# Secret-detection regex patterns for `security-audit`.
# Usage (ripgrep): rg -nP -f templates/secret-patterns.txt .
# Lines starting with '#' are comments and are ignored by the audit tool.
# Note: rg -f itself has no comment syntax -- when this file is passed straight
# to rg as in the usage line above, every line is a pattern, including '#' lines
# and blank lines (an empty pattern matches everything), so strip them first.
# Patterns are PCRE2 (ripgrep -P). Always redact matched values in reports.

# --- Generic assignments (api key / secret / password / token) ---
(?i)(api[_-]?key|secret|passwd|password|token|access[_-]?key|private[_-]?key)\s*[=:]\s*['"][^'"]{8,}['"]

# --- AWS (long-term access key IDs; temporary STS keys use the ASIA prefix and are not matched) ---
AKIA[0-9A-Z]{16}
(?i)aws_secret_access_key\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?

# --- GitHub tokens (PAT, OAuth, app, refresh; classic prefixes only -- fine-grained github_pat_ tokens are not matched) ---
(ghp_|gho_|ghu_|ghs_|ghr_)[A-Za-z0-9]{36,}

# --- OpenAI / Anthropic / generic provider keys ---
# The bare sk- pattern is broad (expect false positives); its body class excludes '-',
# so keys with a hyphenated body (e.g. sk-proj-...) are only caught if listed separately.
sk-[A-Za-z0-9]{20,}
sk-ant-[A-Za-z0-9_-]{20,}

# --- Google API key ---
AIza[0-9A-Za-z_-]{35}

# --- Slack ---
xox[baprs]-[0-9A-Za-z-]{10,}

# --- Stripe (secret sk_ and restricted rk_ keys; publishable pk_ keys are not matched) ---
(sk|rk)_(live|test)_[0-9A-Za-z]{24,}

# --- Twilio ---
SK[0-9a-fA-F]{32}

# --- JWT (header.payload.signature) ---
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}

# --- Private keys (PEM blocks) ---
# Not matched: PGP armor ("-----BEGIN PGP PRIVATE KEY BLOCK-----", the "PGP " branch
# requires "PRIVATE KEY-----" to follow directly) and PKCS#8 "ENCRYPTED PRIVATE KEY" headers.
-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----

# --- Database connection strings with embedded credentials ---
(?i)(postgres|postgresql|mysql|mongodb(\+srv)?|redis|amqp)://[^:@/\s]+:[^@/\s]+@

# --- Long hex blobs assigned to secret-like names (hex only; base64 is not covered; manual review; expect false positives) ---
(?i)(secret|key|token)\s*[=:]\s*['"][A-Fa-f0-9]{32,}['"]
