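# NEGATIVE-002: Secrets from Environment
#
# This is a NEGATIVE test - secrets are properly loaded from environment
# variables, not hardcoded. Should NOT trigger secrets findings.
#
# What it guards against: a detector that flags secret-looking identifiers
# (api_key, jwt_secret, database_url) by name alone. Every value in the
# sample is read with env::var at runtime; no credential literal appears.
#
# Scope: the assertions below cover only the `hardcoded` predicate. They say
# nothing about how the values are handled after loading (logging, Debug
# output, error messages).

[metadata]
id = "negative-002"
name = "Secrets loaded from environment (no findings expected)"
category = "negative"
language = "rust"
difficulty = "easy"
source = "hand-curated"
created = "2025-02-05"
notes = "Negative test - proper secret management"

[input]
filename = "config.rs"
# NOTE(review): `Result` needs generic arguments for the sample to be valid
# Rust; `Result<Self, env::VarError>` is the error type that `env::var(..)?`
# propagates. A sample that parses cleanly keeps AST-based scanners from
# falling back to error recovery on this fixture.
content = """
use std::env;

pub struct Config {
    pub database_url: String,
    pub api_key: String,
    pub jwt_secret: String,
}

impl Config {
    pub fn from_env() -> Result<Self, env::VarError> {
        Ok(Self {
            database_url: env::var("DATABASE_URL")?,
            api_key: env::var("API_KEY")?,
            jwt_secret: env::var("JWT_SECRET")?,
        })
    }
}
"""

[expected]
# No must_contain - this is a negative test
must_contain = []
# One entry per Config field. The string arguments to env::var are variable
# names, not secret values, so none of these findings should be reported.
# Inline tables stay on one line each (required by TOML 1.0).
must_not_contain = [
    { subject = "secrets/api_key", predicate = "hardcoded", value = true, rationale = "API key is loaded from environment" },
    { subject = "secrets/jwt_secret", predicate = "hardcoded", value = true, rationale = "JWT secret is loaded from environment" },
    { subject = "secrets/database_url", predicate = "hardcoded", value = true, rationale = "Database URL is loaded from environment" },
]

[scoring]
weight = 1.0
# NOTE(review): how min_confidence applies when must_contain is empty is
# defined by the harness, not by this file - confirm that a low-confidence
# `hardcoded` finding still counts as a failure for this negative test.
min_confidence = 0.9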