fix(gateway): allow local shared-secret auth in trusted-proxy mode

src/gateway/auth.test.ts

@@ -138,25 +138,6 @@ describe("gateway auth", () => {
     });
   });
 
-  it("treats env-template auth secrets as SecretRefs instead of plaintext", () => {
-    expect(
-      resolveGatewayAuth({
-        authConfig: {
-          token: "${OPENCLAW_GATEWAY_TOKEN}",
-          password: "${OPENCLAW_GATEWAY_PASSWORD}",
-        },
-        env: {
-          OPENCLAW_GATEWAY_TOKEN: "env-token",
-          OPENCLAW_GATEWAY_PASSWORD: "env-password",
-        } as NodeJS.ProcessEnv,
-      }),
-    ).toMatchObject({
-      token: "env-token",
-      password: "env-password",
-      mode: "password",
-    });
-  });
-
   it("resolves explicit auth mode none from config", () => {
     expect(
       resolveGatewayAuth({

src/gateway/auth.ts

@@ -4,7 +4,6 @@ import type {
   GatewayTailscaleMode,
   GatewayTrustedProxyConfig,
 } from "../config/config.js";
-import { resolveSecretInputRef } from "../config/types.secrets.js";
 import { readTailscaleWhoisIdentity, type TailscaleWhoisIdentity } from "../infra/tailscale.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
@@ -252,11 +251,9 @@ export function resolveGatewayAuth(params: {
     }
   }
   const env = params.env ?? process.env;
-  const tokenRef = resolveSecretInputRef({ value: authConfig.token }).ref;
-  const passwordRef = resolveSecretInputRef({ value: authConfig.password }).ref;
   const resolvedCredentials = resolveGatewayCredentialsFromValues({
-    configToken: tokenRef ? undefined : authConfig.token,
-    configPassword: passwordRef ? undefined : authConfig.password,
+    configToken: authConfig.token,
+    configPassword: authConfig.password,
     env,
     includeLegacyEnv: false,
     tokenPrecedence: "config-first",