daemon: load systemd EnvironmentFile and drop-ins so gateway status probe uses same env as gateway

[saurav470]

Summary

fix #18475

• Problem: After adding systemd user overrides with EnvironmentFile= (e.g. /etc/openclaw/secrets/*.env) for the openclaw-gateway service, openclaw gateway status reports a false unauthorized: device token mismatch (rotate/reissue device token) even though the gateway runs normally, the dashboard loads, and openclaw status / openclaw doctor work.
• Why it matters: The status command’s RPC probe was using credentials from the CLI’s environment (or main unit only), while the gateway process gets env from systemd including EnvironmentFile and drop-ins. Any token/config set only in those files caused a credential mismatch and the misleading device-token error.
• What changed: On Linux, readSystemdServiceExecStart() now loads EnvironmentFile= contents and parses drop-in dirs (*.service.d/*.conf) so the returned environment matches what the gateway process actually sees. The daemon status probe already merges this service env; it now gets the same token/config as the gateway.
• What did NOT change: No change to gateway auth logic, config schema, or other platforms (LaunchAgent, schtasks). Only systemd unit parsing and env merge for the status probe.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token) #18475
• Related #

User-visible / Behavior Changes

• Before: openclaw gateway status could report "unauthorized: device token mismatch" when the gateway was started with EnvironmentFile= or drop-in overrides that set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_CONFIG_PATH, even though the gateway and dashboard were healthy.
• After: The status probe uses the same env (including vars from EnvironmentFile and drop-ins) as the gateway process, so the probe succeeds and no false device-token error is shown.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No (we only read the same env files systemd already passes to the gateway; no new secrets exposure).
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux (e.g. Linux Mint 22.3)
• Runtime/container: Node 22+, systemd user units
• Relevant config: User override ~/.config/systemd/user/openclaw-gateway.service.d/secrets.conf with EnvironmentFile=/etc/openclaw/secrets/agent1.env (and optionally more).

Steps

1. Create /etc/openclaw/secrets/agent1.env (or placeholder) and ~/.config/systemd/user/openclaw-gateway.service.d/secrets.conf with [Service] and EnvironmentFile=....
2. systemctl --user daemon-reload and openclaw gateway restart.
3. Run openclaw gateway status.

Expected

• Status reports gateway reachable and RPC probe OK (no auth/device-token error).

Actual (before fix)

• Status reported "unauthorized: device token mismatch (rotate/reissue device token)" while gateway and dashboard remained functional.

Evidence

• Failing test/log before + passing after: New unit tests in src/daemon/systemd.test.ts for EnvironmentFile=, drop-in merge, optional -/path, and [Service]-only parsing.
• Trace/log snippets: Issue [Bug]: gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token) #18475 describes the exact error and steps.

Human Verification (required)

• Verified scenarios: Unit tests for systemd env parsing (EnvironmentFile, drop-ins, optional file, section parsing); existing daemon + daemon-cli tests pass.
• Edge cases checked: Optional EnvironmentFile; drop-in override order; [Service] vs [Unit] section.
• What you did not verify: Live run on Linux with real systemd user gateway and override (reporter’s environment).

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Failure Recovery (if this breaks)

• Revert the commit; no config or env changes to restore.
• Known bad symptoms: If systemd unit or drop-in parsing regresses, readSystemdServiceExecStart could return null or incomplete env; status would then fall back to CLI env (previous behavior).

Risks and Mitigations

• Risk: Parsing of EnvironmentFile format (e.g. quoting) could differ from systemd in edge cases.
  • Mitigation: Parser follows simple KEY=VALUE and optional quoting; optional files use -/path; tests cover basic and override cases. Complex expansion is not implemented (systemd does it at run time; we only need same vars for probe).

Greptile Summary

Fixes openclaw gateway status reporting a false "unauthorized: device token mismatch" when the gateway's systemd unit uses EnvironmentFile directives or drop-in overrides. The status probe now loads the same env files and drop-in configs that systemd passes to the gateway process, so credentials match.

• Extracted parseSystemdServiceSection to parse only the Service section
• Added a parser for env files with basic quote support
• The main function now loads EnvironmentFile entries and merges drop-in configs
• Four new integration tests cover env file loading, drop-in override precedence, optional file handling, and section-scoped parsing
• Only a clarifying comment added to status.gather.ts; no functional change

Resilience concern: If a non-optional EnvironmentFile path is missing or a drop-in file is unreadable, the entire parse aborts and returns null, silently falling back to CLI env. This could mask config issues.

Confidence Score: 3/5

• PR is a net improvement but has resilience gaps in error handling that could silently hide misconfiguration
• The core logic for parsing systemd EnvironmentFile and drop-in configs is correct and well-tested for the happy path. However, two error-handling gaps were identified: (1) a missing non-optional EnvironmentFile causes the entire function to silently return null via the outer catch, which is indistinguishable from a missing unit file and could reproduce the same silent credential mismatch the PR aims to fix; (2) a single unreadable drop-in file similarly aborts the full parse, inconsistent with the graceful readdir error handling. These are not regressions (previous code had no EnvironmentFile support at all) but they limit the fix's robustness. Tests are solid but don't cover the required-file-missing failure scenario.
• src/daemon/systemd.ts — error handling in readSystemdServiceExecStart for required EnvironmentFile failures and drop-in read errors

_{Last reviewed commit: 66d5c23}

[greptile-apps]

_{3 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[igmarketing]

Does this has been fixed?