From 18125b0dafa0cd3f41ebfed870e2b3292a3ceb61 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 10 May 2026 00:00:43 +0100
Subject: [PATCH] test: tighten gateway exposure assertions

---
 src/security/audit-gateway-exposure.test.ts | 27 ++++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/security/audit-gateway-exposure.test.ts b/src/security/audit-gateway-exposure.test.ts
index b5f3c7d33ae..28acea66937 100644
--- a/src/security/audit-gateway-exposure.test.ts
+++ b/src/security/audit-gateway-exposure.test.ts
@@ -15,12 +15,23 @@ function requireDangerousFlagsFinding(
   label: string,
 ) {
   const finding = findings.find((entry) => entry.checkId === "config.insecure_or_dangerous_flags");
-  expect(finding, label).toMatchObject({
-    checkId: "config.insecure_or_dangerous_flags",
-  });
   if (!finding) {
     throw new Error(`Expected dangerous flags finding for ${label}`);
   }
+  expect(finding.checkId, label).toBe("config.insecure_or_dangerous_flags");
+  return finding;
+}
+
+function requireFinding(
+  findings: ReturnType<typeof collectGatewayConfigFindings>,
+  checkId: string,
+  label: string,
+) {
+  const finding = findings.find((entry) => entry.checkId === checkId);
+  if (!finding) {
+    throw new Error(`Expected ${checkId} finding for ${label}`);
+  }
+  expect(finding.checkId, label).toBe(checkId);
   return finding;
 }
 
@@ -79,9 +90,12 @@ describe("security audit gateway exposure findings", () => {
     for (const testCase of cases) {
       const findings = collectGatewayConfigFindings(testCase.cfg, testCase.cfg, {});
       if ("expectedFinding" in testCase) {
-        expect(findings, testCase.name).toEqual(
-          expect.arrayContaining([expect.objectContaining(testCase.expectedFinding)]),
+        const exposureFinding = requireFinding(
+          findings,
+          testCase.expectedFinding.checkId,
+          testCase.name,
         );
+        expect(exposureFinding.severity, testCase.name).toBe(testCase.expectedFinding.severity);
       }
       const finding = requireDangerousFlagsFinding(findings, testCase.name);
       expect(finding.severity, testCase.name).toBe("warn");
@@ -135,7 +149,8 @@ describe("security audit gateway exposure findings", () => {
     },
   ])("$name", ({ cfg, expectedFinding, expectedNoFinding }) => {
     const findings = collectGatewayConfigFindings(cfg, cfg, {});
-    expect(findings).toEqual(expect.arrayContaining([expect.objectContaining(expectedFinding)]));
+    const finding = requireFinding(findings, expectedFinding.checkId, expectedFinding.checkId);
+    expect(finding.severity).toBe(expectedFinding.severity);
     if (expectedNoFinding) {
       expect(findings.map((finding) => finding.checkId)).not.toContain(expectedNoFinding);
     }