.gitleaks.toml

[extend]
useDefault = true

[allowlist]
paths = [
  '''packages/dotfiles/Library/Application Support/pinchtab/config\.json''',
  # Archive projects — legacy code, not deployed
  '''archive/''',
  # Worktrees from Claude Code agents
  '''\.claude/worktrees/''',
  # Lock files — contain hashes, not secrets
  '''\.lock$''',
  '''Podfile\.lock$''',
  '''Manifest\.lock$''',
  # Generated/vendored code
  '''generated/imports/''',
  # Vendored N64Wasm emulator source (parallel-n64 + angrylion) — third-party
  # C/C++; e.g. gles2rice chained `gRDP.keyR=...=0;` flagged as generic-api-key
  '''packages/discord-plays-mario-kart/wasm-src/''',
  '''\.build/checkouts/''',
  '''debug/index/store/''',
  '''src/cdk8s/dist/''',
  # Minecraft server config files (RCON passwords are non-sensitive defaults)
  '''config/minecraft-.*/server\.properties$''',
  # JWT in README (documentation example)
  '''packages/discord-plays-pokemon/README\.md''',
  # Public Firebase web API key (client-side safe, same key as better-skill-capped fetcher)
  '''packages/better-skill-capped/fetcher/src/''',
  '''packages/temporal/src/activities/fetcher\.ts''',
  # Patch files — git object hashes falsely flagged as sourcegraph-access-token
  '''patches/satori@.*\.patch$''',
  '''packages/.*/patches/satori@.*\.patch$''',
  # Skill/reference docs — example curl commands and API key placeholders
  '''packages/dotfiles/dot_agents/skills/tailscale-helper/references/''',
  '''packages/dotfiles/dot_agents/skills/grafana-helper/SKILL\.md''',
  # Cloudflare operator Helm chart URL contains "apikey" substring
  '''packages/homelab/src/cdk8s/src/resources/argo-applications/cloudflare-operator\.ts''',
  # CI step key "smoke-test-discord-plays-pokemon" falsely flagged as discord-client-secret
  '''scripts/ci/src/steps/images\.ts''',
  # Spectator API test data — encryptionKey is a Riot game session key, not a secret
  '''packages/scout-for-lol/.*/testdata/spectator-.*\.json''',
]