fix(doctor): reconcile gateway service token drift after re-pair

`openclaw doctor` audited gateway service runtime/path settings but did not
check whether the daemon's `OPENCLAW_GATEWAY_TOKEN` matched
`gateway.auth.token` in `openclaw.json`.

After re-pairing or token rotation, the config token and service env token can
drift. The daemon may keep running with a stale service token, leading to
unauthorized handshake failures for cron/tool clients.

Add a gateway service audit check for token drift and pass
`cfg.gateway.auth.token` into service audits so doctor treats config as the
source of truth when deciding whether to reinstall the service.

Key design decisions:
- Use `gateway.auth.token` from `openclaw.json` as the authority for service
  token drift detection
- Only flag mismatch when an authoritative config token exists
- Keep fix in existing doctor service-repair flow (no separate migration step)
- Add focused tests for both audit mismatch behavior and doctor wiring

Fixes #18175

src/commands/doctor-gateway-services.test.ts

@@ -0,0 +1,117 @@
+import { describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../config/config.js";
+
+const mocks = vi.hoisted(() => ({
+  readCommand: vi.fn(),
+  install: vi.fn(),
+  auditGatewayServiceConfig: vi.fn(),
+  buildGatewayInstallPlan: vi.fn(),
+  resolveGatewayPort: vi.fn(() => 18789),
+  resolveIsNixMode: vi.fn(() => false),
+  note: vi.fn(),
+}));
+
+vi.mock("../config/paths.js", () => ({
+  resolveGatewayPort: mocks.resolveGatewayPort,
+  resolveIsNixMode: mocks.resolveIsNixMode,
+}));
+
+vi.mock("../daemon/inspect.js", () => ({
+  findExtraGatewayServices: vi.fn().mockResolvedValue([]),
+  renderGatewayServiceCleanupHints: vi.fn().mockReturnValue([]),
+}));
+
+vi.mock("../daemon/runtime-paths.js", () => ({
+  renderSystemNodeWarning: vi.fn().mockReturnValue(undefined),
+  resolveSystemNodeInfo: vi.fn().mockResolvedValue(null),
+}));
+
+vi.mock("../daemon/service-audit.js", () => ({
+  auditGatewayServiceConfig: mocks.auditGatewayServiceConfig,
+  needsNodeRuntimeMigration: vi.fn(() => false),
+  SERVICE_AUDIT_CODES: {
+    gatewayEntrypointMismatch: "gateway-entrypoint-mismatch",
+  },
+}));
+
+vi.mock("../daemon/service.js", () => ({
+  resolveGatewayService: () => ({
+    readCommand: mocks.readCommand,
+    install: mocks.install,
+  }),
+}));
+
+vi.mock("../terminal/note.js", () => ({
+  note: mocks.note,
+}));
+
+vi.mock("./daemon-install-helpers.js", () => ({
+  buildGatewayInstallPlan: mocks.buildGatewayInstallPlan,
+}));
+
+import { maybeRepairGatewayServiceConfig } from "./doctor-gateway-services.js";
+
+describe("maybeRepairGatewayServiceConfig", () => {
+  it("treats gateway.auth.token as source of truth for service token repairs", async () => {
+    mocks.readCommand.mockResolvedValue({
+      programArguments: ["/usr/bin/node", "/usr/local/bin/openclaw", "gateway", "--port", "18789"],
+      environment: {
+        OPENCLAW_GATEWAY_TOKEN: "stale-token",
+      },
+    });
+    mocks.auditGatewayServiceConfig.mockResolvedValue({
+      ok: false,
+      issues: [
+        {
+          code: "gateway-token-mismatch",
+          message: "Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token",
+          level: "recommended",
+        },
+      ],
+    });
+    mocks.buildGatewayInstallPlan.mockResolvedValue({
+      programArguments: ["/usr/bin/node", "/usr/local/bin/openclaw", "gateway", "--port", "18789"],
+      workingDirectory: "/tmp",
+      environment: {
+        OPENCLAW_GATEWAY_TOKEN: "config-token",
+      },
+    });
+    mocks.install.mockResolvedValue(undefined);
+
+    const cfg: OpenClawConfig = {
+      gateway: {
+        auth: {
+          mode: "token",
+          token: "config-token",
+        },
+      },
+    };
+
+    await maybeRepairGatewayServiceConfig(
+      cfg,
+      "local",
+      { log: vi.fn(), error: vi.fn(), exit: vi.fn() },
+      {
+        confirm: vi.fn().mockResolvedValue(true),
+        confirmRepair: vi.fn().mockResolvedValue(true),
+        confirmAggressive: vi.fn().mockResolvedValue(true),
+        confirmSkipInNonInteractive: vi.fn().mockResolvedValue(true),
+        select: vi.fn().mockResolvedValue("node"),
+        shouldRepair: false,
+        shouldForce: false,
+      },
+    );
+
+    expect(mocks.auditGatewayServiceConfig).toHaveBeenCalledWith(
+      expect.objectContaining({
+        expectedGatewayToken: "config-token",
+      }),
+    );
+    expect(mocks.buildGatewayInstallPlan).toHaveBeenCalledWith(
+      expect.objectContaining({
+        token: "config-token",
+      }),
+    );
+    expect(mocks.install).toHaveBeenCalledTimes(1);
+  });
+});

src/commands/doctor-gateway-services.ts

@@ -118,6 +118,7 @@ export async function maybeRepairGatewayServiceConfig(
   const audit = await auditGatewayServiceConfig({
     env: process.env,
     command,
+    expectedGatewayToken: cfg.gateway?.auth?.token,
   });
   const needsNodeRuntime = needsNodeRuntimeMigration(audit.issues);
   const systemNodeInfo = needsNodeRuntime