Secrets: add inline allowlist review set (#38314)

* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
2026-05-10 09:42:44 +00:00 · 2026-03-06 19:35:26 -05:00
parent 3070fafec1
commit 42e3d8d693
80 changed files with 363 additions and 317 deletions
--- a/src/commands/onboard-search.test.ts
+++ b/src/commands/onboard-search.test.ts
@@ -121,7 +121,7 @@ describe("setupSearch", () => {
        web: {
          search: {
            provider: "perplexity",
-            perplexity: { apiKey: "existing-key" },
+            perplexity: { apiKey: "existing-key" }, // pragma: allowlist secret
          },
        },
      },
@@ -142,7 +142,7 @@ describe("setupSearch", () => {
          search: {
            provider: "perplexity",
            enabled: false,
-            perplexity: { apiKey: "existing-key" },
+            perplexity: { apiKey: "existing-key" }, // pragma: allowlist secret
          },
        },
      },
@@ -162,7 +162,7 @@ describe("setupSearch", () => {
        web: {
          search: {
            provider: "perplexity",
-            perplexity: { apiKey: "stored-pplx-key" },
+            perplexity: { apiKey: "stored-pplx-key" }, // pragma: allowlist secret
          },
        },
      },
@@ -184,7 +184,7 @@ describe("setupSearch", () => {
          search: {
            provider: "perplexity",
            enabled: false,
-            perplexity: { apiKey: "stored-pplx-key" },
+            perplexity: { apiKey: "stored-pplx-key" }, // pragma: allowlist secret
          },
        },
      },
@@ -212,7 +212,7 @@ describe("setupSearch", () => {

  it("quickstart skips key prompt when env var is available", async () => {
    const orig = process.env.BRAVE_API_KEY;
-    process.env.BRAVE_API_KEY = "env-brave-key";
+    process.env.BRAVE_API_KEY = "env-brave-key"; // pragma: allowlist secret
    try {
      const cfg: OpenClawConfig = {};
      const { prompter } = createPrompter({ selectValue: "brave" });
@@ -235,13 +235,13 @@ describe("setupSearch", () => {
    const cfg: OpenClawConfig = {};
    const { prompter } = createPrompter({ selectValue: "perplexity" });
    const result = await setupSearch(cfg, runtime, prompter, {
-      secretInputMode: "ref",
+      secretInputMode: "ref", // pragma: allowlist secret
    });
    expect(result.tools?.web?.search?.provider).toBe("perplexity");
    expect(result.tools?.web?.search?.perplexity?.apiKey).toEqual({
      source: "env",
      provider: "default",
-      id: "PERPLEXITY_API_KEY",
+      id: "PERPLEXITY_API_KEY", // pragma: allowlist secret
    });
    expect(prompter.text).not.toHaveBeenCalled();
  });
@@ -250,7 +250,7 @@ describe("setupSearch", () => {
    const cfg: OpenClawConfig = {};
    const { prompter } = createPrompter({ selectValue: "brave" });
    const result = await setupSearch(cfg, runtime, prompter, {
-      secretInputMode: "ref",
+      secretInputMode: "ref", // pragma: allowlist secret
    });
    expect(result.tools?.web?.search?.provider).toBe("brave");
    expect(result.tools?.web?.search?.apiKey).toEqual({