From b008989bef0747c49b9beecc7221f643d60e7e24 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 28 May 2026 11:34:32 +0200
Subject: [PATCH] fix(security): address OpenClaw CodeQL alerts
---
 .github/workflows/mantis-telegram-desktop-proof.yml | 1 +
 src/agents/auth-profiles/legacy-oauth-sidecar.ts | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/mantis-telegram-desktop-proof.yml b/.github/workflows/mantis-telegram-desktop-proof.yml
index b505924dacc..38eb79b2c6d 100644
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -225,6 +225,7 @@ jobs:
 - name: Checkout harness ref
 uses: actions/checkout@v6
 with:
+ ref: ${{ github.event.repository.default_branch }}
 persist-credentials: false
 fetch-depth: 0
diff --git a/src/agents/auth-profiles/legacy-oauth-sidecar.ts b/src/agents/auth-profiles/legacy-oauth-sidecar.ts
index 80d22cfeaff..f7142fd78bd 100644
--- a/src/agents/auth-profiles/legacy-oauth-sidecar.ts
+++ b/src/agents/auth-profiles/legacy-oauth-sidecar.ts
@@ -119,6 +119,7 @@ function buildLegacyOAuthSecretKey(seed: string): Buffer {
 // Legacy #79006 compatibility: existing sidecars were encrypted with this
 // SHA-256 key derivation, so changing it would strand affected users.
 // codeql[js/insufficient-password-hash]
+ // lgtm[js/insufficient-password-hash]
 return createHash("sha256").update(`openclaw:auth-profile-oauth:${seed}`).digest();
 }
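Review bot: The pin added on the `ref:` line of the "Checkout harness ref" step can fail open: actions/checkout treats an empty `ref` as unset and checks out the triggering ref, so if `github.event.repository.default_branch` is ever empty for one of this workflow's triggers the step silently reverts to the old behaviour. The triggers are outside this hunk, so it is worth confirming the value is populated for each of them. The line also has no comment recording why it is there; something like `# Security: always check out the default branch so this step never runs code from the triggering ref.` above it would keep a later cleanup from removing it. Note as well that the step now follows a moving branch head rather than a fixed SHA, which presumably is intended for trusted harness code but makes reruns non-reproducible.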
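Review bot: The added `// lgtm[js/insufficient-password-hash]` line sits between the existing `// codeql[js/insufficient-password-hash]` annotation and the `return` statement it is meant to cover, which may leave the alert unsuppressed under both forms. As far as I know, CodeQL's alert-suppression query applies a `codeql[...]` comment to the line that follows it and an `lgtm[...]` comment to the line it is written on, so here the first would point at a comment and the second at itself. Keeping `// codeql[js/insufficient-password-hash]` directly above the `return` and appending `// lgtm[js/insufficient-password-hash]` as a trailing comment on the `return` line avoids that; confirm against the scanner configuration in use. Because the annotation silences a weak-key-derivation finding, the comment should also state that this SHA-256 derivation is used only to read existing sidecars, if that is the case; the function body starts outside the hunk and its callers are not visible here.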