# Secret-scan allowlist (T-1844).
# Each non-empty, non-comment line is an extended regex (ERE) applied against the
# matching line. If any allowlist regex matches, the finding on that line is
# suppressed — so an entry that matches on a path prefix alone hides every
# finding in that file, not just the known false-positive.
#
# Add entries ONLY for known false-positives. Real secrets should be removed
# from the commit, not allowlisted.

# The pattern catalogue itself contains regex literals that may shape-match.
# The anchored form presumably matches the `path:` prefix of a finding; the
# second, unanchored form also suppresses any line elsewhere that merely
# mentions the file name, so keep it only if findings are not always reported
# with a leading path.
^\.secret-scan-patterns:
\.secret-scan-patterns

# The allowlist itself. The unanchored second form also matches any line that
# merely names this file, wherever it occurs.
^\.secret-scan-allowlist:
\.secret-scan-allowlist

# Test fixtures intentionally contain pattern-shaped strings to exercise the scanner.
tests/unit/test_secret_scan\.bats

# Documentation that describes secret formats by their pattern (refers to them by shape,
# not value — these are educational examples).
docs/(reports|design|deployment-runbook).*\.md:.*(AKIA[0-9A-Z]{16}|gh[pousr]_)

# Task files reference patterns by name — scoped to lines that carry a
# `.tasks/…md:` path prefix together with one of the pattern names, so other
# findings in those files are still reported.
\.tasks/.*\.md:.*(Azure DevOps PAT|AWS Access Key|GitHub PAT|SSH Private Key)

# Mirror sync log captures GitHub error messages that may reference the leaked
# location (location, not value — but the GH013 stderr block contains pattern-shaped
# text describing the rejection). NOTE(review): this entry suppresses the whole
# file; if a captured message ever quoted the value itself, it would be hidden
# too. Scoping the entry to the GH013 block text would keep the rest of the log
# under scan.
\.context/working/\.mirror-sync\.log:

# Vendored framework copies — the parent project scans the real source files;
# vendored duplicates would double-flag everything. This holds only while the
# vendored copy stays identical to its source: a local edit made to the vendored
# tree is scanned nowhere.
^\.agentic-framework/

# Third-party dependency manifests — npm/pip/cargo integrity hashes are
# content addressing, not secrets. (A tracked node_modules/ tree is better
# removed from version control than allowlisted; the entry only papers over it.)
node_modules/
package-lock\.json:
yarn\.lock:
Cargo\.lock:
poetry\.lock:
pnpm-lock\.yaml:

# Compiled / generated artifacts — bundled JS, minified CSS, etc. A bundle is a
# common place for a key embedded at build time to end up, and this entry hides
# the whole file, so it relies on the un-minified sources being scanned instead.
\.min\.(js|css):
/dist/.*\.(js|css):

# Episodic memory / handover narrative may quote git SHAs, content hashes,
# session IDs in 52-char shapes (the entry accepts 40–64 hex chars). These are
# not credentials. The match is by shape only: the entry requires just that such
# a hex run be present, so anything else found on the same line is suppressed
# with it, and a 64-hex run can equally be a raw 256-bit key.
\.context/(episodic|handovers)/.*\.(yaml|md):.*[a-f0-9]{40,64}

# Lib spike notes that reference cryptographic test vectors (same shape-only
# hex-run match as the episodic/handover entry).
\.context/spikes/.*\.(md|yaml):.*[a-f0-9]{40,64}

# Docs that quote git commit SHAs / content hashes (cross-reference markers).
docs/.*\.md:.*[a-f0-9]{40,64}

# Tracked PostScript binary file at repo root (T-1844 follow-up: investigate
# why this is tracked — appears to be accidentally-committed print output,
# 36MB, 462k lines of hex-like content matching base32 alphabet runs).
# Until that follow-up lands this is a whole-file suppression; removing the file
# from the repo is the real fix, after which this entry can be dropped.
^os:

# Generated docs (component fabric exports) may quote pattern-shaped strings
# from their source files. Whole-directory suppression — relies on the source
# files the exports are generated from being scanned themselves.
^docs/generated/components/

# Tools / scripts that contain the pattern catalogue inline for testing or
# documentation purposes. This suppresses everything under tools/, including
# any real credential a script there might pick up later; narrowing the entry
# to the files that actually embed the catalogue would keep the rest scanned.
^tools/

# Inception spike notes that quote pattern shapes by name.
\.tasks/active/T-1842-.*\.md:

# BVP propose-queue + weight-history files: operator-typed rationales (Reject
# decision narrative, audit trail) can be arbitrary strings — long runs of
# alphabetic chars shape-match the Azure DevOps PAT regex but are not credentials.
# The propose-queue is append-only and the weight-history is mutated only via
# `fw bvp confirm` + Sovereign-gated `fw bvp driver --add/--remove`. The fields
# in question (`rationale_decision`, `rationale`) carry human text, not tokens.
# Both entries below suppress the whole file; a line-scoped form keyed on the
# `rationale` / `rationale_decision` fields would keep the other fields of each
# record under scan.
^\.context/bvp-driver-proposals\.jsonl:
^\.context/bvp-weight-history\.yaml:
