fix(ci): stabilize include permission checks

extensions/bonjour/src/ciao.ts

@@ -56,7 +56,7 @@ export function classifyCiaoProcessError(reason: unknown): CiaoProcessErrorClass
   return null;
 }
 
-/** Backward-compatible alias for unhandled-rejection classification. */
+/** Alternate export name for unhandled-rejection classification. */
 export const classifyCiaoUnhandledRejection = classifyCiaoProcessError;
 
 /** Return whether a ciao unhandled rejection is known and ignorable. */

src/agents/cli-runner/helpers.ts

@@ -141,7 +141,7 @@ export function buildCliAgentSystemPrompt(params: {
   });
 }
 
-/** Back-compat alias for the CLI system prompt builder. */
+/** Alternate export name for the CLI system prompt builder. */
 export const buildSystemPrompt = buildCliAgentSystemPrompt;
 
 /** Applies backend model aliases to a requested CLI model id. */

src/security/audit-config-include-perms.test.ts

@@ -4,7 +4,6 @@ import os from "node:os";
 import path from "node:path";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { ConfigFileSnapshot } from "../config/types.openclaw.js";
-import { collectIncludeFilePermFindings } from "./audit-extra.async.js";
 
 const inspectPathPermissionsMock = vi.hoisted(() => vi.fn());
 
@@ -17,10 +16,12 @@ vi.mock("./audit-fs.js", () => ({
 
 describe("security audit config include permissions", () => {
   beforeEach(() => {
+    vi.resetModules();
     inspectPathPermissionsMock.mockReset();
   });
 
   it("flags group/world-readable config include files", async () => {
+    const { collectIncludeFilePermFindings } = await import("./audit-extra.async.js");
     const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-include-perms-"));
     const stateDir = path.join(tmp, "state");
     fs.mkdirSync(stateDir, { recursive: true, mode: 0o700 });