# Secret scanner — high-signal patterns (ERE, case-SENSITIVE). One regex per line; '#' starts a comment.
# These match secret VALUES (keys / tokens / private keys), not the word "secret".
# False positive on a real (test) value? Add the EXACT pattern line to .secret-allowlist.txt at the repo root,
# or replace the value with a placeholder. Deliberate bypass: git commit --no-verify (explicit request only, §4.5).

# PEM private keys (RSA / EC / OPENSSH / DSA / PGP ...)
-----BEGIN ([A-Z]+ )?PRIVATE KEY-----

# AWS access key id
(AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|A3T)[A-Z0-9]{16}

# GitHub tokens (personal / oauth / user / server / refresh) + fine-grained PAT
gh[pousr]_[A-Za-z0-9]{36,}
github_pat_[A-Za-z0-9_]{22,}

# Google API key
AIza[A-Za-z0-9_-]{35}

# Slack token
xox[baprs]-[A-Za-z0-9-]{10,}

# Stripe live secret / restricted key
(sk|rk)_live_[A-Za-z0-9]{20,}

# OpenAI / Anthropic API keys
sk-(ant-|proj-)?[A-Za-z0-9_-]{24,}

# npm access token
npm_[A-Za-z0-9]{36}

# SendGrid API key
SG\.[A-Za-z0-9_-]{16,32}\.[A-Za-z0-9_-]{16,}

# JSON Web Token (header.payload.signature)
eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{10,}
