Built-in pattern catalogue per ADR-023 §3.6.
Thirty hard-coded patterns covering the long tail of provider
tokens, private keys, JWTs, and connection strings. Each pattern
implements SecretPattern through the shared Builtin
adapter struct so the catalogue stays declarative — adding a
pattern is one entry in BUILTINS.
Patterns expose:
- Mandatory — id, display_name, format_regex, severity.
- Metadata (optional) — for patterns with a known retrieval URL (github-pat → GitHub settings page, openai-key → OpenAI platform). Patterns whose value shape we recognise but which have no central retrieval URL (jwt, private-key-*, postgres-url) omit the metadata layer.
- Rotation / liveness — left to a follow-up phase (P2.4 and P9.x respectively); each entry’s slot is None here.
Structs§
- Builtin
- Adapter struct that turns a static data row into a SecretPattern implementation. Each BUILTINS entry is a Builtin; the regex compiles lazily on first access via OnceLock so process startup pays nothing for patterns that are never consulted.
Statics§
- BUILTINS
- The 30-pattern catalogue. Order is purely cosmetic.
Functions§
- builtins
- Iterate over every built-in pattern as &dyn SecretPattern.
- find
- Look up a built-in by its SecretPattern::id.
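A std-only sketch of the adapter design described above (static rows, lazy compilation through OnceLock, lookup by id), added here as an illustration and not taken from the crate's source. Assumptions: the trait is reduced to two methods with hypothetical signatures, a prefix-and-length matcher stands in for the compiled regex, and the two rows use simplified, constructed shapes.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;

/// Stand-in for a compiled regex (assumption): prefix plus minimum length.
pub struct Compiled { prefix: &'static str, min_len: usize }
impl Compiled {
    pub fn is_match(&self, s: &str) -> bool {
        s.starts_with(self.prefix) && s.len() >= self.min_len
    }
}

/// Counts how many matchers were actually built, so laziness is observable.
pub static COMPILES: AtomicUsize = AtomicUsize::new(0);
/// Hypothetical, reduced trait; the real signatures are not shown on the page.
pub trait SecretPattern {
    fn id(&self) -> &'static str;
    fn matcher(&self) -> &Compiled;
}
/// One static data row plus a cell that is filled on first use.
pub struct Builtin { id: &'static str, prefix: &'static str, min_len: usize, cell: OnceLock<Compiled> }
impl Builtin {
    const fn new(id: &'static str, prefix: &'static str, min_len: usize) -> Self {
        Builtin { id, prefix, min_len, cell: OnceLock::new() }
    }
}
impl SecretPattern for Builtin {
    fn id(&self) -> &'static str { self.id }
    /// get_or_init runs the closure at most once, even across threads.
    fn matcher(&self) -> &Compiled {
        self.cell.get_or_init(|| {
            COMPILES.fetch_add(1, Ordering::SeqCst);
            Compiled { prefix: self.prefix, min_len: self.min_len }
        })
    }
}

/// Adding a pattern is one more row here (shapes are simplified and constructed).
pub static BUILTINS: [Builtin; 2] = [
    Builtin::new("github-pat", "ghp_", 40),
    Builtin::new("openai-key", "sk-", 20),
];
pub fn find(id: &str) -> Option<&'static dyn SecretPattern> {
    BUILTINS.iter().find(|b| b.id == id).map(|b| b as &dyn SecretPattern)
}

fn main() {
    let sample = format!("ghp_{}", "A".repeat(36)); // constructed, not a real token
    let hit = find("github-pat").map(|p| p.matcher().is_match(&sample));
    println!("match={:?} compiles={}", hit, COMPILES.load(Ordering::SeqCst));
}
```

Looking a pattern up does not build its matcher; only the first call to matcher() does, and rows that are never consulted stay uncompiled.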