package scanning

// pattern holds a compiled regex-like pattern string and its metadata.
// We use raw string patterns rather than importing regexp for each check;
// the Scanner compiles all patterns once at startup.
type pattern struct {
	Name        string
	Description string
	Raw         string // the regex pattern (compiled at init)
	Severity    string // "high", "medium", "low"
}

// Patterns is the list of secret patterns checked against every pushed commit.
// Patterns are ordered by severity — high first.
var Patterns = []pattern{
	{
		Name:        "aws-access-key-id",
		Description: "AWS Access Key ID",
		Raw:         `AKIA[0-9A-Z]{16}`,
		Severity:    "high",
	},
	{
		Name:        "aws-secret-key",
		Description: "AWS Secret Access Key",
		Raw:         `(?i)aws[_-]?(secret|private)[_-]?(access[_-]?)?key['"]?\s*[:=]\s*['"]?[A-Za-z0-9\/+=]{40}`,
		Severity:    "high",
	},
	{
		Name:        "github-token",
		Description: "GitHub Personal Access Token",
		Raw:         `gh[pousr]_[A-Za-z0-9_]{36,}`,
		Severity:    "high",
	},
	{
		Name:        "gitlab-token",
		Description: "GitLab Personal Access Token",
		Raw:         `glpat-[A-Za-z0-9\-_]{20,}`,
		Severity:    "high",
	},
	{
		Name:        "generic-api-key",
		Description: "Generic API key assignment (high entropy)",
		Raw:         `(?i)(api[_-]?key|apikey|api[_-]?secret|api[_-]?token)['"]?\s*[:=]\s*['"][A-Za-z0-9_\-\.]{20,64}`,
		Severity:    "high",
	},
	{
		Name:        "bearer-token",
		Description: "Bearer token in HTTP header",
		Raw:         `(?i)authorization:\s*bearer\s+[A-Za-z0-9_\-\.]{20,}`,
		Severity:    "high",
	},
	{
		Name:        "slack-token",
		Description: "Slack Bot / Webhook token",
		Raw:         `xox[baprs]-[A-Za-z0-9\-]{10,}`,
		Severity:    "high",
	},
	{
		Name:        "google-api-key",
		Description: "Google API Key",
		Raw:         `AIza[0-9A-Za-z\-_]{35}`,
		Severity:    "high",
	},
	{
		Name:        "google-service-account",
		Description: "Google Service Account",
		Raw:         `[0-9]+-[0-9a-z]{32}\.apps\.googleusercontent\.com`,
		Severity:    "high",
	},
	{
		Name:        "ssh-private-key",
		Description: "SSH / TLS private key embed",
		Raw:         `-----BEGIN\s+(RSA|EC|OPENSSH|DSA|PRIVATE)(\s+PRIVATE)?\s+KEY-----`,
		Severity:    "high",
	},
	{
		Name:        "jwt-token",
		Description: "JSON Web Token (JWT)",
		Raw:         `eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}`,
		Severity:    "medium",
	},
	{
		Name:        "generic-password",
		Description: "Generic password/secret field assignment",
		Raw:         `(?i)(password|passwd|pwd|secret)['"]?\s*[:=]\s*['"][A-Za-z0-9!@#$%^&*()_+\-=\[\]{}|;:,.<>?]{8,}`,
		Severity:    "medium",
	},
	{
		Name:        "npm-token",
		Description: "npm access token",
		Raw:         `npm_[A-Za-z0-9]{36,}`,
		Severity:    "high",
	},
	{
		Name:        "pg-connection-string",
		Description: "PostgreSQL connection string",
		Raw:         `postgres(ql)?://[A-Za-z0-9_]+:[^@\s]+@`,
		Severity:    "high",
	},
	{
		Name:        "redis-connection-string",
		Description: "Redis connection string with password",
		Raw:         `redis://[^:@\s]+:[^@\s]+@`,
		Severity:    "high",
	},
}