From 52b0d148253f60d849711d29da76e8e88737ba4e Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 8 May 2026 13:09:56 +0100 Subject: [PATCH] test: clarify sandbox auth assertions --- .../auth-profiles/oauth-refresh-queue.test.ts | 6 ++--- .../sandbox/validate-sandbox-security.test.ts | 24 +++++++++---------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/src/agents/auth-profiles/oauth-refresh-queue.test.ts b/src/agents/auth-profiles/oauth-refresh-queue.test.ts index ae073af73d2..3b075375e8a 100644 --- a/src/agents/auth-profiles/oauth-refresh-queue.test.ts +++ b/src/agents/auth-profiles/oauth-refresh-queue.test.ts @@ -113,10 +113,8 @@ describe("OAuth refresh in-process queue", () => { it("resetOAuthRefreshQueuesForTest drains pending gates", () => { // We can't observe the internal map, but we can assert that calling the // reset is idempotent and safe from any state. - expect(() => { - resetOAuthRefreshQueuesForTest(); - resetOAuthRefreshQueuesForTest(); - }).not.toThrow(); + expect(resetOAuthRefreshQueuesForTest()).toBeUndefined(); + expect(resetOAuthRefreshQueuesForTest()).toBeUndefined(); }); it("serializes a 10-caller burst so later arrivals never pass an earlier caller", async () => { diff --git a/src/agents/sandbox/validate-sandbox-security.test.ts b/src/agents/sandbox/validate-sandbox-security.test.ts index ca031126615..5fb8849e188 100644 --- a/src/agents/sandbox/validate-sandbox-security.test.ts +++ b/src/agents/sandbox/validate-sandbox-security.test.ts @@ -180,11 +180,11 @@ describe("validateBindMounts", () => { }); it("compares Windows allowed roots case-insensitively", () => { - expect(() => + expect( validateBindMounts(["d:/DATA/OpenClaw/src:/src:ro"], { allowedSourceRoots: ["D:/data/openclaw"], }), - ).not.toThrow(); + ).toBeUndefined(); expect(() => validateBindMounts(["D:/other/project:/src:ro"], { @@ -280,22 +280,22 @@ describe("validateBindMounts", () => { it("allows bind sources in allowed roots when allowlist is configured", () => { const projectRoot = mkdtempSync(join(tmpdir(), "openclaw-sbx-allowed-")); - expect(() => + expect( validateBindMounts([`${join(projectRoot, "cache")}:/data:ro`], { allowedSourceRoots: [projectRoot], }), - ).not.toThrow(); + ).toBeUndefined(); }); it("allows bind sources outside allowed roots with explicit dangerous override", () => { const allowedRoot = mkdtempSync(join(tmpdir(), "openclaw-sbx-allowed-root-")); const externalRoot = mkdtempSync(join(tmpdir(), "openclaw-sbx-external-")); - expect(() => + expect( validateBindMounts([`${externalRoot}:/data:ro`], { allowedSourceRoots: [allowedRoot], allowSourcesOutsideAllowedRoots: true, }), - ).not.toThrow(); + ).toBeUndefined(); }); it("blocks reserved container target paths by default", () => { @@ -307,11 +307,11 @@ describe("validateBindMounts", () => { it("allows reserved container target paths with explicit dangerous override", () => { const projectRoot = mkdtempSync(join(tmpdir(), "openclaw-sbx-reserved-")); - expect(() => + expect( validateBindMounts([`${projectRoot}:/workspace:rw`], { allowReservedContainerTargets: true, }), - ).not.toThrow(); + ).toBeUndefined(); }); }); @@ -354,11 +354,11 @@ describe("validateNetworkMode", () => { }); it("allows container namespace joins with explicit dangerous override", () => { - expect(() => + expect( validateNetworkMode("container:abc123", { allowContainerNamespaceJoin: true, }), - ).not.toThrow(); + ).toBeUndefined(); }); }); @@ -397,13 +397,13 @@ describe("profile hardening", () => { describe("validateSandboxSecurity", () => { it("passes with safe config", () => { const projectRoot = mkdtempSync(join(tmpdir(), "openclaw-sbx-safe-config-")); - expect(() => + expect( validateSandboxSecurity({ binds: [`${projectRoot}:/src:rw`], network: "none", seccompProfile: "/tmp/seccomp.json", apparmorProfile: "openclaw-sandbox", }), - ).not.toThrow(); + ).toBeUndefined(); }); });