Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(doctor): check CLAWDBOT_GATEWAY_TOKEN env var for token auth #1448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
azade-c wants to merge 1 commit into from
Closed

fix(doctor): check CLAWDBOT_GATEWAY_TOKEN env var for token auth #1448

azade-c wants to merge 1 commit into from
+3 −1

Conversation

@azade-c
Copy link
Contributor

@azade-c azade-c commented Jan 22, 2026

Problem

clawdbot doctor shows a false positive warning about missing gateway token when the token is set via CLAWDBOT_GATEWAY_TOKEN environment variable instead of in the config file.

◇  Gateway auth ──────────────────────────────────────────────────╮
│                                                                 │
│  Gateway auth is off or missing a token. Token auth is now the  │
│  recommended default (including loopback).                      │
│                                                                 │
├─────────────────────────────────────────────────────────────────╯

This is a common setup when you want to keep secrets out of version-controlled config files.

Solution

Check both gateway.auth.token config and CLAWDBOT_GATEWAY_TOKEN env var, matching the runtime behavior in src/gateway/auth.ts.

Testing

Verified that doctor no longer shows the warning when CLAWDBOT_GATEWAY_TOKEN is set in the environment.

@azade-c
fix(doctor): check CLAWDBOT_GATEWAY_TOKEN env var for token auth
0054e52 
Doctor now checks both config (gateway.auth.token) and environment
(CLAWDBOT_GATEWAY_TOKEN) when validating gateway token auth, matching
the runtime behavior in src/gateway/auth.ts.

This avoids false positives when the token is set via env var to keep
it out of version-controlled config files.
@steipete steipete self-assigned this Jan 23, 2026
@steipete
Copy link
Contributor

steipete commented Jan 23, 2026

Merged via fast-forward after rebasing on main.

  • Doctor now honors CLAWDBOT_GATEWAY_TOKEN for auth checks; security audit warns on token reuse.
  • Added coverage for doctor env token suppression + hooks token reuse check.
  • Stabilized reply.block-streaming test timeout.

Tests: pnpm lint && pnpm build && pnpm test

SHA: ec2c69c

@steipete
Copy link
Contributor

steipete commented Jan 23, 2026

Already merged to main in ec2c69c.

@steipete steipete closed this Jan 23, 2026
@azade-c azade-c deleted the fix/doctor-check-token-env branch January 23, 2026 23:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@steipete steipete

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@azade-c @steipete