fix: honor gateway env token for doctor/security

Co-authored-by: azade-c <azade-c@users.noreply.github.com>
2026-01-23 03:13:44 +00:00
parent f1deffa681
commit ec2c69c230
6 changed files with 77 additions and 7 deletions
--- a/src/commands/doctor.ts
+++ b/src/commands/doctor.ts
@@ -13,6 +13,7 @@ import { formatCliCommand } from "../cli/command-format.js";
 import type { ClawdbotConfig } from "../config/config.js";
 import { CONFIG_PATH_CLAWDBOT, readConfigFileSnapshot, writeConfigFile } from "../config/config.js";
 import { resolveGatewayService } from "../daemon/service.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
 import { buildGatewayConnectionDetails } from "../gateway/call.js";
 import { resolveClawdbotPackageRoot } from "../infra/clawdbot-root.js";
 import type { RuntimeEnv } from "../runtime.js";
@@ -111,10 +112,11 @@ export async function doctorCommand(
    note(gatewayDetails.remoteFallbackNote, "Gateway");
  }
  if (resolveMode(cfg) === "local") {
-    const authMode = cfg.gateway?.auth?.mode;
-    const token =
-      typeof cfg.gateway?.auth?.token === "string" ? cfg.gateway?.auth?.token.trim() : "";
-    const needsToken = authMode !== "password" && (authMode !== "token" || !token);
+    const auth = resolveGatewayAuth({
+      authConfig: cfg.gateway?.auth,
+      tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+    });
+    const needsToken = auth.mode !== "password" && (auth.mode !== "token" || !auth.token);
    if (needsToken) {
      note(
        "Gateway auth is off or missing a token. Token auth is now the recommended default (including loopback).",
--- a/src/commands/doctor.warns-state-directory-is-missing.test.ts
+++ b/src/commands/doctor.warns-state-directory-is-missing.test.ts
@@ -389,4 +389,39 @@ describe("doctor command", () => {
    );
    expect(warned).toBe(true);
  });
+
+  it("skips gateway auth warning when CLAWDBOT_GATEWAY_TOKEN is set", async () => {
+    readConfigFileSnapshot.mockResolvedValue({
+      path: "/tmp/clawdbot.json",
+      exists: true,
+      raw: "{}",
+      parsed: {},
+      valid: true,
+      config: {
+        gateway: { mode: "local" },
+      },
+      issues: [],
+      legacyIssues: [],
+    });
+
+    const prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
+    process.env.CLAWDBOT_GATEWAY_TOKEN = "env-token-1234567890";
+    note.mockClear();
+
+    try {
+      const { doctorCommand } = await import("./doctor.js");
+      await doctorCommand(
+        { log: vi.fn(), error: vi.fn(), exit: vi.fn() },
+        { nonInteractive: true, workspaceSuggestions: false },
+      );
+    } finally {
+      if (prevToken === undefined) delete process.env.CLAWDBOT_GATEWAY_TOKEN;
+      else process.env.CLAWDBOT_GATEWAY_TOKEN = prevToken;
+    }
+
+    const warned = note.mock.calls.some(([message]) =>
+      String(message).includes("Gateway auth is off or missing a token"),
+    );
+    expect(warned).toBe(false);
+  });
 });