fix: narrow qwen gitleaks allowlist and linux keychain placeholder

MarcoDotIO · MarcoDotIO · commit 059f76319c4e · 2026-03-11T20:49:45.000-04:00
diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml
@@ -0,0 +1,13 @@
+title = "OpenClawKit gitleaks overrides"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Ignore Qwen OAuth reference values and test placeholders"
+stopwords = [
+  "f0304373b74a44d2b584a3fb70ca9e56",
+  "qwen-oauth-token",
+  "fresh-qwen-access",
+  "fresh-qwen-refresh",
+]
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -23,3 +23,5 @@ jobs:
 
       - name: Run gitleaks
         uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_CONFIG: .github/.gitleaks.toml
diff --git a/Sources/OpenClawCore/CredentialStore.swift b/Sources/OpenClawCore/CredentialStore.swift
@@ -257,7 +257,7 @@ public actor KeychainCredentialStore: CredentialStore {
     }
 }
 #else
-/// Non-Apple placeholder that preserves API shape when Security is unavailable.
+/// Non-Apple placeholder when Security is unavailable.
 public actor KeychainCredentialStore: CredentialStore {
     /// Creates a placeholder keychain store.
     /// - Parameters:
@@ -267,7 +267,7 @@ public actor KeychainCredentialStore: CredentialStore {
     public init(
         service _: String = "io.marcodotio.openclawkit.credentials",
         accessGroup _: String? = nil,
-        accessibility _: CFString = "kSecAttrAccessibleWhenUnlockedThisDeviceOnly" as CFString
+        accessibility _: String = "kSecAttrAccessibleWhenUnlockedThisDeviceOnly"
     ) {}
 
     public func saveSecret(_: String, for _: String) async throws {
