diff --git a/src/secrets/runtime.coverage.test.ts b/src/secrets/runtime.coverage.test.ts
index f2440e0b077..2e49dd00f38 100644
--- a/src/secrets/runtime.coverage.test.ts
+++ b/src/secrets/runtime.coverage.test.ts
@@ -1,4 +1,5 @@
 /** Coverage tests for secrets runtime collector breadth and target surfaces. */
+import { createHash } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { afterAll, beforeAll, describe, expect, test, vi } from "vitest";
@@ -312,6 +313,18 @@ function resolveCoverageEnvId(entry: SecretRegistryEntry, fallbackEnvId: string)
     : fallbackEnvId;
 }
 
+function toCoverageEnvRefId(prefix: string, id: string): string {
+  const normalized = id
+    .toUpperCase()
+    .replace(/[^A-Z0-9_]/g, "_")
+    .replace(/_+/g, "_")
+    .replace(/^_+|_+$/g, "");
+  const name = normalized || "TARGET";
+  const hash = createHash("sha256").update(id).digest("hex").slice(0, 12).toUpperCase();
+  const maxNameLength = 128 - prefix.length - hash.length - 2;
+  return `${prefix}_${name.slice(0, Math.max(1, maxNameLength))}_${hash}`;
+}
+
 function resolveCoverageResolvedPath(entry: SecretRegistryEntry): string {
   return canonicalizeSecretTargetCoverageId(entry.id);
 }
@@ -756,7 +769,7 @@ async function expectOpenClawCoverageBatchResolved(
   const config = {} as OpenClawConfig;
   const env: Record<string, string> = {};
   for (const [index, entry] of batch.entries()) {
-    const envId = `OPENCLAW_SECRET_TARGET_${entry.id}`;
+    const envId = toCoverageEnvRefId("OPENCLAW_SECRET_TARGET", entry.id);
     const runtimeEnvId = resolveCoverageEnvId(entry, envId);
     const expectedValue = `resolved-${entry.id}`;
     const wildcardToken = resolveCoverageWildcardToken(index);
@@ -857,7 +870,7 @@ describe("secrets runtime target coverage", () => {
           profiles: {},
         };
         for (const [index, entry] of batch.entries()) {
-          const envId = `OPENCLAW_AUTH_SECRET_TARGET_${entry.id}`;
+          const envId = toCoverageEnvRefId("OPENCLAW_AUTH_SECRET_TARGET", entry.id);
           env[envId] = `resolved-${entry.id}`;
           applyAuthStoreTarget(authStore, entry, envId, resolveCoverageWildcardToken(index));
         }
diff --git a/src/tui/gateway-chat.test.ts b/src/tui/gateway-chat.test.ts
index 7910cd0421e..4eb4ebf6c07 100644
--- a/src/tui/gateway-chat.test.ts
+++ b/src/tui/gateway-chat.test.ts
@@ -47,13 +47,13 @@ type ModeExecProviderFixture = {
   tokenMarker: string;
   passwordMarker: string;
   providers: {
-    tokenProvider: {
+    tokenprovider: {
       source: "exec";
       command: string;
       args: string[];
       allowInsecurePath: true;
     };
-    passwordProvider: {
+    passwordprovider: {
       source: "exec";
       command: string;
       args: string[];
@@ -85,13 +85,13 @@ async function withModeExecProviderFixture(
       tokenMarker,
       passwordMarker,
       providers: {
-        tokenProvider: {
+        tokenprovider: {
           source: "exec",
           command: process.execPath,
           args: ["-e", tokenExecProgram],
           allowInsecurePath: true,
         },
-        passwordProvider: {
+        passwordprovider: {
           source: "exec",
           command: process.execPath,
           args: ["-e", passwordExecProgram],
@@ -361,7 +361,7 @@ describe("resolveGatewayConnection", () => {
       loadConfig.mockReturnValue({
         secrets: {
           providers: {
-            fileProvider: {
+            fileprovider: {
               source: "file",
               path: secretFile,
               mode: "json",
@@ -372,7 +372,7 @@ describe("resolveGatewayConnection", () => {
         gateway: {
           mode: "local",
           auth: {
-            token: { source: "file", provider: "fileProvider", id: "/gatewayToken" },
+            token: { source: "file", provider: "fileprovider", id: "/gatewayToken" },
           },
         },
       });
@@ -396,7 +396,7 @@ describe("resolveGatewayConnection", () => {
     loadConfig.mockReturnValue({
       secrets: {
         providers: {
-          execProvider: {
+          execprovider: {
             source: "exec",
             command: process.execPath,
             args: ["-e", execProgram],
@@ -407,7 +407,7 @@ describe("resolveGatewayConnection", () => {
       gateway: {
         mode: "local",
         auth: {
-          token: { source: "exec", provider: "execProvider", id: "EXEC_GATEWAY_TOKEN" },
+          token: { source: "exec", provider: "execprovider", id: "EXEC_GATEWAY_TOKEN" },
         },
       },
     });
@@ -428,8 +428,8 @@ describe("resolveGatewayConnection", () => {
             mode: "local",
             auth: {
               mode: "token",
-              token: { source: "exec", provider: "tokenProvider", id: "TOKEN_SECRET" },
-              password: { source: "exec", provider: "passwordProvider", id: "PASSWORD_SECRET" },
+              token: { source: "exec", provider: "tokenprovider", id: "TOKEN_SECRET" },
+              password: { source: "exec", provider: "passwordprovider", id: "PASSWORD_SECRET" },
             },
           },
         });
@@ -455,8 +455,8 @@ describe("resolveGatewayConnection", () => {
             mode: "local",
             auth: {
               mode: "password",
-              token: { source: "exec", provider: "tokenProvider", id: "TOKEN_SECRET" },
-              password: { source: "exec", provider: "passwordProvider", id: "PASSWORD_SECRET" },
+              token: { source: "exec", provider: "tokenprovider", id: "TOKEN_SECRET" },
+              password: { source: "exec", provider: "passwordprovider", id: "PASSWORD_SECRET" },
             },
           },
         });