From 6533f322e33c8f20a3a15f44ef9a150fa520a775 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 16 Apr 2026 08:46:00 +0000
Subject: [PATCH] fix: add last-reviewed watermark SHA to secret-scan safe patterns
---
 lib/secret-scan.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/secret-scan.sh b/lib/secret-scan.sh
index b350284..a53bd87 100644
--- a/lib/secret-scan.sh
+++ b/lib/secret-scan.sh
@@ -30,9 +30,10 @@ _SECRET_PATTERNS=(
 _SAFE_PATTERNS=(
 # Shell variable references: $VAR, ${VAR}, ${VAR:-default}
 '\$\{?[A-Z_]+\}?'
- # Git SHAs in typical git contexts (commit refs, not standalone secrets)
+ # Git SHAs in typical git contexts (commit refs, watermarks, not standalone secrets)
 'commit [0-9a-f]{40}'
 'Merge [0-9a-f]{40}'
+ 'last-reviewed: [0-9a-f]{40}'
 # Forge/GitHub URLs with short hex (PR refs, commit links)
 'codeberg\.org/[^[:space:]]+'
 'localhost:3000/[^[:space:]]+'
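Review bot: The new `'last-reviewed: [0-9a-f]{40}'` entry is unanchored on both sides, so any 40 hex characters following that literal are treated as safe, including the first 40 characters of a longer hex token. How `_SAFE_PATTERNS` is applied is not visible in this hunk; if a match exempts the whole line rather than only the matched text, anything else on a watermark line would also go unscanned. If the watermark always sits alone on its line, consider bounding it, e.g. `'^[[:space:]]*last-reviewed: [0-9a-f]{40}$'`, and add a comment naming what writes the watermark so the allowlist entry can be audited later. The existing `commit` and `Merge` entries have the same shape, and the array begins and ends outside the hunk.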