# High-signal secret patterns. Screen staged content against these BEFORE committing:
#
#   git diff --cached | grep -nEi -f templates/secret-patterns.txt
#
# Any match should block the commit until reviewed. These are heuristics, not
# proof - a hit may be a false positive (an example key in docs), and a miss
# does not guarantee safety. When in doubt, do not commit.

# --- Filenames / paths that should almost never be committed ---
(^|/)\.env($|\.)
(^|/)id_rsa($|\.)
\.pem$
\.p12$
\.pfx$
credentials\.json$
service-account.*\.json$

# --- Private keys (inline) ---
-----BEGIN (RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----

# --- Cloud provider credentials ---
AKIA[0-9A-Z]{16}
aws_secret_access_key
ASIA[0-9A-Z]{16}
AIza[0-9A-Za-z_\-]{35}
ya29\.[0-9A-Za-z_\-]+

# --- Tokens / generic secrets ---
gh[pousr]_[0-9A-Za-z]{36,}
xox[baprs]-[0-9A-Za-z-]+
sk-[A-Za-z0-9]{20,}
eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+
(api[_-]?key|secret|token|passwd|password)\s*[:=]\s*['"][^'"]{8,}['"]
Authorization:\s*Bearer\s+[A-Za-z0-9._\-]+
