fix(doctor): reconcile gateway service token drift after re-pair

`openclaw doctor` audited gateway service runtime/path settings but did not check whether the daemon's `OPENCLAW_GATEWAY_TOKEN` matched `gateway.auth.token` in `openclaw.json`. After re-pairing or token rotation, the config token and service env token can drift. The daemon may keep running with a stale service token, leading to unauthorized handshake failures for cron/tool clients. Add a gateway service audit check for token drift and pass `cfg.gateway.auth.token` into service audits so doctor treats config as the source of truth when deciding whether to reinstall the service. Key design decisions: - Use `gateway.auth.token` from `openclaw.json` as the authority for service token drift detection - Only flag mismatch when an authoritative config token exists - Keep fix in existing doctor service-repair flow (no separate migration step) - Add focused tests for both audit mismatch behavior and doctor wiring Fixes #18175
2026-05-13 02:32:56 +00:00 · 2026-02-16 13:37:04 -08:00
parent 5f821ed067
commit d799a3994f
4 changed files with 179 additions and 0 deletions
--- a/src/daemon/service-audit.ts
+++ b/src/daemon/service-audit.ts
@@ -34,6 +34,7 @@ export const SERVICE_AUDIT_CODES = {
  gatewayPathMissing: "gateway-path-missing",
  gatewayPathMissingDirs: "gateway-path-missing-dirs",
  gatewayPathNonMinimal: "gateway-path-nonminimal",
+  gatewayTokenMismatch: "gateway-token-mismatch",
  gatewayRuntimeBun: "gateway-runtime-bun",
  gatewayRuntimeNodeVersionManager: "gateway-runtime-node-version-manager",
  gatewayRuntimeNodeSystemMissing: "gateway-runtime-node-system-missing",
@@ -200,6 +201,28 @@ function auditGatewayCommand(programArguments: string[] | undefined, issues: Ser
  }
 }

+function auditGatewayToken(
+  command: GatewayServiceCommand,
+  issues: ServiceConfigIssue[],
+  expectedGatewayToken?: string,
+) {
+  const expectedToken = expectedGatewayToken?.trim();
+  if (!expectedToken) {
+    return;
+  }
+  const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN?.trim();
+  if (serviceToken === expectedToken) {
+    return;
+  }
+  issues.push({
+    code: SERVICE_AUDIT_CODES.gatewayTokenMismatch,
+    message:
+      "Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token in openclaw.json",
+    detail: serviceToken ? "service token is stale" : "service token is missing",
+    level: "recommended",
+  });
+}
+
 function isNodeRuntime(execPath: string): boolean {
  const base = path.basename(execPath).toLowerCase();
  return base === "node" || base === "node.exe";
@@ -341,11 +364,13 @@ export async function auditGatewayServiceConfig(params: {
  env: Record<string, string | undefined>;
  command: GatewayServiceCommand;
  platform?: NodeJS.Platform;
+  expectedGatewayToken?: string;
 }): Promise<ServiceConfigAudit> {
  const issues: ServiceConfigIssue[] = [];
  const platform = params.platform ?? process.platform;

  auditGatewayCommand(params.command?.programArguments, issues);
+  auditGatewayToken(params.command, issues, params.expectedGatewayToken);
  auditGatewayServicePath(params.command, issues, params.env, platform);
  await auditGatewayRuntime(params.env, params.command, issues, platform);