CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift
Vincent Koc
2026-03-07 13:06:35 -05:00
committed by GitHub
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions


@@ -45,8 +45,8 @@ describe("resolveDefaultFeishuAccountId", () => {
feishu: {
defaultAccount: "router-d",
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
"router-d": { appId: "cli_router", appSecret: "secret_router" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
"router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret
},
},
},
@@ -61,7 +61,7 @@ describe("resolveDefaultFeishuAccountId", () => {
feishu: {
defaultAccount: "Router D",
accounts: {
"router-d": { appId: "cli_router", appSecret: "secret_router" },
"router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret
},
},
},
@@ -76,8 +76,8 @@ describe("resolveDefaultFeishuAccountId", () => {
feishu: {
defaultAccount: "router-d",
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
zeta: { appId: "cli_zeta", appSecret: "secret_zeta" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, // pragma: allowlist secret
},
},
},
@@ -91,8 +91,8 @@ describe("resolveDefaultFeishuAccountId", () => {
channels: {
feishu: {
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
zeta: { appId: "cli_zeta", appSecret: "secret_zeta" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
zeta: { appId: "cli_zeta", appSecret: "secret_zeta" }, // pragma: allowlist secret
},
},
},
@@ -119,7 +119,7 @@ describe("resolveDefaultFeishuAccountId", () => {
channels: {
feishu: {
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
},
},
},
@@ -178,7 +178,7 @@ describe("resolveFeishuCredentials", () => {
expect(creds).toEqual({
appId: "cli_123",
appSecret: "secret_from_env",
appSecret: "secret_from_env", // pragma: allowlist secret
encryptKey: undefined,
verificationToken: undefined,
domain: "feishu",
@@ -235,7 +235,7 @@ describe("resolveFeishuCredentials", () => {
expect(creds).toEqual({
appId: "cli_123",
appSecret: "secret_456",
appSecret: "secret_456", // pragma: allowlist secret
encryptKey: "enc",
verificationToken: "vt",
domain: "feishu",
@@ -250,9 +250,9 @@ describe("resolveFeishuAccount", () => {
feishu: {
defaultAccount: "router-d",
appId: "top_level_app",
appSecret: "top_level_secret",
appSecret: "top_level_secret", // pragma: allowlist secret
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
},
},
},
@@ -272,7 +272,7 @@ describe("resolveFeishuAccount", () => {
defaultAccount: "router-d",
accounts: {
default: { enabled: true },
"router-d": { appId: "cli_router", appSecret: "secret_router", enabled: true },
"router-d": { appId: "cli_router", appSecret: "secret_router", enabled: true }, // pragma: allowlist secret
},
},
},
@@ -291,8 +291,8 @@ describe("resolveFeishuAccount", () => {
feishu: {
defaultAccount: "router-d",
accounts: {
default: { appId: "cli_default", appSecret: "secret_default" },
"router-d": { appId: "cli_router", appSecret: "secret_router" },
default: { appId: "cli_default", appSecret: "secret_default" }, // pragma: allowlist secret
"router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret
},
},
},
@@ -334,7 +334,7 @@ describe("resolveFeishuAccount", () => {
main: {
name: { bad: true },
appId: "cli_123",
appSecret: "secret_456",
appSecret: "secret_456", // pragma: allowlist secret
} as never,
},
},
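Review bot: The trailing `// pragma: allowlist secret` turns off every detect-secrets plugin for the whole line it sits on, and this section needs it on sixteen lines because the same placeholder literal is spelled out in hunk after hunk (`default: { appId: "cli_default", appSecret: "secret_default" }` appears in six of them). A real credential later pasted into any annotated line would pass the scan, so the fewer annotated lines the better. Consider declaring the placeholder accounts once near the top of the test file, e.g. `const DEFAULT_ACCOUNT = { appId: "cli_default", appSecret: "secret_default" }; // pragma: allowlist secret`, and referencing that constant in the fixtures; the probeFeishu test section has the same repetition with `{ appId: "cli_123", appSecret: "secret" }`. The describe blocks these hunks belong to start and end outside the visible lines, so confirm no test mutates the fixture before sharing it.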


@@ -1088,7 +1088,7 @@ describe("handleFeishuMessage command authorization", () => {
channels: {
feishu: {
appId: "cli_test",
appSecret: "sec_test",
appSecret: "sec_test", // pragma: allowlist secret
groups: {
"oc-group": {
requireMention: false,
@@ -1151,7 +1151,7 @@ describe("handleFeishuMessage command authorization", () => {
channels: {
feishu: {
appId: "cli_scope_bug",
appSecret: "sec_scope_bug",
appSecret: "sec_scope_bug", // pragma: allowlist secret
groups: {
"oc-group": {
requireMention: false,


@@ -29,7 +29,7 @@ describe("registerFeishuChatTools", () => {
feishu: {
enabled: true,
appId: "app_id",
appSecret: "app_secret",
appSecret: "app_secret", // pragma: allowlist secret
tools: { chat: true },
},
},
@@ -76,7 +76,7 @@ describe("registerFeishuChatTools", () => {
feishu: {
enabled: true,
appId: "app_id",
appSecret: "app_secret",
appSecret: "app_secret", // pragma: allowlist secret
tools: { chat: false },
},
},


@@ -59,7 +59,7 @@ const baseAccount: ResolvedFeishuAccount = {
enabled: true,
configured: true,
appId: "app_123",
appSecret: "secret_123",
appSecret: "secret_123", // pragma: allowlist secret
domain: "feishu",
config: {} as FeishuConfig,
};
@@ -120,7 +120,7 @@ describe("createFeishuClient HTTP timeout", () => {
};
it("passes a custom httpInstance with default timeout to Lark.Client", () => {
createFeishuClient({ appId: "app_1", appSecret: "secret_1", accountId: "timeout-test" });
createFeishuClient({ appId: "app_1", appSecret: "secret_1", accountId: "timeout-test" }); // pragma: allowlist secret
const calls = (LarkClient as unknown as ReturnType<typeof vi.fn>).mock.calls;
const lastCall = calls[calls.length - 1][0] as { httpInstance?: unknown };
@@ -128,7 +128,7 @@ describe("createFeishuClient HTTP timeout", () => {
});
it("injects default timeout into HTTP request options", async () => {
createFeishuClient({ appId: "app_2", appSecret: "secret_2", accountId: "timeout-inject" });
createFeishuClient({ appId: "app_2", appSecret: "secret_2", accountId: "timeout-inject" }); // pragma: allowlist secret
const calls = (LarkClient as unknown as ReturnType<typeof vi.fn>).mock.calls;
const lastCall = calls[calls.length - 1][0] as {
@@ -150,7 +150,7 @@ describe("createFeishuClient HTTP timeout", () => {
});
it("allows explicit timeout override per-request", async () => {
createFeishuClient({ appId: "app_3", appSecret: "secret_3", accountId: "timeout-override" });
createFeishuClient({ appId: "app_3", appSecret: "secret_3", accountId: "timeout-override" }); // pragma: allowlist secret
const calls = (LarkClient as unknown as ReturnType<typeof vi.fn>).mock.calls;
const lastCall = calls[calls.length - 1][0] as {
@@ -169,7 +169,7 @@ describe("createFeishuClient HTTP timeout", () => {
it("uses config-configured default timeout when provided", async () => {
createFeishuClient({
appId: "app_4",
appSecret: "secret_4",
appSecret: "secret_4", // pragma: allowlist secret
accountId: "timeout-config",
config: { httpTimeoutMs: 45_000 },
});
@@ -180,7 +180,7 @@ describe("createFeishuClient HTTP timeout", () => {
it("falls back to default timeout when configured timeout is invalid", async () => {
createFeishuClient({
appId: "app_5",
appSecret: "secret_5",
appSecret: "secret_5", // pragma: allowlist secret
accountId: "timeout-config-invalid",
config: { httpTimeoutMs: -1 },
});
@@ -193,7 +193,7 @@ describe("createFeishuClient HTTP timeout", () => {
createFeishuClient({
appId: "app_8",
appSecret: "secret_8",
appSecret: "secret_8", // pragma: allowlist secret
accountId: "timeout-env-override",
config: { httpTimeoutMs: 45_000 },
});
@@ -206,7 +206,7 @@ describe("createFeishuClient HTTP timeout", () => {
createFeishuClient({
appId: "app_10",
appSecret: "secret_10",
appSecret: "secret_10", // pragma: allowlist secret
accountId: "timeout-direct-override",
httpTimeoutMs: 120_000,
config: { httpTimeoutMs: 45_000 },
@@ -220,7 +220,7 @@ describe("createFeishuClient HTTP timeout", () => {
createFeishuClient({
appId: "app_9",
appSecret: "secret_9",
appSecret: "secret_9", // pragma: allowlist secret
accountId: "timeout-env-clamp",
});
@@ -230,13 +230,13 @@ describe("createFeishuClient HTTP timeout", () => {
it("recreates cached client when configured timeout changes", async () => {
createFeishuClient({
appId: "app_6",
appSecret: "secret_6",
appSecret: "secret_6", // pragma: allowlist secret
accountId: "timeout-cache-change",
config: { httpTimeoutMs: 30_000 },
});
createFeishuClient({
appId: "app_6",
appSecret: "secret_6",
appSecret: "secret_6", // pragma: allowlist secret
accountId: "timeout-cache-change",
config: { httpTimeoutMs: 45_000 },
});
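Review bot: In the three one-line calls such as `createFeishuClient({ appId: "app_1", appSecret: "secret_1", accountId: "timeout-test" }); // pragma: allowlist secret` the pragma follows the closing `);`, so it only covers the secret while the whole call stays on one line. If the formatter ever wraps that call, `appSecret` would land on a line without the pragma and the scan would flag it again, which looks like the drift the commit message mentions. The later hunks in this section already use the sturdier shape, with the argument object split over lines and the pragma on the `appSecret:` line itself (`appSecret: "secret_4", // pragma: allowlist secret`); writing the three one-line calls the same way would keep the suppression attached to the value it is meant for. The `it(...)` bodies continue outside the hunks.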


@@ -36,7 +36,7 @@ describe("FeishuConfigSchema webhook validation", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
appId: "cli_top",
appSecret: "secret_top",
appSecret: "secret_top", // pragma: allowlist secret
});
expect(result.success).toBe(false);
@@ -52,7 +52,7 @@ describe("FeishuConfigSchema webhook validation", () => {
connectionMode: "webhook",
verificationToken: "token_top",
appId: "cli_top",
appSecret: "secret_top",
appSecret: "secret_top", // pragma: allowlist secret
});
expect(result.success).toBe(true);
@@ -64,7 +64,7 @@ describe("FeishuConfigSchema webhook validation", () => {
main: {
connectionMode: "webhook",
appId: "cli_main",
appSecret: "secret_main",
appSecret: "secret_main", // pragma: allowlist secret
},
},
});
@@ -86,7 +86,7 @@ describe("FeishuConfigSchema webhook validation", () => {
main: {
connectionMode: "webhook",
appId: "cli_main",
appSecret: "secret_main",
appSecret: "secret_main", // pragma: allowlist secret
},
},
});
@@ -171,7 +171,7 @@ describe("FeishuConfigSchema defaultAccount", () => {
const result = FeishuConfigSchema.safeParse({
defaultAccount: "router-d",
accounts: {
"router-d": { appId: "cli_router", appSecret: "secret_router" },
"router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret
},
});
@@ -182,7 +182,7 @@ describe("FeishuConfigSchema defaultAccount", () => {
const result = FeishuConfigSchema.safeParse({
defaultAccount: "router-d",
accounts: {
backup: { appId: "cli_backup", appSecret: "secret_backup" },
backup: { appId: "cli_backup", appSecret: "secret_backup" }, // pragma: allowlist secret
},
});


@@ -27,8 +27,8 @@ describe("feishu_doc account selection", () => {
feishu: {
enabled: true,
accounts: {
a: { appId: "app-a", appSecret: "sec-a", tools: { doc: true } },
b: { appId: "app-b", appSecret: "sec-b", tools: { doc: true } },
a: { appId: "app-a", appSecret: "sec-a", tools: { doc: true } }, // pragma: allowlist secret
b: { appId: "app-b", appSecret: "sec-b", tools: { doc: true } }, // pragma: allowlist secret
},
},
},


@@ -73,7 +73,7 @@ function buildConfig(params: {
[params.accountId]: {
enabled: true,
appId: "cli_test",
appSecret: "secret_test",
appSecret: "secret_test", // pragma: allowlist secret
connectionMode: "webhook",
webhookHost: "127.0.0.1",
webhookPort: params.port,


@@ -34,7 +34,7 @@ describe("probeFeishu", () => {
});
it("returns error when appId is missing", async () => {
const result = await probeFeishu({ appSecret: "secret" } as never);
const result = await probeFeishu({ appSecret: "secret" } as never); // pragma: allowlist secret
expect(result).toEqual({ ok: false, error: "missing credentials (appId, appSecret)" });
});
@@ -49,7 +49,7 @@ describe("probeFeishu", () => {
bot: { bot_name: "TestBot", open_id: "ou_abc123" },
});
const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" });
const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(result).toEqual({
ok: true,
appId: "cli_123",
@@ -65,7 +65,7 @@ describe("probeFeishu", () => {
bot: { bot_name: "TestBot", open_id: "ou_abc123" },
});
await probeFeishu({ appId: "cli_123", appSecret: "secret" });
await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledWith(
expect.objectContaining({
@@ -98,7 +98,7 @@ describe("probeFeishu", () => {
abortController.abort();
const result = await probeFeishu(
{ appId: "cli_123", appSecret: "secret" },
{ appId: "cli_123", appSecret: "secret" }, // pragma: allowlist secret
{ abortSignal: abortController.signal },
);
@@ -111,7 +111,7 @@ describe("probeFeishu", () => {
bot: { bot_name: "TestBot", open_id: "ou_abc123" },
});
const creds = { appId: "cli_123", appSecret: "secret" };
const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret
const first = await probeFeishu(creds);
const second = await probeFeishu(creds);
@@ -128,7 +128,7 @@ describe("probeFeishu", () => {
bot: { bot_name: "TestBot", open_id: "ou_abc123" },
});
const creds = { appId: "cli_123", appSecret: "secret" };
const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret
await probeFeishu(creds);
expect(requestFn).toHaveBeenCalledTimes(1);
@@ -148,7 +148,7 @@ describe("probeFeishu", () => {
const requestFn = makeRequestFn({ code: 99, msg: "token expired" });
createFeishuClientMock.mockReturnValue({ request: requestFn });
const creds = { appId: "cli_123", appSecret: "secret" };
const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret
const first = await probeFeishu(creds);
const second = await probeFeishu(creds);
expect(first).toMatchObject({ ok: false, error: "API error: token expired" });
@@ -170,7 +170,7 @@ describe("probeFeishu", () => {
const requestFn = vi.fn().mockRejectedValue(new Error("network error"));
createFeishuClientMock.mockReturnValue({ request: requestFn });
const creds = { appId: "cli_123", appSecret: "secret" };
const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret
const first = await probeFeishu(creds);
const second = await probeFeishu(creds);
expect(first).toMatchObject({ ok: false, error: "network error" });
@@ -192,15 +192,15 @@ describe("probeFeishu", () => {
bot: { bot_name: "Bot1", open_id: "ou_1" },
});
await probeFeishu({ appId: "cli_aaa", appSecret: "s1" });
await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(1);
// Different appId should trigger a new API call
await probeFeishu({ appId: "cli_bbb", appSecret: "s2" });
await probeFeishu({ appId: "cli_bbb", appSecret: "s2" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(2);
// Same appId + appSecret as first call should return cached
await probeFeishu({ appId: "cli_aaa", appSecret: "s1" });
await probeFeishu({ appId: "cli_aaa", appSecret: "s1" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(2);
});
@@ -211,12 +211,12 @@ describe("probeFeishu", () => {
});
// First account with appId + secret A
await probeFeishu({ appId: "cli_shared", appSecret: "secret_aaa" });
await probeFeishu({ appId: "cli_shared", appSecret: "secret_aaa" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(1);
// Second account with same appId but different secret (e.g. after rotation)
// must NOT reuse the cached result
await probeFeishu({ appId: "cli_shared", appSecret: "secret_bbb" });
await probeFeishu({ appId: "cli_shared", appSecret: "secret_bbb" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(2);
});
@@ -227,14 +227,14 @@ describe("probeFeishu", () => {
});
// Two accounts with same appId+appSecret but different accountIds are cached separately
await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" });
await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(1);
await probeFeishu({ accountId: "acct-2", appId: "cli_123", appSecret: "secret" });
await probeFeishu({ accountId: "acct-2", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(2);
// Same accountId should return cached
await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" });
await probeFeishu({ accountId: "acct-1", appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(requestFn).toHaveBeenCalledTimes(2);
});
@@ -244,7 +244,7 @@ describe("probeFeishu", () => {
bot: { bot_name: "TestBot", open_id: "ou_abc123" },
});
const creds = { appId: "cli_123", appSecret: "secret" };
const creds = { appId: "cli_123", appSecret: "secret" }; // pragma: allowlist secret
await probeFeishu(creds);
expect(requestFn).toHaveBeenCalledTimes(1);
@@ -260,7 +260,7 @@ describe("probeFeishu", () => {
data: { bot: { bot_name: "DataBot", open_id: "ou_data" } },
});
const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" });
const result = await probeFeishu({ appId: "cli_123", appSecret: "secret" }); // pragma: allowlist secret
expect(result).toEqual({
ok: true,
appId: "cli_123",


@@ -35,12 +35,12 @@ function createConfig(params: {
accounts: {
a: {
appId: "app-a",
appSecret: "sec-a",
appSecret: "sec-a", // pragma: allowlist secret
tools: params.toolsA,
},
b: {
appId: "app-b",
appSecret: "sec-b",
appSecret: "sec-b", // pragma: allowlist secret
tools: params.toolsB,
},
},