refactor(gateway): dedupe origin seeding and plugin route auth matching

src/commands/configure.gateway.ts

@@ -1,13 +1,12 @@
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveGatewayPort } from "../config/config.js";
 import {
-  appendAllowedOrigin,
-  buildTailnetHttpsOrigin,
+  maybeAddTailnetOriginToControlUiAllowedOrigins,
   TAILSCALE_DOCS_LINES,
   TAILSCALE_EXPOSURE_OPTIONS,
   TAILSCALE_MISSING_BIN_NOTE_LINES,
 } from "../gateway/gateway-config-prompts.shared.js";
-import { findTailscaleBinary, getTailnetHostname } from "../infra/tailscale.js";
+import { findTailscaleBinary } from "../infra/tailscale.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { validateIPv4AddressInput } from "../shared/net/ipv4.js";
 import { note } from "../terminal/note.js";
@@ -289,27 +288,11 @@ export async function promptGatewayConfig(
     },
   };
 
-  // Auto-add Tailscale origin to controlUi.allowedOrigins so the Control UI
-  // is accessible via the Tailscale hostname without manual config.
-  if (tailscaleMode === "serve" || tailscaleMode === "funnel") {
-    const tsOrigin = await getTailnetHostname(undefined, tailscaleBin ?? undefined)
-      .then((host) => buildTailnetHttpsOrigin(host))
-      .catch(() => null);
-    if (tsOrigin) {
-      const existing = next.gateway?.controlUi?.allowedOrigins ?? [];
-      const updatedOrigins = appendAllowedOrigin(existing, tsOrigin);
-      next = {
-        ...next,
-        gateway: {
-          ...next.gateway,
-          controlUi: {
-            ...next.gateway?.controlUi,
-            allowedOrigins: updatedOrigins,
-          },
-        },
-      };
-    }
-  }
+  next = await maybeAddTailnetOriginToControlUiAllowedOrigins({
+    config: next,
+    tailscaleMode,
+    tailscaleBin,
+  });
 
   return { config: next, port, token: gatewayToken };
 }