openclaw
diff --git a/‎.detect-secrets.cfg‎
Lines changed: 2 additions & 4 deletions b/‎.detect-secrets.cfg‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.pre-commit-config.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.secrets.baseline‎
Lines changed: 15 additions & 21 deletions b/‎.secrets.baseline‎
Lines changed: 15 additions & 21 deletions
diff --git a/‎appcast.xml‎
Lines changed: 3 additions & 3 deletions b/‎appcast.xml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎apps/android/app/src/test/java/ai/openclaw/android/voice/TalkModeConfigParsingTest.kt‎
Lines changed: 7 additions & 9 deletions b/‎apps/android/app/src/test/java/ai/openclaw/android/voice/TalkModeConfigParsingTest.kt‎
Lines changed: 7 additions & 9 deletions
diff --git a/‎apps/ios/Sources/Gateway/GatewaySettingsStore.swift‎
Lines changed: 1 addition & 1 deletion b/‎apps/ios/Sources/Gateway/GatewaySettingsStore.swift‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/ios/Tests/TalkModeConfigParsingTests.swift‎
Lines changed: 1 addition & 1 deletion b/‎apps/ios/Tests/TalkModeConfigParsingTests.swift‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/channels/telegram.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/channels/telegram.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/gateway/secrets.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/gateway/secrets.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/platforms/raspberry-pi.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/platforms/raspberry-pi.md‎
Lines changed: 1 addition & 1 deletion
@@ -7,10 +7,6 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
-# Generated output and vendored assets.
-pattern = (^|/)(dist|vendor)/
-# Local config file with allowlist patterns.
-pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
@@ -28,3 +24,5 @@ pattern = "talk\.apiKey"
 pattern = === "string"
 # specific optional-chaining password check that didn't match the line above.
 pattern = typeof remote\?\.password === "string"
+# Docker apt signing key fingerprint constant; not a secret.
+pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
@@ -30,7 +30,7 @@ repos:
           - --baseline
           - .secrets.baseline
           - --exclude-files
-          - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
+          - '(^|/)pnpm-lock\.yaml$'
           - --exclude-lines
           - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
           - --exclude-lines
@@ -47,6 +47,8 @@ repos:
           - '=== "string"'
           - --exclude-lines
           - 'typeof remote\?\.password === "string"'
+          - --exclude-lines
+          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
   # Shell script linting
   - repo: https://github.com/koalaman/shellcheck-precommit
     rev: v0.11.0
 
@@ -141,7 +141,8 @@
         "\"gateway\\.auth\\.password\"",
         "\"talk\\.apiKey\"",
         "=== \"string\"",
-        "typeof remote\\?\\.password === \"string\""
+        "typeof remote\\?\\.password === \"string\"",
+        "OPENCLAW_DOCKER_GPG_FINGERPRINT="
       ]
     }
   ],
@@ -152,14 +153,14 @@
         "filename": ".detect-secrets.cfg",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 17
+        "line_number": 13
       },
       {
         "type": "Secret Keyword",
         "filename": ".detect-secrets.cfg",
         "hashed_secret": "fe88fceb47e040ba1bfafa4ac639366188df2f6d",
         "is_verified": false,
-        "line_number": 19
+        "line_number": 15
       }
     ],
     "appcast.xml": [
@@ -12387,21 +12388,14 @@
         "filename": "src/config/schema.help.ts",
         "hashed_secret": "9f4cda226d3868676ac7f86f59e4190eb94bd208",
         "is_verified": false,
-        "line_number": 109
+        "line_number": 647
       },
       {
         "type": "Secret Keyword",
         "filename": "src/config/schema.help.ts",
         "hashed_secret": "01822c8bbf6a8b136944b14182cb885100ec2eae",
         "is_verified": false,
-        "line_number": 130
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "src/config/schema.help.ts",
-        "hashed_secret": "bb7dfd9746e660e4a4374951ec5938ef0e343255",
-        "is_verified": false,
-        "line_number": 187
+        "line_number": 678
       }
     ],
     "src/config/schema.irc.ts": [
@@ -12720,21 +12714,21 @@
         "filename": "src/infra/provider-usage.auth.normalizes-keys.test.ts",
         "hashed_secret": "45c7365e3b542cdb4fae6ec10c2ff149224d7656",
         "is_verified": false,
-        "line_number": 80
+        "line_number": 123
       },
       {
         "type": "Secret Keyword",
         "filename": "src/infra/provider-usage.auth.normalizes-keys.test.ts",
         "hashed_secret": "b67074884ab7ef7c7a8cd6a3da9565d96c792248",
         "is_verified": false,
-        "line_number": 81
+        "line_number": 124
       },
       {
         "type": "Secret Keyword",
         "filename": "src/infra/provider-usage.auth.normalizes-keys.test.ts",
         "hashed_secret": "d4d8027e64f9cf4180d3aecfe31ea409368022ee",
         "is_verified": false,
-        "line_number": 82
+        "line_number": 125
       }
     ],
     "src/infra/shell-env.test.ts": [
@@ -12900,7 +12894,7 @@
         "filename": "src/media-understanding/runner.auto-audio.test.ts",
         "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
         "is_verified": false,
-        "line_number": 40
+        "line_number": 23
       }
     ],
     "src/media-understanding/runner.deepgram.test.ts": [
@@ -12934,21 +12928,21 @@
         "filename": "src/memory/embeddings.test.ts",
         "hashed_secret": "a47110e348a3063541fb1f1f640d635d457181a0",
         "is_verified": false,
-        "line_number": 45
+        "line_number": 47
       },
       {
         "type": "Secret Keyword",
         "filename": "src/memory/embeddings.test.ts",
         "hashed_secret": "c734e47630dda71619c696d88381f06f7511bd78",
         "is_verified": false,
-        "line_number": 160
+        "line_number": 195
       },
       {
         "type": "Secret Keyword",
         "filename": "src/memory/embeddings.test.ts",
         "hashed_secret": "56e1d57b8db262b08bc73c60ed08d8c92e59503f",
         "is_verified": false,
-        "line_number": 189
+        "line_number": 291
       }
     ],
     "src/pairing/pairing-store.ts": [
@@ -13060,7 +13054,7 @@
         "filename": "src/tui/gateway-chat.test.ts",
         "hashed_secret": "6255675480f681df08c1704b7b3cd2c49917f0e2",
         "is_verified": false,
-        "line_number": 85
+        "line_number": 60
       }
     ],
     "src/web/login.test.ts": [
@@ -13100,5 +13094,5 @@
       }
     ]
   },
-  "generated_at": "2026-02-17T13:34:38Z"
+  "generated_at": "2026-03-07T00:11:03Z"
 }
@@ -219,7 +219,7 @@
 </ul>
 <p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
 ]]></description>
-            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.3.2/OpenClaw-2026.3.2.zip" length="23181513" type="application/octet-stream" sparkle:edSignature="THMgkcoMgz2vv5zse3Po3K7l3Or2RhBKurXZIi8iYVXN76yJy1YXAY6kXi6ovD+dbYn68JKYDIKA1Ya78bO7BQ=="/>
+            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.3.2/OpenClaw-2026.3.2.zip" length="23181513" type="application/octet-stream" sparkle:edSignature="THMgkcoMgz2vv5zse3Po3K7l3Or2RhBKurXZIi8iYVXN76yJy1YXAY6kXi6ovD+dbYn68JKYDIKA1Ya78bO7BQ=="/> <!-- pragma: allowlist secret -->
         </item>
         <item>
             <title>2026.3.1</title>
@@ -357,7 +357,7 @@
 </ul>
 <p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
 ]]></description>
-            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.3.1/OpenClaw-2026.3.1.zip" length="12804155" type="application/octet-stream" sparkle:edSignature="TF1otD4Vk3pG0iViX7mvix5DQEgAsk4JkSFvH7opjf9aawV16f29SUa2wRmiCFU6HEgyNgnGI/078O+A27eXCA=="/>
+            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.3.1/OpenClaw-2026.3.1.zip" length="12804155" type="application/octet-stream" sparkle:edSignature="TF1otD4Vk3pG0iViX7mvix5DQEgAsk4JkSFvH7opjf9aawV16f29SUa2wRmiCFU6HEgyNgnGI/078O+A27eXCA=="/> <!-- pragma: allowlist secret -->
         </item>
     </channel>
-</rss>
+</rss>
@@ -1,8 +1,10 @@
 package ai.openclaw.android.voice
 
 import kotlinx.serialization.json.Json
+import kotlinx.serialization.json.buildJsonObject
 import kotlinx.serialization.json.jsonPrimitive
 import kotlinx.serialization.json.jsonObject
+import kotlinx.serialization.json.put
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertNotNull
 import org.junit.Assert.assertTrue
@@ -38,16 +40,12 @@ class TalkModeConfigParsingTest {
 
   @Test
   fun fallsBackToLegacyTalkFieldsWhenNormalizedPayloadMissing() {
+    val legacyApiKey = "legacy-key" // pragma: allowlist secret
     val talk =
-      json.parseToJsonElement(
-          """
-          {
-            "voiceId": "voice-legacy",
-            "apiKey": "legacy-key"
-          }
-          """.trimIndent(),
-        )
-        .jsonObject
+      buildJsonObject {
+        put("voiceId", "voice-legacy")
+        put("apiKey", legacyApiKey) // pragma: allowlist secret
+      }
 
     val selection = TalkModeManager.selectTalkProviderConfig(talk)
     assertNotNull(selection)
 
@@ -26,7 +26,7 @@ enum GatewaySettingsStore {
     private static let preferredGatewayStableIDAccount = "preferredStableID"
     private static let lastDiscoveredGatewayStableIDAccount = "lastDiscoveredStableID"
     private static let lastGatewayConnectionAccount = "lastConnection"
-    private static let talkProviderApiKeyAccountPrefix = "provider.apiKey."
+    private static let talkProviderApiKeyAccountPrefix = "provider.apiKey." // pragma: allowlist secret
 
     static func bootstrapPersistence() {
         self.ensureStableInstanceID()
 
@@ -23,7 +23,7 @@ import Testing
     @Test func ignoresLegacyTalkFieldsWhenNormalizedPayloadMissing() {
         let talk: [String: Any] = [
             "voiceId": "voice-legacy",
-            "apiKey": "legacy-key",
+            "apiKey": "legacy-key", // pragma: allowlist secret
         ]
 
         let selection = TalkModeManager.selectTalkProviderConfig(talk)
 
@@ -804,7 +804,7 @@ openclaw message poll --channel telegram --target -1001234567890:topic:42 \
 ```yaml
 channels:
   telegram:
-    proxy: socks5://user:pass@proxy-host:1080
+    proxy: socks5://<user>:<password>@proxy-host:1080
 ```
 
     - Node 22+ defaults to `autoSelectFamily=true` (except WSL2) and `dnsResultOrder=ipv4first`.
 
@@ -179,8 +179,8 @@ Request payload (stdin):
 
 Response payload (stdout):
 
-```json
-{ "protocolVersion": 1, "values": { "providers/openai/apiKey": "sk-..." } }
+```jsonc
+{ "protocolVersion": 1, "values": { "providers/openai/apiKey": "<openai-api-key>" } } // pragma: allowlist secret
 ```
 
 Optional per-id errors:
 
@@ -197,7 +197,7 @@ See [Pi USB boot guide](https://www.raspberrypi.com/documentation/computers/rasp
 On lower-power Pi hosts, enable Node's module compile cache so repeated CLI runs are faster:
 
 ```bash
-grep -q 'NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc || cat >> ~/.bashrc <<'EOF'
+grep -q 'NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc || cat >> ~/.bashrc <<'EOF' # pragma: allowlist secret
 export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
 mkdir -p /var/tmp/openclaw-compile-cache
 export OPENCLAW_NO_RESPAWN=1
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ import Testing`
`23`	`23`	`@Test func ignoresLegacyTalkFieldsWhenNormalizedPayloadMissing() {`
`24`	`24`	`let talk: [String: Any] = [`
`25`	`25`	`"voiceId": "voice-legacy",`
`26`		`- "apiKey": "legacy-key",`
	`26`	`+ "apiKey": "legacy-key", // pragma: allowlist secret`
`27`	`27`	`]`
`28`	`28`
`29`	`29`	`let selection = TalkModeManager.selectTalkProviderConfig(talk)`