diff --git a/src/gateway/server/ws-connection/auth-context.test.ts b/src/gateway/server/ws-connection/auth-context.test.ts
index 70476ac6a7c..6d696b67052 100644
--- a/src/gateway/server/ws-connection/auth-context.test.ts
+++ b/src/gateway/server/ws-connection/auth-context.test.ts
@@ -62,6 +62,29 @@ async function resolveDeviceTokenDecision(params: {
   });
 }
 
+async function resolveSuccessfulNodeBootstrapDecision(params: {
+  verifyBootstrapToken: VerifyBootstrapTokenFn;
+  verifyDeviceToken: VerifyDeviceTokenFn;
+}) {
+  return await resolveConnectAuthDecision({
+    state: createBaseState({
+      authResult: { ok: true, method: "tailscale" },
+      authOk: true,
+      authMethod: "tailscale",
+      bootstrapTokenCandidate: "bootstrap-token",
+      deviceTokenCandidate: undefined,
+      deviceTokenCandidateSource: undefined,
+    }),
+    hasDeviceIdentity: true,
+    deviceId: "dev-1",
+    publicKey: "pub-1",
+    role: "node",
+    scopes: [],
+    verifyBootstrapToken: params.verifyBootstrapToken,
+    verifyDeviceToken: params.verifyDeviceToken,
+  });
+}
+
 describe("resolveConnectAuthDecision", () => {
   it("keeps shared-secret mismatch when fallback device-token check fails", async () => {
     const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: false }));
@@ -190,20 +213,7 @@ describe("resolveConnectAuthDecision", () => {
   it("prefers a valid bootstrap token over an already successful shared auth path", async () => {
     const verifyBootstrapToken = vi.fn<VerifyBootstrapTokenFn>(async () => ({ ok: true }));
     const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: true }));
-    const decision = await resolveConnectAuthDecision({
-      state: createBaseState({
-        authResult: { ok: true, method: "tailscale" },
-        authOk: true,
-        authMethod: "tailscale",
-        bootstrapTokenCandidate: "bootstrap-token",
-        deviceTokenCandidate: undefined,
-        deviceTokenCandidateSource: undefined,
-      }),
-      hasDeviceIdentity: true,
-      deviceId: "dev-1",
-      publicKey: "pub-1",
-      role: "node",
-      scopes: [],
+    const decision = await resolveSuccessfulNodeBootstrapDecision({
       verifyBootstrapToken,
       verifyDeviceToken,
     });
@@ -219,20 +229,7 @@ describe("resolveConnectAuthDecision", () => {
       reason: "bootstrap_token_invalid",
     }));
     const verifyDeviceToken = vi.fn<VerifyDeviceTokenFn>(async () => ({ ok: true }));
-    const decision = await resolveConnectAuthDecision({
-      state: createBaseState({
-        authResult: { ok: true, method: "tailscale" },
-        authOk: true,
-        authMethod: "tailscale",
-        bootstrapTokenCandidate: "bootstrap-token",
-        deviceTokenCandidate: undefined,
-        deviceTokenCandidateSource: undefined,
-      }),
-      hasDeviceIdentity: true,
-      deviceId: "dev-1",
-      publicKey: "pub-1",
-      role: "node",
-      scopes: [],
+    const decision = await resolveSuccessfulNodeBootstrapDecision({
       verifyBootstrapToken,
       verifyDeviceToken,
     });