
fix(doctor): reconcile gateway service token drift after re-pair #18525

Merged
steipete merged 1 commit into openclaw:main from norunners:fix/doctor-gateway-service-token-drift
Feb 16, 2026


@norunners norunners commented Feb 16, 2026

Summary

  • Problem: after re-pairing or token rotation, the gateway service environment token (OPENCLAW_GATEWAY_TOKEN) can drift from gateway.auth.token in openclaw.json.
  • Why it matters: doctor audited service runtime/path settings but did not detect token drift, so local gateway auth could fail with unauthorized token mismatch during cron/tool calls.
  • What changed: added token-drift auditing in service audit (gateway-token-mismatch) and wired doctor service audit to pass cfg.gateway.auth.token as the expected authoritative token.
  • What did NOT change (scope boundary): no changes to pairing token format/protocol, no auth mode defaults, no channel routing behavior changes.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

  • openclaw doctor now detects when the installed gateway service token env is stale or missing compared to gateway.auth.token in config, and offers the existing service repair/update flow.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (Yes)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:
    • Risk: false-positive token mismatch prompts service reinstall.
    • Mitigation: drift check only applies when config token exists; repair remains behind existing doctor confirmation flow.

Repro + Verification

Environment

  • OS: macOS (development)
  • Runtime/container: Node + pnpm + Vitest
  • Model/provider: N/A
  • Integration/channel (if any): local gateway service config path
  • Relevant config (redacted): gateway.auth.mode=token, gateway.auth.token=<redacted>

Steps

  1. Configure gateway.auth.token with a new value in openclaw.json.
  2. Leave installed gateway service with old OPENCLAW_GATEWAY_TOKEN env value.
  3. Run doctor service audit/repair path.

Expected

  • Doctor reports token drift and repairs service env to match config token.

Actual

  • After this change, audit emits gateway-token-mismatch and doctor uses config token as source of truth when rebuilding service environment.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Tests:

  • pnpm test src/daemon/service-audit.test.ts src/commands/doctor-gateway-services.test.ts
  • Result: 2 files passed, 6 tests passed

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios:
    • mismatch is flagged when service token differs from config token
    • no mismatch when tokens match
    • doctor service repair passes config token into audit/install plan
  • Edge cases checked:
    • expected token unset => no mismatch check
    • service token missing => mismatch flagged
  • What you did not verify:
    • live end-to-end systemd repair on Linux host in this change
    • full pnpm build && pnpm check && pnpm test suite run

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly:
    • revert this PR commit
  • Files/config to restore:
    • src/daemon/service-audit.ts
    • src/commands/doctor-gateway-services.ts
  • Known bad symptoms reviewers should watch for:
    • doctor repeatedly flags token mismatch despite synchronized service config and config token

Risks and Mitigations

  • Risk:
    • Over-triggered repair prompts in custom service setups.
  • Mitigation:
    • Repair is still confirmation-gated and the issue level remains recommended.

AI-assistance disclosure:

  • AI-assisted PR
  • Testing level: lightly tested (targeted tests for changed areas)
  • Reviewed and understood changed code paths

Greptile Summary

Adds token drift detection to the gateway service audit, treating gateway.auth.token in openclaw.json as the authoritative source. When openclaw doctor runs, it now compares the service's OPENCLAW_GATEWAY_TOKEN environment variable against the config token and flags mismatches for repair.

  • Added gatewayTokenMismatch audit code to detect when service token differs from config token
  • New auditGatewayToken function performs the comparison (only when expected token is set)
  • maybeRepairGatewayServiceConfig now passes cfg.gateway?.auth?.token to audit
  • Token repair uses the same confirmation-gated service install flow as other service issues
  • Tests cover both mismatch detection and matching token scenarios

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The change is well-scoped, adds a straightforward comparison check, includes comprehensive tests, and follows existing patterns. The token comparison logic correctly handles edge cases (missing/empty tokens) and only triggers when an expected token is provided. The repair flow is already confirmation-gated.
  • No files require special attention

Last reviewed commit: ab9860f


@openclaw-barnacle bot added the gateway (Gateway runtime), commands (Command implementations) and size: S labels Feb 16, 2026

`openclaw doctor` audited gateway service runtime/path settings but did not
check whether the daemon's `OPENCLAW_GATEWAY_TOKEN` matched
`gateway.auth.token` in `openclaw.json`.

After re-pairing or token rotation, the config token and service env token can
drift. The daemon may keep running with a stale service token, leading to
unauthorized handshake failures for cron/tool clients.

Add a gateway service audit check for token drift and pass
`cfg.gateway.auth.token` into service audits so doctor treats config as the
source of truth when deciding whether to reinstall the service.

Key design decisions:
- Use `gateway.auth.token` from `openclaw.json` as the authority for service
  token drift detection
- Only flag mismatch when an authoritative config token exists
- Keep fix in existing doctor service-repair flow (no separate migration step)
- Add focused tests for both audit mismatch behavior and doctor wiring

Fixes openclaw#18175
@norunners norunners force-pushed the fix/doctor-gateway-service-token-drift branch from ab9860f to 94e37b2 Compare February 16, 2026 21:40
@steipete steipete merged commit d799a39 into openclaw:main Feb 16, 2026
23 checks passed
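
The drift check described in this PR, sketched as an added example; it is not code from the PR or the openclaw repository. `checkGatewayTokenDrift`, `AuditIssue`, the whitespace trimming and the digest-based comparison are assumptions; the issue code `gateway-token-mismatch`, the `recommended` level and the config/env names come from the page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical shape for this sketch; not the project's own type.
type AuditIssue = { code: string; level: "recommended"; message: string };

// Assumption: unset, empty and whitespace-only values all count as "no token".
function normalizeToken(value: string | undefined): string | undefined {
  const trimmed = value?.trim();
  return trimmed ? trimmed : undefined;
}

// Compare fixed-length digests so the comparison does not depend on
// token length or on where the first differing byte sits.
function tokensEqual(a: string, b: string): boolean {
  const da = createHash("sha256").update(a, "utf8").digest();
  const db = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(da, db);
}

// expectedToken: gateway.auth.token from openclaw.json (source of truth).
// serviceEnv: environment block of the installed gateway service.
function checkGatewayTokenDrift(
  expectedToken: string | undefined,
  serviceEnv: Record<string, string | undefined>,
): AuditIssue | undefined {
  const expected = normalizeToken(expectedToken);
  if (!expected) return undefined; // no authoritative token: skip the check

  const actual = normalizeToken(serviceEnv["OPENCLAW_GATEWAY_TOKEN"]);
  if (actual && tokensEqual(expected, actual)) return undefined;

  // Report presence only; never echo either token into doctor output.
  return {
    code: "gateway-token-mismatch",
    level: "recommended",
    message: actual
      ? "OPENCLAW_GATEWAY_TOKEN in the service differs from gateway.auth.token"
      : "OPENCLAW_GATEWAY_TOKEN is missing from the service environment",
  };
}

// Constructed sample values, not real tokens.
const sampleConfigToken = "new-token-after-re-pair";
const staleServiceEnv = { OPENCLAW_GATEWAY_TOKEN: "old-token-before-re-pair" };
console.log(checkGatewayTokenDrift(sampleConfigToken, staleServiceEnv)?.code);
```
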

Development

Successfully merging this pull request may close these issues.

[Bug]: Device token mismatch after re-pairing - cron tool fails with "unauthorized: device token mismatch"
