# gitleaks - Doramagic AI Context Pack > Purpose: pre-work context for the user's host AI. This pack does not prove that the project has been installed, run, or validated. ## Project - canonical_name: `gitleaks/gitleaks` - capability: Find secrets with Gitleaks 🔑 - expected_user_outcome: Find secrets with Gitleaks 🔑 ## Operating Boundaries - Do not claim that the project has been installed, run, called through an API, or used on local files unless separate evidence proves it. - Project facts must come from repo evidence, Claim Graph, or explicit source references. - When a capability is not verified, mark it as unverified instead of completing it as fact. - publish_status: `publishable` - blocking_gaps: none --- ## Doramagic Context Augmentation The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints. ## Human Manual Outline Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph. Host AI hard rules: - Do not treat page titles, section order, summaries, or importance values as factual project evidence. - When explaining the Human Manual outline, state that it is only a reading route or salience signal. - Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph. - **Overview, Installation, and CLI Commands**: importance `high` - source_paths: README.md, main.go, cmd/root.go, cmd/git.go, cmd/directory.go - **Configuration, Rules, and Allowlists**: importance `high` - source_paths: config/config.go, config/rule.go, config/allowlist.go, config/utils.go, config/gitleaks.toml - **Scanning Modes, Sources, and Detection Engine**: importance `high` - source_paths: detect/detect.go, detect/files.go, detect/git.go, detect/reader.go, detect/fragment.go - **Reporting, Findings, and Output Formats**: importance `medium` - source_paths: report/finding.go, report/report.go, report/json.go, report/csv.go, report/junit.go ## Repo Inspection Evidence - repo_clone_verified: true - repo_inspection_verified: true - repo_commit: `8ad8470035d31a209322c580153b45c18e21b980` - inspected_files: `Dockerfile`, `README.md` Host AI hard rules: - Without repo_clone_verified=true, do not claim that the source code has been read. - Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts. - Without quick_start_verified=true, do not claim that the Quick Start path has run successfully. ## Doramagic Pitfall Constraints These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes. ### Constraint 1: Installation risk requires verification - Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/gitleaks/gitleaks/issues/2165 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 2: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/gitleaks/gitleaks/issues/2110 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 3: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: packet_text.keyword_scan | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 4: Installation risk requires verification - Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: identity.distribution | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 5: Capability evidence risk requires verification - Trigger: README/documentation is current enough for a first validation pass. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: capability.assumptions | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 6: Maintenance risk requires verification - Trigger: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: evidence.maintainer_signals | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 7: Security or permission risk requires verification - Trigger: no_demo - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: downstream_validation.risk_items | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 8: Security or permission risk requires verification - Trigger: no_demo - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: risks.scoring_risks | https://github.com/gitleaks/gitleaks - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 9: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/gitleaks/gitleaks/issues/2158 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 10: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/gitleaks/gitleaks/issues/2164 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.