# Prismor Warden cloaking — built-in secret detection patterns.
#
# One POSIX ERE per line (the form accepted by `grep -oE`). Blank lines and
# lines beginning with `#` are ignored. This file is the SINGLE SOURCE OF
# TRUTH for the patterns used by every cloaking component:
#
#   * hooks/_patterns.sh   (bash loader, sourced by the PreToolUse/UserPrompt hooks)
#   * patterns.py          (Python loader, used by `warden cloak pattern …`)
#
# Patterns are conservative and known-prefix only: they target credential
# formats with a recognizable, high-entropy shape so that benign prose does
# not trip them. Add org-specific patterns through your user config file
# (`warden cloak pattern add '<regex>'`) rather than editing this file.
#
# Order matters: longest / most-specific first, so a partial match does not
# fire for the wrong pattern.

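# Stripe: live and test secret keys, live restricted keys
sk_live_[0-9a-zA-Z]{16,}
sk_test_[0-9a-zA-Z]{16,}
rk_live_[0-9a-zA-Z]{16,}
# GitHub: fine-grained PAT first (longest prefix), then classic PAT, OAuth,
# server-to-server and user-to-server tokens
github_pat_[0-9a-zA-Z_]{20,}
ghp_[0-9a-zA-Z]{36}
gho_[0-9a-zA-Z]{36}
ghs_[0-9a-zA-Z]{36}
ghu_[0-9a-zA-Z]{36}
# AWS access key IDs: long-term (AKIA) and temporary STS (ASIA). These match
# the key ID only; the paired secret access key has no fixed prefix.
AKIA[0-9A-Z]{16}
ASIA[0-9A-Z]{16}
# Google API keys
AIza[0-9A-Za-z_-]{35}
# Slack tokens
xox[bpoar]-[0-9]+-[0-9]+-[0-9a-zA-Z]{24,}
# GitLab personal access tokens
glpat-[0-9a-zA-Z_-]{20,}
# JSON Web Tokens: three dot-separated base64url segments, where header and
# payload both start with `eyJ` (the encoding of `{"`)
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+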
