perf(test): isolate deep probe finding helper

src/security/audit-deep-probe-findings.ts

@@ -0,0 +1,28 @@
+import { formatCliCommand } from "../cli/command-format.js";
+import type { SecurityAuditFinding, SecurityAuditReport } from "./audit.js";
+
+export function collectDeepProbeFindings(params: {
+  deep?: SecurityAuditReport["deep"];
+  authWarning?: string;
+}): SecurityAuditFinding[] {
+  const findings: SecurityAuditFinding[] = [];
+  if (params.deep?.gateway?.attempted && !params.deep.gateway.ok) {
+    findings.push({
+      checkId: "gateway.probe_failed",
+      severity: "warn",
+      title: "Gateway probe failed (deep)",
+      detail: params.deep.gateway.error ?? "gateway unreachable",
+      remediation: `Run "${formatCliCommand("openclaw status --all")}" to debug connectivity/auth, then re-run "${formatCliCommand("openclaw security audit --deep")}".`,
+    });
+  }
+  if (params.authWarning) {
+    findings.push({
+      checkId: "gateway.probe_auth_secretref_unavailable",
+      severity: "warn",
+      title: "Gateway probe auth SecretRef is unavailable",
+      detail: params.authWarning,
+      remediation: `Set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD in this shell or resolve the external secret provider, then re-run "${formatCliCommand("openclaw security audit --deep")}".`,
+    });
+  }
+  return findings;
+}

src/security/audit-gateway-auth-selection.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveGatewayProbeAuthSafe, resolveGatewayProbeTarget } from "../gateway/probe-auth.js";
-import { collectDeepProbeFindings } from "./audit.js";
+import { collectDeepProbeFindings } from "./audit-deep-probe-findings.js";
 
 describe("security audit gateway auth selection", () => {
   it("applies gateway auth precedence across local and remote modes", async () => {

src/security/audit.ts

@@ -3,7 +3,6 @@ import path from "node:path";
 import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
 import { hasPotentialConfiguredChannels } from "../channels/config-presence.js";
 import type { listChannelPlugins } from "../channels/plugins/index.js";
-import { formatCliCommand } from "../cli/command-format.js";
 import type { ConfigFileSnapshot, OpenClawConfig } from "../config/config.js";
 import { resolveConfigPath, resolveStateDir } from "../config/paths.js";
 import { applyPluginAutoEnable } from "../config/plugin-auto-enable.js";
@@ -19,6 +18,7 @@ import { listRiskyConfiguredSafeBins } from "../infra/exec-safe-bin-semantics.js
 import { normalizeTrustedSafeBinDirs } from "../infra/exec-safe-bin-trust.js";
 import { getActivePluginRegistry } from "../plugins/runtime.js";
 import { DEFAULT_AGENT_ID } from "../routing/session-key.js";
+import { collectDeepProbeFindings } from "./audit-deep-probe-findings.js";
 import {
   formatPermissionDetail,
   formatPermissionRemediation,
@@ -1260,32 +1260,6 @@ async function maybeProbeGateway(params: {
   };
 }
 
-export function collectDeepProbeFindings(params: {
-  deep?: SecurityAuditReport["deep"];
-  authWarning?: string;
-}): SecurityAuditFinding[] {
-  const findings: SecurityAuditFinding[] = [];
-  if (params.deep?.gateway?.attempted && !params.deep.gateway.ok) {
-    findings.push({
-      checkId: "gateway.probe_failed",
-      severity: "warn",
-      title: "Gateway probe failed (deep)",
-      detail: params.deep.gateway.error ?? "gateway unreachable",
-      remediation: `Run "${formatCliCommand("openclaw status --all")}" to debug connectivity/auth, then re-run "${formatCliCommand("openclaw security audit --deep")}".`,
-    });
-  }
-  if (params.authWarning) {
-    findings.push({
-      checkId: "gateway.probe_auth_secretref_unavailable",
-      severity: "warn",
-      title: "Gateway probe auth SecretRef is unavailable",
-      detail: params.authWarning,
-      remediation: `Set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD in this shell or resolve the external secret provider, then re-run "${formatCliCommand("openclaw security audit --deep")}".`,
-    });
-  }
-  return findings;
-}
-
 async function createAuditExecutionContext(
   opts: SecurityAuditOptions,
 ): Promise<AuditExecutionContext> {