fix: allowlist mock workload access token in gitleaks config

scottschreckengaust · claude · scottschreckengaust · commit f769ea85133b · 2026-04-23T20:14:19.000Z
The context-hydration test uses `wat-opaque-123` as a mock workload
access token. Gitleaks flags this as a generic-api-key false positive
across all commits. Add a path-scoped allowlist entry to suppress it.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -10,3 +10,7 @@ paths = [
     "^agent/tests/test_hooks\\.py$",
     "^agent/tests/test_output_scanner\\.py$",
 ]
+
+[[allowlists]]
+description = "Mock workload access token in CDK handler tests (not a real credential)."
+stopwords = ["wat-opaque-123"]

Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,7 @@ paths = [`
`10`	`10`	`"^agent/tests/test_hooks\\.py$",`
`11`	`11`	`"^agent/tests/test_output_scanner\\.py$",`
`12`	`12`	`]`
	`13`	`+`
	`14`	`+[[allowlists]]`
	`15`	`+description = "Mock workload access token in CDK handler tests (not a real credential)."`
	`16`	`+stopwords = ["wat-opaque-123"]`