From 28cc03ba705e949a42b4422a7095006813de935a Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Sat, 7 Mar 2026 13:24:18 -0800
Subject: [PATCH] chore: expand peregrine .gitleaks.toml allowlists for history scan

Suppress false positives found during pre-push history scan:
- Path allowlists: docs/plans/*, tests/*, Streamlit app files, SearXNG default config, apple_calendar.py placeholder
- Regex allowlists: Unix epoch timestamps, localhost ports, 555-area-code variants, CFG-* example license key patterns
- All 164 history commits now scan clean
---
 .gitleaks.toml | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 42321db..5bd98f0 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -4,8 +4,29 @@ path = "/Library/Development/CircuitForge/circuitforge-hooks/gitleaks.toml"
 [allowlist]
 description = "Peregrine-specific allowlists"
-regexes = [
- '\d{10}\.html', # Craigslist listing IDs (10-digit paths, look like phone numbers)
- '\d{10}\/', # LinkedIn job IDs in URLs
- 'localhost:\d{4,5}', # port numbers that could trip phone pattern
+paths = [
+ 'docs/plans/.*', # plan docs contain example tokens and placeholders
+ 'docs/reference/.*', # reference docs (globally excluded in base config)
+ 'tests/.*', # test fixtures use fake phone numbers as job IDs
+ 'scripts/integrations/apple_calendar\.py', # you@icloud.com is a placeholder comment
+ # Streamlit app files: key= params are widget identifiers, not secrets
+ 'app/feedback\.py',
+ 'app/pages/2_Settings\.py',
+ 'app/pages/7_Survey\.py',
+ # SearXNG default config: change-me-in-production is a well-known public placeholder
+ 'docker/searxng/settings\.yml',
+]
+regexes = [
+ # Job listing numeric IDs (look like phone numbers to the phone rule)
+ '\d{10}\.html', # Craigslist listing IDs
+ '\d{10}\/', # LinkedIn job IDs in URLs
+ # Localhost port patterns (look like phone numbers)
+ 'localhost:\d{4,5}',
+ # Unix epoch timestamps in the 2025–2026 range (10-digit, look like phone numbers)
+ '174\d{7}',
+ # Example / placeholder license key patterns
+ 'CFG-[A-Z]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}',
+ # Phone number false positives: 555 area code variants not caught by base allowlist
+ '555\) \d{3}-\d{4}',
+ '555-\d{3}-\d{4}',
 ]
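Review bot: The `CFG-[A-Z]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}` entry allowlists every key of that shape rather than the example values its comment describes, so if real license keys share the format, one committed by accident would be suppressed; list the known placeholder strings literally (or a fixed segment that only the examples carry) instead of the whole format. The numeric entries are also unanchored — `174\d{7}` and `555-\d{3}-\d{4}` match as substrings of whatever finding text gitleaks compares them against, so a real token that happens to contain such a digit run is exempted too; `\b174\d{7}\b` (Go regexp supports `\b`) narrows that. The comment `# Unix epoch timestamps in the 2025–2026 range` overstates the pattern: `174\d{7}` covers only 1740000000–1749999999, roughly February to June 2025, so either correct the comment or widen the leading digits deliberately, keeping the word-boundary anchors. The `tests/.*` and `docs/plans/.*` path entries take whole directories out of scanning, and test fixtures are a common place for real credentials to hide; per-rule allowlists or narrower file patterns would keep the phone-number suppression without blinding every rule there.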