diff --git a/src/agents/sandbox/validate-sandbox-security.test.ts b/src/agents/sandbox/validate-sandbox-security.test.ts
index 5fb8849e188..46cb986f4a6 100644
--- a/src/agents/sandbox/validate-sandbox-security.test.ts
+++ b/src/agents/sandbox/validate-sandbox-security.test.ts
@@ -16,16 +16,25 @@ function expectBindMountsToThrow(binds: string[], expected: RegExp, label: strin
   expect(() => validateBindMounts(binds), label).toThrow(expected);
 }
 
+function expectBlockedTargetReason(
+  bind: string,
+): Extract<NonNullable<ReturnType<typeof getBlockedBindReason>>, { kind: "targets" }> {
+  const reason = getBlockedBindReason(bind);
+  expect(reason?.kind).toBe("targets");
+  if (reason?.kind !== "targets") {
+    throw new Error(`expected blocked target reason for ${bind}`);
+  }
+  return reason;
+}
+
 describe("getBlockedBindReason", () => {
   afterEach(() => {
     vi.unstubAllEnvs();
   });
 
   it("blocks common Docker socket directories", () => {
-    expect(getBlockedBindReason("/run:/run")).toEqual(expect.objectContaining({ kind: "targets" }));
-    expect(getBlockedBindReason("/var/run:/var/run:ro")).toEqual(
-      expect.objectContaining({ kind: "targets" }),
-    );
+    expectBlockedTargetReason("/run:/run");
+    expectBlockedTargetReason("/var/run:/var/run:ro");
   });
 
   it("does not block /var by default", () => {
@@ -47,9 +56,7 @@ describe("getBlockedBindReason", () => {
     ] as const;
 
     for (const source of cases) {
-      expect(getBlockedBindReason(`${source}:/mnt/test:ro`)).toEqual(
-        expect.objectContaining({ kind: "targets" }),
-      );
+      expectBlockedTargetReason(`${source}:/mnt/test:ro`);
     }
   });
 
@@ -57,12 +64,8 @@ describe("getBlockedBindReason", () => {
     vi.stubEnv("HOME", "/home/tester");
     vi.stubEnv("OPENCLAW_HOME", "/srv/openclaw-home");
 
-    expect(getBlockedBindReason("/home/tester/.gnupg/secring.gpg:/mnt/gnupg:ro")).toEqual(
-      expect.objectContaining({
-        kind: "targets",
-        blockedPath: "/home/tester/.gnupg",
-      }),
-    );
+    const reason = expectBlockedTargetReason("/home/tester/.gnupg/secring.gpg:/mnt/gnupg:ro");
+    expect(reason?.blockedPath).toBe("/home/tester/.gnupg");
   });
 
   it("blocks canonical OS-home aliases for credential paths", () => {
@@ -77,12 +80,8 @@ describe("getBlockedBindReason", () => {
     symlinkSync(realHome, aliasHome);
     vi.stubEnv("HOME", aliasHome);
 
-    expect(getBlockedBindReason(`${join(realHome, ".ssh", "config")}:/mnt/ssh:ro`)).toEqual(
-      expect.objectContaining({
-        kind: "targets",
-        blockedPath: normalizePathForSnapshot(join(realHome, ".ssh")),
-      }),
-    );
+    const reason = expectBlockedTargetReason(`${join(realHome, ".ssh", "config")}:/mnt/ssh:ro`);
+    expect(reason?.blockedPath).toBe(normalizePathForSnapshot(join(realHome, ".ssh")));
   });
 });