




























@@ -26,6 +26,7 @@ describe("noteSecurityWarnings gateway exposure", () => {
2626let prevToken: string | undefined;
2727let prevPassword: string | undefined;
2828let prevHome: string | undefined;
29+let prevServiceKind: string | undefined;
29303031beforeEach(() => {
3132note.mockClear();
@@ -35,8 +36,10 @@ describe("noteSecurityWarnings gateway exposure", () => {
3536prevToken = process.env.OPENCLAW_GATEWAY_TOKEN;
3637prevPassword = process.env.OPENCLAW_GATEWAY_PASSWORD;
3738prevHome = process.env.HOME;
39+prevServiceKind = process.env.OPENCLAW_SERVICE_KIND;
3840delete process.env.OPENCLAW_GATEWAY_TOKEN;
3941delete process.env.OPENCLAW_GATEWAY_PASSWORD;
42+delete process.env.OPENCLAW_SERVICE_KIND;
4043});
41444245afterEach(() => {
@@ -55,6 +58,11 @@ describe("noteSecurityWarnings gateway exposure", () => {
5558} else {
5659process.env.HOME = prevHome;
5760}
61+if (prevServiceKind === undefined) {
62+delete process.env.OPENCLAW_SERVICE_KIND;
63+} else {
64+process.env.OPENCLAW_SERVICE_KIND = prevServiceKind;
65+}
5866});
59676068const lastMessage = () => String(note.mock.calls.at(-1)?.[0] ?? "");
@@ -151,7 +159,7 @@ describe("noteSecurityWarnings gateway exposure", () => {
151159expect(message).not.toContain("CRITICAL");
152160});
153161154-it("warns when OPENCLAW_GATEWAY_TOKEN env overrides gateway.auth.token config (#74271)", async () => {
162+it("warns when OPENCLAW_GATEWAY_TOKEN env conflicts with gateway.auth.token config (#74271)", async () => {
155163process.env.OPENCLAW_GATEWAY_TOKEN = "env-token-123";
156164const cfg = {
157165gateway: {
@@ -162,8 +170,9 @@ describe("noteSecurityWarnings gateway exposure", () => {
162170} as OpenClawConfig;
163171await noteSecurityWarnings(cfg);
164172const message = lastMessage();
165-expect(message).toContain("OPENCLAW_GATEWAY_TOKEN overrides");
166-expect(message).toContain("env-first precedence");
173+expect(message).toContain("OPENCLAW_GATEWAY_TOKEN conflicts with gateway.auth.token");
174+expect(message).toContain("Direct local Gateway clients commonly prefer the env token");
175+expect(message).toContain("~/.openclaw/.env");
167176});
168177169178it("does not warn when only env token is set without config token", async () => {
@@ -174,6 +183,21 @@ describe("noteSecurityWarnings gateway exposure", () => {
174183expect(message).not.toContain("OPENCLAW_GATEWAY_TOKEN overrides");
175184});
176185186+it("does not warn inside the managed gateway service credential context", async () => {
187+process.env.OPENCLAW_GATEWAY_TOKEN = "env-token-123";
188+process.env.OPENCLAW_SERVICE_KIND = "gateway";
189+const cfg = {
190+gateway: {
191+auth: {
192+token: "config-token-456",
193+},
194+},
195+} as OpenClawConfig;
196+await noteSecurityWarnings(cfg);
197+const message = lastMessage();
198+expect(message).not.toContain("OPENCLAW_GATEWAY_TOKEN conflicts");
199+});
200+177201it("does not warn when config token uses OPENCLAW_GATEWAY_TOKEN SecretRef", async () => {
178202process.env.OPENCLAW_GATEWAY_TOKEN = "env-token-123";
179203const cfg = {
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。