From b58eed26967576fc4d5cb4533bc7c5df038ba2b1 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Mon, 18 May 2026 15:19:11 -0700
Subject: [PATCH] preparing for v1.100.0

---
 Cargo.toml | 1 +
 crates/kingfisher-scanner/Cargo.toml | 1 +
 crates/kingfisher-scanner/src/validation/aws.rs | 4 +++-
 src/decompress.rs | 9 ++++-----
 src/scanner/validation.rs | 9 ++++++++-
 5 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index b348e5e..e6876a9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -150,6 +150,7 @@ crossbeam-skiplist = "0.1.3"
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"] }
 # Temporary Git pin: keeps MongoDB SRV validation enabled while using the upstream
 # Hickory 0.26 DNS-resolver fix before it is available in a crates.io release.
+# TODO: switch back to a crates.io mongodb release once it includes that fix.
 mongodb = { git = "https://github.com/mongodb/mongo-rust-driver", rev = "bdddefc50c4794d51d10b944320d42c6eb216b04", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"] }
 mysql_async = { version = "0.36.2", default-features = false, features = ["default-rustls"] }
 aws-config = { version = "1.8.14", default-features = false, features = ["default-https-client", "rt-tokio", "credentials-process", "sso"] }
diff --git a/crates/kingfisher-scanner/Cargo.toml b/crates/kingfisher-scanner/Cargo.toml
index 71e4856..efcc753 100644
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
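Review bot: The Git pin for `mongodb` — the same URL and the same `rev` — is now maintained in two manifests, this hunk and the `crates/kingfisher-scanner/Cargo.toml` hunk that follows, so the two copies can drift silently when the new TODO is eventually acted on in only one of them. The crate manifest already inherits `hex` via `hex = { workspace = true, optional = true }`; if the root entry is (or can be moved) under `[workspace.dependencies]`, the crate side becomes `mongodb = { workspace = true, optional = true }` and the pin plus its TODO live in one place. Whether the root entry sits under `[workspace.dependencies]` or the root package's own `[dependencies]` is not visible in this hunk, so this is conditional on that.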
@@ -189,6 +189,7 @@ hex = { workspace = true, optional = true }
 url = { version = "2.5.7", optional = true }
 # Temporary Git pin: keeps MongoDB SRV validation enabled while using the upstream
 # Hickory 0.26 DNS-resolver fix before it is available in a crates.io release.
+# TODO: switch back to a crates.io mongodb release once it includes that fix.
 mongodb = { git = "https://github.com/mongodb/mongo-rust-driver", rev = "bdddefc50c4794d51d10b944320d42c6eb216b04", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"], optional = true }
 mysql_async = { version = "0.36.2", default-features = false, features = ["default-rustls"], optional = true }
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"], optional = true }
diff --git a/crates/kingfisher-scanner/src/validation/aws.rs b/crates/kingfisher-scanner/src/validation/aws.rs
index d0d3a5e..d211551 100644
--- a/crates/kingfisher-scanner/src/validation/aws.rs
+++ b/crates/kingfisher-scanner/src/validation/aws.rs
@@ -192,7 +192,7 @@ pub fn generate_aws_cache_key(aws_access_key_id: &str, aws_secret_access_key: &s
 /// Validate AWS credentials format before attempting validation.
 pub fn validate_aws_credentials_input(access_key_id: &str, secret_key: &str) -> Result<(), String> {
- // Validate access key ID format (20 chars, known AWS prefixes including STS)
+ // Validate access key ID format (20 chars, usable AWS access-key prefixes including STS)
 if access_key_id.len() != 20 {
 return Err("Invalid AWS access key ID format".to_string());
 }
 
@@ -200,6 +200,8 @@ pub fn validate_aws_credentials_input(access_key_id: &str, secret_key: &str) ->
 return Err("AWS access key ID contains invalid characters".to_string());
 }
 let prefix = &access_key_id[..4];
+ // IAM principal IDs (for example AIDA/AROA) are deliberately rejected here:
+ // they are not usable access-key IDs for STS credential validation.
 let valid_prefix = matches!(prefix, "AKIA" | "ASIA") || prefix.starts_with("A3T");
 if !valid_prefix {
 return Err("Invalid AWS access key ID format".to_string());
diff --git a/src/decompress.rs b/src/decompress.rs
index 3dcdd9c..0ece0ec 100644
--- a/src/decompress.rs
+++ b/src/decompress.rs
@@ -225,12 +225,11 @@ pub fn extract_zip_archive_in_memory(
 Ok(entries)
 }
 
-/// Return true if `data` begins with the standard local-file ZIP signature
-/// (`PK\x03\x04`) — used to short-circuit extraction attempts on blobs whose
-/// extension matches a ZIP-based format but whose contents are not actually
-/// a real ZIP (e.g., a stub or partial download).
+/// Return true if `data` begins with a standard ZIP signature — used to
+/// short-circuit extraction attempts on blobs whose extension matches a
+/// ZIP-based format but whose contents are not actually a real ZIP.
 pub fn looks_like_zip(data: &[u8]) -> bool {
- data.len() >= 4 && data[0] == b'P' && data[1] == b'K' && data[2] == 0x03 && data[3] == 0x04
+ matches!(data.get(..4), Some(b"PK\x03\x04" | b"PK\x05\x06" | b"PK\x07\x08"))
 }
 
 fn handle_zip_archive_streaming(
diff --git a/src/scanner/validation.rs b/src/scanner/validation.rs
index 8e4149f..77eab98 100644
--- a/src/scanner/validation.rs
+++ b/src/scanner/validation.rs
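Review bot: The added comment sits directly above `let prefix = &access_key_id[..4];`, a byte-range slice of a `&str` that panics when byte 4 is not a char boundary; it is safe only because the `len() != 20` check in the previous hunk and the character check at the top of this hunk (whose condition is outside this view and presumably ASCII-only) already rejected everything else, and neither the old nor the new comment records that dependency. Since this validator runs on scanner-discovered input, the non-panicking form removes the coupling at no cost: `let Some(prefix) = access_key_id.get(..4) else { return Err("Invalid AWS access key ID format".to_string()) };`. The `prefix.starts_with("A3T")` arm on the next line is not covered by the new AKIA/ASIA-versus-AIDA/AROA explanation, so a short note on why `A3T` is accepted would complete the comment. `validate_aws_credentials_input` starts in the previous hunk and its body continues past this one.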
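Review bot: The rewritten doc comment on `looks_like_zip` no longer names the signatures it accepts, while the old one did (`PK\x03\x04`), and the new body returns true for two more: `PK\x05\x06` (an end-of-central-directory record as the first bytes, i.e. an empty archive) and `PK\x07\x08` (the spanned/split-archive marker); callers that took the old "begins with a local file header" wording literally should be able to see that from the docs. Suggested first line: `/// Return true if data begins with one of the ZIP magic values: local file header (PK\x03\x04), end-of-central-directory record (PK\x05\x06, empty archive) or spanned-archive marker (PK\x07\x08).` Since the check is now a single `matches!` on `data.get(..4)`, a unit test with one input per signature plus a 3-byte and an empty slice would pin the widened contract cheaply. `handle_zip_archive_streaming` begins on the last line of this hunk and continues outside it.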
@@ -964,7 +964,14 @@ fn build_cache_key(
 // Build key
 let capture0 = om.captures.captures.get(0).map_or(String::new(), |c| c.raw_value().to_string());
- if !om.rule.syntax().depends_on_rule.is_empty() {
+ let has_context_dependency = om
+ .rule
+ .syntax()
+ .depends_on_rule
+ .iter()
+ .flatten()
+ .any(|dep| !dep.variable.eq_ignore_ascii_case("TOKEN"));
+ if has_context_dependency {
 return format!(
 "{}|{}|{}|{}|{}",
 om.rule.name(),