fix(gateway): read CLAWDIS_GATEWAY_PASSWORD from env

The CLI client (callGateway) now reads password from:
1. opts.password (explicit parameter)
2. CLAWDIS_GATEWAY_PASSWORD env var (NEW)
3. remote.password from config

This allows CLI commands like doctor/health to authenticate
without needing a --password flag when the env var is set.

Fixes auth issues for users with password-protected gateways.

CHANGELOG.md

@@ -29,6 +29,7 @@
 - Browser tools: add remote CDP URL support, Linux launcher options (`executablePath`, `noSandbox`), and surface `cdpUrl` in status.
 
 ### Fixes
+- Gateway CLI: read `CLAWDIS_GATEWAY_PASSWORD` from environment in `callGateway()` — allows `doctor`/`health` commands to auth without explicit `--password` flag.
 - Skills: switch imsg installer to brew tap formula.
 - Skills: gate macOS-only skills by OS and surface block reasons in the Skills UI.
 - Onboarding: show skill descriptions in the macOS setup flow and surface clearer Gateway/skills error messages.

src/gateway/call.ts

@@ -42,6 +42,14 @@ export async function callGateway<T = unknown>(
     (typeof remote?.token === "string" && remote.token.trim().length > 0
       ? remote.token.trim()
       : undefined);
+  const password =
+    (typeof opts.password === "string" && opts.password.trim().length > 0
+      ? opts.password.trim()
+      : undefined) ||
+    process.env.CLAWDIS_GATEWAY_PASSWORD ||
+    (typeof remote?.password === "string" && remote.password.trim().length > 0
+      ? remote.password.trim()
+      : undefined);
   return await new Promise<T>((resolve, reject) => {
     let settled = false;
     let ignoreClose = false;
@@ -56,7 +64,7 @@ export async function callGateway<T = unknown>(
     const client = new GatewayClient({
       url,
       token,
-      password: opts.password,
+      password,
       instanceId: opts.instanceId ?? randomUUID(),
       clientName: opts.clientName ?? "cli",
       clientVersion: opts.clientVersion ?? "dev",