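# gitleaks config — ORCH-022 security-gate (secret-scanning).
#
# Versioned in the repo root (07-infra I-4 / BR-13): rules + an allowlist of
# known-safe matches are reviewed as code. The security-gate (src/security_gate.py)
# passes this file via `--config` when present. gitleaks runs OFFLINE (local rules)
# so the "a secret always blocks" guarantee (BR-2) never depends on the network.
#
# Strategy: extend the built-in ruleset (broad coverage, maintained upstream) and
# only ADD a narrow allowlist for placeholders / fixtures that are intentionally
# fake (e.g. .env.example dummy values, test fixtures). Keep the allowlist tight —
# an over-broad allowlist silently re-opens the leak it was meant to bless.
#
# Review checklist for any change below: every new path or regex widens what the
# gate will NOT report, so each entry should name the concrete placeholder it
# blesses and be as narrow as that placeholder allows.

title = "orchestrator gitleaks config"

[extend]
# Start from gitleaks' maintained default ruleset.
useDefault = true

[allowlist]
description = "Known-safe, intentionally non-secret matches (placeholders + fixtures)."

# Allowlist `regexes` are compared against the captured SECRET only — not the
# whole rule match and not the entire source line. This is gitleaks' default, but
# it is pinned here so the allowlist's reach is visible in review and cannot widen
# silently: with target "line", any line that merely mentions "example" would bless
# a real key sitting next to it.
regexTarget = "secret"

# Files that legitimately contain placeholder/dummy secret-shaped values:
# * .env.example — the committed canon of env vars with DUMMY values (CLAUDE.md §8;
#   real secrets live only in the host .env / .env.staging, never in git).
# * tests/ — fixtures may embed fake tokens to exercise the scanner itself (TC-03).
#   NOTE(review): this blesses EVERY file under any tests/ directory, not only the
#   fixture files — a real credential committed there is never reported. Narrow it
#   to the fixture sub-directory if the repo layout allows.
# * .gitleaks.toml — this file (avoid self-matching example patterns below).
paths = [
    '''(^|/)\.env\.example$''',
    '''(^|/)tests/''',
    '''(^|/)\.gitleaks\.toml$''',
]

# Generic placeholder tokens used in docs / examples that are NOT real secrets.
# These are unanchored substring matches on the secret value: a real token that
# happens to contain e.g. "example" or a run of five+ x's is suppressed too. Keep
# new entries specific (prefer the full placeholder shape over a bare word).
regexes = [
    '''(?i)(your[-_]?(token|key|secret|password)[-_]?here)''',
    '''(?i)(changeme|dummy|example|placeholder|xxxxx+)''',
    '''(?i)<[a-z0-9_-]+>''',
]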