From f35dbcc3289bf78dd7f61e5756ff646719afdf13 Mon Sep 17 00:00:00 2001
From: Shakker <shakkerdroid@gmail.com>
Date: Sat, 9 May 2026 05:09:12 +0100
Subject: [PATCH] test: tighten security empty array assertions

---
 src/secrets/command-config.test.ts                 | 2 +-
 src/secrets/exec-secret-ref-id-parity.test.ts      | 2 +-
 src/secrets/provider-env-vars.dynamic.test.ts      | 6 +++---
 src/secrets/runtime-external-channel-audit.test.ts | 2 +-
 src/secrets/runtime-request-secret-refs.test.ts    | 2 +-
 src/secrets/runtime-web-tools.test.ts              | 2 +-
 src/security/audit-node-command-findings.test.ts   | 2 +-
 src/security/audit-plugin-code-safety.test.ts      | 2 +-
 src/security/audit-plugin-readonly-scope.test.ts   | 2 +-
 src/security/dangerous-config-flags.test.ts        | 2 +-
 src/security/dm-policy-shared.test.ts              | 6 +++---
 src/security/external-content.test.ts              | 2 +-
 12 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/src/secrets/command-config.test.ts b/src/secrets/command-config.test.ts
index 3c4131d5372..924bf3eb4ca 100644
--- a/src/secrets/command-config.test.ts
+++ b/src/secrets/command-config.test.ts
@@ -82,7 +82,7 @@ describe("collectCommandSecretAssignmentsFromSnapshot", () => {
       inactiveRefPaths: new Set(["agents.defaults.memorySearch.remote.apiKey"]),
     });
 
-    expect(result.assignments).toEqual([]);
+    expect(result.assignments).toStrictEqual([]);
     expect(result.diagnostics).toEqual([
       "agents.defaults.memorySearch.remote.apiKey: secret ref is configured on an inactive surface; skipping command-time assignment.",
     ]);
diff --git a/src/secrets/exec-secret-ref-id-parity.test.ts b/src/secrets/exec-secret-ref-id-parity.test.ts
index 524db12c041..03679825227 100644
--- a/src/secrets/exec-secret-ref-id-parity.test.ts
+++ b/src/secrets/exec-secret-ref-id-parity.test.ts
@@ -226,7 +226,7 @@ describe("exec SecretRef id parity", () => {
   }
 
   it("derives sampled class coverage from target registry metadata", () => {
-    expect(unclassifiedTargetIds).toEqual([]);
+    expect(unclassifiedTargetIds).toStrictEqual([]);
     expect(sampledTargetsByClass.length).toBeGreaterThan(0);
   });
 
diff --git a/src/secrets/provider-env-vars.dynamic.test.ts b/src/secrets/provider-env-vars.dynamic.test.ts
index e401457fd21..1221e644d70 100644
--- a/src/secrets/provider-env-vars.dynamic.test.ts
+++ b/src/secrets/provider-env-vars.dynamic.test.ts
@@ -482,13 +482,13 @@ describe("provider env vars dynamic manifest metadata", () => {
         config: { plugins: {} },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
     expect(
       mod.getProviderEnvVars("workspace-setup", {
         config: { plugins: {} },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
     expect(
       mod.listKnownProviderAuthEnvVarNames({
         config: { plugins: {} },
@@ -558,7 +558,7 @@ describe("provider env vars dynamic manifest metadata", () => {
         },
         includeUntrustedWorkspacePlugins: false,
       }),
-    ).toEqual([]);
+    ).toStrictEqual([]);
   });
 
   it("keeps selected workspace context engine env vars when requested", async () => {
diff --git a/src/secrets/runtime-external-channel-audit.test.ts b/src/secrets/runtime-external-channel-audit.test.ts
index 58d623aaa92..98c22aeeb11 100644
--- a/src/secrets/runtime-external-channel-audit.test.ts
+++ b/src/secrets/runtime-external-channel-audit.test.ts
@@ -287,7 +287,7 @@ describe("secrets runtime externalized channel SecretRef audit", () => {
       "channels.zalo.accounts.work.botToken": "zalo-work-bot-token",
       "channels.zalo.accounts.work.webhookSecret": "zalo-work-webhook-secret",
     });
-    expect(snapshot.warnings).toEqual([]);
+    expect(snapshot.warnings).toStrictEqual([]);
     expectMetadataBackedContractsWereUsed();
   });
 
diff --git a/src/secrets/runtime-request-secret-refs.test.ts b/src/secrets/runtime-request-secret-refs.test.ts
index 0bd95eba901..1db96bedeea 100644
--- a/src/secrets/runtime-request-secret-refs.test.ts
+++ b/src/secrets/runtime-request-secret-refs.test.ts
@@ -38,7 +38,7 @@ describe("secrets runtime snapshot request secret refs", () => {
       loadAuthStore,
     });
 
-    expect(snapshot.authStores).toEqual([]);
+    expect(snapshot.authStores).toStrictEqual([]);
   });
 
   it("resolves model provider request secret refs for headers, auth, and tls material", async () => {
diff --git a/src/secrets/runtime-web-tools.test.ts b/src/secrets/runtime-web-tools.test.ts
index d7df13a71c5..ae1149ed546 100644
--- a/src/secrets/runtime-web-tools.test.ts
+++ b/src/secrets/runtime-web-tools.test.ts
@@ -1120,7 +1120,7 @@ describe("runtime web tools resolution", () => {
     expect(resolveSpy).not.toHaveBeenCalled();
     expect(metadata.fetch.selectedProvider).toBeUndefined();
     expect(metadata.fetch.selectedProviderKeySource).toBeUndefined();
-    expect(context.warnings).toEqual([]);
+    expect(context.warnings).toStrictEqual([]);
     expect(resolveBundledExplicitWebFetchProvidersFromPublicArtifactsMock).not.toHaveBeenCalled();
     expect(resolveBundledWebFetchProvidersFromPublicArtifactsMock).not.toHaveBeenCalled();
     expect(resolvePluginWebFetchProvidersMock).not.toHaveBeenCalled();
diff --git a/src/security/audit-node-command-findings.test.ts b/src/security/audit-node-command-findings.test.ts
index 7247b2608ec..f56adb96c99 100644
--- a/src/security/audit-node-command-findings.test.ts
+++ b/src/security/audit-node-command-findings.test.ts
@@ -110,7 +110,7 @@ describe("security audit node command findings", () => {
       },
     } satisfies OpenClawConfig);
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
   });
 
   it("evaluates dangerous gateway.nodes.allowCommands findings", () => {
diff --git a/src/security/audit-plugin-code-safety.test.ts b/src/security/audit-plugin-code-safety.test.ts
index 3a5db98e392..6b7ee547c7b 100644
--- a/src/security/audit-plugin-code-safety.test.ts
+++ b/src/security/audit-plugin-code-safety.test.ts
@@ -9,6 +9,6 @@ describe("security audit plugin code safety gating", () => {
       deep: false,
     });
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
   });
 });
diff --git a/src/security/audit-plugin-readonly-scope.test.ts b/src/security/audit-plugin-readonly-scope.test.ts
index 200b30999a4..41a6ed3c18a 100644
--- a/src/security/audit-plugin-readonly-scope.test.ts
+++ b/src/security/audit-plugin-readonly-scope.test.ts
@@ -147,7 +147,7 @@ describe("security audit read-only plugin scope", () => {
       loadPluginSecurityCollectors: false,
     });
 
-    expect(findings).toEqual([]);
+    expect(findings).toStrictEqual([]);
     expect(getActivePluginRegistryMock).not.toHaveBeenCalled();
     expect(applyPluginAutoEnableMock).not.toHaveBeenCalled();
     expect(loadPluginMetadataRegistrySnapshotMock).not.toHaveBeenCalled();
diff --git a/src/security/dangerous-config-flags.test.ts b/src/security/dangerous-config-flags.test.ts
index bd14bf2ba13..bcb8f12994b 100644
--- a/src/security/dangerous-config-flags.test.ts
+++ b/src/security/dangerous-config-flags.test.ts
@@ -64,7 +64,7 @@ describe("collectEnabledInsecureOrDangerousFlags", () => {
           ]),
         },
       ),
-    ).toEqual([]);
+    ).toStrictEqual([]);
   });
 
   it("collects dangerous sandbox, hook, browser, and fs flags", () => {
diff --git a/src/security/dm-policy-shared.test.ts b/src/security/dm-policy-shared.test.ts
index f1d7d869116..bbd6b322fe4 100644
--- a/src/security/dm-policy-shared.test.ts
+++ b/src/security/dm-policy-shared.test.ts
@@ -35,7 +35,7 @@ describe("security/dm-policy-shared", () => {
       },
     });
     expect(called).toBe(false);
-    expect(storeAllowFrom).toEqual([]);
+    expect(storeAllowFrom).toStrictEqual([]);
   }
 
   function resolveCommandGate(overrides: {
@@ -77,7 +77,7 @@ describe("security/dm-policy-shared", () => {
         throw new Error("offline");
       },
     });
-    expect(state.configAllowFrom).toEqual([]);
+    expect(state.configAllowFrom).toStrictEqual([]);
     expect(state.hasWildcard).toBe(false);
     expect(state.allowCount).toBe(0);
     expect(state.isMultiUserDm).toBe(false);
@@ -158,7 +158,7 @@ describe("security/dm-policy-shared", () => {
       groupAllowFromFallbackToAllowFrom: false,
     });
     expect(lists.effectiveAllowFrom).toEqual(["owner", "paired-user"]);
-    expect(lists.effectiveGroupAllowFrom).toEqual([]);
+    expect(lists.effectiveGroupAllowFrom).toStrictEqual([]);
   });
 
   it("infers pinned main DM owner from a single configured allowlist entry", () => {
diff --git a/src/security/external-content.test.ts b/src/security/external-content.test.ts
index 8d60f0e5f51..a4997053a71 100644
--- a/src/security/external-content.test.ts
+++ b/src/security/external-content.test.ts
@@ -35,7 +35,7 @@ function expectSuspiciousPatternDetection(content: string, expected: boolean) {
     expect(patterns.length).toBeGreaterThan(0);
     return;
   }
-  expect(patterns).toEqual([]);
+  expect(patterns).toStrictEqual([]);
 }
 
 describe("external-content security", () => {