From 2185dcf136a965ea037abec51b4ca4d79a8a3966 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 12 Apr 2026 03:54:26 +0100
Subject: [PATCH] test(secrets): reuse auth runtime fixtures

---
 ...runtime-auth-profiles-oauth-policy.test.ts | 38 +++++++++---------
 .../runtime-auth-store-inline-refs.test.ts    | 39 +++++--------------
 src/secrets/runtime.test.ts                   | 24 ++----------
 3 files changed, 31 insertions(+), 70 deletions(-)

diff --git a/src/secrets/runtime-auth-profiles-oauth-policy.test.ts b/src/secrets/runtime-auth-profiles-oauth-policy.test.ts
index 30a80862d05..0d718717eb7 100644
--- a/src/secrets/runtime-auth-profiles-oauth-policy.test.ts
+++ b/src/secrets/runtime-auth-profiles-oauth-policy.test.ts
@@ -1,7 +1,11 @@
 import { describe, expect, it } from "vitest";
-import type { AuthProfileStore } from "../agents/auth-profiles.js";
 import type { OpenClawConfig } from "../config/config.js";
-import { prepareSecretsRuntimeSnapshot } from "./runtime.js";
+import {
+  loadAuthStoreWithProfiles,
+  setupSecretsRuntimeSnapshotTestHooks,
+} from "./runtime.test-support.ts";
+
+const { prepareSecretsRuntimeSnapshot } = setupSecretsRuntimeSnapshotTestHooks();
 
 function withAuthProfileMode(mode: "api_key" | "oauth" | "token"): OpenClawConfig {
   return {
@@ -23,16 +27,13 @@ function withAuthProfileMode(mode: "api_key" | "oauth" | "token"): OpenClawConfi
 
 describe("secrets runtime oauth auth-profile SecretRef policy", () => {
   it("fails startup snapshot when oauth mode profile uses token SecretRef", async () => {
-    const store: AuthProfileStore = {
-      version: 1,
-      profiles: {
-        "anthropic:default": {
-          type: "token",
-          provider: "anthropic",
-          tokenRef: { source: "env", provider: "default", id: "ANTHROPIC_TOKEN" },
-        },
+    const store = loadAuthStoreWithProfiles({
+      "anthropic:default": {
+        type: "token",
+        provider: "anthropic",
+        tokenRef: { source: "env", provider: "default", id: "ANTHROPIC_TOKEN" },
       },
-    };
+    });
 
     await expect(
       prepareSecretsRuntimeSnapshot({
@@ -46,16 +47,13 @@ describe("secrets runtime oauth auth-profile SecretRef policy", () => {
   });
 
   it("keeps token SecretRef support when the profile mode is token", async () => {
-    const store: AuthProfileStore = {
-      version: 1,
-      profiles: {
-        "anthropic:default": {
-          type: "token",
-          provider: "anthropic",
-          tokenRef: { source: "env", provider: "default", id: "ANTHROPIC_TOKEN" },
-        },
+    const store = loadAuthStoreWithProfiles({
+      "anthropic:default": {
+        type: "token",
+        provider: "anthropic",
+        tokenRef: { source: "env", provider: "default", id: "ANTHROPIC_TOKEN" },
       },
-    };
+    });
 
     const snapshot = await prepareSecretsRuntimeSnapshot({
       config: withAuthProfileMode("token"),
diff --git a/src/secrets/runtime-auth-store-inline-refs.test.ts b/src/secrets/runtime-auth-store-inline-refs.test.ts
index 5f5b7ad4d58..ca445fd0068 100644
--- a/src/secrets/runtime-auth-store-inline-refs.test.ts
+++ b/src/secrets/runtime-auth-store-inline-refs.test.ts
@@ -1,35 +1,18 @@
-import { afterEach, beforeAll, describe, expect, it } from "vitest";
-import type { AuthProfileStore } from "../agents/auth-profiles.js";
-import type { OpenClawConfig } from "../config/config.js";
-import { clearConfigCache, clearRuntimeConfigSnapshot } from "../config/config.js";
+import { describe, expect, it } from "vitest";
+import { activateSecretsRuntimeSnapshot } from "./runtime.js";
 import {
-  activateSecretsRuntimeSnapshot,
-  clearSecretsRuntimeSnapshot,
-  prepareSecretsRuntimeSnapshot,
-} from "./runtime.js";
+  asConfig,
+  loadAuthStoreWithProfiles,
+  setupSecretsRuntimeSnapshotTestHooks,
+} from "./runtime.test-support.ts";
 
 const EMPTY_LOADABLE_PLUGIN_ORIGINS = new Map();
-
-function loadAuthStoreWithProfiles(profiles: AuthProfileStore["profiles"]): AuthProfileStore {
-  return {
-    version: 1,
-    profiles,
-  };
-}
+const { prepareSecretsRuntimeSnapshot } = setupSecretsRuntimeSnapshotTestHooks();
 
 describe("secrets runtime snapshot inline auth-store refs", () => {
-  beforeAll(() => {});
-
-  afterEach(() => {
-    clearSecretsRuntimeSnapshot();
-    clearRuntimeConfigSnapshot();
-    clearConfigCache();
-  });
-
   it("normalizes inline SecretRef object on token to tokenRef", async () => {
-    const config: OpenClawConfig = { models: {}, secrets: {} };
     const snapshot = await prepareSecretsRuntimeSnapshot({
-      config,
+      config: asConfig({ models: {}, secrets: {} }),
       env: { MY_TOKEN: "resolved-token-value" },
       agentDirs: ["/tmp/openclaw-agent-main"],
       loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
@@ -53,9 +36,8 @@ describe("secrets runtime snapshot inline auth-store refs", () => {
   });
 
   it("normalizes inline SecretRef object on key to keyRef", async () => {
-    const config: OpenClawConfig = { models: {}, secrets: {} };
     const snapshot = await prepareSecretsRuntimeSnapshot({
-      config,
+      config: asConfig({ models: {}, secrets: {} }),
       env: { MY_KEY: "resolved-key-value" },
       agentDirs: ["/tmp/openclaw-agent-main"],
       loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
@@ -79,9 +61,8 @@ describe("secrets runtime snapshot inline auth-store refs", () => {
   });
 
   it("keeps explicit keyRef when inline key SecretRef is also present", async () => {
-    const config: OpenClawConfig = { models: {}, secrets: {} };
     const snapshot = await prepareSecretsRuntimeSnapshot({
-      config,
+      config: asConfig({ models: {}, secrets: {} }),
       env: {
         PRIMARY_KEY: "primary-key-value",
         SHADOW_KEY: "shadow-key-value",
diff --git a/src/secrets/runtime.test.ts b/src/secrets/runtime.test.ts
index d7ab00e944b..872255f6b8c 100644
--- a/src/secrets/runtime.test.ts
+++ b/src/secrets/runtime.test.ts
@@ -1,28 +1,10 @@
-import { afterEach, beforeAll, describe, expect, it } from "vitest";
-import type { OpenClawConfig } from "../config/config.js";
-
-function asConfig(value: unknown): OpenClawConfig {
-  return value as OpenClawConfig;
-}
+import { describe, expect, it } from "vitest";
+import { asConfig, setupSecretsRuntimeSnapshotTestHooks } from "./runtime.test-support.ts";
 
 const EMPTY_LOADABLE_PLUGIN_ORIGINS = new Map();
-let clearConfigCache: typeof import("../config/config.js").clearConfigCache;
-let clearRuntimeConfigSnapshot: typeof import("../config/config.js").clearRuntimeConfigSnapshot;
-let clearSecretsRuntimeSnapshot: typeof import("./runtime.js").clearSecretsRuntimeSnapshot;
-let prepareSecretsRuntimeSnapshot: typeof import("./runtime.js").prepareSecretsRuntimeSnapshot;
+const { prepareSecretsRuntimeSnapshot } = setupSecretsRuntimeSnapshotTestHooks();
 
 describe("secrets runtime snapshot", () => {
-  beforeAll(async () => {
-    ({ clearConfigCache, clearRuntimeConfigSnapshot } = await import("../config/config.js"));
-    ({ clearSecretsRuntimeSnapshot, prepareSecretsRuntimeSnapshot } = await import("./runtime.js"));
-  });
-
-  afterEach(() => {
-    clearSecretsRuntimeSnapshot();
-    clearRuntimeConfigSnapshot();
-    clearConfigCache();
-  });
-
   it("resolves sandbox ssh secret refs for active ssh backends", async () => {
     const snapshot = await prepareSecretsRuntimeSnapshot({
       config: asConfig({