scrub-ai 1.0.0__tar.gz

scrub_ai-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Rajwinder Marwaha
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

scrub_ai-1.0.0/PKG-INFO

@@ -0,0 +1,218 @@
+Metadata-Version: 2.4
+Name: scrub-ai
+Version: 1.0.0
+Summary: Sanitize sensitive content from any text before sharing with AI assistants
+Author: Rajwinder Marwaha
+License: MIT License
+        
+        Copyright (c) 2026 Rajwinder Marwaha
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://github.com/rajwindermarwaha/scrub-ai
+Project-URL: Repository, https://github.com/rajwindermarwaha/scrub-ai
+Project-URL: Issues, https://github.com/rajwindermarwaha/scrub-ai/issues
+Keywords: security,privacy,ai,sanitize,secrets,redact
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: MacOS
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.0
+Requires-Dist: pyperclip>=1.8
+Requires-Dist: keyboard>=0.13; sys_platform == "win32"
+Requires-Dist: pystray>=0.19; sys_platform == "win32"
+Requires-Dist: Pillow>=10.0; sys_platform == "win32"
+Requires-Dist: win10toast>=0.9; sys_platform == "win32"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Dynamic: license-file
+
+# 🧹 scrub-ai
+
+> Sanitize sensitive content from any text before sharing with AI assistants.
+
+[![PyPI version](https://badge.fury.io/py/scrub-ai.svg)](https://badge.fury.io/py/scrub-ai)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Platform](https://img.shields.io/badge/platform-Windows%20%7C%20Linux%20%7C%20macOS-blue.svg)]()
+[![CI](https://github.com/rajwindermarwaha/scrub-ai/actions/workflows/ci.yml/badge.svg)](https://github.com/rajwindermarwaha/scrub-ai/actions/workflows/ci.yml)
+
+---
+
+## The Problem
+
+Every day, developers copy sensitive content into AI assistants without thinking:
+
+```
+❌ Stack trace with internal hostnames    → pasted into ChatGPT
+❌ Application logs with session tokens   → pasted into Copilot
+❌ Config files with database passwords   → pasted into Claude
+❌ kubectl output with cluster names      → pasted into AI
+❌ AWS CLI output with account IDs        → pasted into ChatGPT
+```
+
+Once that data leaves your machine, you have no control over it.
+
+**scrub-ai fixes this** — it detects and masks sensitive content before you share it with any AI tool.
+
+---
+
+## Features
+
+- 🔑 **Secrets detection** — API keys, tokens, passwords, private keys
+- ☁️ **Cloud detection** — AWS account IDs, ARNs, GCP project IDs, Azure subscriptions
+- 🌐 **Network detection** — IP addresses, internal hostnames, internal URLs
+- ⌨️ **Windows hotkey** — press `Ctrl+Alt+S` to sanitize clipboard instantly
+- 🖥️ **System tray** — runs quietly in the background
+- 📋 **CLI** — pipe any text through it from the terminal
+- 📦 **PyPI** — install with a single `pip install scrub-ai`
+
+---
+
+## Quick Start
+
+### Install
+
+```bash
+pip install scrub-ai
+```
+
+### CLI Usage
+
+```bash
+# Pipe any text through it
+cat error.log | scrub-ai
+
+# Sanitize a file
+scrub-ai --file crash.log
+
+# See what would be detected without changing anything
+scrub-ai --dry-run --file logs.txt
+
+# Sanitize and copy result to clipboard
+scrub-ai --file logs.txt --copy
+```
+
+### Hotkey Usage (Windows only)
+
+```bash
+# Start scrub-ai in the background
+scrub-ai --start
+
+# Icon appears in system tray (bottom right)
+# Copy any text with Ctrl+C as normal
+# Press Ctrl+Alt+S to sanitize clipboard
+# Paste clean text with Ctrl+V
+```
+
+---
+
+## Example
+
+**Input:**
+```
+ERROR 2024-01-15 14:32:01 - Connection failed
+  host: db01.prod.internal
+  password: myS3cretP@ss123
+  aws_access_key_id: AKIAIOSFODNN7EXAMPLE
+  aws_account_id: 123456789012
+  ip: 10.0.1.45
+```
+
+**Output:**
+```
+ERROR 2024-01-15 14:32:01 - Connection failed
+  host: [INTERNAL_HOST]
+  password: [REDACTED]
+  aws_access_key_id: [AWS_ACCESS_KEY]
+  aws_account_id: [AWS_ACCOUNT_ID]
+  ip: [IP_ADDRESS]
+```
+
+**Detection summary (stderr):**
+```
+Detected 5 sensitive value(s): aws_access_key=1, aws_account_id=1, internal_host=1, ipv4=1, password=1
+```
+
+---
+
+## What Gets Detected
+
+| Category | Examples |
+|---|---|
+| AWS credentials | Access keys, secret keys, session tokens |
+| AWS infrastructure | Account IDs, ARNs, S3 URLs |
+| GCP credentials | Service account keys, project IDs |
+| Azure credentials | Subscription IDs, connection strings |
+| Generic secrets | API keys, bearer tokens, JWTs, private keys, hex tokens |
+| Passwords | `password=`, `passwd=`, `pwd=` key-value patterns |
+| Network | IPv4, IPv6, internal hostnames, internal URLs |
+
+---
+
+## Roadmap
+
+- [x] Project setup
+- [x] **v1.0** — CLI + secrets + cloud + network detection + Windows hotkey + system tray
+- [ ] **v1.1** — PII detection (emails, phones) via Presidio
+- [ ] **v1.2** — Watch mode (automatic clipboard monitoring)
+- [ ] **v2.0** — VS Code extension
+- [ ] **v2.1** — Browser extension (warns before pasting into ChatGPT)
+- [ ] **v3.0** — Team policies + audit log
+
+---
+
+## Contributing
+
+Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) first.
+
+```bash
+# Clone
+git clone https://github.com/rajwindermarwaha/scrub-ai
+cd scrub-ai
+
+# Install dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+```
+
+---
+
+## License
+
+MIT — see [LICENSE](LICENSE)
+
+---
+
+## Author
+
+Built by [@rajwindermarwaha](https://github.com/rajwindermarwaha)
+
+> *Built this because I had to put in the extra effort of copying everything into Notepad first and manually scrubbing it before sharing with AI tools. Figured others do the same.*

scrub_ai-1.0.0/README.md

@@ -0,0 +1,164 @@
+# 🧹 scrub-ai
+
+> Sanitize sensitive content from any text before sharing with AI assistants.
+
+[![PyPI version](https://badge.fury.io/py/scrub-ai.svg)](https://badge.fury.io/py/scrub-ai)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Platform](https://img.shields.io/badge/platform-Windows%20%7C%20Linux%20%7C%20macOS-blue.svg)]()
+[![CI](https://github.com/rajwindermarwaha/scrub-ai/actions/workflows/ci.yml/badge.svg)](https://github.com/rajwindermarwaha/scrub-ai/actions/workflows/ci.yml)
+
+---
+
+## The Problem
+
+Every day, developers copy sensitive content into AI assistants without thinking:
+
+```
+❌ Stack trace with internal hostnames    → pasted into ChatGPT
+❌ Application logs with session tokens   → pasted into Copilot
+❌ Config files with database passwords   → pasted into Claude
+❌ kubectl output with cluster names      → pasted into AI
+❌ AWS CLI output with account IDs        → pasted into ChatGPT
+```
+
+Once that data leaves your machine, you have no control over it.
+
+**scrub-ai fixes this** — it detects and masks sensitive content before you share it with any AI tool.
+
+---
+
+## Features
+
+- 🔑 **Secrets detection** — API keys, tokens, passwords, private keys
+- ☁️ **Cloud detection** — AWS account IDs, ARNs, GCP project IDs, Azure subscriptions
+- 🌐 **Network detection** — IP addresses, internal hostnames, internal URLs
+- ⌨️ **Windows hotkey** — press `Ctrl+Alt+S` to sanitize clipboard instantly
+- 🖥️ **System tray** — runs quietly in the background
+- 📋 **CLI** — pipe any text through it from the terminal
+- 📦 **PyPI** — install with a single `pip install scrub-ai`
+
+---
+
+## Quick Start
+
+### Install
+
+```bash
+pip install scrub-ai
+```
+
+### CLI Usage
+
+```bash
+# Pipe any text through it
+cat error.log | scrub-ai
+
+# Sanitize a file
+scrub-ai --file crash.log
+
+# See what would be detected without changing anything
+scrub-ai --dry-run --file logs.txt
+
+# Sanitize and copy result to clipboard
+scrub-ai --file logs.txt --copy
+```
+
+### Hotkey Usage (Windows only)
+
+```bash
+# Start scrub-ai in the background
+scrub-ai --start
+
+# Icon appears in system tray (bottom right)
+# Copy any text with Ctrl+C as normal
+# Press Ctrl+Alt+S to sanitize clipboard
+# Paste clean text with Ctrl+V
+```
+
+---
+
+## Example
+
+**Input:**
+```
+ERROR 2024-01-15 14:32:01 - Connection failed
+  host: db01.prod.internal
+  password: myS3cretP@ss123
+  aws_access_key_id: AKIAIOSFODNN7EXAMPLE
+  aws_account_id: 123456789012
+  ip: 10.0.1.45
+```
+
+**Output:**
+```
+ERROR 2024-01-15 14:32:01 - Connection failed
+  host: [INTERNAL_HOST]
+  password: [REDACTED]
+  aws_access_key_id: [AWS_ACCESS_KEY]
+  aws_account_id: [AWS_ACCOUNT_ID]
+  ip: [IP_ADDRESS]
+```
+
+**Detection summary (stderr):**
+```
+Detected 5 sensitive value(s): aws_access_key=1, aws_account_id=1, internal_host=1, ipv4=1, password=1
+```
+
+---
+
+## What Gets Detected
+
+| Category | Examples |
+|---|---|
+| AWS credentials | Access keys, secret keys, session tokens |
+| AWS infrastructure | Account IDs, ARNs, S3 URLs |
+| GCP credentials | Service account keys, project IDs |
+| Azure credentials | Subscription IDs, connection strings |
+| Generic secrets | API keys, bearer tokens, JWTs, private keys, hex tokens |
+| Passwords | `password=`, `passwd=`, `pwd=` key-value patterns |
+| Network | IPv4, IPv6, internal hostnames, internal URLs |
+
+---
+
+## Roadmap
+
+- [x] Project setup
+- [x] **v1.0** — CLI + secrets + cloud + network detection + Windows hotkey + system tray
+- [ ] **v1.1** — PII detection (emails, phones) via Presidio
+- [ ] **v1.2** — Watch mode (automatic clipboard monitoring)
+- [ ] **v2.0** — VS Code extension
+- [ ] **v2.1** — Browser extension (warns before pasting into ChatGPT)
+- [ ] **v3.0** — Team policies + audit log
+
+---
+
+## Contributing
+
+Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) first.
+
+```bash
+# Clone
+git clone https://github.com/rajwindermarwaha/scrub-ai
+cd scrub-ai
+
+# Install dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+```
+
+---
+
+## License
+
+MIT — see [LICENSE](LICENSE)
+
+---
+
+## Author
+
+Built by [@rajwindermarwaha](https://github.com/rajwindermarwaha)
+
+> *Built this because I had to put in the extra effort of copying everything into Notepad first and manually scrubbing it before sharing with AI tools. Figured others do the same.*

scrub_ai-1.0.0/pyproject.toml

@@ -0,0 +1,50 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "scrub-ai"
+version = "1.0.0"
+description = "Sanitize sensitive content from any text before sharing with AI assistants"
+readme = "README.md"
+license = { file = "LICENSE" }
+authors = [{ name = "Rajwinder Marwaha" }]
+requires-python = ">=3.10"
+keywords = ["security", "privacy", "ai", "sanitize", "secrets", "redact"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: Microsoft :: Windows",
+    "Operating System :: POSIX :: Linux",
+    "Operating System :: MacOS",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+dependencies = [
+    "click>=8.0",
+    "pyperclip>=1.8",
+    "keyboard>=0.13; sys_platform == 'win32'",
+    "pystray>=0.19; sys_platform == 'win32'",
+    "Pillow>=10.0; sys_platform == 'win32'",
+    "win10toast>=0.9; sys_platform == 'win32'",
+]
+
+[project.urls]
+Homepage = "https://github.com/rajwindermarwaha/scrub-ai"
+Repository = "https://github.com/rajwindermarwaha/scrub-ai"
+Issues = "https://github.com/rajwindermarwaha/scrub-ai/issues"
+
+[project.optional-dependencies]
+dev = ["pytest>=7.0", "pytest-cov"]
+
+[project.scripts]
+scrub-ai = "scrub_ai.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["scrub_ai*"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

scrub_ai-1.0.0/scrub_ai/__init__.py

@@ -0,0 +1 @@
+__version__ = "1.0.0"

scrub_ai-1.0.0/scrub_ai/cli.py

@@ -0,0 +1,73 @@
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import click
+import pyperclip
+
+from scrub_ai.sanitizer import sanitize_text
+from scrub_ai import config as cfg
+
+
+def _load_input(file_path: str | None) -> str:
+    if file_path is not None:
+        return Path(file_path).read_text(encoding="utf-8")
+
+    if not sys.stdin.isatty():
+        return sys.stdin.read()
+
+    raise click.ClickException("No input provided. Use --file or pipe text via stdin.")
+
+
+def _format_report(report: dict[str, object]) -> str:
+    total = int(report.get("total_matches", 0))
+    if total == 0:
+        return "No sensitive content detected."
+
+    by_label = report.get("by_label", {})
+    if isinstance(by_label, dict) and by_label:
+        details = ", ".join(f"{label}={count}" for label, count in sorted(by_label.items()))
+        return f"Detected {total} sensitive value(s): {details}"
+
+    return f"Detected {total} sensitive value(s)."
+
+
+@click.command()
+@click.option("--file", "file_path", type=click.Path(exists=True, dir_okay=False, path_type=str), help="Read input from a file.")
+@click.option("--dry-run", is_flag=True, help="Show detections but do not modify the output text.")
+@click.option("--copy", "copy_output", is_flag=True, help="Copy output text to clipboard.")
+@click.option("--start", is_flag=True, help="Start background hotkey listener and system tray (Windows only).")
+def main(file_path: str | None, dry_run: bool, copy_output: bool, start: bool) -> None:
+    """Sanitize sensitive content from text."""
+
+    if start:
+        if sys.platform != "win32":
+            raise click.ClickException("--start is only supported on Windows.")
+        from scrub_ai import tray
+        click.echo("scrub-ai running. Press Ctrl+Alt+S to sanitize clipboard. Right-click the tray icon to quit.", err=True)
+        tray.start()
+        return
+
+    input_text = _load_input(file_path)
+    clean_text, report = sanitize_text(input_text)
+
+    output_text = input_text if dry_run else clean_text
+    sys.stdout.write(output_text)
+
+    click.echo("", err=True)
+    if dry_run:
+        click.echo(f"Dry run: {_format_report(report)}", err=True)
+    else:
+        click.echo(_format_report(report), err=True)
+
+    if copy_output:
+        try:
+            pyperclip.copy(output_text)
+            click.echo("Copied output to clipboard.", err=True)
+        except pyperclip.PyperclipException as exc:
+            raise click.ClickException(f"Clipboard copy failed: {exc}") from exc
+
+
+if __name__ == "__main__":
+    main()

scrub_ai-1.0.0/scrub_ai/config.py

@@ -0,0 +1,68 @@
+"""
+config.py — Persistent user configuration for scrub-ai.
+
+Settings are stored in a JSON file:
+  - Windows: %APPDATA%\\scrub-ai\\config.json
+  - Linux/macOS: ~/.config/scrub-ai/config.json
+
+Only a small set of knobs exist in v1:
+  - enabled (bool)  — whether the hotkey listener is active
+  - hotkey (str)    — the keyboard shortcut string (default "ctrl+alt+s")
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+from pathlib import Path
+
+
+_DEFAULTS: dict[str, object] = {
+    "enabled": True,
+    "hotkey": "ctrl+alt+s",
+}
+
+
+def _config_dir() -> Path:
+    if sys.platform == "win32":
+        appdata = os.environ.get("APPDATA") or Path.home() / "AppData" / "Roaming"
+        return Path(appdata) / "scrub-ai"
+    return Path.home() / ".config" / "scrub-ai"
+
+
+def _config_path() -> Path:
+    return _config_dir() / "config.json"
+
+
+def load() -> dict[str, object]:
+    """Return the current config, falling back to defaults for any missing key."""
+    path = _config_path()
+    if not path.exists():
+        return dict(_DEFAULTS)
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+        return {**_DEFAULTS, **data}
+    except (json.JSONDecodeError, OSError):
+        return dict(_DEFAULTS)
+
+
+def save(config: dict[str, object]) -> None:
+    """Persist config to disk, creating directories as needed."""
+    path = _config_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(config, indent=2), encoding="utf-8")
+
+
+def set_enabled(value: bool) -> None:
+    cfg = load()
+    cfg["enabled"] = value
+    save(cfg)
+
+
+def is_enabled() -> bool:
+    return bool(load().get("enabled", True))
+
+
+def get_hotkey() -> str:
+    return str(load().get("hotkey", _DEFAULTS["hotkey"]))

scrub_ai-1.0.0/scrub_ai/detectors/__init__.py

@@ -0,0 +1,5 @@
+from .secrets import SecretsDetector
+from .cloud import CloudDetector
+from .network import NetworkDetector
+
+__all__ = ["SecretsDetector", "CloudDetector", "NetworkDetector"]

scrub_ai-1.0.0/scrub_ai/detectors/base.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+import re
+from dataclasses import dataclass
+
+
+@dataclass
+class Match:
+    start: int
+    end: int
+    original: str
+    replacement: str
+    category: str
+    label: str
+    confidence: float = 1.0
+
+
+class BaseDetector:
+    name: str = ""
+    priority: int = 99
+    patterns: list[tuple[re.Pattern, str, str]] = []  # (pattern, replacement, label)
+
+    def detect(self, text: str) -> list[Match]:
+        matches = []
+        for pattern, replacement, label in self.patterns:
+            for m in pattern.finditer(text):
+                matches.append(Match(
+                    start=m.start(),
+                    end=m.end(),
+                    original=m.group(),
+                    replacement=replacement,
+                    category=self.name,
+                    label=label,
+                ))
+        return matches

scrub_ai-1.0.0/scrub_ai/detectors/cloud.py

@@ -0,0 +1,51 @@
+from __future__ import annotations
+import re
+from .base import BaseDetector
+
+
+class CloudDetector(BaseDetector):
+    name = "cloud"
+    priority = 2
+    patterns = [
+        # ── AWS ──────────────────────────────────────────────────────────────
+
+        # AWS Access Key IDs (AKIA / ASIA / AROA / AIDA / ANPA / ANVA / APKA prefixes)
+        (re.compile(r"\b(?:AKIA|ASIA|AROA|AIDA|ANPA|ANVA|APKA)[0-9A-Z]{16}\b"), "[AWS_ACCESS_KEY_ID]", "aws_access_key_id"),
+
+        # AWS Secret Access Keys — 40-char base64 in key=value context
+        (re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9+/]{40})['\"]?"), "[AWS_SECRET_ACCESS_KEY]", "aws_secret_access_key"),
+
+        # AWS Account IDs — 12-digit numbers in ARN or account= context
+        (re.compile(r"(?i)(?:account[_-]?id|aws[_-]?account)\s*[=:]\s*['\"]?(\d{12})['\"]?"), "[AWS_ACCOUNT_ID]", "aws_account_id"),
+
+        # ARNs — arn:aws:service:region:account-id:resource
+        (re.compile(r"\barn:aws[a-z0-9-]*:[a-z0-9\-]*:[a-z0-9\-]*:\d{12}:[^\s\"']+"), "[AWS_ARN]", "aws_arn"),
+
+        # AWS Session Tokens (base64, 100–300 chars, in token= context)
+        (re.compile(r"(?i)(?:aws[_-]?session[_-]?token|session[_-]?token)\s*[=:]\s*['\"]?([A-Za-z0-9+/=]{100,300})['\"]?"), "[AWS_SESSION_TOKEN]", "aws_session_token"),
+
+        # ── GCP ──────────────────────────────────────────────────────────────
+
+        # GCP API keys (AIza prefix, 39 chars total)
+        (re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"), "[GCP_API_KEY]", "gcp_api_key"),
+
+        # GCP service account email
+        (re.compile(r"\b[a-z0-9\-]+@[a-z0-9\-]+\.iam\.gserviceaccount\.com\b"), "[GCP_SERVICE_ACCOUNT]", "gcp_service_account"),
+
+        # GCP project IDs in project= / project_id= context
+        (re.compile(r"(?i)(?:project[_-]?id|gcp[_-]?project)\s*[=:]\s*['\"]?([a-z][a-z0-9\-]{4,28}[a-z0-9])['\"]?"), "[GCP_PROJECT_ID]", "gcp_project_id"),
+
+        # ── Azure ─────────────────────────────────────────────────────────────
+
+        # Azure Subscription / Tenant / Client IDs (UUIDs in context)
+        (re.compile(r"(?i)(?:subscription[_-]?id|tenant[_-]?id|client[_-]?id)\s*[=:]\s*['\"]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"), "[AZURE_ID]", "azure_id"),
+
+        # Azure Client Secrets (34-char random string in client_secret= context)
+        (re.compile(r"(?i)client[_-]?secret\s*[=:]\s*['\"]?([A-Za-z0-9~._\-]{34,})['\"]?"), "[AZURE_CLIENT_SECRET]", "azure_client_secret"),
+
+        # Azure Storage connection strings
+        (re.compile(r"DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{88};[^\s\"']*"), "[AZURE_STORAGE_CONNECTION_STRING]", "azure_storage_connection_string"),
+
+        # Azure SAS tokens (sv=...&sig=... in URL or standalone)
+        (re.compile(r"(?i)(?:sv|se|sr|sp|sig)=[A-Za-z0-9%+/=]+(?:&(?:sv|se|sr|sp|sig)=[A-Za-z0-9%+/=]+){3,}"), "[AZURE_SAS_TOKEN]", "azure_sas_token"),
+    ]