refactor(daemon): extract gateway token drift helper

2026-03-08 00:27:41 +00:00
parent 02eef1d45a
commit 7ac7b39eff
3 changed files with 42 additions and 12 deletions
--- a/src/cli/daemon-cli/lifecycle-core.ts
+++ b/src/cli/daemon-cli/lifecycle-core.ts
@@ -5,12 +5,10 @@ import { checkTokenDrift } from "../../daemon/service-audit.js";
 import type { GatewayService } from "../../daemon/service.js";
 import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js";
 import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js";
-import {
-  isGatewaySecretRefUnavailableError,
-  resolveGatewayCredentialsFromConfig,
-} from "../../gateway/credentials.js";
+import { isGatewaySecretRefUnavailableError } from "../../gateway/credentials.js";
 import { isWSL } from "../../infra/wsl.js";
 import { defaultRuntime } from "../../runtime.js";
+import { resolveGatewayTokenForDriftCheck } from "./gateway-token-drift.js";
 import {
  buildDaemonServiceSnapshot,
  createNullWriter,
@@ -284,14 +282,7 @@ export async function runServiceRestart(params: {
      const command = await params.service.readCommand(process.env);
      const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN;
      const cfg = loadConfig();
-      const configToken = resolveGatewayCredentialsFromConfig({
-        cfg,
-        env: process.env,
-        modeOverride: "local",
-        // Drift checks should compare the persisted gateway token against the
-        // service token, not let an exported shell env mask config drift.
-        localTokenPrecedence: "config-first",
-      }).token;
+      const configToken = resolveGatewayTokenForDriftCheck({ cfg, env: process.env });
      const driftIssue = checkTokenDrift({ serviceToken, configToken });
      if (driftIssue) {
        const warning = driftIssue.detail