fix(daemon): warn on token drift during restart (#18018)

When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018

src/cli/daemon-cli/lifecycle-core.ts

@@ -1,5 +1,7 @@
 import type { GatewayService } from "../../daemon/service.js";
+import { loadConfig } from "../../config/config.js";
 import { resolveIsNixMode } from "../../config/paths.js";
+import { checkTokenDrift } from "../../daemon/service-audit.js";
 import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js";
 import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js";
 import { isWSL } from "../../infra/wsl.js";
@@ -255,6 +257,27 @@ export async function runServiceRestart(params: {
     });
     return false;
   }
+
+  // Check for token drift before restart (service token vs config token)
+  try {
+    const command = await params.service.readCommand(process.env);
+    const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN;
+    const cfg = loadConfig();
+    const configToken =
+      cfg.gateway?.auth?.token ||
+      process.env.OPENCLAW_GATEWAY_TOKEN ||
+      process.env.CLAWDBOT_GATEWAY_TOKEN;
+    const driftIssue = checkTokenDrift({ serviceToken, configToken });
+    if (driftIssue && !json) {
+      defaultRuntime.log(`\n⚠️  ${driftIssue.message}`);
+      if (driftIssue.detail) {
+        defaultRuntime.log(`   ${driftIssue.detail}\n`);
+      }
+    }
+  } catch {
+    // Non-fatal: token drift check is best-effort
+  }
+
   try {
     await params.service.restart({ env: process.env, stdout });
     let restarted = true;