# Repository gitleaks configuration (gitleaks v8 config schema).
title = "Veza gitleaks config"

# Start from the gitleaks v8 built-in rule set. Everything below only adds
# allowlisting on top of it; this file never adds detection rules.
[extend]
useDefault = true

# Project-wide allowlist
#
# Each allowlisted path class below is a known false-positive source,
# confirmed by reading the file or its history:
#
#  1. Go test files — fake JWTs such as eyJ...invalid_signature used in
#     auth-failure tests
#  2. Historical .backup-pre-uuid-migration dir — removed from HEAD but still
#     present in git history
#  3. Playwright e2e artifacts — auth state snapshots, test result dumps
#  4. Storybook stories + MSW mocks — UI fixtures with placeholder API keys
#  5. Documentation — API examples, smoke test logs, integration guides
#  6. K8s deployment templates — base64-encoded "secure_pass" placeholders
#  7. Local dev TLS certs (CN=localhost) under docker/haproxy/certs/
#  8. Rust/TS test fixtures — deterministic constants used only in #[cfg(test)]
#  9. Generated bundle analysis HTML
# 10. Legacy templates (apps/web/desy/legacy/)
#
# Policy: this allowlist deliberately errs on the side of letting things
# through. The cost of that choice is that a *real* credential committed under
# any allowlisted path (in any scanned revision) is skipped silently, so this
# file is itself a security boundary and new path entries deserve the same
# review as a code change. Real secret rotation should rely on .env, vault,
# or k8s sealed-secrets, not on the scanner.
#
# When tightening, prefer adding a stopword (or an allowlist regex on the
# specific placeholder value) over removing a path entry wholesale.
[allowlist]
description = "Allowlist test fixtures, docs, k8s templates, and dev artifacts"

# Path patterns are regexes matched against the repo-relative file path. A
# match skips the *whole file* wherever it appears in the scanned history, so
# every entry below is a blind spot, not just a suppression of one finding.
paths = [
  # 1. Go tests (fake JWTs for auth-failure cases)
  '''.*_test\.go$''',

  # 2. Pre-UUID-migration backup directory (history only). The second,
  #    fully-qualified entry is already subsumed by the first; it is kept
  #    so the exact historical location stays documented.
  '''.*\.backup-pre-uuid-migration/.*''',
  '''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',

  # 3. Playwright / e2e artifacts (stored auth state, result dumps)
  '''apps/web/e2e/\.auth/.*''',
  '''apps/web/e2e-results\.json$''',
  '''apps/web/full_test_result\.txt$''',
  '''apps/web/e2e/.*\.md$''',

  # 4. Storybook stories + MSW mocks
  '''apps/web/.*\.stories\.(ts|tsx|js|jsx)$''',
  '''apps/web/src/mocks/.*''',

  # 5. Documentation. Markdown samples are inherently full of example tokens,
  #    but this also means a real token pasted into *any* .md file anywhere in
  #    the repo is never reported.
  '''.*\.md$''',

  # 6. K8s deployment templates with base64 placeholders.
  #    NOTE(review): this excludes every YAML under any `k8s/` directory,
  #    including Secret manifests that may carry real data. The `secure_pass`
  #    stopword does not help here because it only matches the literal text,
  #    not its base64 form (`c2VjdXJlX3Bhc3M=`); an allowlist regex on that
  #    exact encoded placeholder would be a narrower replacement. Also, the
  #    leading `/` means a top-level `k8s/` directory would not match — confirm
  #    against the actual repo layout.
  '''.*/k8s/.*\.ya?ml$''',

  # 7. Local dev / self-signed TLS material (CN=localhost).
  #    NOTE(review): allowlisting `*.key` here also silences the private-key
  #    rule for any key file later dropped into this directory; narrow to the
  #    known dev filenames if they are stable.
  '''docker/haproxy/certs/.*\.(pem|key|crt|csr)$''',

  # 8. Rust / TS test fixtures living inside source files (constants used only
  #    in #[cfg(test)] modules — see veza-stream-server/src/utils/signature.rs).
  #    Note the whole file is skipped, not just the test module.
  '''veza-stream-server/src/utils/signature\.rs$''',
  '''veza-stream-server/src/utils/env\.rs$''',
  '''veza-chat-server/src/env\.rs$''',

  # 10. Legacy / static templates
  '''apps/web/desy/legacy/.*''',

  # Pre-existing source files with hardcoded *test* keys (must stay until
  # refactor). NOTE(review): the first and third entries exclude entire
  # production source trees, not only the files that hold test constants —
  # anything else committed under them is unscanned. Moving the constants
  # into fixtures, or allowlisting the specific placeholder values instead,
  # would bring the rest of these directories back under scanning.
  '''apps/web/src/components/studio/.*''',
  '''apps/web/src/components/settings/security/TwoFactorSetup\.tsx$''',
  '''apps/web/src/features/live/.*''',

  # 9. Generated artifacts (bundle analysis HTML)
  '''\.build/.*\.html$''',
]

# Stopwords are checked as substrings of the captured secret; a finding whose
# secret contains one is dropped regardless of file path. They only catch the
# plaintext placeholder, never an encoded or hashed copy of it.
stopwords = [
  "invalid_signature",
  "test-jwt-secret",
  "test-secret",
  "test-internal-api-key",
  "test_secret_key_that_is_long_enough_32chars",
  "sk-abc123-def456-ghi789",
  "live_83921_abc123xyz789_secret_key",
  "secure_pass",
]