gateway install --force keeps stale embedded OPENCLAW_GATEWAY_TOKEN in systemd unit

[sisutuulenisa]

Summary

openclaw gateway install --force does not remove the embedded OPENCLAW_GATEWAY_TOKEN from the systemd unit, even when gateway.auth.token is migrated to an env SecretRef.

Environment

• OpenClaw 2026.3.28
• Linux / systemd user service
• service file: ~/.config/systemd/user/openclaw-gateway.service

Repro

1. Configure gateway auth token as an env SecretRef in openclaw.json, for example:

{
  "secrets": {
    "providers": {
      "default": { "source": "env" }
    }
  },
  "gateway": {
    "auth": {
      "mode": "token",
      "token": {
        "source": "env",
        "provider": "default",
        "id": "OPENCLAW_GATEWAY_TOKEN"
      }
    }
  }
}

2. Keep OPENCLAW_GATEWAY_TOKEN=... in ~/.openclaw/.env
3. Run:

openclaw gateway install --force
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service
openclaw doctor

Expected

The generated systemd unit should not embed:

Environment=OPENCLAW_GATEWAY_TOKEN=...

because the token is already SecretRef-managed via env + EnvironmentFile=%h/.openclaw/.env.

Actual

The generated unit still contains the embedded token line, and openclaw doctor keeps reporting:

• Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled.

Re-running openclaw gateway install --force does not fix it.

Workaround

Manual edit of the generated unit to remove:

Environment=OPENCLAW_GATEWAY_TOKEN=...

followed by daemon reload + restart fixes the doctor warning locally.

Notes

I also saw the service entrypoint migrate from dist/entry.js to dist/index.js during the same maintenance, so the reinstall is partially working — it just keeps writing the stale embedded gateway token.

[yqowen]

I can confirm this appears to affect macOS LaunchAgent as well, not just systemd.

On macOS, after upgrading and then running:

openclaw gateway install --force

openclaw gateway status still reports that the gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled.

In my case the LaunchAgent plist at:

~/Library/LaunchAgents/ai.openclaw.gateway.plist

still contained OPENCLAW_GATEWAY_TOKEN under EnvironmentVariables, even after reinstall.

The reinstall did partially work — the service entrypoint also migrated from dist/entry.js to dist/index.js — but the embedded gateway token remained in the generated service definition.

If I manually remove the OPENCLAW_GATEWAY_TOKEN entry from the plist and reload the LaunchAgent, the warning disappears. But after upgrading again, the token gets written back.

[hunterthewarrior420]

Confirmed this is still reproducible on 2026.4.8 on a Linux user-systemd install.

Additional data point from my host:

• upgraded from 2026.3.31 -> 2026.4.8
• gateway runtime itself stayed healthy
• Telegram stayed healthy
• memory stayed healthy
• gateway.auth.token was migrated to a real env SecretRef object:

{
  "mode": "token",
  "token": {
    "source": "env",
    "provider": "default",
    "id": "OPENCLAW_GATEWAY_TOKEN"
  }
}

• ~/.openclaw/.env already existed and contained OPENCLAW_GATEWAY_TOKEN

Despite that, repeated runs of:

openclaw gateway install --force

still left the generated unit with inline secret env lines such as:

Environment=OPENCLAW_GATEWAY_TOKEN=...

and openclaw gateway status kept reporting:

• Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled.

What finally fixed it locally was a manual unit repair:

1. replace the secret-bearing inline Environment= entries with:

EnvironmentFile=%h/.openclaw/.env

2. keep the non-secret service metadata inline
3. run:

systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service

After that:

• openclaw gateway status stopped reporting the embedded token warning
• the gateway stayed healthy

So at least on this host, 2026.4.8 still does not fully converge the existing user-systemd unit onto the file-backed env shape that the service audit expects.

[weissfl]

Confirmed again on 2026.4.11 on Linux / user-systemd.

I did a local code-path check instead of only looking at the generated unit, and the current behavior appears to be installer-driven, not just leftover stale state.

What I found in the installed build:

• runDaemonInstall() reads the existing service env via service.readCommand(...).environment
• then merges it into the install invocation env
• then passes that merged env into buildGatewayInstallPlan(...)
• the systemd unit generator in the installed build appears to emit inline Environment=... lines, not EnvironmentFile=..., for the generated gateway unit

So on this host the reinstall path effectively rehydrates the already-embedded env and writes it forward again.

That means the current warning/recommendation pair is still internally inconsistent in 2026.4.11:

• warning: Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled.
• action: openclaw gateway install --force
• result: generated unit still embeds env inline

This no longer looks like a host-specific misconfiguration. It looks like current product behavior for the Linux user-systemd install path.

[steipete]

Closing this as implemented after Codex review.

Current main already fixes the Linux/systemd reinstall path: forced gateway reinstalls no longer carry stale OPENCLAW_* values forward from the existing unit, and systemd installs now move dotenv-backed secrets into a generated EnvironmentFile instead of re-embedding them inline. The fix is documented in the 2026.4.14 changelog.

What I checked:

• Forced reinstall stops rehydrating old OPENCLAW_ service vars:* mergeInstallInvocationEnv() explicitly skips preserved vars whose normalized names start with OPENCLAW_, so a stale embedded OPENCLAW_GATEWAY_TOKEN from the existing service env is not merged back into a forced reinstall. (src/cli/daemon-cli/install.ts:27)
• Managed service env rebuilt from durable sources: buildGatewayInstallEnvironment() rebuilds managed env from durable sources (collectDurableServiceEnvVars) and auth env refs, then records managed keys separately instead of treating prior managed entries as preserved custom env. (src/commands/daemon-install-helpers.ts:215)
• Systemd writer now emits EnvironmentFile and strips matching inline secrets: writeSystemdUnit() reads the state-dir .env, writes gateway.systemd.env, passes it as environmentFiles, and removes matching dotenv-backed entries from inline Environment= lines before building the unit. (src/daemon/systemd.ts:455)
• Regression tests cover the exact stale-token scenario: stageSystemdService tests assert that dotenv-backed OPENCLAW_GATEWAY_TOKEN values land in EnvironmentFile=-.../gateway.systemd.env and do not remain inline, while newer inline overrides stay inline and stale .env values are excluded from the generated env file. (src/daemon/systemd.test.ts:682)
• Shipped fix called out in changelog: The 2026.4.14 changelog explicitly says: Doctor/systemd: keep openclaw doctor --repair and service reinstall from re-embedding dotenv-backed secrets in user systemd units, while preserving newer inline overrides over stale state-dir .env values.. (CHANGELOG.md:666)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 3a64aa49a901; fix evidence: release v2026.4.14.