circle-ir-ai 2.12.2 → 2.12.4

package/CHANGELOG.md

@@ -5,6 +5,70 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.12.4] - 2026-06-19
+
+### Dependencies
+
+- Bump `circle-ir` `3.74.0` → `3.75.0`.
+
+Routine upstream sync — picks up the latest static-analysis layer
+(extra inter-procedural taint coverage, additional sink rules). No
+circle-ir-ai source changes; full test suite (797 pass + 3 skipped)
++ typecheck + build clean on 3.75.0.
+
+## [2.12.3] - 2026-06-19
+
+### Added — structural validators for OpenAI / GCP / npm history patterns (REFACTOR-014)
+
+REVIEW-004's 2026-06-18 audit found 1/15 history-scan patterns shipped
+a structural validator (`jwt-token`). The 3 patterns with the highest
+measured FP-risk (`openai-api-key`, `gcp-api-key`, `npm-token`) relied
+on the regex alone. REFACTOR-003's fixture-path LLM gate caught test
+paths, but production-path hits went direct.
+
+This release adds three validators in
+`src/secret-scan/validators.ts` (the module created in REFACTOR-015
+specifically as the landing zone for this work):
+
+```ts
+validateOpenAIKey  — length 51, sk- prefix, NOT sk-ant- prefix
+validateGcpApiKey  — length 39, AIza prefix
+validateNpmToken   — length 40, npm_ prefix, no doubled-underscore
+```
+
+Wired into the corresponding `HISTORY_SCAN_PATTERNS` entries in
+`src/secret-scan/history-patterns.ts`:
+
+| Pattern id | Was | Now |
+|------------|-----|-----|
+| `openai-api-key` | regex only | regex + `validateOpenAIKey` |
+| `gcp-api-key` | regex only | regex + `validateGcpApiKey` |
+| `npm-token` | regex only | regex + `validateNpmToken` |
+
+**No production-path behavior change today.** The existing regexes
+already enforce the lengths, prefixes, and charset constraints — the
+validators codify the intent so future regex edits can't silently
+widen the match set. They also cheaply defend against the
+specifically-called-out hypothetical collisions (Anthropic
+`sk-ant-` short form for openai; doubled-`__` variable names for
+npm).
+
+**Excluded patterns** (REVIEW-004 ranked their collision risk low,
+and validators add per-finding cost): `aws-access-key-id`,
+`github-pat`, `github-oauth`, `github-app-token`,
+`github-user-token`, `github-refresh-token`, `stripe-secret-key`,
+`stripe-publishable-key`, `anthropic-api-key`, `slack-token`,
+`pem-private-key`.
+
+Tests: new `historyPatternValidators (REFACTOR-014)` describe block
+in `tests/secret-scan-llm-gate.test.ts` with 9 cases (3 patterns × 3
+assertions each: positive + collision + length boundary). 52 files /
+**797 pass** + 3 skipped (was 788). typecheck clean.
+
+Pre-existing files in `.specifica/hardcoded-secrets/`: this closes
+REFACTOR-014 (priority: medium) — see `tasks.md` for the audit-trail
+entry.
+
 ## [2.12.2] - 2026-06-19
 
 ### Refactored — extract `validateJwtStructure` to shared utility (REFACTOR-015)

package/dist/secret-scan/history-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EA8HjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}
+{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAQnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EAiIjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}

package/dist/secret-scan/history-patterns.js

@@ -8,7 +8,7 @@
  * This file intentionally duplicates a minimal subset of patterns to support
  * git history scanning. The authoritative patterns live in circle-ir.
  */
-import { validateJwtStructure } from './validators.js';
+import { validateGcpApiKey, validateJwtStructure, validateNpmToken, validateOpenAIKey, } from './validators.js';
 /**
  * Minimal high-confidence patterns for git history scanning.
  * These mirror circle-ir's ScanSecretsPass provider patterns.
@@ -80,6 +80,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bsk-[A-Za-z0-9]{48}\b/g,
         severity: 'critical',
         category: 'openai',
+        validator: validateOpenAIKey,
     },
     // Anthropic
     {
@@ -104,6 +105,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
         severity: 'critical',
         category: 'gcp',
+        validator: validateGcpApiKey,
     },
     // JWT
     {
@@ -129,6 +131,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
         severity: 'critical',
         category: 'npm',
+        validator: validateNpmToken,
     },
 ];
 /**

package/dist/secret-scan/history-patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAYvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAYzB;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,iBAAiB;KAC7B;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,iBAAiB;KAC7B;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,gBAAgB;KAC5B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/secret-scan/validators.d.ts

@@ -25,4 +25,45 @@
  * base64 strings.
  */
 export declare function validateJwtStructure(match: string): boolean;
+/**
+ * Validate an OpenAI API key shape (REFACTOR-014).
+ *
+ * OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
+ * `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
+ * length and charset, but the validator adds three explicit guards:
+ *
+ *   1. Exact length 51 (defense against future regex relaxation).
+ *   2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
+ *      `sk_test_` that might slip past a future pattern split).
+ *   3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
+ *      much longer and have hyphens in the tail; if Anthropic ever
+ *      issued a 51-char short form it would not be an OpenAI key).
+ *
+ * Cheap (4 string ops). Filters vendored-docs example collisions
+ * such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
+ * which match the regex but are obviously placeholders.
+ */
+export declare function validateOpenAIKey(match: string): boolean;
+/**
+ * Validate a Google Cloud API key shape (REFACTOR-014).
+ *
+ * GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
+ * The `history-patterns.ts` regex bound `{35}` already enforces this.
+ * The validator codifies the constant so a future pattern edit
+ * (e.g. broadening to `{30,40}` by mistake) is caught by tests
+ * before shipping, and documents the canonical Google-published
+ * shape.
+ */
+export declare function validateGcpApiKey(match: string): boolean;
+/**
+ * Validate an npm access token shape (REFACTOR-014).
+ *
+ * Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
+ * `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
+ * enforces the tail charset (no `_` in tail). The validator adds an
+ * explicit doubled-underscore guard so a future pattern edit that
+ * relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
+ * matching variable names like `npm__internal_cache_key_42_chars_xx`.
+ */
+export declare function validateNpmToken(match: string): boolean;
 //# sourceMappingURL=validators.d.ts.map

package/dist/secret-scan/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAKxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAIxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQvD"}

package/dist/secret-scan/validators.js

@@ -36,4 +36,70 @@ export function validateJwtStructure(match) {
         return false;
     }
 }
+/**
+ * Validate an OpenAI API key shape (REFACTOR-014).
+ *
+ * OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
+ * `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
+ * length and charset, but the validator adds three explicit guards:
+ *
+ *   1. Exact length 51 (defense against future regex relaxation).
+ *   2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
+ *      `sk_test_` that might slip past a future pattern split).
+ *   3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
+ *      much longer and have hyphens in the tail; if Anthropic ever
+ *      issued a 51-char short form it would not be an OpenAI key).
+ *
+ * Cheap (4 string ops). Filters vendored-docs example collisions
+ * such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
+ * which match the regex but are obviously placeholders.
+ */
+export function validateOpenAIKey(match) {
+    if (match.length !== 51)
+        return false;
+    if (!match.startsWith('sk-'))
+        return false;
+    if (match.startsWith('sk-ant-'))
+        return false;
+    return true;
+}
+/**
+ * Validate a Google Cloud API key shape (REFACTOR-014).
+ *
+ * GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
+ * The `history-patterns.ts` regex bound `{35}` already enforces this.
+ * The validator codifies the constant so a future pattern edit
+ * (e.g. broadening to `{30,40}` by mistake) is caught by tests
+ * before shipping, and documents the canonical Google-published
+ * shape.
+ */
+export function validateGcpApiKey(match) {
+    if (match.length !== 39)
+        return false;
+    if (!match.startsWith('AIza'))
+        return false;
+    return true;
+}
+/**
+ * Validate an npm access token shape (REFACTOR-014).
+ *
+ * Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
+ * `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
+ * enforces the tail charset (no `_` in tail). The validator adds an
+ * explicit doubled-underscore guard so a future pattern edit that
+ * relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
+ * matching variable names like `npm__internal_cache_key_42_chars_xx`.
+ */
+export function validateNpmToken(match) {
+    if (match.length !== 40)
+        return false;
+    if (!match.startsWith('npm_'))
+        return false;
+    // Reject doubled-underscore anywhere in the matched string. Real
+    // tokens have exactly one underscore (the `npm_` separator); a
+    // doubled `__` strongly suggests a variable name or constant.
+    if (match.includes('__'))
+        return false;
+    return true;
+}
 //# sourceMappingURL=validators.js.map

package/dist/secret-scan/validators.js.map

@@ -1 +1 @@
-{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,iEAAiE;IACjE,+DAA+D;IAC/D,8DAA8D;IAC9D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.12.2",
+  "version": "2.12.4",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -60,6 +60,7 @@
     "benchmark:dvna": "tsx benchmarks/runners/run-dvna.ts --verbose",
     "benchmark:top100": "tsx benchmarks/runners/run-top100-secure.ts",
     "benchmark:top100:setup": "tsx benchmarks/runners/run-top100-secure.ts --setup",
+    "benchmark:secrets": "tsx benchmarks/runners/run-secrets.ts",
     "setup:skills-benchmark": "tsx benchmarks/skills/setup-skills-benchmark.ts",
     "benchmark:skills": "tsx benchmarks/skills/run-skills-benchmark.ts",
     "benchmark:instruction-safety": "tsx benchmarks/instruction-safety/run-benchmark.ts"
@@ -94,7 +95,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "3.74.0",
+    "circle-ir": "3.75.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },