fix: keep node systemd gateway tokens out of units#78044

Closed
coygeek wants to merge 3 commits into openclaw:main from coygeek:fix/cr-csb-node-daemon-service-token-leak

Conversation

@coygeek coygeek commented May 5, 2026

Summary

  • Keep the Linux node daemon gateway token out of generated user systemd unit Environment= lines.
  • Carry node install environment source metadata through the install path so OPENCLAW_GATEWAY_TOKEN is written to the existing owner-only service env file.
  • Sanitize existing vulnerable inline token entries out of .bak unit backups during re-stage or upgrade.

Linked Issue

Security Impact

  • Secrets/tokens handling changed: Yes.
  • New permissions/capabilities: No.
  • Data access scope changed: No.

The change moves the node daemon gateway token from a readable unit-file inline environment entry into the existing 0600 service env file path. Non-secret service environment values remain inline, and stale managed token values are removed when the current install omits them.

Tests

  • OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/commands/node-daemon-install-helpers.test.ts src/daemon/systemd.test.ts
  • pnpm exec oxfmt --check --threads=1 src/commands/node-daemon-install-helpers.ts src/commands/node-daemon-install-helpers.test.ts src/cli/node-cli/daemon.ts src/daemon/node-service.ts src/daemon/systemd.ts src/daemon/systemd.test.ts docs/cli/node.md CHANGELOG.md
  • Stage 4 gate: pnpm exec oxlint src/ && pnpm build && pnpm check && pnpm test

Stage 4 completed with passed_with_baseline_failures: pnpm build and pnpm check passed; lint and test failures were classified as pre-existing baseline failures with 0 new failures.

Notes

  • The branch was rebased and tested against current upstream source commit 7188e4f4ad87a51a11d3dc3c7909fd79ea01d6e9.
  • The submitted issue was refreshed against release v2026.5.4 before publish.
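The placement described in the PR body, as an added example that is not the project's own code: keys whose value source is `file` are written to an owner-only env file referenced by `EnvironmentFile=`, only non-secret keys are rendered as inline `Environment=` lines, and a stale inline token entry is filtered out of an older (.bak) unit while unrelated entries are kept. The function names, the env-file path and the sample values are assumptions made for this example.

```typescript
// Added example (not openclaw's implementation); names and paths are hypothetical.
type ValueSource = "inline" | "file";

interface RenderResult {
  unit: string;        // unit text: inline Environment= lines for non-secret keys only
  envFile: string;     // contents destined for the owner-only service env file
  envFileMode: number; // mode the env file must be created with
}

// Hypothetical location of the service env file; systemd expands %h to $HOME.
const ENV_FILE_PATH = "%h/.config/openclaw/node-service.env";

function renderNodeUnit(
  env: Record<string, string>,
  sources: Record<string, ValueSource>,
): RenderResult {
  const inlineLines: string[] = [];
  const fileLines: string[] = [];
  for (const [key, value] of Object.entries(env)) {
    // Keys with no source metadata keep the historical inline behaviour.
    if ((sources[key] ?? "inline") === "file") {
      fileLines.push(`${key}=${value}`);
    } else {
      inlineLines.push(`Environment=${key}=${value}`);
    }
  }
  const unit = [
    "[Service]",
    ...inlineLines,
    ...(fileLines.length > 0 ? [`EnvironmentFile=${ENV_FILE_PATH}`] : []),
    "ExecStart=/usr/bin/openclaw node run",
  ].join("\n");
  const envFile = fileLines.length > 0 ? fileLines.join("\n") + "\n" : "";
  return { unit, envFile, envFileMode: 0o600 };
}

// Strip inline Environment= entries for file-managed keys from an older unit
// (for example a .bak written before the fix), keeping every other line.
function sanitizeBackupUnit(unitText: string, fileManagedKeys: string[]): string {
  const managed = new Set(fileManagedKeys);
  return unitText
    .split("\n")
    .filter((line) => {
      // Accept both Environment=KEY=value and Environment="KEY=value" forms.
      const m = /^Environment="?([A-Za-z_][A-Za-z0-9_]*)=/.exec(line.trim());
      return !(m !== null && managed.has(m[1]));
    })
    .join("\n");
}

// Constructed sample input (not a real credential).
const demo = renderNodeUnit(
  { OPENCLAW_GATEWAY_TOKEN: "example-token", OPENCLAW_NODE_NAME: "lab-node" },
  { OPENCLAW_GATEWAY_TOKEN: "file" },
);
```

`demo.unit` contains `Environment=OPENCLAW_NODE_NAME=lab-node` and an `EnvironmentFile=` line but no token text; the token appears only in `demo.envFile`, which must be created with mode 0600.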

coygeek added 3 commits May 5, 2026 11:18
Remove file-backed managed systemd environment keys from .bak units during restage so upgrades from inline-token units do not preserve leaked gateway tokens.

Add regression coverage for restaging over a vulnerable unit while preserving unrelated environment entries.
@openclaw-barnacle openclaw-barnacle (Bot) added labels docs (Improvements or additions to documentation), gateway (Gateway runtime), cli (CLI command changes), commands (Command implementations), triage: needs-real-behavior-proof (Candidate: external PR needs after-fix proof from a real setup.) and size: M on May 5, 2026
@coygeek coygeek changed the title from "fix: Linux node daemon install inlines gateway token into user..." to "fix: keep node systemd gateway tokens out of units" on May 5, 2026
clawsweeper Bot commented May 5, 2026

Codex review: needs real behavior proof before merge.

Summary
The PR marks the node daemon gateway token as file-backed systemd service environment metadata, forwards that metadata through node install, sanitizes stale backup units, and updates tests, docs, and changelog.

Reproducibility: yes for source-level reproduction: current main copies OPENCLAW_GATEWAY_TOKEN into the node service environment, omits node source metadata, and renders remaining systemd env inline. I did not run a live Linux user-systemd install in this read-only review.

Real behavior proof
Needs real behavior proof before merge: The PR body and comments provide tests and gate output, but no after-fix real Linux systemd transcript, file dump, logs, recording, or terminal output showing the changed credential placement. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
This is a focused security fix PR, but the remaining blocker is contributor or maintainer real Linux systemd proof rather than an automated code repair.

Security
Cleared: The diff narrows credential exposure and does not add dependencies, workflow changes, broader permissions, or new code-execution sources.

Review details

Best possible solution:

Land this PR or an equivalent narrow fix once redacted Linux user-systemd proof shows the node gateway token only in the owner-only env file and stale unit/backups sanitized.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level reproduction: current main copies OPENCLAW_GATEWAY_TOKEN into the node service environment, omits node source metadata, and renders remaining systemd env inline. I did not run a live Linux user-systemd install in this read-only review.

Is this the best way to solve the issue?

Yes: using the existing environmentValueSources contract and 0600 systemd service env-file path is the narrow maintainable fix, and backup sanitization addresses upgrade residue. Merge should still wait for real behavior proof because the path handles a gateway credential.

What I checked:

  • Current main copies the node token into service env: buildNodeServiceEnvironment() normalizes env.OPENCLAW_GATEWAY_TOKEN and returns it as OPENCLAW_GATEWAY_TOKEN, so the node install plan can carry a gateway bearer secret into service rendering. (src/daemon/service-env.ts:443, 0ad3d25fb7cd)
  • Current main lacks node env source metadata: NodeInstallPlan only has environment, and buildNodeInstallPlan() returns no environmentValueSources, leaving the token indistinguishable from ordinary inline env on the node path. (src/commands/node-daemon-install-helpers.ts:12, 0ad3d25fb7cd)
  • Current main passes node env to service install inline: runNodeDaemonInstall() passes environment to service.install() without source metadata, so the shared systemd writer only sees a normal service environment map. (src/cli/node-cli/daemon.ts:139, 0ad3d25fb7cd)
  • Current main systemd renderer leaves non-file-managed values inline: writeSystemdUnit() filters dotenv/env-file backed entries but then passes remaining values into buildSystemdUnit(), whose renderEnvLines() emits Environment=<key>=<value> lines. (src/daemon/systemd.ts:594, 0ad3d25fb7cd)
  • PR marks and forwards node token as file-backed: On the PR head, buildNodeInstallEnvironmentValueSources() marks OPENCLAW_GATEWAY_TOKEN as file, and runNodeDaemonInstall() forwards environmentValueSources into service install. (src/commands/node-daemon-install-helpers.ts:21, 3949a9fb6be1)
  • PR writes file-backed env and sanitizes backups: On the PR head, systemd staging collects file-managed keys, writes file-backed values to the service env file, removes those keys from inline unit rendering, and filters them from .bak unit content. (src/daemon/systemd.ts:617, 3949a9fb6be1)

Likely related people:

  • liuxiaopai-ai: Authored the commit that added node install persistence for OPENCLAW_GATEWAY_TOKEN, the behavior this PR now needs to render safely on systemd. (role: introduced behavior; confidence: high; commits: f1354869bd73; files: src/daemon/service-env.ts, src/daemon/service-env.test.ts, CHANGELOG.md)
  • steipete: Introduced the exec host routing/node daemon feature and has recent service-env and node install path work around the affected files. (role: feature introducer and recent area contributor; confidence: high; commits: ae0b4c49903d, 4b8856ecbb92, 85ce75c005a2; files: src/commands/node-daemon-install-helpers.ts, src/daemon/service-env.ts, src/daemon/node-service.ts)
  • hclsys: Authored the recent systemd env-file preservation and managed-key cleanup behavior that this PR extends for file-backed token cleanup. (role: adjacent systemd env-file contributor; confidence: high; commits: f8f881f63fab; files: src/daemon/systemd.ts, src/daemon/systemd.test.ts, src/daemon/service-managed-env.ts)
  • tmimmanuel: Authored earlier systemd hardening to avoid inline dotenv secrets in unit files, directly adjacent to this credential-rendering surface. (role: prior related systemd hardening contributor; confidence: medium; commits: a2ab9e6a8e4c; files: src/daemon/systemd.ts, src/daemon/systemd-unit.ts, src/daemon/systemd.test.ts)

Remaining risk / open question:

  • No after-fix real Linux user-systemd proof is attached for the unit, .bak, and 0600 env-file state.
  • The related issue's newest confirmation supports the vulnerable state, but it is not proof that this PR fixes the behavior in a real install.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0ad3d25fb7cd.

coygeek commented May 21, 2026

Another PR #84815 was merged to fix my issue.

Closing this PR.

@coygeek coygeek closed this May 21, 2026
Successfully merging this pull request may close these issues.

[Bug]: Linux node daemon install inlines gateway token into user systemd unit