From 70be8ce15cf42197b78ec0f00893c1541790c7c9 Mon Sep 17 00:00:00 2001
From: ademczuk
Date: Sat, 7 Mar 2026 20:10:54 +0100
Subject: [PATCH] fix(daemon): normalise whitespace in checkTokenDrift to prevent false-positive warning (#39108)

---
 src/daemon/service-audit.test.ts | 18 ++++++++++++++++++
 src/daemon/service-audit.ts | 10 ++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/daemon/service-audit.test.ts b/src/daemon/service-audit.test.ts
index 2615c90cb70..090094ed8c9 100644
--- a/src/daemon/service-audit.test.ts
+++ b/src/daemon/service-audit.test.ts
@@ -118,6 +118,24 @@ describe("checkTokenDrift", () => {
 expect(result).toBeNull();
 });

+ it("returns null when tokens match but service token has trailing newline", () => {
+ const result = checkTokenDrift({ serviceToken: "same-token\n", configToken: "same-token" });
+ expect(result).toBeNull();
+ });
+
+ it("returns null when tokens match but have surrounding whitespace", () => {
+ const result = checkTokenDrift({ serviceToken: " same-token ", configToken: "same-token" });
+ expect(result).toBeNull();
+ });
+
+ it("returns null when both tokens have different whitespace padding", () => {
+ const result = checkTokenDrift({
+ serviceToken: "same-token\r\n",
+ configToken: " same-token ",
+ });
+ expect(result).toBeNull();
+ });
+
 it("detects drift when config has token but service has different token", () => {
 const result = checkTokenDrift({ serviceToken: "old-token", configToken: "new-token" });
 expect(result).not.toBeNull();
diff --git a/src/daemon/service-audit.ts b/src/daemon/service-audit.ts
index 09e766065ec..6f86230dbc3 100644
--- a/src/daemon/service-audit.ts
+++ b/src/daemon/service-audit.ts
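Review bot: In service-audit.test.ts none of the three added cases covers a whitespace-only token, which the `?.trim() || undefined` normalisation in service-audit.ts now treats as "no token". That is a behaviour change beyond tolerating padding and is worth pinning with one more case, for example `expect(checkTokenDrift({ serviceToken: " \n", configToken: undefined })).toBeNull();`. The parameter types are declared outside the visible lines, so adjust the literal if `undefined` is not accepted there.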
@@ -362,13 +362,19 @@ export function checkTokenDrift(params: {
 }): ServiceConfigIssue | null {
 const { serviceToken, configToken } = params;

+ // Normalise both tokens before comparing: service-file parsers (systemd,
+ // launchd) can return values with trailing newlines or whitespace that
+ // cause a false-positive mismatch against the config value.
+ const normService = serviceToken?.trim() || undefined;
+ const normConfig = configToken?.trim() || undefined;
+
 // No drift if both are undefined/empty
- if (!serviceToken && !configToken) {
+ if (!normService && !normConfig) {
 return null;
 }

 // Drift: config has token, service has different or no token
- if (normConfig && normService !== normConfig) {
+ if (normConfig && normService !== normConfig) {
 return {
 code: SERVICE_AUDIT_CODES.gatewayTokenDrift,
 message:
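Review bot: The new `normConfig` line trims the config-side token as well as the service-side one, so the audit now treats a padded config value as equal to the service value. Whether the gateway's own token check trims the same way is not visible in this hunk. If that path compares the raw string, a genuine mismatch would be reported as no drift and would surface only as failed authentication. Either confirm the loader trims, or state the contract next to the normalisation, e.g. `// Must mirror how the gateway loads its token: whitespace-only counts as unset, surrounding whitespace is ignored.` The body of checkTokenDrift continues past the end of the hunk.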