Gateway: reject mixed trusted-proxy token config

[jacobtomlinson]

Summary

• reject trusted-proxy gateway auth configs that also resolve a shared token
• keep startup validation aligned for both config and environment sourced tokens

Changes

• add a mutual-exclusion check in assertGatewayAuthConfigured(...) for trusted-proxy plus shared-token config
• add regression coverage for both gateway.auth.token and OPENCLAW_GATEWAY_TOKEN

Validation

• ran OPENCLAW_TEST_PROFILE=serial pnpm test -- src/gateway/auth.test.ts -t "rejects trusted-proxy mode when shared token comes from"
• ran local agentic review via claude -p "/review" and added env-token coverage based on the feedback

Notes

• residual risk or follow-up: this change keeps the fix at startup validation rather than changing unrelated runtime auth behavior

[jacobtomlinson]

Incorporated the earlier proposed validation change here and preserved co-author credit in the commit.

[greptile-apps]

Greptile Summary

This PR tightens gateway startup validation by making trusted-proxy mode and a shared token mutually exclusive, and removes the runtime loopback token-fallback path that created the ambiguity in the first place. The two concerns are addressed together: assertGatewayAuthConfigured now throws at server startup if both are present, and authorizeGatewayConnect no longer silently falls back to token auth for loopback requests. Test coverage is thorough — the parameterised it.each covers both the gateway.auth.token config path and the OPENCLAW_GATEWAY_TOKEN environment path, and a dedicated ordering test confirms that a missing trustedProxy config error still takes precedence over the token-conflict error.

Key changes:

• auth.ts:325–329: mutual-exclusion guard added inside the trusted-proxy branch of assertGatewayAuthConfigured
• auth.ts:460–479: ~24 lines of loopback token-fallback logic removed from authorizeGatewayConnect; all loopback requests now uniformly return trusted_proxy_loopback_source
• auth.test.ts: local-direct describe block renamed; four previously passing token-fallback assertions updated to expect rejection; new startup-validation tests added

Confidence Score: 5/5

Safe to merge — no correctness issues remain; the mutual-exclusion guard is correct and the removal of the loopback fallback is consistent with the new policy.

All P1 concerns from prior review threads have been resolved: the startup validator now correctly rejects mixed configs, the loopback fallback code has been fully removed (eliminating the false-confidence from the old token-fallback tests), and the new ordering test confirms the trustedProxy presence guard still fires before the token-conflict guard. No new logic bugs or security gaps were identified in this pass.

No files require special attention.

Important Files Changed

Filename	Overview
src/gateway/auth.ts	Adds mutual-exclusion guard in assertGatewayAuthConfigured for trusted-proxy + token and removes the local-direct loopback token fallback from authorizeGatewayConnect; both changes are logically consistent and correctly implemented.
src/gateway/auth.test.ts	Adds parameterised tests for both config-token and env-token rejection paths, adds an ordering test confirming missing-trustedProxy error takes precedence, renames the describe block, and updates all local-direct expectations from ok/token to rejected/loopback-source to match removed fallback.

_{Reviews (2): Last reviewed commit: "Gateway: fail closed for loopback truste..." | Re-trigger Greptile}

[jacobtomlinson]

@greptile review