From 610d836151b855804a907f877028c11d55291e7d Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Tue, 17 Mar 2026 09:49:07 +0000 Subject: [PATCH] test: merge audit gateway auth guardrail cases --- src/security/audit.test.ts | 77 ++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 41 deletions(-) diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts index 935bccd3322..ade9a3cdd73 100644 --- a/src/security/audit.test.ts +++ b/src/security/audit.test.ts @@ -348,7 +348,7 @@ description: test skill expect(summary?.detail).toContain("trust model: personal assistant"); }); - it("evaluates non-loopback gateway auth presence", async () => { + it("evaluates gateway auth presence and rate-limit guardrails", async () => { const cases = [ { name: "flags non-loopback bind without auth as critical", @@ -432,6 +432,41 @@ description: test skill expectNoFinding(res, "gateway.bind_no_auth"); }, }, + { + name: "warns when auth has no rate limit", + run: async () => + audit( + { + gateway: { + bind: "lan", + auth: { token: "secret" }, + }, + }, + { env: {} }, + ), + assert: (res: SecurityAuditReport) => { + expect(hasFinding(res, "gateway.auth_no_rate_limit", "warn")).toBe(true); + }, + }, + { + name: "does not warn when auth rate limit is configured", + run: async () => + audit( + { + gateway: { + bind: "lan", + auth: { + token: "secret", + rateLimit: { maxAttempts: 10, windowMs: 60_000, lockoutMs: 300_000 }, + }, + }, + }, + { env: {} }, + ), + assert: (res: SecurityAuditReport) => { + expectNoFinding(res, "gateway.auth_no_rate_limit"); + }, + }, ] as const; await Promise.all( 
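Review bot: The new `does not warn when auth rate limit is configured` case only exercises a fully populated `rateLimit` with non-zero values, so whether the audit accepts a degenerate limit is left unpinned; if the check only tests for the presence of the `rateLimit` object, a config such as `rateLimit: { maxAttempts: 0, windowMs: 60_000, lockoutMs: 300_000 }` (constructed example) would silence `gateway.auth_no_rate_limit` while providing no effective lockout. A third entry in the same `cases` table asserting the intended outcome for such values would close that gap. Both new cases also use `bind: "lan"` only, so the finding's behaviour for a loopback bind with auth is not covered here; presumably the audit scopes this warning by exposure the way the `bind_no_auth` cases do, which is worth confirming with one more case. The enclosing `it(...)` callback and the `cases` table begin before this hunk, and the `Promise.all` runner continues past it.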
@@ -442,46 +477,6 @@ description: test skill ); }); - it("evaluates gateway auth rate-limit warning based on configuration", async () => { - const cases: Array<{ - name: string; - cfg: OpenClawConfig; - expectWarn: boolean; - }> = [ - { - name: "no rate limit", - cfg: { - gateway: { - bind: "lan", - auth: { token: "secret" }, - }, - }, - expectWarn: true, - }, - { - name: "rate limit configured", - cfg: { - gateway: { - bind: "lan", - auth: { - token: "secret", - rateLimit: { maxAttempts: 10, windowMs: 60_000, lockoutMs: 300_000 }, - }, - }, - }, - expectWarn: false, - }, - ]; - await Promise.all( - cases.map(async (testCase) => { - const res = await audit(testCase.cfg, { env: {} }); - expect(hasFinding(res, "gateway.auth_no_rate_limit", "warn"), testCase.name).toBe( - testCase.expectWarn, - ); - }), - ); - }); - it("scores dangerous gateway.tools.allow over HTTP by exposure", async () => { const cases: Array<{ name: string;