CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift

docs/tools/web.md

@@ -104,7 +104,7 @@ Brave provides paid plans; check the Brave API portal for the current limits and
       search: {
         enabled: true,
         provider: "brave",
-        apiKey: "BSA...", // optional if BRAVE_API_KEY is set
+        apiKey: "BSA...", // pragma: allowlist secret; optional if BRAVE_API_KEY is set
       },
     },
   },
@@ -132,7 +132,7 @@ which returns AI-synthesized answers backed by live Google Search results with c
         provider: "gemini",
         gemini: {
           // API key (optional if GEMINI_API_KEY is set)
-          apiKey: "AIza...",
+          apiKey: "AIza...", // pragma: allowlist secret
           // Model (defaults to "gemini-2.5-flash")
           model: "gemini-2.5-flash",
         },