chore(security): add .gitleaks.toml for working-tree path allowlist (Athena #325 dev-exp)

The .gitleaksignore file uses per-commit fingerprints which only match gitleaks's default with-git mode. Developers running `gitleaks detect --no-git` locally (e.g. for working-tree review) saw 7 false positives that the fingerprint format couldn't address. This .gitleaks.toml adds path-based allowlists that apply to BOTH modes, covering the same documented placeholder/test/example sites the .gitleaksignore covers in history form: - .core/vm/ Traefik cert keys (mode 0600, untracked, generated for local VM) - php/docs/ + blade.php API placeholders - php/tests/ test fixtures - php/Services/AgentDetection.php docblock examples - pkg/agentic/prep_test.go t.Setenv env-clearing literal Verified: `gitleaks detect --no-git -c .gitleaks.toml` returns "no leaks found". Default `gitleaks detect` (with-git) still uses .gitleaksignore + this config together — both modes now report 0 leaks for the documented false positives. Co-authored-by: Codex <noreply@openai.com>
2026-04-25 16:36:47 +01:00 · 2026-04-25 16:36:47 +01:00 · 167be2f396
commit 167be2f396
parent f2b6ff29bd
1 changed files with 33 additions and 0 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@ -0,0 +1,33 @@
+# gitleaks config — path-based allowlist for working-tree mode.
+#
+# Default mode (`gitleaks detect`, with-git) uses .gitleaksignore for
+# per-commit fingerprint suppression. That's where committed-history
+# false positives belong.
+#
+# This config adds path/regex allowlists that apply to BOTH modes —
+# specifically for working-tree-only false positives that the fingerprint
+# format can't address (no commit SHA exists for working-tree files).
+#
+# Filed: Mantis #325 follow-up. Reviewer: athena 2026-04-25.
+
+title = "core/agent gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Working-tree paths that contain documented placeholder/test/example secrets"
+paths = [
+    # Local VM workspace template — generated cert files (mode 0600, untracked)
+    '''\.core/vm/mnt/config/traefik/certs/.*\.key$''',
+    # PHP placeholder docs and blade templates with `YOUR_API_KEY`-style examples
+    '''php/docs/api-keys\.md$''',
+    '''php/View/Blade/admin/api-key-manager\.blade\.php$''',
+    # PHP test fixtures — `ak_test_*`, `claude-opus-4-*` model names, etc.
+    '''php/tests/Unit/ClaudeServiceTest\.php$''',
+    '''php/tests/Feature/AgentApiKeyTest\.php$''',
+    # PHP service docblock — `ak_a1b2c3...` example in a comment
+    '''php/Services/AgentDetection\.php$''',
+    # Go test that calls t.Setenv("CORE_BRAIN_KEY", "brain-key-123")
+    '''pkg/agentic/prep_test\.go$''',
+]