From 630485ac989a7ad2ef1d41d6d506ddddde45874c Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sat, 7 Mar 2026 17:31:24 +0000
Subject: [PATCH] fix(ci): harden diffs viewer request guard and secret scan
 baseline

---
 .secrets.baseline          | 12 ++++++------
 apps/ios/fastlane/Fastfile |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 11a5d0f6cc3..df8df6827f1 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -12342,21 +12342,21 @@
         "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
         "hashed_secret": "0091061a3babbe6f11d48aa0142e22341b3ea446",
         "is_verified": false,
-        "line_number": 665
+        "line_number": 700
       },
       {
         "type": "Hex High Entropy String",
         "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
         "hashed_secret": "ef678205593788329ff416ce5c65fa04f33a05bd",
         "is_verified": false,
-        "line_number": 811
+        "line_number": 846
       },
       {
         "type": "Secret Keyword",
         "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
         "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd",
         "is_verified": false,
-        "line_number": 1490
+        "line_number": 1525
       }
     ],
     "src/agents/sandbox/browser.novnc-url.test.ts": [
@@ -13026,14 +13026,14 @@
         "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts",
         "hashed_secret": "01800a0712a2a1aa928b95c4745e9ee06673925b",
         "is_verified": false,
-        "line_number": 163
+        "line_number": 153
       },
       {
         "type": "Secret Keyword",
         "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts",
         "hashed_secret": "8d2ce71c6723bf46f6c166984b4ddb597f92322a",
         "is_verified": false,
-        "line_number": 190
+        "line_number": 180
       }
     ],
     "src/commands/onboard-auth.config-minimax.ts": [
@@ -14725,5 +14725,5 @@
       }
     ]
   },
-  "generated_at": "2026-03-07T16:49:39Z"
+  "generated_at": "2026-03-07T17:11:52Z"
 }
diff --git a/apps/ios/fastlane/Fastfile b/apps/ios/fastlane/Fastfile
index 942939bb591..83eb55b59aa 100644
--- a/apps/ios/fastlane/Fastfile
+++ b/apps/ios/fastlane/Fastfile
@@ -38,7 +38,7 @@ def maybe_decode_hex_keychain_secret(value)
 
     # `security find-generic-password -w` can return hex when the stored secret
     # includes newlines/non-printable bytes (like PEM files).
-    if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY")
+    if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY") # pragma: allowlist secret
       UI.message("Decoded hex-encoded ASC key content from Keychain.")
       return decoded
     end