fix: honor gateway env token for doctor/security

Co-authored-by: azade-c <azade-c@users.noreply.github.com>

CHANGELOG.md

@@ -33,6 +33,7 @@ Docs: https://docs.clawd.bot
 - Agents: surface concrete API error details instead of generic AI service errors.
 - Exec approvals: allow per-segment allowlists for chained shell commands on gateway + node hosts. (#1458) Thanks @czekaj.
 - Agents: make OpenAI sessions image-sanitize-only; gate tool-id/repair sanitization by provider.
+- Doctor: honor CLAWDBOT_GATEWAY_TOKEN for auth checks and security audit token reuse. (#1448) Thanks @azade-c.
 - Agents: make tool summaries more readable and only show optional params when set.
 - Agents: centralize transcript sanitization in the runner; keep <final> tags and error turns intact.
 - Mattermost (plugin): enforce pairing/allowlist gating, keep @username targets, and clarify plugin-only docs. (#1428) Thanks @damoahdominic.

src/auto-reply/reply.block-streaming.test.ts

@@ -42,7 +42,7 @@ describe("block streaming", () => {
   });
 
   async function waitForCalls(fn: () => number, calls: number) {
-    const deadline = Date.now() + 1500;
+    const deadline = Date.now() + 5000;
     while (fn() < calls) {
       if (Date.now() > deadline) {
         throw new Error(`Expected ${calls} call(s), got ${fn()}`);

src/commands/doctor.ts

@@ -13,6 +13,7 @@ import { formatCliCommand } from "../cli/command-format.js";
 import type { ClawdbotConfig } from "../config/config.js";
 import { CONFIG_PATH_CLAWDBOT, readConfigFileSnapshot, writeConfigFile } from "../config/config.js";
 import { resolveGatewayService } from "../daemon/service.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
 import { buildGatewayConnectionDetails } from "../gateway/call.js";
 import { resolveClawdbotPackageRoot } from "../infra/clawdbot-root.js";
 import type { RuntimeEnv } from "../runtime.js";
@@ -111,10 +112,11 @@ export async function doctorCommand(
     note(gatewayDetails.remoteFallbackNote, "Gateway");
   }
   if (resolveMode(cfg) === "local") {
-    const authMode = cfg.gateway?.auth?.mode;
+    const auth = resolveGatewayAuth({
-    const token =
+      authConfig: cfg.gateway?.auth,
-      typeof cfg.gateway?.auth?.token === "string" ? cfg.gateway?.auth?.token.trim() : "";
+      tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
-    const needsToken = authMode !== "password" && (authMode !== "token" || !token);
+    });
+    const needsToken = auth.mode !== "password" && (auth.mode !== "token" || !auth.token);
     if (needsToken) {
       note(
         "Gateway auth is off or missing a token. Token auth is now the recommended default (including loopback).",

src/commands/doctor.warns-state-directory-is-missing.test.ts

@@ -389,4 +389,39 @@ describe("doctor command", () => {
     );
     expect(warned).toBe(true);
   });
+
+  it("skips gateway auth warning when CLAWDBOT_GATEWAY_TOKEN is set", async () => {
+    readConfigFileSnapshot.mockResolvedValue({
+      path: "/tmp/clawdbot.json",
+      exists: true,
+      raw: "{}",
+      parsed: {},
+      valid: true,
+      config: {
+        gateway: { mode: "local" },
+      },
+      issues: [],
+      legacyIssues: [],
+    });
+
+    const prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
+    process.env.CLAWDBOT_GATEWAY_TOKEN = "env-token-1234567890";
+    note.mockClear();
+
+    try {
+      const { doctorCommand } = await import("./doctor.js");
+      await doctorCommand(
+        { log: vi.fn(), error: vi.fn(), exit: vi.fn() },
+        { nonInteractive: true, workspaceSuggestions: false },
+      );
+    } finally {
+      if (prevToken === undefined) delete process.env.CLAWDBOT_GATEWAY_TOKEN;
+      else process.env.CLAWDBOT_GATEWAY_TOKEN = prevToken;
+    }
+
+    const warned = note.mock.calls.some(([message]) =>
+      String(message).includes("Gateway auth is off or missing a token"),
+    );
+    expect(warned).toBe(false);
+  });
 });

src/security/audit-extra.ts

@@ -17,6 +17,7 @@ import {
   resolveSandboxConfigForAgent,
   resolveSandboxToolPolicyForAgent,
 } from "../agents/sandbox.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
 import { INCLUDE_KEY, MAX_INCLUDE_DEPTH } from "../config/includes.js";
 import { normalizeAgentId } from "../routing/session-key.js";
@@ -186,9 +187,15 @@ export function collectHooksHardeningFindings(cfg: ClawdbotConfig): SecurityAudi
     });
   }
 
+  const gatewayAuth = resolveGatewayAuth({
+    authConfig: cfg.gateway?.auth,
+    tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+  });
   const gatewayToken =
-    typeof cfg.gateway?.auth?.token === "string" && cfg.gateway.auth.token.trim()
+    gatewayAuth.mode === "token" &&
-      ? cfg.gateway.auth.token.trim()
+    typeof gatewayAuth.token === "string" &&
+    gatewayAuth.token.trim()
+      ? gatewayAuth.token.trim()
       : null;
   if (token && gatewayToken && token === gatewayToken) {
     findings.push({

src/security/audit.test.ts

@@ -656,6 +656,31 @@ describe("security audit", () => {
     );
   });
 
+  it("warns when hooks token reuses the gateway env token", async () => {
+    const prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
+    process.env.CLAWDBOT_GATEWAY_TOKEN = "shared-gateway-token-1234567890";
+    const cfg: ClawdbotConfig = {
+      hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
+    };
+
+    try {
+      const res = await runSecurityAudit({
+        config: cfg,
+        includeFilesystem: false,
+        includeChannelSecurity: false,
+      });
+
+      expect(res.findings).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({ checkId: "hooks.token_reuse_gateway_token", severity: "warn" }),
+        ]),
+      );
+    } finally {
+      if (prevToken === undefined) delete process.env.CLAWDBOT_GATEWAY_TOKEN;
+      else process.env.CLAWDBOT_GATEWAY_TOKEN = prevToken;
+    }
+  });
+
   it("warns when state/config look like a synced folder", async () => {
     const cfg: ClawdbotConfig = {};