refactor: centralize gateway auth env credential readers

src/commands/dashboard.ts

@@ -1,6 +1,7 @@
 import { readConfigFileSnapshot, resolveGatewayPort } from "../config/config.js";
 import type { OpenClawConfig } from "../config/types.js";
 import { resolveSecretInputRef } from "../config/types.secrets.js";
+import { readGatewayTokenEnv } from "../gateway/credentials.js";
 import { copyToClipboard } from "../infra/clipboard.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { defaultRuntime } from "../runtime.js";
@@ -17,15 +18,6 @@ type DashboardOptions = {
   noOpen?: boolean;
 };
 
-function readGatewayTokenEnv(env: NodeJS.ProcessEnv): string | undefined {
-  const primary = env.OPENCLAW_GATEWAY_TOKEN?.trim();
-  if (primary) {
-    return primary;
-  }
-  const legacy = env.CLAWDBOT_GATEWAY_TOKEN?.trim();
-  return legacy || undefined;
-}
-
 async function resolveDashboardToken(
   cfg: OpenClawConfig,
   env: NodeJS.ProcessEnv = process.env,

src/commands/doctor-gateway-auth-token.ts

@@ -1,15 +1,10 @@
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveSecretInputRef } from "../config/types.secrets.js";
 export { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-policy.js";
+import { readGatewayTokenEnv } from "../gateway/credentials.js";
 import { secretRefKey } from "../secrets/ref-contract.js";
 import { resolveSecretRefValues } from "../secrets/resolve.js";
 
-function readGatewayTokenEnv(env: NodeJS.ProcessEnv): string | undefined {
-  const value = env.OPENCLAW_GATEWAY_TOKEN ?? env.CLAWDBOT_GATEWAY_TOKEN;
-  const trimmed = value?.trim();
-  return trimmed || undefined;
-}
-
 export async function resolveGatewayAuthTokenForService(
   cfg: OpenClawConfig,
   env: NodeJS.ProcessEnv,

src/commands/gateway-install-token.ts

@@ -4,6 +4,7 @@ import { resolveSecretInputRef } from "../config/types.secrets.js";
 import { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-policy.js";
 import { hasAmbiguousGatewayAuthModeConfig } from "../gateway/auth-mode-policy.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
+import { readGatewayTokenEnv } from "../gateway/credentials.js";
 import { secretRefKey } from "../secrets/ref-contract.js";
 import { resolveSecretRefValues } from "../secrets/resolve.js";
 import { randomToken } from "./onboard-helpers.js";
@@ -45,8 +46,7 @@ export async function resolveGatewayInstallToken(
       ? undefined
       : cfg.gateway.auth.token.trim() || undefined;
   const explicitToken = options.explicitToken?.trim() || undefined;
-  const envToken =
-    options.env.OPENCLAW_GATEWAY_TOKEN?.trim() || options.env.CLAWDBOT_GATEWAY_TOKEN?.trim();
+  const envToken = readGatewayTokenEnv(options.env);
 
   if (hasAmbiguousGatewayAuthModeConfig(cfg)) {
     return {

src/commands/gateway-status/helpers.ts

@@ -1,6 +1,7 @@
 import { resolveGatewayPort } from "../../config/config.js";
 import type { OpenClawConfig, ConfigFileSnapshot } from "../../config/types.js";
 import { hasConfiguredSecretInput } from "../../config/types.secrets.js";
+import { readGatewayPasswordEnv, readGatewayTokenEnv } from "../../gateway/credentials.js";
 import type { GatewayProbeResult } from "../../gateway/probe.js";
 import { resolveConfiguredSecretInputString } from "../../gateway/resolve-configured-secret-input-string.js";
 import { pickPrimaryTailnetIPv4 } from "../../infra/tailnet.js";
@@ -146,16 +147,6 @@ export function sanitizeSshTarget(value: unknown): string | null {
   return trimmed.replace(/^ssh\\s+/, "");
 }
 
-function readGatewayTokenEnv(env: NodeJS.ProcessEnv = process.env): string | undefined {
-  const token = env.OPENCLAW_GATEWAY_TOKEN?.trim() || env.CLAWDBOT_GATEWAY_TOKEN?.trim();
-  return token || undefined;
-}
-
-function readGatewayPasswordEnv(env: NodeJS.ProcessEnv = process.env): string | undefined {
-  const password = env.OPENCLAW_GATEWAY_PASSWORD?.trim() || env.CLAWDBOT_GATEWAY_PASSWORD?.trim();
-  return password || undefined;
-}
-
 export async function resolveAuthForTarget(
   cfg: OpenClawConfig,
   target: GatewayStatusTarget,