Secrets: add inline allowlist review set (#38314)

* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
2026-05-30 15:36:52 +00:00 · 2026-03-06 19:35:26 -05:00
parent 3070fafec1
commit 42e3d8d693
80 changed files with 363 additions and 317 deletions
--- a/src/gateway/credentials.ts
+++ b/src/gateway/credentials.ts
@@ -16,7 +16,7 @@ export type GatewayCredentialPrecedence = "env-first" | "config-first";
 export type GatewayRemoteCredentialPrecedence = "remote-first" | "env-first";
 export type GatewayRemoteCredentialFallback = "remote-env-local" | "remote-only";

-const GATEWAY_SECRET_REF_UNAVAILABLE_ERROR_CODE = "GATEWAY_SECRET_REF_UNAVAILABLE";
+const GATEWAY_SECRET_REF_UNAVAILABLE_ERROR_CODE = "GATEWAY_SECRET_REF_UNAVAILABLE"; // pragma: allowlist secret

 export class GatewaySecretRefUnavailableError extends Error {
  readonly code = GATEWAY_SECRET_REF_UNAVAILABLE_ERROR_CODE;
@@ -119,7 +119,7 @@ export function resolveGatewayCredentialsFromValues(params: {
      ? firstDefined([configToken, envToken])
      : firstDefined([envToken, configToken]);
  const password =
-    passwordPrecedence === "config-first"
+    passwordPrecedence === "config-first" // pragma: allowlist secret
      ? firstDefined([configPassword, envPassword])
      : firstDefined([envPassword, configPassword]);

@@ -158,7 +158,7 @@ export function resolveGatewayCredentialsFromConfig(params: {
      env,
      includeLegacyEnv,
      tokenPrecedence: "env-first",
-      passwordPrecedence: "env-first",
+      passwordPrecedence: "env-first", // pragma: allowlist secret
    });
  }

@@ -243,9 +243,9 @@ export function resolveGatewayCredentialsFromConfig(params: {
        ? firstDefined([envToken, remoteToken, localToken])
        : firstDefined([remoteToken, envToken, localToken]);
  const password =
-    remotePasswordFallback === "remote-only"
+    remotePasswordFallback === "remote-only" // pragma: allowlist secret
      ? remotePassword
-      : remotePasswordPrecedence === "env-first"
+      : remotePasswordPrecedence === "env-first" // pragma: allowlist secret
        ? firstDefined([envPassword, remotePassword, localPassword])
        : firstDefined([remotePassword, envPassword, localPassword]);

@@ -255,7 +255,7 @@ export function resolveGatewayCredentialsFromConfig(params: {
  const localTokenFallbackEnabled = remoteTokenFallback !== "remote-only";
  const localTokenFallback = remoteTokenFallback === "remote-only" ? undefined : localToken;
  const localPasswordFallback =
-    remotePasswordFallback === "remote-only" ? undefined : localPassword;
+    remotePasswordFallback === "remote-only" ? undefined : localPassword; // pragma: allowlist secret
  if (remoteTokenRef && !token && !envToken && !localTokenFallback && !password) {
    throwUnresolvedGatewaySecretInput("gateway.remote.token");
  }