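# Kiwi gitleaks config — extends base CircuitForge config with local rules

# NOTE(review): this is an absolute path on one workstation layout. Confirm
# that every host running the hooks (other developers, CI) can resolve it,
# and how gitleaks behaves when it cannot, so the base rules are never
# silently missing from a scan.
[extend]
path = "/Library/Development/CircuitForge/circuitforge-hooks/gitleaks.toml"

# ── Global allowlist ──────────────────────────────────────────────────────────
# Amazon grocery department IDs (rh=n:<10-digit>) false-positive as phone
# numbers. locale_config.py is a static lookup table with no secrets.
#
# This table is global, so it is not limited to the rule defined below.
# Only the regex is allowlisted; locale_config.py itself has no path entry,
# so other content in that file is still scanned.
# NOTE(review): the comment above says 10 digits, but the pattern accepts
# 8 to 12. Narrow the quantifier if 10 is the only real width.
[allowlist]
regexes = [
    '''rh=n:\d{8,12}''',
]

# ── Test fixture allowlists ───────────────────────────────────────────────────
# Local rule: a keyword (token, secret, key, password, ...) followed by `=` or
# `:` and at least 20 characters from [A-Za-z0-9-_], optionally quoted.
# The keyword alternation is unanchored, so it also matches inside longer
# identifiers. No `entropy` or `keywords` filter is set on this rule.
[[rules]]
id = "cf-generic-env-token"
description = "Generic KEY= in env-style assignment — catches FORGEJO_API_TOKEN=hex etc."
regex = '''(?i)(token|secret|key|password|passwd|pwd|api_key)\s*[=:]\s*['"]?[A-Za-z0-9\-_]{20,}['"]?'''

# Suppressions for this rule only.
[rules.allowlist]
# NOTE(review): '.*test.*' is an unanchored substring match, so this rule is
# skipped for any path containing "test" anywhere, not just test directories.
# Constructed examples: "latest/", "contest.env". A real credential committed
# under such a path would not be reported by this rule. Anchor the pattern to
# the project's actual test directories and file names once those are confirmed.
paths = [
    '.*test.*',
]
# Placeholder and fixture markers. These are also unanchored, so a value that
# merely contains one of them (for example four consecutive "x" characters) is
# suppressed.
# NOTE(review): "ollama" and "any" are shorter than the 20 characters the rule
# regex requires, so the two api_key entries appear unable to take effect for
# this rule on their own. Which text allowlist regexes are compared against
# depends on the gitleaks version and the `regexTarget` setting. Confirm both
# and add a fixture that exercises each entry.
regexes = [
    'api_key:\s*ollama',
    'api_key:\s*any',
    'your-[a-z\-]+-here',
    'replace-with-',
    'xxxx',
    'test-fixture-',
    'CFG-KIWI-TEST-',
]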