# Gitleaks configuration for ScriptHammer.
# Scans for secrets and credentials before commits and pushes.

# Keep the bundled gitleaks ruleset active; the [[rules]] entries that follow
# extend it rather than replace it.
[extend]
useDefault = true
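# Custom rules for the ScriptHammer stack. Each rule carries `keywords`: a
# cheap substring pre-check that gitleaks runs before the regex. Every keyword
# here is a literal prefix of its own regex, so adding it drops no match.

[[rules]]
id = "supabase-service-role-key"
# NOTE(review): Supabase documents the `sbp_` prefix for personal access
# tokens (Management API); a project's service_role key is an HS256 JWT,
# which the supabase-anon-key rule below already matches. Confirm which
# credential this rule is meant to name and adjust the description.
description = "Supabase Service Role Key"
regex = '''sbp_[a-zA-Z0-9]{40}'''
keywords = ["sbp_"]
# NOTE(review): `severity` is, as far as I know, not a field gitleaks reads
# (unknown keys are ignored); kept for human readers. `tags` is the supported
# way to label a rule if tooling downstream needs the classification.
severity = "high"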
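[[rules]]
id = "supabase-anon-key"
# The header literal is the base64url encoding of {"alg":"HS256","typ":"JWT"},
# so this matches any HS256 JWT — anon and service_role keys alike, and JWTs
# from other issuers too. The allowlist below excludes the public self-hosting
# demo keys by their signature rather than by file.
description = "Supabase Anon Key (JWT format)"
regex = '''eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+'''
keywords = ["eyJ"]  # pre-regex substring filter; a literal prefix of the regex
severity = "medium"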
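[[rules]]
id = "github-pat-fine-grained"
description = "GitHub Fine-Grained Personal Access Token"
# Fixed-width token body: 22 chars, "_", 59 chars after the prefix.
# NOTE(review): with useDefault = true the bundled ruleset most likely already
# covers this token format; a duplicate finding is harmless, but this rule can
# be dropped once the default one is confirmed to fire in a test scan.
regex = '''github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'''
keywords = ["github_pat_"]  # pre-regex substring filter; a literal prefix of the regex
severity = "critical"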
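[[rules]]
id = "stripe-live-key"
description = "Stripe Live Secret Key"
# Open-ended length ({24,}) so a longer key format is still caught.
regex = '''sk_live_[a-zA-Z0-9]{24,}'''
keywords = ["sk_live_"]  # pre-regex substring filter; a literal prefix of the regex
severity = "critical"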
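[[rules]]
id = "stripe-test-key"
description = "Stripe Test Secret Key"
# Test-mode keys cannot move real money, hence the lower severity, but they
# still grant API access to the test account and should not be committed.
regex = '''sk_test_[a-zA-Z0-9]{24,}'''
keywords = ["sk_test_"]  # pre-regex substring filter; a literal prefix of the regex
severity = "medium"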
# Allowlist false positives.
# NOTE(review): a `paths` entry skips the WHOLE file for EVERY rule — a real
# Stripe or GitHub token pasted into one of these files is never reported.
# The patterns also appear to be unanchored, so '''tests/.*''' matches any
# path containing "tests/" (e.g. an integration-tests/ directory). Prefer the
# secret-specific `regexes` entries below wherever a file holds only a few
# known placeholder values.
[allowlist]
paths = [
'''\.env\.example''', # placeholders only — a real value pasted here goes unreported
'''.*\.test\.ts''',
'''.*\.test\.tsx''',
'''.*\.spec\.ts''',
'''docs/.*\.md''',
'''tests/.*''',
# NOTE(review): the demo JWTs in the two files below are already excluded by
# the signature `regexes` further down, so these path entries could be
# narrowed or dropped if no other demo default in them trips a rule.
'''docker-compose\.yml''', # Supabase demo JWT defaults (public, not real secrets)
'''supabase/docker/.*''', # Local Supabase stack config with demo defaults
]
# Supabase self-hosting demo keys — published verbatim at
# https://supabase.com/docs/guides/self-hosting/docker. JWT payload is
# `{"iss": "supabase-demo", ...}`, signed with the hardcoded demo secret
# `super-secret-jwt-token-with-at-least-32-characters-long`. These two
# signatures ONLY validate against that secret; a real project key has a
# different signature and still trips the supabase-anon-key rule above.
# Matching on the signature (the third JWT segment) rather than on a file path
# keeps the exclusion tied to exactly these two tokens; if Supabase rotates the
# demo secret upstream, update the signatures here.
regexes = [
'''dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE''', # demo anon
'''DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q''', # demo service_role
]
# To allowlist specific commits, add their SHA hashes. A commit allowlist hides
# every finding in that commit, so reserve it for history that has already
# been rotated and cannot be rewritten:
# [allowlist]
# commits = ["abc123...", "def456..."]