credactor 2.0.0__py3-none-any.whl

credactor/__init__.py

@@ -0,0 +1,3 @@
+"""Credactor — credential redactor for source code."""
+
+__version__ = '2.0.0'

credactor/__main__.py

@@ -0,0 +1,6 @@
+"""Allow running as ``python -m credactor``."""
+
+from .cli import main
+
+if __name__ == '__main__':
+    main()

credactor/cli.py

@@ -0,0 +1,228 @@
+"""
+CLI entry point using argparse.
+
+Addresses: #6 (--staged), #7 (--format), #8 (--dry-run), #24 (argparse),
+           #33 (--fix-all), #34 (exit codes: 0=clean, 1=findings, 2=error)
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+import sys
+from pathlib import Path
+
+from .config import Config, apply_config_file, load_config_file
+from .redactor import fix_all, interactive_review
+from .report import json_report, print_gitignore_skipped, print_report, sarif_report
+from .scanner import scan_file
+from .suppressions import AllowList
+from .walker import scan_git_history, scan_staged_files, select_json_files, walk_and_scan
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog='credactor',
+        description='Scan source files for hardcoded credentials and optionally redact them.',
+        epilog='Exit codes: 0 = clean, 1 = unresolved findings, 2 = error',
+    )
+
+    parser.add_argument(
+        'target', nargs='?', default='.',
+        help='Directory or file to scan (default: current directory)',
+    )
+
+    # Mode flags
+    mode = parser.add_argument_group('mode')
+    mode.add_argument(
+        '--ci', action='store_true',
+        help='CI mode: report only (no prompts), exit 1 on findings',
+    )
+    mode.add_argument(
+        '--dry-run', action='store_true',
+        help='Show what would be found/replaced without modifying files',
+    )
+    mode.add_argument(
+        '--fix-all', action='store_true',
+        help='Replace all findings without prompting',
+    )
+    mode.add_argument(
+        '--staged', action='store_true',
+        help='Scan only git-staged files (for pre-commit hooks)',
+    )
+    mode.add_argument(
+        '--scan-history', action='store_true',
+        help='Scan git commit history for leaked credentials',
+    )
+
+    # Output flags
+    output = parser.add_argument_group('output')
+    output.add_argument(
+        '--format', '-f', choices=['text', 'json', 'sarif'], default='text',
+        dest='output_format',
+        help='Output format (default: text)',
+    )
+    output.add_argument(
+        '--no-color', action='store_true',
+        help='Disable ANSI color output',
+    )
+
+    # Replacement flags
+    replace = parser.add_argument_group('replacement')
+    replace.add_argument(
+        '--replace-with', choices=['sentinel', 'env', 'custom'], default='sentinel',
+        dest='replace_mode',
+        help='Replacement strategy: sentinel (default), env (language-aware env var ref), custom',
+    )
+    replace.add_argument(
+        '--replacement', type=str, default='REDACTED_BY_CREDACTOR',
+        help='Custom replacement string (used with --replace-with=sentinel or custom)',
+    )
+    replace.add_argument(
+        '--no-backup', action='store_true',
+        help='Skip creating .bak backup files before modifying',
+    )
+
+    # Configuration
+    config_group = parser.add_argument_group('configuration')
+    config_group.add_argument(
+        '--config', type=str, default=None,
+        help='Path to .credactor.toml config file',
+    )
+    config_group.add_argument(
+        '--scan-json', action='store_true',
+        help='Include .json files in the scan',
+    )
+
+    return parser
+
+
+def main(argv: list[str] | None = None) -> None:
+    parser = build_parser()
+    args = parser.parse_args(argv)
+
+    # Build Config
+    config = Config(
+        ci_mode=args.ci,
+        dry_run=args.dry_run,
+        fix_all=args.fix_all,
+        staged_only=args.staged,
+        scan_history=args.scan_history,
+        scan_json=args.scan_json,
+        no_backup=args.no_backup,
+        no_color=args.no_color,
+        replace_mode=args.replace_mode,
+        custom_replacement=args.replacement,
+        output_format=args.output_format,
+        target=args.target,
+        config_path=args.config,
+    )
+
+    # Load config file (#25)
+    target = config.target
+    if not os.path.exists(target):
+        print(f'Error: path not found: {target}', file=sys.stderr)
+        sys.exit(2)
+
+    # Guard against scanning system directories
+    _PROTECTED_DIRS = {'/', '/etc', '/usr', '/var', '/boot', '/sys', '/proc',
+                       '/bin', '/sbin', '/lib', '/opt', '/root',
+                       'C:\\', 'C:\\Windows', 'C:\\Program Files'}
+    resolved = str(Path(target).resolve())
+    if resolved in _PROTECTED_DIRS:
+        print(f'Error: refusing to scan system directory: {resolved}',
+              file=sys.stderr)
+        print('  Use a project directory instead.', file=sys.stderr)
+        sys.exit(2)
+
+    file_data = load_config_file(target, config.config_path)
+    if file_data:
+        apply_config_file(config, file_data)
+
+    # Suppressions (#3, #4)
+    allowlist = AllowList(target)
+
+    print(f'Scanning: {Path(target).resolve()}', file=sys.stderr)
+
+    # --- Dispatch based on mode ---
+    findings: list[dict] = []
+
+    if config.staged_only:
+        # #6 — staged files only
+        findings = scan_staged_files(target, config, allowlist)
+    elif config.scan_history:
+        # #11 — git history
+        findings = scan_git_history(target, config, allowlist)
+    else:
+        # Normal directory scan (#26 single walk)
+        dir_findings, gitignore_skipped, json_files = walk_and_scan(target, config, allowlist)
+        findings = dir_findings
+
+        # Report gitignored files
+        if config.output_format == 'text':
+            print_gitignore_skipped(gitignore_skipped, target, no_color=config.no_color)
+
+        # Optionally scan JSON files
+        if config.scan_json and json_files:
+            # Skip interactive selection when non-interactive
+            if (config.ci_mode or config.dry_run or config.fix_all
+                    or config.output_format != 'text'):
+                json_paths = json_files
+            else:
+                json_paths = select_json_files(json_files, target)
+
+            for path in json_paths:
+                findings.extend(scan_file(path, config=config, allowlist=allowlist))
+
+    # --- Output ---
+    if not findings:
+        if config.output_format == 'json':
+            print(json_report(findings, target))
+        elif config.output_format == 'sarif':
+            print(sarif_report(findings, target))
+        else:
+            print('\n[OK] No hardcoded credentials detected. Safe for commits.\n')
+        sys.exit(0)
+
+    # We have findings — report them
+    if config.output_format == 'json':
+        print(json_report(findings, target))
+    elif config.output_format == 'sarif':
+        print(sarif_report(findings, target))
+    else:
+        print_report(findings, target, no_color=config.no_color)
+
+    # #34 — exit code semantics (consistent across all formats)
+    if config.ci_mode or config.dry_run:
+        sys.exit(1)
+
+    if config.fix_all:
+        # Confirmation before destructive batch operation
+        by_file: dict[str, list] = {}
+        for f in findings:
+            by_file.setdefault(f['file'], []).append(f)
+        print(f'\n  --fix-all will modify {len(by_file)} file(s) '
+              f'with {len(findings)} replacement(s).')
+        if not config.no_backup:
+            print('  .bak backups will be created (contain original secrets).')
+        else:
+            print('  WARNING: --no-backup is set. No backups will be created.')
+        try:
+            answer = input('  Proceed? [y/N]: ').strip().lower()
+        except (KeyboardInterrupt, EOFError):
+            print('\n  Aborted.')
+            sys.exit(1)
+        if answer not in ('y', 'yes'):
+            print('  Aborted.')
+            sys.exit(1)
+
+        unresolved = fix_all(findings, target, config)
+        sys.exit(1 if unresolved > 0 else 0)
+
+    # Non-text formats in non-CI mode: report and exit 1
+    if config.output_format != 'text':
+        sys.exit(1)
+
+    # Interactive mode (default, text only)
+    unresolved = interactive_review(findings, target, config)
+    sys.exit(1 if unresolved > 0 else 0)

credactor/config.py

@@ -0,0 +1,136 @@
+"""
+Configuration loading from ``.credactor.toml`` files.
+
+Addresses: #25 (config file support)
+"""
+
+from __future__ import annotations
+
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+
+
+@dataclass
+class Config:
+    """Runtime configuration — populated from CLI flags and/or config file."""
+
+    # Thresholds
+    entropy_threshold: float = 3.5
+    min_value_length: int = 8
+
+    # Directories / files
+    skip_dirs: set[str] = field(default_factory=lambda: set())
+    skip_files: set[str] = field(default_factory=lambda: set())
+    extra_extensions: set[str] = field(default_factory=lambda: set())
+    extra_safe_values: set[str] = field(default_factory=lambda: set())
+
+    # Behaviour flags (populated by CLI)
+    ci_mode: bool = False
+    dry_run: bool = False
+    fix_all: bool = False
+    staged_only: bool = False
+    scan_history: bool = False
+    scan_json: bool = False
+    no_backup: bool = False
+    no_color: bool = False
+    replace_mode: str = 'sentinel'  # 'sentinel' | 'env' | 'custom'
+    custom_replacement: str = 'REDACTED_BY_CREDACTOR'
+    output_format: str = 'text'  # 'text' | 'json' | 'sarif'
+    target: str = '.'
+    config_path: Optional[str] = None
+
+
+def load_config_file(root: str, explicit_path: Optional[str] = None) -> dict:
+    """Load a .credactor.toml config file and return the raw dict.
+
+    Searches for .credactor.toml in root, then parent dirs up to /.
+    If explicit_path is given, only that path is tried.
+    """
+    if explicit_path:
+        candidates = [Path(explicit_path)]
+    else:
+        # HIGH-06: Limit traversal depth to prevent picking up config files
+        # from shared parent directories (e.g. /tmp/.credactor.toml).
+        # Walk up at most 5 levels — enough for monorepo nesting.
+        max_depth = 5
+        candidates = []
+        p = Path(root).resolve()
+        for _ in range(max_depth):
+            candidates.append(p / '.credactor.toml')
+            if p.parent == p:
+                break
+            p = p.parent
+
+    for candidate in candidates:
+        if candidate.is_file():
+            return _parse_toml(candidate)
+
+    return {}
+
+
+def _parse_toml(path: Path) -> dict:
+    """Parse a TOML file. Uses tomllib (3.11+) or tomli as fallback."""
+    if sys.version_info >= (3, 11):
+        import tomllib
+        with open(path, 'rb') as fh:
+            return tomllib.load(fh)
+    else:
+        try:
+            import tomli
+            with open(path, 'rb') as fh:
+                return tomli.load(fh)
+        except ImportError:
+            # Fall back to very basic key=value parsing for simple configs
+            return _basic_toml_parse(path)
+
+
+def _basic_toml_parse(path: Path) -> dict:
+    """Minimal TOML-like parser for key = value pairs (no nested tables)."""
+    result: dict = {}
+    try:
+        with open(path, encoding='utf-8') as fh:
+            for line in fh:
+                stripped = line.strip()
+                if not stripped or stripped.startswith('#') or stripped.startswith('['):
+                    continue
+                if '=' not in stripped:
+                    continue
+                key, _, val = stripped.partition('=')
+                key = key.strip()
+                val = val.strip().strip('"').strip("'")
+                # Try to parse as list
+                if val.startswith('[') and val.endswith(']'):
+                    items = val[1:-1].split(',')
+                    result[key] = [i.strip().strip('"').strip("'") for i in items if i.strip()]
+                elif val.lower() in ('true', 'false'):
+                    result[key] = val.lower() == 'true'
+                elif val.isdigit():
+                    result[key] = int(val)
+                else:
+                    try:
+                        result[key] = float(val)
+                    except ValueError:
+                        result[key] = val
+    except (OSError, PermissionError):
+        pass
+    return result
+
+
+def apply_config_file(config: Config, file_data: dict) -> None:
+    """Merge values from a parsed config file into the Config object."""
+    if 'entropy_threshold' in file_data:
+        config.entropy_threshold = float(file_data['entropy_threshold'])
+    if 'min_value_length' in file_data:
+        config.min_value_length = int(file_data['min_value_length'])
+    if 'skip_dirs' in file_data:
+        config.skip_dirs.update(file_data['skip_dirs'])
+    if 'skip_files' in file_data:
+        config.skip_files.update(file_data['skip_files'])
+    if 'extra_extensions' in file_data:
+        config.extra_extensions.update(file_data['extra_extensions'])
+    if 'extra_safe_values' in file_data:
+        config.extra_safe_values.update(v.lower() for v in file_data['extra_safe_values'])
+    if 'replacement' in file_data:
+        config.custom_replacement = str(file_data['replacement'])

credactor/gitignore.py

@@ -0,0 +1,73 @@
+"""
+.gitignore pattern loading and matching.
+
+Extracted from the original credential_redactor.py with no logic changes.
+"""
+
+import fnmatch
+import os
+from pathlib import Path
+
+from .patterns import SKIP_DIRS
+
+
+def load_gitignore_patterns(root: str) -> list[tuple[str, str]]:
+    """Walk *root* and collect ``(pattern, base_dir)`` from every ``.gitignore``."""
+    patterns: list[tuple[str, str]] = []
+    root_path = Path(root).resolve()
+
+    for dirpath, dirnames, filenames in os.walk(root_path):
+        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
+        if '.gitignore' in filenames:
+            gi_path = os.path.join(dirpath, '.gitignore')
+            try:
+                with open(gi_path, encoding='utf-8', errors='replace') as fh:
+                    for line in fh:
+                        stripped = line.strip()
+                        if not stripped or stripped.startswith('#') or stripped.startswith('!'):
+                            continue
+                        patterns.append((stripped, dirpath))
+            except (OSError, PermissionError):
+                pass
+
+    return patterns
+
+
+def matches_gitignore(filepath: str, patterns: list[tuple[str, str]]) -> bool:
+    """Return True if *filepath* is covered by any collected ``.gitignore`` pattern."""
+    file_path = Path(filepath).resolve()
+
+    for pattern, base_dir in patterns:
+        base_path = Path(base_dir).resolve()
+
+        try:
+            rel = file_path.relative_to(base_path)
+        except ValueError:
+            continue
+
+        rel_str = rel.as_posix()
+        rel_parts = rel.parts
+
+        # Pattern ending with '/' targets directories
+        if pattern.endswith('/'):
+            dir_pattern = pattern.rstrip('/')
+            if any(fnmatch.fnmatch(part, dir_pattern) for part in rel_parts[:-1]):
+                return True
+            continue
+
+        # Pattern with '/' is anchored to the .gitignore directory
+        if '/' in pattern.lstrip('/'):
+            clean = pattern.lstrip('/')
+            if clean.startswith('**/'):
+                sub = clean[3:]
+                if fnmatch.fnmatch(rel_str, sub) or fnmatch.fnmatch(rel.name, sub):
+                    return True
+            elif fnmatch.fnmatch(rel_str, clean):
+                return True
+        else:
+            if fnmatch.fnmatch(rel.name, pattern):
+                return True
+            if any(fnmatch.fnmatch(part, pattern) for part in rel_parts[:-1]):
+                return True
+
+    return False

credactor/patterns.py

@@ -0,0 +1,204 @@
+"""
+Regex patterns, constants, and safe-value lists for credential detection.
+
+Addresses: #17 (connection strings), #18 (PEM keys), #19 (provider prefixes),
+           #20 (Vault/SOPS dynamic lookups), #21 (XML attributes)
+"""
+
+import re
+
+# ---------------------------------------------------------------------------
+# File types to scan
+# ---------------------------------------------------------------------------
+SCAN_EXTENSIONS = {
+    '.py', '.js', '.ts', '.jsx', '.tsx', '.sh', '.bash',
+    '.env', '.cfg', '.ini', '.toml',
+    '.yaml', '.yml',
+    '.rb', '.go', '.java', '.php', '.cs', '.kt',
+    '.tf', '.hcl', '.conf', '.properties',
+    '.xml',
+}
+
+# Directories / files to skip entirely
+SKIP_DIRS = {'.git', '__pycache__', 'node_modules', '.venv', 'venv', '.tox',
+             '.mypy_cache', '.pytest_cache', 'dist', 'build', '.eggs'}
+SKIP_FILES = {'package-lock.json', 'yarn.lock', 'poetry.lock', 'pnpm-lock.yaml'}
+
+# ---------------------------------------------------------------------------
+# Placeholder / safe values – findings with these values are suppressed
+# ---------------------------------------------------------------------------
+SAFE_VALUES = {
+    '', 'xxxxx', 'your_key_here', 'your_api_key', 'replace_me',
+    'changeme', 'placeholder', 'none', 'null', 'true', 'false',
+    'todo', '<your_key>', '<api_key>', 'example', 'test', 'dummy',
+    'your_secret', 'your_token', 'your_password', 'enter_here',
+    'your_client_id', 'your_client_secret', 'your_tenant_id',
+    'xxxx', 'xxxxxx', 'xxxxxxx', 'xxxxxxxx',
+    'redacted_by_credactor',
+}
+
+# ---------------------------------------------------------------------------
+# Dynamic / runtime secret-retrieval patterns
+# Lines containing these patterns fetch secrets at runtime — not hardcoded.
+# Addresses #20: added Vault and SOPS patterns.
+# ---------------------------------------------------------------------------
+DYNAMIC_LOOKUP_RE = re.compile(
+    r'(?:'
+    r'Variable\.get'                     # Apache Airflow Variable store
+    r'|os\.getenv'                       # os.getenv('KEY')
+    r'|os\.environ(?:\.get)?\s*[\[({]'  # os.environ['KEY'] / os.environ.get(
+    r'|environ\.get\s*\('               # environ.get(
+    r'|getenv\s*\('                      # standalone getenv(
+    r'|config\.get\s*\('                # config.get(
+    r'|settings\.get\s*\('              # settings.get(
+    r'|SecretClient.*\.get_secret'       # Azure Key Vault
+    r'|boto3.*\.get_secret'             # AWS Secrets Manager
+    r'|keyring\.get_password'           # system keyring
+    # #20 – Hashicorp Vault / SOPS
+    r'|vault:secret/'                   # Vault secret reference
+    r'|ENC\[AES256_GCM,'               # SOPS-encrypted value
+    r'|hvac\.Client'                    # Hashicorp Vault Python client
+    r'|Vault\.read\s*\('               # Vault read call
+    r')',
+    re.IGNORECASE,
+)
+
+# ---------------------------------------------------------------------------
+# Suspicious variable name patterns (case-insensitive)
+# ---------------------------------------------------------------------------
+CRED_VAR_PATTERNS = re.compile(
+    r'(?i)\b('
+    r'api[_\-]?key|apikey|api[_\-]?token|'
+    r'auth[_\-]?token|access[_\-]?token|bearer[_\-]?token|'
+    r'client[_\-]?secret|secret[_\-]?key|app[_\-]?secret|'
+    r'private[_\-]?key|signing[_\-]?key|'
+    r'password|passwd|passphrase|pwd|'
+    r'access[_\-]?key|access[_\-]?id|secret[_\-]?id|'
+    r'client[_\-]?id|tenant[_\-]?id|app[_\-]?id|'
+    r'ssh[_\-]?key|encryption[_\-]?key|'
+    r'db[_\-]?password|database[_\-]?password|'
+    r'db[_\-]?pass|db[_\-]?pwd|'
+    r'postgres[_\-]?password|mysql[_\-]?(?:root[_\-]?)?password|'
+    r'mongo[_\-]?(?:uri|url|password)|redis[_\-]?(?:url|password)|'
+    r'database[_\-]?url|db[_\-]?(?:url|uri)|db[_\-]?conn(?:ection)?(?:[_\-]?string)?|'
+    r'smtp[_\-]?password|mail[_\-]?password|'
+    r'webhook[_\-]?secret|bot[_\-]?token|'
+    r'consumer[_\-]?key|consumer[_\-]?secret|'
+    r'refresh[_\-]?token|oauth[_\-]?token'
+    r')\b'
+)
+
+# ---------------------------------------------------------------------------
+# High-value credential value patterns — (regex, label, min_entropy, severity)
+# #19: Added GCP, Stripe, Slack, GitHub, GitLab, npm, PyPI prefixes.
+# #17: Added connection string pattern.
+# #18: Added PEM private key header.
+# ---------------------------------------------------------------------------
+_JWT_RE = re.compile(
+    r'eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}'
+)
+_AWS_RE = re.compile(
+    r'\b(AKIA|ASIA|AROA|AIDA|ANPA|ANVA|AIPA)[A-Z0-9]{16}\b'
+)
+_HEX_RE = re.compile(r'\b[0-9a-fA-F]{32,64}\b')
+_B64_RE = re.compile(r'[A-Za-z0-9+/=_\-]{60,}')
+
+# #19 – Provider-specific token prefixes (deterministic, near-zero false positives)
+_GCP_RE = re.compile(r'\bAIza[0-9A-Za-z_-]{35}\b')
+_STRIPE_LIVE_RE = re.compile(r'\b[sr]k_live_[0-9a-zA-Z]{24,}\b')
+_STRIPE_TEST_RE = re.compile(r'\b[sr]k_test_[0-9a-zA-Z]{24,}\b')
+_SLACK_RE = re.compile(r'\bxox[bpsa]-[0-9A-Za-z-]{10,}\b')
+_GITHUB_RE = re.compile(
+    r'\b(?:ghp_|gho_|ghs_|ghu_|github_pat_)[0-9A-Za-z_]{16,}\b'
+)
+_GITLAB_RE = re.compile(r'\bglpat-[0-9A-Za-z_-]{20,}\b')
+_NPM_RE = re.compile(r'\bnpm_[0-9a-zA-Z]{36}\b')
+_PYPI_RE = re.compile(r'\bpypi-[0-9a-zA-Z_-]{16,}\b')
+
+# #17 – Connection strings with embedded credentials (scheme://user:pass@host)
+_CONN_STRING_RE = re.compile(
+    r'[a-zA-Z][a-zA-Z0-9+.-]*://[^:@\s]+:[^@\s]+@[^\s"\']{3,}'
+)
+
+# #18 – PEM private key header
+_PEM_KEY_RE = re.compile(r'-----BEGIN\s+(?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----')
+
+# severity: critical > high > medium > low
+VALUE_PATTERNS = [
+    # Deterministic provider prefixes — critical severity
+    (_AWS_RE,          'AWS access key',       3.0, 'critical'),
+    (_GCP_RE,          'GCP API key',          3.0, 'critical'),
+    (_STRIPE_LIVE_RE,  'Stripe live key',      3.0, 'critical'),
+    (_GITHUB_RE,       'GitHub token',         3.0, 'critical'),
+    (_GITLAB_RE,       'GitLab token',         3.0, 'critical'),
+    (_SLACK_RE,        'Slack token',          3.0, 'critical'),
+    (_NPM_RE,          'npm token',            3.0, 'critical'),
+    (_PYPI_RE,         'PyPI token',           3.0, 'critical'),
+    (_PEM_KEY_RE,      'private key header',   0.0, 'critical'),
+    # Structural patterns — high severity
+    (_JWT_RE,          'JWT token',            3.3, 'high'),
+    (_CONN_STRING_RE,  'connection string',    2.5, 'high'),
+    (_STRIPE_TEST_RE,  'Stripe test key',      3.0, 'medium'),
+    # Heuristic patterns — medium/low severity
+    (_HEX_RE,          'hex credential',       3.5, 'medium'),
+    (_B64_RE,          'high-entropy string',  3.8, 'low'),
+]
+
+# ---------------------------------------------------------------------------
+# Assignment detection — variable/key name on the left, value on the right
+# #13: Fixed greedy capture for unquoted values.
+# #21: Added XML attribute pattern.
+# ---------------------------------------------------------------------------
+
+# Standard assignment: VAR = "value" / VAR = 'value' / "key": "value"
+# #13 fix: quoted values capture up to closing quote; unquoted values stop
+# at whitespace or comment characters.
+ASSIGNMENT_RE = re.compile(
+    r'''
+        ["']?                          # optional quote around key name
+        (?P<var>[\w.\-]+)              # variable or key name
+        ["']?                          # optional closing quote around key name
+        \s*[:=]\s*                     # assignment or dict colon
+        (?:
+            (?P<q>["'])                # opening quote
+            (?P<val_q>(?:(?!(?P=q)).)+)  # value: everything up to matching quote
+            (?P=q)                     # closing quote
+        |
+            (?P<val_u>[^\s#;,\]}"']+)  # unquoted: stop at whitespace/comment/delimiters/quotes
+        )
+    ''',
+    re.VERBOSE,
+)
+
+# #21 – XML attribute: <... key="Password" value="secret" ...>
+# Supports both orderings: key/name before or after value.
+_XML_KEY_FIRST = re.compile(
+    r'<[^>]*?\b(?:key|name)\s*=\s*["\'](?P<xml_key>[^"\']+)["\']'
+    r'[^>]*?\bvalue\s*=\s*["\'](?P<xml_val>[^"\']+)["\']',
+    re.IGNORECASE,
+)
+_XML_VAL_FIRST = re.compile(
+    r'<[^>]*?\bvalue\s*=\s*["\'](?P<xml_val>[^"\']+)["\']'
+    r'[^>]*?\b(?:key|name)\s*=\s*["\'](?P<xml_key>[^"\']+)["\']',
+    re.IGNORECASE,
+)
+
+
+def xml_attr_finditer(line: str):
+    """Yield (xml_key, xml_val) from XML attribute matches in either order."""
+    seen = set()
+    for pattern in (_XML_KEY_FIRST, _XML_VAL_FIRST):
+        for m in pattern.finditer(line):
+            key, val = m.group('xml_key'), m.group('xml_val')
+            if (key, val) not in seen:
+                seen.add((key, val))
+                yield key, val
+
+
+# Keep for backward compat in tests
+XML_ATTR_RE = _XML_KEY_FIRST
+
+# ---------------------------------------------------------------------------
+# Inline suppression comment pattern (#3)
+# ---------------------------------------------------------------------------
+SUPPRESS_RE = re.compile(r'credactor:\s*ignore', re.IGNORECASE)