doctor: false positive gateway token mismatch when systemd uses EnvironmentFile

[mySebbe]

Summary

openclaw doctor reports a false positive for gateway token drift/missing token when the systemd user service loads OPENCLAW_GATEWAY_TOKEN via EnvironmentFile= instead of an inline Environment= entry.

Version

• OpenClaw CLI: 2026.3.2
• OS: Ubuntu 24.04.4 LTS
• Kernel: 6.6.87.2-microsoft-standard-WSL2
• Service type: systemd user service

Repro

1. Put the gateway token in ~/.openclaw/.env:

   OPENCLAW_GATEWAY_TOKEN=...
   

2. Configure the user unit with:

   [Service]
   EnvironmentFile=%h/.openclaw/.env

3. Reference the token in config via env substitution:

   {
     gateway: {
       auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" }
     }
   }

4. Restart the gateway service.
5. Run openclaw doctor.

Actual

doctor reports:

• Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token in openclaw.json
• detail: service token is missing

Expected

If the token is supplied through EnvironmentFile= and the service is healthy, doctor should treat that as valid and not warn about a missing/stale service token.

Notes

In my setup the gateway is healthy and using the token successfully:

• openclaw gateway health returns OK
• the systemd unit has EnvironmentFile=/home/.../.openclaw/.env
• systemctl --user show openclaw-gateway.service -p EnvironmentFiles shows the env file is attached

This looks like doctor only checks inline command.environment.OPENCLAW_GATEWAY_TOKEN and does not account for tokens loaded from EnvironmentFile=.

The relevant logic appears to read only the embedded command environment:

• dist/daemon-cli.js: const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN?.trim();

So the warning is currently unavoidable for a hardened setup that keeps the token out of the unit file.

[mySebbe]

Confirmed on OpenClaw 2026.3.2 on Linux/systemd.

Local workaround that fixes the false positive without putting the token back inline into the unit:

• extend readSystemdServiceExecStart() to parse EnvironmentFile= entries
• load the referenced env file(s) and merge them into command.environment before auditGatewayToken() / checkTokenDrift() run
• I used dotenv.parse() for the env-file contents

I patched the installed dist files locally (dist/systemd-9EGLbHmq.js, dist/systemd-B3GFFEJL.js, and dist/daemon-cli.js) and after that openclaw doctor stopped reporting service token is missing while openclaw gateway health stayed OK.

That seems like the clean upstream fix too: treat EnvironmentFile= as part of the effective service environment during audit/drift checks.

[newcodebook]

This looks like a doctor audit blind spot rather than an actual token mismatch: if the gateway token is injected via EnvironmentFile=, the service can be healthy even though doctor reports service token is missing.

Practical workaround

1. Treat openclaw gateway health as the source of truth, and confirm the unit is actually loading the env file:
   • systemctl --user show openclaw-gateway.service -p EnvironmentFiles
2. If health is OK, ignore this specific doctor warning until the check learns to read EnvironmentFile= too.

Why this helps
The runtime can inherit OPENCLAW_GATEWAY_TOKEN from the env file successfully, while the current drift audit appears to inspect only inline service environment entries.

If you hit real connection/auth failures as well (not just the warning), the next useful artifact is the relevant unit snippet with EnvironmentFile= plus the output of openclaw gateway health.

Recommended reading:

• Linux: gateway doesn't stay running (systemd service not installed) | CoClaw
• OpenClaw Installation Troubleshooting: Node/NPM, PATH, Windows (WSL2), and Docker | CoClaw

[steipete]

Closing as a duplicate of #18475.

Same root cause: readSystemdServiceExecStart() in src/daemon/systemd.ts only inspects inline Environment= today, so doctor/status/audit miss EnvironmentFile= and drop-ins. Once command.environment is incomplete, auditGatewayToken() in src/daemon/service-audit.ts reports the false service token is missing warning.

Best current branch around this seam is #18498, but it still needs %h/optional EnvironmentFile= handling from #36801 before it is merge-ready.

[joshavant]

Thanks again for the report and for helping us track this down.

This has now been addressed by #39241, which consolidated the gateway auth-resolution fixes across Discord/node-host/systemd and related regression coverage.

Marking this as superseded by #39241, and we appreciate the detailed report.