# Gitleaks configuration
# Extends the built-in default ruleset and adds allowlists for known
# non-secret values that would otherwise trip the scan.

[extend]
useDefault = true

[allowlist]
description = "Known dev/test placeholders and generated artifacts"

regexes = [
  # Frontend test env value, set in .gitea/workflows/ci.yml
  '''placeholder-anon-key-for-tests-only''',
  # Local-only Postgres password in docker-compose.yml (dev container)
  '''development_password''',
]

paths = [
  '''pnpm-lock\.yaml''',
  '''.*/coverage/.*''',
  '''.*/dist/.*''',
  '''.*/node_modules/.*''',
]