fix: enforce hooks token separation from gateway auth (#20813)

* fix(an-03): apply security fix

Generated by staged fix workflow.

* fix(an-03): apply security fix

Generated by staged fix workflow.

* fix(an-03): remove stale test-link artifact from patch

Remove accidental a2ui test-link artifact from the tracked diff and keep startup auth enforcement centralized in startup-auth.ts.
Coy Geek
2026-02-19 02:48:08 -08:00
committed by GitHub
parent 267bb3c81c
commit f7a7a28c56
4 changed files with 114 additions and 4 deletions


@@ -441,7 +441,7 @@ export function collectHooksHardeningFindings(
if (token && gatewayToken && token === gatewayToken) {
findings.push({
checkId: "hooks.token_reuse_gateway_token",
severity: "warn",
severity: "critical",
title: "Hooks token reuses the Gateway token",
detail:
"hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.",
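Review bot: With this finding now `critical`, the `detail` string on the last two lines of the hunk should tell the operator how to clear it, not only what is wrong; otherwise the escalation is just a louder warning with no path to resolution. I would extend it to `"hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API. Set a distinct hooks.token (separate from OPENCLAW_GATEWAY_TOKEN / gateway.auth.token) so the two credentials can be rotated independently."`, or fill a remediation field if the finding type has one — that is not visible here. The comparison on the first hunk line is an exact string match, so a gateway token embedded in a longer hooks token, or the same token with surrounding whitespace, still passes as distinct; if the startup enforcement this commit centralizes in startup-auth.ts normalizes tokens before comparing, the audit should apply the same normalization so the two checks cannot disagree on the same config. collectHooksHardeningFindings begins before the hunk and the findings.push object literal closes after it.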


@@ -1356,7 +1356,7 @@ describe("security audit", () => {
);
});
it("warns when hooks token reuses the gateway env token", async () => {
it("flags hooks token reuse of the gateway env token as critical", async () => {
const prevToken = process.env.OPENCLAW_GATEWAY_TOKEN;
process.env.OPENCLAW_GATEWAY_TOKEN = "shared-gateway-token-1234567890";
const cfg: OpenClawConfig = {
@@ -1372,7 +1372,10 @@ describe("security audit", () => {
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({ checkId: "hooks.token_reuse_gateway_token", severity: "warn" }),
expect.objectContaining({
checkId: "hooks.token_reuse_gateway_token",
severity: "critical",
}),
]),
);
} finally {