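# Gitleaks configuration for BreakPilot
# https://github.com/gitleaks/gitleaks
#
# Run locally:  gitleaks detect --source . -v
# Pre-commit:   gitleaks protect --staged -v

title = "BreakPilot Gitleaks Configuration"

# Keep the upstream default rule set; the [[rules]] below are added on top of it.
[extend]
useDefault = true

# Custom rules for BreakPilot-specific credential formats.

[[rules]]
id = "anthropic-api-key"
description = "Anthropic API Key"
regex = '''sk-ant-api[0-9a-zA-Z-_]{20,}'''
tags = ["api", "anthropic"]
keywords = ["sk-ant-api"]

[[rules]]
id = "vast-api-key"
description = "vast.ai API Key"
# Group 1 is the variable name, group 2 the credential value. secretGroup points
# gitleaks at group 2 so the reported secret (which the allowlist regexes are
# checked against by default) is the key itself, not the whole
# `vast_api_key = "..."` assignment.
regex = '''(?i)(vast[_-]?api[_-]?key|vast[_-]?key)\s*[=:]\s*['"]?([a-zA-Z0-9-_]{20,})['"]?'''
secretGroup = 2
tags = ["api", "vast"]
keywords = ["vast"]

# The two Stripe rules likely overlap with the upstream Stripe rule pulled in by
# useDefault; they are kept so findings carry a project-specific id.
[[rules]]
id = "stripe-secret-key"
description = "Stripe Secret Key"
regex = '''sk_live_[0-9a-zA-Z]{24,}'''
tags = ["api", "stripe"]
keywords = ["sk_live"]

[[rules]]
id = "stripe-restricted-key"
description = "Stripe Restricted Key"
regex = '''rk_live_[0-9a-zA-Z]{24,}'''
tags = ["api", "stripe"]
keywords = ["rk_live"]

[[rules]]
id = "jwt-secret-hardcoded"
description = "Hardcoded JWT Secret"
# Group 2 is the quoted secret value. Only values of 32+ characters are
# flagged, so shorter hard-coded secrets are NOT caught by this rule.
regex = '''(?i)(jwt[_-]?secret|jwt[_-]?key)\s*[=:]\s*['"]([^'"]{32,})['"]'''
secretGroup = 2
tags = ["secret", "jwt"]
keywords = ["jwt"]

# Global allowlist. Entries here suppress findings for every rule, including
# the upstream defaults, so keep it narrow: a path listed here is never scanned.
[allowlist]
description = "Global allowlist"
paths = [
    # Environment templates and documentation.
    '''\.env\.example$''',
    '''\.env\.template$''',
    '''docs/.*\.md$''',
    '''SBOM\.md$''',
    # Test modules: fixture values here are expected to be fake. Real
    # integration credentials must never be committed in tests, because
    # nothing in this file will catch them there. Prefer adding a placeholder
    # pattern to `regexes` below over widening this list.
    '''.*_test\.py$''',
    '''.*_test\.go$''',
    '''test_.*\.py$''',
    # Vendored and generated trees.
    '''node_modules/.*''',
    '''venv/.*''',
    '''\.git/.*''',
]
# Backup copies (*.bak) are deliberately not allowlisted: an editor backup of
# a .env file is exactly the kind of file that leaks a live credential.

# Specific commits to skip (e.g. history containing secrets that have since
# been rotated).
commits = []

# Findings whose secret matches one of these patterns are treated as
# placeholders and suppressed.
regexes = [
    '''REPLACE_WITH_REAL_.*''',
    '''your-.*-key-change-in-production''',
    '''breakpilot-dev-.*''',
    '''DEVELOPMENT-ONLY-.*''',
    '''placeholder.*''',
    '''example.*key''',
]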