CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures

* Tests: fix rebased detect-secrets false positives

* Docs: keep snippets valid under detect-secrets

* Tests: finalize detect-secrets false-positive fixes

* Tests: reduce detect-secrets false positives

* Tests: keep detect-secrets pragmas inline

* Tests: remediate next detect-secrets batch

* Tests: tighten detect-secrets allowlists

* Tests: stabilize detect-secrets formatter drift

docs/start/wizard-cli-automation.md

@@ -152,7 +152,7 @@ openclaw onboard --non-interactive \
     Ref-mode variant:
 
     ```bash
-    export CUSTOM_API_KEY="your-key"
+    export CUSTOM_API_KEY="your-key" # pragma: allowlist secret
     openclaw onboard --non-interactive \
       --mode local \
       --auth-choice custom-api-key \