security: add gitleaks scanning + 2026-04-18 delta review (#403)

* security: add gitleaks scanning + 2026-04-18 security delta review

Delta review between PR #377 (2026-03-17) and 7b42e36 found no new
critical/high issues. Three cybersecurity-skills toolkits ran:
gitleaks secret scanning, GitHub Actions workflow hardening, and
cryptographic audit of the delta.

Historic leak surfaced: 4 real test-instance tokens (zwqg, plasma,
zulu, badger) sat in public git history from late-2025 / early-2026.
All four are now dead ('Invalid token' response), so the exposure is
stale — but worth documenting and preventing recurrence.

Adds:
- .gitleaks.toml: custom rules for NetBox v1 (40-hex) and v2 (nbt_*)
  token formats plus a project-wide allowlist (docker-compose
  bootstrap token, Slack webhook placeholders, generic 'your-key'
  patterns)
- .gitleaks-baseline.json: snapshot of 8 historic (dead-token)
  findings so CI only flags new secrets
- .github/workflows/secret-scan.yml: gitleaks CI on every push/PR
  to dev/main via gitleaks-action@v2
- .pre-commit-config.yaml: opt-in local gitleaks pre-commit hook
- docs/superpowers/reviews/2026-04-18-security-delta-review.md:
  full findings report with severity tags and follow-up PR list

Medium findings documented for follow-up (not fixed here):
- pre-release-validation.yml: 5 \${{ inputs.* }} interpolations
  into pwsh run-blocks (script injection vector via workflow_dispatch)
- actions/* SHA pinning: 25+ unpinned references to GitHub-owned
  actions (supply-chain hardening)

Positive findings worth preserving:
- PR #377 HTTP-plaintext warning, SkipCertificateCheck opt-in,
  AllowInsecureRedirect warning are all intact
- zwqg token was protected by NetBox per-token IP allowlist during
  its live window — a defense-in-depth layer that should be
  enabled on all prod-hosted tokens
- Central auth + TLS code in InvokeNetboxRequest, Connect-NBAPI,
  Set-NBCipherSSL is unchanged since PR #377 (no regressions)

* security: widen gitleaks v1-token rule to catch low-entropy hex

The initial rule required a 'netbox_token' / 'api_token' prefix, which
missed tokens committed as plain PowerShell 'Token = ''aaaa4bb9...'''.
Gitleaks' default generic-api-key uses entropy >= 3.5, but the exposed
'aaaa4bb91eb7...' token scores 3.37 (below threshold) because of the
'aaaa' prefix.

Widened the keyword alternation to also match bare 'token' / 'apikey' /
'api_key' as assignment prefixes, which catches the common PowerShell
hashtable / YAML / JSON patterns without being so loose that it matches
any 40-hex string.

Regenerated the baseline to capture the 9 historic findings (previous
8 + the 'aaaa4bb9' in ScenarioTestHelper.psm1 that was missing).

Verified:
- Synthetic test: 'Token = ''aaaa...''' now flagged
- Baseline-suppressed full scan: 'no leaks found' on HEAD

* security: address Gemini review — tighten allowlist, drop path exclusions

Two of Gemini's three review comments were valid:

1. Bracket-placeholder regex was too broad (HIGH — valid)
   Previous: `(<|\[|\{)[^>\]\}]*(token|key|secret|password)[^>\]\}]*(>|\]|\})`
   This silently allowlisted real secrets inside PowerShell hashtables and
   JSON objects, e.g.:
       @{ token = 'real_secret_value' }
       {"secret": "real_value"}
   The curly-brace match would swallow the entire structure.

   Fix: narrow to angle-bracket placeholders only, with an enumerated
   placeholder-prefix word:
       <(your|placeholder|example|fake|insert|my)?[-_]?(api[-_]?)?(token|key|secret|password|pat)>
   Still matches <YOUR_TOKEN>, <MY_API_KEY>, <PAT>, <TOKEN>. Does NOT
   match @{ token = '...' } or {"secret": "..."} — real secrets in those
   contexts are now correctly flagged.

2. Tests/ and docs/ path exclusions dropped (MEDIUM — valid)
   Gemini: "Real tokens have landed in tests before" — and indeed, the
   very tokens this PR documents leaked via Tests/Scenario/ScenarioTestHelper.psm1.
   Keeping these paths scannable catches that class of mistake again.

   Added 'nbt_abc123def456.ghijklmnopqrstuvwxyz1234567890' (the one
   placeholder token in Tests/Setup.Tests.ps1) to the v2-token rule
   allowlist. No other Tests/ or docs/ entries triggered findings with
   the existing allowlist — no ongoing maintenance burden.

The third comment (v8.30.1 doesn't exist) was empirically refuted —
`curl https://api.github.com/repos/gitleaks/gitleaks/releases` returns
v8.30.1 as the current latest (published 2026-03-21). Gemini's training
data apparently predates the v8.22+ release line. Pinned version is
correct; see the pre-commit-hooks.io mirror for confirmation.

Baseline regenerated: 10 entries (was 9) — added the one Tests/Setup.Tests.ps1
placeholder that the path exclusion previously hid.

* security: round 2 Gemini feedback — word boundaries + global placeholders

Addresses Gemini's second-round review (2026-04-18T09:00:46Z):

1. Added \b word boundaries to netbox-v2-token regex (valid, MEDIUM)
   Prevents partial matches within larger alphanumeric strings.

2. Moved v2 token placeholders from [rules.allowlist] to global
   [allowlist].regexes (valid, MEDIUM). Now suppressed against every
   rule including the default generic-api-key rule.

3. v1 token rule hardening (partially valid, MEDIUM):
   - Added \b boundaries so exactly 40 hex chars are required
     (a 48-hex string won't match the first 40 — precisely what
     Gemini's (?![a-f0-9]) lookahead would have achieved, but
     Go's regexp package doesn't support lookahead, so \b is
     the portable equivalent — verified empirically: gitleaks
     panics on Perl-syntax `(?!`)
   - Added "api-key" (dash form) to keywords for broader trigger
   - Added secretGroup = 1 so fingerprint uses the captured token
     value, not the full match including the keyword prefix

Baseline regenerated: 9 entries (was 10 — the tightened v2 rule
no longer flags the nbt_abc123def456.ghijklmnopqrstuvwxyz1234567890
placeholder since it's now globally allowlisted).

Synthetic verification:
- 'Token = ''aaaa4bb9...40hex''': flagged ✓
- 'nbt_kVJSfSxl3xvO.b4K...': flagged ✓
- nbt_abc123def456.ghijk... placeholder: suppressed ✓
- @{ secret = 'abc...42hex' } (real-looking secret in hashtable):
  now flagged by default generic-api-key (the overly-broad bracket
  allowlist from v1 no longer hides it) ✓

* security: add leading \b to v1 token rule (round 3 Gemini)

Without a leading word boundary, the v1 token regex would partial-match
the substring 'Token' inside identifiers like PowerShell's
`$CancellationToken` or .NET's `CancellationToken`, producing false
positives on any 40-hex value assigned to such a variable.

Verified empirically:

    $CancellationToken = '<40-hex>'

Before: flagged by netbox-v1-token rule (FP)
After:  flagged only by generic-api-key entropy rule (correct default
        gitleaks behavior; my custom rule now correctly abstains)

`$Token = '<40-hex>'` still flagged by netbox-v1-token (intended).

Baseline unchanged at 9 entries — all historic findings use `Token =` or
equivalent identifiers that already start at a word boundary.

Author: ctrl-alt-automate

.github/workflows/secret-scan.yml

@@ -0,0 +1,29 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: [dev, main, master]
+  pull_request:
+    branches: [dev, main, master]
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history — gitleaks needs commits to scan
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Gitleaks picks up .gitleaks.toml and .gitleaks-baseline.json
+          # from the repo root automatically.
+          GITLEAKS_ENABLE_SUMMARY: "true"
+          GITLEAKS_ENABLE_COMMENTS: "true"

.gitleaks-baseline.json

@@ -0,0 +1,227 @@
+[
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 272,
+  "EndLine": 272,
+  "StartColumn": 23,
+  "EndColumn": 79,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": ".github/workflows/integration.yml",
+  "SymlinkFile": "",
+  "Commit": "8044791c23a49df78e385aca6ffc74b0023f8ab1",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/8044791c23a49df78e385aca6ffc74b0023f8ab1/.github/workflows/integration.yml#L272",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-06T12:54:06Z",
+  "Message": "security: Remove hardcoded tokens from ScenarioTestHelper\n\nBREAKING CHANGE: Test credentials now loaded from environment variables\n\nRequired environment variables:\n- NETBOX_449_HOST / NETBOX_449_TOKEN (plasma-paint)\n- NETBOX_449_ZWQG_HOST / NETBOX_449_ZWQG_TOKEN (cloud.netboxapp.com)\n- NETBOX_437_HOST / NETBOX_437_TOKEN (badger-victor)\n- NETBOX_450_HOST / NETBOX_450_TOKEN (zulu-how)\n\nAdded validation with clear error messages when env vars are missing.\n\nIMPORTANT: Revoke and regenerate all exposed tokens immediately!\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "8044791c23a49df78e385aca6ffc74b0023f8ab1:.github/workflows/integration.yml:netbox-v2-token:272"
+ },
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 28,
+  "EndLine": 28,
+  "StartColumn": 22,
+  "EndColumn": 78,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L28",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:netbox-v2-token:28"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 13,
+  "EndLine": 13,
+  "StartColumn": 10,
+  "EndColumn": 62,
+  "Match": "Token    = '4188039a3a05ebb58e4969873bace61c77222eb7'",
+  "Secret": "4188039a3a05ebb58e4969873bace61c77222eb7",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L13",
+  "Entropy": 3.7464395,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:netbox-v1-token:13"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 18,
+  "EndLine": 18,
+  "StartColumn": 10,
+  "EndColumn": 62,
+  "Match": "Token    = 'a9717b9520d54d19383649066ef3b25e313bf219'",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L18",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:netbox-v1-token:18"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 23,
+  "EndLine": 23,
+  "StartColumn": 10,
+  "EndColumn": 62,
+  "Match": "Token    = 'aaaa4bb91eb74fe02ec1be9a83940341a49b1e9a'",
+  "Secret": "aaaa4bb91eb74fe02ec1be9a83940341a49b1e9a",
+  "File": "Tests/Scenario/ScenarioTestHelper.psm1",
+  "SymlinkFile": "",
+  "Commit": "02c3b9594f380b310bc07ea43487019d3d960e49",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/02c3b9594f380b310bc07ea43487019d3d960e49/Tests/Scenario/ScenarioTestHelper.psm1#L23",
+  "Entropy": 3.3696768,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2026-01-03T15:16:15Z",
+  "Message": "feat: Add 500 error fallback for bulk operations\n\nWhen bulk API requests fail with 500 Internal Server Error (which can\noccur due to Redis cache inconsistency on cloud-hosted Netbox instances),\nthe module now automatically falls back to sequential single-item requests.\n\nChanges:\n- Send-NBBulkRequest: Add 500 error detection and sequential fallback\n  with exponential backoff retry (3 attempts, 500ms/1s/2s delays)\n- Connect-NBAPI: Add AllowInsecureRedirect for PS 7.4+ compatibility\n- Set-NBIPAMAddress: Add ValueFromPipelineByPropertyName to Status/Description\n- Get-NBTenant: Rename GroupID to Group_Id with backwards-compatible alias\n- Add Scenario test suite for bulk operations, workflows, filters\n\nFixes: Test file bug where $($i++) in string interpolation doesn't work\nin PowerShell - increment must be on separate line before use.\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "02c3b9594f380b310bc07ea43487019d3d960e49:Tests/Scenario/ScenarioTestHelper.psm1:netbox-v1-token:23"
+ },
+ {
+  "RuleID": "netbox-v2-token",
+  "Description": "NetBox v2 Bearer token (nbt_\u003ckey\u003e.\u003csecret\u003e)",
+  "StartLine": 242,
+  "EndLine": 242,
+  "StartColumn": 24,
+  "EndColumn": 80,
+  "Match": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "Secret": "nbt_kVJSfSxl3xvO.b4KIab8fc0sKntsws0KK7j6VwWNYnztZ9BOC7NAq",
+  "File": ".github/workflows/integration.yml",
+  "SymlinkFile": "",
+  "Commit": "a449cfaa9c6c7618986285ab852df27a9e863c0b",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/a449cfaa9c6c7618986285ab852df27a9e863c0b/.github/workflows/integration.yml#L242",
+  "Entropy": 5.043073,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-30T09:13:28Z",
+  "Message": "ci: Add exe.dev live testing workflow and v2 token support\n\n- Update version matrix: 4.3.7, 4.4.9, 4.5.0-beta1\n- Add v2 token tests for Netbox 4.5+ in integration.yml\n- Add 4.5.0-beta1 to compatibility.yml\n- Create exe-dev-tests.yml for testing against live exe.dev VMs\n  - Manual trigger with VM selection (all/stable/minimum/beta)\n  - Quick and full test scopes\n  - Requires EXEDEV_TOKEN_* secrets\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v2"
+  ],
+  "Fingerprint": "a449cfaa9c6c7618986285ab852df27a9e863c0b:.github/workflows/integration.yml:netbox-v2-token:242"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 21,
+  "EndLine": 21,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/netbox-api.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/netbox-api.md?plain=1#L21",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/netbox-api.md:netbox-v1-token:21"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 8,
+  "EndLine": 8,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/test-endpoint.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/test-endpoint.md?plain=1#L8",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/test-endpoint.md:netbox-v1-token:8"
+ },
+ {
+  "RuleID": "netbox-v1-token",
+  "Description": "NetBox v1 API token (40-char hex key)",
+  "StartLine": 12,
+  "EndLine": 12,
+  "StartColumn": 2,
+  "EndColumn": 49,
+  "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
+  "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
+  "File": ".claude/commands/implement.md",
+  "SymlinkFile": "",
+  "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/implement.md?plain=1#L12",
+  "Entropy": 3.7659574,
+  "Author": "ctrl-alt-automate",
+  "Email": "elvis@deployment-team.nl",
+  "Date": "2025-12-10T22:15:53Z",
+  "Message": "Add development tooling and Claude Code integration\n\n- Add CLAUDE.md with project overview and development guide\n- Add Connect-DevNetbox.ps1 helper script for quick API connection\n- Add .netboxps.config.example.ps1 template for local credentials\n- Add specialized slash commands for AI-assisted development:\n  - /netbox-api: Netbox API expert for endpoint documentation\n  - /powershell-expert: PowerShell best practices guidance\n  - /implement: Combined workflow for new endpoint implementation\n  - /test-endpoint: Compatibility testing against Netbox 4.4.7\n- Update .gitignore to exclude local config files\n\n🤖 Generated with [Claude Code](https://claude.com/claude-code)\n\nCo-Authored-By: Claude Opus 4.5 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [
+   "netbox",
+   "token",
+   "v1"
+  ],
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/implement.md:netbox-v1-token:12"
+ }
+]

.gitleaks.toml

@@ -0,0 +1,77 @@
+# PowerNetbox Gitleaks Configuration
+# Extends the default rule set with PowerNetbox-specific patterns
+# and an allowlist for known test/placeholder values.
+
+title = "PowerNetbox Gitleaks Configuration"
+
+[extend]
+useDefault = true
+
+# Custom rule: NetBox v2 Bearer token format (nbt_<key>.<secret>).
+# Word boundaries (\b) prevent partial matches inside longer alphanumeric
+# strings — e.g. `XnbtX_abc123.xyz...` (unlikely but possible) won't false-
+# positive at the inner "nbt_" position.
+[[rules]]
+id = "netbox-v2-token"
+description = "NetBox v2 Bearer token (nbt_<key>.<secret>)"
+regex = '''\bnbt_[A-Za-z0-9]{10,}\.[A-Za-z0-9]{30,}\b'''
+keywords = ["nbt_"]
+tags = ["netbox", "token", "v2"]
+
+# Custom rule: NetBox v1 token (40-char hex). Matches PowerShell assignment
+# style (`Token = '...'`), YAML/JSON style (`token: "..."`), and common
+# variable-name prefixes (NETBOX_TOKEN, API_TOKEN, etc.).
+# This rule catches tokens that gitleaks' built-in generic-api-key rule
+# may miss due to low-entropy leading chars (e.g. 'aaaa4bb9...').
+# Word boundaries ensure exactly-40-hex match — a 48-hex string won't
+# match the first 40 chars.  Go's regexp package doesn't support negative
+# lookahead, so `\b` is the portable equivalent.
+[[rules]]
+id = "netbox-v1-token"
+description = "NetBox v1 API token (40-char hex key)"
+regex = '''(?i)\b(?:token|netbox[_-]?token|nb[_-]?token|api[_-]?token|api[_-]?key)\s*[:=]\s*["']?\b([a-f0-9]{40})\b["']?'''
+keywords = ["token", "apikey", "api_key", "api-key"]
+secretGroup = 1
+tags = ["netbox", "token", "v1"]
+
+# Global allowlist for common PowerNetbox test/placeholder values.
+# Placeholders live here (not per-rule) so they're suppressed against every
+# rule, including the default generic-api-key entropy scan.
+[allowlist]
+description = "PowerNetbox project-wide allowlist"
+
+paths = [
+    # The config file itself contains example patterns that would trip its own rules.
+    '''(^|/)\.gitleaks\.toml$''',
+    # Baseline captures historic findings that have been rotated.
+    '''(^|/)\.gitleaks-baseline\.json$''',
+    # Note: Tests/ and docs/ are intentionally NOT excluded so real tokens
+    # accidentally landing there are still caught. Rely on the regex
+    # allowlist below for known-safe placeholders.
+]
+
+regexes = [
+    # docker-compose.ci.yml bootstrap token (public netbox-docker default)
+    '''0123456789abcdef0123456789abcdef01234567''',
+    # Slack webhook placeholder pattern (T00000000/B00000000/XXX...)
+    '''hooks\.slack\.com/services/T0+/B0+/X+''',
+    # Common placeholder patterns — matches YOUR_TOKEN, my-api-key, etc.
+    '''(?i)your[-_]?(api[-_]?)?(token|key|secret)''',
+    '''(?i)(example|sample|placeholder|fake|dummy|test|insert|my)[-_]?(api[-_]?)?(token|key|secret|password)''',
+    # NetBox v2 token placeholders used in docs and tests. Kept here (not in
+    # a per-rule allowlist) so they're also ignored by the generic-api-key
+    # rule if its entropy heuristic ever catches them.
+    '''nbt_abc123\.xyz789''',
+    '''nbt_abc123def456\.ghijklmnopqrstuvwxyz1234567890''',
+    '''nbt_ExampleKey123\.ExampleSecretValue456789''',
+    '''nbt_yourKey\.yourSecret''',
+    '''nbt_\{key\}\.\{secret\}''',
+    # Angle-bracket placeholders only: <TOKEN>, <YOUR_API_KEY>.
+    # Intentionally narrow — does NOT match PowerShell hashtables (`@{ token = 'x' }`)
+    # or JSON objects (`{"secret": "value"}`), which could hide real secrets.
+    '''(?i)<(your|placeholder|example|fake|insert|my)?[-_]?(api[-_]?)?(token|key|secret|password|pat)>''',
+    # xxxxxxxx, ****, 00000000 sequences
+    '''x{8,}''',
+    '''\*{8,}''',
+    '''0{10,}''',
+]