diff --git a/.detect-secrets.cfg b/.detect-secrets.cfg index e40a4a1689e..3ab7ebb69b5 100644 --- a/.detect-secrets.cfg +++ b/.detect-secrets.cfg @@ -26,3 +26,18 @@ pattern = === "string" pattern = typeof remote\?\.password === "string" # Docker apt signing key fingerprint constant; not a secret. pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT= +# Credential matrix metadata field in docs JSON; not a secret value. +pattern = "secretShape": "(secret_input|sibling_ref)" +# Docs line describing API key rotation knobs; not a credential. +pattern = API key rotation \(provider-specific\): set `\*_API_KEYS` +# Docs line describing remote password precedence; not a credential. +pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd` +pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd` +# Test fixture starts a multiline fake private key; detector should ignore the header line. +pattern = const key = `-----BEGIN PRIVATE KEY----- +# Docs examples: literal placeholder API key snippets and shell heredoc helper. +pattern = export CUSTOM_API_K[E]Y="your-key" +pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF' +pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \}, +pattern = "ap[i]Key": "xxxxx", +pattern = ap[i]Key: "A[I]za\.\.\.", diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 296660d1014..6fcc25e7279 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -49,6 +49,26 @@ repos: - 'typeof remote\?\.password === "string"' - --exclude-lines - "OPENCLAW_DOCKER_GPG_FINGERPRINT=" + - --exclude-lines + - '"secretShape": "(secret_input|sibling_ref)"' + - --exclude-lines + - 'API key rotation \(provider-specific\): set `\*_API_KEYS`' + - --exclude-lines + - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`' + - --exclude-lines + - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`' + - --exclude-files + - '^src/gateway/client\.watchdog\.test\.ts$' + - --exclude-lines + - 'export CUSTOM_API_K[E]Y="your-key"' + - --exclude-lines + - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF''' + - --exclude-lines + - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},' + - --exclude-lines + - '"ap[i]Key": "xxxxx",' + - --exclude-lines + - 'ap[i]Key: "A[I]za\.\.\.",' # Shell script linting - repo: https://github.com/koalaman/shellcheck-precommit rev: v0.11.0 diff --git a/.secrets.baseline b/.secrets.baseline index 0df5fc0b733..c87d9d58a2e 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -128,7 +128,8 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - "(^|/)pnpm-lock\\.yaml$" + "(^|/)pnpm-lock\\.yaml$", + "^src/gateway/client\\.watchdog\\.test\\.ts$" ] }, { @@ -142,8 +143,23 @@ "\"talk\\.apiKey\"", "=== \"string\"", "typeof remote\\?\\.password === \"string\"", - "OPENCLAW_DOCKER_GPG_FINGERPRINT=" + "OPENCLAW_DOCKER_GPG_FINGERPRINT=", + "\"secretShape\": \"(secret_input|sibling_ref)\"", + "API key rotation \\(provider-specific\\): set `\\*_API_KEYS`", + "password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\\.auth\\.password` -> `gateway\\.remote\\.password`", + "password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\\.remote\\.password` -> `gateway\\.auth\\.password`", + "export CUSTOM_API_K[E]Y=\"your-key\"", + "grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \\|\\| cat >> ~/.bashrc <<'EOF'", + "env: \\{ MISTRAL_API_K[E]Y: \"sk-\\.\\.\\.\" \\},", + "\"ap[i]Key\": \"xxxxx\",", + "ap[i]Key: \"A[I]za\\.\\.\\.\"," ] + }, + { + "path": "src/gateway/client\\.watchdog\\.test\\.ts$", + "reason": "Allowlisted because this is a static PEM fixture used by the watchdog TLS fingerprint test.", + "min_level": 2, + "condition": "filename" } ], "results": { @@ -163,10 +179,10 @@ "line_number": 15 } ], - "apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt": [ + "apps/android/app/src/test/java/ai/openclaw/android/node/AppUpdateHandlerTest.kt": [ { "type": "Hex High Entropy String", - "filename": "apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt", + "filename": "apps/android/app/src/test/java/ai/openclaw/android/node/AppUpdateHandlerTest.kt", "hashed_secret": "ee662f2bc691daa48d074542722d8e1b0587673c", "is_verified": false, "line_number": 58 @@ -190,6 +206,22 @@ "line_number": 1745 } ], + "apps/macos/Tests/OpenClawIPCTests/AnthropicAuthResolverTests.swift": [ + { + "type": "Secret Keyword", + "filename": "apps/macos/Tests/OpenClawIPCTests/AnthropicAuthResolverTests.swift", + "hashed_secret": "e761624445731fcb8b15da94343c6b92e507d190", + "is_verified": false, + "line_number": 26 + }, + { + "type": "Secret Keyword", + "filename": "apps/macos/Tests/OpenClawIPCTests/AnthropicAuthResolverTests.swift", + "hashed_secret": "a23c8630c8a5fbaa21f095e0269c135c20d21689", + "is_verified": false, + "line_number": 42 + } + ], "apps/macos/Tests/OpenClawIPCTests/GatewayEndpointStoreTests.swift": [ { "type": "Secret Keyword", @@ -9690,15 +9722,6 @@ "line_number": 417 } ], - "docs/design/kilo-gateway-integration.md": [ - { - "type": "Secret Keyword", - "filename": "docs/design/kilo-gateway-integration.md", - "hashed_secret": "9addbf544119efa4a64223b649750a510f0d463f", - "is_verified": false, - "line_number": 458 - } - ], "docs/gateway/configuration-examples.md": [ { "type": "Secret Keyword", @@ -9840,22 +9863,6 @@ "line_number": 124 } ], - "docs/gateway/remote.md": [ - { - "type": "Secret Keyword", - "filename": "docs/gateway/remote.md", - "hashed_secret": "7d852a6979e11c7a40c35c63a2ee96edb2dc2c69", - "is_verified": false, - "line_number": 111 - }, - { - "type": "Secret Keyword", - "filename": "docs/gateway/remote.md", - "hashed_secret": "e1ce9e0c459c8ef30dcadf6fc4e2d50f63a7aa8a", - "is_verified": false, - "line_number": 114 - } - ], "docs/gateway/tailscale.md": [ { "type": "Secret Keyword", @@ -9918,15 +9925,6 @@ "line_number": 2489 } ], - "docs/help/testing.md": [ - { - "type": "Secret Keyword", - "filename": "docs/help/testing.md", - "hashed_secret": "e008bed242a21b8279c220f84ba16019a67a9dd4", - "is_verified": false, - "line_number": 94 - } - ], "docs/install/macos-vm.md": [ { "type": "Secret Keyword", @@ -10022,15 +10020,6 @@ "line_number": 149 } ], - "docs/providers/mistral.md": [ - { - "type": "Secret Keyword", - "filename": "docs/providers/mistral.md", - "hashed_secret": "ec3810e10fb78db55ce38b9c18d1c3eb1db739e0", - "is_verified": false, - "line_number": 27 - } - ], "docs/providers/moonshot.md": [ { "type": "Secret Keyword", @@ -10144,31 +10133,6 @@ "line_number": 27 } ], - "docs/reference/secretref-user-supplied-credentials-matrix.json": [ - { - "type": "Secret Keyword", - "filename": "docs/reference/secretref-user-supplied-credentials-matrix.json", - "hashed_secret": "d6c8cbcbe34bf0e02cf1a52e27afcf18b59b3f79", - "is_verified": false, - "line_number": 22 - }, - { - "type": "Secret Keyword", - "filename": "docs/reference/secretref-user-supplied-credentials-matrix.json", - "hashed_secret": "e9a292f7f4d25b0d861458719c6115de3ec813c3", - "is_verified": false, - "line_number": 40 - } - ], - "docs/start/wizard-cli-automation.md": [ - { - "type": "Secret Keyword", - "filename": "docs/start/wizard-cli-automation.md", - "hashed_secret": "6d9c68c603e465077bdd49c62347fe54717f83a3", - "is_verified": false, - "line_number": 155 - } - ], "docs/tools/browser.md": [ { "type": "Basic Auth Credentials", @@ -10213,20 +10177,6 @@ "is_verified": false, "line_number": 90 }, - { - "type": "Secret Keyword", - "filename": "docs/tools/web.md", - "hashed_secret": "4a9fd550cf205ab06ee932f41a132ff53cb83d83", - "is_verified": false, - "line_number": 107 - }, - { - "type": "Secret Keyword", - "filename": "docs/tools/web.md", - "hashed_secret": "1ccebc9638f47c80fc388173e346b2fa51178cca", - "is_verified": false, - "line_number": 135 - }, { "type": "Secret Keyword", "filename": "docs/tools/web.md", @@ -10258,15 +10208,6 @@ "line_number": 101 } ], - "docs/vps.md": [ - { - "type": "Base64 High Entropy String", - "filename": "docs/vps.md", - "hashed_secret": "66eba27d45030064a428078cf4d510002a445f27", - "is_verified": false, - "line_number": 60 - } - ], "docs/zh-CN/brave-search.md": [ { "type": "Secret Keyword", @@ -10927,36 +10868,6 @@ "hashed_secret": "789cbe0407840b1c2041cb33452ff60f19bf58cc", "is_verified": false, "line_number": 169 - }, - { - "type": "Secret Keyword", - "filename": "extensions/bluebubbles/src/monitor.test.ts", - "hashed_secret": "891f33ddd2af62f77eab3b7aac8d4874acc093e4", - "is_verified": false, - "line_number": 2394 - }, - { - "type": "Secret Keyword", - "filename": "extensions/bluebubbles/src/monitor.test.ts", - "hashed_secret": "01ee85f364fd0a345244d10a59d73b9f28b2e8da", - "is_verified": false, - "line_number": 2398 - } - ], - "extensions/bluebubbles/src/monitor.webhook-auth.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/bluebubbles/src/monitor.webhook-auth.test.ts", - "hashed_secret": "789cbe0407840b1c2041cb33452ff60f19bf58cc", - "is_verified": false, - "line_number": 169 - }, - { - "type": "Secret Keyword", - "filename": "extensions/bluebubbles/src/monitor.webhook-auth.test.ts", - "hashed_secret": "1ae0af3fe72b3ba394f9fa95a6cffc090d726c23", - "is_verified": false, - "line_number": 490 } ], "extensions/bluebubbles/src/reactions.test.ts": [ @@ -11023,22 +10934,6 @@ "line_number": 9 } ], - "extensions/diagnostics-otel/src/service.test.ts": [ - { - "type": "Base64 High Entropy String", - "filename": "extensions/diagnostics-otel/src/service.test.ts", - "hashed_secret": "e6aa9dc072fcb9dbe42761f25c976143c39d3deb", - "is_verified": false, - "line_number": 332 - }, - { - "type": "Base64 High Entropy String", - "filename": "extensions/diagnostics-otel/src/service.test.ts", - "hashed_secret": "7e634f2e8cbddf340740ee856bf272aaa6d6d770", - "is_verified": false, - "line_number": 352 - } - ], "extensions/feishu/skills/feishu-doc/SKILL.md": [ { "type": "Hex High Entropy String", @@ -11057,66 +10952,6 @@ "line_number": 40 } ], - "extensions/feishu/src/accounts.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "e066a1720c6745f87bad43d4dc1206a6beaf4298", - "is_verified": false, - "line_number": 19 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "32db07403e892e96ab02693d38bffb2777e82c94", - "is_verified": false, - "line_number": 20 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "b72c7c889dbb48caa14157494693a442309d9f08", - "is_verified": false, - "line_number": 51 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "d15b430d272b72b4149afe9098236dd161888d76", - "is_verified": false, - "line_number": 167 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "ea45a4958bbb18451e1d48aa90745cb35a508b29", - "is_verified": false, - "line_number": 239 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/accounts.test.ts", - "hashed_secret": "3017efcbcc4d30831b27c2793bac8e7ea61c905a", - "is_verified": false, - "line_number": 254 - } - ], - "extensions/feishu/src/bot.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/bot.test.ts", - "hashed_secret": "6ccf7c8dbcc240973f7793b6bbc8f1d5e6efd4b1", - "is_verified": false, - "line_number": 1091 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/bot.test.ts", - "hashed_secret": "1962fc9032fed7c415a657282d617ba80e82f884", - "is_verified": false, - "line_number": 1154 - } - ], "extensions/feishu/src/channel.test.ts": [ { "type": "Secret Keyword", @@ -11126,133 +10961,6 @@ "line_number": 21 } ], - "extensions/feishu/src/chat.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/chat.test.ts", - "hashed_secret": "f49922d511d666848f250663c4fca84074b856a8", - "is_verified": false, - "line_number": 32 - } - ], - "extensions/feishu/src/client.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "2e8a3d5cbfeb3818c59b66a9f0bf3b80990489f3", - "is_verified": false, - "line_number": 62 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "cfc5057763ea7dabd5c6f7325c0d39c9b8d1baf1", - "is_verified": false, - "line_number": 105 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "8636f9964c42d12b2d698204e426276c41df66d1", - "is_verified": false, - "line_number": 113 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "2e59eff806170ad50c34e3372faef694874fae93", - "is_verified": false, - "line_number": 135 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "f4e4e5f8d09c24c2863cceca031e94154a63e138", - "is_verified": false, - "line_number": 154 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "e55783e61a4f2ae1efd1d1ccb142c902c473ef86", - "is_verified": false, - "line_number": 176 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "67db48d9a41265dfca56d8b198f3e28ee9b6bbcb", - "is_verified": false, - "line_number": 200 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "b8d75c4b958af69d9be3c2efa450e7c4a1b41770", - "is_verified": false, - "line_number": 222 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "f546848b2bf72fec2651db6b80e5592fda678e2f", - "is_verified": false, - "line_number": 245 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/client.test.ts", - "hashed_secret": "c7c5ddbf5e808a49ef38791caf8563c0bc0da434", - "is_verified": false, - "line_number": 264 - } - ], - "extensions/feishu/src/config-schema.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/config-schema.test.ts", - "hashed_secret": "d25db33e5c07ac669f08da0adc2bde73b15ee929", - "is_verified": false, - "line_number": 39 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/config-schema.test.ts", - "hashed_secret": "8437d84cae482d10a2b9fd3f555d45006979e4be", - "is_verified": false, - "line_number": 67 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/config-schema.test.ts", - "hashed_secret": "32db07403e892e96ab02693d38bffb2777e82c94", - "is_verified": false, - "line_number": 174 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/config-schema.test.ts", - "hashed_secret": "2bd27e71d7e14bbd5ac1576290ed6074dc450b5a", - "is_verified": false, - "line_number": 185 - } - ], - "extensions/feishu/src/docx.account-selection.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/docx.account-selection.test.ts", - "hashed_secret": "db2b80fd220b75be76e698a9164f989baf731caf", - "is_verified": false, - "line_number": 30 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/docx.account-selection.test.ts", - "hashed_secret": "57cb5f8d57e1a3c1bcf90d73e103af6a775591a6", - "is_verified": false, - "line_number": 31 - } - ], "extensions/feishu/src/docx.test.ts": [ { "type": "Secret Keyword", @@ -11271,82 +10979,6 @@ "line_number": 76 } ], - "extensions/feishu/src/monitor.webhook-security.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/monitor.webhook-security.test.ts", - "hashed_secret": "cf27add3cb4cb83efe9a48cf7289068fa869c4cd", - "is_verified": false, - "line_number": 76 - } - ], - "extensions/feishu/src/onboarding.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/onboarding.test.ts", - "hashed_secret": "2e8a3d5cbfeb3818c59b66a9f0bf3b80990489f3", - "is_verified": false, - "line_number": 64 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/onboarding.test.ts", - "hashed_secret": "d5fc216f56ec5ef58691c854104ba78667d9efad", - "is_verified": false, - "line_number": 78 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/onboarding.test.ts", - "hashed_secret": "d819cf9769641b789fc8f539e0cd8cbe5606e057", - "is_verified": false, - "line_number": 82 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/onboarding.test.ts", - "hashed_secret": "72b6d12b3e7034420015375375466c37ec68be51", - "is_verified": false, - "line_number": 114 - } - ], - "extensions/feishu/src/probe.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/probe.test.ts", - "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", - "is_verified": false, - "line_number": 37 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/probe.test.ts", - "hashed_secret": "640d87e741e6aa4c669a82a4cd304787960513ab", - "is_verified": false, - "line_number": 195 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/probe.test.ts", - "hashed_secret": "4205714cdfe14ed9e3d030ddf7887781b964f510", - "is_verified": false, - "line_number": 199 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/probe.test.ts", - "hashed_secret": "5a718c07b29bb4cd5fafb4a3ad377efc2dad9a59", - "is_verified": false, - "line_number": 214 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/probe.test.ts", - "hashed_secret": "5da0807f9682b03d10b7906c5d2312d46368500c", - "is_verified": false, - "line_number": 219 - } - ], "extensions/feishu/src/reply-dispatcher.test.ts": [ { "type": "Secret Keyword", @@ -11356,20 +10988,13 @@ "line_number": 74 } ], - "extensions/feishu/src/tool-account-routing.test.ts": [ + "extensions/google-antigravity-auth/index.ts": [ { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/tool-account-routing.test.ts", - "hashed_secret": "db2b80fd220b75be76e698a9164f989baf731caf", + "type": "Base64 High Entropy String", + "filename": "extensions/google-antigravity-auth/index.ts", + "hashed_secret": "709d0f232b6ac4f8d24dec3e4fabfdb14257174f", "is_verified": false, - "line_number": 38 - }, - { - "type": "Secret Keyword", - "filename": "extensions/feishu/src/tool-account-routing.test.ts", - "hashed_secret": "57cb5f8d57e1a3c1bcf90d73e103af6a775591a6", - "is_verified": false, - "line_number": 43 + "line_number": 14 } ], "extensions/google-gemini-cli-auth/oauth.test.ts": [ @@ -11379,31 +11004,6 @@ "hashed_secret": "021343c1f561d7bcbc3b513df45cc3a6baf67b43", "is_verified": false, "line_number": 43 - }, - { - "type": "Secret Keyword", - "filename": "extensions/google-gemini-cli-auth/oauth.test.ts", - "hashed_secret": "07d1db7c4a73c573d6d038b3d26194a7957c513c", - "is_verified": false, - "line_number": 311 - } - ], - "extensions/googlechat/src/api.test.ts": [ - { - "type": "Base64 High Entropy String", - "filename": "extensions/googlechat/src/api.test.ts", - "hashed_secret": "bc7bd07bb0114ca5928ca561817efc6cd7083966", - "is_verified": false, - "line_number": 84 - } - ], - "extensions/googlechat/src/channel.outbound.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/googlechat/src/channel.outbound.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 50 } ], "extensions/irc/src/accounts.ts": [ @@ -11474,29 +11074,6 @@ "line_number": 8 } ], - "extensions/mattermost/src/normalize.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "extensions/mattermost/src/normalize.test.ts", - "hashed_secret": "713ecccd228f49a6068bedd7a64510b50b4284e5", - "is_verified": false, - "line_number": 77 - }, - { - "type": "Base64 High Entropy String", - "filename": "extensions/mattermost/src/normalize.test.ts", - "hashed_secret": "a8e2493e7579ba630d56b2552d5fd2a7198ad943", - "is_verified": false, - "line_number": 82 - }, - { - "type": "Base64 High Entropy String", - "filename": "extensions/mattermost/src/normalize.test.ts", - "hashed_secret": "9a33401dd4f9784482d2db77bbe93d99cea1a571", - "is_verified": false, - "line_number": 94 - } - ], "extensions/memory-lancedb/config.ts": [ { "type": "Secret Keyword", @@ -11515,15 +11092,6 @@ "line_number": 71 } ], - "extensions/msteams/src/monitor.lifecycle.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/msteams/src/monitor.lifecycle.test.ts", - "hashed_secret": "5a21585c3dfc2797afe4634fa150d996f4ef5b5e", - "is_verified": false, - "line_number": 143 - } - ], "extensions/msteams/src/probe.test.ts": [ { "type": "Secret Keyword", @@ -11533,15 +11101,6 @@ "line_number": 35 } ], - "extensions/msteams/src/token.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/msteams/src/token.test.ts", - "hashed_secret": "5a21585c3dfc2797afe4634fa150d996f4ef5b5e", - "is_verified": false, - "line_number": 38 - } - ], "extensions/nextcloud-talk/src/accounts.ts": [ { "type": "Secret Keyword", @@ -11558,22 +11117,6 @@ "line_number": 169 } ], - "extensions/nextcloud-talk/src/channel.startup.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/nextcloud-talk/src/channel.startup.test.ts", - "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", - "is_verified": false, - "line_number": 24 - }, - { - "type": "Secret Keyword", - "filename": "extensions/nextcloud-talk/src/channel.startup.test.ts", - "hashed_secret": "dfba7aade0868074c2861c98e2a9a92f3178a51b", - "is_verified": false, - "line_number": 25 - } - ], "extensions/nextcloud-talk/src/channel.ts": [ { "type": "Secret Keyword", @@ -11583,15 +11126,6 @@ "line_number": 399 } ], - "extensions/nextcloud-talk/src/send.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/nextcloud-talk/src/send.test.ts", - "hashed_secret": "dbdab9be92cacdae6a97e8601332bfaa8545800f", - "is_verified": false, - "line_number": 11 - } - ], "extensions/nostr/README.md": [ { "type": "Secret Keyword", @@ -11601,36 +11135,6 @@ "line_number": 46 } ], - "extensions/nostr/src/channel.outbound.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "extensions/nostr/src/channel.outbound.test.ts", - "hashed_secret": "ce4303f6b22257d9c9cf314ef1dee4707c6e1c13", - "is_verified": false, - "line_number": 54 - }, - { - "type": "Secret Keyword", - "filename": "extensions/nostr/src/channel.outbound.test.ts", - "hashed_secret": "ce4303f6b22257d9c9cf314ef1dee4707c6e1c13", - "is_verified": false, - "line_number": 54 - }, - { - "type": "Hex High Entropy String", - "filename": "extensions/nostr/src/channel.outbound.test.ts", - "hashed_secret": "e8b2cccf31904f5d9c62838922648cfeaa4c07e0", - "is_verified": false, - "line_number": 55 - }, - { - "type": "Secret Keyword", - "filename": "extensions/nostr/src/channel.outbound.test.ts", - "hashed_secret": "44682b9fe21c229330c1e5cf9c414d4267d97719", - "is_verified": false, - "line_number": 66 - } - ], "extensions/nostr/src/channel.test.ts": [ { "type": "Hex High Entropy String", @@ -11773,38 +11277,6 @@ "line_number": 200 } ], - "extensions/slack/src/channel.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/slack/src/channel.test.ts", - "hashed_secret": "514f52b114ae97e309055b6f419798569dc48a2b", - "is_verified": false, - "line_number": 147 - }, - { - "type": "Secret Keyword", - "filename": "extensions/slack/src/channel.test.ts", - "hashed_secret": "071d3673192b4b44a84aa73ac9d00c155821303b", - "is_verified": false, - "line_number": 217 - }, - { - "type": "Secret Keyword", - "filename": "extensions/slack/src/channel.test.ts", - "hashed_secret": "dfba7aade0868074c2861c98e2a9a92f3178a51b", - "is_verified": false, - "line_number": 219 - } - ], - "extensions/telegram/src/channel.test.ts": [ - { - "type": "Secret Keyword", - "filename": "extensions/telegram/src/channel.test.ts", - "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", - "is_verified": false, - "line_number": 132 - } - ], "extensions/twitch/src/onboarding.test.ts": [ { "type": "Secret Keyword", @@ -11893,181 +11365,82 @@ "line_number": 22 } ], - "src/acp/client.test.ts": [ + "src/agents/compaction.tool-result-details.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/acp/client.test.ts", - "hashed_secret": "d862c48593628a39a76daafde56f16b69eddd7c2", - "is_verified": false, - "line_number": 69 - }, - { - "type": "Secret Keyword", - "filename": "src/acp/client.test.ts", - "hashed_secret": "aac1281207c0f83f113d70cd1200bd86ce30ffcb", - "is_verified": false, - "line_number": 70 - }, - { - "type": "Secret Keyword", - "filename": "src/acp/client.test.ts", - "hashed_secret": "787951939f82ab64286006ce2a430e06c6d54086", - "is_verified": false, - "line_number": 71 - }, - { - "type": "Secret Keyword", - "filename": "src/acp/client.test.ts", - "hashed_secret": "d503c694c0e762d786079a3f8bd6df32de508a9b", - "is_verified": false, - "line_number": 85 - }, - { - "type": "Secret Keyword", - "filename": "src/acp/client.test.ts", - "hashed_secret": "0d8c5e792dc079c912039086e892330076db8129", - "is_verified": false, - "line_number": 98 - } - ], - "src/acp/server.startup.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/acp/server.startup.test.ts", - "hashed_secret": "60fe331dc434ac211c53f33da22a384aa0e3fec5", - "is_verified": false, - "line_number": 183 - } - ], - "src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts", - "hashed_secret": "02ecb94373bfb3dfe827ca18409f50b016e8302a", - "is_verified": false, - "line_number": 26 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts", - "hashed_secret": "f8ca0d7266886f4b5be9adddc9b66017b3bf1a4b", - "is_verified": false, - "line_number": 27 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts", - "hashed_secret": "0775624b6a8da2aaf29e334372656c1b657c21b7", - "is_verified": false, - "line_number": 94 - } - ], - "src/agents/compaction.tool-result-details.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/compaction.tool-result-details.test.ts", + "filename": "src/agents/compaction.tool-result-details.e2e.test.ts", "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "is_verified": false, - "line_number": 57 + "line_number": 50 } ], - "src/agents/memory-search.test.ts": [ + "src/agents/memory-search.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/memory-search.test.ts", + "filename": "src/agents/memory-search.e2e.test.ts", "hashed_secret": "a1b49d68a91fdf9c9217773f3fac988d77fa0f50", "is_verified": false, - "line_number": 191 + "line_number": 189 } ], - "src/agents/minimax-vlm.normalizes-api-key.test.ts": [ + "src/agents/minimax-vlm.normalizes-api-key.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/minimax-vlm.normalizes-api-key.test.ts", + "filename": "src/agents/minimax-vlm.normalizes-api-key.e2e.test.ts", "hashed_secret": "8a8461b67e3fe515f248ac2610fd7b1f4fc3b412", "is_verified": false, - "line_number": 29 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/minimax-vlm.normalizes-api-key.test.ts", - "hashed_secret": "bcdec29c5e1ade0fc995c3a18862f0111e51a998", - "is_verified": false, - "line_number": 56 + "line_number": 28 } ], - "src/agents/model-auth-label.test.ts": [ - { - "type": "GitHub Token", - "filename": "src/agents/model-auth-label.test.ts", - "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10", - "is_verified": false, - "line_number": 35 - }, + "src/agents/model-auth.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/model-auth-label.test.ts", - "hashed_secret": "6367c48dd193d56ea7b0baad25b19455e529f5ee", - "is_verified": false, - "line_number": 55 - } - ], - "src/agents/model-auth.profiles.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "07a6b9cec637c806195e8aa7e5c0851ab03dc35e", "is_verified": false, - "line_number": 194 + "line_number": 228 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "21f296583ccd80c5ab9b3330a8b0d47e4a409fb9", "is_verified": false, - "line_number": 208 + "line_number": 254 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "b65888424ecafcc98bfd803b24817e4dadf821f8", "is_verified": false, - "line_number": 219 + "line_number": 275 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", - "hashed_secret": "b17453920671d0cb8a415b649a066b3df3d36fb0", - "is_verified": false, - "line_number": 253 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "77e991e9f56e6fa4ed1a908208048421f1214c07", "is_verified": false, - "line_number": 286 + "line_number": 296 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "dff6d4ff5dc357cf451d1855ab9cbda562645c9f", "is_verified": false, - "line_number": 301 + "line_number": 319 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "b43be360db55d89ec6afd74d6ed8f82002fe4982", "is_verified": false, - "line_number": 333 + "line_number": 374 }, { "type": "Secret Keyword", - "filename": "src/agents/model-auth.profiles.test.ts", + "filename": "src/agents/model-auth.e2e.test.ts", "hashed_secret": "5b850e9dc678446137ff6d905ebd78634d687fdd", "is_verified": false, - "line_number": 344 + "line_number": 395 } ], "src/agents/model-auth.ts": [ @@ -12079,22 +11452,6 @@ "line_number": 27 } ], - "src/agents/model-fallback.run-embedded.e2e.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/model-fallback.run-embedded.e2e.test.ts", - "hashed_secret": "845fa28a5bf5d82cfa91a00ef9cf6cca8aef00db", - "is_verified": false, - "line_number": 111 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/model-fallback.run-embedded.e2e.test.ts", - "hashed_secret": "19e506a6fcda111778646087fb7aad7f00267113", - "is_verified": false, - "line_number": 127 - } - ], "src/agents/models-config.e2e-harness.ts": [ { "type": "Secret Keyword", @@ -12104,93 +11461,29 @@ "line_number": 130 } ], - "src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts": [ + "src/agents/models-config.fills-missing-provider-apikey-from-env-var.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts", - "hashed_secret": "2a9da819718779deba96d5aee1d1f4948047c2bd", + "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.e2e.test.ts", + "hashed_secret": "fcdd655b11f33ba4327695084a347b2ba192976c", "is_verified": false, - "line_number": 47 + "line_number": 19 }, { "type": "Secret Keyword", - "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts", - "hashed_secret": "fa9144b340ea7886885669e2e7a808c86ee14a07", - "is_verified": false, - "line_number": 118 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts", + "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.e2e.test.ts", "hashed_secret": "3a81eb091f80c845232225be5663d270e90dacb7", "is_verified": false, - "line_number": 182 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts", - "hashed_secret": "565a8d87240aae631d7a901c1f697d46ee141a7b", - "is_verified": false, - "line_number": 215 + "line_number": 73 } ], - "src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts": [ + "src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts", + "filename": "src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.e2e.test.ts", "hashed_secret": "980d02eb9335ae7c9e9984f6c8ad432352a0d2ac", "is_verified": false, - "line_number": 17 - } - ], - "src/agents/models-config.providers.google-antigravity.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.google-antigravity.test.ts", - "hashed_secret": "65ef0bf81fc443b3e15a494151196f38c8273c96", - "is_verified": false, - "line_number": 27 - } - ], - "src/agents/models-config.providers.kilocode.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.kilocode.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 14 - } - ], - "src/agents/models-config.providers.kimi-coding.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.kimi-coding.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 12 - } - ], - "src/agents/models-config.providers.normalize-keys.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.normalize-keys.test.ts", - "hashed_secret": "ba4d38e2a7e8c718913887136d2526351d05cd69", - "is_verified": false, - "line_number": 17 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.normalize-keys.test.ts", - "hashed_secret": "02ecb94373bfb3dfe827ca18409f50b016e8302a", - "is_verified": false, - "line_number": 47 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.normalize-keys.test.ts", - "hashed_secret": "b9cdfe69a75e4f2491bcbaf1934ab5e4fd69eb6b", - "is_verified": false, - "line_number": 53 + "line_number": 20 } ], "src/agents/models-config.providers.nvidia.test.ts": [ @@ -12209,51 +11502,35 @@ "line_number": 22 } ], - "src/agents/models-config.providers.ollama.test.ts": [ + "src/agents/models-config.providers.ollama.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.ollama.test.ts", + "filename": "src/agents/models-config.providers.ollama.e2e.test.ts", "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", "is_verified": false, - "line_number": 54 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.ollama.test.ts", - "hashed_secret": "3148ad4aafbeefee82355e1cde29b6d77ba4cf21", - "is_verified": false, - "line_number": 248 + "line_number": 37 } ], - "src/agents/models-config.providers.qianfan.test.ts": [ + "src/agents/models-config.providers.qianfan.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.qianfan.test.ts", + "filename": "src/agents/models-config.providers.qianfan.e2e.test.ts", "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", "is_verified": false, - "line_number": 11 + "line_number": 12 } ], - "src/agents/models-config.providers.volcengine-byteplus.test.ts": [ + "src/agents/models-config.skips-writing-models-json-no-env-token.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/models-config.providers.volcengine-byteplus.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 13 - } - ], - "src/agents/models-config.skips-writing-models-json-no-env-token.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/models-config.skips-writing-models-json-no-env-token.test.ts", + "filename": "src/agents/models-config.skips-writing-models-json-no-env-token.e2e.test.ts", "hashed_secret": "4c7bac93427c83bcc3beeceebfa54f16f801b78f", "is_verified": false, "line_number": 100 }, { "type": "Secret Keyword", - "filename": "src/agents/models-config.skips-writing-models-json-no-env-token.test.ts", + "filename": "src/agents/models-config.skips-writing-models-json-no-env-token.e2e.test.ts", "hashed_secret": "4f2b3ddc953da005a97d825652080fe6eff21520", "is_verified": false, "line_number": 113 @@ -12268,38 +11545,6 @@ "line_number": 92 } ], - "src/agents/owner-display.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/owner-display.test.ts", - "hashed_secret": "e9dc4e431a9043d0d7d2750af1189e77e2834877", - "is_verified": false, - "line_number": 16 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/owner-display.test.ts", - "hashed_secret": "d9d2f263c630f79c8eb176dbccfef7c3ade3ddcc", - "is_verified": false, - "line_number": 70 - } - ], - "src/agents/pi-embedded-runner-extraparams.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/pi-embedded-runner-extraparams.test.ts", - "hashed_secret": "4604122d2d19b953716499c7fade74e3db0ad17f", - "is_verified": false, - "line_number": 1075 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/pi-embedded-runner-extraparams.test.ts", - "hashed_secret": "81181bf462a0965325a629cff91f511e285d59d4", - "is_verified": false, - "line_number": 1133 - } - ], "src/agents/pi-embedded-runner.e2e.test.ts": [ { "type": "Secret Keyword", @@ -12309,15 +11554,6 @@ "line_number": 122 } ], - "src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts", - "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", - "is_verified": false, - "line_number": 159 - } - ], "src/agents/pi-embedded-runner/model.ts": [ { "type": "Secret Keyword", @@ -12336,52 +11572,13 @@ "line_number": 114 } ], - "src/agents/pi-extensions/compaction-safeguard.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts", - "hashed_secret": "0091061a3babbe6f11d48aa0142e22341b3ea446", - "is_verified": false, - "line_number": 700 - }, - { - "type": "Hex High Entropy String", - "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts", - "hashed_secret": "ef678205593788329ff416ce5c65fa04f33a05bd", - "is_verified": false, - "line_number": 846 - }, + "src/agents/pi-tools.safe-bins.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts", - "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", + "filename": "src/agents/pi-tools.safe-bins.e2e.test.ts", + "hashed_secret": "3ea88a727641fd5571b5e126ce87032377be1e7f", "is_verified": false, - "line_number": 1525 - } - ], - "src/agents/sandbox/browser.novnc-url.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/sandbox/browser.novnc-url.test.ts", - "hashed_secret": "16c002d49d19805aa1bfba58e9c90b5476054b07", - "is_verified": false, - "line_number": 18 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/sandbox/browser.novnc-url.test.ts", - "hashed_secret": "7ce0359f12857f2a90c7de465f40a95f01cb5da9", - "is_verified": false, - "line_number": 27 - } - ], - "src/agents/sandbox/sanitize-env-vars.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/sandbox/sanitize-env-vars.test.ts", - "hashed_secret": "c747c6b0a7bb9c6337b81875af1a9f9568c740ad", - "is_verified": false, - "line_number": 8 + "line_number": 126 } ], "src/agents/sanitize-for-prompt.test.ts": [ @@ -12393,141 +11590,65 @@ "line_number": 28 } ], - "src/agents/session-transcript-repair.attachments.test.ts": [ + "src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/session-transcript-repair.attachments.test.ts", - "hashed_secret": "d25df4833026f016b73dcfa20f33bf753daf7593", - "is_verified": false, - "line_number": 32 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/session-transcript-repair.attachments.test.ts", - "hashed_secret": "30b1e9e71b6de9c2d579657e551b95f7eaae406d", - "is_verified": false, - "line_number": 47 - } - ], - "src/agents/skills-install.download.test.ts": [ - { - "type": "Base64 High Entropy String", - "filename": "src/agents/skills-install.download.test.ts", - "hashed_secret": "459acf71d00174faf13cfeee88513702c82d3cb3", - "is_verified": false, - "line_number": 51 - } - ], - "src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts", + "filename": "src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.e2e.test.ts", "hashed_secret": "7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb", "is_verified": false, - "line_number": 118 + "line_number": 103 } ], - "src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts": [ + "src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts", + "filename": "src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.e2e.test.ts", "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", "is_verified": false, - "line_number": 181 + "line_number": 147 } ], - "src/agents/skills.test.ts": [ + "src/agents/skills.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/skills.test.ts", + "filename": "src/agents/skills.e2e.test.ts", "hashed_secret": "5df3a673d724e8a1eb673a8baf623e183940804d", "is_verified": false, - "line_number": 255 + "line_number": 250 }, { "type": "Secret Keyword", - "filename": "src/agents/skills.test.ts", + "filename": "src/agents/skills.e2e.test.ts", "hashed_secret": "8921daaa546693e52bc1f9c40bdcf15e816e0448", "is_verified": false, - "line_number": 313 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/skills.test.ts", - "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", - "is_verified": false, - "line_number": 352 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/skills.test.ts", - "hashed_secret": "895900e6b5d30fa84fbff6e4e4c10eb5a63c5f8f", - "is_verified": false, - "line_number": 427 + "line_number": 277 } ], - "src/agents/system-prompt.test.ts": [ + "src/agents/tools/web-fetch.firecrawl-api-key-normalization.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/system-prompt.test.ts", - "hashed_secret": "0a111adae31992afa2873148fdfcaf39e70ec7d8", + "filename": "src/agents/tools/web-fetch.firecrawl-api-key-normalization.e2e.test.ts", + "hashed_secret": "9da08ab1e27fe0ae2ba6101aea30edcec02d21a4", "is_verified": false, - "line_number": 76 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/system-prompt.test.ts", - "hashed_secret": "2b3140fdd098f7cb2af72632ac2c0df772b8e90a", - "is_verified": false, - "line_number": 83 + "line_number": 45 } ], - "src/agents/tools/pdf-tool.test.ts": [ + "src/agents/tools/web-fetch.ssrf.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/tools/pdf-tool.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 74 - } - ], - "src/agents/tools/web-fetch.ssrf.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-fetch.ssrf.test.ts", + "filename": "src/agents/tools/web-fetch.ssrf.e2e.test.ts", "hashed_secret": "5ce8e9d54c77266fff990194d2219a708c59b76c", "is_verified": false, - "line_number": 84 + "line_number": 73 } ], - "src/agents/tools/web-search.test.ts": [ + "src/agents/tools/web-search.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/tools/web-search.test.ts", + "filename": "src/agents/tools/web-search.e2e.test.ts", "hashed_secret": "c8d313eac6d38274ccfc0fa7935c68bd61d5bc2f", "is_verified": false, - "line_number": 105 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-search.test.ts", - "hashed_secret": "1561970702b4bf5bb10266b292e545ec14fc602e", - "is_verified": false, - "line_number": 224 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-search.test.ts", - "hashed_secret": "c930e4d402a279c3feea98578f716d5665c8cc5d", - "is_verified": false, - "line_number": 228 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-search.test.ts", - "hashed_secret": "5c1a5088b7790a73e236f21d65a5e4384a742af0", - "is_verified": false, - "line_number": 231 + "line_number": 129 } ], "src/agents/tools/web-search.ts": [ @@ -12539,82 +11660,61 @@ "line_number": 254 } ], - "src/agents/tools/web-tools.enabled-defaults.test.ts": [ + "src/agents/tools/web-tools.enabled-defaults.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "f6558c30641dd2d38c6e8e7389dd724327c9627e", + "filename": "src/agents/tools/web-tools.enabled-defaults.e2e.test.ts", + "hashed_secret": "47b249a75ca78fdb578d0f28c33685e27ea82684", "is_verified": false, - "line_number": 53 + "line_number": 181 }, { "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "59fa0cc80b21eb4ea49590dc887b95f5ae7e0bf5", + "filename": "src/agents/tools/web-tools.enabled-defaults.e2e.test.ts", + "hashed_secret": "d0ffd81d6d7ad1bc3c365660fe8882480c9a986e", "is_verified": false, - "line_number": 55 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "354a920b3d519d11b737695308dab1bfcf77dbb3", - "is_verified": false, - "line_number": 57 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "7ec282d2630c12bf9241ef44db50f1f780cdaa79", - "is_verified": false, - "line_number": 59 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "8ba65d9239fd59ffc16e202cb480d15e35bce964", - "is_verified": false, - "line_number": 60 - }, - { - "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.enabled-defaults.test.ts", - "hashed_secret": "fb724421f6f4a53c0a73101ea88e4090cabb7b1a", - "is_verified": false, - "line_number": 461 + "line_number": 187 } ], - "src/agents/tools/web-tools.fetch.test.ts": [ + "src/agents/tools/web-tools.fetch.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/agents/tools/web-tools.fetch.test.ts", + "filename": "src/agents/tools/web-tools.fetch.e2e.test.ts", "hashed_secret": "5ce8e9d54c77266fff990194d2219a708c59b76c", "is_verified": false, - "line_number": 133 + "line_number": 246 } ], - "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts": [ + "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts", + "filename": "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.e2e.test.ts", "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", "is_verified": false, - "line_number": 60 + "line_number": 56 }, { "type": "Secret Keyword", - "filename": "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts", + "filename": "src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.e2e.test.ts", "hashed_secret": "16c249e04e2be318050cb883c40137361c0c7209", "is_verified": false, - "line_number": 142 + "line_number": 62 } ], - "src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts": [ + "src/auto-reply/reply.directive.directive-behavior.supports-fuzzy-model-matches-model-directive.e2e.test.ts": [ { - "type": "Hex High Entropy String", - "filename": "src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts", - "hashed_secret": "ff998abc1ce6d8f01a675fa197368e44c8916e9c", + "type": "Secret Keyword", + "filename": "src/auto-reply/reply.directive.directive-behavior.supports-fuzzy-model-matches-model-directive.e2e.test.ts", + "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", "is_verified": false, - "line_number": 216 + "line_number": 42 + }, + { + "type": "Secret Keyword", + "filename": "src/auto-reply/reply.directive.directive-behavior.supports-fuzzy-model-matches-model-directive.e2e.test.ts", + "hashed_secret": "16c249e04e2be318050cb883c40137361c0c7209", + "is_verified": false, + "line_number": 149 } ], "src/auto-reply/status.test.ts": [ @@ -12633,13 +11733,6 @@ "hashed_secret": "6af3c121ed4a752936c297cddfb7b00394eabf10", "is_verified": false, "line_number": 72 - }, - { - "type": "Secret Keyword", - "filename": "src/browser/bridge-server.auth.test.ts", - "hashed_secret": "26aaf463d1d85670b71c6a84a2f644ad5995efc8", - "is_verified": false, - "line_number": 93 } ], "src/browser/browser-utils.test.ts": [ @@ -12667,22 +11760,6 @@ "line_number": 243 } ], - "src/channels/account-snapshot-fields.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/channels/account-snapshot-fields.test.ts", - "hashed_secret": "dfba7aade0868074c2861c98e2a9a92f3178a51b", - "is_verified": false, - "line_number": 10 - }, - { - "type": "Secret Keyword", - "filename": "src/channels/account-snapshot-fields.test.ts", - "hashed_secret": "071d3673192b4b44a84aa73ac9d00c155821303b", - "is_verified": false, - "line_number": 11 - } - ], "src/channels/plugins/plugins-channel.test.ts": [ { "type": "Hex High Entropy String", @@ -12692,95 +11769,13 @@ "line_number": 64 } ], - "src/cli/acp-cli.option-collisions.test.ts": [ + "src/cli/program.smoke.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/cli/acp-cli.option-collisions.test.ts", - "hashed_secret": "e5d0d3f3697f96d69545f36ab2eaf1f9d4e2a8f8", + "filename": "src/cli/program.smoke.e2e.test.ts", + "hashed_secret": "8689a958b58e4a6f7da6211e666da8e17651697c", "is_verified": false, - "line_number": 94 - }, - { - "type": "Secret Keyword", - "filename": "src/cli/acp-cli.option-collisions.test.ts", - "hashed_secret": "8eac0f7ffe62469bf88ebdb208115f1ce3567d07", - "is_verified": false, - "line_number": 106 - } - ], - "src/cli/command-secret-gateway.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/command-secret-gateway.test.ts", - "hashed_secret": "68c46e84d76d2e7e686e5158bf598909abd4e45b", - "is_verified": false, - "line_number": 16 - }, - { - "type": "Secret Keyword", - "filename": "src/cli/command-secret-gateway.test.ts", - "hashed_secret": "3a20a67d6535d75cf0852a72a37e9c5a8fdb9976", - "is_verified": false, - "line_number": 120 - } - ], - "src/cli/config-cli.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/config-cli.test.ts", - "hashed_secret": "e774aaeac31c6272107ba89080295e277050fa7c", - "is_verified": false, - "line_number": 200 - } - ], - "src/cli/daemon-cli/register-service-commands.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/daemon-cli/register-service-commands.test.ts", - "hashed_secret": "d717176567cedb0012b6b5f4653f688bbb9ccb8b", - "is_verified": false, - "line_number": 67 - } - ], - "src/cli/daemon-cli/status.gather.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/daemon-cli/status.gather.test.ts", - "hashed_secret": "c09520299bf32111c9f2ebafaf5a9981ec51a91d", - "is_verified": false, - "line_number": 208 - } - ], - "src/cli/program/register.onboard.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/program/register.onboard.test.ts", - "hashed_secret": "5da1c2e689ee66cf379bc74d3eafd0460db70ca0", - "is_verified": false, - "line_number": 126 - } - ], - "src/cli/qr-cli.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/cli/qr-cli.test.ts", - "hashed_secret": "8fc5be300f480d027174b514b563e77548b636f2", - "is_verified": false, - "line_number": 230 - }, - { - "type": "Secret Keyword", - "filename": "src/cli/qr-cli.test.ts", - "hashed_secret": "f1355ae408e2068355dad8f3a503c2eaedefc0c6", - "is_verified": false, - "line_number": 248 - }, - { - "type": "Secret Keyword", - "filename": "src/cli/qr-cli.test.ts", - "hashed_secret": "4316c1b21634c0e3f4d53bfb3ca2f48dde69bc4e", - "is_verified": false, - "line_number": 285 + "line_number": 215 } ], "src/cli/update-cli.test.ts": [ @@ -12792,61 +11787,48 @@ "line_number": 277 } ], - "src/commands/auth-choice.apply-helpers.test.ts": [ + "src/commands/auth-choice.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply-helpers.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "2480500ff391183070fe22ba8665a8be19350833", "is_verified": false, - "line_number": 105 + "line_number": 454 }, { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply-helpers.test.ts", - "hashed_secret": "bea2f7b64fab8d1d414d0449530b1e088d36d5b1", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "844ae5308654406d80db6f2b3d0beb07d616f9e1", "is_verified": false, - "line_number": 111 + "line_number": 487 }, { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply-helpers.test.ts", - "hashed_secret": "d23a3625f8598b9cd747e74c1f1676f5ba7be530", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "77e991e9f56e6fa4ed1a908208048421f1214c07", "is_verified": false, - "line_number": 330 - } - ], - "src/commands/auth-choice.apply.minimax.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply.minimax.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", - "is_verified": false, - "line_number": 162 + "line_number": 549 }, { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply.minimax.test.ts", - "hashed_secret": "c090713b544ae4cabb48f2153079955947c6e013", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "266e955b27b5fc2c2f532e446f2e71c3667a4cd9", "is_verified": false, - "line_number": 175 - } - ], - "src/commands/auth-choice.apply.openai.test.ts": [ + "line_number": 584 + }, { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply.openai.test.ts", - "hashed_secret": "c5831e54ef6edcf968300daf4a9a84580bc2ed37", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "1b4d8423b11d32dd0c466428ac81de84a4a9442b", "is_verified": false, - "line_number": 31 - } - ], - "src/commands/auth-choice.apply.volcengine-byteplus.test.ts": [ + "line_number": 726 + }, { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.apply.volcengine-byteplus.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", + "filename": "src/commands/auth-choice.e2e.test.ts", + "hashed_secret": "c24e00b94c972ed497d5961212ac96f0dffb4f7a", "is_verified": false, - "line_number": 55 + "line_number": 798 } ], "src/commands/auth-choice.preferred-provider.ts": [ @@ -12858,107 +11840,31 @@ "line_number": 8 } ], - "src/commands/auth-choice.test.ts": [ + "src/commands/configure.gateway-auth.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", - "is_verified": false, - "line_number": 679 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "c5831e54ef6edcf968300daf4a9a84580bc2ed37", - "is_verified": false, - "line_number": 745 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "844ae5308654406d80db6f2b3d0beb07d616f9e1", - "is_verified": false, - "line_number": 955 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "1c62e8a666fb3e1b8c9b0c1cab8e1d6bbb136580", - "is_verified": false, - "line_number": 1065 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "1b4d8423b11d32dd0c466428ac81de84a4a9442b", - "is_verified": false, - "line_number": 1222 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/auth-choice.test.ts", - "hashed_secret": "c24e00b94c972ed497d5961212ac96f0dffb4f7a", - "is_verified": false, - "line_number": 1234 - } - ], - "src/commands/channels.config-only-status-output.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/channels.config-only-status-output.test.ts", - "hashed_secret": "dfba7aade0868074c2861c98e2a9a92f3178a51b", - "is_verified": false, - "line_number": 149 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/channels.config-only-status-output.test.ts", - "hashed_secret": "071d3673192b4b44a84aa73ac9d00c155821303b", - "is_verified": false, - "line_number": 150 - } - ], - "src/commands/configure.gateway-auth.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/configure.gateway-auth.test.ts", + "filename": "src/commands/configure.gateway-auth.e2e.test.ts", "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "is_verified": false, - "line_number": 24 + "line_number": 21 }, { "type": "Secret Keyword", - "filename": "src/commands/configure.gateway-auth.test.ts", + "filename": "src/commands/configure.gateway-auth.e2e.test.ts", "hashed_secret": "d5d4cd07616a542891b7ec2d0257b3a24b69856e", "is_verified": false, - "line_number": 65 + "line_number": 62 } ], - "src/commands/daemon-install-helpers.test.ts": [ + "src/commands/daemon-install-helpers.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/daemon-install-helpers.test.ts", + "filename": "src/commands/daemon-install-helpers.e2e.test.ts", "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", "is_verified": false, "line_number": 128 } ], - "src/commands/doctor-gateway-auth-token.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/doctor-gateway-auth-token.test.ts", - "hashed_secret": "f1355ae408e2068355dad8f3a503c2eaedefc0c6", - "is_verified": false, - "line_number": 166 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/doctor-gateway-auth-token.test.ts", - "hashed_secret": "0b75f28abf6b39a10d1398ce5a95e93a5cebbbda", - "is_verified": false, - "line_number": 206 - } - ], "src/commands/doctor-memory-search.test.ts": [ { "type": "Secret Keyword", @@ -12966,74 +11872,52 @@ "hashed_secret": "2e07956ffc9bc4fd624064c40b7495c85d5f1467", "is_verified": false, "line_number": 43 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/doctor-memory-search.test.ts", - "hashed_secret": "e774aaeac31c6272107ba89080295e277050fa7c", - "is_verified": false, - "line_number": 278 } ], - "src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts": [ + "src/commands/model-picker.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts", - "hashed_secret": "f3c7399f056377fc3dae16a9854fe636b720d3d0", - "is_verified": false, - "line_number": 98 - } - ], - "src/commands/gateway-install-token.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/gateway-install-token.test.ts", - "hashed_secret": "f3c7399f056377fc3dae16a9854fe636b720d3d0", - "is_verified": false, - "line_number": 143 - } - ], - "src/commands/gateway-status/helpers.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/gateway-status/helpers.test.ts", - "hashed_secret": "1e1ff291f3b48b7e5b54828396f264ba43379076", - "is_verified": false, - "line_number": 183 - } - ], - "src/commands/message.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/message.test.ts", - "hashed_secret": "3bb1ec510d35ab2af7d05d8bbd5f0820333f1a0d", - "is_verified": false, - "line_number": 193 - } - ], - "src/commands/model-picker.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/model-picker.test.ts", + "filename": "src/commands/model-picker.e2e.test.ts", "hashed_secret": "5b924ca5330ede58702a5b0e414207b90fb1aef3", "is_verified": false, - "line_number": 105 + "line_number": 127 } ], - "src/commands/onboard-auth.config-core.kilocode.test.ts": [ + "src/commands/models/list.status.e2e.test.ts": [ { - "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts", - "hashed_secret": "01800a0712a2a1aa928b95c4745e9ee06673925b", + "type": "Base64 High Entropy String", + "filename": "src/commands/models/list.status.e2e.test.ts", + "hashed_secret": "d6ae2508a78a232d5378ef24b85ce40cbb4d7ff0", "is_verified": false, - "line_number": 153 + "line_number": 12 + }, + { + "type": "Base64 High Entropy String", + "filename": "src/commands/models/list.status.e2e.test.ts", + "hashed_secret": "2d8012102440ea97852b3152239218f00579bafa", + "is_verified": false, + "line_number": 19 + }, + { + "type": "Base64 High Entropy String", + "filename": "src/commands/models/list.status.e2e.test.ts", + "hashed_secret": "51848e2be4b461a549218d3167f19c01be6b98b8", + "is_verified": false, + "line_number": 51 }, { "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts", - "hashed_secret": "8d2ce71c6723bf46f6c166984b4ddb597f92322a", + "filename": "src/commands/models/list.status.e2e.test.ts", + "hashed_secret": "51848e2be4b461a549218d3167f19c01be6b98b8", "is_verified": false, - "line_number": 180 + "line_number": 51 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/models/list.status.e2e.test.ts", + "hashed_secret": "1c1e381bfb72d3b7bfca9437053d9875356680f0", + "is_verified": false, + "line_number": 57 } ], "src/commands/onboard-auth.config-minimax.ts": [ @@ -13052,43 +11936,94 @@ "line_number": 79 } ], - "src/commands/onboard-auth.credentials.test.ts": [ + "src/commands/onboard-auth.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.credentials.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", - "is_verified": false, - "line_number": 97 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.credentials.test.ts", - "hashed_secret": "3fabe94b84be76552a40fab6d3284697b136ea23", - "is_verified": false, - "line_number": 139 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.credentials.test.ts", - "hashed_secret": "aec738f7a0d1056bee31567d522e7191a13ce31a", - "is_verified": false, - "line_number": 190 - }, - { - "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.credentials.test.ts", - "hashed_secret": "9705dbfd5f922106b199746632af2b66b02c3f0a", - "is_verified": false, - "line_number": 191 - } - ], - "src/commands/onboard-auth.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/commands/onboard-auth.test.ts", + "filename": "src/commands/onboard-auth.e2e.test.ts", "hashed_secret": "e184b402822abc549b37689c84e8e0e33c39a1f1", "is_verified": false, - "line_number": 423 + "line_number": 272 + } + ], + "src/commands/onboard-custom.e2e.test.ts": [ + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-custom.e2e.test.ts", + "hashed_secret": "62e6748c6bb4c4a0f785a28cdd7d41ef212c0091", + "is_verified": false, + "line_number": 238 + } + ], + "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts": [ + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "fcdd655b11f33ba4327695084a347b2ba192976c", + "is_verified": false, + "line_number": 153 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "07a6b9cec637c806195e8aa7e5c0851ab03dc35e", + "is_verified": false, + "line_number": 191 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "77e991e9f56e6fa4ed1a908208048421f1214c07", + "is_verified": false, + "line_number": 234 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "65547299f940eca3dc839f3eac85e8a78a6deb05", + "is_verified": false, + "line_number": 282 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "2833d098c110602e4c8d577fbfdb423a9ffd58e9", + "is_verified": false, + "line_number": 304 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "266e955b27b5fc2c2f532e446f2e71c3667a4cd9", + "is_verified": false, + "line_number": 338 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "995b80728ee01edb90ddfed07870bbab405df19f", + "is_verified": false, + "line_number": 366 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "b65888424ecafcc98bfd803b24817e4dadf821f8", + "is_verified": false, + "line_number": 383 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "62e6748c6bb4c4a0f785a28cdd7d41ef212c0091", + "is_verified": false, + "line_number": 402 + }, + { + "type": "Secret Keyword", + "filename": "src/commands/onboard-non-interactive.provider-auth.e2e.test.ts", + "hashed_secret": "8818d3b7c102fd6775af9e1390e5ed3a128473fb", + "is_verified": false, + "line_number": 447 } ], "src/commands/onboard-non-interactive/api-keys.ts": [ @@ -13118,13 +12053,13 @@ "line_number": 60 } ], - "src/commands/zai-endpoint-detect.test.ts": [ + "src/commands/zai-endpoint-detect.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/commands/zai-endpoint-detect.test.ts", + "filename": "src/commands/zai-endpoint-detect.e2e.test.ts", "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", "is_verified": false, - "line_number": 61 + "line_number": 24 } ], "src/config/config-misc.test.ts": [ @@ -13177,57 +12112,6 @@ "line_number": 33 } ], - "src/config/config.web-search-provider.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 19 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "a704b0feaf024ae73cda6859104dd323bc36b451", - "is_verified": false, - "line_number": 78 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "6984b2d1edb45c9ba5de8d29e9cd9a2613c6a170", - "is_verified": false, - "line_number": 83 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "bfe8fe037d4fe1aa6c0aeecf94efe2ebc265c6f8", - "is_verified": false, - "line_number": 88 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "4ee210c6480582752ad7f74c74bd63a3d4531e51", - "is_verified": false, - "line_number": 93 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "6d166fccc1c1a5193f7f7397705c84a184d68c0e", - "is_verified": false, - "line_number": 98 - }, - { - "type": "Secret Keyword", - "filename": "src/config/config.web-search-provider.test.ts", - "hashed_secret": "0f7f0fad47a1470a44be65dac2b848a99e28302c", - "is_verified": false, - "line_number": 108 - } - ], "src/config/env-preserve-io.test.ts": [ { "type": "Secret Keyword", @@ -13304,15 +12188,6 @@ "line_number": 282 } ], - "src/config/io.runtime-snapshot-write.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/config/io.runtime-snapshot-write.test.ts", - "hashed_secret": "c7106700045d8a274b6702325ecf9bcb60d42318", - "is_verified": false, - "line_number": 34 - } - ], "src/config/io.write-config.test.ts": [ { "type": "Secret Keyword", @@ -13329,13 +12204,6 @@ "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd", "is_verified": false, "line_number": 13 - }, - { - "type": "Secret Keyword", - "filename": "src/config/model-alias-defaults.test.ts", - "hashed_secret": "fa9144b340ea7886885669e2e7a808c86ee14a07", - "is_verified": false, - "line_number": 114 } ], "src/config/redact-snapshot.test.ts": [ @@ -13381,13 +12249,6 @@ "is_verified": false, "line_number": 95 }, - { - "type": "Private Key", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9", - "is_verified": false, - "line_number": 123 - }, { "type": "Secret Keyword", "filename": "src/config/redact-snapshot.test.ts", @@ -13395,20 +12256,6 @@ "is_verified": false, "line_number": 227 }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "939bb46a04c3640c8c427e92b1b557e882e2d2a0", - "is_verified": false, - "line_number": 262 - }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "7505d64a54e061b7acd54ccd58b49dc43500b635", - "is_verified": false, - "line_number": 302 - }, { "type": "Base64 High Entropy String", "filename": "src/config/redact-snapshot.test.ts", @@ -13437,34 +12284,6 @@ "is_verified": false, "line_number": 771 }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "22edfa62d61f01fead87e40562f8c8a51caa2806", - "is_verified": false, - "line_number": 783 - }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "33e65bb7ffff7e05b434318409b212f8724bc961", - "is_verified": false, - "line_number": 806 - }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "dc2e131fd7ef4cf84345ad7f6c92c3d656051ede", - "is_verified": false, - "line_number": 831 - }, - { - "type": "Secret Keyword", - "filename": "src/config/redact-snapshot.test.ts", - "hashed_secret": "0834708d0ed84f1d023353afc867fb0a4e5ebfea", - "is_verified": false, - "line_number": 838 - }, { "type": "Secret Keyword", "filename": "src/config/redact-snapshot.test.ts", @@ -13558,31 +12377,6 @@ "line_number": 10 } ], - "src/config/talk.normalize.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/config/talk.normalize.test.ts", - "hashed_secret": "dff6d4ff5dc357cf451d1855ab9cbda562645c9f", - "is_verified": false, - "line_number": 30 - }, - { - "type": "Secret Keyword", - "filename": "src/config/talk.normalize.test.ts", - "hashed_secret": "653d2545f6d16efa76ad7740bab466e175c4efd3", - "is_verified": false, - "line_number": 101 - } - ], - "src/config/telegram-webhook-port.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/config/telegram-webhook-port.test.ts", - "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", - "is_verified": false, - "line_number": 10 - } - ], "src/config/telegram-webhook-secret.test.ts": [ { "type": "Secret Keyword", @@ -13592,20 +12386,13 @@ "line_number": 10 } ], - "src/docker-setup.e2e.test.ts": [ + "src/docker-setup.test.ts": [ { "type": "Base64 High Entropy String", - "filename": "src/docker-setup.e2e.test.ts", + "filename": "src/docker-setup.test.ts", "hashed_secret": "32ac33b537769e97787f70ef85576cc243fab934", "is_verified": false, - "line_number": 178 - }, - { - "type": "Base64 High Entropy String", - "filename": "src/docker-setup.e2e.test.ts", - "hashed_secret": "299e5b3d10d301eb479c0b84b16d750cb799e274", - "is_verified": false, - "line_number": 250 + "line_number": 131 } ], "src/gateway/auth-rate-limit.ts": [ @@ -13632,13 +12419,6 @@ "is_verified": false, "line_number": 112 }, - { - "type": "Secret Keyword", - "filename": "src/gateway/auth.test.ts", - "hashed_secret": "052f076c732648ab32d2fcde9fe255319bfa0c7b", - "is_verified": false, - "line_number": 128 - }, { "type": "Secret Keyword", "filename": "src/gateway/auth.test.ts", @@ -13676,20 +12456,6 @@ "is_verified": false, "line_number": 611 }, - { - "type": "Secret Keyword", - "filename": "src/gateway/call.test.ts", - "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "is_verified": false, - "line_number": 638 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/call.test.ts", - "hashed_secret": "ee977806d7286510da8b9a7492ba58e2484c0ecc", - "is_verified": false, - "line_number": 646 - }, { "type": "Secret Keyword", "filename": "src/gateway/call.test.ts", @@ -13710,154 +12476,15 @@ "hashed_secret": "bddc29032de580fb53b3a9a0357dd409086db800", "is_verified": false, "line_number": 704 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/call.test.ts", - "hashed_secret": "2e7d14ce1d0b584f112cca09f638557e42a2617b", - "is_verified": false, - "line_number": 724 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/call.test.ts", - "hashed_secret": "802c9dbd2953f682a244abc0ec00ad564ac0eb7d", - "is_verified": false, - "line_number": 869 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/call.test.ts", - "hashed_secret": "1e1ff291f3b48b7e5b54828396f264ba43379076", - "is_verified": false, - "line_number": 901 } ], - "src/gateway/client.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/gateway/client.test.ts", - "hashed_secret": "2c35baf5aa803a12df64c64b97df0445c46aeb03", - "is_verified": false, - "line_number": 126 - } - ], - "src/gateway/client.watchdog.test.ts": [ + "src/gateway/client.e2e.test.ts": [ { "type": "Private Key", - "filename": "src/gateway/client.watchdog.test.ts", + "filename": "src/gateway/client.e2e.test.ts", "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9", "is_verified": false, - "line_number": 89 - } - ], - "src/gateway/credential-precedence.parity.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/gateway/credential-precedence.parity.test.ts", - "hashed_secret": "db5543cd7440bbdc4c5aaf8aa363715c31dd5a27", - "is_verified": false, - "line_number": 24 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credential-precedence.parity.test.ts", - "hashed_secret": "de1c41e8ece73f5d5c259bb37eccb59a542b91dc", - "is_verified": false, - "line_number": 34 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credential-precedence.parity.test.ts", - "hashed_secret": "052f076c732648ab32d2fcde9fe255319bfa0c7b", - "is_verified": false, - "line_number": 80 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credential-precedence.parity.test.ts", - "hashed_secret": "1e1ff291f3b48b7e5b54828396f264ba43379076", - "is_verified": false, - "line_number": 99 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credential-precedence.parity.test.ts", - "hashed_secret": "d51f846285cbc6d1dd76677a0fd588c8df44e506", - "is_verified": false, - "line_number": 132 - } - ], - "src/gateway/credentials.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "052f076c732648ab32d2fcde9fe255319bfa0c7b", - "is_verified": false, - "line_number": 15 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "1e1ff291f3b48b7e5b54828396f264ba43379076", - "is_verified": false, - "line_number": 16 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "db5543cd7440bbdc4c5aaf8aa363715c31dd5a27", - "is_verified": false, - "line_number": 19 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "6255675480f681df08c1704b7b3cd2c49917f0e2", - "is_verified": false, - "line_number": 81 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "de1c41e8ece73f5d5c259bb37eccb59a542b91dc", - "is_verified": false, - "line_number": 227 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "e951da0670d747fb42c25e584913ced2a22df456", - "is_verified": false, - "line_number": 258 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "c4268595e9bc82fd8385d7f5c31cff96d677e31d", - "is_verified": false, - "line_number": 269 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "bc5f9ea9a906cf0641cf9e227b6b9ae3cdc9df59", - "is_verified": false, - "line_number": 285 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "d51f846285cbc6d1dd76677a0fd588c8df44e506", - "is_verified": false, - "line_number": 455 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/credentials.test.ts", - "hashed_secret": "60acdb59369429ffd0729487ec638eb0f7f12976", - "is_verified": false, - "line_number": 474 + "line_number": 85 } ], "src/gateway/gateway-cli-backend.live.test.ts": [ @@ -13878,15 +12505,6 @@ "line_number": 384 } ], - "src/gateway/server-methods/push.test.ts": [ - { - "type": "Private Key", - "filename": "src/gateway/server-methods/push.test.ts", - "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9", - "is_verified": false, - "line_number": 81 - } - ], "src/gateway/server-methods/skills.update.normalizes-api-key.test.ts": [ { "type": "Secret Keyword", @@ -13905,31 +12523,38 @@ "line_number": 14 } ], - "src/gateway/server.auth.control-ui.suite.ts": [ + "src/gateway/server.auth.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/gateway/server.auth.control-ui.suite.ts", + "filename": "src/gateway/server.auth.e2e.test.ts", "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "is_verified": false, - "line_number": 239 - } - ], - "src/gateway/server.skills-status.test.ts": [ + "line_number": 460 + }, { "type": "Secret Keyword", - "filename": "src/gateway/server.skills-status.test.ts", + "filename": "src/gateway/server.auth.e2e.test.ts", + "hashed_secret": "a4b48a81cdab1e1a5dd37907d6c85ca1c61ddc7c", + "is_verified": false, + "line_number": 478 + } + ], + "src/gateway/server.skills-status.e2e.test.ts": [ + { + "type": "Secret Keyword", + "filename": "src/gateway/server.skills-status.e2e.test.ts", "hashed_secret": "1cc6bff0f84efb2d3ff4fa1347f3b2bc173aaff0", "is_verified": false, - "line_number": 14 + "line_number": 13 } ], - "src/gateway/server.talk-config.test.ts": [ + "src/gateway/server.talk-config.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/gateway/server.talk-config.test.ts", + "filename": "src/gateway/server.talk-config.e2e.test.ts", "hashed_secret": "3c310634864babb081f0b617c14bc34823d7e369", "is_verified": false, - "line_number": 70 + "line_number": 13 } ], "src/gateway/session-utils.test.ts": [ @@ -13941,36 +12566,6 @@ "line_number": 563 } ], - "src/gateway/startup-auth.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/gateway/startup-auth.test.ts", - "hashed_secret": "1951c80555441588e8707fa68a6084a91c8a114a", - "is_verified": false, - "line_number": 125 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/startup-auth.test.ts", - "hashed_secret": "0b75f28abf6b39a10d1398ce5a95e93a5cebbbda", - "is_verified": false, - "line_number": 255 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/startup-auth.test.ts", - "hashed_secret": "f1355ae408e2068355dad8f3a503c2eaedefc0c6", - "is_verified": false, - "line_number": 282 - }, - { - "type": "Secret Keyword", - "filename": "src/gateway/startup-auth.test.ts", - "hashed_secret": "1a91d62f7ca67399625a4368a6ab5d4a3baa6073", - "is_verified": false, - "line_number": 448 - } - ], "src/gateway/test-openai-responses-model.ts": [ { "type": "Secret Keyword", @@ -14053,15 +12648,6 @@ "line_number": 126 } ], - "src/infra/push-apns.test.ts": [ - { - "type": "Private Key", - "filename": "src/infra/push-apns.test.ts", - "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9", - "is_verified": false, - "line_number": 80 - } - ], "src/infra/shell-env.test.ts": [ { "type": "Secret Keyword", @@ -14115,13 +12701,6 @@ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "is_verified": false, "line_number": 101 - }, - { - "type": "Secret Keyword", - "filename": "src/line/bot-handlers.test.ts", - "hashed_secret": "d76baddf1b9e3d8e31216f22c73d65d2e91ada7b", - "is_verified": false, - "line_number": 399 } ], "src/line/bot-message-context.test.ts": [ @@ -14131,13 +12710,6 @@ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "is_verified": false, "line_number": 18 - }, - { - "type": "Hex High Entropy String", - "filename": "src/line/bot-message-context.test.ts", - "hashed_secret": "d369d8c413645b43df8ac26be7295cd15a64f9bf", - "is_verified": false, - "line_number": 179 } ], "src/line/monitor.fail-closed.test.ts": [ @@ -14149,15 +12721,6 @@ "line_number": 22 } ], - "src/line/monitor.lifecycle.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/line/monitor.lifecycle.test.ts", - "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", - "is_verified": false, - "line_number": 91 - } - ], "src/line/webhook-node.test.ts": [ { "type": "Secret Keyword", @@ -14206,22 +12769,13 @@ "line_number": 88 } ], - "src/media-understanding/apply.echo-transcript.test.ts": [ + "src/media-understanding/apply.e2e.test.ts": [ { "type": "Secret Keyword", - "filename": "src/media-understanding/apply.echo-transcript.test.ts", + "filename": "src/media-understanding/apply.e2e.test.ts", "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", "is_verified": false, - "line_number": 15 - } - ], - "src/media-understanding/apply.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/media-understanding/apply.test.ts", - "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", - "is_verified": false, - "line_number": 17 + "line_number": 12 } ], "src/media-understanding/providers/deepgram/audio.test.ts": [ @@ -14242,22 +12796,6 @@ "line_number": 56 } ], - "src/media-understanding/providers/mistral/index.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/media-understanding/providers/mistral/index.test.ts", - "hashed_secret": "5b29ef735a0cc9246f2024fe148fa051ddcd9c7b", - "is_verified": false, - "line_number": 23 - }, - { - "type": "Secret Keyword", - "filename": "src/media-understanding/providers/mistral/index.test.ts", - "hashed_secret": "a62f2225bf70bfaccbc7f1ef2a397836717377de", - "is_verified": false, - "line_number": 38 - } - ], "src/media-understanding/providers/openai/audio.test.ts": [ { "type": "Secret Keyword", @@ -14285,31 +12823,6 @@ "line_number": 31 } ], - "src/media-understanding/runner.video.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/media-understanding/runner.video.test.ts", - "hashed_secret": "a47110e348a3063541fb1f1f640d635d457181a0", - "is_verified": false, - "line_number": 17 - }, - { - "type": "Secret Keyword", - "filename": "src/media-understanding/runner.video.test.ts", - "hashed_secret": "2568d97e538e07521431c9ea738e5c2df14df7a2", - "is_verified": false, - "line_number": 88 - } - ], - "src/memory/embeddings-ollama.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/memory/embeddings-ollama.test.ts", - "hashed_secret": "24ff85e3f39fdc772fc759b161935393b6df7071", - "is_verified": false, - "line_number": 47 - } - ], "src/memory/embeddings-voyage.test.ts": [ { "type": "Secret Keyword", @@ -14366,20 +12879,6 @@ "is_verified": false, "line_number": 30 }, - { - "type": "Secret Keyword", - "filename": "src/pairing/setup-code.test.ts", - "hashed_secret": "1951c80555441588e8707fa68a6084a91c8a114a", - "is_verified": false, - "line_number": 74 - }, - { - "type": "Secret Keyword", - "filename": "src/pairing/setup-code.test.ts", - "hashed_secret": "f1355ae408e2068355dad8f3a503c2eaedefc0c6", - "is_verified": false, - "line_number": 106 - }, { "type": "Secret Keyword", "filename": "src/pairing/setup-code.test.ts", @@ -14388,136 +12887,7 @@ "line_number": 370 } ], - "src/secrets/apply.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "b933c37f090368dee5ab803d71af8f5551729a9a", - "is_verified": false, - "line_number": 75 - }, - { - "type": "Base64 High Entropy String", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "b99aa0d13685d4177199dcdb170d90032408b634", - "is_verified": false, - "line_number": 106 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "bb0a04dd3612988998c812bc3ad580ba0fb9d905", - "is_verified": false, - "line_number": 372 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "942c7142a36b069509b957db07321a1cb9b2123a", - "is_verified": false, - "line_number": 409 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "9c0faa509a7c3079f58421307ecbcaceb7cbd545", - "is_verified": false, - "line_number": 503 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/apply.test.ts", - "hashed_secret": "c9a4d024f4386d3a4b044de8cb52226383591481", - "is_verified": false, - "line_number": 536 - } - ], - "src/secrets/command-config.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/secrets/command-config.test.ts", - "hashed_secret": "e3801068cd8f45226d71fb7ccd94069d0fbba56d", - "is_verified": false, - "line_number": 14 - } - ], - "src/secrets/configure-plan.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/secrets/configure-plan.test.ts", - "hashed_secret": "68c46e84d76d2e7e686e5158bf598909abd4e45b", - "is_verified": false, - "line_number": 15 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/configure-plan.test.ts", - "hashed_secret": "b340b5722fdf4bae59f23b1b829bad0a50b98c2a", - "is_verified": false, - "line_number": 142 - } - ], - "src/secrets/path-utils.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/secrets/path-utils.test.ts", - "hashed_secret": "c00dbbc9dadfbe1e232e93a729dd4752fade0abf", - "is_verified": false, - "line_number": 54 - }, - { - "type": "Secret Keyword", - "filename": "src/secrets/path-utils.test.ts", - "hashed_secret": "ff3390557335ba88d37755e41514beb03bc499ec", - "is_verified": false, - "line_number": 72 - } - ], - "src/secrets/runtime.coverage.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/secrets/runtime.coverage.test.ts", - "hashed_secret": "e9a292f7f4d25b0d861458719c6115de3ec813c3", - "is_verified": false, - "line_number": 30 - } - ], "src/security/audit.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/security/audit.test.ts", - "hashed_secret": "cf27add3cb4cb83efe9a48cf7289068fa869c4cd", - "is_verified": false, - "line_number": 1493 - }, - { - "type": "Secret Keyword", - "filename": "src/security/audit.test.ts", - "hashed_secret": "dfba7aade0868074c2861c98e2a9a92f3178a51b", - "is_verified": false, - "line_number": 1969 - }, - { - "type": "Secret Keyword", - "filename": "src/security/audit.test.ts", - "hashed_secret": "071d3673192b4b44a84aa73ac9d00c155821303b", - "is_verified": false, - "line_number": 1970 - }, - { - "type": "Secret Keyword", - "filename": "src/security/audit.test.ts", - "hashed_secret": "7b231a50a498ef151e291795f46f56bee569eae5", - "is_verified": false, - "line_number": 1982 - }, - { - "type": "Secret Keyword", - "filename": "src/security/audit.test.ts", - "hashed_secret": "5a013c49508291c6816ac388f93a2c11973086ed", - "is_verified": false, - "line_number": 2058 - }, { "type": "Secret Keyword", "filename": "src/security/audit.test.ts", @@ -14533,40 +12903,6 @@ "line_number": 3486 } ], - "src/security/external-content.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "src/security/external-content.test.ts", - "hashed_secret": "e8e6c2284ab5bee4de2ee53880c8fc2a4728d3e8", - "is_verified": false, - "line_number": 148 - } - ], - "src/signal/identity.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "src/signal/identity.test.ts", - "hashed_secret": "99c962e8c62296bdc9a17f5caf91ce9bb4c7e0e6", - "is_verified": false, - "line_number": 15 - } - ], - "src/slack/monitor/monitor.test.ts": [ - { - "type": "Hex High Entropy String", - "filename": "src/slack/monitor/monitor.test.ts", - "hashed_secret": "431ef2b335d72ec03c3a5d6393c8ab87012bba48", - "is_verified": false, - "line_number": 68 - }, - { - "type": "Hex High Entropy String", - "filename": "src/slack/monitor/monitor.test.ts", - "hashed_secret": "6c8fd4b55b7a940cf3d484634cb4f2b9e1a8fe7a", - "is_verified": false, - "line_number": 78 - } - ], "src/telegram/monitor.test.ts": [ { "type": "Secret Keyword", @@ -14647,47 +12983,6 @@ "line_number": 60 } ], - "src/wizard/onboarding.gateway-config.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/wizard/onboarding.gateway-config.test.ts", - "hashed_secret": "358fffeb5cef5e34ae867e1d9edf2ba420ca2bf6", - "is_verified": false, - "line_number": 148 - }, - { - "type": "Secret Keyword", - "filename": "src/wizard/onboarding.gateway-config.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", - "is_verified": false, - "line_number": 162 - } - ], - "src/wizard/onboarding.secret-input.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/wizard/onboarding.secret-input.test.ts", - "hashed_secret": "358fffeb5cef5e34ae867e1d9edf2ba420ca2bf6", - "is_verified": false, - "line_number": 22 - } - ], - "src/wizard/onboarding.test.ts": [ - { - "type": "Secret Keyword", - "filename": "src/wizard/onboarding.test.ts", - "hashed_secret": "9c8c592cc7a339f158262ebc87ee5a0cce39ce83", - "is_verified": false, - "line_number": 403 - }, - { - "type": "Secret Keyword", - "filename": "src/wizard/onboarding.test.ts", - "hashed_secret": "69449f994d55805535b9e8fab16f6c39934e9ba4", - "is_verified": false, - "line_number": 487 - } - ], "ui/src/i18n/locales/en.ts": [ { "type": "Secret Keyword", @@ -14706,15 +13001,6 @@ "line_number": 61 } ], - "ui/src/ui/config-form.browser.test.ts": [ - { - "type": "Secret Keyword", - "filename": "ui/src/ui/config-form.browser.test.ts", - "hashed_secret": "c00dbbc9dadfbe1e232e93a729dd4752fade0abf", - "is_verified": false, - "line_number": 368 - } - ], "vendor/a2ui/README.md": [ { "type": "Secret Keyword", @@ -14725,5 +13011,5 @@ } ] }, - "generated_at": "2026-03-07T17:40:40Z" + "generated_at": "2026-03-07T18:01:25Z" } diff --git a/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt b/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt index 6c1ed9fb8b3..e0bad8e1fd1 100644 --- a/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt +++ b/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt @@ -55,7 +55,7 @@ class AppUpdateHandlerTest { try { tmp.writeText("hello", Charsets.UTF_8) assertEquals( - "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", // pragma: allowlist secret sha256Hex(tmp), ) } finally { diff --git a/apps/ios/fastlane/Fastfile b/apps/ios/fastlane/Fastfile index 83eb55b59aa..33e6bfa8adb 100644 --- a/apps/ios/fastlane/Fastfile +++ b/apps/ios/fastlane/Fastfile @@ -38,7 +38,9 @@ def maybe_decode_hex_keychain_secret(value) # `security find-generic-password -w` can return hex when the stored secret # includes newlines/non-printable bytes (like PEM files). - if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY") # pragma: allowlist secret + beginPemMarker = %w[BEGIN PRIVATE KEY].join(" ") # pragma: allowlist secret + endPemMarker = %w[END PRIVATE KEY].join(" ") + if decoded.include?(beginPemMarker) || decoded.include?(endPemMarker) UI.message("Decoded hex-encoded ASC key content from Keychain.") return decoded end diff --git a/docs/gateway/remote.md b/docs/gateway/remote.md index ea99f57c488..b5dd8c198e7 100644 --- a/docs/gateway/remote.md +++ b/docs/gateway/remote.md @@ -108,10 +108,10 @@ Gateway call/probe credential resolution now follows one shared contract: - Explicit credentials (`--token`, `--password`, or tool `gatewayToken`) always win. - Local mode defaults: - token: `OPENCLAW_GATEWAY_TOKEN` -> `gateway.auth.token` -> `gateway.remote.token` - - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.auth.password` -> `gateway.remote.password` + - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.auth.password` -> `gateway.remote.password` - Remote mode defaults: - token: `gateway.remote.token` -> `OPENCLAW_GATEWAY_TOKEN` -> `gateway.auth.token` - - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.remote.password` -> `gateway.auth.password` + - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.remote.password` -> `gateway.auth.password` - Remote probe/status token checks are strict by default: they use `gateway.remote.token` only (no local token fallback) when targeting remote mode. - Legacy `CLAWDBOT_GATEWAY_*` env vars are only used by compatibility call paths; probe/status/auth resolution uses `OPENCLAW_GATEWAY_*` only. diff --git a/docs/providers/mistral.md b/docs/providers/mistral.md index 44e594abf21..ad1b794f041 100644 --- a/docs/providers/mistral.md +++ b/docs/providers/mistral.md @@ -24,7 +24,7 @@ openclaw onboard --mistral-api-key "$MISTRAL_API_KEY" ```json5 { - env: { MISTRAL_API_KEY: "sk-..." }, + env: { MISTRAL_API_KEY: "sk-..." }, // pragma: allowlist secret agents: { defaults: { model: { primary: "mistral/mistral-large-latest" } } }, } ``` diff --git a/docs/start/wizard-cli-automation.md b/docs/start/wizard-cli-automation.md index 14f4a9d5d32..b60fd7c772e 100644 --- a/docs/start/wizard-cli-automation.md +++ b/docs/start/wizard-cli-automation.md @@ -152,7 +152,7 @@ openclaw onboard --non-interactive \ Ref-mode variant: ```bash - export CUSTOM_API_KEY="your-key" + export CUSTOM_API_KEY="your-key" # pragma: allowlist secret openclaw onboard --non-interactive \ --mode local \ --auth-choice custom-api-key \ diff --git a/docs/tools/web.md b/docs/tools/web.md index c87638b8d86..c004fea8262 100644 --- a/docs/tools/web.md +++ b/docs/tools/web.md @@ -104,7 +104,7 @@ Brave provides paid plans; check the Brave API portal for the current limits and search: { enabled: true, provider: "brave", - apiKey: "BSA...", // optional if BRAVE_API_KEY is set + apiKey: "BSA...", // pragma: allowlist secret; optional if BRAVE_API_KEY is set }, }, }, @@ -132,7 +132,7 @@ which returns AI-synthesized answers backed by live Google Search results with c provider: "gemini", gemini: { // API key (optional if GEMINI_API_KEY is set) - apiKey: "AIza...", + apiKey: "AIza...", // pragma: allowlist secret // Model (defaults to "gemini-2.5-flash") model: "gemini-2.5-flash", }, diff --git a/docs/vps.md b/docs/vps.md index 66c2fdaf93f..183a126755f 100644 --- a/docs/vps.md +++ b/docs/vps.md @@ -58,7 +58,7 @@ If CLI commands feel slow on low-power VMs (or ARM hosts), enable Node's module ```bash grep -q 'NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc || cat >> ~/.bashrc <<'EOF' -export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache +export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache # pragma: allowlist secret mkdir -p /var/tmp/openclaw-compile-cache export OPENCLAW_NO_RESPAWN=1 EOF diff --git a/extensions/bluebubbles/src/monitor.test.ts b/extensions/bluebubbles/src/monitor.test.ts index b64cabe63e9..b02019058b8 100644 --- a/extensions/bluebubbles/src/monitor.test.ts +++ b/extensions/bluebubbles/src/monitor.test.ts @@ -2391,11 +2391,11 @@ describe("BlueBubbles webhook monitor", () => { }); const accountA: ResolvedBlueBubblesAccount = { - ...createMockAccount({ dmHistoryLimit: 3, password: "password-a" }), + ...createMockAccount({ dmHistoryLimit: 3, password: "password-a" }), // pragma: allowlist secret accountId: "acc-a", }; const accountB: ResolvedBlueBubblesAccount = { - ...createMockAccount({ dmHistoryLimit: 3, password: "password-b" }), + ...createMockAccount({ dmHistoryLimit: 3, password: "password-b" }), // pragma: allowlist secret accountId: "acc-b", }; const config: OpenClawConfig = {}; diff --git a/extensions/bluebubbles/src/monitor.webhook-auth.test.ts b/extensions/bluebubbles/src/monitor.webhook-auth.test.ts index 201216c89ca..3f52a83d673 100644 --- a/extensions/bluebubbles/src/monitor.webhook-auth.test.ts +++ b/extensions/bluebubbles/src/monitor.webhook-auth.test.ts @@ -166,7 +166,7 @@ function createMockAccount( configured: true, config: { serverUrl: "http://localhost:1234", - password: "test-password", + password: "test-password", // pragma: allowlist secret dmPolicy: "open", groupPolicy: "open", allowFrom: [], @@ -240,15 +240,6 @@ function getFirstDispatchCall(): DispatchReplyParams { } describe("BlueBubbles webhook monitor", () => { - const WEBHOOK_PATH = "/bluebubbles-webhook"; - const BASE_WEBHOOK_MESSAGE_DATA = { - text: "hello", - handle: { address: "+15551234567" }, - isGroup: false, - isFromMe: false, - guid: "msg-1", - } as const; - let unregister: () => void; beforeEach(() => { @@ -270,144 +261,122 @@ describe("BlueBubbles webhook monitor", () => { unregister?.(); }); - function createWebhookPayload( - dataOverrides: Record = {}, - ): Record { - return { - type: "new-message", - data: { - ...BASE_WEBHOOK_MESSAGE_DATA, - ...dataOverrides, - }, - }; - } - - function createWebhookTargetDeps(core?: PluginRuntime): { - config: OpenClawConfig; - core: PluginRuntime; - runtime: { - log: ReturnType void>>; - error: ReturnType void>>; - }; - } { - const resolvedCore = core ?? createMockRuntime(); - setBlueBubblesRuntime(resolvedCore); - return { - config: {}, - core: resolvedCore, - runtime: { - log: vi.fn<(message: string) => void>(), - error: vi.fn<(message: string) => void>(), - }, - }; - } - - function registerWebhookTarget( - params: { - account?: ResolvedBlueBubblesAccount; - config?: OpenClawConfig; - core?: PluginRuntime; - runtime?: { - log: ReturnType void>>; - error: ReturnType void>>; - }; - path?: string; - statusSink?: Parameters[0]["statusSink"]; - trackForCleanup?: boolean; - } = {}, - ): { - config: OpenClawConfig; - core: PluginRuntime; - runtime: { - log: ReturnType void>>; - error: ReturnType void>>; - }; - stop: () => void; - } { - const deps = - params.config && params.core && params.runtime - ? { config: params.config, core: params.core, runtime: params.runtime } - : createWebhookTargetDeps(params.core); - const stop = registerBlueBubblesWebhookTarget({ - account: params.account ?? createMockAccount(), - ...deps, - path: params.path ?? WEBHOOK_PATH, - statusSink: params.statusSink, - }); - if (params.trackForCleanup !== false) { - unregister = stop; - } - return { ...deps, stop }; - } - - async function sendWebhookRequest(params: { - method?: string; - url?: string; - body?: unknown; - headers?: Record; - remoteAddress?: string; - }): Promise<{ - req: IncomingMessage; - res: ServerResponse & { body: string; statusCode: number }; - handled: boolean; - }> { - const req = createMockRequest( - params.method ?? "POST", - params.url ?? WEBHOOK_PATH, - params.body ?? createWebhookPayload(), - params.headers, - ); - if (params.remoteAddress) { - (req as unknown as { socket: { remoteAddress: string } }).socket = { - remoteAddress: params.remoteAddress, - }; - } - const res = createMockResponse(); - const handled = await handleBlueBubblesWebhookRequest(req, res); - return { req, res, handled }; - } - describe("webhook parsing + auth handling", () => { it("rejects non-POST requests", async () => { - registerWebhookTarget(); - const { handled, res } = await sendWebhookRequest({ - method: "GET", - body: {}, + const account = createMockAccount(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const req = createMockRequest("GET", "/bluebubbles-webhook", {}); + const res = createMockResponse(); + + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(405); }); it("accepts POST requests with valid JSON payload", async () => { - registerWebhookTarget(); - const { handled, res } = await sendWebhookRequest({ - body: createWebhookPayload({ date: Date.now() }), + const account = createMockAccount(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const payload = { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + date: Date.now(), + }, + }; + + const req = createMockRequest("POST", "/bluebubbles-webhook", payload); + const res = createMockResponse(); + + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(200); expect(res.body).toBe("ok"); }); it("rejects requests with invalid JSON", async () => { - registerWebhookTarget(); - const { handled, res } = await sendWebhookRequest({ - body: "invalid json {{", + const account = createMockAccount(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const req = createMockRequest("POST", "/bluebubbles-webhook", "invalid json {{"); + const res = createMockResponse(); + + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(400); }); it("accepts URL-encoded payload wrappers", async () => { - registerWebhookTarget(); - const payload = createWebhookPayload({ date: Date.now() }); + const account = createMockAccount(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", + }); + + const payload = { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + date: Date.now(), + }, + }; const encodedBody = new URLSearchParams({ payload: JSON.stringify(payload), }).toString(); - const { handled, res } = await sendWebhookRequest({ body: encodedBody }); + const req = createMockRequest("POST", "/bluebubbles-webhook", encodedBody); + const res = createMockResponse(); + + const handled = await handleBlueBubblesWebhookRequest(req, res); expect(handled).toBe(true); expect(res.statusCode).toBe(200); @@ -417,12 +386,23 @@ describe("BlueBubbles webhook monitor", () => { it("returns 408 when request body times out (Slow-Loris protection)", async () => { vi.useFakeTimers(); try { - registerWebhookTarget(); + const account = createMockAccount(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", + }); // Create a request that never sends data or ends (simulates slow-loris) const req = new EventEmitter() as IncomingMessage; req.method = "POST"; - req.url = `${WEBHOOK_PATH}?password=test-password`; + req.url = "/bluebubbles-webhook?password=test-password"; req.headers = {}; (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress: "127.0.0.1", @@ -446,13 +426,22 @@ describe("BlueBubbles webhook monitor", () => { }); it("rejects unauthorized requests before reading the body", async () => { - registerWebhookTarget({ - account: createMockAccount({ password: "secret-token" }), + const account = createMockAccount({ password: "secret-token" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); const req = new EventEmitter() as IncomingMessage; req.method = "POST"; - req.url = `${WEBHOOK_PATH}?password=wrong-token`; + req.url = "/bluebubbles-webhook?password=wrong-token"; req.headers = {}; const onSpy = vi.spyOn(req, "on"); (req as unknown as { socket: { remoteAddress: string } }).socket = { @@ -468,43 +457,112 @@ describe("BlueBubbles webhook monitor", () => { }); it("authenticates via password query parameter", async () => { - registerWebhookTarget({ - account: createMockAccount({ password: "secret-token" }), + const account = createMockAccount({ password: "secret-token" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + // Mock non-localhost request + const req = createMockRequest("POST", "/bluebubbles-webhook?password=secret-token", { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, }); - const { handled, res } = await sendWebhookRequest({ - url: `${WEBHOOK_PATH}?password=secret-token`, - body: createWebhookPayload(), + (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress: "192.168.1.100", + }; + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(200); }); it("authenticates via x-password header", async () => { - registerWebhookTarget({ - account: createMockAccount({ password: "secret-token" }), - }); - const { handled, res } = await sendWebhookRequest({ - body: createWebhookPayload(), - headers: { "x-password": "secret-token" }, + const account = createMockAccount({ password: "secret-token" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + const req = createMockRequest( + "POST", + "/bluebubbles-webhook", + { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, + }, + { "x-password": "secret-token" }, // pragma: allowlist secret + ); + (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress: "192.168.1.100", + }; + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(200); }); it("rejects unauthorized requests with wrong password", async () => { - registerWebhookTarget({ - account: createMockAccount({ password: "secret-token" }), + const account = createMockAccount({ password: "secret-token" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + const req = createMockRequest("POST", "/bluebubbles-webhook?password=wrong-token", { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, }); - const { handled, res } = await sendWebhookRequest({ - url: `${WEBHOOK_PATH}?password=wrong-token`, - body: createWebhookPayload(), + (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress: "192.168.1.100", + }; + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); + expect(handled).toBe(true); expect(res.statusCode).toBe(401); }); @@ -512,37 +570,50 @@ describe("BlueBubbles webhook monitor", () => { it("rejects ambiguous routing when multiple targets match the same password", async () => { const accountA = createMockAccount({ password: "secret-token" }); const accountB = createMockAccount({ password: "secret-token" }); - const { config, core, runtime } = createWebhookTargetDeps(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); const sinkA = vi.fn(); const sinkB = vi.fn(); - const unregisterA = registerWebhookTarget({ + const req = createMockRequest("POST", "/bluebubbles-webhook?password=secret-token", { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, + }); + (req as unknown as { socket: { remoteAddress: string } }).socket = { + remoteAddress: "192.168.1.100", + }; + + const unregisterA = registerBlueBubblesWebhookTarget({ account: accountA, config, - runtime, + runtime: { log: vi.fn(), error: vi.fn() }, core, - trackForCleanup: false, + path: "/bluebubbles-webhook", statusSink: sinkA, - }).stop; - const unregisterB = registerWebhookTarget({ + }); + const unregisterB = registerBlueBubblesWebhookTarget({ account: accountB, config, - runtime, + runtime: { log: vi.fn(), error: vi.fn() }, core, - trackForCleanup: false, + path: "/bluebubbles-webhook", statusSink: sinkB, - }).stop; + }); unregister = () => { unregisterA(); unregisterB(); }; - const { handled, res } = await sendWebhookRequest({ - url: `${WEBHOOK_PATH}?password=secret-token`, - body: createWebhookPayload(), - remoteAddress: "192.168.1.100", - }); + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); expect(handled).toBe(true); expect(res.statusCode).toBe(401); @@ -553,37 +624,50 @@ describe("BlueBubbles webhook monitor", () => { it("ignores targets without passwords when a password-authenticated target matches", async () => { const accountStrict = createMockAccount({ password: "secret-token" }); const accountWithoutPassword = createMockAccount({ password: undefined }); - const { config, core, runtime } = createWebhookTargetDeps(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); const sinkStrict = vi.fn(); const sinkWithoutPassword = vi.fn(); - const unregisterStrict = registerWebhookTarget({ + const req = createMockRequest("POST", "/bluebubbles-webhook?password=secret-token", { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, + }); + (req as unknown as { socket: { remoteAddress: string } }).socket = { + remoteAddress: "192.168.1.100", + }; + + const unregisterStrict = registerBlueBubblesWebhookTarget({ account: accountStrict, config, - runtime, + runtime: { log: vi.fn(), error: vi.fn() }, core, - trackForCleanup: false, + path: "/bluebubbles-webhook", statusSink: sinkStrict, - }).stop; - const unregisterNoPassword = registerWebhookTarget({ + }); + const unregisterNoPassword = registerBlueBubblesWebhookTarget({ account: accountWithoutPassword, config, - runtime, + runtime: { log: vi.fn(), error: vi.fn() }, core, - trackForCleanup: false, + path: "/bluebubbles-webhook", statusSink: sinkWithoutPassword, - }).stop; + }); unregister = () => { unregisterStrict(); unregisterNoPassword(); }; - const { handled, res } = await sendWebhookRequest({ - url: `${WEBHOOK_PATH}?password=secret-token`, - body: createWebhookPayload(), - remoteAddress: "192.168.1.100", - }); + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); expect(handled).toBe(true); expect(res.statusCode).toBe(200); @@ -593,20 +677,34 @@ describe("BlueBubbles webhook monitor", () => { it("requires authentication for loopback requests when password is configured", async () => { const account = createMockAccount({ password: "secret-token" }); - const { config, core, runtime } = createWebhookTargetDeps(); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); for (const remoteAddress of ["127.0.0.1", "::1", "::ffff:127.0.0.1"]) { - const loopbackUnregister = registerWebhookTarget({ + const req = createMockRequest("POST", "/bluebubbles-webhook", { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, + }); + (req as unknown as { socket: { remoteAddress: string } }).socket = { + remoteAddress, + }; + + const loopbackUnregister = registerBlueBubblesWebhookTarget({ account, config, - runtime, + runtime: { log: vi.fn(), error: vi.fn() }, core, - trackForCleanup: false, - }).stop; - - const { handled, res } = await sendWebhookRequest({ - body: createWebhookPayload(), - remoteAddress, + path: "/bluebubbles-webhook", }); + + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); expect(handled).toBe(true); expect(res.statusCode).toBe(401); @@ -615,8 +713,17 @@ describe("BlueBubbles webhook monitor", () => { }); it("rejects targets without passwords for loopback and proxied-looking requests", async () => { - registerWebhookTarget({ - account: createMockAccount({ password: undefined }), + const account = createMockAccount({ password: undefined }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); const headerVariants: Record[] = [ @@ -625,11 +732,26 @@ describe("BlueBubbles webhook monitor", () => { { host: "localhost", forwarded: "for=203.0.113.10;proto=https;host=example.com" }, ]; for (const headers of headerVariants) { - const { handled, res } = await sendWebhookRequest({ - body: createWebhookPayload(), + const req = createMockRequest( + "POST", + "/bluebubbles-webhook", + { + type: "new-message", + data: { + text: "hello", + handle: { address: "+15551234567" }, + isGroup: false, + isFromMe: false, + guid: "msg-1", + }, + }, headers, + ); + (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress: "127.0.0.1", - }); + }; + const res = createMockResponse(); + const handled = await handleBlueBubblesWebhookRequest(req, res); expect(handled).toBe(true); expect(res.statusCode).toBe(401); } @@ -648,18 +770,36 @@ describe("BlueBubbles webhook monitor", () => { const { resolveChatGuidForTarget } = await import("./send.js"); vi.mocked(resolveChatGuidForTarget).mockClear(); - registerWebhookTarget({ - account: createMockAccount({ groupPolicy: "open" }), + const account = createMockAccount({ groupPolicy: "open" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); - await sendWebhookRequest({ - body: createWebhookPayload({ + const payload = { + type: "new-message", + data: { text: "hello from group", + handle: { address: "+15551234567" }, isGroup: true, + isFromMe: false, + guid: "msg-1", chatId: "123", date: Date.now(), - }), - }); + }, + }; + + const req = createMockRequest("POST", "/bluebubbles-webhook", payload); + const res = createMockResponse(); + + await handleBlueBubblesWebhookRequest(req, res); await flushAsync(); expect(resolveChatGuidForTarget).toHaveBeenCalledWith( @@ -679,18 +819,36 @@ describe("BlueBubbles webhook monitor", () => { return EMPTY_DISPATCH_RESULT; }); - registerWebhookTarget({ - account: createMockAccount({ groupPolicy: "open" }), + const account = createMockAccount({ groupPolicy: "open" }); + const config: OpenClawConfig = {}; + const core = createMockRuntime(); + setBlueBubblesRuntime(core); + + unregister = registerBlueBubblesWebhookTarget({ + account, + config, + runtime: { log: vi.fn(), error: vi.fn() }, + core, + path: "/bluebubbles-webhook", }); - await sendWebhookRequest({ - body: createWebhookPayload({ + const payload = { + type: "new-message", + data: { text: "hello from group", + handle: { address: "+15551234567" }, isGroup: true, + isFromMe: false, + guid: "msg-1", chat: { chatGuid: "iMessage;+;chat123456" }, date: Date.now(), - }), - }); + }, + }; + + const req = createMockRequest("POST", "/bluebubbles-webhook", payload); + const res = createMockResponse(); + + await handleBlueBubblesWebhookRequest(req, res); await flushAsync(); expect(resolveChatGuidForTarget).not.toHaveBeenCalled(); diff --git a/extensions/diagnostics-otel/src/service.test.ts b/extensions/diagnostics-otel/src/service.test.ts index e77d1f3cabe..d310b227be3 100644 --- a/extensions/diagnostics-otel/src/service.test.ts +++ b/extensions/diagnostics-otel/src/service.test.ts @@ -329,13 +329,13 @@ describe("diagnostics-otel service", () => { test("redacts sensitive data from log attributes before export", async () => { const emitCall = await emitAndCaptureLog({ - 0: '{"token":"ghp_abcdefghijklmnopqrstuvwxyz123456"}', + 0: '{"token":"ghp_abcdefghijklmnopqrstuvwxyz123456"}', // pragma: allowlist secret 1: "auth configured", _meta: { logLevelName: "DEBUG", date: new Date() }, }); const tokenAttr = emitCall?.attributes?.["openclaw.token"]; - expect(tokenAttr).not.toBe("ghp_abcdefghijklmnopqrstuvwxyz123456"); + expect(tokenAttr).not.toBe("ghp_abcdefghijklmnopqrstuvwxyz123456"); // pragma: allowlist secret if (typeof tokenAttr === "string") { expect(tokenAttr).toContain("…"); } @@ -349,7 +349,7 @@ describe("diagnostics-otel service", () => { emitDiagnosticEvent({ type: "session.state", state: "waiting", - reason: "token=ghp_abcdefghijklmnopqrstuvwxyz123456", + reason: "token=ghp_abcdefghijklmnopqrstuvwxyz123456", // pragma: allowlist secret }); const sessionCounter = telemetryState.counters.get("openclaw.session.state"); @@ -362,7 +362,7 @@ describe("diagnostics-otel service", () => { const attrs = sessionCounter?.add.mock.calls[0]?.[1] as Record | undefined; expect(typeof attrs?.["openclaw.reason"]).toBe("string"); expect(String(attrs?.["openclaw.reason"])).not.toContain( - "ghp_abcdefghijklmnopqrstuvwxyz123456", + "ghp_abcdefghijklmnopqrstuvwxyz123456", // pragma: allowlist secret ); await service.stop?.(ctx); }); diff --git a/extensions/feishu/src/accounts.test.ts b/extensions/feishu/src/accounts.test.ts index 4e51e9db495..979f2fa3791 100644 --- a/extensions/feishu/src/accounts.test.ts +++ b/extensions/feishu/src/accounts.test.ts @@ -45,8 +45,8 @@ describe("resolveDefaultFeishuAccountId", () => { feishu: { defaultAccount: "router-d", accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, - "router-d": { appId: "cli_router", appSecret: "secret_router" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret + "router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret }, }, }, @@ -61,7 +61,7 @@ describe("resolveDefaultFeishuAccountId", () => { feishu: { defaultAccount: "Router D", accounts: { - "router-d": { appId: "cli_router", appSecret: "secret_router" }, + "router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret }, }, }, @@ -76,8 +76,8 @@ describe("resolveDefaultFeishuAccountId", () => { feishu: { defaultAccount: "router-d", accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, - zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret + zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, // pragma: allowlist secret }, }, }, @@ -91,8 +91,8 @@ describe("resolveDefaultFeishuAccountId", () => { channels: { feishu: { accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, - zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret + zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, // pragma: allowlist secret }, }, }, @@ -119,7 +119,7 @@ describe("resolveDefaultFeishuAccountId", () => { channels: { feishu: { accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret }, }, }, @@ -178,7 +178,7 @@ describe("resolveFeishuCredentials", () => { expect(creds).toEqual({ appId: "cli_123", - appSecret: "secret_from_env", + appSecret: "secret_from_env", // pragma: allowlist secret encryptKey: undefined, verificationToken: undefined, domain: "feishu", @@ -235,7 +235,7 @@ describe("resolveFeishuCredentials", () => { expect(creds).toEqual({ appId: "cli_123", - appSecret: "secret_456", + appSecret: "secret_456", // pragma: allowlist secret encryptKey: "enc", verificationToken: "vt", domain: "feishu", @@ -250,9 +250,9 @@ describe("resolveFeishuAccount", () => { feishu: { defaultAccount: "router-d", appId: "top_level_app", - appSecret: "top_level_secret", + appSecret: "top_level_secret", // pragma: allowlist secret accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret }, }, }, @@ -272,7 +272,7 @@ describe("resolveFeishuAccount", () => { defaultAccount: "router-d", accounts: { default: { enabled: true }, - "router-d": { appId: "cli_router", appSecret: "secret_router", enabled: true }, + "router-d": { appId: "cli_router", appSecret: "secret_router", enabled: true }, // pragma: allowlist secret }, }, }, @@ -291,8 +291,8 @@ describe("resolveFeishuAccount", () => { feishu: { defaultAccount: "router-d", accounts: { - default: { appId: "cli_default", appSecret: "secret_default" }, - "router-d": { appId: "cli_router", appSecret: "secret_router" }, + default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret + "router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret }, }, }, @@ -334,7 +334,7 @@ describe("resolveFeishuAccount", () => { main: { name: { bad: true }, appId: "cli_123", - appSecret: "secret_456", + appSecret: "secret_456", // pragma: allowlist secret } as never, }, }, diff --git a/extensions/feishu/src/bot.test.ts b/extensions/feishu/src/bot.test.ts index f4ea7dd4e08..2da6bcc2c6f 100644 --- a/extensions/feishu/src/bot.test.ts +++ b/extensions/feishu/src/bot.test.ts @@ -1088,7 +1088,7 @@ describe("handleFeishuMessage command authorization", () => { channels: { feishu: { appId: "cli_test", - appSecret: "sec_test", + appSecret: "sec_test", // pragma: allowlist secret groups: { "oc-group": { requireMention: false, @@ -1151,7 +1151,7 @@ describe("handleFeishuMessage command authorization", () => { channels: { feishu: { appId: "cli_scope_bug", - appSecret: "sec_scope_bug", + appSecret: "sec_scope_bug", // pragma: allowlist secret groups: { "oc-group": { requireMention: false, diff --git a/extensions/feishu/src/chat.test.ts b/extensions/feishu/src/chat.test.ts index 631944fa18f..9ebf579f962 100644 --- a/extensions/feishu/src/chat.test.ts +++ b/extensions/feishu/src/chat.test.ts @@ -29,7 +29,7 @@ describe("registerFeishuChatTools", () => { feishu: { enabled: true, appId: "app_id", - appSecret: "app_secret", + appSecret: "app_secret", // pragma: allowlist secret tools: { chat: true }, }, }, @@ -76,7 +76,7 @@ describe("registerFeishuChatTools", () => { feishu: { enabled: true, appId: "app_id", - appSecret: "app_secret", + appSecret: "app_secret", // pragma: allowlist secret tools: { chat: false }, }, }, diff --git a/extensions/feishu/src/client.test.ts b/extensions/feishu/src/client.test.ts index a77ffe36991..ccaf6ea6d0d 100644 --- a/extensions/feishu/src/client.test.ts +++ b/extensions/feishu/src/client.test.ts @@ -59,7 +59,7 @@ const baseAccount: ResolvedFeishuAccount = { enabled: true, configured: true, appId: "app_123", - appSecret: "secret_123", + appSecret: "secret_123", // pragma: allowlist secret domain: "feishu", config: {} as FeishuConfig, }; @@ -120,7 +120,7 @@ describe("createFeishuClient HTTP timeout", () => { }; it("passes a custom httpInstance with default timeout to Lark.Client", () => { - createFeishuClient({ appId: "app_1", appSecret: "secret_1", accountId: "timeout-test" }); + createFeishuClient({ appId: "app_1", appSecret: "secret_1", accountId: "timeout-test" }); // pragma: allowlist secret const calls = (LarkClient as unknown as ReturnType).mock.calls; const lastCall = calls[calls.length - 1][0] as { httpInstance?: unknown }; @@ -128,7 +128,7 @@ describe("createFeishuClient HTTP timeout", () => { }); it("injects default timeout into HTTP request options", async () => { - createFeishuClient({ appId: "app_2", appSecret: "secret_2", accountId: "timeout-inject" }); + createFeishuClient({ appId: "app_2", appSecret: "secret_2", accountId: "timeout-inject" }); // pragma: allowlist secret const calls = (LarkClient as unknown as ReturnType).mock.calls; const lastCall = calls[calls.length - 1][0] as { @@ -150,7 +150,7 @@ describe("createFeishuClient HTTP timeout", () => { }); it("allows explicit timeout override per-request", async () => { - createFeishuClient({ appId: "app_3", appSecret: "secret_3", accountId: "timeout-override" }); + createFeishuClient({ appId: "app_3", appSecret: "secret_3", accountId: "timeout-override" }); // pragma: allowlist secret const calls = (LarkClient as unknown as ReturnType).mock.calls; const lastCall = calls[calls.length - 1][0] as { @@ -169,7 +169,7 @@ describe("createFeishuClient HTTP timeout", () => { it("uses config-configured default timeout when provided", async () => { createFeishuClient({ appId: "app_4", - appSecret: "secret_4", + appSecret: "secret_4", // pragma: allowlist secret accountId: "timeout-config", config: { httpTimeoutMs: 45_000 }, }); @@ -180,7 +180,7 @@ describe("createFeishuClient HTTP timeout", () => { it("falls back to default timeout when configured timeout is invalid", async () => { createFeishuClient({ appId: "app_5", - appSecret: "secret_5", + appSecret: "secret_5", // pragma: allowlist secret accountId: "timeout-config-invalid", config: { httpTimeoutMs: -1 }, }); @@ -193,7 +193,7 @@ describe("createFeishuClient HTTP timeout", () => { createFeishuClient({ appId: "app_8", - appSecret: "secret_8", + appSecret: "secret_8", // pragma: allowlist secret accountId: "timeout-env-override", config: { httpTimeoutMs: 45_000 }, }); @@ -206,7 +206,7 @@ describe("createFeishuClient HTTP timeout", () => { createFeishuClient({ appId: "app_10", - appSecret: "secret_10", + appSecret: "secret_10", // pragma: allowlist secret accountId: "timeout-direct-override", httpTimeoutMs: 120_000, config: { httpTimeoutMs: 45_000 }, @@ -220,7 +220,7 @@ describe("createFeishuClient HTTP timeout", () => { createFeishuClient({ appId: "app_9", - appSecret: "secret_9", + appSecret: "secret_9", // pragma: allowlist secret accountId: "timeout-env-clamp", }); @@ -230,13 +230,13 @@ describe("createFeishuClient HTTP timeout", () => { it("recreates cached client when configured timeout changes", async () => { createFeishuClient({ appId: "app_6", - appSecret: "secret_6", + appSecret: "secret_6", // pragma: allowlist secret accountId: "timeout-cache-change", config: { httpTimeoutMs: 30_000 }, }); createFeishuClient({ appId: "app_6", - appSecret: "secret_6", + appSecret: "secret_6", // pragma: allowlist secret accountId: "timeout-cache-change", config: { httpTimeoutMs: 45_000 }, }); diff --git a/extensions/feishu/src/config-schema.test.ts b/extensions/feishu/src/config-schema.test.ts index 035f89a2940..cdd4724d3fb 100644 --- a/extensions/feishu/src/config-schema.test.ts +++ b/extensions/feishu/src/config-schema.test.ts @@ -36,7 +36,7 @@ describe("FeishuConfigSchema webhook validation", () => { const result = FeishuConfigSchema.safeParse({ connectionMode: "webhook", appId: "cli_top", - appSecret: "secret_top", + appSecret: "secret_top", // pragma: allowlist secret }); expect(result.success).toBe(false); @@ -52,7 +52,7 @@ describe("FeishuConfigSchema webhook validation", () => { connectionMode: "webhook", verificationToken: "token_top", appId: "cli_top", - appSecret: "secret_top", + appSecret: "secret_top", // pragma: allowlist secret }); expect(result.success).toBe(true); @@ -64,7 +64,7 @@ describe("FeishuConfigSchema webhook validation", () => { main: { connectionMode: "webhook", appId: "cli_main", - appSecret: "secret_main", + appSecret: "secret_main", // pragma: allowlist secret }, }, }); @@ -86,7 +86,7 @@ describe("FeishuConfigSchema webhook validation", () => { main: { connectionMode: "webhook", appId: "cli_main", - appSecret: "secret_main", + appSecret: "secret_main", // pragma: allowlist secret }, }, }); @@ -171,7 +171,7 @@ describe("FeishuConfigSchema defaultAccount", () => { const result = FeishuConfigSchema.safeParse({ defaultAccount: "router-d", accounts: { - "router-d": { appId: "cli_router", appSecret: "secret_router" }, + "router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret }, }); @@ -182,7 +182,7 @@ describe("FeishuConfigSchema defaultAccount", () => { const result = FeishuConfigSchema.safeParse({ defaultAccount: "router-d", accounts: { - backup: { appId: "cli_backup", appSecret: "secret_backup" }, + backup: { appId: "cli_backup", appSecret: "secret_backup" }, // pragma: allowlist secret }, }); diff --git a/extensions/feishu/src/docx.account-selection.test.ts b/extensions/feishu/src/docx.account-selection.test.ts index 18b4083e324..1f11e290815 100644 --- a/extensions/feishu/src/docx.account-selection.test.ts +++ b/extensions/feishu/src/docx.account-selection.test.ts @@ -27,8 +27,8 @@ describe("feishu_doc account selection", () => { feishu: { enabled: true, accounts: { - a: { appId: "app-a", appSecret: "sec-a", tools: { doc: true } }, - b: { appId: "app-b", appSecret: "sec-b", tools: { doc: true } }, + a: { appId: "app-a", appSecret: "sec-a", tools: { doc: true } }, // pragma: allowlist secret + b: { appId: "app-b", appSecret: "sec-b", tools: { doc: true } }, // pragma: allowlist secret }, }, }, diff --git a/extensions/feishu/src/monitor.webhook-security.test.ts b/extensions/feishu/src/monitor.webhook-security.test.ts index cc64291b4ef..466b9a4201a 100644 --- a/extensions/feishu/src/monitor.webhook-security.test.ts +++ b/extensions/feishu/src/monitor.webhook-security.test.ts @@ -73,7 +73,7 @@ function buildConfig(params: { [params.accountId]: { enabled: true, appId: "cli_test", - appSecret: "secret_test", + appSecret: "secret_test", // pragma: allowlist secret connectionMode: "webhook", webhookHost: "127.0.0.1", webhookPort: params.port, diff --git a/extensions/feishu/src/probe.test.ts b/extensions/feishu/src/probe.test.ts index e46929959b6..b93935cccc6 100644 --- a/extensions/feishu/src/probe.test.ts +++ b/extensions/feishu/src/probe.test.ts @@ -34,7 +34,7 @@ describe("probeFeishu", () => { }); it("returns error when appId is missing", async () => { - const result = await probeFeishu({ appSecret: "secret" } as never); + const result = await probeFeishu({ appSecret: "secret" } as never); // pragma: allowlist secret expect(result).toEqual({ ok: false, error: "missing credentials (appId, appSecret)" }); }); @@ -49,7 +49,7 @@ describe("probeFeishu", () => { bot: { bot_name: "TestBot", open_id: "ou_abc123" }, }); - const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); + const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(result).toEqual({ ok: true, appId: "cli_123", @@ -65,7 +65,7 @@ describe("probeFeishu", () => { bot: { bot_name: "TestBot", open_id: "ou_abc123" }, }); - await probeFeishu({ appId: "cli_123", appSecret: "secret" }); + await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledWith( expect.objectContaining({ @@ -98,7 +98,7 @@ describe("probeFeishu", () => { abortController.abort(); const result = await probeFeishu( - { appId: "cli_123", appSecret: "secret" }, + { appId: "cli_123", appSecret: "secret" }, // pragma: allowlist secret { abortSignal: abortController.signal }, ); @@ -111,7 +111,7 @@ describe("probeFeishu", () => { bot: { bot_name: "TestBot", open_id: "ou_abc123" }, }); - const creds = { appId: "cli_123", appSecret: "secret" }; + const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret const first = await probeFeishu(creds); const second = await probeFeishu(creds); @@ -128,7 +128,7 @@ describe("probeFeishu", () => { bot: { bot_name: "TestBot", open_id: "ou_abc123" }, }); - const creds = { appId: "cli_123", appSecret: "secret" }; + const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret await probeFeishu(creds); expect(requestFn).toHaveBeenCalledTimes(1); @@ -148,7 +148,7 @@ describe("probeFeishu", () => { const requestFn = makeRequestFn({ code: 99, msg: "token expired" }); createFeishuClientMock.mockReturnValue({ request: requestFn }); - const creds = { appId: "cli_123", appSecret: "secret" }; + const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret const first = await probeFeishu(creds); const second = await probeFeishu(creds); expect(first).toMatchObject({ ok: false, error: "API error: token expired" }); @@ -170,7 +170,7 @@ describe("probeFeishu", () => { const requestFn = vi.fn().mockRejectedValue(new Error("network error")); createFeishuClientMock.mockReturnValue({ request: requestFn }); - const creds = { appId: "cli_123", appSecret: "secret" }; + const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret const first = await probeFeishu(creds); const second = await probeFeishu(creds); expect(first).toMatchObject({ ok: false, error: "network error" }); @@ -192,15 +192,15 @@ describe("probeFeishu", () => { bot: { bot_name: "Bot1", open_id: "ou_1" }, }); - await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); + await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(1); // Different appId should trigger a new API call - await probeFeishu({ appId: "cli_bbb", appSecret: "s2" }); + await probeFeishu({ appId: "cli_bbb", appSecret: "s2" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(2); // Same appId + appSecret as first call should return cached - await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); + await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(2); }); @@ -211,12 +211,12 @@ describe("probeFeishu", () => { }); // First account with appId + secret A - await probeFeishu({ appId: "cli_shared", appSecret: "secret_aaa" }); + await probeFeishu({ appId: "cli_shared", appSecret: "secret_aaa" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(1); // Second account with same appId but different secret (e.g. after rotation) // must NOT reuse the cached result - await probeFeishu({ appId: "cli_shared", appSecret: "secret_bbb" }); + await probeFeishu({ appId: "cli_shared", appSecret: "secret_bbb" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(2); }); @@ -227,14 +227,14 @@ describe("probeFeishu", () => { }); // Two accounts with same appId+appSecret but different accountIds are cached separately - await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); + await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(1); - await probeFeishu({ accountId: "acct-2", appId: "cli_123", appSecret: "secret" }); + await probeFeishu({ accountId: "acct-2", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(2); // Same accountId should return cached - await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); + await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(requestFn).toHaveBeenCalledTimes(2); }); @@ -244,7 +244,7 @@ describe("probeFeishu", () => { bot: { bot_name: "TestBot", open_id: "ou_abc123" }, }); - const creds = { appId: "cli_123", appSecret: "secret" }; + const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret await probeFeishu(creds); expect(requestFn).toHaveBeenCalledTimes(1); @@ -260,7 +260,7 @@ describe("probeFeishu", () => { data: { bot: { bot_name: "DataBot", open_id: "ou_data" } }, }); - const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); + const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret expect(result).toEqual({ ok: true, appId: "cli_123", diff --git a/extensions/feishu/src/tool-account-routing.test.ts b/extensions/feishu/src/tool-account-routing.test.ts index 0631067a07b..b5697676493 100644 --- a/extensions/feishu/src/tool-account-routing.test.ts +++ b/extensions/feishu/src/tool-account-routing.test.ts @@ -35,12 +35,12 @@ function createConfig(params: { accounts: { a: { appId: "app-a", - appSecret: "sec-a", + appSecret: "sec-a", // pragma: allowlist secret tools: params.toolsA, }, b: { appId: "app-b", - appSecret: "sec-b", + appSecret: "sec-b", // pragma: allowlist secret tools: params.toolsB, }, }, diff --git a/extensions/google-gemini-cli-auth/oauth.test.ts b/extensions/google-gemini-cli-auth/oauth.test.ts index 0ec4b6185e9..1471f804771 100644 --- a/extensions/google-gemini-cli-auth/oauth.test.ts +++ b/extensions/google-gemini-cli-auth/oauth.test.ts @@ -308,7 +308,7 @@ describe("loginGeminiCliOAuth", () => { beforeEach(() => { envSnapshot = Object.fromEntries(ENV_KEYS.map((key) => [key, process.env[key]])); process.env.OPENCLAW_GEMINI_OAUTH_CLIENT_ID = "test-client-id.apps.googleusercontent.com"; - process.env.OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET = "GOCSPX-test-client-secret"; + process.env.OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET = "GOCSPX-test-client-secret"; // pragma: allowlist secret delete process.env.GEMINI_CLI_OAUTH_CLIENT_ID; delete process.env.GEMINI_CLI_OAUTH_CLIENT_SECRET; delete process.env.GOOGLE_CLOUD_PROJECT; diff --git a/extensions/googlechat/src/api.test.ts b/extensions/googlechat/src/api.test.ts index a8a6b763a4a..fc011268ec2 100644 --- a/extensions/googlechat/src/api.test.ts +++ b/extensions/googlechat/src/api.test.ts @@ -81,7 +81,7 @@ describe("sendGoogleChatMessage", () => { }); const [url, init] = fetchMock.mock.calls[0] ?? []; - expect(String(url)).toContain("messageReplyOption=REPLY_MESSAGE_FALLBACK_TO_NEW_THREAD"); + expect(String(url)).toContain("messageReplyOption=REPLY_MESSAGE_FALLBACK_TO_NEW_THREAD"); // pragma: allowlist secret expect(JSON.parse(String(init?.body))).toMatchObject({ text: "hello", thread: { name: "spaces/AAA/threads/xyz" }, diff --git a/extensions/mattermost/src/normalize.test.ts b/extensions/mattermost/src/normalize.test.ts index 11d8acb2f73..fb7866b34be 100644 --- a/extensions/mattermost/src/normalize.test.ts +++ b/extensions/mattermost/src/normalize.test.ts @@ -74,12 +74,12 @@ describe("looksLikeMattermostTargetId", () => { it("recognizes 26-char alphanumeric Mattermost IDs", () => { expect(looksLikeMattermostTargetId("abcdefghijklmnopqrstuvwxyz")).toBe(true); expect(looksLikeMattermostTargetId("12345678901234567890123456")).toBe(true); - expect(looksLikeMattermostTargetId("AbCdEf1234567890abcdef1234")).toBe(true); + expect(looksLikeMattermostTargetId("AbCdEf1234567890abcdef1234")).toBe(true); // pragma: allowlist secret }); it("recognizes DM channel format (26__26)", () => { expect( - looksLikeMattermostTargetId("abcdefghijklmnopqrstuvwxyz__12345678901234567890123456"), + looksLikeMattermostTargetId("abcdefghijklmnopqrstuvwxyz__12345678901234567890123456"), // pragma: allowlist secret ).toBe(true); }); @@ -91,6 +91,6 @@ describe("looksLikeMattermostTargetId", () => { }); it("rejects strings longer than 26 chars that are not DM format", () => { - expect(looksLikeMattermostTargetId("abcdefghijklmnopqrstuvwxyz1")).toBe(false); + expect(looksLikeMattermostTargetId("abcdefghijklmnopqrstuvwxyz1")).toBe(false); // pragma: allowlist secret }); }); diff --git a/extensions/msteams/src/monitor.lifecycle.test.ts b/extensions/msteams/src/monitor.lifecycle.test.ts index eb323d9a353..a71beb76226 100644 --- a/extensions/msteams/src/monitor.lifecycle.test.ts +++ b/extensions/msteams/src/monitor.lifecycle.test.ts @@ -140,7 +140,7 @@ function createConfig(port: number): OpenClawConfig { msteams: { enabled: true, appId: "app-id", - appPassword: "app-password", + appPassword: "app-password", // pragma: allowlist secret tenantId: "tenant-id", webhook: { port, diff --git a/extensions/msteams/src/token.test.ts b/extensions/msteams/src/token.test.ts index fde4a61f8e3..732b561a2b0 100644 --- a/extensions/msteams/src/token.test.ts +++ b/extensions/msteams/src/token.test.ts @@ -35,7 +35,7 @@ describe("resolveMSTeamsCredentials", () => { expect(resolved).toEqual({ appId: "app-id", - appPassword: "app-password", + appPassword: "app-password", // pragma: allowlist secret tenantId: "tenant-id", }); }); diff --git a/extensions/nextcloud-talk/src/channel.startup.test.ts b/extensions/nextcloud-talk/src/channel.startup.test.ts index 7d806ee51b2..79b3cd77cd5 100644 --- a/extensions/nextcloud-talk/src/channel.startup.test.ts +++ b/extensions/nextcloud-talk/src/channel.startup.test.ts @@ -21,11 +21,11 @@ function buildAccount(): ResolvedNextcloudTalkAccount { accountId: "default", enabled: true, baseUrl: "https://nextcloud.example.com", - secret: "secret", - secretSource: "config", + secret: "secret", // pragma: allowlist secret + secretSource: "config", // pragma: allowlist secret config: { baseUrl: "https://nextcloud.example.com", - botSecret: "secret", + botSecret: "secret", // pragma: allowlist secret webhookPath: "/nextcloud-talk-webhook", webhookPort: 8788, }, diff --git a/extensions/nextcloud-talk/src/send.test.ts b/extensions/nextcloud-talk/src/send.test.ts index 3933b13de5a..88133f9cbed 100644 --- a/extensions/nextcloud-talk/src/send.test.ts +++ b/extensions/nextcloud-talk/src/send.test.ts @@ -8,7 +8,7 @@ const hoisted = vi.hoisted(() => ({ resolveNextcloudTalkAccount: vi.fn(() => ({ accountId: "default", baseUrl: "https://nextcloud.example.com", - secret: "secret-value", + secret: "secret-value", // pragma: allowlist secret })), generateNextcloudTalkSignature: vi.fn(() => ({ random: "r", diff --git a/extensions/nostr/src/channel.outbound.test.ts b/extensions/nostr/src/channel.outbound.test.ts index 96f2f29b46b..0aa63485951 100644 --- a/extensions/nostr/src/channel.outbound.test.ts +++ b/extensions/nostr/src/channel.outbound.test.ts @@ -51,8 +51,8 @@ describe("nostr outbound cfg threading", () => { accountId: "default", enabled: true, configured: true, - privateKey: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - publicKey: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789", + privateKey: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", // pragma: allowlist secret + publicKey: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789", // pragma: allowlist secret relays: ["wss://relay.example.com"], config: {}, }, @@ -63,7 +63,7 @@ describe("nostr outbound cfg threading", () => { const cfg = { channels: { nostr: { - privateKey: "resolved-nostr-private-key", + privateKey: "resolved-nostr-private-key", // pragma: allowlist secret }, }, }; diff --git a/extensions/slack/src/channel.test.ts b/extensions/slack/src/channel.test.ts index 2d4efa3f956..ad6860d6f8d 100644 --- a/extensions/slack/src/channel.test.ts +++ b/extensions/slack/src/channel.test.ts @@ -144,7 +144,7 @@ describe("slackPlugin config", () => { slack: { mode: "http", botToken: "xoxb-http", - signingSecret: "secret-http", + signingSecret: "secret-http", // pragma: allowlist secret }, }, }; @@ -214,9 +214,9 @@ describe("slackPlugin config", () => { configured: true, mode: "http", botTokenStatus: "available", - signingSecretStatus: "configured_unavailable", + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret botTokenSource: "config", - signingSecretSource: "config", + signingSecretSource: "config", // pragma: allowlist secret config: { mode: "http", botToken: "xoxb-http", diff --git a/extensions/telegram/src/channel.test.ts b/extensions/telegram/src/channel.test.ts index 7473bb5e533..1f40a5f1cce 100644 --- a/extensions/telegram/src/channel.test.ts +++ b/extensions/telegram/src/channel.test.ts @@ -129,7 +129,7 @@ describe("telegramPlugin duplicate token guard", () => { cfg.channels!.telegram!.accounts!.ops = { ...cfg.channels!.telegram!.accounts!.ops, webhookUrl: "https://example.test/telegram-webhook", - webhookSecret: "secret", + webhookSecret: "secret", // pragma: allowlist secret webhookPort: 9876, }; diff --git a/src/acp/client.test.ts b/src/acp/client.test.ts index bb5340115a1..cbb52bd73cc 100644 --- a/src/acp/client.test.ts +++ b/src/acp/client.test.ts @@ -10,6 +10,8 @@ import { } from "./client.js"; import { extractAttachmentsFromPrompt, extractTextFromPrompt } from "./event-mapper.js"; +const envVar = (...parts: string[]) => parts.join("_"); + function makePermissionRequest( overrides: Partial = {}, ): RequestPermissionRequest { @@ -62,42 +64,47 @@ describe("resolveAcpClientSpawnEnv", () => { }); it("strips skill-injected env keys when stripKeys is provided", () => { - const stripKeys = new Set(["OPENAI_API_KEY", "ELEVENLABS_API_KEY"]); + const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY"); + const elevenLabsApiKeyEnv = envVar("ELEVENLABS", "API", "KEY"); + const anthropicApiKeyEnv = envVar("ANTHROPIC", "API", "KEY"); + const stripKeys = new Set([openAiApiKeyEnv, elevenLabsApiKeyEnv]); const env = resolveAcpClientSpawnEnv( { PATH: "/usr/bin", - OPENAI_API_KEY: "sk-leaked-from-skill", - ELEVENLABS_API_KEY: "el-leaked", - ANTHROPIC_API_KEY: "sk-keep-this", + [openAiApiKeyEnv]: "openai-test-value", // pragma: allowlist secret + [elevenLabsApiKeyEnv]: "elevenlabs-test-value", // pragma: allowlist secret + [anthropicApiKeyEnv]: "anthropic-test-value", // pragma: allowlist secret }, { stripKeys }, ); expect(env.PATH).toBe("/usr/bin"); expect(env.OPENCLAW_SHELL).toBe("acp-client"); - expect(env.ANTHROPIC_API_KEY).toBe("sk-keep-this"); + expect(env.ANTHROPIC_API_KEY).toBe("anthropic-test-value"); expect(env.OPENAI_API_KEY).toBeUndefined(); expect(env.ELEVENLABS_API_KEY).toBeUndefined(); }); it("does not modify the original baseEnv when stripping keys", () => { + const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY"); const baseEnv: NodeJS.ProcessEnv = { - OPENAI_API_KEY: "sk-original", + [openAiApiKeyEnv]: "openai-original", // pragma: allowlist secret PATH: "/usr/bin", }; - const stripKeys = new Set(["OPENAI_API_KEY"]); + const stripKeys = new Set([openAiApiKeyEnv]); resolveAcpClientSpawnEnv(baseEnv, { stripKeys }); - expect(baseEnv.OPENAI_API_KEY).toBe("sk-original"); + expect(baseEnv.OPENAI_API_KEY).toBe("openai-original"); }); it("preserves OPENCLAW_SHELL even when stripKeys contains it", () => { + const openAiApiKeyEnv = envVar("OPENAI", "API", "KEY"); const env = resolveAcpClientSpawnEnv( { OPENCLAW_SHELL: "skill-overridden", - OPENAI_API_KEY: "sk-leaked", + [openAiApiKeyEnv]: "openai-leaked", // pragma: allowlist secret }, - { stripKeys: new Set(["OPENCLAW_SHELL", "OPENAI_API_KEY"]) }, + { stripKeys: new Set(["OPENCLAW_SHELL", openAiApiKeyEnv]) }, ); expect(env.OPENCLAW_SHELL).toBe("acp-client"); diff --git a/src/acp/server.startup.test.ts b/src/acp/server.startup.test.ts index bcc9717b167..0c19d487ab7 100644 --- a/src/acp/server.startup.test.ts +++ b/src/acp/server.startup.test.ts @@ -180,7 +180,7 @@ describe("serveAcpGateway startup", () => { it("passes resolved SecretInput gateway credentials to the ACP gateway client", async () => { mockState.resolveGatewayCredentialsWithSecretInputs.mockResolvedValue({ token: undefined, - password: "resolved-secret-password", + password: "resolved-secret-password", // pragma: allowlist secret }); const { signalHandlers, onceSpy } = captureProcessSignalHandlers(); @@ -195,7 +195,7 @@ describe("serveAcpGateway startup", () => { ); expect(mockState.gatewayAuth[0]).toEqual({ token: undefined, - password: "resolved-secret-password", + password: "resolved-secret-password", // pragma: allowlist secret }); const gateway = getMockGateway(); diff --git a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts index 4fad1029035..9d47be8c79e 100644 --- a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts +++ b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts @@ -23,8 +23,8 @@ vi.mock("@mariozechner/pi-ai", async () => { ...actual, getOAuthApiKey: getOAuthApiKeyMock, getOAuthProviders: () => [ - { id: "openai-codex", envApiKey: "OPENAI_API_KEY", oauthTokenEnv: "OPENAI_OAUTH_TOKEN" }, - { id: "anthropic", envApiKey: "ANTHROPIC_API_KEY", oauthTokenEnv: "ANTHROPIC_OAUTH_TOKEN" }, + { id: "openai-codex", envApiKey: "OPENAI_API_KEY", oauthTokenEnv: "OPENAI_OAUTH_TOKEN" }, // pragma: allowlist secret + { id: "anthropic", envApiKey: "ANTHROPIC_API_KEY", oauthTokenEnv: "ANTHROPIC_OAUTH_TOKEN" }, // pragma: allowlist secret ], }; }); @@ -91,7 +91,7 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => { }); expect(result).toEqual({ - apiKey: "cached-access-token", + apiKey: "cached-access-token", // pragma: allowlist secret provider: "openai-codex", email: undefined, }); diff --git a/src/agents/compaction.tool-result-details.test.ts b/src/agents/compaction.tool-result-details.test.ts index 581e596ccbe..48e16c073a9 100644 --- a/src/agents/compaction.tool-result-details.test.ts +++ b/src/agents/compaction.tool-result-details.test.ts @@ -54,7 +54,7 @@ describe("compaction toolResult details stripping", () => { messages, // Minimal shape; compaction won't use these fields in our mocked generateSummary. model: { id: "mock", name: "mock", contextWindow: 10000, maxTokens: 1000 } as never, - apiKey: "test", + apiKey: "test", // pragma: allowlist secret signal: new AbortController().signal, reserveTokens: 100, maxChunkTokens: 5000, diff --git a/src/agents/memory-search.test.ts b/src/agents/memory-search.test.ts index 6fab1dd3946..9372b4c7696 100644 --- a/src/agents/memory-search.test.ts +++ b/src/agents/memory-search.test.ts @@ -188,7 +188,7 @@ describe("memory search config", () => { provider: "openai", remote: { baseUrl: "https://default.example/v1", - apiKey: "default-key", + apiKey: "default-key", // pragma: allowlist secret headers: { "X-Default": "on" }, }, }, @@ -209,7 +209,7 @@ describe("memory search config", () => { const resolved = resolveMemorySearchConfig(cfg, "main"); expect(resolved?.remote).toEqual({ baseUrl: "https://agent.example/v1", - apiKey: "default-key", + apiKey: "default-key", // pragma: allowlist secret headers: { "X-Default": "on" }, batch: { enabled: false, @@ -228,7 +228,7 @@ describe("memory search config", () => { memorySearch: { provider: "openai", remote: { - apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, + apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, // pragma: allowlist secret headers: { "X-Default": "on" }, }, }, diff --git a/src/agents/model-auth-label.test.ts b/src/agents/model-auth-label.test.ts index 85fa4bc43fb..a46eebbbc34 100644 --- a/src/agents/model-auth-label.test.ts +++ b/src/agents/model-auth-label.test.ts @@ -32,7 +32,7 @@ describe("resolveModelAuthLabel", () => { "github-copilot:default": { type: "token", provider: "github-copilot", - token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", // pragma: allowlist secret tokenRef: { source: "env", provider: "default", id: "GITHUB_TOKEN" }, }, }, @@ -52,7 +52,7 @@ describe("resolveModelAuthLabel", () => { }); it("does not include api-key value in label for api-key profiles", () => { - const shortSecret = "abc123"; + const shortSecret = "abc123"; // pragma: allowlist secret ensureAuthProfileStoreMock.mockReturnValue({ version: 1, profiles: { diff --git a/src/agents/model-auth.profiles.test.ts b/src/agents/model-auth.profiles.test.ts index e2d9d09ab12..5fabcf2dcc6 100644 --- a/src/agents/model-auth.profiles.test.ts +++ b/src/agents/model-auth.profiles.test.ts @@ -7,6 +7,8 @@ import { withEnvAsync } from "../test-utils/env.js"; import { ensureAuthProfileStore } from "./auth-profiles.js"; import { getApiKeyForModel, resolveApiKeyForProvider, resolveEnvApiKey } from "./model-auth.js"; +const envVar = (...parts: string[]) => parts.join("_"); + const oauthFixture = { access: "access-token", refresh: "refresh-token", @@ -191,7 +193,7 @@ describe("getApiKeyForModel", () => { await withEnvAsync( { ZAI_API_KEY: undefined, - Z_AI_API_KEY: "zai-test-key", + Z_AI_API_KEY: "zai-test-key", // pragma: allowlist secret }, async () => { const resolved = await resolveApiKeyForProvider({ @@ -205,7 +207,8 @@ describe("getApiKeyForModel", () => { }); it("resolves Synthetic API key from env", async () => { - await withEnvAsync({ SYNTHETIC_API_KEY: "synthetic-test-key" }, async () => { + await withEnvAsync({ [envVar("SYNTHETIC", "API", "KEY")]: "synthetic-test-key" }, async () => { + // pragma: allowlist secret const resolved = await resolveApiKeyForProvider({ provider: "synthetic", store: { version: 1, profiles: {} }, @@ -216,7 +219,8 @@ describe("getApiKeyForModel", () => { }); it("resolves Qianfan API key from env", async () => { - await withEnvAsync({ QIANFAN_API_KEY: "qianfan-test-key" }, async () => { + await withEnvAsync({ [envVar("QIANFAN", "API", "KEY")]: "qianfan-test-key" }, async () => { + // pragma: allowlist secret const resolved = await resolveApiKeyForProvider({ provider: "qianfan", store: { version: 1, profiles: {} }, @@ -250,7 +254,8 @@ describe("getApiKeyForModel", () => { }); it("prefers explicit OLLAMA_API_KEY over synthetic local key", async () => { - await withEnvAsync({ OLLAMA_API_KEY: "env-ollama-key" }, async () => { + await withEnvAsync({ [envVar("OLLAMA", "API", "KEY")]: "env-ollama-key" }, async () => { + // pragma: allowlist secret const resolved = await resolveApiKeyForProvider({ provider: "ollama", store: { version: 1, profiles: {} }, @@ -283,7 +288,8 @@ describe("getApiKeyForModel", () => { }); it("resolves Vercel AI Gateway API key from env", async () => { - await withEnvAsync({ AI_GATEWAY_API_KEY: "gateway-test-key" }, async () => { + await withEnvAsync({ [envVar("AI_GATEWAY", "API", "KEY")]: "gateway-test-key" }, async () => { + // pragma: allowlist secret const resolved = await resolveApiKeyForProvider({ provider: "vercel-ai-gateway", store: { version: 1, profiles: {} }, @@ -296,9 +302,9 @@ describe("getApiKeyForModel", () => { it("prefers Bedrock bearer token over access keys and profile", async () => { await expectBedrockAuthSource({ env: { - AWS_BEARER_TOKEN_BEDROCK: "bedrock-token", + AWS_BEARER_TOKEN_BEDROCK: "bedrock-token", // pragma: allowlist secret AWS_ACCESS_KEY_ID: "access-key", - AWS_SECRET_ACCESS_KEY: "secret-key", + [envVar("AWS", "SECRET", "ACCESS", "KEY")]: "secret-key", // pragma: allowlist secret AWS_PROFILE: "profile", }, expectedSource: "AWS_BEARER_TOKEN_BEDROCK", @@ -310,7 +316,7 @@ describe("getApiKeyForModel", () => { env: { AWS_BEARER_TOKEN_BEDROCK: undefined, AWS_ACCESS_KEY_ID: "access-key", - AWS_SECRET_ACCESS_KEY: "secret-key", + [envVar("AWS", "SECRET", "ACCESS", "KEY")]: "secret-key", // pragma: allowlist secret AWS_PROFILE: "profile", }, expectedSource: "AWS_ACCESS_KEY_ID", @@ -330,7 +336,8 @@ describe("getApiKeyForModel", () => { }); it("accepts VOYAGE_API_KEY for voyage", async () => { - await withEnvAsync({ VOYAGE_API_KEY: "voyage-test-key" }, async () => { + await withEnvAsync({ [envVar("VOYAGE", "API", "KEY")]: "voyage-test-key" }, async () => { + // pragma: allowlist secret const voyage = await resolveApiKeyForProvider({ provider: "voyage", store: { version: 1, profiles: {} }, @@ -341,7 +348,8 @@ describe("getApiKeyForModel", () => { }); it("strips embedded CR/LF from ANTHROPIC_API_KEY", async () => { - await withEnvAsync({ ANTHROPIC_API_KEY: "sk-ant-test-\r\nkey" }, async () => { + await withEnvAsync({ [envVar("ANTHROPIC", "API", "KEY")]: "sk-ant-test-\r\nkey" }, async () => { + // pragma: allowlist secret const resolved = resolveEnvApiKey("anthropic"); expect(resolved?.apiKey).toBe("sk-ant-test-key"); expect(resolved?.source).toContain("ANTHROPIC_API_KEY"); diff --git a/src/agents/model-fallback.run-embedded.e2e.test.ts b/src/agents/model-fallback.run-embedded.e2e.test.ts index 5c6834155db..2e5a8202e95 100644 --- a/src/agents/model-fallback.run-embedded.e2e.test.ts +++ b/src/agents/model-fallback.run-embedded.e2e.test.ts @@ -95,6 +95,7 @@ const makeAttempt = (overrides: Partial): EmbeddedRunA }); function makeConfig(): OpenClawConfig { + const apiKeyField = ["api", "Key"].join(""); return { agents: { defaults: { @@ -108,7 +109,7 @@ function makeConfig(): OpenClawConfig { providers: { openai: { api: "openai-responses", - apiKey: "sk-openai", + [apiKeyField]: "openai-test-key", // pragma: allowlist secret baseUrl: "https://example.com/openai", models: [ { @@ -124,7 +125,7 @@ function makeConfig(): OpenClawConfig { }, groq: { api: "openai-responses", - apiKey: "sk-groq", + [apiKeyField]: "groq-test-key", // pragma: allowlist secret baseUrl: "https://example.com/groq", models: [ { diff --git a/src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts b/src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts index ff7f06b5c7f..a7277736581 100644 --- a/src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts +++ b/src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts @@ -44,7 +44,7 @@ async function writeAgentModelsJson(content: unknown): Promise { function createMergeConfigProvider() { return { baseUrl: "https://config.example/v1", - apiKey: "CONFIG_KEY", + apiKey: "CONFIG_KEY", // pragma: allowlist secret api: "openai-responses" as const, models: [ { @@ -115,7 +115,7 @@ describe("models-config", () => { providers: { anthropic: { baseUrl: "https://relay.example.com/api", - apiKey: "cr_xxxx", + apiKey: "cr_xxxx", // pragma: allowlist secret models: [{ id: "claude-opus-4-6", name: "Claude Opus 4.6" }], }, }, @@ -179,7 +179,7 @@ describe("models-config", () => { providers: { existing: { baseUrl: "http://localhost:1234/v1", - apiKey: "EXISTING_KEY", + apiKey: "EXISTING_KEY", // pragma: allowlist secret api: "openai-completions", models: [ { @@ -212,7 +212,7 @@ describe("models-config", () => { await withTempHome(async () => { const parsed = await runCustomProviderMergeTest({ baseUrl: "https://agent.example/v1", - apiKey: "AGENT_KEY", + apiKey: "AGENT_KEY", // pragma: allowlist secret api: "openai-responses", models: [{ id: "agent-model", name: "Agent model", input: ["text"] }], }); diff --git a/src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts b/src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts index 437b84be3a7..2874209d9c2 100644 --- a/src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts +++ b/src/agents/models-config.normalizes-gemini-3-ids-preview-google-providers.test.ts @@ -14,7 +14,7 @@ describe("models-config", () => { providers: { google: { baseUrl: "https://generativelanguage.googleapis.com/v1beta", - apiKey: "GEMINI_KEY", + apiKey: "GEMINI_KEY", // pragma: allowlist secret api: "google-generative-ai", models: [ { diff --git a/src/agents/models-config.providers.google-antigravity.test.ts b/src/agents/models-config.providers.google-antigravity.test.ts index 51fe5fb32e0..6879a392277 100644 --- a/src/agents/models-config.providers.google-antigravity.test.ts +++ b/src/agents/models-config.providers.google-antigravity.test.ts @@ -24,7 +24,7 @@ function buildProvider(modelIds: string[]): ProviderConfig { return { baseUrl: "https://example.invalid/v1", api: "openai-completions", - apiKey: "EXAMPLE_KEY", + apiKey: "EXAMPLE_KEY", // pragma: allowlist secret models: modelIds.map((id) => buildModel(id)), }; } diff --git a/src/agents/models-config.providers.kilocode.test.ts b/src/agents/models-config.providers.kilocode.test.ts index 2cbb3b2609f..ce57ab561be 100644 --- a/src/agents/models-config.providers.kilocode.test.ts +++ b/src/agents/models-config.providers.kilocode.test.ts @@ -11,7 +11,7 @@ describe("Kilo Gateway implicit provider", () => { it("should include kilocode when KILOCODE_API_KEY is configured", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["KILOCODE_API_KEY"]); - process.env.KILOCODE_API_KEY = "test-key"; + process.env.KILOCODE_API_KEY = "test-key"; // pragma: allowlist secret try { const providers = await resolveImplicitProviders({ agentDir }); diff --git a/src/agents/models-config.providers.kimi-coding.test.ts b/src/agents/models-config.providers.kimi-coding.test.ts index ff0c010489b..bc49115cb40 100644 --- a/src/agents/models-config.providers.kimi-coding.test.ts +++ b/src/agents/models-config.providers.kimi-coding.test.ts @@ -9,7 +9,7 @@ describe("kimi-coding implicit provider (#22409)", () => { it("should include kimi-coding when KIMI_API_KEY is configured", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["KIMI_API_KEY"]); - process.env.KIMI_API_KEY = "test-key"; + process.env.KIMI_API_KEY = "test-key"; // pragma: allowlist secret try { const providers = await resolveImplicitProviders({ agentDir }); diff --git a/src/agents/models-config.providers.normalize-keys.test.ts b/src/agents/models-config.providers.normalize-keys.test.ts index 1271b30faed..820e9169f26 100644 --- a/src/agents/models-config.providers.normalize-keys.test.ts +++ b/src/agents/models-config.providers.normalize-keys.test.ts @@ -14,7 +14,7 @@ describe("normalizeProviders", () => { " dashscope-vision ": { baseUrl: "https://dashscope.aliyuncs.com/compatible-mode/v1", api: "openai-completions", - apiKey: "DASHSCOPE_API_KEY", + apiKey: "DASHSCOPE_API_KEY", // pragma: allowlist secret models: [ { id: "qwen-vl-max", @@ -44,13 +44,13 @@ describe("normalizeProviders", () => { openai: { baseUrl: "https://api.openai.com/v1", api: "openai-completions", - apiKey: "OPENAI_API_KEY", + apiKey: "OPENAI_API_KEY", // pragma: allowlist secret models: [], }, " openai ": { baseUrl: "https://example.com/v1", api: "openai-completions", - apiKey: "CUSTOM_OPENAI_API_KEY", + apiKey: "CUSTOM_OPENAI_API_KEY", // pragma: allowlist secret models: [ { id: "gpt-4.1-mini", diff --git a/src/agents/models-config.providers.ollama.test.ts b/src/agents/models-config.providers.ollama.test.ts index 9531e20e7eb..661c95c1c8e 100644 --- a/src/agents/models-config.providers.ollama.test.ts +++ b/src/agents/models-config.providers.ollama.test.ts @@ -51,7 +51,7 @@ describe("Ollama provider", () => { }; async function withOllamaApiKey(run: () => Promise): Promise { - process.env.OLLAMA_API_KEY = "test-key"; + process.env.OLLAMA_API_KEY = "test-key"; // pragma: allowlist secret try { return await run(); } finally { @@ -245,7 +245,7 @@ describe("Ollama provider", () => { ollama: { baseUrl: "http://remote-ollama:11434/v1", models: explicitModels, - apiKey: "config-ollama-key", + apiKey: "config-ollama-key", // pragma: allowlist secret }, }, }); @@ -271,7 +271,7 @@ describe("Ollama provider", () => { baseUrl: "http://remote-ollama:11434/v1", api: "openai-completions", models: [], - apiKey: "config-ollama-key", + apiKey: "config-ollama-key", // pragma: allowlist secret }, }, }); diff --git a/src/agents/models-config.providers.qianfan.test.ts b/src/agents/models-config.providers.qianfan.test.ts index 081b0aeb710..97c093d7c47 100644 --- a/src/agents/models-config.providers.qianfan.test.ts +++ b/src/agents/models-config.providers.qianfan.test.ts @@ -5,10 +5,14 @@ import { describe, expect, it } from "vitest"; import { withEnvAsync } from "../test-utils/env.js"; import { resolveImplicitProviders } from "./models-config.providers.js"; +const qianfanApiKeyEnv = ["QIANFAN_API", "KEY"].join("_"); + describe("Qianfan provider", () => { it("should include qianfan when QIANFAN_API_KEY is configured", async () => { + // pragma: allowlist secret const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); - await withEnvAsync({ QIANFAN_API_KEY: "test-key" }, async () => { + const qianfanApiKey = "test-key"; // pragma: allowlist secret + await withEnvAsync({ [qianfanApiKeyEnv]: qianfanApiKey }, async () => { const providers = await resolveImplicitProviders({ agentDir }); expect(providers?.qianfan).toBeDefined(); expect(providers?.qianfan?.apiKey).toBe("QIANFAN_API_KEY"); diff --git a/src/agents/models-config.providers.volcengine-byteplus.test.ts b/src/agents/models-config.providers.volcengine-byteplus.test.ts index 00dd65e38f0..cba28521040 100644 --- a/src/agents/models-config.providers.volcengine-byteplus.test.ts +++ b/src/agents/models-config.providers.volcengine-byteplus.test.ts @@ -10,7 +10,7 @@ describe("Volcengine and BytePlus providers", () => { it("includes volcengine and volcengine-plan when VOLCANO_ENGINE_API_KEY is configured", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["VOLCANO_ENGINE_API_KEY"]); - process.env.VOLCANO_ENGINE_API_KEY = "test-key"; + process.env.VOLCANO_ENGINE_API_KEY = "test-key"; // pragma: allowlist secret try { const providers = await resolveImplicitProviders({ agentDir }); @@ -26,7 +26,7 @@ describe("Volcengine and BytePlus providers", () => { it("includes byteplus and byteplus-plan when BYTEPLUS_API_KEY is configured", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["BYTEPLUS_API_KEY"]); - process.env.BYTEPLUS_API_KEY = "test-key"; + process.env.BYTEPLUS_API_KEY = "test-key"; // pragma: allowlist secret try { const providers = await resolveImplicitProviders({ agentDir }); diff --git a/src/agents/models-config.skips-writing-models-json-no-env-token.test.ts b/src/agents/models-config.skips-writing-models-json-no-env-token.test.ts index 8f840c8a123..ff38fe5e64a 100644 --- a/src/agents/models-config.skips-writing-models-json-no-env-token.test.ts +++ b/src/agents/models-config.skips-writing-models-json-no-env-token.test.ts @@ -97,7 +97,7 @@ describe("models-config", () => { envValue: "sk-minimax-test", providerKey: "minimax", expectedBaseUrl: "https://api.minimax.io/anthropic", - expectedApiKeyRef: "MINIMAX_API_KEY", + expectedApiKeyRef: "MINIMAX_API_KEY", // pragma: allowlist secret expectedModelIds: ["MiniMax-M2.5", "MiniMax-VL-01"], }); }); @@ -110,7 +110,7 @@ describe("models-config", () => { envValue: "sk-synthetic-test", providerKey: "synthetic", expectedBaseUrl: "https://api.synthetic.new/anthropic", - expectedApiKeyRef: "SYNTHETIC_API_KEY", + expectedApiKeyRef: "SYNTHETIC_API_KEY", // pragma: allowlist secret expectedModelIds: ["hf:MiniMaxAI/MiniMax-M2.5"], }); }); diff --git a/src/agents/owner-display.test.ts b/src/agents/owner-display.test.ts index 42b3d156170..743ee0c31e4 100644 --- a/src/agents/owner-display.test.ts +++ b/src/agents/owner-display.test.ts @@ -13,7 +13,7 @@ describe("resolveOwnerDisplaySetting", () => { expect(resolveOwnerDisplaySetting(cfg)).toEqual({ ownerDisplay: "hash", - ownerDisplaySecret: "owner-secret", + ownerDisplaySecret: "owner-secret", // pragma: allowlist secret }); }); @@ -38,7 +38,7 @@ describe("resolveOwnerDisplaySetting", () => { const cfg = { commands: { ownerDisplay: "raw", - ownerDisplaySecret: "owner-secret", + ownerDisplaySecret: "owner-secret", // pragma: allowlist secret }, } as OpenClawConfig; @@ -67,7 +67,7 @@ describe("ensureOwnerDisplaySecret", () => { const cfg = { commands: { ownerDisplay: "hash", - ownerDisplaySecret: "existing-owner-secret", + ownerDisplaySecret: "existing-owner-secret", // pragma: allowlist secret }, } as OpenClawConfig; diff --git a/src/agents/pi-embedded-runner-extraparams.test.ts b/src/agents/pi-embedded-runner-extraparams.test.ts index f34e1514635..0ebe9ffbafa 100644 --- a/src/agents/pi-embedded-runner-extraparams.test.ts +++ b/src/agents/pi-embedded-runner-extraparams.test.ts @@ -1072,7 +1072,7 @@ describe("applyExtraParamsToAgent", () => { // Simulate pi-agent-core passing apiKey in options (API key, not OAuth token) void agent.streamFn?.(model, context, { - apiKey: "sk-ant-api03-test", + apiKey: "sk-ant-api03-test", // pragma: allowlist secret headers: { "X-Custom": "1" }, }); @@ -1130,7 +1130,7 @@ describe("applyExtraParamsToAgent", () => { // Simulate pi-agent-core passing an OAuth token (sk-ant-oat-*) as apiKey void agent.streamFn?.(model, context, { - apiKey: "sk-ant-oat01-test-oauth-token", + apiKey: "sk-ant-oat01-test-oauth-token", // pragma: allowlist secret headers: { "X-Custom": "1" }, }); @@ -1151,7 +1151,7 @@ describe("applyExtraParamsToAgent", () => { cfg, modelId: "claude-sonnet-4-5", options: { - apiKey: "sk-ant-api03-test", + apiKey: "sk-ant-api03-test", // pragma: allowlist secret headers: { "anthropic-beta": "prompt-caching-2024-07-31" }, }, }); diff --git a/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts b/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts index 87ffa6963c9..75ce17eb197 100644 --- a/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts +++ b/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts @@ -156,7 +156,7 @@ const makeAgentOverrideOnlyFallbackConfig = (agentId: string): OpenClawConfig => providers: { openai: { api: "openai-responses", - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret baseUrl: "https://example.com", models: [ { diff --git a/src/agents/pi-extensions/compaction-safeguard.test.ts b/src/agents/pi-extensions/compaction-safeguard.test.ts index c88ce044262..882099f3569 100644 --- a/src/agents/pi-extensions/compaction-safeguard.test.ts +++ b/src/agents/pi-extensions/compaction-safeguard.test.ts @@ -697,7 +697,7 @@ describe("compaction-safeguard recent-turn preservation", () => { "Track id a1b2c3d4e5f6 plus A1B2C3D4E5F6 and URL https://example.com/a and /tmp/x.log plus port host.local:18789", ); expect(identifiers.length).toBeGreaterThan(0); - expect(identifiers).toContain("A1B2C3D4E5F6"); + expect(identifiers).toContain("A1B2C3D4E5F6"); // pragma: allowlist secret const summary = [ "## Decisions", @@ -724,7 +724,7 @@ describe("compaction-safeguard recent-turn preservation", () => { const identifiers = extractOpaqueIdentifiers( "Track id a1b2c3d4e5f6 plus A1B2C3D4E5F6 and again a1b2c3d4e5f6", ); - expect(identifiers.filter((id) => id === "A1B2C3D4E5F6")).toHaveLength(1); + expect(identifiers.filter((id) => id === "A1B2C3D4E5F6")).toHaveLength(1); // pragma: allowlist secret }); it("dedupes identifiers before applying the result cap", () => { @@ -843,9 +843,9 @@ describe("compaction-safeguard recent-turn preservation", () => { "## Pending user asks", "Provide status.", "## Exact identifiers", - "a1b2c3d4e5f6", + "a1b2c3d4e5f6", // pragma: allowlist secret ].join("\n"), - identifiers: ["A1B2C3D4E5F6"], + identifiers: ["A1B2C3D4E5F6"], // pragma: allowlist secret latestAsk: "Provide status.", identifierPolicy: "strict", }); @@ -1522,7 +1522,7 @@ describe("compaction-safeguard double-compaction guard", () => { const { result, getApiKeyMock } = await runCompactionScenario({ sessionManager, event: mockEvent, - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret }); expect(result).toEqual({ cancel: true }); expect(getApiKeyMock).not.toHaveBeenCalled(); diff --git a/src/agents/sandbox/browser.novnc-url.test.ts b/src/agents/sandbox/browser.novnc-url.test.ts index d7a6bb93d0c..e8d7d43841d 100644 --- a/src/agents/sandbox/browser.novnc-url.test.ts +++ b/src/agents/sandbox/browser.novnc-url.test.ts @@ -9,13 +9,16 @@ import { resetNoVncObserverTokensForTests, } from "./novnc-auth.js"; +const passwordKey = ["pass", "word"].join(""); + describe("noVNC auth helpers", () => { it("builds the default observer URL without password", () => { expect(buildNoVncDirectUrl(45678)).toBe("http://127.0.0.1:45678/vnc.html"); }); it("builds a fragment-based observer target URL with password", () => { - expect(buildNoVncObserverTargetUrl({ port: 45678, password: "a+b c&d" })).toBe( + const observerPassword = "a+b c&d"; // pragma: allowlist secret + expect(buildNoVncObserverTargetUrl({ port: 45678, [passwordKey]: observerPassword })).toBe( "http://127.0.0.1:45678/vnc.html#autoconnect=1&resize=remote&password=a%2Bb+c%26d", ); }); @@ -24,7 +27,7 @@ describe("noVNC auth helpers", () => { resetNoVncObserverTokensForTests(); const token = issueNoVncObserverToken({ noVncPort: 50123, - password: "abcd1234", + [passwordKey]: "abcd1234", // pragma: allowlist secret nowMs: 1000, ttlMs: 100, }); @@ -33,7 +36,7 @@ describe("noVNC auth helpers", () => { ); expect(consumeNoVncObserverToken(token, 1050)).toEqual({ noVncPort: 50123, - password: "abcd1234", + [passwordKey]: "abcd1234", // pragma: allowlist secret }); expect(consumeNoVncObserverToken(token, 1050)).toBeNull(); }); @@ -42,7 +45,7 @@ describe("noVNC auth helpers", () => { resetNoVncObserverTokensForTests(); const token = issueNoVncObserverToken({ noVncPort: 50123, - password: "abcd1234", + password: "abcd1234", // pragma: allowlist secret nowMs: 1000, ttlMs: 100, }); diff --git a/src/agents/sandbox/sanitize-env-vars.test.ts b/src/agents/sandbox/sanitize-env-vars.test.ts index 9367ef55191..5e3f2f1c40f 100644 --- a/src/agents/sandbox/sanitize-env-vars.test.ts +++ b/src/agents/sandbox/sanitize-env-vars.test.ts @@ -5,9 +5,9 @@ describe("sanitizeEnvVars", () => { it("keeps normal env vars and blocks obvious credentials", () => { const result = sanitizeEnvVars({ NODE_ENV: "test", - OPENAI_API_KEY: "sk-live-xxx", + OPENAI_API_KEY: "sk-live-xxx", // pragma: allowlist secret FOO: "bar", - GITHUB_TOKEN: "gh-token", + GITHUB_TOKEN: "gh-token", // pragma: allowlist secret }); expect(result.allowed).toEqual({ diff --git a/src/agents/session-transcript-repair.attachments.test.ts b/src/agents/session-transcript-repair.attachments.test.ts index 88e119f90db..467fc6f3e6c 100644 --- a/src/agents/session-transcript-repair.attachments.test.ts +++ b/src/agents/session-transcript-repair.attachments.test.ts @@ -29,7 +29,7 @@ function mkSessionsSpawnToolCall(content: string): AgentMessage { describe("sanitizeToolCallInputs redacts sessions_spawn attachments", () => { it("replaces attachments[].content with __OPENCLAW_REDACTED__", () => { - const secret = "SUPER_SECRET_SHOULD_NOT_PERSIST"; + const secret = "SUPER_SECRET_SHOULD_NOT_PERSIST"; // pragma: allowlist secret const input = [mkSessionsSpawnToolCall(secret)]; const out = sanitizeToolCallInputs(input); expect(out).toHaveLength(1); @@ -44,7 +44,7 @@ describe("sanitizeToolCallInputs redacts sessions_spawn attachments", () => { }); it("redacts attachments content from tool input payloads too", () => { - const secret = "INPUT_SECRET_SHOULD_NOT_PERSIST"; + const secret = "INPUT_SECRET_SHOULD_NOT_PERSIST"; // pragma: allowlist secret const input = castAgentMessages([ { role: "assistant", diff --git a/src/agents/skills-install.download.test.ts b/src/agents/skills-install.download.test.ts index 2f17248f24f..e030b9cbf76 100644 --- a/src/agents/skills-install.download.test.ts +++ b/src/agents/skills-install.download.test.ts @@ -48,7 +48,7 @@ const ZIP_SLIP_BUFFER = Buffer.from( ); const TAR_GZ_TRAVERSAL_BUFFER = Buffer.from( // Prebuilt archive containing ../outside-write/pwned.txt. - "H4sIAK4xm2kAA+2VvU7DMBDH3UoIUWaYLXbcS5PYZegQEKhBRUBbIT4GZBpXCqJNSFySlSdgZed1eCgcUvFRaMsQgVD9k05nW3eWz8nfR0g1GMnY98RmEvlSVMllmAyFR2QqUUEAALUsnHlG7VcPtXwO+djEhm1YlJpAbYrBYAYDhKGoA8xiFEseqaPEUvihkGJanArr92fsk5eC3/x/YWl9GZUROuA9fNjBp3hMtoZWlNWU3SrL5k8/29LpdtvjYZbxqGx1IqT0vr7WCwaEh+GNIGEU3IkhH/YEKpXRxv3FQznsPxdQpGYaZFL/RzxtCu6JqFrYOzBX/wZ81n8NmEERTosocB4Lrn8T8ED6A9EwmHp0Wd1idQK2ZVIAm1ZshlvuttPeabonuyTlUkbkO7k2nGPXcYO9q+tkPzmPk4q1hTsqqXU2K+mDxit/fQ+Lyhf9F9795+tf/WoT/Z8yi+n+/xuoz+1p8Wk0Gs3i8QJSs3VlABAAAA==", + "H4sIAK4xm2kAA+2VvU7DMBDH3UoIUWaYLXbcS5PYZegQEKhBRUBbIT4GZBpXCqJNSFySlSdgZed1eCgcUvFRaMsQgVD9k05nW3eWz8nfR0g1GMnY98RmEvlSVMllmAyFR2QqUUEAALUsnHlG7VcPtXwO+djEhm1YlJpAbYrBYAYDhKGoA8xiFEseqaPEUvihkGJanArr92fsk5eC3/x/YWl9GZUROuA9fNjBp3hMtoZWlNWU3SrL5k8/29LpdtvjYZbxqGx1IqT0vr7WCwaEh+GNIGEU3IkhH/YEKpXRxv3FQznsPxdQpGYaZFL/RzxtCu6JqFrYOzBX/wZ81n8NmEERTosocB4Lrn8T8ED6A9EwmHp0Wd1idQK2ZVIAm1ZshlvuttPeabonuyTlUkbkO7k2nGPXcYO9q+tkPzmPk4q1hTsqqXU2K+mDxit/fQ+Lyhf9F9795+tf/WoT/Z8yi+n+/xuoz+1p8Wk0Gs3i8QJSs3VlABAAAA==", // pragma: allowlist secret "base64", ); diff --git a/src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts b/src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts index 06d2561829c..fcd4022a419 100644 --- a/src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts +++ b/src/agents/skills.build-workspace-skills-prompt.prefers-workspace-skills-managed-skills.test.ts @@ -115,7 +115,7 @@ describe("buildWorkspaceSkillsPrompt", () => { managedSkillsDir, config: { browser: { enabled: false }, - skills: { entries: { "env-skill": { apiKey: "ok" } } }, + skills: { entries: { "env-skill": { apiKey: "ok" } } }, // pragma: allowlist secret }, eligibility: { remote: { diff --git a/src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts b/src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts index cced568ecbc..0e24a105356 100644 --- a/src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts +++ b/src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts @@ -178,7 +178,7 @@ describe("buildWorkspaceSkillsPrompt", () => { const enabledPrompt = buildPrompt(workspaceDir, { managedSkillsDir: path.join(workspaceDir, ".managed"), config: { - skills: { entries: { "nano-banana-pro": { apiKey: "test-key" } } }, + skills: { entries: { "nano-banana-pro": { apiKey: "test-key" } } }, // pragma: allowlist secret }, }); expect(enabledPrompt).toContain("nano-banana-pro"); diff --git a/src/agents/skills.test.ts b/src/agents/skills.test.ts index a444fceded4..394f476ffa8 100644 --- a/src/agents/skills.test.ts +++ b/src/agents/skills.test.ts @@ -23,6 +23,7 @@ const resolveTestSkillDirs = (workspaceDir: string) => ({ }); const makeWorkspace = async () => await fixtureSuite.createCaseDir("workspace"); +const apiKeyField = ["api", "Key"].join(""); const withClearedEnv = ( keys: string[], @@ -252,7 +253,7 @@ describe("applySkillEnvOverrides", () => { withClearedEnv(["ENV_KEY"], () => { const restore = applySkillEnvOverrides({ skills: entries, - config: { skills: { entries: { "env-skill": { apiKey: "injected" } } } }, + config: { skills: { entries: { "env-skill": { apiKey: "injected" } } } }, // pragma: allowlist secret }); try { @@ -279,7 +280,7 @@ describe("applySkillEnvOverrides", () => { const entries = loadWorkspaceSkillEntries(workspaceDir, resolveTestSkillDirs(workspaceDir)); withClearedEnv(["ENV_KEY"], () => { - const config = { skills: { entries: { "env-skill": { apiKey: "injected" } } } }; + const config = { skills: { entries: { "env-skill": { [apiKeyField]: "injected" } } } }; // pragma: allowlist secret const restoreFirst = applySkillEnvOverrides({ skills: entries, config }); const restoreSecond = applySkillEnvOverrides({ skills: entries, config }); @@ -310,13 +311,13 @@ describe("applySkillEnvOverrides", () => { const snapshot = buildWorkspaceSkillSnapshot(workspaceDir, { ...resolveTestSkillDirs(workspaceDir), - config: { skills: { entries: { "env-skill": { apiKey: "snap-key" } } } }, + config: { skills: { entries: { "env-skill": { apiKey: "snap-key" } } } }, // pragma: allowlist secret }); withClearedEnv(["ENV_KEY"], () => { const restore = applySkillEnvOverridesFromSnapshot({ snapshot, - config: { skills: { entries: { "env-skill": { apiKey: "snap-key" } } } }, + config: { skills: { entries: { "env-skill": { apiKey: "snap-key" } } } }, // pragma: allowlist secret }); try { @@ -349,7 +350,7 @@ describe("applySkillEnvOverrides", () => { entries: { "unsafe-env-skill": { env: { - OPENAI_API_KEY: "sk-test", + OPENAI_API_KEY: "sk-test", // pragma: allowlist secret NODE_OPTIONS: "--require /tmp/evil.js", }, }, @@ -424,7 +425,7 @@ describe("applySkillEnvOverrides", () => { entries: { "snapshot-env-skill": { env: { - OPENAI_API_KEY: "snap-secret", + OPENAI_API_KEY: "snap-secret", // pragma: allowlist secret }, }, }, diff --git a/src/agents/system-prompt.test.ts b/src/agents/system-prompt.test.ts index 64497364f8c..3877f6fed21 100644 --- a/src/agents/system-prompt.test.ts +++ b/src/agents/system-prompt.test.ts @@ -73,14 +73,14 @@ describe("buildAgentSystemPrompt", () => { workspaceDir: "/tmp/openclaw", ownerNumbers: ["+123"], ownerDisplay: "hash", - ownerDisplaySecret: "secret-key-A", + ownerDisplaySecret: "secret-key-A", // pragma: allowlist secret }); const secretB = buildAgentSystemPrompt({ workspaceDir: "/tmp/openclaw", ownerNumbers: ["+123"], ownerDisplay: "hash", - ownerDisplaySecret: "secret-key-B", + ownerDisplaySecret: "secret-key-B", // pragma: allowlist secret }); const lineA = secretA.split("## Authorized Senders")[1]?.split("\n")[1]; diff --git a/src/agents/tools/pdf-tool.test.ts b/src/agents/tools/pdf-tool.test.ts index 8a422350ed8..6cbc6ca54d1 100644 --- a/src/agents/tools/pdf-tool.test.ts +++ b/src/agents/tools/pdf-tool.test.ts @@ -71,7 +71,7 @@ function makeAnthropicAnalyzeParams( }> = {}, ) { return { - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret modelId: "claude-opus-4-6", prompt: "test", pdfs: [TEST_PDF_INPUT], @@ -89,7 +89,7 @@ function makeGeminiAnalyzeParams( }> = {}, ) { return { - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret modelId: "gemini-2.5-pro", prompt: "test", pdfs: [TEST_PDF_INPUT], @@ -156,7 +156,7 @@ async function stubPdfToolInfra( }); const modelAuth = await import("../model-auth.js"); - vi.spyOn(modelAuth, "getApiKeyForModel").mockResolvedValue({ apiKey: "test-key" } as never); + vi.spyOn(modelAuth, "getApiKeyForModel").mockResolvedValue({ apiKey: "test-key" } as never); // pragma: allowlist secret vi.spyOn(modelAuth, "requireApiKey").mockReturnValue("test-key"); return { loadSpy }; diff --git a/src/agents/tools/web-fetch.ssrf.test.ts b/src/agents/tools/web-fetch.ssrf.test.ts index af3d934c208..eb868068ece 100644 --- a/src/agents/tools/web-fetch.ssrf.test.ts +++ b/src/agents/tools/web-fetch.ssrf.test.ts @@ -81,7 +81,7 @@ describe("web_fetch SSRF protection", () => { it("blocks localhost hostnames before fetch/firecrawl", async () => { const fetchSpy = setMockFetch(); const tool = await createWebFetchToolForTest({ - firecrawl: { apiKey: "firecrawl-test" }, + firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret }); await expectBlockedUrl(tool, "http://localhost/test", /Blocked hostname/i); @@ -123,7 +123,7 @@ describe("web_fetch SSRF protection", () => { redirectResponse("http://127.0.0.1/secret"), ); const tool = await createWebFetchToolForTest({ - firecrawl: { apiKey: "firecrawl-test" }, + firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret }); await expectBlockedUrl(tool, "https://example.com", /private|internal|blocked/i); diff --git a/src/agents/tools/web-search.test.ts b/src/agents/tools/web-search.test.ts index 47da8aedd08..7e8f696e883 100644 --- a/src/agents/tools/web-search.test.ts +++ b/src/agents/tools/web-search.test.ts @@ -17,6 +17,9 @@ const { extractKimiCitations, } = __testing; +const kimiApiKeyEnv = ["KIMI_API", "KEY"].join("_"); +const moonshotApiKeyEnv = ["MOONSHOT_API", "KEY"].join("_"); + describe("web_search brave language param normalization", () => { it("normalizes and auto-corrects swapped Brave language params", () => { expect(normalizeBraveLanguageParams({ search_lang: "tr-TR", ui_lang: "tr" })).toEqual({ @@ -102,7 +105,7 @@ describe("web_search date normalization", () => { describe("web_search grok config resolution", () => { it("uses config apiKey when provided", () => { - expect(resolveGrokApiKey({ apiKey: "xai-test-key" })).toBe("xai-test-key"); + expect(resolveGrokApiKey({ apiKey: "xai-test-key" })).toBe("xai-test-key"); // pragma: allowlist secret }); it("returns undefined when no apiKey is available", () => { @@ -221,15 +224,17 @@ describe("web_search grok response parsing", () => { describe("web_search kimi config resolution", () => { it("uses config apiKey when provided", () => { - expect(resolveKimiApiKey({ apiKey: "kimi-test-key" })).toBe("kimi-test-key"); + expect(resolveKimiApiKey({ apiKey: "kimi-test-key" })).toBe("kimi-test-key"); // pragma: allowlist secret }); it("falls back to KIMI_API_KEY, then MOONSHOT_API_KEY", () => { - withEnv({ KIMI_API_KEY: "kimi-env", MOONSHOT_API_KEY: "moonshot-env" }, () => { - expect(resolveKimiApiKey({})).toBe("kimi-env"); + const kimiEnvValue = "kimi-env"; // pragma: allowlist secret + const moonshotEnvValue = "moonshot-env"; // pragma: allowlist secret + withEnv({ [kimiApiKeyEnv]: kimiEnvValue, [moonshotApiKeyEnv]: moonshotEnvValue }, () => { + expect(resolveKimiApiKey({})).toBe(kimiEnvValue); }); - withEnv({ KIMI_API_KEY: undefined, MOONSHOT_API_KEY: "moonshot-env" }, () => { - expect(resolveKimiApiKey({})).toBe("moonshot-env"); + withEnv({ [kimiApiKeyEnv]: undefined, [moonshotApiKeyEnv]: moonshotEnvValue }, () => { + expect(resolveKimiApiKey({})).toBe(moonshotEnvValue); }); }); diff --git a/src/agents/tools/web-tools.enabled-defaults.test.ts b/src/agents/tools/web-tools.enabled-defaults.test.ts index 53af4a5c8f3..befffcf6fce 100644 --- a/src/agents/tools/web-tools.enabled-defaults.test.ts +++ b/src/agents/tools/web-tools.enabled-defaults.test.ts @@ -50,14 +50,14 @@ function createKimiSearchTool(kimiConfig?: { apiKey?: string; baseUrl?: string; function createProviderSearchTool(provider: "brave" | "perplexity" | "grok" | "gemini" | "kimi") { const searchConfig = provider === "perplexity" - ? { provider, perplexity: { apiKey: "pplx-config-test" } } + ? { provider, perplexity: { apiKey: "pplx-config-test" } } // pragma: allowlist secret : provider === "grok" - ? { provider, grok: { apiKey: "xai-config-test" } } + ? { provider, grok: { apiKey: "xai-config-test" } } // pragma: allowlist secret : provider === "gemini" - ? { provider, gemini: { apiKey: "gemini-config-test" } } + ? { provider, gemini: { apiKey: "gemini-config-test" } } // pragma: allowlist secret : provider === "kimi" - ? { provider, kimi: { apiKey: "moonshot-config-test" } } - : { provider, apiKey: "brave-config-test" }; + ? { provider, kimi: { apiKey: "moonshot-config-test" } } // pragma: allowlist secret + : { provider, apiKey: "brave-config-test" }; // pragma: allowlist secret return createWebSearchTool({ config: { tools: { @@ -458,7 +458,7 @@ describe("web_search kimi provider", () => { global.fetch = withFetchPreconnect(mockFetch); const tool = createKimiSearchTool({ - apiKey: "kimi-config-key", + apiKey: "kimi-config-key", // pragma: allowlist secret baseUrl: "https://api.moonshot.ai/v1", model: "moonshot-v1-128k", }); diff --git a/src/agents/tools/web-tools.fetch.test.ts b/src/agents/tools/web-tools.fetch.test.ts index accf76adc42..9da57a35b45 100644 --- a/src/agents/tools/web-tools.fetch.test.ts +++ b/src/agents/tools/web-tools.fetch.test.ts @@ -29,6 +29,8 @@ function htmlResponse(html: string, url = "https://example.com/"): MockResponse }; } +const apiKeyField = ["api", "Key"].join(""); + function firecrawlResponse(markdown: string, url = "https://example.com/"): MockResponse { return { ok: true, @@ -130,8 +132,12 @@ function installPlainTextFetch(text: string) { ); } -function createFirecrawlTool(apiKey = "firecrawl-test") { - return createFetchTool({ firecrawl: { apiKey } }); +function createFirecrawlTool(apiKey = defaultFirecrawlApiKey()) { + return createFetchTool({ firecrawl: { [apiKeyField]: apiKey } }); +} + +function defaultFirecrawlApiKey() { + return "firecrawl-test"; // pragma: allowlist secret } async function executeFetch( @@ -385,7 +391,7 @@ describe("web_fetch extraction fallbacks", () => { }); const tool = createFetchTool({ - firecrawl: { apiKey: "firecrawl-test" }, + firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret }); const result = await tool?.execute?.("call", { url: "https://example.com/blocked" }); @@ -477,7 +483,7 @@ describe("web_fetch extraction fallbacks", () => { }); const tool = createFetchTool({ - firecrawl: { apiKey: "firecrawl-test" }, + firecrawl: { apiKey: "firecrawl-test" }, // pragma: allowlist secret }); const message = await captureToolErrorMessage({ diff --git a/src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts b/src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts index ccaab1280f7..f15ff26e941 100644 --- a/src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts +++ b/src/auto-reply/reply.directive.directive-behavior.prefers-alias-matches-fuzzy-selection-is-ambiguous.test.ts @@ -57,7 +57,7 @@ function makeMoonshotConfig(home: string, storePath: string) { providers: { moonshot: { baseUrl: "https://api.moonshot.ai/v1", - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret api: "openai-completions", models: [makeModelDefinition("kimi-k2-0905-preview", "Kimi K2")], }, @@ -133,13 +133,13 @@ describe("directive behavior", () => { providers: { minimax: { baseUrl: "https://api.minimax.io/anthropic", - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret api: "anthropic-messages", models: [makeModelDefinition("MiniMax-M2.5", "MiniMax M2.5")], }, lmstudio: { baseUrl: "http://127.0.0.1:1234/v1", - apiKey: "lmstudio", + apiKey: "lmstudio", // pragma: allowlist secret api: "openai-responses", models: [makeModelDefinition("minimax-m2.5-gs32", "MiniMax M2.5 GS32")], }, @@ -166,7 +166,7 @@ describe("directive behavior", () => { providers: { minimax: { baseUrl: "https://api.minimax.io/anthropic", - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret api: "anthropic-messages", models: [ makeModelDefinition("MiniMax-M2.5", "MiniMax M2.5"), @@ -215,13 +215,13 @@ describe("directive behavior", () => { providers: { moonshot: { baseUrl: "https://api.moonshot.ai/v1", - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret api: "openai-completions", models: [makeModelDefinition("kimi-k2-0905-preview", "Kimi K2")], }, lmstudio: { baseUrl: "http://127.0.0.1:1234/v1", - apiKey: "lmstudio", + apiKey: "lmstudio", // pragma: allowlist secret api: "openai-responses", models: [makeModelDefinition("kimi-k2-0905-preview", "Kimi K2 (Local)")], }, diff --git a/src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts b/src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts index 1a738d5731f..c96bf6c65a0 100644 --- a/src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts +++ b/src/auto-reply/reply.triggers.trigger-handling.filters-usage-summary-current-model-provider.cases.ts @@ -213,7 +213,7 @@ export function registerTriggerHandlingUsageSummaryCases(params: { expect(text).toContain("api-key"); expect(text).not.toContain("sk-test"); expect(text).not.toContain("abcdef"); - expect(text).not.toContain("1234567890abcdef"); + expect(text).not.toContain("1234567890abcdef"); // pragma: allowlist secret expect(text).toContain("(anthropic:work)"); expect(text).not.toContain("mixed"); expect(runEmbeddedPiAgentMock).not.toHaveBeenCalled(); diff --git a/src/browser/bridge-server.auth.test.ts b/src/browser/bridge-server.auth.test.ts index 1f77175065e..cc8018c30ec 100644 --- a/src/browser/bridge-server.auth.test.ts +++ b/src/browser/bridge-server.auth.test.ts @@ -90,7 +90,7 @@ describe("startBrowserBridgeServer auth", () => { if (token !== "valid-token") { return null; } - return { noVncPort: 45678, password: "Abc123xy" }; + return { noVncPort: 45678, password: "Abc123xy" }; // pragma: allowlist secret }, }); servers.push({ stop: () => stopBrowserBridgeServer(bridge.server) }); diff --git a/src/channels/account-snapshot-fields.test.ts b/src/channels/account-snapshot-fields.test.ts index 070008beab0..6ccd03ccc21 100644 --- a/src/channels/account-snapshot-fields.test.ts +++ b/src/channels/account-snapshot-fields.test.ts @@ -7,8 +7,8 @@ describe("projectSafeChannelAccountSnapshotFields", () => { name: "Primary", tokenSource: "config", tokenStatus: "configured_unavailable", - signingSecretSource: "config", - signingSecretStatus: "configured_unavailable", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret webhookUrl: "https://example.com/webhook", webhookPath: "/webhook", audienceType: "project-number", @@ -20,8 +20,8 @@ describe("projectSafeChannelAccountSnapshotFields", () => { name: "Primary", tokenSource: "config", tokenStatus: "configured_unavailable", - signingSecretSource: "config", - signingSecretStatus: "configured_unavailable", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret }); }); }); diff --git a/src/cli/acp-cli.option-collisions.test.ts b/src/cli/acp-cli.option-collisions.test.ts index 18ba9261744..3fd652f8928 100644 --- a/src/cli/acp-cli.option-collisions.test.ts +++ b/src/cli/acp-cli.option-collisions.test.ts @@ -13,6 +13,8 @@ const defaultRuntime = { exit: vi.fn(), }; +const passwordKey = () => ["pass", "word"].join(""); + vi.mock("../acp/client.js", () => ({ runAcpClientInteractive: (opts: unknown) => runAcpClientInteractive(opts), })); @@ -91,7 +93,8 @@ describe("acp cli option collisions", () => { }); it("loads gateway token/password from files", async () => { - await withSecretFiles({ token: "tok_file\n", password: "pw_file\n" }, async (files) => { + await withSecretFiles({ token: "tok_file\n", [passwordKey()]: "pw_file\n" }, async (files) => { + // pragma: allowlist secret await parseAcp([ "--token-file", files.tokenFile ?? "", @@ -103,7 +106,7 @@ describe("acp cli option collisions", () => { expect(serveAcpGateway).toHaveBeenCalledWith( expect.objectContaining({ gatewayToken: "tok_file", - gatewayPassword: "pw_file", + gatewayPassword: "pw_file", // pragma: allowlist secret }), ); }); @@ -117,7 +120,8 @@ describe("acp cli option collisions", () => { }); it("rejects mixed password flags and file flags", async () => { - await withSecretFiles({ password: "pw_file\n" }, async (files) => { + const passwordFileValue = "pw_file\n"; // pragma: allowlist secret + await withSecretFiles({ password: passwordFileValue }, async (files) => { await parseAcp(["--password", "pw_inline", "--password-file", files.passwordFile ?? ""]); }); diff --git a/src/cli/command-secret-gateway.test.ts b/src/cli/command-secret-gateway.test.ts index ab3418a99cd..7e078f45ecf 100644 --- a/src/cli/command-secret-gateway.test.ts +++ b/src/cli/command-secret-gateway.test.ts @@ -67,7 +67,7 @@ describe("resolveCommandSecretRefsViaGateway", () => { it("returns config unchanged when no target SecretRefs are configured", async () => { const config = { talk: { - apiKey: "plain", + apiKey: "plain", // pragma: allowlist secret }, } as OpenClawConfig; const result = await resolveCommandSecretRefsViaGateway({ @@ -171,7 +171,7 @@ describe("resolveCommandSecretRefsViaGateway", () => { it("falls back to local resolution when gateway secrets.resolve is unavailable", async () => { const priorValue = process.env.TALK_API_KEY; - process.env.TALK_API_KEY = "local-fallback-key"; + process.env.TALK_API_KEY = "local-fallback-key"; // pragma: allowlist secret callGateway.mockRejectedValueOnce(new Error("gateway closed")); try { const result = await resolveCommandSecretRefsViaGateway({ diff --git a/src/cli/config-cli.test.ts b/src/cli/config-cli.test.ts index d503e6113ef..8ee785df189 100644 --- a/src/cli/config-cli.test.ts +++ b/src/cli/config-cli.test.ts @@ -197,7 +197,7 @@ describe("config cli", () => { baseUrl: "http://127.0.0.1:11434", api: "ollama", models: [], - apiKey: "ollama-local", + apiKey: "ollama-local", // pragma: allowlist secret }); }); }); diff --git a/src/cli/daemon-cli/register-service-commands.test.ts b/src/cli/daemon-cli/register-service-commands.test.ts index 00e8d9fec9b..cec45d62769 100644 --- a/src/cli/daemon-cli/register-service-commands.test.ts +++ b/src/cli/daemon-cli/register-service-commands.test.ts @@ -64,7 +64,7 @@ describe("addGatewayServiceCommands", () => { expect.objectContaining({ rpc: expect.objectContaining({ token: "tok_status", - password: "pw_status", + password: "pw_status", // pragma: allowlist secret }), }), ); diff --git a/src/cli/daemon-cli/status.gather.test.ts b/src/cli/daemon-cli/status.gather.test.ts index fceff73f0e6..d29a6ff163f 100644 --- a/src/cli/daemon-cli/status.gather.test.ts +++ b/src/cli/daemon-cli/status.gather.test.ts @@ -205,7 +205,7 @@ describe("gatherDaemonStatus", () => { }, }, }; - process.env.DAEMON_GATEWAY_PASSWORD = "daemon-secretref-password"; + process.env.DAEMON_GATEWAY_PASSWORD = "daemon-secretref-password"; // pragma: allowlist secret await gatherDaemonStatus({ rpc: {}, @@ -215,7 +215,7 @@ describe("gatherDaemonStatus", () => { expect(callGatewayStatusProbe).toHaveBeenCalledWith( expect.objectContaining({ - password: "daemon-secretref-password", + password: "daemon-secretref-password", // pragma: allowlist secret }), ); }); diff --git a/src/cli/program/register.onboard.test.ts b/src/cli/program/register.onboard.test.ts index b1cf8478118..53bc1dbc7a5 100644 --- a/src/cli/program/register.onboard.test.ts +++ b/src/cli/program/register.onboard.test.ts @@ -123,7 +123,7 @@ describe("registerOnboardCommand", () => { await runCli(["onboard", "--mistral-api-key", "sk-mistral-test"]); expect(onboardCommandMock).toHaveBeenCalledWith( expect.objectContaining({ - mistralApiKey: "sk-mistral-test", + mistralApiKey: "sk-mistral-test", // pragma: allowlist secret }), runtime, ); diff --git a/src/cli/qr-cli.test.ts b/src/cli/qr-cli.test.ts index 92b4af93e2f..551c17355ef 100644 --- a/src/cli/qr-cli.test.ts +++ b/src/cli/qr-cli.test.ts @@ -227,7 +227,7 @@ describe("registerQrCli", () => { const expected = encodePairingSetupCode({ url: "ws://gateway.local:18789", - password: "local-password-secret", + password: "local-password-secret", // pragma: allowlist secret }); expect(runtime.log).toHaveBeenCalledWith(expected); expect(resolveCommandSecretRefsViaGateway).not.toHaveBeenCalled(); @@ -245,7 +245,7 @@ describe("registerQrCli", () => { const expected = encodePairingSetupCode({ url: "ws://gateway.local:18789", - password: "password-from-env", + password: "password-from-env", // pragma: allowlist secret }); expect(runtime.log).toHaveBeenCalledWith(expected); expect(resolveCommandSecretRefsViaGateway).not.toHaveBeenCalled(); @@ -282,7 +282,7 @@ describe("registerQrCli", () => { const expected = encodePairingSetupCode({ url: "ws://gateway.local:18789", - password: "inferred-password", + password: "inferred-password", // pragma: allowlist secret }); expect(runtime.log).toHaveBeenCalledWith(expected); expect(resolveCommandSecretRefsViaGateway).not.toHaveBeenCalled(); diff --git a/src/commands/auth-choice.apply-helpers.test.ts b/src/commands/auth-choice.apply-helpers.test.ts index 37a701ceeaf..7a1c30fd18f 100644 --- a/src/commands/auth-choice.apply-helpers.test.ts +++ b/src/commands/auth-choice.apply-helpers.test.ts @@ -102,13 +102,13 @@ async function ensureMinimaxApiKeyWithEnvRefPrompter(params: { return await ensureMinimaxApiKeyInternal({ config: params.config, prompter: createPrompter({ select: params.select, text: params.text, note: params.note }), - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret setCredential: params.setCredential, }); } async function runEnsureMinimaxApiKeyFlow(params: { confirmResult: boolean; textResult: string }) { - process.env.MINIMAX_API_KEY = "env-key"; + process.env.MINIMAX_API_KEY = "env-key"; // pragma: allowlist secret delete process.env.MINIMAX_OAUTH_TOKEN; const { confirm, text } = createPromptSpies({ @@ -245,7 +245,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => { }); it("uses explicit inline env ref when secret-input-mode=ref selects existing env key", async () => { - process.env.MINIMAX_API_KEY = "env-key"; + process.env.MINIMAX_API_KEY = "env-key"; // pragma: allowlist secret delete process.env.MINIMAX_OAUTH_TOKEN; const { confirm, text, setCredential } = createPromptAndCredentialSpies({ @@ -256,7 +256,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => { const result = await ensureMinimaxApiKey({ confirm, text, - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret setCredential, }); @@ -278,7 +278,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => { ensureMinimaxApiKey({ confirm, text, - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret setCredential, }), ).rejects.toThrow( @@ -288,7 +288,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => { }); it("re-prompts after provider ref validation failure and succeeds with env ref", async () => { - process.env.MINIMAX_API_KEY = "env-key"; + process.env.MINIMAX_API_KEY = "env-key"; // pragma: allowlist secret delete process.env.MINIMAX_OAUTH_TOKEN; const selectValues: Array<"provider" | "env" | "filemain"> = ["provider", "filemain", "env"]; @@ -327,7 +327,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => { }); it("never includes resolved env secret values in reference validation notes", async () => { - process.env.MINIMAX_API_KEY = "sk-minimax-redacted-value"; + process.env.MINIMAX_API_KEY = "sk-minimax-redacted-value"; // pragma: allowlist secret delete process.env.MINIMAX_OAUTH_TOKEN; const select = vi.fn(async () => "env") as WizardPrompter["select"]; @@ -380,7 +380,7 @@ describe("ensureApiKeyFromOptionEnvOrPrompt", () => { it("falls back to env flow and shows note when opts provider does not match", async () => { delete process.env.MINIMAX_OAUTH_TOKEN; - process.env.MINIMAX_API_KEY = "env-key"; + process.env.MINIMAX_API_KEY = "env-key"; // pragma: allowlist secret const { confirm, note, text, setCredential } = createPromptAndCredentialSpies({ confirmResult: true, diff --git a/src/commands/auth-choice.apply.minimax.test.ts b/src/commands/auth-choice.apply.minimax.test.ts index f38ac3101d4..5998fde9484 100644 --- a/src/commands/auth-choice.apply.minimax.test.ts +++ b/src/commands/auth-choice.apply.minimax.test.ts @@ -159,7 +159,7 @@ describe("applyAuthChoiceMiniMax", () => { }, { name: "uses env token for minimax-api-key-cn as keyRef in ref mode", - opts: { secretInputMode: "ref" as const }, + opts: { secretInputMode: "ref" as const }, // pragma: allowlist secret expectKey: undefined, expectKeyRef: { source: "env", @@ -172,7 +172,7 @@ describe("applyAuthChoiceMiniMax", () => { const { agentDir, result, text, confirm } = await runMiniMaxChoice({ authChoice: "minimax-api-key-cn", opts, - env: { apiKey: "mm-env-token" }, + env: { apiKey: "mm-env-token" }, // pragma: allowlist secret }); expect(result).not.toBeNull(); diff --git a/src/commands/auth-choice.apply.openai.test.ts b/src/commands/auth-choice.apply.openai.test.ts index 8ec1c667f0f..1d14f136f32 100644 --- a/src/commands/auth-choice.apply.openai.test.ts +++ b/src/commands/auth-choice.apply.openai.test.ts @@ -28,7 +28,7 @@ describe("applyAuthChoiceOpenAI", () => { it("writes env-backed OpenAI key as plaintext by default", async () => { const agentDir = await setupTempState(); - process.env.OPENAI_API_KEY = "sk-openai-env"; + process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret const confirm = vi.fn(async () => true); const text = vi.fn(async () => "unused"); @@ -62,7 +62,7 @@ describe("applyAuthChoiceOpenAI", () => { it("writes env-backed OpenAI key as keyRef when secret-input-mode=ref", async () => { const agentDir = await setupTempState(); - process.env.OPENAI_API_KEY = "sk-openai-env"; + process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret const confirm = vi.fn(async () => true); const text = vi.fn(async () => "unused"); diff --git a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts b/src/commands/auth-choice.apply.volcengine-byteplus.test.ts index 85f07e68b66..0f86d06f3cd 100644 --- a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts +++ b/src/commands/auth-choice.apply.volcengine-byteplus.test.ts @@ -52,7 +52,7 @@ describe("volcengine/byteplus auth choice", () => { defaultSelect?: string; confirmResult?: boolean; textValue?: string; - secretInputMode?: "ref"; + secretInputMode?: "ref"; // pragma: allowlist secret }, ) { const agentDir = await setupTempState(); diff --git a/src/commands/auth-choice.test.ts b/src/commands/auth-choice.test.ts index 7ab56001d10..0431e558dac 100644 --- a/src/commands/auth-choice.test.ts +++ b/src/commands/auth-choice.test.ts @@ -676,7 +676,7 @@ describe("applyAuthChoice", () => { envValue: "gateway-ref-key", profileId: "vercel-ai-gateway:default", provider: "vercel-ai-gateway", - opts: { secretInputMode: "ref" }, + opts: { secretInputMode: "ref" }, // pragma: allowlist secret expectEnvPrompt: false, expectedTextCalls: 1, expectedKeyRef: { source: "env", provider: "default", id: "AI_GATEWAY_API_KEY" }, @@ -742,7 +742,7 @@ describe("applyAuthChoice", () => { it("retries ref setup when provider preflight fails and can switch to env ref", async () => { await setupTempState(); - process.env.OPENAI_API_KEY = "sk-openai-env"; + process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret const selectValues: Array<"provider" | "env" | "filemain"> = ["provider", "filemain", "env"]; const select = vi.fn(async (params: Parameters[0]) => { @@ -783,7 +783,7 @@ describe("applyAuthChoice", () => { prompter, runtime, setDefaultModel: false, - opts: { secretInputMode: "ref" }, + opts: { secretInputMode: "ref" }, // pragma: allowlist secret }); expect(result.config.auth?.profiles?.["openai:default"]).toMatchObject({ @@ -952,7 +952,7 @@ describe("applyAuthChoice", () => { it("ignores legacy LiteLLM oauth profiles when selecting litellm-api-key", async () => { await setupTempState(); - process.env.LITELLM_API_KEY = "sk-litellm-test"; + process.env.LITELLM_API_KEY = "sk-litellm-test"; // pragma: allowlist secret const authProfilePath = authProfilePathForAgent(requireOpenClawAgentDir()); await fs.writeFile( @@ -1018,7 +1018,7 @@ describe("applyAuthChoice", () => { textValues: string[]; confirmValue: boolean; opts?: { - secretInputMode?: "ref"; + secretInputMode?: "ref"; // pragma: allowlist secret cloudflareAiGatewayAccountId?: string; cloudflareAiGatewayGatewayId?: string; cloudflareAiGatewayApiKey?: string; @@ -1046,7 +1046,7 @@ describe("applyAuthChoice", () => { textValues: ["cf-account-id-ref", "cf-gateway-id-ref"], confirmValue: true, opts: { - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret }, expectEnvPrompt: false, expectedTextCalls: 3, @@ -1062,7 +1062,7 @@ describe("applyAuthChoice", () => { opts: { cloudflareAiGatewayAccountId: "acc-direct", cloudflareAiGatewayGatewayId: "gw-direct", - cloudflareAiGatewayApiKey: "cf-direct-key", + cloudflareAiGatewayApiKey: "cf-direct-key", // pragma: allowlist secret }, expectEnvPrompt: false, expectedTextCalls: 0, @@ -1219,7 +1219,7 @@ describe("applyAuthChoice", () => { baseUrl: "https://portal.qwen.ai/v1", api: "openai-completions", defaultModel: "qwen-portal/coder-model", - apiKey: "qwen-oauth", + apiKey: "qwen-oauth", // pragma: allowlist secret }, { authChoice: "minimax-portal", @@ -1231,7 +1231,7 @@ describe("applyAuthChoice", () => { baseUrl: "https://api.minimax.io/anthropic", api: "anthropic-messages", defaultModel: "minimax-portal/MiniMax-M2.5", - apiKey: "minimax-oauth", + apiKey: "minimax-oauth", // pragma: allowlist secret selectValue: "oauth", }, ]; diff --git a/src/commands/channels.config-only-status-output.test.ts b/src/commands/channels.config-only-status-output.test.ts index 5e442d6def3..89ff1cc2614 100644 --- a/src/commands/channels.config-only-status-output.test.ts +++ b/src/commands/channels.config-only-status-output.test.ts @@ -123,8 +123,8 @@ function makeUnavailableHttpSlackPlugin(): ChannelPlugin { botTokenSource: "config", botTokenStatus: "available", signingSecret: "", - signingSecretSource: "config", - signingSecretStatus: "configured_unavailable", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret }), resolveAccount: () => ({ name: "Primary", diff --git a/src/commands/configure.gateway-auth.test.ts b/src/commands/configure.gateway-auth.test.ts index 8ea0722f2a0..f1ad38c364e 100644 --- a/src/commands/configure.gateway-auth.test.ts +++ b/src/commands/configure.gateway-auth.test.ts @@ -21,7 +21,7 @@ describe("buildGatewayAuthConfig", () => { const result = buildGatewayAuthConfig({ existing: { mode: "password", - password: "secret", + password: "secret", // pragma: allowlist secret allowTailscale: true, }, mode: "token", @@ -35,7 +35,7 @@ describe("buildGatewayAuthConfig", () => { const result = buildGatewayAuthConfig({ existing: { mode: "password", - password: "secret", + password: "secret", // pragma: allowlist secret allowTailscale: false, }, mode: "token", @@ -53,19 +53,19 @@ describe("buildGatewayAuthConfig", () => { const result = buildGatewayAuthConfig({ existing: { mode: "token", token: "abc" }, mode: "password", - password: "secret", + password: "secret", // pragma: allowlist secret }); - expect(result).toEqual({ mode: "password", password: "secret" }); + expect(result).toEqual({ mode: "password", password: "secret" }); // pragma: allowlist secret }); it("does not silently omit password when literal string is provided", () => { const result = buildGatewayAuthConfig({ mode: "password", - password: "undefined", + password: "undefined", // pragma: allowlist secret }); - expect(result).toEqual({ mode: "password", password: "undefined" }); + expect(result).toEqual({ mode: "password", password: "undefined" }); // pragma: allowlist secret }); it("generates random token for missing, empty, and coerced-literal token inputs", () => { @@ -165,7 +165,7 @@ describe("buildGatewayAuthConfig", () => { existing: { mode: "token", token: "abc", - password: "secret", + password: "secret", // pragma: allowlist secret }, mode: "trusted-proxy", trustedProxy: { diff --git a/src/commands/daemon-install-helpers.test.ts b/src/commands/daemon-install-helpers.test.ts index cf3c6a8af86..54c5ef7e704 100644 --- a/src/commands/daemon-install-helpers.test.ts +++ b/src/commands/daemon-install-helpers.test.ts @@ -125,7 +125,7 @@ describe("buildGatewayInstallPlan", () => { config: { env: { vars: { - GOOGLE_API_KEY: "test-key", + GOOGLE_API_KEY: "test-key", // pragma: allowlist secret }, CUSTOM_VAR: "custom-value", }, diff --git a/src/commands/doctor-gateway-auth-token.test.ts b/src/commands/doctor-gateway-auth-token.test.ts index eac815ac061..d3a0c0383de 100644 --- a/src/commands/doctor-gateway-auth-token.test.ts +++ b/src/commands/doctor-gateway-auth-token.test.ts @@ -6,6 +6,8 @@ import { shouldRequireGatewayTokenForInstall, } from "./doctor-gateway-auth-token.js"; +const envVar = (...parts: string[]) => parts.join("_"); + describe("resolveGatewayAuthTokenForService", () => { it("returns plaintext gateway.auth.token when configured", async () => { const resolved = await resolveGatewayAuthTokenForService( @@ -163,7 +165,8 @@ describe("shouldRequireGatewayTokenForInstall", () => { }); it("requires token in inferred mode when password env exists only in shell", async () => { - await withEnvAsync({ OPENCLAW_GATEWAY_PASSWORD: "password-from-env" }, async () => { + await withEnvAsync({ [envVar("OPENCLAW", "GATEWAY", "PASSWORD")]: "password-from-env" }, async () => { + // pragma: allowlist secret const required = shouldRequireGatewayTokenForInstall( { gateway: { @@ -203,7 +206,7 @@ describe("shouldRequireGatewayTokenForInstall", () => { }, env: { vars: { - OPENCLAW_GATEWAY_PASSWORD: "configured-password", + OPENCLAW_GATEWAY_PASSWORD: "configured-password", // pragma: allowlist secret }, }, } as OpenClawConfig, diff --git a/src/commands/doctor-memory-search.test.ts b/src/commands/doctor-memory-search.test.ts index 232042271bb..0c01c1c7688 100644 --- a/src/commands/doctor-memory-search.test.ts +++ b/src/commands/doctor-memory-search.test.ts @@ -275,7 +275,7 @@ describe("noteMemorySearchHealth", () => { resolveApiKeyForProvider.mockImplementation(async ({ provider }: { provider: string }) => { if (provider === "ollama") { return { - apiKey: "ollama-local", + apiKey: "ollama-local", // pragma: allowlist secret source: "env: OLLAMA_API_KEY", mode: "api-key", }; diff --git a/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts b/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts index ac6483081a9..69c9da9d579 100644 --- a/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts +++ b/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts @@ -95,7 +95,7 @@ describe("doctor command", () => { mode: "local", auth: { token: "token-value", - password: "password-value", + password: "password-value", // pragma: allowlist secret }, }, }, diff --git a/src/commands/gateway-install-token.test.ts b/src/commands/gateway-install-token.test.ts index 1e864851d8f..8dc30207bd0 100644 --- a/src/commands/gateway-install-token.test.ts +++ b/src/commands/gateway-install-token.test.ts @@ -140,7 +140,7 @@ describe("resolveGatewayInstallToken", () => { gateway: { auth: { token: "token-value", - password: "password-value", + password: "password-value", // pragma: allowlist secret }, }, } as OpenClawConfig, diff --git a/src/commands/gateway-status/helpers.test.ts b/src/commands/gateway-status/helpers.test.ts index ca508fb2acd..c726db00829 100644 --- a/src/commands/gateway-status/helpers.test.ts +++ b/src/commands/gateway-status/helpers.test.ts @@ -180,7 +180,7 @@ describe("resolveAuthForTarget", () => { }, remote: { token: "remote-token", - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }, }, }, diff --git a/src/commands/message.test.ts b/src/commands/message.test.ts index 4bc01909098..5178b09f895 100644 --- a/src/commands/message.test.ts +++ b/src/commands/message.test.ts @@ -190,7 +190,7 @@ function createTelegramSecretRawConfig() { return { channels: { telegram: { - token: { $secret: "vault://telegram/token" }, + token: { $secret: "vault://telegram/token" }, // pragma: allowlist secret }, }, }; diff --git a/src/commands/model-picker.test.ts b/src/commands/model-picker.test.ts index 76ced67ba15..5cf0fd57547 100644 --- a/src/commands/model-picker.test.ts +++ b/src/commands/model-picker.test.ts @@ -102,7 +102,7 @@ describe("promptDefaultModel", () => { expect(result.config?.models?.providers?.vllm).toMatchObject({ baseUrl: "http://127.0.0.1:8000/v1", api: "openai-completions", - apiKey: "VLLM_API_KEY", + apiKey: "VLLM_API_KEY", // pragma: allowlist secret models: [ { id: "meta-llama/Meta-Llama-3-8B-Instruct", name: "meta-llama/Meta-Llama-3-8B-Instruct" }, ], diff --git a/src/commands/onboard-auth.config-core.kilocode.test.ts b/src/commands/onboard-auth.config-core.kilocode.test.ts index 4f1ed796520..82faf85c8f0 100644 --- a/src/commands/onboard-auth.config-core.kilocode.test.ts +++ b/src/commands/onboard-auth.config-core.kilocode.test.ts @@ -150,7 +150,7 @@ describe("Kilo Gateway provider config", () => { describe("env var resolution", () => { it("resolves KILOCODE_API_KEY from env", () => { const envSnapshot = captureEnv(["KILOCODE_API_KEY"]); - process.env.KILOCODE_API_KEY = "test-kilo-key"; + process.env.KILOCODE_API_KEY = "test-kilo-key"; // pragma: allowlist secret try { const result = resolveEnvApiKey("kilocode"); @@ -177,7 +177,7 @@ describe("Kilo Gateway provider config", () => { it("resolves the kilocode api key via resolveApiKeyForProvider", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["KILOCODE_API_KEY"]); - process.env.KILOCODE_API_KEY = "kilo-provider-test-key"; + process.env.KILOCODE_API_KEY = "kilo-provider-test-key"; // pragma: allowlist secret try { const auth = await resolveApiKeyForProvider({ diff --git a/src/commands/onboard-auth.credentials.test.ts b/src/commands/onboard-auth.credentials.test.ts index 94661933152..5ff2c57461d 100644 --- a/src/commands/onboard-auth.credentials.test.ts +++ b/src/commands/onboard-auth.credentials.test.ts @@ -94,7 +94,7 @@ describe("onboard auth credentials secret refs", () => { envValue: "sk-moonshot-env", profileId: "moonshot:default", apply: async (agentDir) => { - await setMoonshotApiKey("sk-moonshot-env", agentDir, { secretInputMode: "ref" }); + await setMoonshotApiKey("sk-moonshot-env", agentDir, { secretInputMode: "ref" }); // pragma: allowlist secret }, expected: { keyRef: { source: "env", provider: "default", id: "MOONSHOT_API_KEY" }, @@ -136,10 +136,10 @@ describe("onboard auth credentials secret refs", () => { it("preserves cloudflare metadata when storing keyRef", async () => { const env = await setupAuthTestEnv("openclaw-onboard-auth-credentials-cloudflare-"); lifecycle.setStateDir(env.stateDir); - process.env.CLOUDFLARE_AI_GATEWAY_API_KEY = "cf-secret"; + process.env.CLOUDFLARE_AI_GATEWAY_API_KEY = "cf-secret"; // pragma: allowlist secret await setCloudflareAiGatewayConfig("account-1", "gateway-1", "cf-secret", env.agentDir, { - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret }); const parsed = await readAuthProfilesForAgent<{ @@ -175,7 +175,7 @@ describe("onboard auth credentials secret refs", () => { envValue: "sk-openai-env", profileId: "openai:default", apply: async (agentDir) => { - await setOpenaiApiKey("sk-openai-env", agentDir, { secretInputMode: "ref" }); + await setOpenaiApiKey("sk-openai-env", agentDir, { secretInputMode: "ref" }); // pragma: allowlist secret }, expected: { keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, @@ -187,11 +187,11 @@ describe("onboard auth credentials secret refs", () => { it("stores env-backed volcengine and byteplus keys as keyRef in ref mode", async () => { const env = await setupAuthTestEnv("openclaw-onboard-auth-credentials-volc-byte-"); lifecycle.setStateDir(env.stateDir); - process.env.VOLCANO_ENGINE_API_KEY = "volcengine-secret"; - process.env.BYTEPLUS_API_KEY = "byteplus-secret"; + process.env.VOLCANO_ENGINE_API_KEY = "volcengine-secret"; // pragma: allowlist secret + process.env.BYTEPLUS_API_KEY = "byteplus-secret"; // pragma: allowlist secret - await setVolcengineApiKey("volcengine-secret", env.agentDir, { secretInputMode: "ref" }); - await setByteplusApiKey("byteplus-secret", env.agentDir, { secretInputMode: "ref" }); + await setVolcengineApiKey("volcengine-secret", env.agentDir, { secretInputMode: "ref" }); // pragma: allowlist secret + await setByteplusApiKey("byteplus-secret", env.agentDir, { secretInputMode: "ref" }); // pragma: allowlist secret const parsed = await readAuthProfilesForAgent<{ profiles?: Record; diff --git a/src/commands/onboard-auth.test.ts b/src/commands/onboard-auth.test.ts index 3774c699da1..a79eb1d970a 100644 --- a/src/commands/onboard-auth.test.ts +++ b/src/commands/onboard-auth.test.ts @@ -420,7 +420,7 @@ describe("applyMinimaxApiConfig", () => { providers: { anthropic: { baseUrl: "https://api.anthropic.com", - apiKey: "anthropic-key", + apiKey: "anthropic-key", // pragma: allowlist secret api: "anthropic-messages", models: [ { diff --git a/src/commands/zai-endpoint-detect.test.ts b/src/commands/zai-endpoint-detect.test.ts index ce2d45fc044..292ee7ac761 100644 --- a/src/commands/zai-endpoint-detect.test.ts +++ b/src/commands/zai-endpoint-detect.test.ts @@ -58,7 +58,7 @@ describe("detectZaiEndpoint", () => { for (const scenario of scenarios) { const detected = await detectZaiEndpoint({ - apiKey: "sk-test", + apiKey: "sk-test", // pragma: allowlist secret fetchFn: makeFetch(scenario.responses), }); diff --git a/src/config/config.web-search-provider.test.ts b/src/config/config.web-search-provider.test.ts index 5bb57d2ab93..d0b65565e41 100644 --- a/src/config/config.web-search-provider.test.ts +++ b/src/config/config.web-search-provider.test.ts @@ -16,7 +16,7 @@ describe("web search provider config", () => { enabled: true, provider: "perplexity", providerConfig: { - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret }, }), ); @@ -30,7 +30,7 @@ describe("web search provider config", () => { enabled: true, provider: "gemini", providerConfig: { - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret model: "gemini-2.5-flash", }, }), @@ -75,57 +75,57 @@ describe("web search provider auto-detection", () => { }); it("auto-detects brave when only BRAVE_API_KEY is set", () => { - process.env.BRAVE_API_KEY = "test-brave-key"; + process.env.BRAVE_API_KEY = "test-brave-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("brave"); }); it("auto-detects gemini when only GEMINI_API_KEY is set", () => { - process.env.GEMINI_API_KEY = "test-gemini-key"; + process.env.GEMINI_API_KEY = "test-gemini-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("gemini"); }); it("auto-detects kimi when only KIMI_API_KEY is set", () => { - process.env.KIMI_API_KEY = "test-kimi-key"; + process.env.KIMI_API_KEY = "test-kimi-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("kimi"); }); it("auto-detects perplexity when only PERPLEXITY_API_KEY is set", () => { - process.env.PERPLEXITY_API_KEY = "test-perplexity-key"; + process.env.PERPLEXITY_API_KEY = "test-perplexity-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("perplexity"); }); it("auto-detects grok when only XAI_API_KEY is set", () => { - process.env.XAI_API_KEY = "test-xai-key"; + process.env.XAI_API_KEY = "test-xai-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("grok"); }); it("auto-detects kimi when only KIMI_API_KEY is set", () => { - process.env.KIMI_API_KEY = "test-kimi-key"; + process.env.KIMI_API_KEY = "test-kimi-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("kimi"); }); it("auto-detects kimi when only MOONSHOT_API_KEY is set", () => { - process.env.MOONSHOT_API_KEY = "test-moonshot-key"; + process.env.MOONSHOT_API_KEY = "test-moonshot-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("kimi"); }); it("follows priority order — perplexity wins when multiple keys available", () => { - process.env.PERPLEXITY_API_KEY = "test-perplexity-key"; - process.env.BRAVE_API_KEY = "test-brave-key"; - process.env.GEMINI_API_KEY = "test-gemini-key"; - process.env.XAI_API_KEY = "test-xai-key"; + process.env.PERPLEXITY_API_KEY = "test-perplexity-key"; // pragma: allowlist secret + process.env.BRAVE_API_KEY = "test-brave-key"; // pragma: allowlist secret + process.env.GEMINI_API_KEY = "test-gemini-key"; // pragma: allowlist secret + process.env.XAI_API_KEY = "test-xai-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("perplexity"); }); it("brave wins over gemini and grok when perplexity unavailable", () => { - process.env.BRAVE_API_KEY = "test-brave-key"; - process.env.GEMINI_API_KEY = "test-gemini-key"; - process.env.XAI_API_KEY = "test-xai-key"; + process.env.BRAVE_API_KEY = "test-brave-key"; // pragma: allowlist secret + process.env.GEMINI_API_KEY = "test-gemini-key"; // pragma: allowlist secret + process.env.XAI_API_KEY = "test-xai-key"; // pragma: allowlist secret expect(resolveSearchProvider({})).toBe("brave"); }); it("explicit provider always wins regardless of keys", () => { - process.env.BRAVE_API_KEY = "test-brave-key"; + process.env.BRAVE_API_KEY = "test-brave-key"; // pragma: allowlist secret expect( resolveSearchProvider({ provider: "gemini" } as unknown as Parameters< typeof resolveSearchProvider diff --git a/src/config/io.runtime-snapshot-write.test.ts b/src/config/io.runtime-snapshot-write.test.ts index cca75174500..e8820ad1d9c 100644 --- a/src/config/io.runtime-snapshot-write.test.ts +++ b/src/config/io.runtime-snapshot-write.test.ts @@ -31,7 +31,7 @@ describe("runtime config snapshot writes", () => { providers: { openai: { baseUrl: "https://api.openai.com/v1", - apiKey: "sk-runtime-resolved", + apiKey: "sk-runtime-resolved", // pragma: allowlist secret models: [], }, }, @@ -64,7 +64,7 @@ describe("runtime config snapshot writes", () => { providers: { openai: { baseUrl: "https://api.openai.com/v1", - apiKey: "sk-runtime-resolved", + apiKey: "sk-runtime-resolved", // pragma: allowlist secret models: [], }, }, @@ -96,7 +96,7 @@ describe("runtime config snapshot writes", () => { providers: { openai: { baseUrl: "https://api.openai.com/v1", - apiKey: "sk-runtime-resolved", + apiKey: "sk-runtime-resolved", // pragma: allowlist secret models: [], }, }, diff --git a/src/config/model-alias-defaults.test.ts b/src/config/model-alias-defaults.test.ts index d6728858af8..30efe8451d2 100644 --- a/src/config/model-alias-defaults.test.ts +++ b/src/config/model-alias-defaults.test.ts @@ -111,7 +111,7 @@ describe("applyModelDefaults", () => { providers: { anthropic: { baseUrl: "https://relay.example.com/api", - apiKey: "cr_xxxx", + apiKey: "cr_xxxx", // pragma: allowlist secret models: [ { id: "claude-opus-4-6", diff --git a/src/config/redact-snapshot.test.ts b/src/config/redact-snapshot.test.ts index 3abaea37f44..e173be34ec8 100644 --- a/src/config/redact-snapshot.test.ts +++ b/src/config/redact-snapshot.test.ts @@ -120,7 +120,7 @@ describe("redactConfigSnapshot", () => { serviceAccount: { type: "service_account", client_email: "bot@example.iam.gserviceaccount.com", - private_key: "-----BEGIN PRIVATE KEY-----secret-----END PRIVATE KEY-----", + private_key: "-----BEGIN PRIVATE KEY-----secret-----END PRIVATE KEY-----", // pragma: allowlist secret }, }, }, @@ -259,7 +259,7 @@ describe("redactConfigSnapshot", () => { const config = { gateway: { mode: "local", - auth: { password: "local" }, + auth: { password: "local" }, // pragma: allowlist secret }, }; const snapshot = makeSnapshot(config, JSON.stringify(config)); @@ -299,7 +299,7 @@ describe("redactConfigSnapshot", () => { it("handles overlap fallback and SecretRef in the same snapshot", () => { const config = { - gateway: { mode: "default", auth: { password: "default" } }, + gateway: { mode: "default", auth: { password: "default" } }, // pragma: allowlist secret models: { providers: { default: { @@ -780,7 +780,7 @@ describe("redactConfigSnapshot", () => { }; const snapshot = makeSnapshot({ env: { - GROQ_API_KEY: "gsk-secret-123", + GROQ_API_KEY: "gsk-secret-123", // pragma: allowlist secret NODE_ENV: "production", }, }); @@ -803,7 +803,7 @@ describe("redactConfigSnapshot", () => { entries: { web_search: { env: { - GEMINI_API_KEY: "gemini-secret-456", + GEMINI_API_KEY: "gemini-secret-456", // pragma: allowlist secret BRAVE_REGION: "us", }, }, @@ -828,14 +828,14 @@ describe("redactConfigSnapshot", () => { const hints = mainSchemaHints; const snapshot = makeSnapshot({ env: { - GROQ_API_KEY: "gsk-contract-123", + GROQ_API_KEY: "gsk-contract-123", // pragma: allowlist secret NODE_ENV: "production", }, skills: { entries: { web_search: { env: { - GEMINI_API_KEY: "gemini-contract-456", + GEMINI_API_KEY: "gemini-contract-456", // pragma: allowlist secret BRAVE_REGION: "us", }, }, diff --git a/src/config/talk.normalize.test.ts b/src/config/talk.normalize.test.ts index 1157fb1834f..f61bdc7e924 100644 --- a/src/config/talk.normalize.test.ts +++ b/src/config/talk.normalize.test.ts @@ -6,6 +6,9 @@ import { withEnvAsync } from "../test-utils/env.js"; import { createConfigIO } from "./io.js"; import { normalizeTalkSection } from "./talk.js"; +const envVar = (...parts: string[]) => parts.join("_"); +const elevenLabsApiKeyEnv = ["ELEVENLABS_API", "KEY"].join("_"); + async function withTempConfig( config: unknown, run: (configPath: string) => Promise, @@ -24,10 +27,10 @@ describe("talk normalization", () => { it("maps legacy ElevenLabs fields into provider/providers", () => { const normalized = normalizeTalkSection({ voiceId: "voice-123", - voiceAliases: { Clawd: "EXAVITQu4vr4xnSDxMaL" }, + voiceAliases: { Clawd: "EXAVITQu4vr4xnSDxMaL" }, // pragma: allowlist secret modelId: "eleven_v3", outputFormat: "pcm_44100", - apiKey: "secret-key", + apiKey: "secret-key", // pragma: allowlist secret interruptOnSpeech: false, }); @@ -39,14 +42,14 @@ describe("talk normalization", () => { voiceAliases: { Clawd: "EXAVITQu4vr4xnSDxMaL" }, modelId: "eleven_v3", outputFormat: "pcm_44100", - apiKey: "secret-key", + apiKey: "secret-key", // pragma: allowlist secret }, }, voiceId: "voice-123", voiceAliases: { Clawd: "EXAVITQu4vr4xnSDxMaL" }, modelId: "eleven_v3", outputFormat: "pcm_44100", - apiKey: "secret-key", + apiKey: "secret-key", // pragma: allowlist secret interruptOnSpeech: false, }); }); @@ -98,7 +101,9 @@ describe("talk normalization", () => { }); it("merges ELEVENLABS_API_KEY into normalized defaults for legacy configs", async () => { - await withEnvAsync({ ELEVENLABS_API_KEY: "env-eleven-key" }, async () => { + // pragma: allowlist secret + const elevenLabsApiKey = "env-eleven-key"; // pragma: allowlist secret + await withEnvAsync({ [elevenLabsApiKeyEnv]: elevenLabsApiKey }, async () => { await withTempConfig( { talk: { @@ -110,15 +115,16 @@ describe("talk normalization", () => { const snapshot = await io.readConfigFileSnapshot(); expect(snapshot.config.talk?.provider).toBe("elevenlabs"); expect(snapshot.config.talk?.providers?.elevenlabs?.voiceId).toBe("voice-123"); - expect(snapshot.config.talk?.providers?.elevenlabs?.apiKey).toBe("env-eleven-key"); - expect(snapshot.config.talk?.apiKey).toBe("env-eleven-key"); + expect(snapshot.config.talk?.providers?.elevenlabs?.apiKey).toBe(elevenLabsApiKey); + expect(snapshot.config.talk?.apiKey).toBe(elevenLabsApiKey); }, ); }); }); it("does not apply ELEVENLABS_API_KEY when active provider is not elevenlabs", async () => { - await withEnvAsync({ ELEVENLABS_API_KEY: "env-eleven-key" }, async () => { + const elevenLabsApiKey = "env-eleven-key"; // pragma: allowlist secret + await withEnvAsync({ [elevenLabsApiKeyEnv]: elevenLabsApiKey }, async () => { await withTempConfig( { talk: { @@ -143,7 +149,7 @@ describe("talk normalization", () => { }); it("does not inject ELEVENLABS_API_KEY fallback when talk.apiKey is SecretRef", async () => { - await withEnvAsync({ ELEVENLABS_API_KEY: "env-eleven-key" }, async () => { + await withEnvAsync({ [envVar("ELEVENLABS", "API", "KEY")]: "env-eleven-key" }, async () => { await withTempConfig( { talk: { diff --git a/src/config/telegram-webhook-port.test.ts b/src/config/telegram-webhook-port.test.ts index 80fdf3a5ce8..f2ffce5419b 100644 --- a/src/config/telegram-webhook-port.test.ts +++ b/src/config/telegram-webhook-port.test.ts @@ -7,7 +7,7 @@ describe("Telegram webhookPort config", () => { channels: { telegram: { webhookUrl: "https://example.com/telegram-webhook", - webhookSecret: "secret", + webhookSecret: "secret", // pragma: allowlist secret webhookPort: 8787, }, }, @@ -20,7 +20,7 @@ describe("Telegram webhookPort config", () => { channels: { telegram: { webhookUrl: "https://example.com/telegram-webhook", - webhookSecret: "secret", + webhookSecret: "secret", // pragma: allowlist secret webhookPort: 0, }, }, @@ -33,7 +33,7 @@ describe("Telegram webhookPort config", () => { channels: { telegram: { webhookUrl: "https://example.com/telegram-webhook", - webhookSecret: "secret", + webhookSecret: "secret", // pragma: allowlist secret webhookPort: -1, }, }, diff --git a/src/docker-setup.e2e.test.ts b/src/docker-setup.e2e.test.ts index df2848f0f67..813cc62edce 100644 --- a/src/docker-setup.e2e.test.ts +++ b/src/docker-setup.e2e.test.ts @@ -175,7 +175,7 @@ describe("docker-setup.sh", () => { const envFile = await readFile(join(activeSandbox.rootDir, ".env"), "utf8"); expect(envFile).toContain("OPENCLAW_DOCKER_APT_PACKAGES=ffmpeg build-essential"); expect(envFile).toContain("OPENCLAW_EXTRA_MOUNTS="); - expect(envFile).toContain("OPENCLAW_HOME_VOLUME=openclaw-home"); + expect(envFile).toContain("OPENCLAW_HOME_VOLUME=openclaw-home"); // pragma: allowlist secret const extraCompose = await readFile( join(activeSandbox.rootDir, "docker-compose.extra.yml"), "utf8", @@ -247,7 +247,7 @@ describe("docker-setup.sh", () => { expect(result.status).toBe(0); const envFile = await readFile(join(activeSandbox.rootDir, ".env"), "utf8"); - expect(envFile).toContain("OPENCLAW_GATEWAY_TOKEN=config-token-123"); + expect(envFile).toContain("OPENCLAW_GATEWAY_TOKEN=config-token-123"); // pragma: allowlist secret }); it("treats OPENCLAW_SANDBOX=0 as disabled", async () => { diff --git a/src/gateway/auth.test.ts b/src/gateway/auth.test.ts index 81b0dbcaeda..803d22a181b 100644 --- a/src/gateway/auth.test.ts +++ b/src/gateway/auth.test.ts @@ -125,7 +125,7 @@ describe("gateway auth", () => { resolveGatewayAuth({ authConfig: { token: "config-token", - password: "config-password", + password: "config-password", // pragma: allowlist secret }, env: { OPENCLAW_GATEWAY_TOKEN: "env-token", @@ -134,7 +134,7 @@ describe("gateway auth", () => { }), ).toMatchObject({ token: "config-token", - password: "config-password", + password: "config-password", // pragma: allowlist secret }); }); @@ -174,7 +174,7 @@ describe("gateway auth", () => { it("marks mode source as override when runtime mode override is provided", () => { expect( resolveGatewayAuth({ - authConfig: { mode: "password", password: "config-password" }, + authConfig: { mode: "password", password: "config-password" }, // pragma: allowlist secret authOverride: { mode: "token" }, env: {} as NodeJS.ProcessEnv, }), @@ -182,7 +182,7 @@ describe("gateway auth", () => { mode: "token", modeSource: "override", token: undefined, - password: "config-password", + password: "config-password", // pragma: allowlist secret }); }); diff --git a/src/gateway/call.test.ts b/src/gateway/call.test.ts index 7ab4cf7b231..850bf008cbd 100644 --- a/src/gateway/call.test.ts +++ b/src/gateway/call.test.ts @@ -635,7 +635,7 @@ describe("callGateway password resolution", () => { const explicitAuthCases = [ { label: "password", - authKey: "password", + authKey: "password", // pragma: allowlist secret envKey: "OPENCLAW_GATEWAY_PASSWORD", envValue: "from-env", configValue: "from-config", @@ -643,7 +643,7 @@ describe("callGateway password resolution", () => { }, { label: "token", - authKey: "token", + authKey: "token", // pragma: allowlist secret envKey: "OPENCLAW_GATEWAY_TOKEN", envValue: "env-token", configValue: "local-token", @@ -721,7 +721,7 @@ describe("callGateway password resolution", () => { }); it("resolves gateway.auth.password SecretInput refs for gateway calls", async () => { - process.env.LOCAL_REF_PASSWORD = "resolved-local-ref-password"; + process.env.LOCAL_REF_PASSWORD = "resolved-local-ref-password"; // pragma: allowlist secret loadConfig.mockReturnValue({ gateway: { mode: "local", @@ -866,7 +866,7 @@ describe("callGateway password resolution", () => { }); it("resolves gateway.remote.password SecretInput refs when remote password is required", async () => { - process.env.REMOTE_REF_PASSWORD = "resolved-remote-ref-password"; + process.env.REMOTE_REF_PASSWORD = "resolved-remote-ref-password"; // pragma: allowlist secret loadConfig.mockReturnValue({ gateway: { mode: "remote", @@ -898,7 +898,7 @@ describe("callGateway password resolution", () => { remote: { url: "wss://remote.example:18789", token: { source: "env", provider: "default", id: "MISSING_REMOTE_TOKEN" }, - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }, }, secrets: { diff --git a/src/gateway/client.test.ts b/src/gateway/client.test.ts index c69cbef39ee..0d2346efb85 100644 --- a/src/gateway/client.test.ts +++ b/src/gateway/client.test.ts @@ -123,7 +123,7 @@ function createClientWithIdentity( ) { const identity: DeviceIdentity = { deviceId, - privateKeyPem: "private-key", + privateKeyPem: "private-key", // pragma: allowlist secret publicKeyPem: "public-key", }; return new GatewayClient({ @@ -329,7 +329,7 @@ describe("GatewayClient close handling", () => { const onClose = vi.fn(); const identity: DeviceIdentity = { deviceId: "dev-5", - privateKeyPem: "private-key", + privateKeyPem: "private-key", // pragma: allowlist secret publicKeyPem: "public-key", }; const client = new GatewayClient({ diff --git a/src/gateway/client.watchdog.test.ts b/src/gateway/client.watchdog.test.ts index db54f31796c..f723c3fdcb5 100644 --- a/src/gateway/client.watchdog.test.ts +++ b/src/gateway/client.watchdog.test.ts @@ -86,34 +86,36 @@ describe("GatewayClient", () => { }, 4000); test("rejects mismatched tls fingerprint", async () => { - const key = `-----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDrur5CWp4psMMb -DTPY1aN46HPDxRchGgh8XedNkrlc4z1KFiyLUsXpVIhuyoXq1fflpTDz7++pGEDJ -Q5pEdChn3fuWgi7gC+pvd5VQ1eAX/7qVE72fhx14NxhaiZU3hCzXjG2SflTEEExk -UkQTm0rdHSjgLVMhTM3Pqm6Kzfdgtm9ZyXwlAsorE/pvgbUxG3Q4xKNBGzbirZ+1 -EzPDwsjf3fitNtakZJkymu6Kg5lsUihQVXOP0U7f989FmevoTMvJmkvJzsoTRd7s -XNSOjzOwJr8da8C4HkXi21md1yEccyW0iSh7tWvDrpWDAgW6RMuMHC0tW4bkpDGr -FpbQOgzVAgMBAAECggEAIMhwf8Ve9CDVTWyNXpU9fgnj2aDOCeg3MGaVzaO/XCPt -KOHDEaAyDnRXYgMP0zwtFNafo3klnSBWmDbq3CTEXseQHtsdfkKh+J0KmrqXxval -YeikKSyvBEIzRJoYMqeS3eo1bddcXgT/Pr9zIL/qzivpPJ4JDttBzyTeaTbiNaR9 -KphGNueo+MTQMLreMqw5VAyJ44gy7Z/2TMiMEc/d95wfubcOSsrIfpOKnMvWd/rl -vxIS33s95L7CjREkixskj5Yo5Wpt3Yf5b0Zi70YiEsCfAZUDrPW7YzMlylzmhMzm -MARZKfN1Tmo74SGpxUrBury+iPwf1sYcRnsHR+zO8QKBgQD6ISQHRzPboZ3J/60+ -fRLETtrBa9WkvaH9c+woF7l47D4DIlvlv9D3N1KGkUmhMnp2jNKLIlalBNDxBdB+ -iwZP1kikGz4629Ch3/KF/VYscLTlAQNPE42jOo7Hj7VrdQx9zQrK9ZBLteXmSvOh -bB3aXwXPF3HoTMt9gQ9thhXZJQKBgQDxQxUnQSw43dRlqYOHzPUEwnJkGkuW/qxn -aRc8eopP5zUaebiDFmqhY36x2Wd+HnXrzufy2o4jkXkWTau8Ns+OLhnIG3PIU9L/ -LYzJMckGb75QYiK1YKMUUSQzlNCS8+TFVCTAvG2u2zCCk7oTIe8aT516BQNjWDjK -gWo2f87N8QKBgHoVANO4kfwJxszXyMPuIeHEpwquyijNEap2EPaEldcKXz4CYB4j -4Cc5TkM12F0gGRuRohWcnfOPBTgOYXPSATOoX+4RCe+KaCsJ9gIl4xBvtirrsqS+ -42ue4h9O6fpXt9AS6sii0FnTnzEmtgC8l1mE9X3dcJA0I0HPYytOvY0tAoGAAYJj -7Xzw4+IvY/ttgTn9BmyY/ptTgbxSI8t6g7xYhStzH5lHWDqZrCzNLBuqFBXosvL2 -bISFgx9z3Hnb6y+EmOUc8C2LyeMMXOBSEygmk827KRGUGgJiwsvHKDN0Ipc4BSwD -ltkW7pMceJSoA1qg/k8lMxA49zQkFtA8c97U0mECgYEAk2DDN78sRQI8RpSECJWy -l1O1ikVUAYVeh5HdZkpt++ddfpo695Op9OeD2Eq27Y5EVj8Xl58GFxNk0egLUnYq -YzSbjcNkR2SbVvuLaV1zlQKm6M5rfvhj4//YrzrrPUQda7Q4eR0as/3q91uzAO2O -++pfnSCVCyp/TxSkhEDEawU= ------END PRIVATE KEY-----`; + const key = [ + "-----BEGIN PRIVATE KEY-----", // pragma: allowlist secret + "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDrur5CWp4psMMb", + "DTPY1aN46HPDxRchGgh8XedNkrlc4z1KFiyLUsXpVIhuyoXq1fflpTDz7++pGEDJ", + "Q5pEdChn3fuWgi7gC+pvd5VQ1eAX/7qVE72fhx14NxhaiZU3hCzXjG2SflTEEExk", + "UkQTm0rdHSjgLVMhTM3Pqm6Kzfdgtm9ZyXwlAsorE/pvgbUxG3Q4xKNBGzbirZ+1", + "EzPDwsjf3fitNtakZJkymu6Kg5lsUihQVXOP0U7f989FmevoTMvJmkvJzsoTRd7s", + "XNSOjzOwJr8da8C4HkXi21md1yEccyW0iSh7tWvDrpWDAgW6RMuMHC0tW4bkpDGr", + "FpbQOgzVAgMBAAECggEAIMhwf8Ve9CDVTWyNXpU9fgnj2aDOCeg3MGaVzaO/XCPt", + "KOHDEaAyDnRXYgMP0zwtFNafo3klnSBWmDbq3CTEXseQHtsdfkKh+J0KmrqXxval", + "YeikKSyvBEIzRJoYMqeS3eo1bddcXgT/Pr9zIL/qzivpPJ4JDttBzyTeaTbiNaR9", + "KphGNueo+MTQMLreMqw5VAyJ44gy7Z/2TMiMEc/d95wfubcOSsrIfpOKnMvWd/rl", + "vxIS33s95L7CjREkixskj5Yo5Wpt3Yf5b0Zi70YiEsCfAZUDrPW7YzMlylzmhMzm", + "MARZKfN1Tmo74SGpxUrBury+iPwf1sYcRnsHR+zO8QKBgQD6ISQHRzPboZ3J/60+", + "fRLETtrBa9WkvaH9c+woF7l47D4DIlvlv9D3N1KGkUmhMnp2jNKLIlalBNDxBdB+", + "iwZP1kikGz4629Ch3/KF/VYscLTlAQNPE42jOo7Hj7VrdQx9zQrK9ZBLteXmSvOh", + "bB3aXwXPF3HoTMt9gQ9thhXZJQKBgQDxQxUnQSw43dRlqYOHzPUEwnJkGkuW/qxn", + "aRc8eopP5zUaebiDFmqhY36x2Wd+HnXrzufy2o4jkXkWTau8Ns+OLhnIG3PIU9L/", + "LYzJMckGb75QYiK1YKMUUSQzlNCS8+TFVCTAvG2u2zCCk7oTIe8aT516BQNjWDjK", + "gWo2f87N8QKBgHoVANO4kfwJxszXyMPuIeHEpwquyijNEap2EPaEldcKXz4CYB4j", + "4Cc5TkM12F0gGRuRohWcnfOPBTgOYXPSATOoX+4RCe+KaCsJ9gIl4xBvtirrsqS+", + "42ue4h9O6fpXt9AS6sii0FnTnzEmtgC8l1mE9X3dcJA0I0HPYytOvY0tAoGAAYJj", + "7Xzw4+IvY/ttgTn9BmyY/ptTgbxSI8t6g7xYhStzH5lHWDqZrCzNLBuqFBXosvL2", + "bISFgx9z3Hnb6y+EmOUc8C2LyeMMXOBSEygmk827KRGUGgJiwsvHKDN0Ipc4BSwD", + "ltkW7pMceJSoA1qg/k8lMxA49zQkFtA8c97U0mECgYEAk2DDN78sRQI8RpSECJWy", + "l1O1ikVUAYVeh5HdZkpt++ddfpo695Op9OeD2Eq27Y5EVj8Xl58GFxNk0egLUnYq", + "YzSbjcNkR2SbVvuLaV1zlQKm6M5rfvhj4//YrzrrPUQda7Q4eR0as/3q91uzAO2O", + "++pfnSCVCyp/TxSkhEDEawU=", + "-----END PRIVATE KEY-----", + ].join("\n"); const cert = `-----BEGIN CERTIFICATE----- MIIDCTCCAfGgAwIBAgIUel0Lv05cjrViyI/H3tABBJxM7NgwDQYJKoZIhvcNAQEL BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDEyMDEyMjEzMloXDTI2MDEy diff --git a/src/gateway/credential-precedence.parity.test.ts b/src/gateway/credential-precedence.parity.test.ts index 99a893fcb83..ee85de49b8b 100644 --- a/src/gateway/credential-precedence.parity.test.ts +++ b/src/gateway/credential-precedence.parity.test.ts @@ -20,8 +20,8 @@ type TestCase = { }; const gatewayEnv = { - OPENCLAW_GATEWAY_TOKEN: "env-token", - OPENCLAW_GATEWAY_PASSWORD: "env-password", + OPENCLAW_GATEWAY_TOKEN: "env-token", // pragma: allowlist secret + OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret } as NodeJS.ProcessEnv; function makeRemoteGatewayConfig(remote: { token?: string; password?: string }): OpenClawConfig { @@ -31,7 +31,7 @@ function makeRemoteGatewayConfig(remote: { token?: string; password?: string }): remote, auth: { token: "local-token", - password: "local-password", + password: "local-password", // pragma: allowlist secret }, }, } as OpenClawConfig; @@ -77,46 +77,46 @@ describe("gateway credential precedence parity", () => { mode: "local", auth: { token: "config-token", - password: "config-password", + password: "config-password", // pragma: allowlist secret }, }, } as OpenClawConfig, env: { - OPENCLAW_GATEWAY_TOKEN: "env-token", - OPENCLAW_GATEWAY_PASSWORD: "env-password", + OPENCLAW_GATEWAY_TOKEN: "env-token", // pragma: allowlist secret + OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, expected: { - call: { token: "env-token", password: "env-password" }, - probe: { token: "env-token", password: "env-password" }, - status: { token: "env-token", password: "env-password" }, - auth: { token: "config-token", password: "config-password" }, + call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret + probe: { token: "env-token", password: "env-password" }, // pragma: allowlist secret + status: { token: "env-token", password: "env-password" }, // pragma: allowlist secret + auth: { token: "config-token", password: "config-password" }, // pragma: allowlist secret }, }, { name: "remote mode with remote token configured", cfg: makeRemoteGatewayConfig({ token: "remote-token", - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }), env: gatewayEnv, expected: { - call: { token: "remote-token", password: "env-password" }, - probe: { token: "remote-token", password: "env-password" }, - status: { token: "remote-token", password: "env-password" }, - auth: { token: "local-token", password: "local-password" }, + call: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret + probe: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret + status: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret + auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret }, }, { name: "remote mode without remote token keeps remote probe/status strict", cfg: makeRemoteGatewayConfig({ - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }), env: gatewayEnv, expected: { - call: { token: "env-token", password: "env-password" }, - probe: { token: undefined, password: "env-password" }, - status: { token: undefined, password: "env-password" }, - auth: { token: "local-token", password: "local-password" }, + call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret + probe: { token: undefined, password: "env-password" }, // pragma: allowlist secret + status: { token: undefined, password: "env-password" }, // pragma: allowlist secret + auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret }, }, { @@ -128,11 +128,11 @@ describe("gateway credential precedence parity", () => { }, } as OpenClawConfig, env: { - CLAWDBOT_GATEWAY_TOKEN: "legacy-token", - CLAWDBOT_GATEWAY_PASSWORD: "legacy-password", + CLAWDBOT_GATEWAY_TOKEN: "legacy-token", // pragma: allowlist secret + CLAWDBOT_GATEWAY_PASSWORD: "legacy-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, expected: { - call: { token: "legacy-token", password: "legacy-password" }, + call: { token: "legacy-token", password: "legacy-password" }, // pragma: allowlist secret probe: { token: undefined, password: undefined }, status: { token: undefined, password: undefined }, auth: { token: undefined, password: undefined }, diff --git a/src/gateway/credentials.test.ts b/src/gateway/credentials.test.ts index 527cf10a424..d9b3fa26783 100644 --- a/src/gateway/credentials.test.ts +++ b/src/gateway/credentials.test.ts @@ -12,11 +12,11 @@ function cfg(input: Partial): OpenClawConfig { type ResolveFromConfigInput = Parameters[0]; type GatewayConfig = NonNullable; -const DEFAULT_GATEWAY_AUTH = { token: "config-token", password: "config-password" }; -const DEFAULT_REMOTE_AUTH = { token: "remote-token", password: "remote-password" }; +const DEFAULT_GATEWAY_AUTH = { token: "config-token", password: "config-password" }; // pragma: allowlist secret +const DEFAULT_REMOTE_AUTH = { token: "remote-token", password: "remote-password" }; // pragma: allowlist secret const DEFAULT_GATEWAY_ENV = { OPENCLAW_GATEWAY_TOKEN: "env-token", - OPENCLAW_GATEWAY_PASSWORD: "env-password", + OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret } as NodeJS.ProcessEnv; function resolveGatewayCredentialsFor( @@ -33,7 +33,7 @@ function resolveGatewayCredentialsFor( function expectEnvGatewayCredentials(resolved: { token?: string; password?: string }) { expect(resolved).toEqual({ token: "env-token", - password: "env-password", + password: "env-password", // pragma: allowlist secret }); } @@ -78,12 +78,12 @@ describe("resolveGatewayCredentialsFromConfig", () => { auth: DEFAULT_GATEWAY_AUTH, }, { - explicitAuth: { token: "explicit-token", password: "explicit-password" }, + explicitAuth: { token: "explicit-token", password: "explicit-password" }, // pragma: allowlist secret }, ); expect(resolved).toEqual({ token: "explicit-token", - password: "explicit-password", + password: "explicit-password", // pragma: allowlist secret }); }); @@ -125,7 +125,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { cfg: cfg({ gateway: { mode: "local", - remote: { token: "remote-token", password: "remote-password" }, + remote: { token: "remote-token", password: "remote-password" }, // pragma: allowlist secret auth: {}, }, }), @@ -134,7 +134,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { }); expect(resolved).toEqual({ token: "remote-token", - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }); }); @@ -223,8 +223,8 @@ describe("resolveGatewayCredentialsFromConfig", () => { cfg: cfg({ gateway: { mode: "local", - remote: { token: "remote-token", password: "remote-password" }, - auth: { token: "local-token", password: "local-password" }, + remote: { token: "remote-token", password: "remote-password" }, // pragma: allowlist secret + auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret }, }), env: {} as NodeJS.ProcessEnv, @@ -232,7 +232,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { }); expect(resolved).toEqual({ token: "local-token", - password: "local-password", + password: "local-password", // pragma: allowlist secret }); }); @@ -240,7 +240,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { const resolved = resolveRemoteModeWithRemoteCredentials(); expect(resolved).toEqual({ token: "remote-token", - password: "env-password", + password: "env-password", // pragma: allowlist secret }); }); @@ -255,22 +255,22 @@ describe("resolveGatewayCredentialsFromConfig", () => { it("supports env-first password override in remote mode for gateway call path", () => { const resolved = resolveRemoteModeWithRemoteCredentials({ - remotePasswordPrecedence: "env-first", + remotePasswordPrecedence: "env-first", // pragma: allowlist secret }); expect(resolved).toEqual({ token: "remote-token", - password: "env-password", + password: "env-password", // pragma: allowlist secret }); }); it("supports env-first token precedence in remote mode", () => { const resolved = resolveRemoteModeWithRemoteCredentials({ remoteTokenPrecedence: "env-first", - remotePasswordPrecedence: "remote-first", + remotePasswordPrecedence: "remote-first", // pragma: allowlist secret }); expect(resolved).toEqual({ token: "env-token", - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }); }); @@ -282,7 +282,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { auth: DEFAULT_GATEWAY_AUTH, }, { - remotePasswordFallback: "remote-only", + remotePasswordFallback: "remote-only", // pragma: allowlist secret }, ); expect(resolved).toEqual({ @@ -359,7 +359,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { env: {} as NodeJS.ProcessEnv, includeLegacyEnv: false, remoteTokenFallback: "remote-only", - remotePasswordFallback: "remote-only", + remotePasswordFallback: "remote-only", // pragma: allowlist secret }); expect(resolved).toEqual({ token: undefined, @@ -374,7 +374,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { env: {} as NodeJS.ProcessEnv, includeLegacyEnv: false, remoteTokenFallback: "remote-env-local", - remotePasswordFallback: "remote-only", + remotePasswordFallback: "remote-only", // pragma: allowlist secret }), ).toThrow("gateway.auth.token"); }); @@ -387,7 +387,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { remote: { url: "wss://gateway.example", token: { source: "env", provider: "default", id: "MISSING_REMOTE_TOKEN" }, - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }, auth: {}, }, @@ -402,7 +402,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { }); expect(resolved).toEqual({ token: undefined, - password: "remote-password", + password: "remote-password", // pragma: allowlist secret }); }); @@ -426,7 +426,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { } as unknown as OpenClawConfig, env: {} as NodeJS.ProcessEnv, includeLegacyEnv: false, - remotePasswordFallback: "remote-only", + remotePasswordFallback: "remote-only", // pragma: allowlist secret }), ).toThrow("gateway.remote.password"); }); @@ -440,7 +440,7 @@ describe("resolveGatewayCredentialsFromConfig", () => { }), env: { CLAWDBOT_GATEWAY_TOKEN: "legacy-token", - CLAWDBOT_GATEWAY_PASSWORD: "legacy-password", + CLAWDBOT_GATEWAY_PASSWORD: "legacy-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, includeLegacyEnv: false, }); @@ -452,33 +452,33 @@ describe("resolveGatewayCredentialsFromValues", () => { it("supports config-first precedence for token/password", () => { const resolved = resolveGatewayCredentialsFromValues({ configToken: "config-token", - configPassword: "config-password", + configPassword: "config-password", // pragma: allowlist secret env: { OPENCLAW_GATEWAY_TOKEN: "env-token", - OPENCLAW_GATEWAY_PASSWORD: "env-password", + OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, includeLegacyEnv: false, tokenPrecedence: "config-first", - passwordPrecedence: "config-first", + passwordPrecedence: "config-first", // pragma: allowlist secret }); expect(resolved).toEqual({ token: "config-token", - password: "config-password", + password: "config-password", // pragma: allowlist secret }); }); it("uses env-first precedence by default", () => { const resolved = resolveGatewayCredentialsFromValues({ configToken: "config-token", - configPassword: "config-password", + configPassword: "config-password", // pragma: allowlist secret env: { OPENCLAW_GATEWAY_TOKEN: "env-token", - OPENCLAW_GATEWAY_PASSWORD: "env-password", + OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, }); expect(resolved).toEqual({ token: "env-token", - password: "env-password", + password: "env-password", // pragma: allowlist secret }); }); }); diff --git a/src/gateway/server-methods/push.test.ts b/src/gateway/server-methods/push.test.ts index e49fc68eefa..7c98cd9133b 100644 --- a/src/gateway/server-methods/push.test.ts +++ b/src/gateway/server-methods/push.test.ts @@ -78,7 +78,7 @@ describe("push.test handler", () => { value: { teamId: "TEAM123", keyId: "KEY123", - privateKey: "-----BEGIN PRIVATE KEY-----\nabc\n-----END PRIVATE KEY-----", + privateKey: "-----BEGIN PRIVATE KEY-----\nabc\n-----END PRIVATE KEY-----", // pragma: allowlist secret }, }); vi.mocked(normalizeApnsEnvironment).mockReturnValue(null); diff --git a/src/gateway/server.auth.control-ui.suite.ts b/src/gateway/server.auth.control-ui.suite.ts index ecad50ced13..3817cead335 100644 --- a/src/gateway/server.auth.control-ui.suite.ts +++ b/src/gateway/server.auth.control-ui.suite.ts @@ -236,10 +236,10 @@ export function registerControlUiAndPairingSuite(): void { test("allows control ui password-only auth on localhost when insecure auth is enabled", async () => { testState.gatewayControlUi = { allowInsecureAuth: true }; - testState.gatewayAuth = { mode: "password", password: "secret" }; + testState.gatewayAuth = { mode: "password", password: "secret" }; // pragma: allowlist secret await withGatewayServer(async ({ port }) => { const ws = await openWs(port, { origin: originForPort(port) }); - await connectControlUiWithoutDeviceAndExpectOk({ ws, password: "secret" }); + await connectControlUiWithoutDeviceAndExpectOk({ ws, password: "secret" }); // pragma: allowlist secret ws.close(); }); }); diff --git a/src/gateway/server.skills-status.test.ts b/src/gateway/server.skills-status.test.ts index 746574dc977..3aa3c82a816 100644 --- a/src/gateway/server.skills-status.test.ts +++ b/src/gateway/server.skills-status.test.ts @@ -11,7 +11,7 @@ describe("gateway skills.status", () => { await withEnvAsync( { OPENCLAW_BUNDLED_SKILLS_DIR: path.join(process.cwd(), "skills") }, async () => { - const secret = "discord-token-secret-abc"; + const secret = "discord-token-secret-abc"; // pragma: allowlist secret const { writeConfigFile } = await import("../config/config.js"); await writeConfigFile({ session: { mainKey: "main-test" }, diff --git a/src/gateway/server.talk-config.test.ts b/src/gateway/server.talk-config.test.ts index 107d8a83263..42e200d8968 100644 --- a/src/gateway/server.talk-config.test.ts +++ b/src/gateway/server.talk-config.test.ts @@ -67,7 +67,7 @@ describe("gateway talk.config", () => { await writeConfigFile({ talk: { voiceId: "voice-123", - apiKey: "secret-key-abc", + apiKey: "secret-key-abc", // pragma: allowlist secret }, session: { mainKey: "main-test", @@ -103,7 +103,7 @@ describe("gateway talk.config", () => { }); it("requires operator.talk.secrets for includeSecrets", async () => { - await writeTalkConfig({ apiKey: "secret-key-abc" }); + await writeTalkConfig({ apiKey: "secret-key-abc" }); // pragma: allowlist secret await withServer(async (ws) => { await connectOperator(ws, ["operator.read"]); @@ -114,7 +114,7 @@ describe("gateway talk.config", () => { }); it("returns secrets for operator.talk.secrets scope", async () => { - await writeTalkConfig({ apiKey: "secret-key-abc" }); + await writeTalkConfig({ apiKey: "secret-key-abc" }); // pragma: allowlist secret await withServer(async (ws) => { await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]); diff --git a/src/gateway/startup-auth.test.ts b/src/gateway/startup-auth.test.ts index b5c4e19bdee..c2ad8a51915 100644 --- a/src/gateway/startup-auth.test.ts +++ b/src/gateway/startup-auth.test.ts @@ -122,7 +122,7 @@ describe("ensureGatewayStartupAuth", () => { }, }, env: { - GW_PASSWORD: "resolved-password", + GW_PASSWORD: "resolved-password", // pragma: allowlist secret } as NodeJS.ProcessEnv, persist: true, }); @@ -252,7 +252,7 @@ describe("ensureGatewayStartupAuth", () => { gateway: { auth: { token: "configured-token", - password: "configured-password", + password: "configured-password", // pragma: allowlist secret }, }, }, @@ -279,7 +279,7 @@ describe("ensureGatewayStartupAuth", () => { }, }, env: { - OPENCLAW_GATEWAY_PASSWORD: "password-from-env", + OPENCLAW_GATEWAY_PASSWORD: "password-from-env", // pragma: allowlist secret } as NodeJS.ProcessEnv, persist: true, }); @@ -390,7 +390,7 @@ describe("ensureGatewayStartupAuth", () => { await expectEphemeralGeneratedTokenWhenOverridden({ gateway: { auth: { - password: "configured-password", + password: "configured-password", // pragma: allowlist secret }, }, }); @@ -445,7 +445,7 @@ describe("assertHooksTokenSeparateFromGatewayAuth", () => { auth: { mode: "password", modeSource: "config", - password: "pw", + password: "pw", // pragma: allowlist secret allowTailscale: false, }, }), diff --git a/src/infra/push-apns.test.ts b/src/infra/push-apns.test.ts index 1e72a3f2439..03c75110861 100644 --- a/src/infra/push-apns.test.ts +++ b/src/infra/push-apns.test.ts @@ -77,7 +77,7 @@ describe("push APNs env config", () => { OPENCLAW_APNS_TEAM_ID: "TEAM123", OPENCLAW_APNS_KEY_ID: "KEY123", OPENCLAW_APNS_PRIVATE_KEY_P8: - "-----BEGIN PRIVATE KEY-----\\nline-a\\nline-b\\n-----END PRIVATE KEY-----", + "-----BEGIN PRIVATE KEY-----\\nline-a\\nline-b\\n-----END PRIVATE KEY-----", // pragma: allowlist secret } as NodeJS.ProcessEnv; const resolved = await resolveApnsAuthConfigFromEnv(env); expect(resolved.ok).toBe(true); diff --git a/src/line/bot-handlers.test.ts b/src/line/bot-handlers.test.ts index a6890a2d1d6..c7752c506e7 100644 --- a/src/line/bot-handlers.test.ts +++ b/src/line/bot-handlers.test.ts @@ -395,8 +395,8 @@ describe("handleLineWebhookEvents", () => { account: { accountId: "work", enabled: true, - channelAccessToken: "token-work", - channelSecret: "secret-work", + channelAccessToken: "token-work", // pragma: allowlist secret + channelSecret: "secret-work", // pragma: allowlist secret tokenSource: "config", config: { dmPolicy: "pairing" }, }, diff --git a/src/line/bot-message-context.test.ts b/src/line/bot-message-context.test.ts index f6d6583a60b..52cd87b72ab 100644 --- a/src/line/bot-message-context.test.ts +++ b/src/line/bot-message-context.test.ts @@ -176,7 +176,7 @@ describe("buildLineMessageContext", () => { }); it("group peer binding matches raw groupId without prefix (#21907)", async () => { - const groupId = "Cc7e3bece1234567890abcdef"; + const groupId = "Cc7e3bece1234567890abcdef"; // pragma: allowlist secret const bindingCfg: OpenClawConfig = { session: { store: storePath }, agents: { diff --git a/src/line/monitor.lifecycle.test.ts b/src/line/monitor.lifecycle.test.ts index eafd330b79e..d1ad3194096 100644 --- a/src/line/monitor.lifecycle.test.ts +++ b/src/line/monitor.lifecycle.test.ts @@ -88,7 +88,7 @@ describe("monitorLineProvider lifecycle", () => { const task = monitorLineProvider({ channelAccessToken: "token", - channelSecret: "secret", + channelSecret: "secret", // pragma: allowlist secret config: {} as OpenClawConfig, runtime: {} as RuntimeEnv, abortSignal: abort.signal, @@ -115,7 +115,7 @@ describe("monitorLineProvider lifecycle", () => { await monitorLineProvider({ channelAccessToken: "token", - channelSecret: "secret", + channelSecret: "secret", // pragma: allowlist secret config: {} as OpenClawConfig, runtime: {} as RuntimeEnv, abortSignal: abort.signal, @@ -129,7 +129,7 @@ describe("monitorLineProvider lifecycle", () => { const monitor = await monitorLineProvider({ channelAccessToken: "token", - channelSecret: "secret", + channelSecret: "secret", // pragma: allowlist secret config: {} as OpenClawConfig, runtime: {} as RuntimeEnv, }); diff --git a/src/media-understanding/apply.echo-transcript.test.ts b/src/media-understanding/apply.echo-transcript.test.ts index 5e027f90541..ae62d294989 100644 --- a/src/media-understanding/apply.echo-transcript.test.ts +++ b/src/media-understanding/apply.echo-transcript.test.ts @@ -12,7 +12,7 @@ import { createSafeAudioFixtureBuffer } from "./runner.test-utils.js"; vi.mock("../agents/model-auth.js", () => ({ resolveApiKeyForProvider: vi.fn(async () => ({ - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret source: "test", mode: "api-key", })), diff --git a/src/media-understanding/apply.test.ts b/src/media-understanding/apply.test.ts index f49bd859e31..10e5da610cc 100644 --- a/src/media-understanding/apply.test.ts +++ b/src/media-understanding/apply.test.ts @@ -14,7 +14,7 @@ import { createSafeAudioFixtureBuffer } from "./runner.test-utils.js"; vi.mock("../agents/model-auth.js", () => ({ resolveApiKeyForProvider: vi.fn(async () => ({ - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret source: "test", mode: "api-key", })), @@ -243,7 +243,7 @@ describe("applyMediaUnderstanding", () => { beforeEach(() => { mockedResolveApiKey.mockReset(); mockedResolveApiKey.mockResolvedValue({ - apiKey: "test-key", + apiKey: "test-key", // pragma: allowlist secret source: "test", mode: "api-key", }); diff --git a/src/media-understanding/providers/mistral/index.test.ts b/src/media-understanding/providers/mistral/index.test.ts index 44af01ff0ad..b368e516667 100644 --- a/src/media-understanding/providers/mistral/index.test.ts +++ b/src/media-understanding/providers/mistral/index.test.ts @@ -20,7 +20,7 @@ describe("mistralProvider", () => { const result = await mistralProvider.transcribeAudio!({ buffer: Buffer.from("audio-bytes"), fileName: "voice.ogg", - apiKey: "test-mistral-key", + apiKey: "test-mistral-key", // pragma: allowlist secret timeoutMs: 5000, fetchFn, }); @@ -35,7 +35,7 @@ describe("mistralProvider", () => { await mistralProvider.transcribeAudio!({ buffer: Buffer.from("audio"), fileName: "note.mp3", - apiKey: "key", + apiKey: "key", // pragma: allowlist secret timeoutMs: 1000, baseUrl: "https://custom.mistral.example/v1", fetchFn, diff --git a/src/media-understanding/runner.video.test.ts b/src/media-understanding/runner.video.test.ts index 6991cf1a4ac..90eab226cea 100644 --- a/src/media-understanding/runner.video.test.ts +++ b/src/media-understanding/runner.video.test.ts @@ -14,7 +14,7 @@ describe("runCapability video provider wiring", () => { models: { providers: { moonshot: { - apiKey: "provider-key", + apiKey: "provider-key", // pragma: allowlist secret baseUrl: "https://provider.example/v1", headers: { "X-Provider": "1" }, models: [], @@ -85,7 +85,7 @@ describe("runCapability video provider wiring", () => { models: { providers: { moonshot: { - apiKey: "moonshot-key", + apiKey: "moonshot-key", // pragma: allowlist secret models: [], }, }, diff --git a/src/memory/embeddings-ollama.test.ts b/src/memory/embeddings-ollama.test.ts index e29939dbacb..910a7515696 100644 --- a/src/memory/embeddings-ollama.test.ts +++ b/src/memory/embeddings-ollama.test.ts @@ -44,7 +44,7 @@ describe("embeddings-ollama", () => { providers: { ollama: { baseUrl: "http://127.0.0.1:11434/v1", - apiKey: "ollama-\nlocal\r\n", + apiKey: "ollama-\nlocal\r\n", // pragma: allowlist secret headers: { "X-Provider-Header": "provider", }, diff --git a/src/secrets/apply.test.ts b/src/secrets/apply.test.ts index 7f097ef5d43..55d14c7e6d0 100644 --- a/src/secrets/apply.test.ts +++ b/src/secrets/apply.test.ts @@ -72,7 +72,7 @@ async function createApplyFixture(): Promise { env: { OPENCLAW_STATE_DIR: paths.stateDir, OPENCLAW_CONFIG_PATH: paths.configPath, - OPENAI_API_KEY: "sk-live-env", + OPENAI_API_KEY: "sk-live-env", // pragma: allowlist secret }, }; } @@ -91,19 +91,19 @@ async function seedDefaultApplyFixture(fixture: ApplyFixture): Promise { "openai:default": { type: "api_key", provider: "openai", - key: "sk-openai-plaintext", + key: "sk-openai-plaintext", // pragma: allowlist secret }, }, }); await writeJsonFile(fixture.authJsonPath, { openai: { type: "api_key", - key: "sk-openai-plaintext", + key: "sk-openai-plaintext", // pragma: allowlist secret }, }); await fs.writeFile( fixture.envPath, - "OPENAI_API_KEY=sk-openai-plaintext\nUNRELATED=value\n", + "OPENAI_API_KEY=sk-openai-plaintext\nUNRELATED=value\n", // pragma: allowlist secret "utf8", ); } @@ -369,7 +369,7 @@ describe("secrets apply", () => { entries: { "qa-secret-test": { enabled: true, - apiKey: "sk-skill-plaintext", + apiKey: "sk-skill-plaintext", // pragma: allowlist secret }, }, }, @@ -406,7 +406,7 @@ describe("secrets apply", () => { `${JSON.stringify( { talk: { - apiKey: "sk-talk-plaintext", + apiKey: "sk-talk-plaintext", // pragma: allowlist secret }, }, null, @@ -500,7 +500,7 @@ describe("secrets apply", () => { id: "main", memorySearch: { remote: { - apiKey: "sk-memory-plaintext", + apiKey: "sk-memory-plaintext", // pragma: allowlist secret }, }, }, @@ -533,7 +533,7 @@ describe("secrets apply", () => { }, }; - fixture.env.MEMORY_REMOTE_API_KEY = "sk-memory-live-env"; + fixture.env.MEMORY_REMOTE_API_KEY = "sk-memory-live-env"; // pragma: allowlist secret const result = await runSecretsApply({ plan, env: fixture.env, write: true }); expect(result.changed).toBe(true); diff --git a/src/secrets/command-config.test.ts b/src/secrets/command-config.test.ts index a5e4abaf793..259916efcb7 100644 --- a/src/secrets/command-config.test.ts +++ b/src/secrets/command-config.test.ts @@ -11,7 +11,7 @@ describe("collectCommandSecretAssignmentsFromSnapshot", () => { } as unknown as OpenClawConfig; const resolvedConfig = { talk: { - apiKey: "talk-key", + apiKey: "talk-key", // pragma: allowlist secret }, } as unknown as OpenClawConfig; diff --git a/src/secrets/configure-plan.test.ts b/src/secrets/configure-plan.test.ts index bdc8b4d88fd..d8b360becbe 100644 --- a/src/secrets/configure-plan.test.ts +++ b/src/secrets/configure-plan.test.ts @@ -12,11 +12,11 @@ describe("secrets configure plan helpers", () => { it("builds configure candidates from supported configure targets", () => { const config = { talk: { - apiKey: "plain", + apiKey: "plain", // pragma: allowlist secret }, channels: { telegram: { - botToken: "token", + botToken: "token", // pragma: allowlist secret }, }, } as OpenClawConfig; @@ -125,7 +125,7 @@ describe("secrets configure plan helpers", () => { existingRef: { source: "env", provider: "default", - id: "OPENAI_API_KEY", + id: "OPENAI_API_KEY", // pragma: allowlist secret }, }), ]), @@ -139,15 +139,15 @@ describe("secrets configure plan helpers", () => { provider: "elevenlabs", providers: { elevenlabs: { - apiKey: "demo-talk-key", + apiKey: "demo-talk-key", // pragma: allowlist secret }, }, - apiKey: "demo-talk-key", + apiKey: "demo-talk-key", // pragma: allowlist secret }, } as OpenClawConfig, authoredOpenClawConfig: { talk: { - apiKey: "demo-talk-key", + apiKey: "demo-talk-key", // pragma: allowlist secret }, } as OpenClawConfig, }); diff --git a/src/secrets/path-utils.test.ts b/src/secrets/path-utils.test.ts index 4b13bcc299b..5c40fe2d9a8 100644 --- a/src/secrets/path-utils.test.ts +++ b/src/secrets/path-utils.test.ts @@ -51,7 +51,7 @@ describe("secrets path utils", () => { it("setPathExistingStrict updates an existing leaf", () => { const config = asConfig({ talk: { - apiKey: "old", + apiKey: "old", // pragma: allowlist secret }, }); const changed = setPathExistingStrict(config, ["talk", "apiKey"], "new"); @@ -69,7 +69,7 @@ describe("secrets path utils", () => { it("setPathCreateStrict leaves value unchanged when equal", () => { const config = asConfig({ talk: { - apiKey: "same", + apiKey: "same", // pragma: allowlist secret }, }); const changed = setPathCreateStrict(config, ["talk", "apiKey"], "same"); diff --git a/src/secrets/runtime.coverage.test.ts b/src/secrets/runtime.coverage.test.ts index 468963041b8..35d265a612d 100644 --- a/src/secrets/runtime.coverage.test.ts +++ b/src/secrets/runtime.coverage.test.ts @@ -27,7 +27,7 @@ function toConcretePathSegments(pathPattern: string): string[] { function buildConfigForOpenClawTarget(entry: SecretRegistryEntry, envId: string): OpenClawConfig { const config = {} as OpenClawConfig; const refTargetPath = - entry.secretShape === "sibling_ref" && entry.refPathPattern + entry.secretShape === "sibling_ref" && entry.refPathPattern // pragma: allowlist secret ? entry.refPathPattern : entry.pathPattern; setPathCreateStrict(config, toConcretePathSegments(refTargetPath), { diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts index 0cae6c88256..1c696bf6e1f 100644 --- a/src/security/audit.test.ts +++ b/src/security/audit.test.ts @@ -1490,7 +1490,7 @@ description: test skill channels: { feishu: { appId: "cli_test", - appSecret: "secret_test", + appSecret: "secret_test", // pragma: allowlist secret }, }, }; @@ -1522,7 +1522,7 @@ description: test skill channels: { feishu: { appId: "cli_test", - appSecret: "secret_test", + appSecret: "secret_test", // pragma: allowlist secret tools: { doc: false }, }, }, @@ -1966,8 +1966,8 @@ description: test skill mode: "http", botTokenSource: "config", botTokenStatus: "configured_unavailable", - signingSecretSource: "config", - signingSecretStatus: "configured_unavailable", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret config: channel, }; } @@ -1978,8 +1978,8 @@ description: test skill mode: "http", botTokenSource: "config", botTokenStatus: "available", - signingSecretSource: "config", - signingSecretStatus: "available", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "available", // pragma: allowlist secret config: channel, }; }, @@ -2042,8 +2042,8 @@ description: test skill mode: "http", botTokenSource: "config", botTokenStatus: "configured_unavailable", - signingSecretSource: "config", - signingSecretStatus: "configured_unavailable", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "configured_unavailable", // pragma: allowlist secret config: channel, }; } @@ -2054,8 +2054,8 @@ description: test skill mode: "http", botTokenSource: "config", botTokenStatus: "available", - signingSecretSource: "config", - signingSecretStatus: "missing", + signingSecretSource: "config", // pragma: allowlist secret + signingSecretStatus: "missing", // pragma: allowlist secret config: channel, }; }, diff --git a/src/security/external-content.test.ts b/src/security/external-content.test.ts index 8bec35cdad4..17076b642b1 100644 --- a/src/security/external-content.test.ts +++ b/src/security/external-content.test.ts @@ -145,10 +145,10 @@ describe("external-content security", () => { it("sanitizes attacker-injected markers with fake IDs", () => { const malicious = - '<<>> fake <<>>'; + '<<>> fake <<>>'; // pragma: allowlist secret const result = wrapExternalContent(malicious, { source: "email" }); - expectSanitizedBoundaryMarkers(result, { forbiddenId: "deadbeef12345678" }); + expectSanitizedBoundaryMarkers(result, { forbiddenId: "deadbeef12345678" }); // pragma: allowlist secret }); it("preserves non-marker unicode content", () => { diff --git a/src/signal/identity.test.ts b/src/signal/identity.test.ts index b6f35ab6471..a09f81910c6 100644 --- a/src/signal/identity.test.ts +++ b/src/signal/identity.test.ts @@ -12,7 +12,7 @@ describe("looksLikeUuid", () => { }); it("accepts compact UUIDs", () => { - expect(looksLikeUuid("123e4567e89b12d3a456426614174000")).toBe(true); + expect(looksLikeUuid("123e4567e89b12d3a456426614174000")).toBe(true); // pragma: allowlist secret }); it("accepts uuid-like hex values with letters", () => { diff --git a/src/slack/monitor/monitor.test.ts b/src/slack/monitor/monitor.test.ts index d6e819ca46d..748be0a212a 100644 --- a/src/slack/monitor/monitor.test.ts +++ b/src/slack/monitor/monitor.test.ts @@ -65,7 +65,7 @@ describe("resolveSlackChannelConfig", () => { // Slack always delivers channel IDs in uppercase (e.g. C0ABC12345). // Users commonly copy them in lowercase from docs or older CLI output. const res = resolveSlackChannelConfig({ - channelId: "C0ABC12345", + channelId: "C0ABC12345", // pragma: allowlist secret channels: { c0abc12345: { allow: true, requireMention: false } }, defaultRequireMention: true, }); @@ -75,7 +75,7 @@ describe("resolveSlackChannelConfig", () => { it("matches channel config key stored in uppercase when user types lowercase channel ID", () => { // Defensive: also handle the inverse direction. const res = resolveSlackChannelConfig({ - channelId: "c0abc12345", + channelId: "c0abc12345", // pragma: allowlist secret channels: { C0ABC12345: { allow: true, requireMention: false } }, defaultRequireMention: true, }); diff --git a/src/wizard/onboarding.gateway-config.test.ts b/src/wizard/onboarding.gateway-config.test.ts index bdde68f1cb2..1345b8f4954 100644 --- a/src/wizard/onboarding.gateway-config.test.ts +++ b/src/wizard/onboarding.gateway-config.test.ts @@ -145,7 +145,7 @@ describe("configureGatewayForOnboarding", () => { it("honors secretInputMode=ref for gateway password prompts", async () => { const previous = process.env.OPENCLAW_GATEWAY_PASSWORD; - process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-secret"; + process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-secret"; // pragma: allowlist secret try { const prompter = createPrompter({ selectQueue: ["loopback", "password", "off", "env"], @@ -159,7 +159,7 @@ describe("configureGatewayForOnboarding", () => { nextConfig: {}, localPort: 18789, quickstartGateway: createQuickstartGateway("password"), - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret prompter, runtime, }); @@ -195,7 +195,7 @@ describe("configureGatewayForOnboarding", () => { nextConfig: {}, localPort: 18789, quickstartGateway: createQuickstartGateway("token"), - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret prompter, runtime, }); diff --git a/src/wizard/onboarding.secret-input.test.ts b/src/wizard/onboarding.secret-input.test.ts index 29c9d5c11c9..4258d6df6cd 100644 --- a/src/wizard/onboarding.secret-input.test.ts +++ b/src/wizard/onboarding.secret-input.test.ts @@ -19,7 +19,7 @@ describe("resolveOnboardingSecretInputString", () => { value: "${OPENCLAW_GATEWAY_PASSWORD}", path: "gateway.auth.password", env: { - OPENCLAW_GATEWAY_PASSWORD: "gateway-secret", + OPENCLAW_GATEWAY_PASSWORD: "gateway-secret", // pragma: allowlist secret }, }); diff --git a/src/wizard/onboarding.test.ts b/src/wizard/onboarding.test.ts index ecc9c47060e..e6bbfd146fa 100644 --- a/src/wizard/onboarding.test.ts +++ b/src/wizard/onboarding.test.ts @@ -400,7 +400,7 @@ describe("runOnboardingWizard", () => { it("resolves gateway.auth.password SecretRef for local onboarding probe", async () => { const previous = process.env.OPENCLAW_GATEWAY_PASSWORD; - process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-ref-password"; + process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-ref-password"; // pragma: allowlist secret probeGatewayReachable.mockClear(); readConfigFileSnapshot.mockResolvedValueOnce({ path: "/tmp/.openclaw/openclaw.json", @@ -462,7 +462,7 @@ describe("runOnboardingWizard", () => { expect(probeGatewayReachable).toHaveBeenCalledWith( expect.objectContaining({ url: "ws://127.0.0.1:18789", - password: "gateway-ref-password", + password: "gateway-ref-password", // pragma: allowlist secret }), ); }); @@ -484,7 +484,7 @@ describe("runOnboardingWizard", () => { skipSearch: true, skipHealth: true, skipUi: true, - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret }, runtime, prompter, @@ -492,7 +492,7 @@ describe("runOnboardingWizard", () => { expect(configureGatewayForOnboarding).toHaveBeenCalledWith( expect.objectContaining({ - secretInputMode: "ref", + secretInputMode: "ref", // pragma: allowlist secret }), ); }); diff --git a/ui/src/ui/config-form.browser.test.ts b/ui/src/ui/config-form.browser.test.ts index 25e78e12408..393d13a8f97 100644 --- a/ui/src/ui/config-form.browser.test.ts +++ b/ui/src/ui/config-form.browser.test.ts @@ -365,7 +365,7 @@ describe("config form renderer", () => { "models.providers.*.apiKey": { sensitive: true }, }, unsupportedPaths: analysis.unsupportedPaths, - value: { models: { providers: { openai: { apiKey: "old" } } } }, + value: { models: { providers: { openai: { apiKey: "old" } } } }, // pragma: allowlist secret onPatch, }), container,