From 69baea09347b7e7adbf22e0966d1c2da898fb60d Mon Sep 17 00:00:00 2001
From: Ashlee Radka
Date: Tue, 24 Feb 2026 18:06:55 -0500
Subject: [PATCH] fix: respect env var precedence in http-token watcher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address review feedback on #8389: 1. Skip file-based token refresh when RUNTIME_BEARER_TOKEN env var is set, preserving the same precedence as loadConfig() where env vars override the file. Prevents cloud deployments with pinned tokens from being silently overwritten by daemon file writes. 2. Wrap mkdirSync in try-catch so a non-writable parent directory doesn't crash the gateway at startup — the watcher is gracefully skipped instead.

Co-Authored-By: Claude Opus 4.6
---
 gateway/src/index.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gateway/src/index.ts b/gateway/src/index.ts
index e2763f6472..5e9de8381d 100644
--- a/gateway/src/index.ts
+++ b/gateway/src/index.ts
@@ -43,13 +43,22 @@ function startHttpTokenWatcher(cfg: GatewayConfig): FSWatcher | null {
         ?? join(process.env.BASE_DATA_DIR?.trim() || homedir(), ".vellum", "http-token");
     const dir = dirname(tokenPath);
-    if (!existsSync(dir)) {
-        mkdirSync(dir, { recursive: true });
+    try {
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+    } catch (err) {
+        log.warn({ err, path: dir }, "Cannot create token directory, skipping http-token watcher");
+        return null;
     }
     let debounceTimer: ReturnType | null = null;
     function refresh(): void {
+        // Skip file-based refresh when env vars explicitly pin the tokens —
+        // respect the same precedence as loadConfig().
+        if (process.env.RUNTIME_BEARER_TOKEN) return;
+
         try {
             const token = readFileSync(tokenPath, "utf-8").trim() || undefined;
             if (token && token !== cfg.runtimeBearerToken) {
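Review bot: The new `if (process.env.RUNTIME_BEARER_TOKEN) return;` inside refresh() only skips the file read, so a deployment with a pinned token still gets the directory created and the watcher registered and returned, and the check uses raw truthiness, so an all-whitespace value counts as set — if loadConfig() trims before comparing, that diverges from the precedence this is meant to mirror. Hoisting a trimmed check to the top of startHttpTokenWatcher, before `const dir = dirname(tokenPath);`, as `if (process.env.RUNTIME_BEARER_TOKEN?.trim()) return null;` keeps the same precedence without registering a watcher that only ever no-ops, and the check inside refresh() can then go. With `recursive: true`, `mkdirSync` already tolerates an existing directory, so the `existsSync` guard kept inside the new try block is redundant. Since the directory exists solely to hold the bearer-token file, consider `mkdirSync(dir, { recursive: true, mode: 0o700 })` so the umask-derived default permissions do not leave it readable by other local users. startHttpTokenWatcher begins before the hunk and refresh() continues past it, so the hoisted check and the rest of the read path are not visible here.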