fix(bot):Fix bot api-channel auth check #1640

Merged
chenjw merged 4 commits into main from fix_bot_api_check
Apr 22, 2026
Conversation

@yeshion23333
Collaborator

@yeshion23333 yeshion23333 commented Apr 22, 2026

Description

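Detailed changes:

  • Fixed the Bot API auth chain by standardizing on bot.gateway.token / X-Gateway-Token, so that proxy authentication works from OpenViking → Vikingbot.
  • Hardened default security: the gateway binds to 127.0.0.1 by default; when host is not localhost, bot.gateway.token is mandatory and startup fails immediately (fail-fast).
  • Cleaned up parameters and startup behavior: openviking-server --with-bot now uniformly uses --bot-port (--bot-url removed); a vikingbot started via with-bot is forced onto a local host.
  • Improved the operations experience: the --with-bot log directory follows storage.workspace by default.
  • The issue where the gateway host and port in the configuration did not actually take effect.
  • Filled in tests: added/updated regression tests for auth, startup security, config loading, and bootstrap.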

Change:

  • Fixed Bot API auth end-to-end by standardizing on bot.gateway.token / X-Gateway-Token across OpenViking → Vikingbot proxy calls.
  • Hardened defaults: gateway now binds to 127.0.0.1 by default; non-localhost host requires bot.gateway.token (fail-fast on startup).
  • Simplified startup contract: openviking-server --with-bot now uses --bot-port (removed --bot-url); with-bot launches vikingbot on localhost host.
  • Improved operability: default bot log directory now follows storage.workspace.
  • Added/updated regression tests for auth flow, startup security checks, config loading, and bootstrap behavior.

Related Issue

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test update

Changes Made

Testing

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested this on the following platforms:
    • Linux
    • macOS
    • Windows

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes
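
The startup rule and header check this description outlines, as an added example that is not the project's code. The function names, the choice to treat unresolvable hostnames as non-local, and the sample values are assumptions; only bot.gateway.token, X-Gateway-Token and the 127.0.0.1 default come from the description.

```python
import hmac
import ipaddress
from typing import Optional

LOCAL_NAMES = {"localhost"}  # names accepted as loopback without a DNS lookup


def is_loopback_host(host: str) -> bool:
    """True only when the bind address is reachable from this machine alone."""
    host = host.strip().strip("[]").lower()  # tolerate "[::1]" and mixed case
    if host in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # assumption: any other hostname may be network-reachable


def needs_gateway_token(host: str, token: Optional[str]) -> bool:
    """Startup rule: a non-loopback bind with no usable token must not start."""
    return not is_loopback_host(host) and not (token or "").strip()


def check_startup(host: str = "127.0.0.1", token: Optional[str] = None) -> None:
    """Fail fast, before any listening socket is opened."""
    if needs_gateway_token(host, token):
        raise SystemExit(
            "bot.gateway.token is required when gateway.host is non-localhost"
        )


def token_matches(headers: dict, expected: Optional[str]) -> bool:
    """Compare the X-Gateway-Token request header with the configured token."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get("x-gateway-token", "")
    if not expected or not supplied:
        return False  # a missing header or empty configured token never matches
    # compare_digest keeps timing independent of where the first mismatch is.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the project.
    for host, tok in [("127.0.0.1", None), ("0.0.0.0", None), ("0.0.0.0", "s3cret")]:
        print(host, tok, "-> refuse to start" if needs_gateway_token(host, tok) else "-> ok")
    print(token_matches({"X-Gateway-Token": "s3cret"}, "s3cret"))
```
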

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🏅 Score: 85
🧪 PR contains tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@yeshion23333 yeshion23333 requested review from chenjw and qin-ctx April 22, 2026 12:28
@github-actions

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
General
Add timeout to httpx AsyncClient for bot proxy

Add timeout configuration to the httpx.AsyncClient calls to improve API resilience
for the bot proxy endpoints.

openviking/server/routers/bot.py [102]

-async with httpx.AsyncClient() as client:
+async with httpx.AsyncClient(timeout=httpx.Timeout(30.0, connect=5.0)) as client:
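Review bot: The `+` line changes only the single client at bot.py [102], while the suggestion text speaks of the httpx.AsyncClient calls for the bot proxy endpoints in the plural, and it hardcodes 30.0 and connect=5.0 inline. Define the timeout once (a module-level constant or a config value) and pass it to every AsyncClient the proxy creates, so no endpoint is left with a different limit from the others.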
Suggestion importance[1-10]: 6


Why: Adding timeout configuration to the httpx client improves API resilience by preventing hanging requests, a moderate quality improvement.

Low
Replace print with logger.error for security message

Replace the print() statement with logger.error() to align with the codebase's
loguru-based logging pattern.

bot/vikingbot/cli/commands.py [291-297]

 if requires_gateway_token(effective_host, gateway_token):
-    print(
-        "SECURITY: bot.gateway.token is required when gateway.host is non-localhost.\n"
-        "Set bot.gateway.token in ov.conf, or bind gateway.host to 127.0.0.1/localhost.",
-        file=sys.stderr,
+    logger.error(
+        "SECURITY: bot.gateway.token is required when gateway.host is non-localhost. "
+        "Set bot.gateway.token in ov.conf, or bind gateway.host to 127.0.0.1/localhost."
     )
     sys.exit(1)
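Review bot: In the `+` lines the message that explains the fail-fast exit is no longer written to sys.stderr explicitly; it goes wherever the logger's sinks point at this stage of CLI startup, and sys.exit(1) follows immediately. Confirm the logger already has a console sink configured before this check, or keep the stderr write alongside logger.error, so an operator who binds a non-localhost host without bot.gateway.token still sees why the process stopped. The change also drops the \n between the two sentences, which is fine for a single log line.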
Suggestion importance[1-10]: 5


Why: The suggestion aligns the code with the codebase's logging pattern using loguru, improving consistency, though it's not a critical fix.

Low

@chenjw chenjw merged commit 31c33d7 into main Apr 22, 2026
5 of 6 checks passed
@chenjw chenjw deleted the fix_bot_api_check branch April 22, 2026 12:40
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenViking project Apr 22, 2026
r266-tech added a commit to r266-tech/OpenViking that referenced this pull request Apr 22, 2026
Projects

Status: Done

2 participants