fix(gateway): add --password-file and --token-file to avoid ps exposure

[Anandesh-Sharma]

Summary

• Add --password-file and --token-file options to gateway run and gateway call commands, following the existing ACP CLI pattern (src/cli/acp-cli.ts)
• Emit a warning when --password or --token are passed directly on the CLI, since they are visible in ps aux output
• Reuse the existing readSecretFromFile() utility from src/acp/secret-file.ts

Context

Gateway passwords passed via --password <secret> appear in plaintext in process argument lists visible to all users on the host (ps aux, /proc/[pid]/cmdline). The environment variable (OPENCLAW_GATEWAY_PASSWORD) and config file alternatives already exist but the CLI lacked the file-based option that the ACP CLI already supports.

Closes #27948

Test plan

• Verify openclaw gateway run --password-file /path/to/secret reads password from file
• Verify openclaw gateway run --password mysecret emits a warning
• Verify --password and --password-file together produces an error
• Verify gateway call subcommands support --token-file and --password-file

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

Added --password-file and --token-file options to gateway run and gateway call commands to prevent secrets from appearing in process listings (ps aux, /proc/[pid]/cmdline). This follows the existing pattern from src/cli/acp-cli.ts.

Key changes:

• Reuses existing readSecretFromFile() utility from src/acp/secret-file.ts with proper error handling for missing/empty files
• Enforces mutual exclusivity between direct flags (--password, --token) and file-based flags (--password-file, --token-file)
• Emits warnings in run.ts when direct CLI flags are used (missing in call.ts — see comment)
• Consistent error messages guide users toward safer alternatives (file-based or environment variable options)

Security improvement verified: The file-based approach keeps secrets out of process argument lists while maintaining backward compatibility with existing direct flag and environment variable methods.

Confidence Score: 4/5

• This PR is safe to merge with one minor logic issue that should be addressed
• Score reflects solid security improvement and correct implementation, but missing warning in call.ts means users of gateway call commands won't be informed about ps exposure risk when using direct flags. The core functionality (file reading, mutual exclusivity checks, error handling) is implemented correctly and follows the established ACP CLI pattern. Fix the warning issue and this becomes a 5.
• Pay close attention to src/cli/gateway-cli/call.ts - needs warning emission for direct secret flags to match the pattern in run.ts and acp-cli.ts

_{Last reviewed commit: 1f2c0f8}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

missing warnings for direct CLI secret flags — unlike src/cli/gateway-cli/run.ts (lines 256-265) and the existing ACP CLI pattern (src/cli/acp-cli.ts lines 69-74), this doesn't warn users when --token or --password are passed directly (visible in ps aux). add checks after resolving secrets:

if (opts.token) {
  console.warn("Warning: --token can be exposed via process listings. Prefer --token-file or OPENCLAW_GATEWAY_TOKEN.");
}
if (opts.password) {
  console.warn("Warning: --password can be exposed via process listings. Prefer --password-file or OPENCLAW_GATEWAY_PASSWORD.");
}

(or use defaultRuntime.error() to match the ACP CLI pattern)

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/cli/gateway-cli/call.ts
Line: 47-49

Comment:
missing warnings for direct CLI secret flags — unlike `src/cli/gateway-cli/run.ts` (lines 256-265) and the existing ACP CLI pattern (`src/cli/acp-cli.ts` lines 69-74), this doesn't warn users when `--token` or `--password` are passed directly (visible in `ps aux`). add checks after resolving secrets:

```typescript
if (opts.token) {
  console.warn("Warning: --token can be exposed via process listings. Prefer --token-file or OPENCLAW_GATEWAY_TOKEN.");
}
if (opts.password) {
  console.warn("Warning: --password can be exposed via process listings. Prefer --password-file or OPENCLAW_GATEWAY_PASSWORD.");
}
```

(or use `defaultRuntime.error()` to match the ACP CLI pattern)

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f2c0f892d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Export token-file secret into OPENCLAW_GATEWAY_TOKEN

When --token-file is used, the token is loaded into tokenRaw but never written to OPENCLAW_GATEWAY_TOKEN, while the direct --token path still sets that env var earlier. Several runtime paths (for example resolveRelayAcceptedTokensForPort in src/browser/extension-relay-auth.ts) resolve the gateway token from config/env rather than this local tokenRaw, so starting with only --token-file and no configured gateway.auth.token can break browser relay/auth flows even though gateway auth override is present.

Useful? React with 👍 / 👎.

[steipete]

Thanks for the PR! Multiple PRs address issue #27948. Keeping #27985 as the earliest submission. Closing to reduce noise. This is an AI-assisted triage review. If we got this wrong, feel free to reopen — happy to revisit.