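# SECRETS-001: Hardcoded API Key
#
# API key hardcoded directly in source code instead of using environment
# variables or secret management.
#
# The fixture key is shaped like a Stripe live secret key: the prefix is
# "sk_live_" with underscores, followed by alphanumerics. Do not write the
# prefix with hyphens ("sk-live-"): Stripe never issues keys in that form,
# pattern-based detectors (gitleaks, detect-secrets, push protection) do not
# match it, and the is_stripe_key expectation below would then penalise a
# scanner that is actually correct. The value is synthetic and is not a
# working credential. If this corpus is itself secret-scanned, allowlist
# this file rather than weakening the fixture.

[metadata]
id = "secrets-001"
name = "Hardcoded API key in source"
category = "secrets"
language = "python"
difficulty = "easy"
source = "hand-curated"
created = "2025-02-05"
notes = "Common credential exposure pattern"

[input]
filename = "config.py"
# DATABASE_URL carries no username or password, so it is not itself a secret;
# DEBUG = True is a genuine but secondary signal (see acceptable_variants).
content = """
# Application configuration
DATABASE_URL = "postgresql://localhost/mydb"
API_KEY = "sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
DEBUG = True

def get_api_key():
    return API_KEY
"""

[expected]
# Every entry here must be produced for the case to score at full weight.
must_contain = [
    { subject = "secrets/api_key", predicate = "hardcoded", value = true, rationale = "API_KEY is directly assigned a string literal" },
    { subject = "secrets/api_key", predicate = "is_stripe_key", value = true, rationale = "Value starts with sk_live_, the Stripe live secret-key prefix" },
]
# Producing any of these is a false claim about the input and is penalised.
must_not_contain = [
    { subject = "secrets/api_key", predicate = "from_env", value = true, rationale = "Key is not loaded from environment" },
]

# Valid findings that LLM may extract but are not required
acceptable_variants = [
    { subject = "auth/bypass", predicate = "debug_mode", value = true, rationale = "DEBUG = True is a real but secondary misconfiguration finding; the primary finding is the hardcoded key" },
]

[scoring]
weight = 1.0
# Findings reported below this confidence are not counted toward must_contain.
min_confidence = 0.9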