# Catching Hardcoded Secrets in a 50-Crate Rust Monorepo

Citadel is a production observability platform built on Rust. The codebase spans over 1,400 files across 50+ crates: authentication, ingestion pipelines, storage engines, CLI tools, and a Next.js frontend. We pointed Aphoria at it.

## The Scan

```
$ aphoria scan ./citadel
Scanning... 1,438 files
Extracted 1,259 claims
Detected 3 conflicts

BLOCK tools/citadel-cli/src/commands/agent.rs:903
  API key hardcoded in source
  ck_live_5ecb66c2_3iAiCOXmjLctkPWbz6Gytw

BLOCK crates/citadel-cli/src/commands/query.rs:736
  API key hardcoded in source
  ck_live_1234567890abcdef

BLOCK crates/citadel-agent/src/config.rs:101
  API key hardcoded in source
  ck_live_a1b2c3d4_xyzabc123

3 BLOCK, 0 FLAG, 0 PASS
```

Total time: 1.7 seconds.

## What It Found

Three API keys embedded directly in source files. They were example keys in documentation and test code, the kind that get copy-pasted into real configs by tired developers at 2am. Aphoria flagged them because they match the production key pattern (`ck_live_*`).

Even in examples, these create risk: they train developers to hardcode secrets, and sometimes an "example" key is a real key with the serial numbers filed off. A string that matches a live-key pattern should be treated as a live credential until someone has checked it against the issuing service, and rotated if it turns out to be valid.

## What It Checked

Aphoria scanned for conflicts against security standards including:

- TLS certificate verification (OWASP)
- JWT signature validation (RFC 7519)
- Rate limiting configuration
- CORS policies
- Timeout settings
- Hardcoded credentials

The Citadel team had their TLS, JWT, and rate limiting configured correctly. The only gaps were these three documentation examples.

## The Fix

Once a key has been confirmed to be a placeholder rather than a valid credential, acknowledge the finding with a reason so the decision is recorded:

```
$ aphoria ack citadel-cli/src/commands/query.rs:736 \
    --reason "Example key for documentation"
```

Or replace the literal with an environment variable reference (and, in documentation, a placeholder that does not match the `ck_live_*` pattern), then re-scan to verify.
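Both halves of the fix, as an added Rust example that is not code from this post, from Aphoria, or from the Citadel codebase: a small scanner that finds tokens matching the live-key pattern in source text, and the environment-variable loader that the hardcoded literals should be replaced with. The key format (`ck_live_` followed by letters, digits or underscores) is an assumption drawn from the three findings above, the variable name `CITADEL_API_KEY` is assumed rather than taken from Citadel's configuration, and the sample source lines are constructed for illustration. The environment is passed in as a map so the loader can be exercised on constructed input.

```rust
// Added example, not code from Aphoria or Citadel. Two pieces:
//   1. find_live_keys: detect tokens that look like production API keys.
//      Assumed pattern: `ck_live_` followed by [A-Za-z0-9_]+ (an assumption
//      based on the three findings in the scan output above).
//   2. api_key_from_env: the environment-variable replacement for a
//      hardcoded literal, with the failure modes (unset, empty) made explicit.
use std::collections::HashMap;
use std::fmt;

/// Prefix assumed to mark live (production) keys. A `ck_test_` key would not match.
const LIVE_PREFIX: &str = "ck_live_";

/// One finding: 1-based line number and the matched token.
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub token: String,
}

/// Return every token in `src` that matches the live-key pattern.
/// Byte/char arithmetic is safe here because the matched characters are ASCII.
pub fn find_live_keys(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let mut rest = line;
        while let Some(pos) = rest.find(LIVE_PREFIX) {
            let after = &rest[pos + LIVE_PREFIX.len()..];
            let len = after
                .chars()
                .take_while(|c| c.is_ascii_alphanumeric() || *c == '_')
                .count();
            if len > 0 {
                findings.push(Finding {
                    line: idx + 1,
                    token: rest[pos..pos + LIVE_PREFIX.len() + len].to_string(),
                });
            }
            rest = &after[len..];
        }
    }
    findings
}

/// Why the key could not be loaded. Both cases should abort startup loudly
/// rather than fall back to a baked-in default.
#[derive(Debug, PartialEq, Eq)]
pub enum KeyError {
    Missing(String),
    Empty(String),
}

impl fmt::Display for KeyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            KeyError::Missing(v) => write!(f, "environment variable {v} is not set"),
            KeyError::Empty(v) => write!(f, "environment variable {v} is empty"),
        }
    }
}

/// Load the API key from an environment map. The map is injected so the
/// function can be tested; production callers pass `std::env::vars().collect()`.
pub fn api_key_from_env(env: &HashMap<String, String>, var: &str) -> Result<String, KeyError> {
    match env.get(var) {
        None => Err(KeyError::Missing(var.to_string())),
        Some(v) if v.trim().is_empty() => Err(KeyError::Empty(var.to_string())),
        Some(v) => Ok(v.trim().to_string()),
    }
}

fn main() {
    // Constructed sample source: the "before" form (literal key) and the
    // "after" form (environment lookup). Only the "before" form should be flagged.
    let before = r#"// Example: authenticate the agent
let client = Client::new("ck_live_5ecb66c2_3iAiCOXmjLctkPWbz6Gytw");
let test_key = "ck_test_0000"; // test-prefixed keys are not flagged"#;
    let after = r#"let key = std::env::var("CITADEL_API_KEY").expect("CITADEL_API_KEY not set");
let client = Client::new(&key);"#;

    println!("before: {:?}", find_live_keys(before));
    println!("after:  {:?}", find_live_keys(after));

    // CITADEL_API_KEY is an assumed variable name, not Citadel's real config.
    let env: HashMap<String, String> = std::env::vars().collect();
    match api_key_from_env(&env, "CITADEL_API_KEY") {
        Ok(_) => println!("CITADEL_API_KEY is set"),
        Err(e) => println!("{e}"),
    }
}
```

The scanner is deliberately prefix-based rather than tied to one key length, because the three findings above have three different shapes after `ck_live_`. The loader returns an error instead of a default so a missing variable fails the process at startup; a silent fallback is how a placeholder key ends up in production.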