From 93c57fd48705c605effee4ce525c424e00990cbf Mon Sep 17 00:00:00 2001
From: Snider
Date: Sat, 25 Apr 2026 01:13:00 +0100
Subject: [PATCH] chore(security): add .gitleaksignore for 18 documented false-positives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes Mantis #325 (agent portion). Each fingerprint listed is a documentation placeholder, test constant, or env-clearing call manually verified to be safe — not a real secret. The fingerprint format anchors per-commit so a future legitimate leak in the same file/rule will still be caught. Categories: - pkg/agentic/prep_test.go — t.Setenv("CORE_BRAIN_KEY", "") env-clear - pkg/orchestrator/security_test.go — MaskToken test fixture - php/docs/api-keys.md — curl-auth-header documentation example - php/View/Blade/admin/api-key-manager.blade.php — same - php/tests/Unit/ClaudeServiceTest.php — 'test-api-key' literal - php/tests/Feature/AgentApiKeyTest.php — 'ak_test_key_*' fixture - php/Services/AgentDetection.php — docblock example - src/php/* — older path of same files (pre-migration commits) Verification: gitleaks detect → 19 → 0 findings.
Co-Authored-By: Argus
Co-Authored-By: Athena
Co-Authored-By: Virgil
---
.gitleaksignore | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .gitleaksignore
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..2cfaaaa
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,48 @@
+# gitleaks ignore — documented false positives
+#
+# Each line below is a gitleaks fingerprint for a finding that has been
+# manually reviewed and confirmed to be a documentation placeholder, test
+# constant, env-clearing call, or example-snippet — NOT a real secret.
+#
+# Filed: Mantis #325. Reviewer: argus + athena. 2026-04-25.
+#
+# Format per gitleaks: :::
+# The file is anchored to per-commit fingerprints so a future legitimate
+# leak in the same file/rule will still be caught.
+#
+# Why ignore:
+# - php/docs/api-keys.md — curl example with placeholder Bearer
+# - php/View/Blade/admin/api-key-manager.blade.php — curl example
+# - php/tests/Unit/ClaudeServiceTest.php — 'test-api-key' literal in tests
+# - php/tests/Feature/AgentApiKeyTest.php — 'ak_test_key_*' test fixture
+# - php/Services/AgentDetection.php — docblock example string
+# - pkg/agentic/prep_test.go — t.Setenv("CORE_BRAIN_KEY", "") env-clear
+# - pkg/orchestrator/security_test.go — MaskToken test fixture
+# - src/php/* — older copies of the same files (pre-Burst migration)
+
+# pkg/agentic/prep_test.go (CORE_BRAIN_KEY env-clear)
+4fe1bf0aff66653a28625adde7df28f9b0b292ab:pkg/agentic/prep_test.go:generic-api-key:151
+726a384873dd17e1fb413fb8db9c8e63dd09b826:pkg/agentic/prep_test.go:generic-api-key:151
+da6d6cfa1a6e800364e576087524191e141b41d0:pkg/agentic/prep_test.go:generic-api-key:151
+
+# pkg/orchestrator/security_test.go (MaskToken test fixture)
+e90a84eaa01dccb9cbf5548bf057745eafa54243:pkg/orchestrator/security_test.go:generic-api-key:107
+
+# php/* placeholders + test fixtures — current path
+e58986a3b4e6bef381b3d436c16e1dbb2262aa5a:php/docs/api-keys.md:curl-auth-header:239
+e58986a3b4e6bef381b3d436c16e1dbb2262aa5a:php/View/Blade/admin/api-key-manager.blade.php:curl-auth-header:151
+e58986a3b4e6bef381b3d436c16e1dbb2262aa5a:php/tests/Unit/ClaudeServiceTest.php:generic-api-key:33
+e58986a3b4e6bef381b3d436c16e1dbb2262aa5a:php/tests/Feature/AgentApiKeyTest.php:generic-api-key:892
+e58986a3b4e6bef381b3d436c16e1dbb2262aa5a:php/Services/AgentDetection.php:generic-api-key:272
+ecd47fe3db0a057fcbca69b3e116f593336093dd:php/docs/api-keys.md:curl-auth-header:239
+ecd47fe3db0a057fcbca69b3e116f593336093dd:php/View/Blade/admin/api-key-manager.blade.php:curl-auth-header:151
+ecd47fe3db0a057fcbca69b3e116f593336093dd:php/tests/Unit/ClaudeServiceTest.php:generic-api-key:33
+ecd47fe3db0a057fcbca69b3e116f593336093dd:php/tests/Feature/AgentApiKeyTest.php:generic-api-key:892
+ecd47fe3db0a057fcbca69b3e116f593336093dd:php/Services/AgentDetection.php:generic-api-key:272
+
+# src/php/* — older path before pkg-rename (kept as historical fingerprints)
+e2d1d3266fe6af4f52ba88ba7b02583d9ad73d3b:src/php/docs/api-keys.md:curl-auth-header:239
+e2d1d3266fe6af4f52ba88ba7b02583d9ad73d3b:src/php/View/Blade/admin/api-key-manager.blade.php:curl-auth-header:151
+e2d1d3266fe6af4f52ba88ba7b02583d9ad73d3b:src/php/tests/Unit/ClaudeServiceTest.php:generic-api-key:33
+e2d1d3266fe6af4f52ba88ba7b02583d9ad73d3b:src/php/tests/Feature/AgentApiKeyTest.php:generic-api-key:892
+e2d1d3266fe6af4f52ba88ba7b02583d9ad73d3b:src/php/Services/AgentDetection.php:generic-api-key:272
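Review bot: The list holds 19 fingerprints (3 for prep_test.go, 1 for security_test.go, 10 under `php/`, 5 under `src/php/`), while the commit subject says 18 documented false positives; since every line here permanently silences a secret-scanner finding, the extra entry should be identified and the count reconciled so each suppression maps to a reviewed finding. The header line `# Format per gitleaks: :::` shows no field names on this page (they may have been lost in rendering); if the file really reads that way, spell it out, e.g. `# Format per gitleaks: commit:file:rule-id:start-line`. I would also add a caveat next to the anchoring comment, such as `# Commit-anchored entries match git-history scans only; re-verify after any history rewrite.`, because rewritten commits get new SHAs and, as far as I know, directory or staged scans emit fingerprints without the commit part, so these findings would reappear there.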