chore(security): remove stale secret baseline

.detect-secrets.cfg

@@ -1,45 +0,0 @@
-# detect-secrets exclusion patterns (regex)
-#
-# Note: detect-secrets does not read this file by default. If you want these
-# applied, wire them into your scan command (e.g. translate to --exclude-files
-# / --exclude-lines) or into a baseline's filters_used.
-
-[exclude-files]
-# pnpm lockfiles contain lots of high-entropy package integrity blobs.
-pattern = (^|/)pnpm-lock\.yaml$
-
-[exclude-lines]
-# Fastlane checks for private key marker; not a real key.
-pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
-# UI label string for Anthropic auth mode.
-pattern = case \.apiKeyEnv: "API key \(env var\)"
-# CodingKeys mapping uses apiKey literal.
-pattern = case apikey = "apiKey"
-# Schema labels referencing password fields (not actual secrets).
-pattern = "gateway\.remote\.password"
-pattern = "gateway\.auth\.password"
-# Schema label for talk API key (label text only).
-pattern = "talk\.apiKey"
-# checking for typeof is not something we care about.
-pattern = === "string"
-# specific optional-chaining password check that didn't match the line above.
-pattern = typeof remote\?\.password === "string"
-# Docker apt signing key fingerprint constant; not a secret.
-pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
-# Credential matrix metadata field in docs JSON; not a secret value.
-pattern = "secretShape": "(secret_input|sibling_ref)"
-# Docs line describing API key rotation knobs; not a credential.
-pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
-# Docs line describing remote password precedence; not a credential.
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
-# Test fixture starts a multiline fake private key; detector should ignore the header line.
-pattern = const key = `-----BEGIN PRIVATE KEY-----
-# Docs examples: literal placeholder API key snippets and shell heredoc helper.
-pattern = export CUSTOM_API_K[E]Y="your-key"
-pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
-pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
-pattern = "ap[i]Key": "xxxxx",
-pattern = ap[i]Key: "A[I]za\.\.\.",
-# Sparkle appcast signatures are release metadata, not credentials.
-pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"

.pre-commit-config.yaml

@@ -19,60 +19,7 @@ repos:
         args: [--maxkb=500]
       - id: check-merge-conflict
       - id: detect-private-key
-        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'
-
-  # Secret detection (same as CI)
-  - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.5.0
-    hooks:
-      - id: detect-secrets
-        args:
-          - --baseline
-          - .secrets.baseline
-          - --exclude-files
-          - '(^|/)pnpm-lock\.yaml$'
-          - --exclude-lines
-          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
-          - --exclude-lines
-          - 'case \.apiKeyEnv: "API key \(env var\)"'
-          - --exclude-lines
-          - 'case apikey = "apiKey"'
-          - --exclude-lines
-          - '"gateway\.remote\.password"'
-          - --exclude-lines
-          - '"gateway\.auth\.password"'
-          - --exclude-lines
-          - '"talk\.apiKey"'
-          - --exclude-lines
-          - '=== "string"'
-          - --exclude-lines
-          - 'typeof remote\?\.password === "string"'
-          - --exclude-lines
-          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
-          - --exclude-lines
-          - '"secretShape": "(secret_input|sibling_ref)"'
-          - --exclude-lines
-          - 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
-          - --exclude-lines
-          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
-          - --exclude-lines
-          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
-          - --exclude-files
-          - '^src/gateway/client\.watchdog\.test\.ts$'
-          - --exclude-lines
-          - 'export CUSTOM_API_K[E]Y="your-key"'
-          - --exclude-lines
-          - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
-          - --exclude-lines
-          - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
-          - --exclude-lines
-          - '"ap[i]Key": "xxxxx"(,)?'
-          - --exclude-lines
-          - 'ap[i]Key: "A[I]za\.\.\.",'
-          - --exclude-lines
-          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
-          - --exclude-lines
-          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
+        exclude: '(^|/)(\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'
   # Shell script linting
   - repo: https://github.com/koalaman/shellcheck-precommit
     rev: v0.11.0

SECURITY.md

@@ -344,13 +344,12 @@ OpenClaw uses several security and release-validation layers. No single scanner
 
 ### Secret Detection
 
-OpenClaw uses `detect-secrets` with a checked-in baseline and local exclusion notes (`.secrets.baseline`, `.detect-secrets.cfg`). Secret-resolution behavior is also covered by the dedicated secrets test surface.
+OpenClaw runs the pre-commit `detect-private-key` hook in CI and keeps secret-resolution behavior covered by the dedicated secrets test surface.
 
-Run the baseline scan locally:
+Run the key scan locally:
 
 ```bash
-pip install detect-secrets==1.5.0
-detect-secrets scan --baseline .secrets.baseline
+pre-commit run --all-files detect-private-key
 ```
 
 ### Static Analysis

docs/gateway/security/index.md

@@ -1293,38 +1293,14 @@ If your AI does something bad:
 - What the attacker sent + what the agent did
 - Whether the Gateway was exposed beyond loopback (LAN/Tailscale Funnel/Serve)
 
-## Secret scanning with detect-secrets
+## Secret scanning
 
-CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
-Pushes to `main` always run an all-files scan. Pull requests use a changed-file
-fast path when a base commit is available, and fall back to an all-files scan
-otherwise. If it fails, there are new candidates not yet in the baseline.
+CI runs the pre-commit `detect-private-key` hook over the repository. If it
+fails, remove or rotate the committed key material, then reproduce locally:
 
-### If CI fails
-
-1. Reproduce locally:
-
-   ```bash
-   pre-commit run --all-files detect-secrets
-   ```
-
-2. Understand the tools:
-   - `detect-secrets` in pre-commit runs `detect-secrets-hook` with the repo's
-     baseline and excludes.
-   - `detect-secrets audit` opens an interactive review to mark each baseline
-     item as real or false positive.
-3. For real secrets: rotate/remove them, then re-run the scan to update the baseline.
-4. For false positives: run the interactive audit and mark them as false:
-
-   ```bash
-   detect-secrets audit .secrets.baseline
-   ```
-
-5. If you need new excludes, add them to `.detect-secrets.cfg` and regenerate the
-   baseline with matching `--exclude-files` / `--exclude-lines` flags (the config
-   file is reference-only; detect-secrets doesn’t read it automatically).
-
-Commit the updated `.secrets.baseline` once it reflects the intended state.
+```bash
+pre-commit run --all-files detect-private-key
+```
 
 ## Reporting security issues