switchroom 0.5.0

package/telegram-plugin/secret-detect/audit.ts

@@ -0,0 +1,66 @@
+/**
+ * Structured audit log for secret-detection events.
+ *
+ * Rationale: the telegram plugin already intercepts `process.stderr.write`
+ * and tees every write to `~/.switchroom/logs/telegram-plugin.log` (see
+ * plugin-logger.ts). We piggyback on that — `emitAudit` serializes the
+ * event as a single JSON line prefixed with `[secret-detect-audit]` and
+ * sends it through stderr. The logger rotation + ops tooling all work for
+ * free.
+ *
+ * CRITICAL: the raw secret value is NEVER placed in the log. Only the slug
+ * and rule id. See the `no-raw-secret-in-log` test.
+ */
+
+export type AuditAction = 'stored' | 'suppressed' | 'ambiguous' | 'failed' | 'rewritten'
+
+export interface AuditEvent {
+  event: 'secret-detected'
+  chat_id: string
+  message_id: number | null
+  rule_id: string
+  slug: string
+  action: AuditAction
+  delete_ok: boolean
+  ts: number
+  /** Optional free-form reason (never contains the raw secret). */
+  detail?: string
+}
+
+export type AuditSink = (line: string) => void
+
+let sink: AuditSink = (line) => {
+  try {
+    process.stderr.write(line + '\n')
+  } catch {
+    // best-effort — never let audit logging break the host path
+  }
+}
+
+/**
+ * Override the sink (tests only). Pass `null` to restore the default.
+ */
+export function setAuditSink(next: AuditSink | null): void {
+  sink = next ?? ((line) => {
+    try {
+      process.stderr.write(line + '\n')
+    } catch {
+      /* ignore */
+    }
+  })
+}
+
+export function emitAudit(ev: Omit<AuditEvent, 'event' | 'ts'> & { ts?: number }): void {
+  const full: AuditEvent = {
+    event: 'secret-detected',
+    ts: ev.ts ?? Math.floor(Date.now() / 1000),
+    chat_id: ev.chat_id,
+    message_id: ev.message_id,
+    rule_id: ev.rule_id,
+    slug: ev.slug,
+    action: ev.action,
+    delete_ok: ev.delete_ok,
+    ...(ev.detail ? { detail: ev.detail } : {}),
+  }
+  sink(`[secret-detect-audit] ${JSON.stringify(full)}`)
+}

package/telegram-plugin/secret-detect/chunker.ts

@@ -0,0 +1,37 @@
+/**
+ * Sliding-window chunker for ReDoS-bounded detection.
+ *
+ * Inputs larger than 32 KB are split into 16 KB windows with 1 KB overlap.
+ * Each window is scanned independently; the caller is responsible for
+ * dedupe-by-byte-offset when merging per-window hits back together.
+ *
+ * The overlap exists so a secret that straddles a window boundary is still
+ * matched by at least one scan (provided the secret is ≤ 1 KB, which covers
+ * every known token format plus typical PEM private keys).
+ */
+
+export interface Window {
+  /** Start offset in the original string. */
+  offset: number
+  /** The window text. */
+  text: string
+}
+
+export const CHUNK_THRESHOLD = 32 * 1024
+export const WINDOW_SIZE = 16 * 1024
+export const OVERLAP = 1024
+
+export function chunk(text: string): Window[] {
+  if (text.length <= CHUNK_THRESHOLD) {
+    return [{ offset: 0, text }]
+  }
+  const out: Window[] = []
+  let offset = 0
+  while (offset < text.length) {
+    const end = Math.min(offset + WINDOW_SIZE, text.length)
+    out.push({ offset, text: text.slice(offset, end) })
+    if (end >= text.length) break
+    offset = end - OVERLAP
+  }
+  return out
+}

package/telegram-plugin/secret-detect/entropy.ts

@@ -0,0 +1,20 @@
+/**
+ * Shannon entropy — bits per character of a string.
+ *
+ * Used as the gate for KEY=value scanning (see kv-scanner.ts). Pure,
+ * deterministic, O(n). Returns 0 for empty input.
+ */
+export function shannonEntropy(s: string): number {
+  if (s.length === 0) return 0
+  const counts = new Map<string, number>()
+  for (const ch of s) {
+    counts.set(ch, (counts.get(ch) ?? 0) + 1)
+  }
+  let h = 0
+  const len = s.length
+  for (const c of counts.values()) {
+    const p = c / len
+    h -= p * Math.log2(p)
+  }
+  return h
+}

package/telegram-plugin/secret-detect/gitleaks-loader.ts

@@ -0,0 +1,74 @@
+/**
+ * Minimal loader for the vendored gitleaks.toml.
+ *
+ * We intentionally avoid adding a full TOML parser dep. The vendored file
+ * (gitleaks.toml) is a small handpicked subset, so a naive section-based
+ * parser is enough — it handles `[[rules]]`, `id = "..."`, `regex = '''...'''`
+ * (triple-single-quoted literals).
+ *
+ * When v2 lands the full upstream gitleaks.toml, swap this out for a real
+ * parser like `@iarna/toml`.
+ */
+import { readFileSync, existsSync } from 'node:fs'
+import { join, dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import type { PatternDef } from './patterns.js'
+
+export interface GitleaksRule {
+  id: string
+  description?: string
+  regex: string
+}
+
+function defaultPath(): string {
+  const here = dirname(fileURLToPath(import.meta.url))
+  return join(here, 'gitleaks.toml')
+}
+
+export function parseGitleaksToml(content: string): GitleaksRule[] {
+  const rules: GitleaksRule[] = []
+  // Split on [[rules]] headers.
+  const sections = content.split(/^\s*\[\[\s*rules\s*\]\]\s*$/m).slice(1)
+  for (const section of sections) {
+    const rule: Partial<GitleaksRule> = {}
+    const idMatch = /^\s*id\s*=\s*"([^"]+)"\s*$/m.exec(section)
+    if (idMatch) rule.id = idMatch[1]
+    const descMatch = /^\s*description\s*=\s*"([^"]*)"\s*$/m.exec(section)
+    if (descMatch) rule.description = descMatch[1]
+    // Regex may be wrapped in ''' or " — prefer ''' which preserves regex
+    // escapes without TOML string escaping.
+    const reTriple = /^\s*regex\s*=\s*'''([\s\S]*?)'''\s*$/m.exec(section)
+    const reDouble = /^\s*regex\s*=\s*"((?:[^"\\]|\\.)*)"\s*$/m.exec(section)
+    const raw = reTriple?.[1] ?? reDouble?.[1]
+    if (rule.id && raw) {
+      rule.regex = raw
+      rules.push(rule as GitleaksRule)
+    }
+  }
+  return rules
+}
+
+export function loadGitleaksPatterns(path: string = defaultPath()): PatternDef[] {
+  if (!existsSync(path)) return []
+  let content: string
+  try {
+    content = readFileSync(path, 'utf8')
+  } catch {
+    return []
+  }
+  const rules = parseGitleaksToml(content)
+  const out: PatternDef[] = []
+  for (const r of rules) {
+    try {
+      const re = new RegExp(r.regex, 'g')
+      out.push({
+        rule_id: `gitleaks_${r.id.replace(/-/g, '_')}`,
+        regex: re,
+        captureIndex: 0,
+      })
+    } catch {
+      // Skip invalid regexes silently; the loader is best-effort.
+    }
+  }
+  return out
+}

package/telegram-plugin/secret-detect/gitleaks.toml

@@ -0,0 +1,27 @@
+# Minimal vendored gitleaks-style rule file.
+#
+# Full upstream gitleaks.toml (https://github.com/gitleaks/gitleaks) is the
+# long-term plan for v2. For v1 we ship a thin placeholder so the loader can
+# be exercised and we have a declared file path to extend.
+#
+# Each rule is a [rules.<id>] section with `regex` and optional `tags`.
+# The loader in gitleaks-loader.ts parses this file at boot and compiles
+# each regex into a PatternDef. TOML parsing is intentionally naive to
+# avoid a new dep — see gitleaks-loader.ts for the minimal parser.
+
+title = "switchroom vendored gitleaks (subset)"
+
+[[rules]]
+id = "slack-webhook"
+description = "Slack incoming webhook URL"
+regex = '''https://hooks\.slack\.com/services/[A-Za-z0-9_/]+'''
+
+[[rules]]
+id = "stripe-live-key"
+description = "Stripe live secret key"
+regex = '''\b(sk_live_[A-Za-z0-9]{24,})\b'''
+
+[[rules]]
+id = "sendgrid-api-key"
+description = "SendGrid API key"
+regex = '''\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b'''

package/telegram-plugin/secret-detect/index.ts

@@ -0,0 +1,218 @@
+/**
+ * Secret detection entrypoint for the Telegram plugin.
+ *
+ * `detectSecrets(text)` returns a normalized list of detections — each with
+ * a rule id, the matched bytes, byte-offsets in the original text, a
+ * confidence tier, a suppression flag, and a suggested vault slug.
+ *
+ * Detection stack (order = precedence on ties):
+ *   1. Anchored provider prefixes (sk-ant-, ghp_, AIza..., etc.)
+ *   2. Structured patterns (KEY=value, JSON fields, Authorization Bearer,
+ *      PEM blocks, CLI flags)
+ *   3. KEY=VALUE heuristic with Shannon-entropy gate (≥ 4.0)
+ *
+ * Big inputs (>32 KB) are chunked into 16 KB windows with 1 KB overlap
+ * (chunker.ts) for ReDoS bounding; we dedupe by byte-offset after.
+ *
+ * Nearby test/mock/example/fixture/dummy markers (within 40 chars) demote
+ * a hit to `suppressed: true`. The caller decides what that means (our
+ * convention: suppressed high-confidence → ambiguous, user is asked).
+ *
+ * Secretlint is integrated as an async supplementary source via
+ * `detectSecretsAsync`. The sync `detectSecrets` keeps the fast vendored-
+ * pattern path for callers on the hot path (Telegram message ingest).
+ * Gitleaks TOML is loaded via `gitleaks-loader.ts`.
+ */
+import { ALL_PATTERNS } from './patterns.js'
+import { scanKeyValue, type RawHit } from './kv-scanner.js'
+import { chunk } from './chunker.js'
+import { isSuppressed } from './suppressor.js'
+import { deriveSlug } from './slug.js'
+
+export interface Detection {
+  rule_id: string
+  matched_text: string
+  /** Byte offset into the original input text. */
+  start: number
+  /** Byte offset (exclusive) into the original input text. */
+  end: number
+  confidence: 'high' | 'ambiguous'
+  suppressed: boolean
+  /**
+   * Deterministic suggested vault key. Computed without reading the real
+   * vault; the caller may re-derive with `deriveSlug` when writing, passing
+   * the current vault key set to avoid collisions.
+   */
+  suggested_slug: string
+  /**
+   * Free-form key name the detector thinks described this secret, e.g.
+   * `ANTHROPIC_API_KEY` when the pattern was `env_key_value`. Used by
+   * `deriveSlug` as the preferred slug source.
+   */
+  key_name?: string
+}
+
+export function detectSecrets(text: string): Detection[] {
+  if (!text || text.length === 0) return []
+
+  // Chunk for ReDoS bounding; small inputs return a single window.
+  const windows = chunk(text)
+
+  // Collect raw hits with global offsets.
+  const raw: RawHit[] = []
+
+  for (const win of windows) {
+    for (const p of ALL_PATTERNS) {
+      // Make sure we're running a stateless global scan per window.
+      const re = new RegExp(p.regex.source, p.regex.flags.includes('g') ? p.regex.flags : p.regex.flags + 'g')
+      let m: RegExpExecArray | null
+      while ((m = re.exec(win.text)) !== null) {
+        if (m[0].length === 0) {
+          re.lastIndex++
+          continue
+        }
+        const cap = p.captureIndex === 0 ? m[0] : m[p.captureIndex]
+        if (!cap) continue
+        const matchStart = p.captureIndex === 0 ? m.index : m.index + m[0].indexOf(cap)
+        if (matchStart < 0) continue
+        const globalStart = win.offset + matchStart
+        const globalEnd = globalStart + cap.length
+        // For env_key_value (captureIndex=3), the LHS is group 1.
+        const keyName = p.rule_id === 'env_key_value' ? m[1] : undefined
+        raw.push({
+          rule_id: p.rule_id,
+          start: globalStart,
+          end: globalEnd,
+          matched_text: cap,
+          key_name: keyName,
+          confidence: 'high',
+        })
+      }
+    }
+    // KV heuristic scanner runs per window too.
+    const kvHits = scanKeyValue(win.text)
+    for (const h of kvHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset })
+    }
+  }
+
+  // Dedupe by range + rule. If two rules hit the same range, prefer the
+  // earlier one in `ALL_PATTERNS` (higher precedence).
+  const deduped = dedupeRaw(raw)
+
+  // Resolve overlaps — drop any hit fully contained inside a higher-precedence
+  // hit on the same range.
+  const final = dropOverlaps(deduped)
+
+  // Upgrade to Detection shape + compute slug + check suppressor.
+  const existing = new Set<string>()
+  const out: Detection[] = []
+  for (const h of final) {
+    const suggested_slug = deriveSlug(
+      { key_name: h.key_name, rule_id: h.rule_id },
+      existing,
+    )
+    existing.add(suggested_slug)
+    out.push({
+      rule_id: h.rule_id,
+      matched_text: h.matched_text,
+      start: h.start,
+      end: h.end,
+      confidence: h.confidence,
+      suppressed: isSuppressed(text, h.start, h.end),
+      suggested_slug,
+      key_name: h.key_name,
+    })
+  }
+  // Stable sort by start offset so callers can rewrite left-to-right.
+  out.sort((a, b) => a.start - b.start)
+  return out
+}
+
+function dedupeRaw(raw: RawHit[]): RawHit[] {
+  const seen = new Map<string, RawHit>()
+  for (const h of raw) {
+    const key = `${h.start}:${h.end}`
+    const existing = seen.get(key)
+    if (!existing) {
+      seen.set(key, h)
+      continue
+    }
+    // Prefer high over ambiguous.
+    if (existing.confidence === 'ambiguous' && h.confidence === 'high') {
+      seen.set(key, h)
+    }
+  }
+  return Array.from(seen.values())
+}
+
+/**
+ * Drop hits fully contained inside another hit. Keeps the outer (typically
+ * broader / higher-signal) hit — e.g. a JWT match wholly inside an
+ * Authorization Bearer match keeps the Bearer.
+ */
+function dropOverlaps(hits: RawHit[]): RawHit[] {
+  const sorted = [...hits].sort((a, b) => (a.end - a.start) - (b.end - b.start))
+  const out: RawHit[] = []
+  for (const h of sorted) {
+    const contained = out.some(
+      (existing) =>
+        existing !== h &&
+        existing.start <= h.start &&
+        existing.end >= h.end &&
+        !(existing.start === h.start && existing.end === h.end),
+    )
+    if (!contained) out.push(h)
+  }
+  // Re-sort by start offset for deterministic downstream handling.
+  out.sort((a, b) => a.start - b.start || a.end - b.end)
+  return out
+}
+
+export { maskToken } from './mask.js'
+export { redactUrls } from './url-redact.js'
+export { deriveSlug } from './slug.js'
+export { detectViaSecretlint } from './secretlint-source.js'
+
+/**
+ * Async detection pipeline — runs `detectSecrets` (fast vendored engine)
+ * and Secretlint in parallel, then merges the results by deduping on
+ * `[start, end)` byte ranges. If Secretlint and a vendored pattern both
+ * match the same span, the first one wins (vendored, since it's listed
+ * first in the merge array below).
+ *
+ * Slug collisions are re-resolved on the merged list so the overall
+ * output has unique `suggested_slug` values.
+ */
+export async function detectSecretsAsync(text: string): Promise<Detection[]> {
+  if (!text || text.length === 0) return []
+  const [vendored, viaSecretlint] = await Promise.all([
+    Promise.resolve(detectSecrets(text)),
+    // Lazy-import keeps the sync `detectSecrets` path free of Secretlint
+    // initialization cost; paid once on first async call.
+    import('./secretlint-source.js').then((m) => m.detectViaSecretlint(text)),
+  ])
+
+  // Merge with range-based dedupe. Vendored first wins on exact ties.
+  const seen = new Map<string, Detection>()
+  for (const d of vendored) {
+    const key = `${d.start}:${d.end}`
+    if (!seen.has(key)) seen.set(key, d)
+  }
+  for (const d of viaSecretlint) {
+    const key = `${d.start}:${d.end}`
+    if (!seen.has(key)) seen.set(key, d)
+  }
+
+  // Re-derive slugs against the merged set (Secretlint and vendored each
+  // had independent `existing` sets; we coalesce here).
+  const existing = new Set<string>()
+  const out: Detection[] = Array.from(seen.values())
+    .sort((a, b) => a.start - b.start)
+    .map((d) => {
+      const slug = deriveSlug({ key_name: d.key_name, rule_id: d.rule_id }, existing)
+      existing.add(slug)
+      return { ...d, suggested_slug: slug }
+    })
+  return out
+}

package/telegram-plugin/secret-detect/kv-scanner.ts

@@ -0,0 +1,60 @@
+/**
+ * Heuristic KEY=VALUE scanner. Fallback when the structured patterns miss —
+ * e.g. lowercase env var names like `my_password=...` that the all-caps
+ * `env_key_value` pattern skips.
+ *
+ * Flow:
+ *   1. Regex-scan for `(password|token|secret|key|api_key)\s*[:=]\s*...`
+ *   2. Extract the RHS value
+ *   3. Gate on Shannon entropy ≥ 4.0 to cut obvious placeholders like
+ *      `password=foo` or `key=changeme`.
+ *
+ * Returns `RawHit` entries pointing at the VALUE bytes (not the whole
+ * `key=value` match), so the rewriter can preserve the `key=` prefix.
+ */
+import { shannonEntropy } from './entropy.js'
+
+export interface RawHit {
+  rule_id: string
+  start: number
+  end: number
+  matched_text: string
+  /** The identifier on the left of `=` or `:`, if any. Used for slug derivation. */
+  key_name?: string
+  /** Confidence tier — high = anchored pattern, ambiguous = entropy-only. */
+  confidence: 'high' | 'ambiguous'
+}
+
+// Lower-case / mixed-case KEY=VALUE. Uppercase-only is handled by the
+// structured `env_key_value` pattern for higher confidence.
+const KV_RE = /\b([A-Za-z_][A-Za-z0-9_-]*(?:password|passwd|token|secret|key|api[_-]?key))\s*[:=]\s*["']?([^\s"'\\]{8,})["']?/gi
+
+export const KV_ENTROPY_THRESHOLD = 4.0
+
+export function scanKeyValue(text: string): RawHit[] {
+  const hits: RawHit[] = []
+  KV_RE.lastIndex = 0
+  let m: RegExpExecArray | null
+  while ((m = KV_RE.exec(text)) !== null) {
+    const [, keyName, value] = m
+    if (!value) continue
+    // Shannon entropy gate — only flag values that actually look random.
+    const h = shannonEntropy(value)
+    if (h < KV_ENTROPY_THRESHOLD) continue
+    // The value starts at match.index + the length of everything before
+    // it in the match. Compute by finding the value inside the match.
+    const valueOffsetInMatch = m[0].indexOf(value, keyName!.length)
+    if (valueOffsetInMatch < 0) continue
+    const start = m.index + valueOffsetInMatch
+    const end = start + value.length
+    hits.push({
+      rule_id: 'kv_entropy',
+      start,
+      end,
+      matched_text: value,
+      key_name: keyName,
+      confidence: 'ambiguous',
+    })
+  }
+  return hits
+}

package/telegram-plugin/secret-detect/mask.ts

@@ -0,0 +1,13 @@
+/**
+ * Partial-reveal mask for a detected secret.
+ *
+ * Rule (locked spec): if length ≥ 18, show first 6 + "..." + last 4; else "***".
+ * Never reveals the middle bytes, never returns a substring an attacker could
+ * search for verbatim.
+ */
+export function maskToken(s: string): string {
+  if (s.length >= 18) {
+    return `${s.slice(0, 6)}...${s.slice(-4)}`
+  }
+  return '***'
+}

package/telegram-plugin/secret-detect/patterns.ts

@@ -0,0 +1,115 @@
+/**
+ * Pattern registry for secret detection — the openclaw-derived list plus
+ * a few anchored, high-confidence provider prefixes.
+ *
+ * Ordering matters: patterns near the top are preferred on ties (first match
+ * wins). Anchored provider prefixes are listed first so `sk-ant-...` wins
+ * over the generic "sk-..." match.
+ *
+ * Each entry has a rule_id, a regex, and a `captureIndex` pointing at the
+ * capture group that holds the raw secret bytes (so the detector can slice
+ * just the sensitive portion, not the whole match which may include
+ * "KEY=" or quote prefixes).
+ */
+export interface PatternDef {
+  rule_id: string
+  regex: RegExp
+  /**
+   * Which capture group is the secret value. 0 means "the whole match".
+   * For KEY=VALUE style, we point at the value group so the detection
+   * range covers only the secret bytes, letting the rewriter preserve
+   * the `KEY=` prefix.
+   */
+  captureIndex: number
+  /** If set, a hint used when deriving the vault slug. */
+  slugHint?: string
+}
+
+/**
+ * High-confidence anchored provider prefixes. Listed first so they win
+ * over the generic broad patterns.
+ */
+export const ANCHORED_PATTERNS: PatternDef[] = [
+  { rule_id: 'anthropic_api_key', regex: /\b(sk-ant-[A-Za-z0-9_-]{8,})\b/g, captureIndex: 1, slugHint: 'anthropic_api_key' },
+  // anthropic_api_key precedes; the patterns don't overlap (the `#` separator
+  // isn't in api-key shape) so ordering is moot for correctness.
+  // Anthropic OAuth browser code — emitted by the claude.com/cai authorize
+  // flow as two URL-safe base64 segments joined by `#`.
+  // Shape: <20+ url-safe-b64>#<20+ url-safe-b64>
+  // Anchored to whitespace boundaries (^/\s before, \s/$ after) to avoid
+  // false-positives on real URLs whose path segment + fragment anchor both
+  // exceed 20 chars (e.g. GitHub headings, npm readme anchors). The bare-code
+  // paste case ("code#state" alone on a line or after prose) is the only
+  // intended match target.
+  { rule_id: 'anthropic_oauth_code', regex: /(?:^|\s)([A-Za-z0-9_-]{20,}#[A-Za-z0-9_-]{20,})(?=\s|$)/gm, captureIndex: 1, slugHint: 'anthropic_oauth_code' },
+  { rule_id: 'openai_api_key', regex: /\b(sk-[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'openai_api_key' },
+  { rule_id: 'github_pat_classic', regex: /\b(ghp_[A-Za-z0-9]{20,})\b/g, captureIndex: 1, slugHint: 'github_pat' },
+  { rule_id: 'github_pat_fine_grained', regex: /\b(github_pat_[A-Za-z0-9_]{20,})\b/g, captureIndex: 1, slugHint: 'github_pat' },
+  { rule_id: 'slack_token', regex: /\b(xox[baprs]-[A-Za-z0-9-]{10,})\b/g, captureIndex: 1, slugHint: 'slack_token' },
+  { rule_id: 'slack_app_token', regex: /\b(xapp-[A-Za-z0-9-]{10,})\b/g, captureIndex: 1, slugHint: 'slack_app_token' },
+  { rule_id: 'groq_api_key', regex: /\b(gsk_[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'groq_api_key' },
+  { rule_id: 'google_api_key', regex: /\b(AIza[0-9A-Za-z\-_]{20,})\b/g, captureIndex: 1, slugHint: 'google_api_key' },
+  { rule_id: 'perplexity_api_key', regex: /\b(pplx-[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'perplexity_api_key' },
+  { rule_id: 'npm_token', regex: /\b(npm_[A-Za-z0-9]{10,})\b/g, captureIndex: 1, slugHint: 'npm_token' },
+  // Telegram bot tokens: with "bot" prefix or bare ID:token.
+  { rule_id: 'telegram_bot_token_prefixed', regex: /\bbot(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
+  { rule_id: 'telegram_bot_token', regex: /\b(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
+  { rule_id: 'aws_access_key', regex: /\b(AKIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: 'aws_access_key' },
+  { rule_id: 'jwt', regex: /\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'jwt' },
+]
+
+/**
+ * Openclaw default pattern list. Matches structured contexts where a value
+ * is "labelled" as a secret (KEY=value, JSON field, CLI flag, Bearer token,
+ * PEM block). Only the value group is captured.
+ */
+export const STRUCTURED_PATTERNS: PatternDef[] = [
+  // KEY=value (ALL-CAPS identifier ending in KEY/TOKEN/SECRET/PASSWORD/PASSWD).
+  // Value group index is 2 — group 1 is the optional quote char.
+  {
+    rule_id: 'env_key_value',
+    regex: /\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD))\b\s*[=:]\s*(["']?)([^\s"'\\]+)\2/g,
+    captureIndex: 3,
+    slugHint: 'env',
+  },
+  // JSON field: "apiKey": "value"
+  {
+    rule_id: 'json_secret_field',
+    regex: /"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"/g,
+    captureIndex: 1,
+    slugHint: 'json_secret',
+  },
+  // CLI flag: --api-key VALUE or --token='VALUE'
+  {
+    rule_id: 'cli_flag',
+    regex: /--(?:api[-_]?key|hook[-_]?token|token|secret|password|passwd)\s+(["']?)([^\s"']+)\1/g,
+    captureIndex: 2,
+    slugHint: 'cli_flag',
+  },
+  // Authorization: Bearer token (form 1 — explicit Authorization header)
+  {
+    rule_id: 'bearer_auth_header',
+    regex: /Authorization\s*[:=]\s*Bearer\s+([A-Za-z0-9._\-+=]+)/g,
+    captureIndex: 1,
+    slugHint: 'bearer_token',
+  },
+  // Bare "Bearer XYZ" (length-gated to cut false positives on the word "Bearer")
+  {
+    rule_id: 'bearer_loose',
+    regex: /\bBearer\s+([A-Za-z0-9._\-+=]{18,})\b/g,
+    captureIndex: 1,
+    slugHint: 'bearer_token',
+  },
+  // PEM private key block — single greedy capture, non-overlapping.
+  {
+    rule_id: 'pem_private_key',
+    regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----/g,
+    captureIndex: 0,
+    slugHint: 'pem_private_key',
+  },
+]
+
+/**
+ * Concatenated registry — anchored first, then structured.
+ */
+export const ALL_PATTERNS: PatternDef[] = [...ANCHORED_PATTERNS, ...STRUCTURED_PATTERNS]