Secrets: add inline allowlist review set (#38314)

* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
2026-05-08 06:21:26 +00:00 · 2026-03-06 19:35:26 -05:00
parent 3070fafec1
commit 42e3d8d693
80 changed files with 363 additions and 317 deletions
--- a/src/media-understanding/providers/moonshot/video.test.ts
+++ b/src/media-understanding/providers/moonshot/video.test.ts
@@ -16,7 +16,7 @@ describe("describeMoonshotVideo", () => {
    const result = await describeMoonshotVideo({
      buffer: Buffer.from("video-bytes"),
      fileName: "clip.mp4",
-      apiKey: "moonshot-test",
+      apiKey: "moonshot-test", // pragma: allowlist secret
      timeoutMs: 1500,
      baseUrl: "https://api.moonshot.ai/v1/",
      model: "kimi-k2.5",
@@ -61,7 +61,7 @@ describe("describeMoonshotVideo", () => {
    const result = await describeMoonshotVideo({
      buffer: Buffer.from("video"),
      fileName: "clip.mp4",
-      apiKey: "moonshot-test",
+      apiKey: "moonshot-test", // pragma: allowlist secret
      timeoutMs: 1000,
      fetchFn,
    });
--- a/src/media-understanding/runner.auto-audio.test.ts
+++ b/src/media-understanding/runner.auto-audio.test.ts
@@ -120,7 +120,7 @@ describe("runCapability auto audio entries", () => {
    delete process.env.GROQ_API_KEY;
    delete process.env.DEEPGRAM_API_KEY;
    delete process.env.GEMINI_API_KEY;
-    process.env.MISTRAL_API_KEY = "mistral-test-key";
+    process.env.MISTRAL_API_KEY = "mistral-test-key"; // pragma: allowlist secret
    let runResult: Awaited<ReturnType<typeof runCapability>> | undefined;
    try {
      await withAudioFixture("openclaw-auto-audio-mistral", async ({ ctx, media, cache }) => {
@@ -140,7 +140,7 @@ describe("runCapability auto audio entries", () => {
          models: {
            providers: {
              mistral: {
-                apiKey: "mistral-test-key",
+                apiKey: "mistral-test-key", // pragma: allowlist secret
                models: [],
              },
            },
--- a/src/media-understanding/runner.proxy.test.ts
+++ b/src/media-understanding/runner.proxy.test.ts
@@ -25,7 +25,7 @@ async function runAudioCapabilityWithFetchCapture(params: {
      models: {
        providers: {
          openai: {
-            apiKey: "test-key",
+            apiKey: "test-key", // pragma: allowlist secret
            models: [],
          },
        },
@@ -80,7 +80,7 @@ describe("runCapability proxy fetch passthrough", () => {
          models: {
            providers: {
              moonshot: {
-                apiKey: "test-key",
+                apiKey: "test-key", // pragma: allowlist secret
                models: [],
              },
            },
--- a/src/media-understanding/runner.skip-tiny-audio.test.ts
+++ b/src/media-understanding/runner.skip-tiny-audio.test.ts
@@ -52,7 +52,7 @@ const AUDIO_CAPABILITY_CFG = {
  models: {
    providers: {
      openai: {
-        apiKey: "test-key",
+        apiKey: "test-key", // pragma: allowlist secret
        models: [],
      },
    },