From b630d0d4fb26c19dea574b25b125ceaf21edba26 Mon Sep 17 00:00:00 2001
From: Cobb <cobb@sulkta.com>
Date: Sat, 27 Jun 2026 12:59:05 -0700
Subject: [PATCH] =?UTF-8?q?gitleaks:=20drop=20broad=20docs/.*=20allowlist?=
 =?UTF-8?q?=20(hid=20a=20fork=20scratch=20doc)=20=E2=80=94=20scope=20to=20?=
 =?UTF-8?q?the=202=20docs=20that=20need=20it;=20future=20scratch=20docs=20?=
 =?UTF-8?q?now=20scanned?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitleaks.toml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 11864819e5..c62b17917b 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -9,7 +9,10 @@
 #    this as public-by-design (all real auth goes through FirebaseAuth)
 #  - Segment readKey: client-side write key
 #  - user_signing_key in KDoc comments: example values in doc-strings
-#  - docs/ + *Test.kt files: scratch + test fixtures, never live credentials
+#  - docs/maps.md + *Test.kt: public MapTiler client-token fixtures
+#  - docs/build-logs/ssss-roundtrip-result.md: a DEAD test SSSS key (testbot
+#    @testbot-elementx locked 2026-06-27); the broad docs/.* glob was REMOVED
+#    because it had hidden this fork-added scratch doc from CI
 
 [extend]
 useDefault = true
@@ -17,7 +20,8 @@ useDefault = true
 [allowlist]
 description = "Public client keys (PostHog, MapTiler, Firebase, Segment) + docs + test fixtures"
 paths = [
-    '''docs/.*''',
+    '''docs/maps\.md''',
+    '''docs/build-logs/ssss-roundtrip-result\.md''',
     '''.*/google-services\.json''',
     '''.*Test\.kt''',
     '''localazy\.json''',