diff --git a/src/gateway/connection-auth.test.ts b/src/gateway/connection-auth.test.ts
index 70118ee0d0e..4b4d00e2cd5 100644
--- a/src/gateway/connection-auth.test.ts
+++ b/src/gateway/connection-auth.test.ts
@@ -62,7 +62,7 @@ describe("resolveGatewayConnectionAuth", () => {
       env: DEFAULT_ENV,
       options: {
         localTokenPrecedence: "config-first",
-        localPasswordPrecedence: "config-first",
+        localPasswordPrecedence: "config-first", // pragma: allowlist secret
       },
       expected: {
         token: "config-token",
@@ -84,7 +84,7 @@ describe("resolveGatewayConnectionAuth", () => {
       env: DEFAULT_ENV,
       options: {
         localTokenPrecedence: "env-first",
-        localPasswordPrecedence: "config-first",
+        localPasswordPrecedence: "config-first", // pragma: allowlist secret
       },
       expected: {
         token: "env-token",
@@ -132,7 +132,7 @@ describe("resolveGatewayConnectionAuth", () => {
       env: DEFAULT_ENV,
       options: {
         remoteTokenPrecedence: "env-first",
-        remotePasswordPrecedence: "remote-first",
+        remotePasswordPrecedence: "remote-first", // pragma: allowlist secret
       },
       expected: {
         token: "env-token",
@@ -157,7 +157,7 @@ describe("resolveGatewayConnectionAuth", () => {
       env: DEFAULT_ENV,
       options: {
         remoteTokenFallback: "remote-only",
-        remotePasswordFallback: "remote-only",
+        remotePasswordFallback: "remote-only", // pragma: allowlist secret
       },
       expected: {
         token: "remote-token",
@@ -184,7 +184,7 @@ describe("resolveGatewayConnectionAuth", () => {
       options: {
         modeOverride: "remote",
         remoteTokenPrecedence: "remote-first",
-        remotePasswordPrecedence: "remote-first",
+        remotePasswordPrecedence: "remote-first", // pragma: allowlist secret
       },
       expected: {
         token: "remote-token",
@@ -267,7 +267,7 @@ describe("resolveGatewayConnectionAuth", () => {
     });
     const env = {
       CLAWDBOT_GATEWAY_TOKEN: "legacy-token",
-      LOCAL_SECRET_TOKEN: "resolved-from-secretref",
+      LOCAL_SECRET_TOKEN: "resolved-from-secretref", // pragma: allowlist secret
     } as NodeJS.ProcessEnv;
 
     const resolved = await resolveGatewayConnectionAuth({
@@ -336,7 +336,7 @@ describe("resolveGatewayConnectionAuth", () => {
       config,
       env,
       includeLegacyEnv: false,
-      localPasswordPrecedence: "config-first",
+      localPasswordPrecedence: "config-first", // pragma: allowlist secret
     });
     expect(resolved).toEqual({
       token: undefined,