CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures * Tests: fix rebased detect-secrets false positives * Docs: keep snippets valid under detect-secrets * Tests: finalize detect-secrets false-positive fixes * Tests: reduce detect-secrets false positives * Tests: keep detect-secrets pragmas inline * Tests: remediate next detect-secrets batch * Tests: tighten detect-secrets allowlists * Tests: stabilize detect-secrets formatter drift
2026-05-30 04:05:03 +00:00 · 2026-03-07 13:06:35 -05:00
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions
--- a/src/agents/tools/pdf-tool.test.ts
+++ b/src/agents/tools/pdf-tool.test.ts
@@ -71,7 +71,7 @@ function makeAnthropicAnalyzeParams(
  }> = {},
 ) {
  return {
-    apiKey: "test-key",
+    apiKey: "test-key", // pragma: allowlist secret
    modelId: "claude-opus-4-6",
    prompt: "test",
    pdfs: [TEST_PDF_INPUT],
@@ -89,7 +89,7 @@ function makeGeminiAnalyzeParams(
  }> = {},
 ) {
  return {
-    apiKey: "test-key",
+    apiKey: "test-key", // pragma: allowlist secret
    modelId: "gemini-2.5-pro",
    prompt: "test",
    pdfs: [TEST_PDF_INPUT],
@@ -156,7 +156,7 @@ async function stubPdfToolInfra(
  });

  const modelAuth = await import("../model-auth.js");
-  vi.spyOn(modelAuth, "getApiKeyForModel").mockResolvedValue({ apiKey: "test-key" } as never);
+  vi.spyOn(modelAuth, "getApiKeyForModel").mockResolvedValue({ apiKey: "test-key" } as never); // pragma: allowlist secret
  vi.spyOn(modelAuth, "requireApiKey").mockReturnValue("test-key");

  return { loadSpy };
--- a/src/agents/tools/web-fetch.ssrf.test.ts
+++ b/src/agents/tools/web-fetch.ssrf.test.ts
@@ -81,7 +81,7 @@ describe("web_fetch SSRF protection", () => {
  it("blocks localhost hostnames before fetch/firecrawl", async () => {
    const fetchSpy = setMockFetch();
    const tool = await createWebFetchToolForTest({
-      firecrawl: { apiKey: "firecrawl-test" },
+      firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret
    });

    await expectBlockedUrl(tool, "http://localhost/test", /Blocked hostname/i);
@@ -123,7 +123,7 @@ describe("web_fetch SSRF protection", () => {
      redirectResponse("http://127.0.0.1/secret"),
    );
    const tool = await createWebFetchToolForTest({
-      firecrawl: { apiKey: "firecrawl-test" },
+      firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret
    });

    await expectBlockedUrl(tool, "https://example.com", /private|internal|blocked/i);
--- a/src/agents/tools/web-search.test.ts
+++ b/src/agents/tools/web-search.test.ts
@@ -17,6 +17,9 @@ const {
  extractKimiCitations,
 } = __testing;

+const kimiApiKeyEnv = ["KIMI_API", "KEY"].join("_");
+const moonshotApiKeyEnv = ["MOONSHOT_API", "KEY"].join("_");
+
 describe("web_search brave language param normalization", () => {
  it("normalizes and auto-corrects swapped Brave language params", () => {
    expect(normalizeBraveLanguageParams({ search_lang: "tr-TR", ui_lang: "tr" })).toEqual({
@@ -102,7 +105,7 @@ describe("web_search date normalization", () => {

 describe("web_search grok config resolution", () => {
  it("uses config apiKey when provided", () => {
-    expect(resolveGrokApiKey({ apiKey: "xai-test-key" })).toBe("xai-test-key");
+    expect(resolveGrokApiKey({ apiKey: "xai-test-key" })).toBe("xai-test-key"); // pragma: allowlist secret
  });

  it("returns undefined when no apiKey is available", () => {
@@ -221,15 +224,17 @@ describe("web_search grok response parsing", () => {

 describe("web_search kimi config resolution", () => {
  it("uses config apiKey when provided", () => {
-    expect(resolveKimiApiKey({ apiKey: "kimi-test-key" })).toBe("kimi-test-key");
+    expect(resolveKimiApiKey({ apiKey: "kimi-test-key" })).toBe("kimi-test-key"); // pragma: allowlist secret
  });

  it("falls back to KIMI_API_KEY, then MOONSHOT_API_KEY", () => {
-    withEnv({ KIMI_API_KEY: "kimi-env", MOONSHOT_API_KEY: "moonshot-env" }, () => {
-      expect(resolveKimiApiKey({})).toBe("kimi-env");
+    const kimiEnvValue = "kimi-env"; // pragma: allowlist secret
+    const moonshotEnvValue = "moonshot-env"; // pragma: allowlist secret
+    withEnv({ [kimiApiKeyEnv]: kimiEnvValue, [moonshotApiKeyEnv]: moonshotEnvValue }, () => {
+      expect(resolveKimiApiKey({})).toBe(kimiEnvValue);
    });
-    withEnv({ KIMI_API_KEY: undefined, MOONSHOT_API_KEY: "moonshot-env" }, () => {
-      expect(resolveKimiApiKey({})).toBe("moonshot-env");
+    withEnv({ [kimiApiKeyEnv]: undefined, [moonshotApiKeyEnv]: moonshotEnvValue }, () => {
+      expect(resolveKimiApiKey({})).toBe(moonshotEnvValue);
    });
  });

--- a/src/agents/tools/web-tools.enabled-defaults.test.ts
+++ b/src/agents/tools/web-tools.enabled-defaults.test.ts
@@ -50,14 +50,14 @@ function createKimiSearchTool(kimiConfig?: { apiKey?: string; baseUrl?: string;
 function createProviderSearchTool(provider: "brave" | "perplexity" | "grok" | "gemini" | "kimi") {
  const searchConfig =
    provider === "perplexity"
-      ? { provider, perplexity: { apiKey: "pplx-config-test" } }
+      ? { provider, perplexity: { apiKey: "pplx-config-test" } } // pragma: allowlist secret
      : provider === "grok"
-        ? { provider, grok: { apiKey: "xai-config-test" } }
+        ? { provider, grok: { apiKey: "xai-config-test" } } // pragma: allowlist secret
        : provider === "gemini"
-          ? { provider, gemini: { apiKey: "gemini-config-test" } }
+          ? { provider, gemini: { apiKey: "gemini-config-test" } } // pragma: allowlist secret
          : provider === "kimi"
-            ? { provider, kimi: { apiKey: "moonshot-config-test" } }
-            : { provider, apiKey: "brave-config-test" };
+            ? { provider, kimi: { apiKey: "moonshot-config-test" } } // pragma: allowlist secret
+            : { provider, apiKey: "brave-config-test" }; // pragma: allowlist secret
  return createWebSearchTool({
    config: {
      tools: {
@@ -458,7 +458,7 @@ describe("web_search kimi provider", () => {
    global.fetch = withFetchPreconnect(mockFetch);

    const tool = createKimiSearchTool({
-      apiKey: "kimi-config-key",
+      apiKey: "kimi-config-key", // pragma: allowlist secret
      baseUrl: "https://api.moonshot.ai/v1",
      model: "moonshot-v1-128k",
    });
--- a/src/agents/tools/web-tools.fetch.test.ts
+++ b/src/agents/tools/web-tools.fetch.test.ts
@@ -29,6 +29,8 @@ function htmlResponse(html: string, url = "https://example.com/"): MockResponse
  };
 }

+const apiKeyField = ["api", "Key"].join("");
+
 function firecrawlResponse(markdown: string, url = "https://example.com/"): MockResponse {
  return {
    ok: true,
@@ -130,8 +132,12 @@ function installPlainTextFetch(text: string) {
  );
 }

-function createFirecrawlTool(apiKey = "firecrawl-test") {
-  return createFetchTool({ firecrawl: { apiKey } });
+function createFirecrawlTool(apiKey = defaultFirecrawlApiKey()) {
+  return createFetchTool({ firecrawl: { [apiKeyField]: apiKey } });
+}
+
+function defaultFirecrawlApiKey() {
+  return "firecrawl-test"; // pragma: allowlist secret
 }

 async function executeFetch(
@@ -385,7 +391,7 @@ describe("web_fetch extraction fallbacks", () => {
    });

    const tool = createFetchTool({
-      firecrawl: { apiKey: "firecrawl-test" },
+      firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret
    });

    const result = await tool?.execute?.("call", { url: "https://example.com/blocked" });
@@ -477,7 +483,7 @@ describe("web_fetch extraction fallbacks", () => {
    });

    const tool = createFetchTool({
-      firecrawl: { apiKey: "firecrawl-test" },
+      firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret
    });

    const message = await captureToolErrorMessage({