Configuration Reference

Three files control Pretense: .pretense.yaml for settings, .pretenseignore for exclusions, and ~/.pretense/credentials.json for authentication.

Complete default configuration

.pretense.yaml
# .pretense.yaml — full configuration reference
version: "0.6"

proxy:
  port: 9339
  timeout: 30000

mutation:
  enabled: true
  strategy: djb2
  saltRounds: 4
  languages:
    - typescript
    - javascript
    - python
    - go
    - java
  exclude:
    - "*.test.ts"
    - node_modules
  preserveComments: true
  preserveStrings: true

rules:
  - pattern: "getUserPayment.*"
    action: mutate
    note: "payment functions"
  - pattern: "STRIPE_.*"
    action: block
    note: "Stripe secrets"

secrets:
  patterns: default
  customPatterns: []
  blockOnDetect: true

audit:
  enabled: true
  retentionDays: 90
  export: sqlite

team:
  maxSeats: 100
  plan: pro

Run pretense init to generate this file in your project root.

proxy

Controls the local HTTP proxy server that intercepts LLM API traffic.

Field          Type    Default  Description
proxy.port     number  9339     Port the Pretense proxy listens on. Change this if 9339 conflicts with another service.
proxy.timeout  number  30000    Maximum milliseconds to wait for an upstream LLM API response before returning a 504.

mutation

Controls which files are scanned, which languages are supported, and what token types are mutated.

Field                      Type      Default                                               Description
mutation.languages         string[]  ["typescript", "javascript", "python", "go", "java"]  Languages the token scanner recognizes.
mutation.exclude           string[]  ["*.test.ts", "node_modules"]                         Glob patterns for files and directories to skip during scanning.
mutation.preserveComments  boolean   true                                                  When true, all comment text is forwarded verbatim.
mutation.preserveStrings   boolean   true                                                  When true, string literals are forwarded unchanged. Required for correct round-trip reversal.

secrets

Controls the secrets and PII scanner that blocks credentials from leaving your machine.

Field                   Type                          Default    Description
secrets.patterns        "default" | "strict" | "off"  "default"  "default" covers 30+ patterns. "strict" adds PII detection. "off" disables the scanner.
secrets.customPatterns  string[]                      []         Additional regex patterns to scan for. Useful for internal credential formats.
secrets.blockOnDetect   boolean                       true       When true, any request containing a detected secret is rejected with HTTP 422.

audit

Controls the local audit log that records every mutation event for compliance reporting.

Field                Type                          Default   Description
audit.enabled        boolean                       true      Enables or disables the audit log. Required for SOC2 and HIPAA compliance exports.
audit.retentionDays  number                        90        Number of days to retain audit log entries. Free tier: 30 days. Pro: 365 days.
audit.export         "sqlite" | "json" | "ndjson"  "sqlite"  Storage backend for the audit log.

Environment variable overrides

Any config field can be overridden via environment variable at runtime. Env vars take precedence over config.json.

Environment variable      Config field
PRETENSE_PORT             proxy.port
PRETENSE_TIMEOUT          proxy.timeout
PRETENSE_BLOCK_SECRETS    secrets.blockOnDetect
PRETENSE_AUDIT_ENABLED    audit.enabled
PRETENSE_AUDIT_RETENTION  audit.retentionDays
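
An added example, not part of the Pretense documentation or code base: because these overrides apply at runtime, a shell variable can switch off secret blocking or the audit log while the committed configuration still shows both enabled. The Python below applies the override table to an already-parsed configuration and reports protective settings that end up off; the boolean parsing rule, the function names and the sample data are assumptions.

```python
import copy

# Env var -> (section, field, type), copied from the override table above.
OVERRIDES = {
    "PRETENSE_PORT": ("proxy", "port", int),
    "PRETENSE_TIMEOUT": ("proxy", "timeout", int),
    "PRETENSE_BLOCK_SECRETS": ("secrets", "blockOnDetect", bool),
    "PRETENSE_AUDIT_ENABLED": ("audit", "enabled", bool),
    "PRETENSE_AUDIT_RETENTION": ("audit", "retentionDays", int),
}

def _parse(raw, kind):
    # Assumption: booleans are "true"/"1"; anything else counts as false,
    # so an unexpected value is reported rather than silently trusted.
    if kind is bool:
        return raw.strip().lower() in ("true", "1")
    return int(raw)

def effective_config(file_cfg, env):
    """Return (config after env overrides, {dotted field: env var that set it})."""
    cfg, source = copy.deepcopy(file_cfg), {}
    for var, (section, field, kind) in OVERRIDES.items():
        if var in env:
            cfg.setdefault(section, {})[field] = _parse(env[var], kind)
            source[f"{section}.{field}"] = var
    return cfg, source

def weakened(file_cfg, env):
    """List protective settings that are off once overrides apply (page defaults if unset)."""
    cfg, source = effective_config(file_cfg, env)
    secrets, audit = cfg.get("secrets", {}), cfg.get("audit", {})
    checks = [
        ("secrets.patterns", secrets.get("patterns", "default") != "off"),
        ("secrets.blockOnDetect", secrets.get("blockOnDetect", True) is True),
        ("audit.enabled", audit.get("enabled", True) is True),
    ]
    return [f"{name} off via {source.get(name, '.pretense.yaml')}"
            for name, ok in checks if not ok]

# Constructed sample: the committed file keeps the defaults shown on this page...
FILE_CFG = {"secrets": {"patterns": "default", "blockOnDetect": True},
            "audit": {"enabled": True, "retentionDays": 90}}
# ...while a constructed shell environment turns two protections off.
SAMPLE_ENV = {"PRETENSE_BLOCK_SECRETS": "false", "PRETENSE_AUDIT_ENABLED": "0"}

if __name__ == "__main__":
    import os
    for finding in weakened(FILE_CFG, SAMPLE_ENV):
        print("WARN", finding)
    print(weakened(FILE_CFG, os.environ) or "no weakened settings in this shell")
```

To check a real project, pass the dictionary produced by a YAML parser for .pretense.yaml in place of FILE_CFG.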

.pretenseignore

A gitignore-style file that tells Pretense which files and directories to skip during scans.

.pretenseignore
# .pretenseignore — files and directories to skip
# Follows .gitignore syntax

# Test files
*.test.ts
*.spec.ts
__tests__/

# Build output
dist/
build/
.next/

# Dependencies
node_modules/

# Documentation
*.md
docs/

  • Uses .gitignore syntax: # for comments, ! for negation, ** for recursive glob
  • Patterns are matched relative to the project root
  • Add patterns via CLI: pretense ignore "*.test.ts"
  • Commit .pretenseignore to version control so the team shares the same exclusions

~/.pretense/credentials.json

Stores authentication credentials for Pretense Cloud. Created by pretense auth login. Never commit this file.

~/.pretense/credentials.json
{
  "version": 1,
  "accounts": {
    "default": {
      "apiKey": "ptns_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "teamId": "team_abc123",
      "email": "you@company.com",
      "plan": "pro",
      "expiresAt": "2027-04-08T00:00:00.000Z"
    }
  },
  "activeAccount": "default"
}

This file contains sensitive credentials. It is stored in your home directory, not in your project. Never commit ~/.pretense/credentials.json to version control.

Per-repository configuration

Each repository gets its own .pretense.yaml and .pretenseignore. Commit both files to version control so your whole team shares the same settings.

your-project/
  .pretense.yaml       # commit this
  .pretenseignore      # commit this
  .pretense/
    mutations.json     # gitignore this
    audit.db           # gitignore this