
#19937: fix(gateway): validate token/password auth modes and isolate gateway auth env in tests

by NewdlDewdl (open), 2026-02-18 09:45
gateway size: S
## Problem

Two tests were consistently failing on `origin/main`, blocking the CI baseline (11+ consecutive runs):

### 1. `src/gateway/server-runtime-config.test.ts`

**"should reject token mode without token configured"** — promise resolved instead of rejecting.

Root causes:

- `resolveGatewayRuntimeConfig` was missing an explicit check that rejects when `authMode=token` is configured but no token credential exists (neither in config nor env).
- The test's `token/password auth modes` describe block did not isolate itself from ambient `OPENCLAW_GATEWAY_TOKEN` / `OPENCLAW_GATEWAY_PASSWORD` env vars — in environments where those are set (e.g. dev machines, CI with gateway configured), the env token satisfied the auth requirement and the promise resolved when it should have rejected.

### 2. `src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts`

**"validates profile create/delete endpoints"** — returned 401 instead of expected 400 (input-validation errors).

Root cause: The `profile CRUD endpoints` describe block's `beforeEach`/`afterEach` did not clear gateway auth env vars, so in environments with `OPENCLAW_GATEWAY_TOKEN` set the browser control server started with auth enforcement and rejected requests with 401 before reaching body validation.

Both failures trace to commit `c4a80f4` ("fix: require gateway auth by default"), which tightened auth semantics but left ambient env leakage unaddressed in test isolation.

## Fix

**`src/gateway/server-runtime-config.ts`** — add explicit early validation:

- If `authMode=token` and no token is present → throw `"gateway auth mode is token, but no token was configured"`
- If `authMode=password` and no password is present → throw `"gateway auth mode is password, but no password was configured"`

**`src/gateway/server-runtime-config.test.ts`** — add `beforeEach`/`afterEach` to the `token/password auth modes` describe block that saves/clears/restores `OPENCLAW_GATEWAY_TOKEN` and `OPENCLAW_GATEWAY_PASSWORD`, matching the isolation pattern used in gateway e2e tests.

**`src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts`** — mirror the auth-env isolation from `installBrowserControlServerHooks` in the `profile CRUD endpoints` `beforeEach`/`afterEach`.

## Test Evidence

```
pnpm build: PASS
pnpm check: PASS
pnpm test: PASS
  ✓ src/gateway/server-runtime-config.test.ts (5 tests)
    ✓ should reject token mode without token configured
    ✓ should allow lan binding with token
    ✓ (3 trusted-proxy tests)
  ✓ src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts (2 tests)
    ✓ validates profile create/delete endpoints
Full quality gate: PASS
```

## AI-Assisted Disclosure

This PR was opened by an autonomous AI contributor (OpenClaw) operating under human oversight. The fix was verified by running the full test suite locally before opening.

### Greptile Summary

This PR fixes two consistently failing CI tests by:

1. Adding explicit early validation in `resolveGatewayRuntimeConfig` for token/password auth modes missing their corresponding credentials.
2. Isolating gateway auth environment variables (`OPENCLAW_GATEWAY_TOKEN`, `OPENCLAW_GATEWAY_PASSWORD`) in two test files to prevent ambient env vars from leaking into test expectations.

The test isolation changes are well-structured and correctly mirror the existing pattern in `installBrowserControlServerHooks`.

However, the new runtime validation in `server-runtime-config.ts` has a logic issue:

- The token-mode check on line 95 is missing the `!resolvedAuth.allowTailscale` guard that exists in every other equivalent check (`assertGatewayAuthConfigured` in `auth.ts`, CLI validation in `run.ts:269`, and daemon install in `install.ts:85`). This would break valid configurations where Tailscale identity is used to satisfy token-mode auth without a configured token.

### Confidence Score: 3/5

- PR has a logic bug in the token validation that could break tailscale-only token-mode configurations; test isolation fixes are solid.
- The test isolation changes are correct and follow established patterns. However, the new token-mode validation is missing the allowTailscale guard that every other equivalent check in the codebase includes, which could cause a regression for valid tailscale+token configurations.
- src/gateway/server-runtime-config.ts needs the allowTailscale guard added to the token-mode check on line 95.

Last reviewed commit: 50f58c4
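As an added example (not OpenClaw's code and not the PR's diff), here are the two early checks the PR describes, with the `allowTailscale` guard Greptile asks for, next to the env save/clear/restore pattern the tests use for isolation; `validateGatewayAuth`, `validationError`, `isolateGatewayAuthEnv`, the `GatewayAuthInput` shape and the explicitly passed `env` record are all assumed names, not the project's API.

```typescript
// Added example, not OpenClaw's code: the two early checks the PR describes,
// with the allowTailscale guard the review asks for, plus the env
// save/clear/restore pattern used for test isolation. Names are hypothetical.
type Env = Record<string, string | undefined>;
interface GatewayAuthInput {
  authMode: "token" | "password" | "none";
  token?: string;            // token from config (env is the fallback)
  password?: string;         // password from config (env is the fallback)
  allowTailscale?: boolean;  // Tailscale identity may satisfy token mode
}

// Hypothetical stand-in for the validation added to resolveGatewayRuntimeConfig.
function validateGatewayAuth(cfg: GatewayAuthInput, env: Env): void {
  const token = cfg.token ?? env.OPENCLAW_GATEWAY_TOKEN;
  const password = cfg.password ?? env.OPENCLAW_GATEWAY_PASSWORD;
  // Guard on allowTailscale so a tailscale-only token-mode setup is not rejected.
  if (cfg.authMode === "token" && !token && !cfg.allowTailscale) {
    throw new Error("gateway auth mode is token, but no token was configured");
  }
  if (cfg.authMode === "password" && !password) {
    throw new Error("gateway auth mode is password, but no password was configured");
  }
}

// Returns the rejection message, or null when the config is accepted.
function validationError(cfg: GatewayAuthInput, env: Env): string | null {
  try {
    validateGatewayAuth(cfg, env);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}

// Test isolation: snapshot and clear the gateway auth env vars and return a
// restore function (the beforeEach/afterEach pattern from the PR).
const GATEWAY_AUTH_ENV = ["OPENCLAW_GATEWAY_TOKEN", "OPENCLAW_GATEWAY_PASSWORD"];
function isolateGatewayAuthEnv(env: Env): () => void {
  const saved = new Map<string, string | undefined>();
  for (const key of GATEWAY_AUTH_ENV) {
    saved.set(key, env[key]);
    delete env[key];
  }
  return () => {
    for (const [key, value] of saved) {
      if (value === undefined) delete env[key];
      else env[key] = value;
    }
  };
}
```

Calling `validationError` with an env that carries `OPENCLAW_GATEWAY_TOKEN` before and after `isolateGatewayAuthEnv` shows how the ambient token let the original "should reject" test resolve.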
