diff --git a/internal/app/spfinal_test.go b/internal/app/spfinal_test.go
new file mode 100644
index 0000000..1683d92
--- /dev/null
+++ b/internal/app/spfinal_test.go
@@ -0,0 +1,65 @@
+package app
+
+import (
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/stub"
+	"hakurei.app/hst"
+	"hakurei.app/system"
+	"hakurei.app/system/acl"
+)
+
+func TestSpFinalOp(t *testing.T) {
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"nil extra invalid env", func(bool, bool) outcomeOp {
+			return spFinalOp{}
+		}, func() *hst.Config {
+			c := hst.Template()
+			// verify nil check behaviour
+			c.ExtraPerms = append(c.ExtraPerms, hst.ExtraPermConfig{})
+			// verify toContainer behaviour
+			c.Container.Env["="] = "\x00"
+			return c
+		}, nil, []stub.Call{
+			// this op configures the system state and does not make calls during toSystem
+		}, newI().
+			Ensure(m("/var/lib/hakurei/u0"), 0700).
+			UpdatePermType(system.User, m("/var/lib/hakurei/u0"),
+				acl.Execute).
+			UpdatePermType(system.User, m("/var/lib/hakurei/u0/org.chromium.Chromium"),
+				acl.Read, acl.Write, acl.Execute), nil, nil, func(state *outcomeStateParams) {
+			state.params.Ops = new(container.Ops)
+		}, []stub.Call{
+			// this op configures the container state and does not make calls during toContainer
+		}, nil, nil, &hst.AppError{
+			Step: "flatten environment",
+			Err:  syscall.EINVAL,
+			Msg:  "invalid environment variable =",
+		}},
+
+		{"success", func(bool, bool) outcomeOp {
+			return spFinalOp{}
+		}, hst.Template, nil, []stub.Call{
+			// this op configures the system state and does not make calls during toSystem
+		}, newI().
+			Ensure(m("/var/lib/hakurei/u0"), 0700).
+			UpdatePermType(system.User, m("/var/lib/hakurei/u0"),
+				acl.Execute).
+			UpdatePermType(system.User, m("/var/lib/hakurei/u0/org.chromium.Chromium"),
+				acl.Read, acl.Write, acl.Execute), nil, nil, func(state *outcomeStateParams) {
+			state.params.Ops = new(container.Ops)
+		}, []stub.Call{
+			// this op configures the container state and does not make calls during toContainer
+		}, &container.Params{
+			Env: []string{
+				"GOOGLE_API_KEY=AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+				"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
+				"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
+			},
+			Ops: new(container.Ops).Remount(fhs.AbsRoot, syscall.MS_RDONLY),
+		}, nil, nil},
+	})
+}