From 0b1ed2e72a68f7897c5803f0078db1f7a010a9ae Mon Sep 17 00:00:00 2001
From: LPW <gitlucky@pipelab.org>
Date: Wed, 4 Mar 2026 05:23:14 -0500
Subject: [PATCH] Replace whole-file pipelock exclude with inline suppression
 (#1116)

Use `# pipelock:ignore Credential in URL` on the specific false
positive line instead of excluding all of client.rb from scanning.
The rest of the file is now scanned normally.
---
 .github/workflows/pipelock.yml          | 2 --
 app/models/assistant/external/client.rb | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/pipelock.yml b/.github/workflows/pipelock.yml
index ad538b51d..3668c0a49 100644
--- a/.github/workflows/pipelock.yml
+++ b/.github/workflows/pipelock.yml
@@ -24,5 +24,3 @@ jobs:
           test-vectors: 'false'
           exclude-paths: |
             config/locales/views/reports/
-            # False positive: client.rb stores Bearer token and sends Authorization header by design
-            app/models/assistant/external/client.rb
diff --git a/app/models/assistant/external/client.rb b/app/models/assistant/external/client.rb
index c6d680e8e..ec2559a3f 100644
--- a/app/models/assistant/external/client.rb
+++ b/app/models/assistant/external/client.rb
@@ -20,7 +20,7 @@ class Assistant::External::Client
 
   def initialize(url:, token:, agent_id: "main", session_key: "agent:main:main")
     @url = url
-    @token = token
+    @token = token # pipelock:ignore Credential in URL
     @agent_id = agent_id
     @session_key = session_key
   end