Secrets: add inline allowlist review set (#38314)

* Secrets: add inline allowlist review set

* Secrets: narrow detect-secrets file exclusions

* Secrets: exclude Docker fingerprint false positive

* Secrets: allowlist test and docs false positives

* Secrets: refresh baseline after allowlist updates

* Secrets: fix gateway chat fixture pragma

* Secrets: format pre-commit config

* Android: keep talk mode fixture JSON valid

* Feishu: rely on client timeout injection

* Secrets: allowlist provider auth test fixtures

* Secrets: allowlist onboard search fixtures

* Secrets: allowlist onboard mode fixture

* Secrets: allowlist gateway auth mode fixture

* Secrets: allowlist APNS wake test key

* Secrets: allowlist gateway reload fixtures

* Secrets: allowlist moonshot video fixture

* Secrets: allowlist auto audio fixture

* Secrets: allowlist tiny audio fixture

* Secrets: allowlist embeddings fixtures

* Secrets: allowlist resolve fixtures

* Secrets: allowlist target registry pattern fixtures

* Secrets: allowlist gateway chat env fixture

* Secrets: refresh baseline after fixture allowlists

* Secrets: reapply gateway chat env allowlist

* Secrets: reapply gateway chat env allowlist

* Secrets: stabilize gateway chat env allowlist

* Secrets: allowlist runtime snapshot save fixture

* Secrets: allowlist oauth profile fixtures

* Secrets: allowlist compaction identifier fixture

* Secrets: allowlist model auth fixture

* Secrets: allowlist model status fixtures

* Secrets: allowlist custom onboarding fixture

* Secrets: allowlist mattermost token summary fixtures

* Secrets: allowlist gateway auth suite fixtures

* Secrets: allowlist channel summary fixture

* Secrets: allowlist provider usage auth fixtures

* Secrets: allowlist media proxy fixture

* Secrets: allowlist secrets audit fixtures

* Secrets: refresh baseline after final fixture allowlists

* Feishu: prefer explicit client timeout

* Feishu: test direct timeout precedence
This commit is contained in:
Vincent Koc
2026-03-06 19:35:26 -05:00
committed by GitHub
parent 3070fafec1
commit 42e3d8d693
80 changed files with 363 additions and 317 deletions


@@ -122,21 +122,21 @@ describe("secrets runtime snapshot", () => {
const snapshot = await prepareSecretsRuntimeSnapshot({
config,
env: {
OPENAI_API_KEY: "sk-env-openai",
GITHUB_TOKEN: "ghp-env-token",
REVIEW_SKILL_API_KEY: "sk-skill-ref",
MEMORY_REMOTE_API_KEY: "mem-ref-key",
TALK_API_KEY: "talk-ref-key",
TALK_PROVIDER_API_KEY: "talk-provider-ref-key",
OPENAI_API_KEY: "sk-env-openai", // pragma: allowlist secret
GITHUB_TOKEN: "ghp-env-token", // pragma: allowlist secret
REVIEW_SKILL_API_KEY: "sk-skill-ref", // pragma: allowlist secret
MEMORY_REMOTE_API_KEY: "mem-ref-key", // pragma: allowlist secret
TALK_API_KEY: "talk-ref-key", // pragma: allowlist secret
TALK_PROVIDER_API_KEY: "talk-provider-ref-key", // pragma: allowlist secret
REMOTE_GATEWAY_TOKEN: "remote-token-ref",
REMOTE_GATEWAY_PASSWORD: "remote-password-ref",
REMOTE_GATEWAY_PASSWORD: "remote-password-ref", // pragma: allowlist secret
TELEGRAM_BOT_TOKEN_REF: "telegram-bot-ref",
TELEGRAM_WEBHOOK_SECRET_REF: "telegram-webhook-ref",
TELEGRAM_WEBHOOK_SECRET_REF: "telegram-webhook-ref", // pragma: allowlist secret
TELEGRAM_WORK_BOT_TOKEN_REF: "telegram-work-ref",
SLACK_SIGNING_SECRET_REF: "slack-signing-ref",
SLACK_SIGNING_SECRET_REF: "slack-signing-ref", // pragma: allowlist secret
SLACK_WORK_BOT_TOKEN_REF: "slack-work-bot-ref",
SLACK_WORK_APP_TOKEN_REF: "slack-work-app-ref",
WEB_SEARCH_API_KEY: "web-search-ref",
WEB_SEARCH_API_KEY: "web-search-ref", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () =>
@@ -305,7 +305,7 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
WEB_SEARCH_API_KEY: "web-search-ref",
WEB_SEARCH_API_KEY: "web-search-ref", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -343,8 +343,8 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
WEB_SEARCH_API_KEY: "web-search-ref",
WEB_SEARCH_GEMINI_API_KEY: "web-search-gemini-ref",
WEB_SEARCH_API_KEY: "web-search-ref", // pragma: allowlist secret
WEB_SEARCH_GEMINI_API_KEY: "web-search-gemini-ref", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -374,7 +374,7 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
WEB_SEARCH_GEMINI_API_KEY: "web-search-gemini-ref",
WEB_SEARCH_GEMINI_API_KEY: "web-search-gemini-ref", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -399,7 +399,7 @@ describe("secrets runtime snapshot", () => {
{
providers: {
openai: {
apiKey: "sk-from-file-provider",
apiKey: "sk-from-file-provider", // pragma: allowlist secret
},
},
},
@@ -494,7 +494,7 @@ describe("secrets runtime snapshot", () => {
},
},
}),
env: { OPENAI_API_KEY: "sk-runtime" },
env: { OPENAI_API_KEY: "sk-runtime" }, // pragma: allowlist secret
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () =>
loadAuthStoreWithProfiles({
@@ -603,7 +603,7 @@ describe("secrets runtime snapshot", () => {
auth: {
mode: "password",
token: "local-token",
password: "local-password",
password: "local-password", // pragma: allowlist secret
},
remote: {
enabled: true,
@@ -642,7 +642,7 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
GATEWAY_PASSWORD_REF: "resolved-gateway-password",
GATEWAY_PASSWORD_REF: "resolved-gateway-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -680,7 +680,7 @@ describe("secrets runtime snapshot", () => {
auth: {
mode: "password",
token: { source: "env", provider: "default", id: "GATEWAY_TOKEN_REF" },
password: "password-123",
password: "password-123", // pragma: allowlist secret
},
},
}),
@@ -728,7 +728,7 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
GATEWAY_PASSWORD_REF: "resolved-gateway-password",
GATEWAY_PASSWORD_REF: "resolved-gateway-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -822,7 +822,7 @@ describe("secrets runtime snapshot", () => {
}),
env: {
REMOTE_TOKEN: "resolved-remote-token",
REMOTE_PASSWORD: "resolved-remote-password",
REMOTE_PASSWORD: "resolved-remote-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -846,7 +846,7 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
REMOTE_PASSWORD: "resolved-remote-password",
REMOTE_PASSWORD: "resolved-remote-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -980,8 +980,8 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
NEXTCLOUD_BOT_SECRET: "resolved-nextcloud-bot-secret",
NEXTCLOUD_API_PASSWORD: "resolved-nextcloud-api-password",
NEXTCLOUD_BOT_SECRET: "resolved-nextcloud-bot-secret", // pragma: allowlist secret
NEXTCLOUD_API_PASSWORD: "resolved-nextcloud-api-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -1022,8 +1022,8 @@ describe("secrets runtime snapshot", () => {
},
}),
env: {
NEXTCLOUD_WORK_BOT_SECRET: "resolved-nextcloud-work-bot-secret",
NEXTCLOUD_WORK_API_PASSWORD: "resolved-nextcloud-work-api-password",
NEXTCLOUD_WORK_BOT_SECRET: "resolved-nextcloud-work-bot-secret", // pragma: allowlist secret
NEXTCLOUD_WORK_API_PASSWORD: "resolved-nextcloud-work-api-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -1058,7 +1058,7 @@ describe("secrets runtime snapshot", () => {
}),
env: {
REMOTE_GATEWAY_TOKEN: "tailscale-remote-token",
REMOTE_GATEWAY_PASSWORD: "tailscale-remote-password",
REMOTE_GATEWAY_PASSWORD: "tailscale-remote-password", // pragma: allowlist secret
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
@@ -1931,7 +1931,7 @@ describe("secrets runtime snapshot", () => {
list: [{ id: "worker" }],
},
},
env: { OPENAI_API_KEY: "sk-runtime-worker" },
env: { OPENAI_API_KEY: "sk-runtime-worker" }, // pragma: allowlist secret
});
await expect(fs.access(workerStorePath)).rejects.toMatchObject({ code: "ENOENT" });