# .secretscanignore — patterns to exclude from secret scanning
#
# Format:
#   filepath:regex   — ignore matches of regex only in the given file
#   regex            — ignore matches of regex in all files
#
# Examples:
#   tests/fixtures/fake-creds.json:AKIA.*
#   EXAMPLE_KEY_DO_NOT_USE
#   src/config.example.ts:password\s*=\s*"changeme"

# Secret scanner test file (contains intentional fake secrets as test inputs)
src/tests/secret-scan.test.ts:.*

# Test fixtures with dummy credentials
tests/*:AKIA_EXAMPLE
tests/*:test-secret-value
tests/*:fake[-_]?(password|secret|token|key)

# Web contract/integration test dummy API keys (not real secrets)
src/tests/integration/web-mode-assembled.test.ts:sk-assembled-test-key
src/tests/integration/web-mode-runtime-fixtures.ts:sk-runtime-recovery-secret
src/tests/web-onboarding-contract.test.ts:sk-test-secret

# Doctor environment tests use dummy localhost DB URLs
src/resources/extensions/sf/tests/doctor-environment.test.ts:postgres://localhost


# Documentation examples
*.md:AKIA[0-9A-Z]{16}
*.md:sk_(live|test)_

# Environment variable references (not actual values)
process\.env\.\w+
\$\{?\w+_KEY\}?
\$\{?\w+_SECRET\}?
\$\{?\w+_TOKEN\}?

# Placeholder/example values
changeme
your[-_]?api[-_]?key[-_]?here
REPLACE_ME
xxx+
TODO.*secret
