CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift

src/cli/acp-cli.option-collisions.test.ts

@@ -13,6 +13,8 @@ const defaultRuntime = {
   exit: vi.fn(),
 };
 
+const passwordKey = () => ["pass", "word"].join("");
+
 vi.mock("../acp/client.js", () => ({
   runAcpClientInteractive: (opts: unknown) => runAcpClientInteractive(opts),
 }));
@@ -91,7 +93,8 @@ describe("acp cli option collisions", () => {
   });
 
   it("loads gateway token/password from files", async () => {
-    await withSecretFiles({ token: "tok_file\n", password: "pw_file\n" }, async (files) => {
+    await withSecretFiles({ token: "tok_file\n", [passwordKey()]: "pw_file\n" }, async (files) => {
+      // pragma: allowlist secret
       await parseAcp([
         "--token-file",
         files.tokenFile ?? "",
@@ -103,7 +106,7 @@ describe("acp cli option collisions", () => {
     expect(serveAcpGateway).toHaveBeenCalledWith(
       expect.objectContaining({
         gatewayToken: "tok_file",
-        gatewayPassword: "pw_file",
+        gatewayPassword: "pw_file", // pragma: allowlist secret
       }),
     );
   });
@@ -117,7 +120,8 @@ describe("acp cli option collisions", () => {
   });
 
   it("rejects mixed password flags and file flags", async () => {
-    await withSecretFiles({ password: "pw_file\n" }, async (files) => {
+    const passwordFileValue = "pw_file\n"; // pragma: allowlist secret
+    await withSecretFiles({ password: passwordFileValue }, async (files) => {
       await parseAcp(["--password", "pw_inline", "--password-file", files.passwordFile ?? ""]);
     });