From c6f2fa5c6fe157c9ffb663b51c1b436a4db38bf3 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sat, 9 May 2026 15:41:14 +0100
Subject: [PATCH] test: tighten sandbox policy assertions

---
 src/agents/sandbox/sanitize-env-vars.test.ts | 4 ++--
 src/agents/sandbox/tool-policy.test.ts       | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/agents/sandbox/sanitize-env-vars.test.ts b/src/agents/sandbox/sanitize-env-vars.test.ts
index 0389b29c0e5..c52bec4a4f7 100644
--- a/src/agents/sandbox/sanitize-env-vars.test.ts
+++ b/src/agents/sandbox/sanitize-env-vars.test.ts
@@ -14,7 +14,7 @@ describe("sanitizeEnvVars", () => {
       NODE_ENV: "test",
       FOO: "bar",
     });
-    expect(result.blocked).toEqual(expect.arrayContaining(["OPENAI_API_KEY", "GITHUB_TOKEN"]));
+    expect(result.blocked).toStrictEqual(["OPENAI_API_KEY", "GITHUB_TOKEN"]);
   });
 
   it("blocks credentials even when suffix pattern matches", () => {
@@ -25,7 +25,7 @@ describe("sanitizeEnvVars", () => {
     });
 
     expect(result.allowed).toEqual({ USER: "alice" });
-    expect(result.blocked).toEqual(expect.arrayContaining(["MY_TOKEN", "MY_SECRET"]));
+    expect(result.blocked).toStrictEqual(["MY_TOKEN", "MY_SECRET"]);
   });
 
   it("adds warnings for suspicious values", () => {
diff --git a/src/agents/sandbox/tool-policy.test.ts b/src/agents/sandbox/tool-policy.test.ts
index f9e94fc872f..5d9038a25e6 100644
--- a/src/agents/sandbox/tool-policy.test.ts
+++ b/src/agents/sandbox/tool-policy.test.ts
@@ -137,14 +137,18 @@ describe("sandbox/tool-policy", () => {
     };
 
     const sandbox = resolveSandboxConfigForAgent(cfg, "tavern");
-    expect(sandbox.tools.allow).toEqual(expect.arrayContaining(["browser", "message", "tts"]));
+    expect(sandbox.tools.allow).toContain("browser");
+    expect(sandbox.tools.allow).toContain("message");
+    expect(sandbox.tools.allow).toContain("tts");
     expect(sandbox.tools.deny).not.toContain("browser");
 
     const runtime = resolveSandboxRuntimeStatus({
       cfg,
       sessionKey: "agent:tavern:main",
     });
-    expect(runtime.toolPolicy.allow).toEqual(expect.arrayContaining(["browser", "message", "tts"]));
+    expect(runtime.toolPolicy.allow).toContain("browser");
+    expect(runtime.toolPolicy.allow).toContain("message");
+    expect(runtime.toolPolicy.allow).toContain("tts");
     expect(runtime.toolPolicy.deny).not.toContain("browser");
   });