refactor: share startup auth token assertions

src/gateway/startup-auth.test.ts

@@ -53,6 +53,28 @@ describe("ensureGatewayStartupAuth", () => {
     expect(mocks.writeConfigFile).not.toHaveBeenCalled();
   }
 
+  async function expectResolvedToken(params: {
+    cfg: OpenClawConfig;
+    env: NodeJS.ProcessEnv;
+    expectedToken: string;
+    expectedConfiguredToken?: unknown;
+  }) {
+    const result = await ensureGatewayStartupAuth({
+      cfg: params.cfg,
+      env: params.env,
+      persist: true,
+    });
+
+    expect(result.generatedToken).toBeUndefined();
+    expect(result.persistedGeneratedToken).toBe(false);
+    expect(result.auth.mode).toBe("token");
+    expect(result.auth.token).toBe(params.expectedToken);
+    if ("expectedConfiguredToken" in params) {
+      expect(result.cfg.gateway?.auth?.token).toEqual(params.expectedConfiguredToken);
+    }
+    expect(mocks.writeConfigFile).not.toHaveBeenCalled();
+  }
+
   it("generates and persists a token when startup auth is missing", async () => {
     const result = await ensureGatewayStartupAuth({
       cfg: {},
@@ -138,7 +160,7 @@ describe("ensureGatewayStartupAuth", () => {
   });
 
   it("resolves gateway.auth.token SecretRef before startup auth checks", async () => {
-    const result = await ensureGatewayStartupAuth({
+    await expectResolvedToken({
       cfg: {
         gateway: {
           auth: {
@@ -155,23 +177,17 @@ describe("ensureGatewayStartupAuth", () => {
       env: {
         GW_TOKEN: "resolved-token",
       } as NodeJS.ProcessEnv,
-      persist: true,
+      expectedToken: "resolved-token",
+      expectedConfiguredToken: {
+        source: "env",
+        provider: "default",
+        id: "GW_TOKEN",
+      },
     });
-
-    expect(result.generatedToken).toBeUndefined();
-    expect(result.persistedGeneratedToken).toBe(false);
-    expect(result.auth.mode).toBe("token");
-    expect(result.auth.token).toBe("resolved-token");
-    expect(result.cfg.gateway?.auth?.token).toEqual({
-      source: "env",
-      provider: "default",
-      id: "GW_TOKEN",
-    });
-    expect(mocks.writeConfigFile).not.toHaveBeenCalled();
   });
 
   it("resolves env-template gateway.auth.token before env-token short-circuiting", async () => {
-    const result = await ensureGatewayStartupAuth({
+    await expectResolvedToken({
       cfg: {
         gateway: {
           auth: {
@@ -183,19 +199,13 @@ describe("ensureGatewayStartupAuth", () => {
       env: {
         OPENCLAW_GATEWAY_TOKEN: "resolved-token",
       } as NodeJS.ProcessEnv,
-      persist: true,
+      expectedToken: "resolved-token",
+      expectedConfiguredToken: "${OPENCLAW_GATEWAY_TOKEN}",
     });
-
-    expect(result.generatedToken).toBeUndefined();
-    expect(result.persistedGeneratedToken).toBe(false);
-    expect(result.auth.mode).toBe("token");
-    expect(result.auth.token).toBe("resolved-token");
-    expect(result.cfg.gateway?.auth?.token).toBe("${OPENCLAW_GATEWAY_TOKEN}");
-    expect(mocks.writeConfigFile).not.toHaveBeenCalled();
   });
 
   it("uses OPENCLAW_GATEWAY_TOKEN without resolving configured token SecretRef", async () => {
-    const result = await ensureGatewayStartupAuth({
+    await expectResolvedToken({
       cfg: {
         gateway: {
           auth: {
@@ -212,14 +222,8 @@ describe("ensureGatewayStartupAuth", () => {
       env: {
         OPENCLAW_GATEWAY_TOKEN: "token-from-env",
       } as NodeJS.ProcessEnv,
-      persist: true,
+      expectedToken: "token-from-env",
     });
-
-    expect(result.generatedToken).toBeUndefined();
-    expect(result.persistedGeneratedToken).toBe(false);
-    expect(result.auth.mode).toBe("token");
-    expect(result.auth.token).toBe("token-from-env");
-    expect(mocks.writeConfigFile).not.toHaveBeenCalled();
   });
 
   it("fails when gateway.auth.token SecretRef is active and unresolved", async () => {