diff --git a/src/security/audit-gateway-auth-selection.test.ts b/src/security/audit-gateway-auth-selection.test.ts
index ca1c139ed6a..9767e60516f 100644
--- a/src/security/audit-gateway-auth-selection.test.ts
+++ b/src/security/audit-gateway-auth-selection.test.ts
@@ -3,6 +3,17 @@ import type { OpenClawConfig } from "../config/config.js";
 import { resolveGatewayProbeAuthSafe, resolveGatewayProbeTarget } from "../gateway/probe-auth.js";
 import { collectDeepProbeFindings } from "./audit-deep-probe-findings.js";
 
+function requireProbeAuthWarning(findings: ReturnType<typeof collectDeepProbeFindings>) {
+  const warning = findings.find(
+    (finding) => finding.checkId === "gateway.probe_auth_secretref_unavailable",
+  );
+  expect(warning).toBeDefined();
+  if (!warning) {
+    throw new Error("Expected gateway probe auth SecretRef warning");
+  }
+  return warning;
+}
+
 describe("security audit gateway auth selection", () => {
   it("applies gateway auth precedence across local and remote modes", async () => {
     const makeProbeEnv = (env?: { token?: string; password?: string }) => {
@@ -129,19 +140,21 @@ describe("security audit gateway auth selection", () => {
       mode: "local",
       env: {},
     });
-    const warning = collectDeepProbeFindings({
-      deep: {
-        gateway: {
-          attempted: true,
-          url: "ws://127.0.0.1:18789",
-          ok: true,
-          error: null,
-          close: null,
+    const warning = requireProbeAuthWarning(
+      collectDeepProbeFindings({
+        deep: {
+          gateway: {
+            attempted: true,
+            url: "ws://127.0.0.1:18789",
+            ok: true,
+            error: null,
+            close: null,
+          },
         },
-      },
-      authWarning: result.warning,
-    }).find((finding) => finding.checkId === "gateway.probe_auth_secretref_unavailable");
-    expect(warning?.severity).toBe("warn");
-    expect(warning?.detail).toContain("gateway.auth.token");
+        authWarning: result.warning,
+      }),
+    );
+    expect(warning.severity).toBe("warn");
+    expect(warning.detail).toContain("gateway.auth.token");
   });
 });