# Secret patterns for git-secrets
# Run `git secrets --add-provider -- cat .gitsecrets` to load these patterns
# Or manually add with `git secrets --add '<pattern>'`
# NOTE(review): git-secrets defines no comment syntax for provider output, so the
# `#` lines in this file may be registered as literal patterns when it is loaded
# via `cat`. Check with `git secrets --list` after loading; if the comments show
# up there, filter them out first (e.g. `grep -v '^#' .gitsecrets`) — TODO confirm
# against the installed git-secrets version.

# =============================================================================
# TPMJS-specific patterns
# =============================================================================

# TPMJS API keys (format: tpmjs_sk_<URL-safe base64>; the class below is
# [A-Za-z0-9_-], so keys using standard base64 `+`, `/` or `=` padding would not match)
tpmjs_sk_[A-Za-z0-9_-]+

# =============================================================================
# Database credentials
# =============================================================================

# Neon database passwords (format: npg_<alphanumeric>)
npg_[A-Za-z0-9]+

# PostgreSQL connection strings with embedded passwords. Only the `postgresql://`
# scheme is covered, and only when the text after the `@` contains "neon";
# `postgres://` URLs are not matched by this line.
postgresql://[^:]+:[^@]+@.*neon

# Database URLs with embedded passwords assigned to DATABASE_URL (any scheme).
# Connection strings stored under other variable names are only caught by the
# pattern above.
DATABASE_URL=.*://[^:]+:[^@]+@

# =============================================================================
# Generic secret patterns
# =============================================================================

# Long lowercase hex strings (API keys, tokens) - 64 chars like CRON_SECRET.
# This is unanchored and also matches any SHA-256 checksum (lockfile integrity
# hashes, container image digests), so expect false positives and exclude them
# via the allowed-patterns section below rather than by weakening the pattern.
[a-f0-9]{64}

# JWT tokens (common format: three base64url segments, header and payload both
# starting with `eyJ`). Matches any JWT, including expired or test tokens.
eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*

# Generic API key assignments: `api_key` / `API-KEY` / `apikey` (any case),
# followed anywhere on the same line by a quoted value of 20 or more characters
[Aa][Pp][Ii][-_]?[Kk][Ee][Yy].*['"][A-Za-z0-9_-]{20,}['"]

# =============================================================================
# Cloud provider patterns (via --register-aws)
# =============================================================================
# AWS patterns are automatically registered with `git secrets --register-aws`
# - AWS Access Key IDs: AKIA[0-9A-Z]{16}
# - AWS Secret Access Keys
# These are written to git config rather than to this file, so the command must
# be run in each clone (or once with `--global`); `git secrets --list` shows
# what is currently registered.

# =============================================================================
# Allowed patterns (false positive exclusions)
# =============================================================================
# Add allowed patterns with: git secrets --add --allowed '<pattern>'
# Example: git secrets --add --allowed 'example\.com'
# An allowed pattern suppresses every match on any line it matches, so keep
# allowed patterns narrow (a specific fixture value or path) — a broad one can
# mask a real secret that happens to share the line.
