From ab16feb5bfabce2f0aebff51125add46a09fb99a Mon Sep 17 00:00:00 2001
From: Shakker
Date: Fri, 8 May 2026 21:11:30 +0100
Subject: [PATCH] test: tighten gateway exposure assertions
---
 src/security/audit-gateway-exposure.test.ts | 31 +++++++++++++--------
 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/security/audit-gateway-exposure.test.ts b/src/security/audit-gateway-exposure.test.ts
index 933c7b2bb66..b5f3c7d33ae 100644
--- a/src/security/audit-gateway-exposure.test.ts
+++ b/src/security/audit-gateway-exposure.test.ts
@@ -10,6 +10,20 @@ function hasFinding(
 return findings.some((finding) => finding.checkId === checkId && finding.severity === severity);
 }
 
+function requireDangerousFlagsFinding(
+ findings: ReturnType,
+ label: string,
+) {
+ const finding = findings.find((entry) => entry.checkId === "config.insecure_or_dangerous_flags");
+ expect(finding, label).toMatchObject({
+ checkId: "config.insecure_or_dangerous_flags",
+ });
+ if (!finding) {
+ throw new Error(`Expected dangerous flags finding for ${label}`);
+ }
+ return finding;
+}
+
 describe("security audit gateway exposure findings", () => {
 it("warns on insecure or dangerous flags", () => {
 const cases = [
@@ -69,15 +83,10 @@ describe("security audit gateway exposure findings", () => {
 expect.arrayContaining([expect.objectContaining(testCase.expectedFinding)]),
 );
 }
- const finding = findings.find(
- (entry) => entry.checkId === "config.insecure_or_dangerous_flags",
- );
- expect(finding, testCase.name).toMatchObject({
- checkId: "config.insecure_or_dangerous_flags",
- });
- expect(finding?.severity, testCase.name).toBe("warn");
+ const finding = requireDangerousFlagsFinding(findings, testCase.name);
+ expect(finding.severity, testCase.name).toBe("warn");
 for (const snippet of testCase.expectedDangerousDetails) {
- expect(finding?.detail, `${testCase.name}:${snippet}`).toContain(snippet);
+ expect(finding.detail, `${testCase.name}:${snippet}`).toContain(snippet);
 }
 }
 });
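Review bot: `findings: ReturnType,` in the new `requireDangerousFlagsFinding` signature carries no type argument, and `ReturnType` without one does not compile; if the angle-bracketed argument was stripped when this patch was rendered the committed file is fine, otherwise the parameter needs the audit's findings type (placeholder: `ReturnType<typeof AUDIT_FUNCTION>` or an exported findings type). The `expect(finding, label).toMatchObject({ checkId: ... })` that follows only restates the `find` predicate, so the one failure it can report is `finding` being `undefined`; `expect(finding, label).toBeDefined();` says that directly, with the `if (!finding) throw` kept as the type narrowing. Because `find` returns only the first finding with this checkId, the callers' per-snippet `detail` checks appear to rely on the audit reporting every dangerous flag in a single aggregated finding; a one-line comment on the helper such as `// Expects one aggregated finding whose detail lists every dangerous flag.` would make that coupling explicit.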
@@ -150,10 +159,8 @@ describe("security audit gateway exposure findings", () => {
 expect(
 findings.some((finding) => finding.checkId === "gateway.control_ui.allowed_origins_required"),
 ).toBe(false);
- const flags = findings.find(
- (finding) => finding.checkId === "config.insecure_or_dangerous_flags",
- );
- expect(flags?.detail ?? "").toContain(
+ const flags = requireDangerousFlagsFinding(findings, "host header origin fallback");
+ expect(flags.detail).toContain(
 "gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true",
 );
 });
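Review bot: The host-header-fallback case now checks that the dangerous-flags finding exists and that its detail names `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true`, but unlike the per-case loop earlier in this file it never pins the finding's severity, so a change that reported this flag at a lower level would still pass. If the fallback is meant to be reported at the same level as the other dangerous flags, add `expect(flags.severity).toBe("warn");` directly after the `requireDangerousFlagsFinding` call (confirm the intended level against the audit rather than assuming it). The enclosing `it` callback begins before this hunk.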