# Secrets-scan allowlist (consumed by ~/.claude/harness/scripts/secrets-scan.sh)
# Format:  <path-or-glob>:<line-number | substring-to-match>
# Each entry suppresses a known false positive. Real secrets must NEVER be added.

# Test fixtures — deliberately fake credentials that exercise token generation/JWT
# signing. Not live secrets (TEST_TEAM_ID / test_signature / throwaway key).
tests/conftest.py:BEGIN PRIVATE KEY
tests/conftest.py:test_signature
tests/test_harvest.py:FAKE_TOKEN

# User-facing CLI help text referencing the `generate-token` command name
# (a command, not a secret value).
src/applemusic_mcp/server.py:generate-token
