jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e73bf3c4b7
stemedb/applications/aphoria/tests/llm_fixtures/secrets/secrets-001-hardcoded-api-key.toml
jordan 157dbbb9eb feat: Complete Aphoria Phase 8-9 + UAT suite (90/90 tests passing) 
## Phase 8: Enterprise Extractor Improvements 
- 14 security extractors (TLS, JWT, SQL injection, XSS, etc.)
- 10 framework-specific extractors (Spring, Django, Rails, etc.)
- Config file security detection (YAML, TOML)

## Phase 9: Autonomous Extractor Generation 
- Shadow mode executor with TP/FP tracking
- Graduation pipeline with confidence thresholds
- Auto-rollback on regression detection
- Cross-project pattern syncing

## UAT Suite Complete (14 scripts, 90 tests)
- test-core-detection.sh (6 tests)
- test-declarative-extractors.sh (5 tests)
- test-domain-frameworks.sh (5 tests)
- test-domain-unreal.sh (3 tests)
- test-llm-extraction.sh (6 tests)
- test-eval-harness.sh (5 tests)
- test-cross-language.sh (3 tests)
- test-precommit-performance.sh (4 tests)
- test-output-formats.sh (8 tests)
- test-drift-detection.sh (6 tests)
- test-exit-codes.sh (12 tests)
+ 3 more scripts

## Other Changes
- Updated roadmap to mark Phase 8-9 complete
- Added .gitignore entries for build artifacts
- Updated pre-commit: 800 line limit, exclude tests/data/cmd

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 22:50:55 -07:00

47 lines
1.3 KiB
TOML
Raw Blame History

# SECRETS-001: Hardcoded API Key
#
# API key hardcoded directly in source code instead of using environment
# variables or secret management.
[metadata]
id = "secrets-001"
name = "Hardcoded API key in source"
category = "secrets"
language = "python"
difficulty = "easy"
source = "hand-curated"
created = "2025-02-05"
notes = "Common credential exposure pattern"
[input]
filename = "config.py"
content = """
# Application configuration
DATABASE_URL = "postgresql://localhost/mydb"
API_KEY = "sk-live-a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
DEBUG = True
def get_api_key():
return API_KEY
"""
[expected]
must_contain = [
{ subject = "secrets/api_key", predicate = "hardcoded", value = true, rationale = "API_KEY is directly assigned a string literal" },
{ subject = "secrets/api_key", predicate = "is_stripe_key", value = true, rationale = "Value starts with sk-live- indicating a Stripe live API key" }
]
must_not_contain = [
{ subject = "secrets/api_key", predicate = "from_env", value = true, rationale = "Key is not loaded from environment" }
]
# Valid findings that LLM may extract but are not required
acceptable_variants = [
{ subject = "auth/bypass", predicate = "debug_mode", value = true, rationale = "LLM may detect DEBUG=True as debug mode bypass - valid but secondary finding" }
]
[scoring]
weight = 1.0
min_confidence = 0.9
Reference in New Issue View Git Blame Copy Permalink