# Optophi standard Semgrep path excludes — byte-identical across pycharter,
# pystator, pygubernator, pyactuator, pyalbedo, pycatalyst, pyfortis, pyintake,
# pyoptima.
#
# Semgrep auto-discovers this file (like .gitignore). Each glob excludes the
# matching paths from ALL Semgrep rules. We use this instead of the previous
# `.semgrep.yml` rule-ID overrides because that approach required Semgrep v2
# rule-patch syntax (message + severity + languages + pattern) — a per-rule
# path exclude alone is not a valid Semgrep rule and causes silent rule-load
# failure under `semgrep ci --config`. See Semgrep docs:
#   https://semgrep.dev/docs/cli-reference/#semgrep-scan-options-and-flags
#
# Keep the list conservative. If a new path triggers a false positive that
# blocks CI, consider inline ``# nosemgrep: <rule-id>`` first; only add a
# broad path here if inline suppression won't scale.

# ─── Committed virtual environments (accidentally checked in) ─────────────
venv/
.venv/

# ─── Test code — security rules apply to production, not fixtures ────────
tests/

# ─── SQLAlchemy identifier interpolation (legit internal DB-ops paths) ───
# SQLAlchemy does not bind identifiers (table / column names); internal
# admin tooling, migrations, DLQ stores, schema-discovery, and worker job
# sources must interpolate them into text() calls. Because an entry here
# silences every rule for the whole file, these modules are responsible
# for allowlisting the identifiers they interpolate, and values in the
# same statements must still go through bound parameters, never string
# formatting.
**/db/cli.py
**/db/_cli_commands.py
**/db/migrations/**
**/dlq/database_store.py
**/dlq/_db_*.py
**/discovery/sql_schema.py
**/discovery/stores/_sql.py
**/pipeline_generator/_db_*.py
**/pipeline_generator/_dlq_*.py
**/worker/event_sources/database.py
**/worker/event_sources/apply_data_database.py
**/worker/job_sources/_db_queries.py
**/worker/job_sources/database.py
**/workflow/_claiming.py
**/connectors/sinks/database.py
**/sinks/database.py
**/api/services/_db_testing.py
**/api/services/dlq_testing.py
**/semantic/knowledge/graph.py
**/semantic/knowledge/lineage.py
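# Added example (not code from any of the listed projects) of the split the
# exclusion above relies on: table/column names pass a strict allowlist and
# are quoted before interpolation, while values stay bound. It uses stdlib
# sqlite3 so it runs without SQLAlchemy installed; the validated identifier
# is what a text() statement would interpolate. The names safe_identifier,
# count_where, demo and the dlq_events table are constructed for this example.

```python
import re
import sqlite3

# Allowlist for SQL identifiers: letters, digits and underscore, no leading
# digit, at most 63 characters (PostgreSQL's identifier length limit).
_IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def safe_identifier(name: str) -> str:
    """Validate a table/column name and return it double-quoted.

    Identifiers cannot be bound as parameters, so the only defence is to
    reject anything outside the allowlist and quote what remains.
    """
    if not _IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe SQL identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def count_where(conn: sqlite3.Connection, table: str, column: str, value: str) -> int:
    """Count rows where column == value: identifiers interpolated, value bound."""
    sql = (f"SELECT COUNT(*) FROM {safe_identifier(table)} "
           f"WHERE {safe_identifier(column)} = :v")
    return conn.execute(sql, {"v": value}).fetchone()[0]


def demo() -> dict:
    """Constructed in-memory table standing in for a DLQ store."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "dlq_events" ("status" TEXT)')
    conn.executemany('INSERT INTO "dlq_events" VALUES (?)',
                     [("failed",), ("failed",), ("ok",)])
    results = {
        "failed_count": count_where(conn, "dlq_events", "status", "failed"),
        # A quote-laden *value* is just data once bound: it matches nothing.
        "bound_value_count": count_where(conn, "dlq_events", "status",
                                         "failed' OR '1'='1"),
    }
    # Anything outside the allowlist is refused before any SQL is built.
    for bad in ("dlq_events; DROP TABLE dlq_events", 'status" OR 1=1 --'):
        try:
            safe_identifier(bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results
```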

# ─── Credential audit-log boundary ────────────────────────────────────────
# These paths log a credential's name/id as part of the standard audit
# trail; no secret value, token, or derived key material is logged.
**/api/routes_credentials.py
**/api/routes_webhooks.py
**/api/services/_workflows.py
**/config/integrations.py
**/llm/_tokens.py
