diff --git a/src/secrets/runtime-gateway-local-surfaces.test.ts b/src/secrets/runtime-gateway-local-surfaces.test.ts index 431db007cf0..69dd0ccc38b 100644 --- a/src/secrets/runtime-gateway-local-surfaces.test.ts +++ b/src/secrets/runtime-gateway-local-surfaces.test.ts @@ -3,6 +3,22 @@ import { asConfig, setupSecretsRuntimeSnapshotTestHooks } from "./runtime.test-s const { prepareSecretsRuntimeSnapshot } = setupSecretsRuntimeSnapshotTestHooks(); +async function expectInactiveGatewayPassword(config: unknown): Promise { + const snapshot = await prepareSecretsRuntimeSnapshot({ + config: asConfig(config), + env: {}, + agentDirs: ["/tmp/openclaw-agent-main"], + loadAuthStore: () => ({ version: 1, profiles: {} }), + }); + + expect(snapshot.config.gateway?.auth?.password).toEqual({ + source: "env", + provider: "default", + id: "GATEWAY_PASSWORD_REF", + }); + expect(snapshot.warnings.map((warning) => warning.path)).toContain("gateway.auth.password"); +} + describe("secrets runtime gateway local surfaces", () => { it("treats gateway.remote refs as inactive when local auth credentials are configured", async () => { const snapshot = await prepareSecretsRuntimeSnapshot({ @@ -124,53 +140,29 @@ describe("secrets runtime gateway local surfaces", () => { }); it("treats gateway.auth.password ref as inactive when auth mode is trusted-proxy", async () => { - const snapshot = await prepareSecretsRuntimeSnapshot({ - config: asConfig({ - gateway: { - auth: { - mode: "trusted-proxy", - password: { source: "env", provider: "default", id: "GATEWAY_PASSWORD_REF" }, - }, + await expectInactiveGatewayPassword({ + gateway: { + auth: { + mode: "trusted-proxy", + password: { source: "env", provider: "default", id: "GATEWAY_PASSWORD_REF" }, }, - }), - env: {}, - agentDirs: ["/tmp/openclaw-agent-main"], - loadAuthStore: () => ({ version: 1, profiles: {} }), + }, }); - - expect(snapshot.config.gateway?.auth?.password).toEqual({ - source: "env", - provider: "default", - id: "GATEWAY_PASSWORD_REF", - }); - expect(snapshot.warnings.map((warning) => warning.path)).toContain("gateway.auth.password"); }); it("treats gateway.auth.password ref as inactive when remote token is configured", async () => { - const snapshot = await prepareSecretsRuntimeSnapshot({ - config: asConfig({ - gateway: { - mode: "local", - auth: { - password: { source: "env", provider: "default", id: "GATEWAY_PASSWORD_REF" }, - }, - remote: { - enabled: true, - token: "remote-token", - }, + await expectInactiveGatewayPassword({ + gateway: { + mode: "local", + auth: { + password: { source: "env", provider: "default", id: "GATEWAY_PASSWORD_REF" }, }, - }), - env: {}, - agentDirs: ["/tmp/openclaw-agent-main"], - loadAuthStore: () => ({ version: 1, profiles: {} }), + remote: { + enabled: true, + token: "remote-token", + }, + }, }); - - expect(snapshot.config.gateway?.auth?.password).toEqual({ - source: "env", - provider: "default", - id: "GATEWAY_PASSWORD_REF", - }); - expect(snapshot.warnings.map((warning) => warning.path)).toContain("gateway.auth.password"); }); it.each(["none", "trusted-proxy"] as const)( @@ -180,7 +172,9 @@ describe("secrets runtime gateway local surfaces", () => { config: asConfig({ gateway: { mode: "local", - auth: { mode }, + auth: { + mode, + }, remote: { enabled: true, token: { source: "env", provider: "default", id: "REMOTE_GATEWAY_TOKEN_REF" },