
Epistemic Ledger & OCI Trust Anchor for CoReason URNs.
// Copyright (c) 2026 CoReason, Inc.
// All rights reserved.

pub mod ceremony;
pub mod cost_tracker;
pub mod crypto;
pub mod epistemic;
pub mod init;
pub mod ledger;
pub mod nats_registry;
pub mod routing;

use regex::Regex;
use std::sync::OnceLock;

/// Pre-compiled detector patterns used by [`scan_dlp_violations`].
///
/// Each field holds one compiled `Regex`; the struct is private and is only
/// built once through the `SCANNER` static so the compile cost is paid a
/// single time per process.
struct DlpScanner {
    /// HashiCorp-style `hvs.` service token: prefix plus 20+ `[a-zA-Z0-9_-]`.
    vault_token: Regex,
    /// `AKIA` followed by exactly 16 upper-case alphanumerics.
    aws_access_key: Regex,
    /// Any maximal run of base64-alphabet characters (`[A-Za-z0-9/+=]+`);
    /// `scan` uses the run *length* (exactly 40) as a secret-shape signal.
    base64_seq: Regex,
    /// Case-insensitive keyword (`secret|key|token|password|credential`),
    /// optional quote/colon/whitespace, then 40 base64-alphabet characters.
    aws_secret_context: Regex,
    /// `ddd-dd-dddd` bounded by `\b` on both sides; no range validation.
    ssn: Regex,
    /// 13/16-digit runs starting with `4`, 16-digit runs starting with
    /// `51`–`55`, or 15-digit runs starting with `34`/`37`, `\b`-bounded.
    /// No Luhn check is applied, so any digit run of that shape matches.
    credit_card: Regex,
    /// `ghp_` followed by exactly 36 alphanumerics.
    github_pat: Regex,
    /// `COREASON_ROOT_CA_KEY` or `COREASON_DEV_KEY`, optional
    /// quote/colon/whitespace, then a 64-hex-character value.
    coreason_key: Regex,
}

impl DlpScanner {
    /// Builds the detector set, compiling every pattern up front.
    ///
    /// The patterns are fixed literals, so a compile failure is a programming
    /// error rather than a runtime condition; `expect` records that invariant.
    fn new() -> Self {
        fn compile(pattern: &str) -> Regex {
            Regex::new(pattern).expect("DLP pattern is a fixed literal and must compile")
        }

        Self {
            vault_token: compile(r"hvs\.[a-zA-Z0-9_-]{20,}"),
            aws_access_key: compile(r"AKIA[0-9A-Z]{16}"),
            base64_seq: compile(r"[A-Za-z0-9/+=]+"),
            aws_secret_context: compile(
                r"(?i)(?:secret|key|token|password|credential)[\x22':\s]*[A-Za-z0-9/+=]{40}",
            ),
            ssn: compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            credit_card: compile(
                r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b",
            ),
            github_pat: compile(r"ghp_[a-zA-Z0-9]{36}"),
            coreason_key: compile(r"COREASON_(?:ROOT_CA|DEV)_KEY[\x22':\s]*[a-fA-F0-9]{64}"),
        }
    }

    /// Runs every detector over `text` and returns the label of each one
    /// that fired, in a fixed order:
    /// `vault_token`, `aws_access_key`, `aws_secret_key`, `pem_private_key`,
    /// `ssh_private_key`, `ssn`, `credit_card`, `github_pat`,
    /// `coreason_signing_key`.
    ///
    /// Each label appears at most once regardless of how many matches the
    /// text contains. Two detectors are composite and worth knowing about:
    ///
    /// * `aws_secret_key` requires a base64-alphabet run of exactly 40
    ///   characters *somewhere* in the text and a keyword-context match
    ///   *somewhere* in the text; the two are evaluated independently and
    ///   need not refer to the same span, so this detector can fire on
    ///   unrelated fragments.
    /// * `ssh_private_key` matches a substring that also satisfies the
    ///   `pem_private_key` check, so an OpenSSH key header yields both labels.
    fn scan(&self, text: &str) -> Vec<String> {
        // Composite signals computed first so the table below stays flat.
        let aws_secret_hit = {
            let forty_char_run = self
                .base64_seq
                .find_iter(text)
                .any(|run| run.as_str().len() == 40);
            // Context regex is only consulted once the length signal is present.
            forty_char_run && self.aws_secret_context.is_match(text)
        };
        let pem_hit = text.contains("-----BEGIN") && text.contains("PRIVATE KEY-----");
        let ssh_hit = text.contains("-----BEGIN OPENSSH PRIVATE KEY-----");

        // (fired, label) in reporting order; order is part of the contract.
        let checks: [(bool, &str); 9] = [
            (self.vault_token.is_match(text), "vault_token"),
            (self.aws_access_key.is_match(text), "aws_access_key"),
            (aws_secret_hit, "aws_secret_key"),
            (pem_hit, "pem_private_key"),
            (ssh_hit, "ssh_private_key"),
            (self.ssn.is_match(text), "ssn"),
            (self.credit_card.is_match(text), "credit_card"),
            (self.github_pat.is_match(text), "github_pat"),
            (self.coreason_key.is_match(text), "coreason_signing_key"),
        ];

        checks
            .iter()
            .filter(|(fired, _)| *fired)
            .map(|(_, label)| (*label).to_string())
            .collect()
    }
}

/// Process-wide detector set, compiled lazily on first use.
///
/// `OnceLock` serialises the one-time initialisation, so concurrent first
/// callers of [`scan_dlp_violations`] share a single compiled `DlpScanner`.
static SCANNER: OnceLock<DlpScanner> = OnceLock::new();

/// Scans `text` for secret and PII shapes and returns the labels of every
/// detector that fired, in the scanner's fixed detector order.
///
/// The shared [`DlpScanner`] is compiled on the first call and reused after
/// that. Detection is pattern-based: an empty result means no pattern
/// matched, not that the text is free of sensitive data.
pub fn scan_dlp_violations(text: &str) -> Vec<String> {
    SCANNER.get_or_init(DlpScanner::new).scan(text)
}