[Security]: security audit does not flag tokens with no expiry or rotation policy

### Bug type
Missing check
### Summary
`openclaw security audit` checks token *length* (`gateway.token_too_short`)
but never flags tokens that lack an expiry date or rotation policy.
The threat model (T-PERSIST-004) lists token persistence as High risk with
mitigation "None — tokens don't expire by default." A stolen token grants
indefinite access until manually revoked.
The audit should warn when `gateway.auth.token` is configured but no
expiry or rotation mechanism is in place.
### Expected behavior
The audit should emit a finding like:
[warn] gateway.token_no_expiry — Gateway token has no expiry configured

### Actual behavior
No finding is emitted regardless of token expiry configuration.
### OpenClaw version
Latest (2026.3.2)
### Operating system
All
### Impact and severity
Medium — defense-in-depth, not a vulnerability

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security]: security audit does not flag tokens with no expiry or rotation policy #16

Bug type

Summary

Expected behavior

Actual behavior

OpenClaw version

Operating system

Impact and severity

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[Security]: security audit does not flag tokens with no expiry or rotation policy #16

Description

Bug type

Summary

Expected behavior

Actual behavior

OpenClaw version

Operating system

Impact and severity

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions