security: add Slack, JWT, Azure, and Discord patterns to sanitize.js

src/gep/sanitize.js

@@ -24,6 +24,19 @@ const REDACT_PATTERNS = [
   /sk-ant-[A-Za-z0-9\-_]{20,}/g,
   // npm tokens
   /npm_[A-Za-z0-9]{36,}/g,
+  // Slack tokens (bot/user/app/refresh/verification)
+  /xox[baprsv]-[A-Za-z0-9-]{10,}/g,
+  // JSON Web Tokens (header.payload.signature)
+  /eyJ[A-Za-z0-9_\-]+\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]{20,}/g,
+  // Azure storage connection strings (redact the key field only)
+  /AccountKey=[^;\s]+/gi,
+  // Discord bot tokens. Three base64url segments:
+  //   1. 24+ chars starting with [MNO] (user-id snowflake, base64-encoded)
+  //   2. exactly 6 chars (timestamp)
+  //   3. 27+ chars (HMAC signature)
+  // Requiring an uppercase leading char avoids false-matching dotted
+  // lowercase identifiers (Python module paths, hostnames, etc.).
+  /\b[MNO][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b/g,
   // Private keys
   /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g,
   // Basic auth in URLs (redact only credentials, keep :// and @)
@@ -75,6 +88,10 @@ const LEAK_SCANNERS = [
   { type: 'github_token', pattern: /ghp_[A-Za-z0-9]{36,}/g, suggest: 'process.env.GITHUB_TOKEN' },
   { type: 'github_token', pattern: /github_pat_[A-Za-z0-9_]{22,}/g, suggest: 'process.env.GITHUB_TOKEN' },
   { type: 'npm_token', pattern: /npm_[A-Za-z0-9]{36,}/g, suggest: 'process.env.NPM_TOKEN' },
+  { type: 'slack_token', pattern: /xox[baprsv]-[A-Za-z0-9-]{10,}/g, suggest: 'process.env.SLACK_TOKEN' },
+  { type: 'jwt', pattern: /eyJ[A-Za-z0-9_\-]+\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]{20,}/g, suggest: 'process.env.JWT' },
+  { type: 'azure_key', pattern: /AccountKey=[^;\s]+/gi, suggest: 'process.env.AZURE_STORAGE_KEY' },
+  { type: 'discord_token', pattern: /\b[MNO][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b/g, suggest: 'process.env.DISCORD_TOKEN' },
   { type: 'bearer_token', pattern: /Bearer\s+[A-Za-z0-9\-._~+\/]{20,}=*/g, suggest: 'process.env.AUTH_TOKEN' },
   { type: 'private_key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g, suggest: 'process.env.PRIVATE_KEY_PATH' },
   // Database connection strings with credentials