# .gitleaksignore — fingerprint allowlist for verified false positives.
#
# FORMAT: one finding fingerprint per line.
#   <commit-sha>:<file>:<rule-id>:<line>
# See: https://github.com/gitleaks/gitleaks#gitleaksignore
#
# ─── HARD RULE — READ BEFORE ADDING AN ENTRY ─────────────────────────────────
# DO NOT include the literal phrase that triggered the rule anywhere in your
# comment or explanation. Gitleaks scans this file too; if your comment quotes
# the offending English prose back, gitleaks will re-match on this file, you
# will add a new fingerprint, you will quote the phrase again, and you will
# spend an hour in an infinite loop before noticing. (Ask us how we know.)
#
# When describing a finding, reference it abstractly: "documentation prose in
# section N of the enterprise playbook", not the specific words. If you need
# the text for context, link to the commit on GitHub via the Fingerprint URL
# that gitleaks prints in the job output.
# ─────────────────────────────────────────────────────────────────────────────

# Doc prose in an early draft of the enterprise security playbook. No secret;
# reworded in a follow-up commit. History-only finding.
a5c3a329da9d0f5deed6a6857bcbaeaf3a024f1e:docs/ENTERPRISE_SECURITY_PLAYBOOK.md:generic-api-key:258

# Historical false positive in a previous version of this file itself, caused
# by the trap documented above. Retained because gitleaks walks history.
792b4ad4ff3f877992a678bd533f2dd2dd7854da:.gitleaksignore:generic-api-key:10

# History-only false positives from test fixtures that temporarily used
# unsigned token-shaped strings before being replaced with generated values.
e67c1273881cb01cfbc64b1f6a1081613e5e8fe3:tests/test_api_hardening.py:jwt:286
e67c1273881cb01cfbc64b1f6a1081613e5e8fe3:tests/test_api_oidc.py:jwt:334
e67c1273881cb01cfbc64b1f6a1081613e5e8fe3:tests/test_api_oidc.py:jwt:360
