From 9c73ff741b9bb4bfe613debe4e4450090cceab4d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 10 May 2026 16:52:56 +0100
Subject: [PATCH] test: clear gateway startup secrets broad matchers

---
 .../server-startup-config.secrets.test.ts     | 133 ++++++++----------
 1 file changed, 59 insertions(+), 74 deletions(-)

diff --git a/src/gateway/server-startup-config.secrets.test.ts b/src/gateway/server-startup-config.secrets.test.ts
index 192790bb6f3..a40a44a605b 100644
--- a/src/gateway/server-startup-config.secrets.test.ts
+++ b/src/gateway/server-startup-config.secrets.test.ts
@@ -61,6 +61,12 @@ function preparedSnapshot(config: OpenClawConfig): PreparedSecretsRuntimeSnapsho
   };
 }
 
+function callArg<T>(mock: { mock: { calls: unknown[][] } }, index = 0): T {
+  const call = mock.mock.calls[index];
+  expect(call).toBeDefined();
+  return call?.[0] as T;
+}
+
 describe("gateway startup config secret preflight", () => {
   const previousSkipChannels = process.env.OPENCLAW_SKIP_CHANNELS;
   const previousSkipProviders = process.env.OPENCLAW_SKIP_PROVIDERS;
@@ -124,10 +130,12 @@ describe("gateway startup config secret preflight", () => {
       activate: false,
     });
 
-    expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledWith({
-      config: expect.any(Object),
-      loadAuthStore: loadAuthProfileStoreWithoutExternalProfiles,
-    });
+    const preflightInput = callArg<{
+      config?: unknown;
+      loadAuthStore?: unknown;
+    }>(prepareRuntimeSecretsSnapshot);
+    expect(typeof preflightInput.config).toBe("object");
+    expect(preflightInput.loadAuthStore).toBe(loadAuthProfileStoreWithoutExternalProfiles);
   });
 
   it("does not emit degraded or recovered events for warning-only secret reloads", async () => {
@@ -153,37 +161,33 @@ describe("gateway startup config secret preflight", () => {
       activateRuntimeSecretsSnapshot: vi.fn(),
     });
 
-    await expect(
-      activateRuntimeSecrets(
-        {
-          plugins: {
-            entries: {
-              google: {
-                enabled: true,
-                config: {
-                  webSearch: {
-                    apiKey: { source: "env", provider: "default", id: "MISSING_GEMINI_KEY" },
-                  },
-                },
+    const config = {
+      plugins: {
+        entries: {
+          google: {
+            enabled: true,
+            config: {
+              webSearch: {
+                apiKey: { source: "env", provider: "default", id: "MISSING_GEMINI_KEY" },
               },
             },
           },
         },
-        {
-          reason: "reload",
-          activate: true,
-        },
-      ),
-    ).resolves.toMatchObject({
-      warnings: [warning],
+      },
+    };
+    const result = await activateRuntimeSecrets(config, {
+      reason: "reload",
+      activate: true,
     });
+    expect(result.sourceConfig).toBe(config);
+    expect(result.config).toBe(config);
+    expect(result.warnings).toEqual([warning]);
     expect(logSecrets.warn).toHaveBeenCalledWith(
       "[WEB_SEARCH_KEY_UNRESOLVED_FALLBACK_USED] web search provider fell back to environment credentials",
     );
     expect(emitStateEvent).not.toHaveBeenCalled();
-    expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledWith({
-      config: expect.any(Object),
-    });
+    const preflightInput = callArg<{ config?: unknown }>(prepareRuntimeSecretsSnapshot);
+    expect(typeof preflightInput.config).toBe("object");
   });
 
   it.each(KNOWN_WEAK_GATEWAY_TOKEN_PLACEHOLDERS)(
@@ -259,22 +263,17 @@ describe("gateway startup config secret preflight", () => {
       }),
     );
 
-    await expect(
-      activateRuntimeSecrets(config, {
-        reason: "startup",
-        activate: false,
-      }),
-    ).resolves.toMatchObject({
-      config: expect.objectContaining({
-        gateway: expect.any(Object),
-      }),
-    });
-    expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledWith({
-      config: expect.not.objectContaining({
-        channels: expect.anything(),
-      }),
-      loadAuthStore: loadAuthProfileStoreWithoutExternalProfiles,
+    const result = await activateRuntimeSecrets(config, {
+      reason: "startup",
+      activate: false,
     });
+    expect(typeof result.config.gateway).toBe("object");
+    const preflightInput = callArg<{
+      config?: OpenClawConfig;
+      loadAuthStore?: unknown;
+    }>(prepareRuntimeSecretsSnapshot);
+    expect(preflightInput.config?.channels).toBeUndefined();
+    expect(preflightInput.loadAuthStore).toBe(loadAuthProfileStoreWithoutExternalProfiles);
   });
 
   it("honors startup auth overrides before secret preflight gating", async () => {
@@ -310,21 +309,15 @@ describe("gateway startup config secret preflight", () => {
       }),
     });
 
-    expect(result.auth).toMatchObject({
-      mode: "password",
-      password: "override-password",
-    });
-    expect(prepareRuntimeSecretsSnapshot).toHaveBeenNthCalledWith(1, {
-      config: expect.objectContaining({
-        gateway: expect.objectContaining({
-          auth: expect.objectContaining({
-            mode: "password",
-            password: "override-password",
-          }),
-        }),
-      }),
-      loadAuthStore: loadAuthProfileStoreWithoutExternalProfiles,
-    });
+    expect(result.auth.mode).toBe("password");
+    expect(result.auth.password).toBe("override-password");
+    const preflightInput = callArg<{
+      config?: OpenClawConfig;
+      loadAuthStore?: unknown;
+    }>(prepareRuntimeSecretsSnapshot);
+    expect(preflightInput.config?.gateway?.auth?.mode).toBe("password");
+    expect(preflightInput.config?.gateway?.auth?.password).toBe("override-password");
+    expect(preflightInput.loadAuthStore).toBe(loadAuthProfileStoreWithoutExternalProfiles);
     expect(activateRuntimeSecretsSnapshot).toHaveBeenCalledTimes(1);
   });
 
@@ -344,21 +337,15 @@ describe("gateway startup config secret preflight", () => {
       }),
     });
 
-    expect(result.auth).toMatchObject({
-      mode: "token",
-      token: "startup-test-token",
-    });
+    expect(result.auth.mode).toBe("token");
+    expect(result.auth.token).toBe("startup-test-token");
     expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledTimes(1);
-    expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledWith({
-      config: expect.objectContaining({
-        gateway: expect.objectContaining({
-          auth: expect.objectContaining({
-            token: "startup-test-token",
-          }),
-        }),
-      }),
-      loadAuthStore: loadAuthProfileStoreWithoutExternalProfiles,
-    });
+    const preflightInput = callArg<{
+      config?: OpenClawConfig;
+      loadAuthStore?: unknown;
+    }>(prepareRuntimeSecretsSnapshot);
+    expect(preflightInput.config?.gateway?.auth?.token).toBe("startup-test-token");
+    expect(preflightInput.loadAuthStore).toBe(loadAuthProfileStoreWithoutExternalProfiles);
   });
 
   it("uses gateway auth strings resolved during startup preflight for bootstrap auth", async () => {
@@ -401,10 +388,8 @@ describe("gateway startup config secret preflight", () => {
       }),
     });
 
-    expect(result.auth).toMatchObject({
-      mode: "token",
-      token: "resolved-gateway-token",
-    });
+    expect(result.auth.mode).toBe("token");
+    expect(result.auth.token).toBe("resolved-gateway-token");
     expect(prepareRuntimeSecretsSnapshot).toHaveBeenCalledTimes(2);
   });
 });