From 0e53a2b49b6201665018dc8250a80f7d46ffd8f7 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 9 May 2026 22:58:55 +0100
Subject: [PATCH] test: tighten gateway auth surface assertions

---
 .../runtime-gateway-auth-surfaces.test.ts | 31 ++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/src/secrets/runtime-gateway-auth-surfaces.test.ts b/src/secrets/runtime-gateway-auth-surfaces.test.ts
index 373645b107e..4f0297dc32d 100644
--- a/src/secrets/runtime-gateway-auth-surfaces.test.ts
+++ b/src/secrets/runtime-gateway-auth-surfaces.test.ts
@@ -15,6 +15,15 @@ function evaluate(config: OpenClawConfig, env: NodeJS.ProcessEnv = EMPTY_ENV) {
 });
 }
 
+function expectGatewayState(
+ state: { active: boolean; hasSecretRef: boolean; reason: string },
+ expected: { active: boolean; hasSecretRef: boolean; reason: string },
+) {
+ expect(state.hasSecretRef).toBe(expected.hasSecretRef);
+ expect(state.active).toBe(expected.active);
+ expect(state.reason).toBe(expected.reason);
+}
+
 describe("evaluateGatewayAuthSurfaceStates", () => {
 it("marks gateway.auth.token active when token mode is explicit", () => {
 const states = evaluate({
@@ -26,7 +35,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.auth.token"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.token"], {
 hasSecretRef: true,
 active: true,
 reason: 'gateway.auth.mode is "token".',
@@ -46,7 +55,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 { OPENCLAW_GATEWAY_TOKEN: "env-token" } as NodeJS.ProcessEnv,
 );
 
- expect(states["gateway.auth.token"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.token"], {
 hasSecretRef: true,
 active: false,
 reason: "gateway token env var is configured.",
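Review bot: The new `expectGatewayState` helper in the first hunk asserts the three fields with separate `expect` calls, so a failing run stops at the first mismatch (`hasSecretRef`) and does not show whether `active` or `reason` drifted as well; like the `toMatchObject` it replaces, it also ignores any other property the state may carry. Because these cases pin which gateway credential surface is treated as active, a single comparison such as `expect({ hasSecretRef: state.hasSecretRef, active: state.active, reason: state.reason }).toEqual(expected);` would report all three values in one diff. The parameter shape is written out twice; a local `type GatewayState = { active: boolean; hasSecretRef: boolean; reason: string };` would remove the duplication. A one-line comment on the helper should say that the typed `expected` parameter makes all three fields mandatory at every call site, which appears to be the actual tightening over `toMatchObject`.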
@@ -63,7 +72,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.auth.token"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.token"], {
 hasSecretRef: true,
 active: false,
 reason: 'gateway.auth.mode is "password".',
@@ -80,7 +89,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.auth.password"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.password"], {
 hasSecretRef: true,
 active: true,
 reason: 'gateway.auth.mode is "password".',
@@ -97,7 +106,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.auth.password"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.password"], {
 hasSecretRef: true,
 active: true,
 reason: "no token source can win, so password auth can win.",
@@ -116,7 +125,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 { OPENCLAW_GATEWAY_TOKEN: "env-token" } as NodeJS.ProcessEnv,
 );
 
- expect(states["gateway.auth.password"]).toMatchObject({
+ expectGatewayState(states["gateway.auth.password"], {
 hasSecretRef: true,
 active: false,
 reason: "gateway token env var is configured.",
@@ -133,7 +142,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.remote.token"]).toMatchObject({
+ expectGatewayState(states["gateway.remote.token"], {
 hasSecretRef: true,
 active: true,
 reason: "local token auth can win and no env/auth token is configured.",
@@ -152,7 +161,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.remote.token"]).toMatchObject({
+ expectGatewayState(states["gateway.remote.token"], {
 hasSecretRef: true,
 active: false,
 reason: 'token auth cannot win with gateway.auth.mode="password".',
@@ -173,7 +182,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.remote.token"]).toMatchObject({
+ expectGatewayState(states["gateway.remote.token"], {
 hasSecretRef: true,
 active: false,
 reason: "gateway.auth.token is configured.",
@@ -208,7 +217,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.remote.password"]).toMatchObject({
+ expectGatewayState(states["gateway.remote.password"], {
 hasSecretRef: true,
 active: false,
 reason: 'password auth cannot win with gateway.auth.mode="token".',
@@ -228,7 +237,7 @@ describe("evaluateGatewayAuthSurfaceStates", () => {
 },
 } as OpenClawConfig);
 
- expect(states["gateway.remote.password"]).toMatchObject({
+ expectGatewayState(states["gateway.remote.password"], {
 hasSecretRef: true,
 active: false,
 reason: "remote password fallback is not active.",