From a21f518c0b082de061383195114d6045f3fdd249 Mon Sep 17 00:00:00 2001
From: 0xbyt4 <35742124+0xbyt4@users.noreply.github.com>
Date: Fri, 13 Mar 2026 17:05:55 +0300
Subject: [PATCH] fix: hide configured token value in Web UI startup log

Only print the access token when auto-generated (user needs it to
log in). When set via WEB_UI_TOKEN env var, just confirm it is set
without exposing the value in console output.
---
 gateway/platforms/web.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gateway/platforms/web.py b/gateway/platforms/web.py
index 1d4e70ee..b6ca632e 100644
--- a/gateway/platforms/web.py
+++ b/gateway/platforms/web.py
@@ -66,7 +66,9 @@ class WebAdapter(BasePlatformAdapter):
         # Config
         self._host: str = config.extra.get("host", "127.0.0.1")
         self._port: int = config.extra.get("port", 8765)
-        self._token: str = config.extra.get("token", "") or secrets.token_hex(16)
+        configured_token = config.extra.get("token", "")
+        self._token: str = configured_token or secrets.token_hex(16)
+        self._token_auto_generated: bool = not configured_token
 
         # Connected WebSocket clients: session_id -> ws
         self._clients: Dict[str, web.WebSocketResponse] = {}
@@ -110,7 +112,10 @@ class WebAdapter(BasePlatformAdapter):
         for ip in all_ips:
             if ip != primary_ip:
                 print(f"[{self.name}]   also: http://{ip}:{self._port}")
-        print(f"[{self.name}] Access token: {self._token}")
+        if self._token_auto_generated:
+            print(f"[{self.name}] Access token (auto-generated): {self._token}")
+        else:
+            print(f"[{self.name}] Access token: (set via WEB_UI_TOKEN)")
 
         return True