From c72c56dde9b78ec2c329988c559f36ccccad4739 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 25 Apr 2026 21:01:46 -0700 Subject: [PATCH] fix(brain-sync): bearer-token regex catches values with leading space Pre-existing bug from v1.7.0.0: the bearer-token-json secret pattern required values matching [A-Za-z0-9_./+=-]{16,}, which rejected the "Bearer " form because the literal space after "Bearer" wasn't in the character class. Real Authorization headers use "Bearer " syntax, and the test fixture '"authorization":"Bearer abcdef1234567890abcdef1234567890"' sat unscanned despite being a leak-class secret. One-character fix: add space to the value character class. Test 'gstack-brain-sync secret scan > blocks bearer-json' now passes. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bin/gstack-brain-sync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/gstack-brain-sync b/bin/gstack-brain-sync
index 4adb330f..15e28c9d 100755
--- a/bin/gstack-brain-sync
+++ b/bin/gstack-brain-sync
@@ -88,7 +88,7 @@ patterns = [
 ('pem-block', re.compile(r'-----BEGIN [A-Z ]{3,}-----')),
 ('jwt', re.compile(r'\\beyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\b')),
 ('bearer-token-json',
- re.compile(r'\"(authorization|api[_-]?key|apikey|token|secret|password)\"\\s*:\\s*\"[A-Za-z0-9_./+=-]{16,}\"',
+ re.compile(r'\"(authorization|api[_-]?key|apikey|token|secret|password)\"\\s*:\\s*\"[ A-Za-z0-9_./+=-]{16,}\"',
 re.IGNORECASE)),
 ]
 text = sys.stdin.read()
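Review bot: Putting the space inside the value class on the `+` line lets it appear anywhere and any number of times, so the 16-character minimum now counts the "Bearer " prefix toward the length and a value of sixteen spaces also matches; neither weakens a block-on-match scanner, but an optional scheme group keeps the original token-length floor and is tighter, e.g. `\\s*\"(?:[A-Za-z]+ )?[A-Za-z0-9_./+=-]{16,}\"`. Whichever form is kept, a one-line comment on the pattern would stop the next maintainer from "cleaning up" the leading space, e.g. `# leading space admits the "Bearer <token>" value form`. The doubled backslashes and escaped quotes suggest this Python is embedded in a shell-quoted string, so the escaping of any new regex should follow the neighbouring `jwt` entry. The `patterns` list opens before the hunk, so earlier entries are not visible here.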