = detectGatewayRuntime(command.programArguments);
-  const installTokenResolution = await resolveGatewayInstallToken({
-    config: cfg,
-    env: process.env,
-  });
-  for (const warning of installTokenResolution.warnings) {
-    note(warning, "Gateway service config");
-  }
-  if (installTokenResolution.unavailableReason) {
-    note(
-      `Unable to verify gateway service token drift: ${installTokenResolution.unavailableReason}`,
-      "Gateway service config",
-    );
-    return;
-  }
-  const { programArguments, workingDirectory, environment } = await buildGatewayInstallPlan({
+  const { programArguments } = await buildGatewayInstallPlan({
     env: process.env,
     port,
-    token: installTokenResolution.token,
     runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
     nodePath: systemNodePath ?? undefined,
     warn: (message, title) => note(message, title),
@@ -332,13 +316,56 @@ export async function maybeRepairGatewayServiceConfig(
   if (!repair) {
     return;
   }
+  const serviceEmbeddedToken = command.environment?.OPENCLAW_GATEWAY_TOKEN?.trim() || undefined;
+  const gatewayTokenForRepair = expectedGatewayToken ?? serviceEmbeddedToken;
+  const configuredGatewayToken =
+    typeof cfg.gateway?.auth?.token === "string"
+      ? cfg.gateway.auth.token.trim() || undefined
+      : undefined;
+  let cfgForServiceInstall = cfg;
+  if (!tokenRefConfigured && !configuredGatewayToken && gatewayTokenForRepair) {
+    const nextCfg: OpenClawConfig = {
+      ...cfg,
+      gateway: {
+        ...cfg.gateway,
+        auth: {
+          ...cfg.gateway?.auth,
+          mode: cfg.gateway?.auth?.mode ?? "token",
+          token: gatewayTokenForRepair,
+        },
+      },
+    };
+    try {
+      await writeConfigFile(nextCfg);
+      cfgForServiceInstall = nextCfg;
+      note(
+        expectedGatewayToken
+          ? "Persisted gateway.auth.token from environment before reinstalling service."
+          : "Persisted gateway.auth.token from existing service definition before reinstalling service.",
+        "Gateway",
+      );
+    } catch (err) {
+      runtime.error(`Failed to persist gateway.auth.token before service repair: ${String(err)}`);
+      return;
+    }
+  }
+
+  const updatedPort = resolveGatewayPort(cfgForServiceInstall, process.env);
+  const updatedPlan = await buildGatewayInstallPlan({
+    env: process.env,
+    port: updatedPort,
+    runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
+    nodePath: systemNodePath ?? undefined,
+    warn: (message, title) => note(message, title),
+    config: cfgForServiceInstall,
+  });
   try {
     await service.install({
       env: process.env,
       stdout: process.stdout,
-      programArguments,
-      workingDirectory,
-      environment,
+      programArguments: updatedPlan.programArguments,
+      workingDirectory: updatedPlan.workingDirectory,
+      environment: updatedPlan.environment,
     });
   } catch (err) {
     runtime.error(`Gateway service update failed: ${String(err)}`);