test: tighten security empty array assertions

src/secrets/command-config.test.ts

@@ -82,7 +82,7 @@ describe("collectCommandSecretAssignmentsFromSnapshot", () => {
       inactiveRefPaths: new Set(["agents.defaults.memorySearch.remote.apiKey"]),
     });
 
-    expect(result.assignments).toEqual([]);
+    expect(result.assignments).toStrictEqual([]);
     expect(result.diagnostics).toEqual([
       "agents.defaults.memorySearch.remote.apiKey: secret ref is configured on an inactive surface; skipping command-time assignment.",
     ]);

src/secrets/exec-secret-ref-id-parity.test.ts

@@ -226,7 +226,7 @@ describe("exec SecretRef id parity", () => {
   }
 
   it("derives sampled class coverage from target registry metadata", () => {
-    expect(unclassifiedTargetIds).toEqual([]);
+    expect(unclassifiedTargetIds).toStrictEqual([]);
     expect(sampledTargetsByClass.length).toBeGreaterThan(0);
   });
 

src/secrets/provider-env-vars.dynamic.test.ts

@@ -482,13 +482,13 @@ describe("provider env vars dynamic manifest metadata", () => {
         config: { plugins: {} },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
     expect(
       mod.getProviderEnvVars("workspace-setup", {
         config: { plugins: {} },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
     expect(
       mod.listKnownProviderAuthEnvVarNames({
         config: { plugins: {} },
@@ -558,7 +558,7 @@ describe("provider env vars dynamic manifest metadata", () => {
         },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
   });
 
   it("keeps selected workspace context engine env vars when requested", async () => {

src/secrets/runtime-external-channel-audit.test.ts

@@ -287,7 +287,7 @@ describe("secrets runtime externalized channel SecretRef audit", () => {
       "channels.zalo.accounts.work.botToken": "zalo-work-bot-token",
       "channels.zalo.accounts.work.webhookSecret": "zalo-work-webhook-secret",
     });
-    expect(snapshot.warnings).toEqual([]);
+    expect(snapshot.warnings).toStrictEqual([]);
     expectMetadataBackedContractsWereUsed();
   });
 

src/secrets/runtime-request-secret-refs.test.ts

@@ -38,7 +38,7 @@ describe("secrets runtime snapshot request secret refs", () => {
       loadAuthStore,
     });
 
-    expect(snapshot.authStores).toEqual([]);
+    expect(snapshot.authStores).toStrictEqual([]);
   });
 
   it("resolves model provider request secret refs for headers, auth, and tls material", async () => {

src/secrets/runtime-web-tools.test.ts

@@ -1120,7 +1120,7 @@ describe("runtime web tools resolution", () => {
     expect(resolveSpy).not.toHaveBeenCalled();
     expect(metadata.fetch.selectedProvider).toBeUndefined();
     expect(metadata.fetch.selectedProviderKeySource).toBeUndefined();
-    expect(context.warnings).toEqual([]);
+    expect(context.warnings).toStrictEqual([]);
     expect(resolveBundledExplicitWebFetchProvidersFromPublicArtifactsMock).not.toHaveBeenCalled();
     expect(resolveBundledWebFetchProvidersFromPublicArtifactsMock).not.toHaveBeenCalled();
     expect(resolvePluginWebFetchProvidersMock).not.toHaveBeenCalled();

src/security/audit-node-command-findings.test.ts

@@ -110,7 +110,7 @@ describe("security audit node command findings", () => {
       },
     } satisfies OpenClawConfig);
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
   });
 
   it("evaluates dangerous gateway.nodes.allowCommands findings", () => {

src/security/audit-plugin-code-safety.test.ts

@@ -9,6 +9,6 @@ describe("security audit plugin code safety gating", () => {
       deep: false,
     });
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
   });
 });

src/security/audit-plugin-readonly-scope.test.ts

@@ -147,7 +147,7 @@ describe("security audit read-only plugin scope", () => {
       loadPluginSecurityCollectors: false,
     });
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
     expect(getActivePluginRegistryMock).not.toHaveBeenCalled();
     expect(applyPluginAutoEnableMock).not.toHaveBeenCalled();
     expect(loadPluginMetadataRegistrySnapshotMock).not.toHaveBeenCalled();

src/security/dangerous-config-flags.test.ts

@@ -64,7 +64,7 @@ describe("collectEnabledInsecureOrDangerousFlags", () => {
           ]),
         },
       ),
-    ).toEqual([]);
+    ).toStrictEqual([]);
   });
 
   it("collects dangerous sandbox, hook, browser, and fs flags", () => {

src/security/dm-policy-shared.test.ts

@@ -35,7 +35,7 @@ describe("security/dm-policy-shared", () => {
       },
     });
     expect(called).toBe(false);
-    expect(storeAllowFrom).toEqual([]);
+    expect(storeAllowFrom).toStrictEqual([]);
   }
 
   function resolveCommandGate(overrides: {
@@ -77,7 +77,7 @@ describe("security/dm-policy-shared", () => {
         throw new Error("offline");
       },
     });
-    expect(state.configAllowFrom).toEqual([]);
+    expect(state.configAllowFrom).toStrictEqual([]);
     expect(state.hasWildcard).toBe(false);
     expect(state.allowCount).toBe(0);
     expect(state.isMultiUserDm).toBe(false);
@@ -158,7 +158,7 @@ describe("security/dm-policy-shared", () => {
       groupAllowFromFallbackToAllowFrom: false,
     });
     expect(lists.effectiveAllowFrom).toEqual(["owner", "paired-user"]);
-    expect(lists.effectiveGroupAllowFrom).toEqual([]);
+    expect(lists.effectiveGroupAllowFrom).toStrictEqual([]);
   });
 
   it("infers pinned main DM owner from a single configured allowlist entry", () => {

src/security/external-content.test.ts

@@ -35,7 +35,7 @@ function expectSuspiciousPatternDetection(content: string, expected: boolean) {
     expect(patterns.length).toBeGreaterThan(0);
     return;
   }
-  expect(patterns).toEqual([]);
+  expect(patterns).toStrictEqual([]);
 }
 
 describe("external-content security", () => {