fix(doctor): warn when OPENCLAW_GATEWAY_TOKEN env overrides gateway.auth.token config

[yelog]

Summary

Fixes #74271

When both OPENCLAW_GATEWAY_TOKEN (environment) and gateway.auth.token (config) are set, CLI commands (status, call, probe) use env-first precedence while the gateway server uses config-first. If the values differ, CLI commands silently fail to authenticate.

Changes

• Added warning in noteSecurityWarnings() when both env and config tokens are set, explaining the precedence divergence
• Added SecurityAuditFinding with checkId: "gateway.env_token_overrides_config" in auditGatewayConfig for openclaw security audit --deep
• 2 new tests: warning appears on conflict, no warning for env-only

[greptile-apps]

Greptile Summary

This PR adds a warning in noteSecurityWarnings() and a SecurityAuditFinding in collectGatewayConfigFindings() to surface the token precedence divergence between CLI commands (env-first) and the gateway server (config-first) when both OPENCLAW_GATEWAY_TOKEN and gateway.auth.token are set. The implementation is correct and the two new tests in doctor-security.test.ts cover the main cases for noteSecurityWarnings. The only gap is that the parallel SecurityAuditFinding path in audit-gateway-config.ts has no new test despite existing test infrastructure in audit-gateway.test.ts.

Confidence Score: 4/5

Safe to merge; the logic is correct and well-scoped, with only a missing test for the audit finding.

Only P2 findings — a missing test for the new collectGatewayConfigFindings path. Implementation logic and existing tests are sound.

src/security/audit-gateway-config.ts — needs a test in audit-gateway.test.ts for the new gateway.env_token_overrides_config finding.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/security/audit-gateway-config.ts
Line: 119-132

Comment:
**Missing test coverage for new audit finding**

The new `gateway.env_token_overrides_config` finding in `collectGatewayConfigFindings` has no corresponding test. The existing `audit-gateway.test.ts` file already has helpers (`hasFinding`, `hasFindingWithSeverity`, `withEnvAsync`) that make it straightforward to add cases — one where both `OPENCLAW_GATEWAY_TOKEN` env and `sourceConfig.gateway.auth.token` are set (expecting the finding), and one where only the env token is set (expecting no finding). Without these tests the audit path could regress silently.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(doctor): warn when OPENCLAW_GATEWAY_..." | Re-trigger Greptile}

[greptile-apps]

Missing test coverage for new audit finding

The new gateway.env_token_overrides_config finding in collectGatewayConfigFindings has no corresponding test. The existing audit-gateway.test.ts file already has helpers (hasFinding, hasFindingWithSeverity, withEnvAsync) that make it straightforward to add cases — one where both OPENCLAW_GATEWAY_TOKEN env and sourceConfig.gateway.auth.token are set (expecting the finding), and one where only the env token is set (expecting no finding). Without these tests the audit path could regress silently.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/audit-gateway-config.ts
Line: 119-132

Comment:
**Missing test coverage for new audit finding**

The new `gateway.env_token_overrides_config` finding in `collectGatewayConfigFindings` has no corresponding test. The existing `audit-gateway.test.ts` file already has helpers (`hasFinding`, `hasFindingWithSeverity`, `withEnvAsync`) that make it straightforward to add cases — one where both `OPENCLAW_GATEWAY_TOKEN` env and `sourceConfig.gateway.auth.token` are set (expecting the finding), and one where only the env token is set (expecting no finding). Without these tests the audit path could regress silently.

How can I resolve this? If you propose a fix, please make it concise.

[clawsweeper]

Codex review: passed.

Summary
The PR adds a shared gateway token-source conflict diagnostic, wires it into doctor, status, and security audit, adds regression tests, and updates CHANGELOG.md.

Reproducibility: yes. Source inspection shows current main has the env-first CLI/config-first server precedence split and no conflict diagnostic; this read-only review did not run a live CLI scenario.

Real behavior proof
Override: The PR has the proof: override label, and the exact-head Real behavior proof check is now successful.

Next step before merge
No repair lane is needed: the PR is automerge-opted, proof override is present, and remaining work is exact-head CI/merge gating.

Security
Cleared: The diff adds redacted diagnostics, tests, and a changelog entry without new dependencies, workflow changes, secret exposure, or package-resolution changes.

Review details

Best possible solution:

Land this diagnostic after exact-head CI and mergeability are green, then let the merged PR close #74271.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main has the env-first CLI/config-first server precedence split and no conflict diagnostic; this read-only review did not run a live CLI scenario.

Is this the best way to solve the issue?

Yes. Centralizing the redacted conflict helper and reusing it in doctor, status, and audit is the narrow maintainable approach, with guards for same-source SecretRefs and remote mode.

What I checked:

• Current-main CLI precedence: Local credential resolution reads OPENCLAW_GATEWAY_TOKEN and defaults token/password precedence to env-first for non-service CLI callers. (src/gateway/credentials.ts:82, 7d5ca3064a51)
• Current-main server precedence: Gateway auth resolution calls resolveGatewayCredentialsFromValues with tokenPrecedence/passwordPrecedence set to config-first, which can diverge from local CLI callers. (src/gateway/auth-resolve.ts:63, 7d5ca3064a51)
• Documented credential contract: The remote gateway docs document local-mode token precedence as OPENCLAW_GATEWAY_TOKEN before gateway.auth.token, and remote-mode precedence separately. Public docs: docs/gateway/remote.md. (docs/gateway/remote.md:115, 7d5ca3064a51)
• Current-main diagnostic gap: Current main returns only existing config diagnostics from status scan and has no gateway.env_token_overrides_config/auth-token-source-conflict helper or override warning. (src/commands/status.scan.config-shared.ts:48, 7d5ca3064a51)
• PR helper scope: The PR helper only reports a local-mode token-source conflict when OPENCLAW_GATEWAY_TOKEN is set, token auth can matter, config has a different token source/value, and config does not point at the same env SecretRef. (src/gateway/auth-token-source-conflict.ts:15, b665be3f6284)
• PR wiring and tests: The diff wires the helper into doctor, status secretDiagnostics, and gateway security audit, with tests for conflict, env-only suppression, same-env SecretRef suppression, and remote-mode suppression. (src/commands/doctor-security.test.ts:151, b665be3f6284)

Likely related people:

• steipete: Recent gateway credential, status helper, and gateway audit history repeatedly touches the precedence and diagnostic surfaces this PR extends. (role: recent maintainer and feature-history owner; confidence: high; commits: 1dd5fea7599d, e0cc374b07c1, 72dcf9422138; files: src/gateway/credentials.ts, src/gateway/auth-resolve.ts, src/commands/status.scan.config-shared.ts)
• vincentkoc: Recent commits touch gateway startup/auth import structure, gateway audit behavior, and remote/auth override behavior adjacent to this diagnostic. (role: adjacent gateway auth and audit maintainer; confidence: medium; commits: 1497425b8dbb, 7b18bd03bb6c, a19a7f5e6e4f; files: src/gateway/auth-resolve.ts, src/security/audit-gateway-config.ts, src/gateway/credentials.ts)
• joshavant: The gateway SecretRef expansion work added or maintained the config SecretRef helpers and gateway credential paths that this PR deliberately preserves. (role: SecretRef contract owner; confidence: medium; commits: 806803b7efe2; files: src/config/types.secrets.ts, src/gateway/credentials.ts, src/gateway/startup-auth.ts)

Remaining risk / open question:

• This read-only review did not run local tests; at inspection, 25 of 88 exact-head GitHub check runs for b665be3 were still queued.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7d5ca3064a51.

[sallyom]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25387644364
• Updated: 2026-05-05T16:11:30.039Z

[sallyom]

@clawsweeper automerge

[clawsweeper]

ClawSweeper 🐠 automerge status

ClawSweeper finished this automerge repair pass without changing the branch.

Executor outcome: no planned fix actions.
Worker summary: No repair artifact is needed. The hydrated preflight shows this PR is already closed as merged and #74271 is already closed immediately after that merge. The current checkout is on main at the artifact main SHA and contains the gateway token conflict diagnostic plus the audit/doctor/status regression coverage, including the Greptile-requested audit test path.

Worker actions:

• keep_closed on this PR: skipped - Already merged and closed; merge is blocked for this worker and there is no remaining repair action to emit.
• keep_closed on #74271: skipped - Already closed by the merged canonical PR; closure actions are blocked by job policy and invalid for already-closed refs.

This pass stayed observational only. No branch push, replacement, merge, or re-review was started.

fish notes: model gpt-5.5, reasoning high.

Automerge progress:

• 2026-05-05 16:54:14 UTC review queued 9929dd00ab52 (queued)

• 2026-05-05 16:55:46 UTC repair queued 9929dd00ab52 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/25390201380

• 2026-05-05 16:56:12 UTC review passed 9929dd00ab52 (structured ClawSweeper verdict: pass (sha=9929dd00ab528f30e8d9cbec28442370afc32...)

• 2026-05-05 18:47:59 UTC review passed b665be3f6284 (structured ClawSweeper verdict: pass (sha=b665be3f6284a1f00c97ab87a1d0260c4c6b9...)

• 2026-05-05 18:54:28 UTC review queued b665be3f6284 (queued)

• 2026-05-05 22:37:34 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/25390201380 automerge-openclaw-openclaw-74433

• 2026-05-05 22:37:36 UTC repair completed (no branch change) in 2s Run: https://github.com/openclaw/clawsweeper/actions/runs/25390201380 no planned fix actions