fix(gateway): keep restart probe auth local

vincentkoc · vincentkoc · commit 8bb983cae17d · 2026-04-27T06:02:48.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
 
 - macOS Gateway: detect installed-but-unloaded LaunchAgent split-brain states during status, doctor, and restart, and re-bootstrap launchd supervision before falling back to unmanaged listener restarts. Fixes #67335, #53475, and #71060; refs #58890, #60885, and #70801. Thanks @ze1tgeist88, @dafacto, and @vishutdhar.
+- Gateway/restart: keep local restart-health probes on configured local daemon auth without falling back to remote gateway credentials. (#57374, #59439) Thanks @zssggle-rgb and @roytong9.
 - Plugins/install: stage bundled plugin runtime dependencies before Gateway startup and drain update restarts while preserving per-plugin isolation when pre-stage scan or install fails. Thanks @codex.
 - CLI/startup: read generated startup metadata from the bundled `dist` layout before falling back to live help rendering, so root/browser help and channel-option bootstrap stay on the fast path. Thanks @vincentkoc.
 - CLI/help: treat positional `help` invocations like `openclaw channels help` as help paths for startup gating, avoiding model/auth warmup while preserving positional arguments such as `openclaw docs help`. Thanks @gumadeiras.
diff --git a/src/gateway/probe-auth.test.ts b/src/gateway/probe-auth.test.ts
@@ -77,6 +77,30 @@ describe("resolveGatewayProbeAuthSafe", () => {
     } as OpenClawConfig);
   });
 
+  it("does not fall through to remote credentials for local probes", () => {
+    const result = resolveGatewayProbeAuthSafe({
+      cfg: {
+        gateway: {
+          mode: "local",
+          remote: {
+            url: "wss://gateway.example",
+            token: "remote-token",
+            password: "remote-password", // pragma: allowlist secret
+          },
+        },
+      } as OpenClawConfig,
+      mode: "local",
+      env: {} as NodeJS.ProcessEnv,
+    });
+
+    expect(result).toEqual({
+      auth: {
+        token: undefined,
+        password: undefined,
+      },
+    });
+  });
+
   it("ignores unresolved local token SecretRef in remote mode when remote-only auth is requested", () => {
     const result = resolveGatewayProbeAuthSafe({
       cfg: {
@@ -171,6 +195,36 @@ describe("resolveGatewayProbeAuthSafeWithSecretInputs", () => {
     });
   });
 
+  it("does not resolve remote SecretRefs for local probes", async () => {
+    const result = await resolveGatewayProbeAuthSafeWithSecretInputs({
+      cfg: {
+        gateway: {
+          mode: "local",
+          remote: {
+            url: "wss://gateway.example",
+            token: { source: "env", provider: "default", id: "REMOTE_GATEWAY_TOKEN" },
+          },
+        },
+        secrets: {
+          providers: {
+            default: { source: "env" },
+          },
+        },
+      } as OpenClawConfig,
+      mode: "local",
+      env: {
+        REMOTE_GATEWAY_TOKEN: "remote-token",
+      } as NodeJS.ProcessEnv,
+    });
+
+    expect(result).toEqual({
+      auth: {
+        token: undefined,
+        password: undefined,
+      },
+    });
+  });
+
   it("returns warning and empty auth when SecretRef cannot be resolved via async path", async () => {
     const result = await resolveGatewayProbeAuthSafeWithSecretInputs({
       cfg: {
diff --git a/src/gateway/probe-auth.ts b/src/gateway/probe-auth.ts
@@ -15,9 +15,10 @@ function buildGatewayProbeCredentialPolicy(params: {
   env?: NodeJS.ProcessEnv;
   explicitAuth?: ExplicitGatewayAuth;
 }) {
+  const cfg = resolveGatewayProbeCredentialConfig(params);
   return {
-    config: params.cfg,
-    cfg: params.cfg,
+    config: cfg,
+    cfg,
     env: params.env,
     explicitAuth: params.explicitAuth,
     modeOverride: params.mode,
@@ -26,6 +27,31 @@ function buildGatewayProbeCredentialPolicy(params: {
   };
 }
 
+function resolveGatewayProbeCredentialConfig(params: {
+  cfg: OpenClawConfig;
+  mode: "local" | "remote";
+}): OpenClawConfig {
+  if (params.mode !== "local") {
+    return params.cfg;
+  }
+
+  const remote = params.cfg.gateway?.remote;
+  if (!remote || (remote.token === undefined && remote.password === undefined)) {
+    return params.cfg;
+  }
+
+  const remoteWithoutAuth = { ...remote };
+  delete remoteWithoutAuth.token;
+  delete remoteWithoutAuth.password;
+  return {
+    ...params.cfg,
+    gateway: {
+      ...params.cfg.gateway,
+      remote: remoteWithoutAuth,
+    },
+  };
+}
+
 function resolveExplicitProbeAuth(explicitAuth?: ExplicitGatewayAuth): {
   token?: string;
   password?: string;
