kingfisher/crates/kingfisher-rules/data/rules/temporal.yml

rules:
  - name: Temporal Cloud API Key
    id: kingfisher.temporal.1
    pattern: |
      (?x)
      \b
      (
        eyJ[A-Za-z0-9_-]{10,}
        \.
        [A-Za-z0-9_-]*Y2NvdW50X2lk          (?# payload contains "account_id" )
        [A-Za-z0-9_-]*InRlbXBvcmFsLmlv      (?# payload contains "temporal.io" )
        [A-Za-z0-9_-]*(?:ICJrZXlfaWQiOi|a2V5X2lk|rZXlfaWQi) (?# payload contains "key_id" )
        [A-Za-z0-9_-]{20,}
        \.
        [A-Za-z0-9_-]{20,}
      )
      \b
    pattern_requirements:
      min_digits: 3
    min_entropy: 3.2
    confidence: medium
    examples:
      - 'temporal_api_key="eyJhbGciOiJFUzI1NiIsImtpZCI6IlNhbXBsZSJ9.eyJhY2NvdW50X2lkIjoic2FtcGxlIiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoic2FtcGxlLWtleSIsInN1YiI6InVzZXItMTIzIiwiZXhwIjoyMDAwMDAwMDAwfQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVyXzEyMzQ1Njc4OTA"'
      - 'temporal --profile cloud config set --prop api_key --value "eyJhbGciOiJFUzI1NiIsImtpZCI6IkFub3RoZXJLZXkifQ.eyJhY2NvdW50X2lkIjoidGVzdC1hY2N0IiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoidGVzdC1rZXktaWQiLCJzdWIiOiJ1c2VyLXRlc3QiLCJleHAiOjIwMDAwMDAwMDB9.c2lnbmF0dXJlX3Rlc3RfdmFsdWVfMDEyMzQ1Njc4OTAi'
    negative_examples:
      - 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInN1YiI6InVzZXIiLCJleHAiOjE5NzIxNzI0NjF9.WQWcwBAQFNE259f2o8ruFln_UMLTFEnEaUD7KHrs9Aw'
    references:
      - https://docs.temporal.io/cloud/api-keys
      - https://docs.temporal.io/cli/env-config
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://saas-api.tmprl.cloud/cloud/current-identity
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: WordMatch
              words:
                - '"user"'
                - '"serviceAccount"'
              match_all_words: false
- Added kingfisher.temporal.1 rule for Temporal Cloud API keys (namespace-scoped and user-scoped JWT formats) with Temporal-specific pattern matching. - Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery. - Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures. - Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change. 2026-02-11 23:27:05 -08:00			`rules:`
			`- name: Temporal Cloud API Key`
			`id: kingfisher.temporal.1`
			`pattern: \|`
			`(?x)`
			`\b`
			`(`
			`eyJ[A-Za-z0-9_-]{10,}`
			`\.`
			`[A-Za-z0-9_-]*Y2NvdW50X2lk (?# payload contains "account_id" )`
			`[A-Za-z0-9_-]*InRlbXBvcmFsLmlv (?# payload contains "temporal.io" )`
			`[A-Za-z0-9_-]*(?:ICJrZXlfaWQiOi\|a2V5X2lk\|rZXlfaWQi) (?# payload contains "key_id" )`
			`[A-Za-z0-9_-]{20,}`
			`\.`
			`[A-Za-z0-9_-]{20,}`
			`)`
			`\b`
			`pattern_requirements:`
			`min_digits: 3`
			`min_entropy: 3.2`
			`confidence: medium`
			`examples:`
			`- 'temporal_api_key="eyJhbGciOiJFUzI1NiIsImtpZCI6IlNhbXBsZSJ9.eyJhY2NvdW50X2lkIjoic2FtcGxlIiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoic2FtcGxlLWtleSIsInN1YiI6InVzZXItMTIzIiwiZXhwIjoyMDAwMDAwMDAwfQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVyXzEyMzQ1Njc4OTA"'`
			`- 'temporal --profile cloud config set --prop api_key --value "eyJhbGciOiJFUzI1NiIsImtpZCI6IkFub3RoZXJLZXkifQ.eyJhY2NvdW50X2lkIjoidGVzdC1hY2N0IiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoidGVzdC1rZXktaWQiLCJzdWIiOiJ1c2VyLXRlc3QiLCJleHAiOjIwMDAwMDAwMDB9.c2lnbmF0dXJlX3Rlc3RfdmFsdWVfMDEyMzQ1Njc4OTAi'`
			`negative_examples:`
			`- 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInN1YiI6InVzZXIiLCJleHAiOjE5NzIxNzI0NjF9.WQWcwBAQFNE259f2o8ruFln_UMLTFEnEaUD7KHrs9Aw'`
			`references:`
			`- https://docs.temporal.io/cloud/api-keys`
			`- https://docs.temporal.io/cli/env-config`
			`validation:`
			`type: Http`
			`content:`
			`request:`
			`method: GET`
			`url: https://saas-api.tmprl.cloud/cloud/current-identity`
			`headers:`
			`Authorization: "Bearer {{ TOKEN }}"`
			`Accept: application/json`
			`response_matcher:`
			`- report_response: true`
			`- type: StatusMatch`
			`status: [200]`
			`- type: WordMatch`
			`words:`
			`- '"user"'`
			`- '"serviceAccount"'`
			`match_all_words: false`