# forbidden-strings built-in baseline deny-list.
#
# THIS FILE IS GENERATED. Do not edit by hand. Source of truth is
# package/cli/forbidden-strings/src/mise.port-betterleaks.ts
# plus the upstream TOML at
# package/cli/forbidden-strings/data/betterleaks-default-config.toml.
# Re-generate via:
# mise run //package/cli/forbidden-strings:generate:rules
#
# Composition:
# - This file ports the betterleaks default ruleset into
# forbidden-strings format. It is a sane baseline of common
# credential shapes (PEM, AWS, Slack, GitHub PAT, etc.) plus
# resharp set-algebra demonstrations.
# - The build embeds it into the forbidden-strings binary via
# `include_str!`; the `--builtin-rules` flag appends it to
# whatever rules file resolves at scan time (and scans with it
# alone when the implicit default rules file is absent). Without
# the flag the scanner never reads these rules.
#
# Attribution:
# Rules are ported from betterleaks' default configuration
# (https://github.com/betterleaks/betterleaks, MIT-licensed). The port
# is mechanical and lossy -- entropy filters, CEL validate steps,
# keyword prefilters, and allowlists are dropped because the
# forbidden-strings engine has no equivalent. Expect more false
# positives than betterleaks would produce; consult the converter
# source for the full list of conversions and intentional omissions.
#
# Format reminder:
# - Bare line = case-sensitive literal substring
# - /PATTERN/FLAGS = regex (resharp; supports A&B, ~(A))
# - Lines starting with `#` = comment
# - Empty lines = ignored
#
# A literal that itself looks like /.../flags must be expressed as a regex
# (escape the slashes), e.g. ban literal `/etc/passwd` as `/\/etc\/passwd/`.
# === 1password-secret-key ===
# Uncovered a possible 1Password secret key, potentially compromising access to secrets in vaults.
/\bA3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}\b/
# === 1password-service-account-token ===
# Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.
/ops\_eyJ[a-zA-Z0-9+/]{250,}={0,3}/
# === adafruit-api-key ===
# Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure.
/(?i)[\w.-]{0,50}(?:adafruit)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === adobe-client-id ===
# Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches.
/(?i)[\w.-]{0,50}(?:adobe)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === adobe-client-secret ===
# Discovered a potential Adobe Client Secret, which, if exposed, could allow unauthorized Adobe service access and data manipulation.
/\b(p8e-(?i)[a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === age-secret-key ===
# Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.
/AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
# === airtable-api-key ===
# Uncovered a possible Airtable API Key, potentially compromising database access and leading to data leakage or alteration.
/(?i)[\w.-]{0,50}(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{17})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === airtable-personnal-access-token ===
# Uncovered a possible Airtable Personal AccessToken, potentially compromising database access and leading to data leakage or alteration.
/\b(pat[[:alnum:]]{14}\.[a-f0-9]{64})\b/
# === algolia-api-key ===
# Identified an Algolia API Key, which could result in unauthorized search operations and data exposure on Algolia-managed platforms.
/(?i)[\w.-]{0,50}(?:algolia)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === alibaba-access-key-id ===
# Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise.
/\b(LTAI(?i)[a-z0-9]{20})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === alibaba-secret-key ===
# Discovered a potential Alibaba Cloud Secret Key, potentially allowing unauthorized operations and data access within Alibaba Cloud.
/(?i)[\w.-]{0,50}(?:alibaba)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === anthropic-admin-api-key ===
# Detected an Anthropic Admin API Key, risking unauthorized access to administrative functions and sensitive AI model configurations.
/\b(sk-ant-admin01-[a-zA-Z0-9_\-]{93}AA)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === anthropic-api-key ===
# Identified an Anthropic API Key, which may compromise AI assistant integrations and expose sensitive data to unauthorized access.
/\b(sk-ant-api03-[a-zA-Z0-9_\-]{93}AA)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === artifactory-api-key ===
# Detected an Artifactory api key, posing a risk unauthorized access to the central repository.
/\bAKCp[A-Za-z0-9]{69}\b/
# === artifactory-reference-token ===
# Detected an Artifactory reference token, posing a risk of impersonation and unauthorized access to the central repository.
/\bcmVmd[A-Za-z0-9]{59}\b/
# === asana-client-id ===
# Discovered a potential Asana Client ID, risking unauthorized access to Asana projects and sensitive task information.
/(?i)[\w.-]{0,50}(?:asana)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === asana-client-secret ===
# Identified an Asana Client Secret, which could lead to compromised project management integrity and unauthorized access.
/(?i)[\w.-]{0,50}(?:asana)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === assemblyai-api-key ===
# Detected an AssemblyAI API Key, which may expose speech-to-text services and associated audio data to unauthorized access.
/(?i)[\w.-]{0,50}(?:assemblyai)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === atlassian-api-token ===
# Detected an Atlassian API token, posing a threat to project management and collaboration tool security and data confidentiality.
# RELAXATION: kept only the `ATATT3...` prefix arm; the label-based ([Aa]tlassian / [Jj]ira / [Cc]onfluence + 24-char body) arm is dropped.
/\b(ATATT3[A-Za-z0-9_\-=]{186})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === authress-service-client-access-key ===
# Uncovered a possible Authress Service Client Access Key, which may compromise access control services and sensitive data.
/\b((?:sc|ext|scauth|authress)\_(?i)[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.(?-i:acc)[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === aws-access-token ===
# Identified an AWS access key ID paired with a secret access key, which together can provide full access to AWS services.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
# RELAXATION: excluded documented placeholder `AKIA2222222222222222` via resharp intersection/complement.
/\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b&~(AKIA2{16})/
# === aws-amazon-bedrock-api-key-long-lived ===
# Identified a pattern that may indicate long-lived Amazon Bedrock API keys, risking unauthorized Amazon Bedrock usage
/\b(ABSK[A-Za-z0-9+/]{109,269}={0,2})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === aws-amazon-bedrock-api-key-short-lived ===
# Identified a pattern that may indicate short-lived Amazon Bedrock API keys, risking unauthorized Amazon Bedrock usage
/bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t/
# === azure-ad-client-secret ===
# Azure AD Client Secret
# RELAXATION: dropped `^|` start-anchor arm; rule no longer fires when the secret starts at byte 0 of a file.
/(?:[\\'"\x60\s>=:(,)])([a-zA-Z0-9_~.]{3}\dQ\~[a-zA-Z0-9_~.-]{31,34})(?:$|[\\'"\x60\s<),])/
# === beamer-api-token ===
# Detected a Beamer API token, potentially compromising content management and exposing sensitive notifications and updates.
/(?i)[\w.-]{0,50}(?:beamer)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(b\_[a-z0-9=_\-]{44})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === bitbucket-client-id ===
# Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure.
/(?i)[\w.-]{0,50}(?:bitbucket)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === bitbucket-client-secret ===
# Discovered a potential Bitbucket Client Secret, posing a risk of compromised code repositories and unauthorized access.
/(?i)[\w.-]{0,50}(?:bitbucket)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === bittrex-access-key ===
# Identified a Bittrex Access Key, which could lead to unauthorized access to cryptocurrency trading accounts and financial loss.
/(?i)[\w.-]{0,50}(?:bittrex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === bittrex-secret-key ===
# Detected a Bittrex Secret Key, potentially compromising cryptocurrency transactions and financial security.
/(?i)[\w.-]{0,50}(?:bittrex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === cerebras-api-key ===
# Identified a Cerebras AI API Key, which may expose AI inference services to unauthorized access.
/(?i)\b(csk-[a-z0-9]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === cisco-meraki-api-key ===
# Cisco Meraki is a cloud-managed IT solution that provides networking, security, and device management through an easy-to-use interface.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:(?-i:[Mm]eraki|MERAKI))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === clickhouse-cloud-api-secret-key ===
# Identified a pattern that may indicate clickhouse cloud API secret key, risking unauthorized clickhouse cloud api access and data breaches on ClickHouse Cloud platforms.
/\b(4b1d[A-Za-z0-9]{38})\b/
# === clojars-api-token ===
# Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation.
/(?i)CLOJARS\_[a-z0-9]{60}/
# === cloudflare-api-key ===
# Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.
/(?i)[\w.-]{0,50}(?:cloudflare)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === cloudflare-global-api-key ===
# Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.
/(?i)[\w.-]{0,50}(?:cloudflare)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{37})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === cloudflare-origin-ca-key ===
# Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.
/\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === codecov-access-token ===
# Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data.
/(?i)[\w.-]{0,50}(?:codecov)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === cohere-api-token ===
# Identified a Cohere Token, posing a risk of unauthorized access to AI services and data manipulation.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:cohere|CO\_API\_KEY)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-zA-Z0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === coinbase-access-token ===
# Detected a Coinbase Access Token, posing a risk of unauthorized access to cryptocurrency accounts and financial transactions.
/(?i)[\w.-]{0,50}(?:coinbase)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === confluent-access-token ===
# Identified a Confluent Access Token, which could compromise access to streaming data platforms and sensitive data flow.
/(?i)[\w.-]{0,50}(?:confluent)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === confluent-secret-key ===
# Found a Confluent Secret Key, potentially risking unauthorized operations and data access within Confluent services.
/(?i)[\w.-]{0,50}(?:confluent)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === contentful-delivery-api-token ===
# Discovered a Contentful delivery API token, posing a risk to content management systems and data integrity.
/(?i)[\w.-]{0,50}(?:contentful)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{43})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === curl-auth-user ===
# Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.
/\bcurl\b(?:.*|.*(?:[\r\n]{1,2}.*){1,5})[ \t\n\r](?:-u|--user)(?:=|[ \t]{0,5})("(:[^"]{3,}|[^:"]{3,}:|[^:"]{3,}:[^"]{3,})"|'([^:']{3,}:[^']{3,})'|((?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+):(?:"[^"]{3,}"|'[^']{3,}'|[\w${}@.-]+)))(?:\s|\z)/
# === cursor-api-key ===
# Detected a Cursor Integrations API Key, which may expose AI-assisted development services to unauthorized access.
/(?i)[\w.-]{0,50}(?:cursor)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(key\_[0-9a-f]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === databricks-api-token ===
# Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing.
/\b(dapi[a-f0-9]{32}(?:-\d)?)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === datadog-access-token ===
# Detected a Datadog Access Token, potentially risking monitoring and analytics data exposure and manipulation.
/(?i)[\w.-]{0,50}(?:datadog)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === deepgram-api-key ===
# Detected a Deepgram API Key, which may expose speech recognition services and audio data to unauthorized access.
/(?i)[\w.-]{0,50}(?:deepgram)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === deepseek-api-key ===
# Detected a DeepSeek API Key, which may expose AI model access and associated usage to unauthorized parties.
/(?i)[\w.-]{0,50}(?:deepseek)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(sk-[a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === defined-networking-api-token ===
# Identified a Defined Networking API token, which could lead to unauthorized network operations and data breaches.
/(?i)[\w.-]{0,50}(?:dnkey)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === digitalocean-access-token ===
# Found a DigitalOcean OAuth Access Token, risking unauthorized cloud resource access and data compromise.
/\b(doo\_v1\_[a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === digitalocean-pat ===
# Discovered a DigitalOcean Personal Access Token, posing a threat to cloud infrastructure security and data privacy.
/\b(dop\_v1\_[a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === digitalocean-refresh-token ===
# Uncovered a DigitalOcean OAuth Refresh Token, which could allow prolonged unauthorized access and resource manipulation.
/(?i)\b(dor\_v1\_[a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === discord-api-token ===
# Detected a Discord API key, potentially compromising communication channels and user data privacy on Discord.
/(?i)[\w.-]{0,50}(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === discord-client-id ===
# Identified a Discord client ID, which may lead to unauthorized integrations and data exposure in Discord applications.
/(?i)[\w.-]{0,50}(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{18})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === discord-client-secret ===
# Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.
/(?i)[\w.-]{0,50}(?:discord)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === doppler-api-token ===
# Discovered a Doppler API token, posing a risk to environment and secrets management security.
/dp\.pt\.(?i)[a-z0-9]{43}/
# === droneci-access-token ===
# Detected a Droneci Access Token, potentially compromising continuous integration and deployment workflows.
/(?i)[\w.-]{0,50}(?:droneci)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === dropbox-api-token ===
# Identified a Dropbox API secret, which could lead to unauthorized file access and data breaches in Dropbox storage.
/(?i)[\w.-]{0,50}(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{15})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === dropbox-long-lived-api-token ===
# Found a Dropbox long-lived API token, risking prolonged unauthorized access to cloud storage and sensitive data.
/(?i)[\w.-]{0,50}(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === dropbox-short-lived-api-token ===
# Discovered a Dropbox short-lived API token, posing a risk of temporary but potentially harmful data access and manipulation.
/(?i)[\w.-]{0,50}(?:dropbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(sl\.[a-z0-9\-=_]{135})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === duffel-api-token ===
# Uncovered a Duffel API token, which may compromise travel platform integrations and sensitive customer data.
/duffel\_(?:test|live)\_(?i)[a-z0-9_\-=]{43}/
# === dynatrace-api-token ===
# Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure.
/dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}/
# === easypost-api-token ===
# Identified an EasyPost API token, which could lead to unauthorized postal and shipment service access and data exposure.
# RELAXATION: hoisted `(?i)` to the front and dropped trailing `\b` (resharp rejects `\b` immediately after a case-folded class).
/(?i)\bEZAK[a-z0-9]{54}/
# === easypost-test-api-token ===
# Detected an EasyPost test API token, risking exposure of test environments and potentially sensitive shipment data.
# RELAXATION: hoisted `(?i)` to the front and dropped trailing `\b` (resharp rejects `\b` immediately after a case-folded class).
/(?i)\bEZTK[a-z0-9]{54}/
# === elevenlabs-api-key ===
# Detected an ElevenLabs API Key, which may expose AI voice synthesis services to unauthorized access.
/(?i)[\w.-]{0,50}(?:elevenlabs)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(sk\_[0-9a-f]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === endorlabs-api-key ===
# Detected an Endor Labs API Key, which may compromise supply chain security scanning and software composition analysis.
/(?i)[\w.-]{0,50}(?:endor(?:labs)?|key)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(endr\+[A-Za-z0-9-]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === endorlabs-api-secret ===
# Detected an Endor Labs API Secret, which together with an API key grants full access to Endor Labs supply chain security services.
/(?i)[\w.-]{0,50}(?:endor(?:labs)?|secret)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(endr\+[A-Za-z0-9-]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === etsy-access-token ===
# Found an Etsy Access Token, potentially compromising Etsy shop management and customer data.
/(?i)[\w.-]{0,50}(?:(?-i:ETSY|[Ee]tsy))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === facebook-access-token ===
# Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/(?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === facebook-page-access-token ===
# Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/\b(EAA[MC](?i)[a-z0-9]{100,})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === facebook-secret ===
# Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/(?i)[\w.-]{0,50}(?:facebook)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === fastly-api-token ===
# Uncovered a Fastly API key, which may compromise CDN and edge cloud services, leading to content delivery and security issues.
/(?i)[\w.-]{0,50}(?:fastly)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === figma-personal-access-header-token ===
# Uncovered a Figma Personal Access Token in a header, which may compromise design assets and team collaboration.
/(?i)[\w.-]{0,50}(?:x-figma-token|xfigmatoken|x\_figma\_token)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9A-F]{4}-[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === figma-personal-access-token ===
# Uncovered a Figma Personal Access Token, which may compromise design assets and team collaboration.
/(?i)\b(figd\_[A-Z0-9_-]{38,42})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === finicity-api-token ===
# Detected a Finicity API token, potentially risking financial data access and unauthorized financial operations.
/(?i)[\w.-]{0,50}(?:finicity)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === finicity-client-secret ===
# Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches.
/(?i)[\w.-]{0,50}(?:finicity)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{20})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === finnhub-access-token ===
# Found a Finnhub Access Token, risking unauthorized access to financial market data and analytics.
/(?i)[\w.-]{0,50}(?:finnhub)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{20})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === flickr-access-token ===
# Discovered a Flickr Access Token, posing a risk of unauthorized photo management and potential data leakage.
/(?i)[\w.-]{0,50}(?:flickr)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === flutterwave-encryption-key ===
# Uncovered a Flutterwave Encryption Key, which may compromise payment processing and sensitive financial information.
/FLWSECK\_TEST-(?i)[a-h0-9]{12}/
# === flutterwave-public-key ===
# Detected a Finicity Public Key, potentially exposing public cryptographic operations and integrations.
/FLWPUBK\_TEST-(?i)[a-h0-9]{32}-X/
# === flutterwave-secret-key ===
# Identified a Flutterwave Secret Key, risking unauthorized financial transactions and data breaches.
/FLWSECK\_TEST-(?i)[a-h0-9]{32}-X/
# === flyio-access-token ===
# Uncovered a Fly.io API key
/\b(FlyV1\s[A-Za-z0-9=_\-,/+]{100,})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === frameio-api-token ===
# Found a Frame.io API token, potentially compromising video collaboration and project management.
/fio-u-(?i)[a-z0-9\-_=]{64}/
# === freemius-secret-key ===
# Detected a Freemius secret key, potentially exposing sensitive information.
# NOTE: upstream restricts this rule to files matching: (?i)\.php$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/(?i)["']secret\_key["']\s*=>\s*["'](sk\_[\S]{29})["']/
# === freshbooks-access-token ===
# Discovered a Freshbooks Access Token, posing a risk to accounting software access and sensitive financial data exposure.
/(?i)[\w.-]{0,50}(?:freshbooks)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === gcp-api-key ===
# Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
/\b(AIza[\w-]{35})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === gitea-access-token ===
# Detected a Gitea Access Token, which may expose self-hosted Git repositories and associated code to unauthorized access.
/(?i)[\w.-]{0,50}(?:gitea[_.-]?(?:token|key|secret|access))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === github-app-token ===
# Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.
/(?:ghu|ghs)\_[0-9a-zA-Z]{36}/
# === github-fine-grained-pat ===
# Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation.
/github\_pat\_\w{82}/
# === github-oauth ===
# Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks.
/gho\_[0-9a-zA-Z]{36}/
# === github-pat ===
# Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.
# RELAXATION: excluded documented placeholder `ghp_000000000000000000000000000000000000` via resharp intersection/complement.
/ghp\_[0-9a-zA-Z]{36}&~(ghp\_0{36})/
# === github-refresh-token ===
# Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services.
/ghr\_[0-9a-zA-Z]{36}/
# === gitlab-cicd-job-token ===
# Identified a GitLab CI/CD Job Token, potential access to projects and some APIs on behalf of a user while the CI job is running.
/glcbt-[0-9a-zA-Z]{1,5}\_[0-9a-zA-Z_-]{20}/
# === gitlab-deploy-token ===
# Identified a GitLab Deploy Token, risking access to repositories, packages and containers with write access.
/gldt-[0-9a-zA-Z_\-]{20}/
# === gitlab-feature-flag-client-token ===
# Identified a GitLab feature flag client token, risks exposing user lists and features flags used by an application.
/glffct-[0-9a-zA-Z_\-]{20}/
# === gitlab-feed-token ===
# Identified a GitLab feed token, risking exposure of user data.
/glft-[0-9a-zA-Z_\-]{20}/
# === gitlab-incoming-mail-token ===
# Identified a GitLab incoming mail token, risking manipulation of data sent by mail.
/glimt-[0-9a-zA-Z_\-]{25}/
# === gitlab-kubernetes-agent-token ===
# Identified a GitLab Kubernetes Agent token, risking access to repos and registry of projects connected via agent.
/glagent-[0-9a-zA-Z_\-]{50}/
# === gitlab-oauth-app-secret ===
# Identified a GitLab OIDC Application Secret, risking access to apps using GitLab as authentication provider.
/gloas-[0-9a-zA-Z_\-]{64}/
# === gitlab-pat ===
# Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure.
/glpat-[\w-]{20}/
# === gitlab-pat-routable ===
# Identified a GitLab Personal Access Token (routable), risking unauthorized access to GitLab repositories and codebase exposure.
/\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b/
# === gitlab-pat-routable-versioned ===
# Identified a GitLab Personal Access Token (routable, versioned), risking unauthorized access to GitLab repositories and codebase exposure.
/\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{9}\b/
# === gitlab-ptt ===
# Found a GitLab Pipeline Trigger Token, potentially compromising continuous integration workflows and project security.
/glptt-[0-9a-f]{40}/
# === gitlab-rrt ===
# Discovered a GitLab Runner Registration Token, posing a risk to CI/CD pipeline integrity and unauthorized access.
/GR1348941[\w-]{20}/
# === gitlab-runner-authentication-token ===
# Discovered a GitLab Runner Authentication Token, posing a risk to CI/CD pipeline integrity and unauthorized access.
/glrt-[0-9a-zA-Z_\-]{20}/
# === gitlab-runner-authentication-token-routable ===
# Discovered a GitLab Runner Authentication Token (Routable), posing a risk to CI/CD pipeline integrity and unauthorized access.
/\bglrt-t\d\_[0-9a-zA-Z_\-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b/
# === gitlab-scim-token ===
# Discovered a GitLab SCIM Token, posing a risk to unauthorized access for a organization or instance.
/glsoat-[0-9a-zA-Z_\-]{20}/
# === gitlab-session-cookie ===
# Discovered a GitLab Session Cookie, posing a risk to unauthorized access to a user account.
/\_gitlab\_session=[0-9a-z]{32}/
# === gitter-access-token ===
# Uncovered a Gitter Access Token, which may lead to unauthorized access to chat and communication services.
/(?i)[\w.-]{0,50}(?:gitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === gocardless-api-token ===
# Detected a GoCardless API token, potentially risking unauthorized direct debit payment operations and financial data exposure.
/(?i)[\w.-]{0,50}(?:gocardless)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(live\_(?i)[a-z0-9\-_=]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === grafana-api-key ===
# Identified a Grafana API key, which could compromise monitoring dashboards and sensitive data analytics.
/(?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,3})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === grafana-cloud-api-token ===
# Found a Grafana cloud API token, risking unauthorized access to cloud-based monitoring services and data exposure.
/(?i)\b(glc\_[A-Za-z0-9+/]{32,400}={0,3})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === grafana-service-account-token ===
# Discovered a Grafana service account token, posing a risk of compromised monitoring services and data integrity.
/(?i)\b(glsa\_[A-Za-z0-9]{32}\_[A-Fa-f0-9]{8})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === greptile-api-key ===
# Detected a Greptile API Key, which may expose AI-powered code search and analysis services to unauthorized access.
/(?i)[\w.-]{0,50}(?:greptile)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-zA-Z0-9+/]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === groq-api-key ===
# Identified a Groq API Key, which may expose high-speed AI inference services to unauthorized access.
/(?i)\b(gsk\_[A-Z0-9]{52})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === harness-api-key ===
# Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account.
/(?:pat|sat)\.[a-zA-Z0-9_-]{22}\.[0-9a-f]{24}\.[a-zA-Z0-9]{20}/
# === hashicorp-tf-api-token ===
# Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches.
/(?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}/
# === hashicorp-tf-password ===
# Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.
# NOTE: upstream restricts this rule to files matching: (?i)\.(?:tf|hcl)$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/(?i)[\w.-]{0,50}(?:administrator\_login\_password|password)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}("[a-z0-9=_\-]{8,20}")(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === heroku-api-key ===
# Detected a Heroku API Key, potentially compromising cloud application deployments and operational security.
/(?i)[\w.-]{0,50}(?:heroku)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === heroku-api-key-v2 ===
# Detected a Heroku API Key, potentially compromising cloud application deployments and operational security.
/\b((HRKU-AA[0-9a-zA-Z_-]{58}))(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === hubspot-api-key ===
# Found a HubSpot API Token, posing a risk to CRM data integrity and unauthorized marketing operations.
/(?i)[\w.-]{0,50}(?:hubspot)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === huggingface-access-token ===
# Discovered a Hugging Face Access token, which could lead to unauthorized access to AI models and sensitive data.
/\b(hf\_(?i:[a-z]{34}))(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === huggingface-organization-api-token ===
# Uncovered a Hugging Face Organization API token, potentially compromising AI organization accounts and associated data.
/\b(api\_org\_(?i:[a-z]{34}))(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === infracost-api-token ===
# Detected an Infracost API Token, risking unauthorized access to cloud cost estimation tools and financial data.
/\b(ico-[a-zA-Z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === intercom-api-key ===
# Identified an Intercom API Token, which could compromise customer communication channels and data privacy.
/(?i)[\w.-]{0,50}(?:intercom)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{60})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === intra42-client-secret ===
# Found a Intra42 client secret, which could lead to unauthorized access to the 42School API and sensitive data.
/\b(s-s4t2(?:ud|af)-(?i)[abcdef0123456789]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === jfrog-api-key ===
# Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines.
/(?i)[\w.-]{0,50}(?:jfrog|artifactory|bintray|xray)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{73})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === jfrog-identity-token ===
# Discovered a JFrog Identity Token, potentially compromising access to JFrog services and sensitive software artifacts.
/(?i)[\w.-]{0,50}(?:jfrog|artifactory|bintray|xray)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === jwt ===
# Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
/\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === jwt-base64 ===
# Detected a Base64-encoded JSON Web Token, posing a risk of exposing encoded authentication and data exchange information.
/\bZXlK(?:(?:aGJHY2lPaU)|(?:aGNIVWlPaU)|(?:aGNIWWlPaU)|(?:aGRXUWlPaU)|(?:aU5qUWlP)|(?:amNtbDBJanBi)|(?:amRIa2lPaU)|(?:bGNHc2lPbn)|(?:bGJtTWlPaU)|(?:cWEzVWlPaU)|(?:cWQyc2lPb)|(?:cGMzTWlPaU)|(?:cGRpSTZJ)|(?:cmFXUWlP)|(?:clpYbGZiM0J6SWpwY)|(?:cmRIa2lPaUp)|(?:dWIyNWpaU0k2)|(?:d01tTWlP)|(?:d01uTWlPaU)|(?:d2NIUWlPaU)|(?:emRXSWlPaU)|(?:emRuUWlP)|(?:MFlXY2lPaU)|(?:MGVYQWlPaUp)|(?:MWNtd2l)|(?:MWMyVWlPaUp)|(?:MlpYSWlPaU)|(?:MlpYSnphVzl1SWpv)|(?:NElqb2)|(?:NE5XTWlP)|(?:NE5YUWlPaU)|(?:NE5YUWpVekkxTmlJNkl)|(?:NE5YVWlPaU)|(?:NmFYQWlPaU))[a-zA-Z0-9\/\\_+\-\r\n]{40,}={0,2}/
# === kraken-access-token ===
# Identified a Kraken Access Token, potentially compromising cryptocurrency trading accounts and financial security.
/(?i)[\w.-]{0,50}(?:kraken)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9\/=_\+\-]{80,90})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === kucoin-access-token ===
# Found a Kucoin Access Token, risking unauthorized access to cryptocurrency exchange services and transactions.
/(?i)[\w.-]{0,50}(?:kucoin)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === kucoin-secret-key ===
# Discovered a Kucoin Secret Key, which could lead to compromised cryptocurrency operations and financial data breaches.
/(?i)[\w.-]{0,50}(?:kucoin)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === launchdarkly-access-token ===
# Uncovered a Launchdarkly Access Token, potentially compromising feature flag management and application functionality.
/(?i)[\w.-]{0,50}(?:launchdarkly)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === linear-api-key ===
# Detected a Linear API Token, posing a risk to project management tools and sensitive task data.
/lin\_api\_(?i)[a-z0-9]{40}/
# === linear-client-secret ===
# Identified a Linear Client Secret, which may compromise secure integrations and sensitive project management data.
/(?i)[\w.-]{0,50}(?:linear)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === linkedin-client-id ===
# Found a LinkedIn Client ID, risking unauthorized access to LinkedIn integrations and professional data exposure.
/(?i)[\w.-]{0,50}(?:linked[_-]?in)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{14})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === linkedin-client-secret ===
# Discovered a LinkedIn Client secret, potentially compromising LinkedIn application integrations and user data.
/(?i)[\w.-]{0,50}(?:linked[_-]?in)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === lob-api-key ===
# Uncovered a Lob API Key, which could lead to unauthorized access to mailing and address verification services.
/(?i)[\w.-]{0,50}(?:lob)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}((live|test)\_[a-f0-9]{35})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === lob-pub-api-key ===
# Detected a Lob Publishable API Key, posing a risk of exposing mail and print service integrations.
/(?i)[\w.-]{0,50}(?:lob)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}((test|live)\_pub\_[a-f0-9]{31})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === looker-client-id ===
# Found a Looker Client ID, risking unauthorized access to a Looker account and exposing sensitive data.
/(?i)[\w.-]{0,50}(?:looker)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{20})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === looker-client-secret ===
# Found a Looker Client Secret, risking unauthorized access to a Looker account and exposing sensitive data.
/(?i)[\w.-]{0,50}(?:looker)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mailchimp-api-key ===
# Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.
/(?i)[\w.-]{0,50}(?:MailchimpSDK.initialize|mailchimp)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32}-us\d\d)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mailgun-private-api-token ===
# Found a Mailgun private API token, risking unauthorized email service operations and data breaches.
/(?i)[\w.-]{0,50}(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(key-[a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mailgun-pub-key ===
# Discovered a Mailgun public validation key, which could expose email verification processes and associated data.
/(?i)[\w.-]{0,50}(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(pubkey-[a-f0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mailgun-signing-key ===
# Uncovered a Mailgun webhook signing key, potentially compromising email automation and data integrity.
/(?i)[\w.-]{0,50}(?:mailgun)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mapbox-api-token ===
# Detected a MapBox API token, posing a risk to geospatial services and sensitive location data exposure.
/(?i)[\w.-]{0,50}(?:mapbox)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mattermost-access-token ===
# Identified a Mattermost Access Token, which may compromise team communication channels and data privacy.
/(?i)[\w.-]{0,50}(?:mattermost)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{26})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === maxmind-license-key ===
# Discovered a potential MaxMind license key.
/\b([A-Za-z0-9]{6}\_[A-Za-z0-9]{29}\_mmk)(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === messagebird-api-token ===
# Found a MessageBird API token, risking unauthorized access to communication platforms and message data.
/(?i)[\w.-]{0,50}(?:message[_-]?bird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{25})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === messagebird-client-id ===
# Discovered a MessageBird client ID, potentially compromising API integrations and sensitive communication data.
/(?i)[\w.-]{0,50}(?:message[_-]?bird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === microsoft-teams-webhook ===
# Uncovered a Microsoft Teams Webhook, which could lead to unauthorized access to team collaboration tools and data leaks.
/https://[a-z0-9]+\.webhook\.office\.com/webhookb2/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}/IncomingWebhook/[a-z0-9]{32}/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}/
# === mistral-api-key ===
# Detected a Mistral AI API Key, which may expose AI language model services to unauthorized access.
/(?i)[\w.-]{0,50}(?:mistral)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([A-Z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mongodb-atlas-service-account-secret ===
# Detected a MongoDB Atlas service account client secret, which could allow unauthorized Atlas administration API access when paired with a service account client ID.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/\b(mdb\_sa\_sk\_[A-Za-z0-9_-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === mongodb-connection-string ===
# Detected a MongoDB connection string with embedded credentials, potentially exposing direct database access and sensitive application data.
# RELAXATION: dropped optional query-string tail (everything after `[/authdb]?`) and the trailing `\b` alternation arm.
/\b(mongodb(?:\+srv)?://(?:[!-9;-~]{3,50}):(?:[!-?A-~]{3,88})@(?:(?:[a-zA-Z0-9][\w.-]+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d{1,5})?(?:,(?:[a-zA-Z0-9][\w.-]+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d{1,5})?)*)/?(?:[\w-]+)?)(?:['"\s;\x60]|\\[nr]|$)/
# === netlify-access-token ===
# Detected a Netlify Access Token, potentially compromising web hosting services and site management.
/(?i)[\w.-]{0,50}(?:netlify)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{40,46})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === new-relic-browser-api-token ===
# Identified a New Relic ingest browser API token, risking unauthorized access to application performance data and analytics.
/(?i)[\w.-]{0,50}(?:new-relic|newrelic|new\_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRJS-[a-f0-9]{19})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === new-relic-insert-key ===
# Discovered a New Relic insight insert key, compromising data injection into the platform.
/(?i)[\w.-]{0,50}(?:new-relic|newrelic|new\_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRII-[a-z0-9-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === new-relic-user-api-id ===
# Found a New Relic user API ID, posing a risk to application monitoring services and data integrity.
/(?i)[\w.-]{0,50}(?:new-relic|newrelic|new\_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === new-relic-user-api-key ===
# Discovered a New Relic user API Key, which could lead to compromised application insights and performance monitoring.
/(?i)[\w.-]{0,50}(?:new-relic|newrelic|new\_relic)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(NRAK-[a-z0-9]{27})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === notion-api-token ===
# Notion API token
/\b(ntn\_[0-9]{11}[A-Za-z0-9]{32}[A-Za-z0-9]{3})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === npm-access-token ===
# Uncovered an npm access token, potentially compromising package management and code repository access.
/(?i)\b(npm\_[a-z0-9]{36})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === nuget-config-password ===
# Identified a password within a Nuget config file, potentially compromising package management access.
# NOTE: upstream restricts this rule to files matching: (?i)nuget\.config$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/(?i)<add key=\"(?:(?:ClearText)?Password)\"\s*value=\"(.{8,})\"\s*/>/
# === nvidia-api-key ===
# Detected an NVIDIA NIM API Key, which may expose AI inference and GPU cloud services to unauthorized access.
/(?i)\b(nvapi-[A-Z0-9_-]{60,70})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === nytimes-access-token ===
# Detected a Nytimes Access Token, risking unauthorized access to New York Times APIs and content services.
/(?i)[\w.-]{0,50}(?:nytimes|new-york-times,|newyorktimes)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9=_\-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === octopus-deploy-api-key ===
# Discovered a potential Octopus Deploy API key, risking application deployments and operational security.
/\b(API-[A-Z0-9]{26})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === okta-access-token ===
# Identified an Okta Access Token, which may compromise identity management services and user authentication data.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:(?-i:[Oo]kta|OKTA))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(00[\w=\-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === ollama-api-key ===
# Detected an Ollama API Key, which may expose local and hosted AI model serving to unauthorized access.
/(?i)[\w.-]{0,50}(?:ollama)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{32}\.[a-zA-Z0-9_-]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === openai-api-key ===
# Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
# RELAXATION: collapsed length cohort {20,58,74} to {20,74}, removed inner `\b`, dropped trailing `\b` (resharp rejects `\b` after a class containing both word and non-word chars), dropped trailing punctuation requirement.
/\bsk-(?:[a-zA-Z0-9]{20}|(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,74})T3BlbkFJ[A-Za-z0-9_-]{20,74}/
# === openrouter-api-key ===
# Detected an OpenRouter API Key, which may expose access to multiple AI models through the OpenRouter gateway.
/(?i)\b(sk-or-v1-[0-9a-f]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === openshift-user-token ===
# Found an OpenShift user token, potentially compromising an OpenShift/Kubernetes cluster.
/\b(sha256\~[\w-]{43})(?:[^\w-]|\z)/
# === ovh-application-secret ===
# OVHcloud Application Secret - component of authenticated OVH API requests, which could allow unauthorized access to OVHcloud infrastructure when combined with Application and Consumer keys.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/(?i)[\w.-]{0,50}(?:app(?:lication)?[_.-]{0,1}secret)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([A-Za-z0-9-]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === perplexity-api-key ===
# Detected a Perplexity API key, which could lead to unauthorized access to Perplexity AI services and data exposure.
# RELAXATION: dropped trailing `\b` alternation arm.
/\b(pplx-[a-zA-Z0-9]{48})(?:[\x60'"\s;]|\\[nr]|$)/
# === plaid-api-token ===
# Discovered a Plaid API Token, potentially compromising financial data aggregation and banking services.
/(?i)[\w.-]{0,50}(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === plaid-client-id ===
# Uncovered a Plaid Client ID, which could lead to unauthorized financial service integrations and data breaches.
/(?i)[\w.-]{0,50}(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === plaid-secret-key ===
# Detected a Plaid Secret key, risking unauthorized access to financial accounts and sensitive transaction data.
/(?i)[\w.-]{0,50}(?:plaid)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === planetscale-api-token ===
# Identified a PlanetScale API token, potentially compromising database management and operations.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/\b(pscale\_tkn\_(?i)[\w=\.-]{32,64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === planetscale-oauth-token ===
# Found a PlanetScale OAuth token, posing a risk to database access control and sensitive data integrity.
/\b(pscale\_oauth\_[\w=\.-]{32,64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === planetscale-password ===
# Discovered a PlanetScale password, which could lead to unauthorized database operations and data breaches.
/(?i)\b(pscale\_pw\_(?i)[\w=\.-]{32,64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === polymarket-api-key ===
# Identified a Polymarket API key, potentially compromising access to the Polymarket trading platform.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:poly.{0,20}key)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === polymarket-private-key ===
# Discovered a Polymarket private key, which could allow unauthorized trading and fund transfers.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:poly.{0,20}private.{0,20}key)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(0x[a-fA-F0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === posthog-personal-api-key ===
# Detected a PostHog Personal API Key, which may expose administrative access to PostHog analytics projects.
/(?i)\b(phx\_[a-zA-Z0-9_\-]{47})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === posthog-project-api-key ===
# Detected a PostHog Project API Key, which may expose product analytics data and event tracking to unauthorized access.
/(?i)\b(phc\_[a-zA-Z0-9_\-]{43})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === postman-api-token ===
# Uncovered a Postman API token, potentially compromising API testing and development workflows.
/\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === prefect-api-token ===
# Detected a Prefect API token, risking unauthorized access to workflow management and automation services.
/\b(pnu\_[a-zA-Z0-9]{36})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === private-key ===
# Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
/(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]{64,}KEY(?: BLOCK)?-----/
# === privateai-api-token ===
# Identified a PrivateAI Token, posing a risk of unauthorized access to AI services and data manipulation.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:private[_-]?ai)(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === pulumi-api-token ===
# Found a Pulumi API token, posing a risk to infrastructure as code services and cloud resource management.
/\b(pul-[a-f0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === pypi-upload-token ===
# Discovered a PyPI upload token, potentially compromising Python package distribution and repository integrity.
/pypi-AgEIcHlwaS5vcmc[\w-]{50,1000}/
# === rapidapi-access-token ===
# Uncovered a RapidAPI Access Token, which could lead to unauthorized access to various APIs and data services.
/(?i)[\w.-]{0,50}(?:rapidapi)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9_-]{50})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === readme-api-token ===
# Detected a Readme API token, risking unauthorized documentation management and content exposure.
/\b(rdme\_[a-z0-9]{70})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === replicate-api-token ===
# Detected a Replicate API Token, which may expose AI model hosting and inference services to unauthorized access.
/(?i)\b(r8\_[A-Za-z0-9]{37})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === rubygems-api-token ===
# Identified a Rubygem API token, potentially compromising Ruby library distribution and package management.
/\b(rubygems\_[a-f0-9]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === scalingo-api-token ===
# Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.
/\b(tk-us-[\w-]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sendbird-access-id ===
# Discovered a Sendbird Access ID, which could compromise chat and messaging platform integrations.
/(?i)[\w.-]{0,50}(?:sendbird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sendbird-access-token ===
# Uncovered a Sendbird Access Token, potentially risking unauthorized access to communication services and user data.
/(?i)[\w.-]{0,50}(?:sendbird)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sendgrid-api-token ===
# Detected a SendGrid API token, posing a risk of unauthorized email service operations and data exposure.
/\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sendinblue-api-token ===
# Identified a Sendinblue API token, which may compromise email marketing services and subscriber data privacy.
/\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sentry-access-token ===
# Found a Sentry.io Access Token (old format), risking unauthorized access to error tracking services and sensitive application data.
/(?i)[\w.-]{0,50}(?:sentry)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sentry-org-token ===
# Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data.
/\bsntrys\_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}\_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|\z)/
# === sentry-user-token ===
# Found a Sentry.io User Token, risking unauthorized access to error tracking services and sensitive application data.
/\b(sntryu\_[a-f0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === settlemint-application-access-token ===
# Found a Settlemint Application Access Token.
/\b(sm\_aat\_[a-zA-Z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === settlemint-personal-access-token ===
# Found a Settlemint Personal Access Token.
/\b(sm\_pat\_[a-zA-Z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === settlemint-service-access-token ===
# Found a Settlemint Service Access Token.
/\b(sm\_sat\_[a-zA-Z0-9]{16})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === shippo-api-token ===
# Discovered a Shippo API token, potentially compromising shipping services and customer order data.
/\b(shippo\_(?:live|test)\_[a-fA-F0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === shopify-access-token ===
# Uncovered a Shopify access token, which could lead to unauthorized e-commerce platform access and data breaches.
/shpat\_[a-fA-F0-9]{32}/
# === shopify-custom-access-token ===
# Detected a Shopify custom access token, potentially compromising custom app integrations and e-commerce data security.
/shpca\_[a-fA-F0-9]{32}/
# === shopify-private-app-access-token ===
# Identified a Shopify private app access token, risking unauthorized access to private app data and store operations.
/shppa\_[a-fA-F0-9]{32}/
# === shopify-shared-secret ===
# Found a Shopify shared secret, posing a risk to application authentication and e-commerce platform security.
/shpss\_[a-fA-F0-9]{32}/
# === sidekiq-secret ===
# Discovered a Sidekiq Secret, which could lead to compromised background job processing and application data breaches.
/(?i)[\w.-]{0,50}(?:BUNDLE\_ENTERPRISE\_\_CONTRIBSYS\_\_COM|BUNDLE\_GEMS\_\_CONTRIBSYS\_\_COM)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sidekiq-sensitive-url ===
# Uncovered a Sidekiq Sensitive URL, potentially exposing internal job queues and sensitive operation details.
/(?i)\bhttps?://([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)/
# === slack-app-token ===
# Detected a Slack App-level token, risking unauthorized access to Slack applications and workspace data.
/(?i)xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+/
# === slack-bot-token ===
# Identified a Slack Bot token, which may compromise bot integrations and communication channel security.
/xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*/
# === slack-config-access-token ===
# Found a Slack Configuration access token, posing a risk to workspace configuration and sensitive data access.
/(?i)xoxe.xox[bp]-\d-[A-Z0-9]{163,166}/
# === slack-config-refresh-token ===
# Discovered a Slack Configuration refresh token, potentially allowing prolonged unauthorized access to configuration settings.
/(?i)xoxe-\d-[A-Z0-9]{146}/
# === slack-legacy-bot-token ===
# Uncovered a Slack Legacy bot token, which could lead to compromised legacy bot operations and data exposure.
/xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26}/
# === slack-legacy-token ===
# Detected a Slack Legacy token, risking unauthorized access to older Slack integrations and user data.
/xox[os]-\d+-\d+-\d+-[a-fA-F\d]+/
# === slack-legacy-workspace-token ===
# Identified a Slack Legacy Workspace token, potentially compromising access to workspace data and legacy features.
/xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48}/
# === slack-session-cookie ===
# Detected a Slack session cookie (xoxd-), which authenticates browser and desktop sessions across all of a user's workspaces.
/(xoxd-[\w\/\\+-]{100,}={0,2})(?:[^\w\/+=-]|\z)/
# === slack-session-token ===
# Detected a Slack client session token (xoxc-), which provides full user-level API access when paired with a session cookie.
/xoxc-\d{9,15}-\d{9,15}-\d{9,15}-[a-f0-9]{64}\b/
# === slack-user-token ===
# Found a Slack User token, posing a risk of unauthorized user impersonation and data access within Slack workspaces.
/xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}/
# === slack-webhook-url ===
# Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels.
/(?:https?://)?hooks.slack.com/(?:services|workflows|triggers)/[A-Za-z0-9+/]{43,56}/
# === snyk-api-token ===
# Uncovered a Snyk API token, potentially compromising software vulnerability scanning and code security.
/(?i)[\w.-]{0,50}(?:snyk[_.-]?(?:(?:api|oauth)[_.-]?)?(?:key|token))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sonar-api-token ===
# Uncovered a Sonar API token, potentially compromising software vulnerability scanning and code security.
# NOTE: upstream extracts capture group 2 as the secret for redaction.
# Forbidden-strings reports the full match span; the narrowing is lost.
/(?i)[\w.-]{0,50}(?:sonar[_.-]?(login|token))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}((?:squ\_|sqp\_|sqa\_)?[a-z0-9=_\-]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sourcegraph-access-token ===
# Sourcegraph is a code search and navigation engine.
# RELAXATION: removed redundant outer `\b(\b...\b)` wrapping AND dropped the bare `[a-fA-F0-9]{40}` arm. The bare-hex arm fires on any 40-char hex string -- e.g. GitHub Actions SHA pins (`uses: x/y@<sha>`) -- which is unacceptable false-positive density. Only `sgp_`-prefixed forms remain.
/(?i)\b(sgp\_(?:[a-fA-F0-9]{16}|local)\_[a-fA-F0-9]{40}|sgp\_[a-fA-F0-9]{40})\b(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === square-access-token ===
# Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
/\b((?:EAAA|sq0atp-)[\w-]{22,60})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === squarespace-access-token ===
# Identified a Squarespace Access Token, which may compromise website management and content control on Squarespace.
/(?i)[\w.-]{0,50}(?:squarespace)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === stability-ai-api-key ===
# Detected a Stability AI API Key, which may expose AI image generation services to unauthorized access.
/(?i)[\w.-]{0,50}(?:stability)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(sk-[A-Za-z0-9]{48})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === stripe-access-token ===
# Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
/\b((?:sk|rk)\_(?:test|live|prod)\_[a-zA-Z0-9]{10,99})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sumologic-access-id ===
# Discovered a SumoLogic Access ID, potentially compromising log management services and data analytics integrity.
/[\w.-]{0,50}(?i:[\w.-]{0,50}(?:(?-i:[Ss]umo|SUMO))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(su[a-zA-Z0-9]{12})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === sumologic-access-token ===
# Uncovered a SumoLogic Access Token, which could lead to unauthorized access to log data and analytics insights.
/(?i)[\w.-]{0,50}(?:(?-i:[Ss]umo|SUMO))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{64})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === telegram-bot-api-token ===
# Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.
/(?i)[\w.-]{0,50}(?:telegr)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{5,16}:(?-i:A)[a-z0-9_\-]{34})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === togetherai-api-key ===
# Detected a Together.ai API Key, which may expose access to open-source AI models and inference services.
/(?i)\b(tgp\_v1\_[A-Za-z0-9_-]{43})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === travisci-access-token ===
# Identified a Travis CI Access Token, potentially compromising continuous integration services and codebase security.
/(?i)[\w.-]{0,50}(?:travis)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{22})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twilio-api-key ===
# Found a Twilio API Key, posing a risk to communication services and sensitive customer interaction data.
/SK[0-9a-fA-F]{32}/
# === twitch-api-token ===
# Discovered a Twitch API token, which could compromise streaming services and account integrations.
/(?i)[\w.-]{0,50}(?:twitch)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{30})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twitter-access-secret ===
# Uncovered a Twitter Access Secret, potentially risking unauthorized Twitter integrations and data breaches.
/(?i)[\w.-]{0,50}(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{45})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twitter-access-token ===
# Detected a Twitter Access Token, posing a risk of unauthorized account operations and social media data exposure.
/(?i)[\w.-]{0,50}(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twitter-api-key ===
# Identified a Twitter API Key, which may compromise Twitter application integrations and user data security.
/(?i)[\w.-]{0,50}(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{25})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twitter-api-secret ===
# Found a Twitter API Secret, risking the security of Twitter app integrations and sensitive data access.
/(?i)[\w.-]{0,50}(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{50})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === twitter-bearer-token ===
# Discovered a Twitter Bearer Token, potentially compromising API access and data retrieval from Twitter.
/(?i)[\w.-]{0,50}(?:twitter)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === typeform-api-token ===
# Uncovered a Typeform API token, which could lead to unauthorized survey management and data collection.
/(?i)[\w.-]{0,50}(?:typeform)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(tfp\_[a-z0-9\-_\.=]{59})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vault-batch-token ===
# Detected a Vault Batch Token, risking unauthorized access to secret management services and sensitive data.
/\b(hvb\.[\w-]{138,300})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vault-service-token ===
# Identified a Vault Service Token, potentially compromising infrastructure security and access to sensitive credentials.
/\b((?:hvs\.[\w-]{90,120}|s\.(?i:[a-z0-9]{24})))(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-ai-gateway-key ===
# Detected a Vercel AI Gateway API Key (vck_), which may expose AI model routing and gateway access to unauthorized parties.
/(?i)\b(vck\_[A-Za-z0-9_-]{56})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-api-token ===
# Detected a Vercel API Token, which may expose deployment and serverless infrastructure to unauthorized access.
/(?i)[\w.-]{0,50}(?:vercel)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([A-Z0-9]{24})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-app-access-token ===
# Detected a Vercel App Access Token (vca_), which may allow Sign in with Vercel apps to access user resources.
/(?i)\b(vca\_[A-Za-z0-9_-]{56})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-app-refresh-token ===
# Detected a Vercel App Refresh Token (vcr_), which may allow persistent unauthorized access through token refresh flows.
/(?i)\b(vcr\_[A-Za-z0-9_-]{56})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-integration-token ===
# Detected a Vercel Integration Token (vci_), which may allow third-party service integrations to act on behalf of users.
/(?i)\b(vci\_[A-Za-z0-9_-]{56})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === vercel-personal-access-token ===
# Detected a Vercel Personal Access Token (vcp_), which may expose full account and deployment management capabilities.
/(?i)\b(vcp\_[A-Za-z0-9_-]{56})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === weights-and-biases-api-key ===
# Detected a Weights & Biases API Key, which may expose ML experiment tracking and model registry access to unauthorized parties.
/(?i)[\w.-]{0,50}(?:wandb|weightsandbiases)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-f0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === weights-and-biases-api-key-v1 ===
# Detected a Weights & Biases v1 API Key (wandb_v1_), which may expose ML experiment tracking and artifact storage to unauthorized access.
/(?i)\b(wandb\_v1\_[A-Za-z0-9_]{77})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === xai-api-key ===
# Detected an xAI (Grok) API Key, which may expose Grok AI model access to unauthorized parties.
/(?i)\b(xai-[A-Za-z0-9_-]{70,120})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === yandex-access-token ===
# Found a Yandex Access Token, posing a risk to Yandex service integrations and user data privacy.
/(?i)[\w.-]{0,50}(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === yandex-api-key ===
# Discovered a Yandex API Key, which could lead to unauthorized access to Yandex services and data manipulation.
/(?i)[\w.-]{0,50}(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === yandex-aws-access-token ===
# Uncovered a Yandex AWS Access Token, potentially compromising cloud resource access and data security on Yandex Cloud.
/(?i)[\w.-]{0,50}(?:yandex)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(YC[a-zA-Z0-9_\-]{38})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === zendesk-secret-key ===
# Detected a Zendesk Secret Key, risking unauthorized access to customer support services and sensitive ticketing data.
/(?i)[\w.-]{0,50}(?:zendesk)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{40})(?:\\?['"\x60]|[\s;]|\\[nr]|$)/
# === resharp set-algebra demonstrations (engine-specific) ===
#
# Resharp extends standard regex with two top-level set operators that
# pure-PCRE engines lack:
# - A&B intersection: matches strings matched by both A and B
# - ~(A) complement: matches strings that do NOT match A
# Combined, these express "match X but not Y" without lookaround. PCRE
# engines (gitleaks, trufflehog, secretlint, plain RE2) cannot do this;
# the workaround is per-rule allowlists, which scale badly.
# Reads as: "match any 6-digit BUILD_ tag, EXCEPT the all-zeros placeholder."
/BUILD_[0-9]{6}&~(BUILD_000000)/
# Intersection composed with two complements: ban any 32-char hex hash
# under `RELEASE_TAG_`, except the documented placeholders.
# The complements inline their quantifier bodies: `0{32}` is a
# quantified literal (not a quantified group), and the deadbeef
# placeholder is written as 16 concatenated unquantified
# `(de|ad|be|ef)` groups (32 chars total). Either form avoids
# resharp Bug E (intersection co-occurring with a `)`-quantifier
# hangs `calc_prefix_sets_inner`; see doc/troubleshooting/resharp.md
# Bug E) and is enforced by the
# `complement_intersection_quantified_group` pre-validator.
/RELEASE_TAG_[a-f0-9]{32}&~(RELEASE_TAG_0{32})&~(RELEASE_TAG_(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef)(de|ad|be|ef))/