CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift
Vincent Koc
2026-03-07 13:06:35 -05:00
committed by GitHub
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions


@@ -676,7 +676,7 @@ describe("applyAuthChoice", () => {
envValue: "gateway-ref-key",
profileId: "vercel-ai-gateway:default",
provider: "vercel-ai-gateway",
opts: { secretInputMode: "ref" },
opts: { secretInputMode: "ref" }, // pragma: allowlist secret
expectEnvPrompt: false,
expectedTextCalls: 1,
expectedKeyRef: { source: "env", provider: "default", id: "AI_GATEWAY_API_KEY" },
@@ -742,7 +742,7 @@ describe("applyAuthChoice", () => {
it("retries ref setup when provider preflight fails and can switch to env ref", async () => {
await setupTempState();
process.env.OPENAI_API_KEY = "sk-openai-env";
process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret
const selectValues: Array<"provider" | "env" | "filemain"> = ["provider", "filemain", "env"];
const select = vi.fn(async (params: Parameters<WizardPrompter["select"]>[0]) => {
@@ -783,7 +783,7 @@ describe("applyAuthChoice", () => {
prompter,
runtime,
setDefaultModel: false,
opts: { secretInputMode: "ref" },
opts: { secretInputMode: "ref" }, // pragma: allowlist secret
});
expect(result.config.auth?.profiles?.["openai:default"]).toMatchObject({
@@ -952,7 +952,7 @@ describe("applyAuthChoice", () => {
it("ignores legacy LiteLLM oauth profiles when selecting litellm-api-key", async () => {
await setupTempState();
process.env.LITELLM_API_KEY = "sk-litellm-test";
process.env.LITELLM_API_KEY = "sk-litellm-test"; // pragma: allowlist secret
const authProfilePath = authProfilePathForAgent(requireOpenClawAgentDir());
await fs.writeFile(
@@ -1018,7 +1018,7 @@ describe("applyAuthChoice", () => {
textValues: string[];
confirmValue: boolean;
opts?: {
secretInputMode?: "ref";
secretInputMode?: "ref"; // pragma: allowlist secret
cloudflareAiGatewayAccountId?: string;
cloudflareAiGatewayGatewayId?: string;
cloudflareAiGatewayApiKey?: string;
@@ -1046,7 +1046,7 @@ describe("applyAuthChoice", () => {
textValues: ["cf-account-id-ref", "cf-gateway-id-ref"],
confirmValue: true,
opts: {
secretInputMode: "ref",
secretInputMode: "ref", // pragma: allowlist secret
},
expectEnvPrompt: false,
expectedTextCalls: 3,
@@ -1062,7 +1062,7 @@ describe("applyAuthChoice", () => {
opts: {
cloudflareAiGatewayAccountId: "acc-direct",
cloudflareAiGatewayGatewayId: "gw-direct",
cloudflareAiGatewayApiKey: "cf-direct-key",
cloudflareAiGatewayApiKey: "cf-direct-key", // pragma: allowlist secret
},
expectEnvPrompt: false,
expectedTextCalls: 0,
@@ -1219,7 +1219,7 @@ describe("applyAuthChoice", () => {
baseUrl: "https://portal.qwen.ai/v1",
api: "openai-completions",
defaultModel: "qwen-portal/coder-model",
apiKey: "qwen-oauth",
apiKey: "qwen-oauth", // pragma: allowlist secret
},
{
authChoice: "minimax-portal",
@@ -1231,7 +1231,7 @@ describe("applyAuthChoice", () => {
baseUrl: "https://api.minimax.io/anthropic",
api: "anthropic-messages",
defaultModel: "minimax-portal/MiniMax-M2.5",
apiKey: "minimax-oauth",
apiKey: "minimax-oauth", // pragma: allowlist secret
selectValue: "oauth",
},
];
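Review bot: The `// pragma: allowlist secret` added to the one-line literals `opts: { secretInputMode: "ref" },` (hunks at 676 and 783) exempts the whole line from the scan, although `"ref"` is a mode value and not a credential. Any key-like field later added to the same literal would inherit that exemption and go unscanned. Breaking the literal across lines, so the pragma sits only on the `secretInputMode: "ref",` property as the hunk at 1046 already does, keeps the exemption as narrow as the finding. The pragmas on the placeholder-key lines (`"sk-openai-env"`, `"sk-litellm-test"`, `"cf-direct-key"`) look appropriately scoped. The `describe("applyAuthChoice", ...)` block starts and ends outside these hunks, and the scanner configuration is not visible here.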