CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift
Vincent Koc
2026-03-07 13:06:35 -05:00
committed by GitHub
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions


@@ -10,6 +10,8 @@ import {
} from "./client.js";
import { extractAttachmentsFromPrompt, extractTextFromPrompt } from "./event-mapper.js";
const envVar = (...parts: string[]) => parts.join("_");
function makePermissionRequest(
overrides: Partial<RequestPermissionRequest> = {},
): RequestPermissionRequest {
@@ -62,42 +64,47 @@ describe("resolveAcpClientSpawnEnv", () => {
});
it("strips skill-injected env keys when stripKeys is provided", () => {
const stripKeys = new Set(["OPENAI_API_KEY", "ELEVENLABS_API_KEY"]);
const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
const elevenLabsApiKeyEnv = envVar("ELEVENLABS", "API", "KEY");
const anthropicApiKeyEnv = envVar("ANTHROPIC", "API", "KEY");
const stripKeys = new Set([openAiApiKeyEnv, elevenLabsApiKeyEnv]);
const env = resolveAcpClientSpawnEnv(
{
PATH: "/usr/bin",
OPENAI_API_KEY: "sk-leaked-from-skill",
ELEVENLABS_API_KEY: "el-leaked",
ANTHROPIC_API_KEY: "sk-keep-this",
[openAiApiKeyEnv]: "openai-test-value", // pragma: allowlist secret
[elevenLabsApiKeyEnv]: "elevenlabs-test-value", // pragma: allowlist secret
[anthropicApiKeyEnv]: "anthropic-test-value", // pragma: allowlist secret
},
{ stripKeys },
);
expect(env.PATH).toBe("/usr/bin");
expect(env.OPENCLAW_SHELL).toBe("acp-client");
expect(env.ANTHROPIC_API_KEY).toBe("sk-keep-this");
expect(env.ANTHROPIC_API_KEY).toBe("anthropic-test-value");
expect(env.OPENAI_API_KEY).toBeUndefined();
expect(env.ELEVENLABS_API_KEY).toBeUndefined();
});
it("does not modify the original baseEnv when stripping keys", () => {
const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
const baseEnv: NodeJS.ProcessEnv = {
OPENAI_API_KEY: "sk-original",
[openAiApiKeyEnv]: "openai-original", // pragma: allowlist secret
PATH: "/usr/bin",
};
const stripKeys = new Set(["OPENAI_API_KEY"]);
const stripKeys = new Set([openAiApiKeyEnv]);
resolveAcpClientSpawnEnv(baseEnv, { stripKeys });
expect(baseEnv.OPENAI_API_KEY).toBe("sk-original");
expect(baseEnv.OPENAI_API_KEY).toBe("openai-original");
});
it("preserves OPENCLAW_SHELL even when stripKeys contains it", () => {
const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY");
const env = resolveAcpClientSpawnEnv(
{
OPENCLAW_SHELL: "skill-overridden",
OPENAI_API_KEY: "sk-leaked",
[openAiApiKeyEnv]: "openai-leaked", // pragma: allowlist secret
},
{ stripKeys: new Set(["OPENCLAW_SHELL", "OPENAI_API_KEY"]) },
{ stripKeys: new Set(["OPENCLAW_SHELL", openAiApiKeyEnv]) },
);
expect(env.OPENCLAW_SHELL).toBe("acp-client");
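Review bot: The new `envVar` helper in the first hunk carries no comment saying why env names are assembled at runtime, and the next person touching this file is likely to inline it back to `"OPENAI_API_KEY"`; presumably it exists to keep literal `*_API_KEY` identifiers off fixture lines that the detect-secrets keyword heuristics flag. Suggest documenting that intent on the helper: `// Builds env var names at runtime so fixture lines carry no literal *_API_KEY identifiers (detect-secrets keyword heuristics); values on those lines still need "pragma: allowlist secret".` The indirection is also applied inconsistently: the fixture keys use `openAiApiKeyEnv`, but the expectations `expect(env.OPENAI_API_KEY).toBeUndefined()` and `expect(baseEnv.OPENAI_API_KEY).toBe("openai-original")` still spell the literal names, so either the literals are acceptable and the helper is unnecessary, or the assertions should read `env[openAiApiKeyEnv]` so the two halves cannot drift apart. The last `it` block in this section continues past the end of the hunk.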


@@ -180,7 +180,7 @@ describe("serveAcpGateway startup", () => {
it("passes resolved SecretInput gateway credentials to the ACP gateway client", async () => {
mockState.resolveGatewayCredentialsWithSecretInputs.mockResolvedValue({
token: undefined,
password: "resolved-secret-password",
password: "resolved-secret-password", // pragma: allowlist secret
});
const { signalHandlers, onceSpy } = captureProcessSignalHandlers();
@@ -195,7 +195,7 @@ describe("serveAcpGateway startup", () => {
);
expect(mockState.gatewayAuth[0]).toEqual({
token: undefined,
password: "resolved-secret-password",
password: "resolved-secret-password", // pragma: allowlist secret
});
const gateway = getMockGateway();
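Review bot: The fixture value `"resolved-secret-password"` is duplicated on two lines, each with its own `// pragma: allowlist secret`, and that pragma exempts the whole line from every detect-secrets plugin, so the two strings can drift apart (or one of them can later be edited to hold a real value) without the scanner noticing. A single fixture constant removes the duplication and needs one pragma: `const resolvedPassword = "resolved-secret-password"; // pragma: allowlist secret` with `password: resolvedPassword` in both the mock and the expectation. Keeping the value obviously synthetic is what makes the allowlist safe to carry. The `it` block these lines belong to starts before the first hunk and continues between the two.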