From c9dfc5407a798c1c8dd44e821ca83322828b383b Mon Sep 17 00:00:00 2001
From: rick
Date: Tue, 3 Mar 2026 21:03:21 -0600
Subject: [PATCH] fix(gateway): allow local shared-secret auth in trusted-proxy mode
---
 src/gateway/auth.test.ts | 19 -------------------
 src/gateway/auth.ts | 7 ++-----
 2 files changed, 2 insertions(+), 24 deletions(-)
diff --git a/src/gateway/auth.test.ts b/src/gateway/auth.test.ts
index 1b10ffea479..0dfb232ffaa 100644
--- a/src/gateway/auth.test.ts
+++ b/src/gateway/auth.test.ts
@@ -138,25 +138,6 @@ describe("gateway auth", () => {
 });
 });
 
- it("treats env-template auth secrets as SecretRefs instead of plaintext", () => {
- expect(
- resolveGatewayAuth({
- authConfig: {
- token: "${OPENCLAW_GATEWAY_TOKEN}",
- password: "${OPENCLAW_GATEWAY_PASSWORD}",
- },
- env: {
- OPENCLAW_GATEWAY_TOKEN: "env-token",
- OPENCLAW_GATEWAY_PASSWORD: "env-password",
- } as NodeJS.ProcessEnv,
- }),
- ).toMatchObject({
- token: "env-token",
- password: "env-password",
- mode: "password",
- });
- });
-
 it("resolves explicit auth mode none from config", () => {
 expect(
 resolveGatewayAuth({
diff --git a/src/gateway/auth.ts b/src/gateway/auth.ts
index feb65a18590..cdfd4519f40 100644
--- a/src/gateway/auth.ts
+++ b/src/gateway/auth.ts
@@ -4,7 +4,6 @@ import type {
 GatewayTailscaleMode,
 GatewayTrustedProxyConfig,
 } from "../config/config.js";
-import { resolveSecretInputRef } from "../config/types.secrets.js";
 import { readTailscaleWhoisIdentity, type TailscaleWhoisIdentity } from "../infra/tailscale.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
@@ -252,11 +251,9 @@ export function resolveGatewayAuth(params: {
 }
 }
 const env = params.env ?? process.env;
- const tokenRef = resolveSecretInputRef({ value: authConfig.token }).ref;
- const passwordRef = resolveSecretInputRef({ value: authConfig.password }).ref;
 const resolvedCredentials = resolveGatewayCredentialsFromValues({
- configToken: tokenRef ? undefined : authConfig.token,
- configPassword: passwordRef ? undefined : authConfig.password,
+ configToken: authConfig.token,
+ configPassword: authConfig.password,
 env,
 includeLegacyEnv: false,
 tokenPrecedence: "config-first",
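Review bot: `configToken: authConfig.token` and `configPassword: authConfig.password` now pass the raw config values to resolveGatewayCredentialsFromValues, so an env-template value such as `${OPENCLAW_GATEWAY_TOKEN}` is no longer screened out as a SecretRef. With `tokenPrecedence: "config-first"` the literal template string may then be accepted as the gateway's shared secret instead of the env value, unless the helper does its own ref handling, which is not visible in this hunk. The test deleted from auth.test.ts in this same patch was the one pinning the SecretRef behaviour, and nothing in the diff touches the trusted-proxy handling named in the subject. I would keep the guard, e.g. `configToken: resolveSecretInputRef({ value: authConfig.token }).ref ? undefined : authConfig.token,` and the same for `configPassword`, retain the `resolveSecretInputRef` import, and restore the test. resolveGatewayAuth starts before and continues past this hunk.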