performance improvements and rule improvements

This commit is contained in:
Mick Grove 2026-04-24 12:02:27 -07:00
commit c73a44fbf9
6 changed files with 28 additions and 7 deletions


@ -7,7 +7,7 @@ Guidance for coding agents working in this repository.
Kingfisher is an open-source secret scanner and live secret validator written in Rust by MongoDB. It detects, validates, and helps remediate leaked API keys, tokens, and credentials across code repositories, git history, and integrated platforms.
Key capabilities:
- Secret detection with 500+ built-in rules (YAML-based, SIMD-accelerated via Hyperscan/vectorscan)
- Secret detection with 942 built-in rules (820 standalone detectors + 122 dependent rules; 484 standalone detectors include live validation as of 2026-04-24)
- Live credential validation against provider APIs
- Direct secret revocation from CLI
- Blast radius mapping (AWS, GCP, Azure, GitHub, GitLab, Slack)
@ -18,7 +18,6 @@ Key capabilities:
- Applies to the entire repository rooted at this file.
- If a deeper `AGENTS.md` exists in a subdirectory, that file takes precedence for its subtree.
## Repository Structure
- `src/`: main binary source
- `src/cli/commands/`: CLI command implementations
@ -35,6 +34,8 @@ Key capabilities:
- `tests/`: integration/e2e tests
- `testdata/`: test fixtures
- `docs/`: user and developer docs
- `docs/viewer/`: static hosted/local report viewer assets
- `docs-site/`: MkDocs documentation sources, overrides, and generated site output
- `vendor/vectorscan-rs/`: vendored vectorscan bindings
## Toolchain and Environment
@ -96,6 +97,7 @@ Key capabilities:
- Add a detection rule: follow the workflow below and validate with relevant tests.
- Add a CLI command: implement under `src/cli/commands/` and register in the CLI command wiring.
- Add a validator (rare exception path): implement it in `crates/kingfisher-scanner/src/validation/`, prefer `raw.rs` for one-off provider flows, and wire the narrowest feature/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic.
- Update docs-site rule counts: use `uv run '/Users/mickg/src/kingfisher/data/default/rule_cleanup/count_rules.py'` and update `docs-site/overrides/` plus `docs-site/mkdocs.yml` to match the reported totals before rebuilding the docs site.
## Rule Authoring Workflow
Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/`.
@ -135,6 +137,7 @@ Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/
- If validation commands cannot be run, report exactly what was skipped and why.
- Prefer `kingfisher scan --format toon` when invoking Kingfisher from an LLM or agent workflow; keep `pretty` for interactive human CLI use unless the task explicitly calls for a different format.
- After markdown/doc changes, verify local documentation links when practical.
- After `docs-site/` source changes, rebuild with `docs-site/.venv/bin/mkdocs build -f docs-site/mkdocs.yml` when practical so checked-in generated output stays in sync.
## Documentation Pointers
- `docs/USAGE.md`

CLAUDE.md Normal file

@ -0,0 +1 @@
IMPORTANT: Read and follow all instructions in AGENTS.md before starting any task.


@ -1,7 +1,7 @@
site_name: Kingfisher
site_url: https://mongodb.github.io/kingfisher
site_description: >-
Open source secret scanner with live validation. 938 detection rules,
Open source secret scanner with live validation. 942 detection rules,
blast radius mapping, credential revocation, and a browser-based
report viewer that also imports Gitleaks and TruffleHog output.
Built in Rust by MongoDB.


@ -36,7 +36,7 @@
<section class="kf-stats">
<div class="kf-stats__inner md-grid">
<div class="kf-stats__item">
<span class="kf-stats__number">934</span>
<span class="kf-stats__number">942</span>
<span class="kf-stats__label">Detection Rules</span>
</div>
<div class="kf-stats__item">


@ -7,7 +7,7 @@
"@context": "https://schema.org",
"@type": "SoftwareApplication",
"name": "Kingfisher",
"description": "Open source secret scanner with live validation. 934 detection rules, blast radius mapping, and credential revocation.",
"description": "Open source secret scanner with live validation. 942 detection rules, blast radius mapping, and credential revocation.",
"applicationCategory": "DeveloperApplication",
"operatingSystem": "Linux, macOS, Windows",
"license": "https://opensource.org/licenses/Apache-2.0",


@ -17,6 +17,7 @@ fn library_crates_work_from_external_project() -> anyhow::Result<()> {
let temp = tempfile::tempdir()?;
let project_dir = temp.path().join("external-kingfisher-consumer");
fs::create_dir_all(project_dir.join("src"))?;
fs::copy(repo_root.join("Cargo.lock"), project_dir.join("Cargo.lock"))?;
fs::write(
project_dir.join("Cargo.toml"),
@ -74,8 +75,24 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
"#,
)?;
let output =
Command::new("cargo").arg("run").arg("--quiet").current_dir(&project_dir).output()?;
let lock_output = Command::new("cargo")
.arg("generate-lockfile")
.arg("--offline")
.current_dir(&project_dir)
.output()?;
let lock_stdout = String::from_utf8_lossy(&lock_output.stdout);
let lock_stderr = String::from_utf8_lossy(&lock_output.stderr);
assert!(
lock_output.status.success(),
"external project lockfile generation failed\nstdout:\n{lock_stdout}\nstderr:\n{lock_stderr}"
);
let output = Command::new("cargo")
.arg("run")
.arg("--quiet")
.arg("--frozen")
.current_dir(&project_dir)
.output()?;
let stdout = String::from_utf8_lossy(&output.stdout);
let stderr = String::from_utf8_lossy(&output.stderr);