From 04fc967cbb2bbb533e32e7295f2fcf199c32789d Mon Sep 17 00:00:00 2001
From: kayos
Date: Thu, 28 May 2026 12:16:25 -0700
Subject: [PATCH] =?UTF-8?q?ci:=20gitleaks=20allowlist=20=E2=80=94=20PostHo?= =?UTF-8?q?g=20public=20client=20key=20+=20docs/build-logs=20scratch=20+?= =?UTF-8?q?=20Matrix=20KDoc=20examples.=20Refs=20#300?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitleaks.toml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .gitleaks.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000000..3e8f414069
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,25 @@
+# gitleaks config — element-x-ada
+#
+# Element X is a Matrix client (fork). Patterns flagged are all
+# public-by-design or doc fixtures:
+# - PostHog apiKey: client-side analytics token, public on every PostHog-
+# integrated mobile app. Identifies the project, doesn't grant write.
+# - user_signing_key in ElementClassicConnection.kt: KDoc EXAMPLE of what
+# the response shape looks like, not a live key
+# - docs/build-logs/*.md: roundtrip-test scratch output
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Public PostHog client keys + Matrix protocol doc examples + build-log scratch"
+paths = [
+ '''docs/build-logs/.*''',
+]
+regexTarget = "line"
+regexes = [
+ # PostHog client API key (public-by-design — ships in every PostHog SDK consumer)
+ '''apiKey\s*=\s*"phc_[A-Za-z0-9_-]{30,}"''',
+ # Matrix protocol JSDoc examples in KDoc comments (the * prefix is the giveaway)
+ '''^\s*\*\s*"user_signing_key"\s*:\s*"''',
+]
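Review bot: The `paths` entry `'''docs/build-logs/.*'''` exempts more than the header comment describes. It is an unanchored regex, so every file type under any path containing `docs/build-logs/` is skipped by all rules, while the comment only mentions `docs/build-logs/*.md`. Build-log output is a common place for real tokens to end up, so I would narrow it to `'''^docs/build-logs/.*\.md$'''`, or suppress the specific findings by fingerprint in `.gitleaksignore` so that anything new pasted into that directory is still reported. The `user_signing_key` regex has the same scoping gap: in a single `[allowlist]` the path and regex criteria match independently, so it silences matching lines in every file rather than only `ElementClassicConnection.kt`. If the gitleaks version pinned in CI supports it, a separate allowlist with `condition = "AND"` and a path for that file would tie the two together.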