# git-crypt encrypts these files at rest in the repository; the working-tree
# copy is plaintext and stays on this machine. gitleaks scans that plaintext
# (the working-tree/staged copy) and has no way of knowing the committed blob
# is ciphertext, so allowlist the finding by fingerprint.
stacks/recruiter-responder/secrets/privkey.pem:private-key:1

# False positives: the `curl-auth-user` rule flags `-u "admin:..."` in the
# nextcloud-todos webhook-register provisioner, but the password is a shell
# variable ($NC_ADMIN_APP_PW) resolved at apply time from Vault; no literal
# secret is committed. Fingerprints are pinned to a line number, so these
# entries stop matching (and the finding reappears) whenever main.tf is
# edited above them: update the line numbers rather than disabling the rule.
stacks/nextcloud-todos/main.tf:curl-auth-user:383
stacks/nextcloud-todos/main.tf:curl-auth-user:400
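# The audit script below is an added example, not code from this repository.
# It checks each path:rule-id:line fingerprint above against the working tree
# so that two failure modes of line-pinned allowlists are caught instead of
# silently suppressed: an entry whose line number has drifted (stale), and a
# literal credential that later lands on an allowlisted line (which the
# fingerprint would keep hiding). Assumptions: the git-less fingerprint form
# gitleaks uses for `protect`/`--no-git` scans (no commit SHA prefix), regexes
# that only approximate the `curl-auth-user` and `private-key` rules, and
# constructed sample files (MAIN_TF, PRIVKEY_PEM, GITLEAKSIGNORE) that stand in
# for the real stacks.

```python
"""Audit .gitleaksignore fingerprints against the working tree.

Added example, not code from the repository this file belongs to. It assumes
the git-less fingerprint form gitleaks uses for `protect`/`--no-git` scans
(path:rule-id:start-line) and approximates two rules with its own regexes;
these are not gitleaks' upstream rule patterns.
"""
import re
import tempfile
from pathlib import Path

# Rough stand-ins for the gitleaks rules (assumption, not the upstream regexes).
CURL_ANY = re.compile(r'''-u\s+["']?[^\s:"']+:''')                      # anything curl-auth-user flags
CURL_VAR_PW = re.compile(r'''-u\s+["']?[^\s:"']+:\$\{?[A-Za-z_]\w*\}?''')  # password is a shell variable
PEM_BEGIN = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')


def parse_fingerprint(entry: str):
    """'path:rule:line' -> (path, rule, line); rsplit so ':' inside paths survives."""
    path, rule, lineno = entry.rsplit(':', 2)
    return path, rule, int(lineno)


def check_entry(root: Path, entry: str) -> str:
    """Classify one allowlist entry: ok, stale, literal-secret, or an error."""
    path, rule, lineno = parse_fingerprint(entry)
    target = root / path
    if not target.is_file():
        return 'missing-file'
    lines = target.read_text().splitlines()
    if not 1 <= lineno <= len(lines):
        return 'out-of-range'
    text = lines[lineno - 1]
    if rule == 'curl-auth-user':
        if CURL_VAR_PW.search(text):
            return 'ok'              # password still resolved from a variable
        if CURL_ANY.search(text):
            return 'literal-secret'  # the allowlist is now hiding a real credential
        return 'stale'               # nothing on this line trips the rule any more
    if rule == 'private-key':
        return 'ok' if PEM_BEGIN.search(text) else 'stale'
    return 'unknown-rule'


def audit(root: Path, ignore_text: str) -> dict:
    """Run check_entry over every non-comment, non-empty line of a .gitleaksignore."""
    results = {}
    for raw in ignore_text.splitlines():
        entry = raw.strip()
        if entry and not entry.startswith('#'):
            results[entry] = check_entry(root, entry)
    return results


# --- constructed sample inputs (not the real project files) ------------------
MAIN_TF = [
    'resource "null_resource" "webhook_register" {',                                          # 1
    '  provisioner "local-exec" {',                                                            # 2
    '    command = <<-EOT',                                                                    # 3
    '      curl -u "admin:$NC_ADMIN_APP_PW" -X POST https://nc.example.invalid/ocs/v2.php',     # 4
    '      # leftover from before rotation: curl -u "admin:hunter2" https://nc.example.invalid/',  # 5
    '    EOT',                                                                                 # 6
    '  }',                                                                                     # 7
    '}',                                                                                       # 8
]
PRIVKEY_PEM = [
    '-----BEGIN PRIVATE KEY-----',   # 1
    'placeholder-not-a-real-key',    # 2
    '-----END PRIVATE KEY-----',     # 3
]
GITLEAKSIGNORE = """\
# variable reference, still justified
stacks/nextcloud-todos/main.tf:curl-auth-user:4
# a literal password landed on an allowlisted line
stacks/nextcloud-todos/main.tf:curl-auth-user:5
# line number drifted after an edit
stacks/nextcloud-todos/main.tf:curl-auth-user:7
stacks/recruiter-responder/secrets/privkey.pem:private-key:1
stacks/recruiter-responder/secrets/privkey.pem:private-key:3
"""


def demo() -> dict:
    """Materialise the constructed tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    for rel, body in (('stacks/nextcloud-todos/main.tf', MAIN_TF),
                      ('stacks/recruiter-responder/secrets/privkey.pem', PRIVKEY_PEM)):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text('\n'.join(body) + '\n')
    return audit(root, GITLEAKSIGNORE)


if __name__ == '__main__':
    for entry, verdict in demo().items():
        print(f'{verdict:15} {entry}')
```

# Run it from the repository root (pass Path('.') and the real .gitleaksignore
# text to audit()) as a pre-commit step next to gitleaks itself: a
# 'literal-secret' verdict is a finding, 'stale' means the line number needs
# updating, and 'ok' means the entry still suppresses only what the comment
# above it says it does.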