From 5f7d82a524217e1766e9dbee277fb1bee3865881 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Sun, 5 Apr 2026 16:36:08 -0700
Subject: [PATCH 01/17] fix github action

---
 .github/workflows/release.yml               | 26 +++------------------
 .gitignore                                  |  1 +
 docs-site/docs/assets/stylesheets/extra.css |  3 +++
 docs-site/docs/rules/builtin-rules.md       | 12 +++++-----
 docs-site/overrides/home.html               |  9 +++++++
 5 files changed, 22 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8fb9341..7d7ee6a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -411,7 +411,7 @@ jobs:
 
   provenance:
     name: Generate SLSA provenance
-    needs: [hash]
+    needs: [hash, release]
     permissions:
       actions: read
       id-token: write
@@ -419,28 +419,8 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.hash.outputs.hashes }}"
-      upload-assets: false
-
-  upload-provenance:
-    name: Upload provenance to release
-    needs: [provenance, release]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Download provenance artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: ${{ needs.provenance.outputs.provenance-name }}
-      - name: Upload to release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          TAG: ${{ needs.release.outputs.tag }}
-          PROVENANCE_FILE: ${{ needs.provenance.outputs.provenance-name }}
-        run: |
-          gh release upload "${TAG}" "${PROVENANCE_FILE}" \
-            --repo "${{ github.repository }}" \
-            --clobber
+      upload-assets: true
+      upload-tag-name: "${{ needs.release.outputs.tag }}"
 
   # ──────────────── Publish Docker image ────────────────
   publish-docker:
diff --git a/.gitignore b/.gitignore
index 1fa6b8b..1490502 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,7 @@ logs/*
 *.rej
 *.html
 !docs/access-map-viewer/index.html
+!docs-site/overrides/*.html
 *.dot
 fuzz/*
 !fuzz/Cargo.toml
diff --git a/docs-site/docs/assets/stylesheets/extra.css b/docs-site/docs/assets/stylesheets/extra.css
index b3df9bd..c590f93 100644
--- a/docs-site/docs/assets/stylesheets/extra.css
+++ b/docs-site/docs/assets/stylesheets/extra.css
@@ -99,6 +99,7 @@
   max-width: 700px;
   margin: 0 auto 2rem;
   color: var(--md-default-fg-color--light);
+  font-size: 1rem;
   line-height: 1.6;
 }
 
@@ -127,11 +128,13 @@
 
 .kf-feature h3 {
   margin-top: 0;
+  font-size: 1.3rem;
   color: var(--md-primary-fg-color);
 }
 
 .kf-feature p {
   color: var(--md-default-fg-color--light);
+  font-size: 0.85rem;
   line-height: 1.6;
   margin-bottom: 0;
 }
diff --git a/docs-site/docs/rules/builtin-rules.md b/docs-site/docs/rules/builtin-rules.md
index f165577..6951c17 100644
--- a/docs-site/docs/rules/builtin-rules.md
+++ b/docs-site/docs/rules/builtin-rules.md
@@ -2485,7 +2485,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Service Token (< v1.10)</td>
+<td>Hashicorp Vault Service Token (&lt; v1.10)</td>
 <td><code>kingfisher.hashicorp.1</code></td>
 <td>Medium</td>
 <td></td>
@@ -2493,7 +2493,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Batch Token (< v1.10)</td>
+<td>Hashicorp Vault Batch Token (&lt; v1.10)</td>
 <td><code>kingfisher.hashicorp.2</code></td>
 <td>Medium</td>
 <td></td>
@@ -2501,7 +2501,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Recovery Token (< v1.10)</td>
+<td>Hashicorp Vault Recovery Token (&lt; v1.10)</td>
 <td><code>kingfisher.hashicorp.3</code></td>
 <td>Medium</td>
 <td></td>
@@ -2509,7 +2509,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Service Token (>= v1.10)</td>
+<td>Hashicorp Vault Service Token (&gt;= v1.10)</td>
 <td><code>kingfisher.hashicorp.4</code></td>
 <td>Medium</td>
 <td></td>
@@ -2517,7 +2517,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Batch Token (>= v1.10)</td>
+<td>Hashicorp Vault Batch Token (&gt;= v1.10)</td>
 <td><code>kingfisher.hashicorp.5</code></td>
 <td>Medium</td>
 <td></td>
@@ -2525,7 +2525,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Hashicorp</td>
-<td>Hashicorp Vault Recovery Token (>= v1.10)</td>
+<td>Hashicorp Vault Recovery Token (&gt;= v1.10)</td>
 <td><code>kingfisher.hashicorp.6</code></td>
 <td>Medium</td>
 <td></td>
diff --git a/docs-site/overrides/home.html b/docs-site/overrides/home.html
index bcbb144..28bc386 100644
--- a/docs-site/overrides/home.html
+++ b/docs-site/overrides/home.html
@@ -95,6 +95,15 @@
           </p>
         </div>
 
+        <div class="kf-feature">
+          <h3>Open Source</h3>
+          <p>
+            Apache 2.0 licensed. Free to use, modify, and distribute. No vendor
+            lock-in, no usage limits, no telemetry. Fully auditable codebase
+            backed by MongoDB.
+          </p>
+        </div>
+
         <div class="kf-feature">
           <h3>Built for Accuracy</h3>
           <p>

From 45a565fa6e24c16b2d62b69b4ef70f64e611f007 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Mon, 6 Apr 2026 22:18:58 -0700
Subject: [PATCH 02/17] added more rules

---
 AGENTS.md                                     |  15 +-
 CHANGELOG.md                                  |   5 +
 Cargo.lock                                    | 359 ++++++++--
 Cargo.toml                                    |   2 +-
 README.md                                     |  12 +-
 crates/kingfisher-rules/data/rules/AGENTS.md  |   7 +-
 crates/kingfisher-rules/data/rules/agora.yml  |  24 +-
 .../data/rules/amazonoauth.yml                |  19 +
 crates/kingfisher-rules/data/rules/asaas.yml  |  18 +
 crates/kingfisher-rules/data/rules/azure.yml  |  22 +
 .../kingfisher-rules/data/rules/azureapim.yml |  64 ++
 .../data/rules/azurebatch.yml                 |  71 ++
 .../data/rules/azurecognitive.yml             |  46 ++
 .../data/rules/azurecommunication.yml         |  20 +
 .../data/rules/azurecosmosdb.yml              |  77 +++
 .../data/rules/azureeventgrid.yml             |  28 +
 .../data/rules/azurefunctionkey.yml           |  56 ++
 .../data/rules/azurelogicapps.yml             |  22 +
 .../kingfisher-rules/data/rules/azuremaps.yml |  21 +
 .../data/rules/azuremixedreality.yml          |  28 +
 .../data/rules/azuresastoken.yml              |  50 ++
 .../data/rules/azuresignalr.yml               |  20 +
 .../kingfisher-rules/data/rules/azuresql.yml  |  46 ++
 .../data/rules/azurewebpubsub.yml             |  20 +
 .../kingfisher-rules/data/rules/bitfinex.yml  |  29 +-
 .../kingfisher-rules/data/rules/bitrise.yml   |  35 +
 .../data/rules/blockprotocol.yml              |  19 +
 crates/kingfisher-rules/data/rules/canva.yml  |  20 +
 crates/kingfisher-rules/data/rules/cfxre.yml  |  19 +
 .../data/rules/cockroachlabs.yml              |  28 +
 crates/kingfisher-rules/data/rules/docker.yml |  40 +-
 .../kingfisher-rules/data/rules/docusign.yml  | 104 ++-
 .../kingfisher-rules/data/rules/dropbox.yml   |  35 +
 crates/kingfisher-rules/data/rules/dwolla.yml |  47 +-
 crates/kingfisher-rules/data/rules/ebay.yml   |  58 ++
 .../kingfisher-rules/data/rules/elastic.yml   |  48 ++
 .../data/rules/flutterwave.yml                |  23 +-
 crates/kingfisher-rules/data/rules/ftp.yml    |  21 +-
 crates/kingfisher-rules/data/rules/gitlab.yml | 261 ++++++++
 .../kingfisher-rules/data/rules/hcaptcha.yml  |  24 +
 .../kingfisher-rules/data/rules/highnote.yml  |  20 +
 crates/kingfisher-rules/data/rules/hop.yml    |  38 ++
 .../kingfisher-rules/data/rules/iterative.yml |  19 +
 crates/kingfisher-rules/data/rules/kraken.yml |  39 ++
 crates/kingfisher-rules/data/rules/kucoin.yml |  57 ++
 crates/kingfisher-rules/data/rules/ldap.yml   |  33 +-
 .../kingfisher-rules/data/rules/lichess.yml   |  31 +
 .../data/rules/localstack.yml                 |  21 +
 .../data/rules/mailersend.yml                 |  32 +
 crates/kingfisher-rules/data/rules/onfido.yml |  32 +
 .../kingfisher-rules/data/rules/openvsx.yml   |  19 +
 crates/kingfisher-rules/data/rules/paddle.yml |  34 +
 crates/kingfisher-rules/data/rules/pangea.yml |  34 +
 .../kingfisher-rules/data/rules/persona.yml   |  34 +
 .../kingfisher-rules/data/rules/pinterest.yml |  50 ++
 crates/kingfisher-rules/data/rules/polar.yml  |  20 +
 crates/kingfisher-rules/data/rules/proof.yml  |  22 +
 .../kingfisher-rules/data/rules/rabbitmq.yml  |  23 +-
 .../data/rules/rainforestpay.yml              |  21 +
 crates/kingfisher-rules/data/rules/redis.yml  |  19 +-
 .../data/rules/ringcentral.yml                |  74 ++-
 crates/kingfisher-rules/data/rules/rootly.yml |  31 +
 crates/kingfisher-rules/data/rules/runpod.yml |  36 ++
 .../kingfisher-rules/data/rules/snowflake.yml |  73 +++
 .../kingfisher-rules/data/rules/tableau.yml   |  86 ++-
 crates/kingfisher-rules/data/rules/telnyx.yml |  31 +
 .../data/rules/thunderstore.yml               |  19 +
 crates/kingfisher-rules/data/rules/trello.yml |  54 ++
 .../kingfisher-rules/data/rules/ubidots.yml   |  24 +-
 .../kingfisher-rules/data/rules/valtown.yml   |  19 +
 .../data/rules/volcengine.yml                 |  19 +
 crates/kingfisher-rules/data/rules/webex.yml  |  53 +-
 crates/kingfisher-rules/src/liquid_filters.rs | 101 ++-
 crates/kingfisher-scanner/Cargo.toml          |  22 +-
 .../src/validation/http_validation.rs         |  58 ++
 .../kingfisher-scanner/src/validation/mod.rs  |  10 +-
 .../kingfisher-scanner/src/validation/raw.rs  | 612 ++++++++++++++++++
 data/default/rule_cleanup/count_rules.py      |  25 +-
 docs-site/docs/reference/library.md           |   2 +-
 docs-site/docs/usage/advanced.md              |   2 +-
 docs/ADVANCED.md                              |   2 +-
 docs/ARCHITECTURE.md                          |   3 +-
 docs/LIBRARY.md                               |  16 +-
 docs/RULES.md                                 |  34 +-
 src/direct_validate.rs                        |  55 +-
 src/reporter.rs                               |  10 +-
 src/validation.rs                             |  46 +-
 src/validation_rate_limit.rs                  |   5 +-
 88 files changed, 3824 insertions(+), 159 deletions(-)
 create mode 100644 crates/kingfisher-rules/data/rules/amazonoauth.yml
 create mode 100644 crates/kingfisher-rules/data/rules/asaas.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azureapim.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurebatch.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurecognitive.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurecommunication.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurecosmosdb.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azureeventgrid.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurefunctionkey.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurelogicapps.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azuremaps.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azuremixedreality.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azuresastoken.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azuresignalr.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azuresql.yml
 create mode 100644 crates/kingfisher-rules/data/rules/azurewebpubsub.yml
 create mode 100644 crates/kingfisher-rules/data/rules/bitrise.yml
 create mode 100644 crates/kingfisher-rules/data/rules/blockprotocol.yml
 create mode 100644 crates/kingfisher-rules/data/rules/canva.yml
 create mode 100644 crates/kingfisher-rules/data/rules/cfxre.yml
 create mode 100644 crates/kingfisher-rules/data/rules/cockroachlabs.yml
 create mode 100644 crates/kingfisher-rules/data/rules/ebay.yml
 create mode 100644 crates/kingfisher-rules/data/rules/elastic.yml
 create mode 100644 crates/kingfisher-rules/data/rules/hcaptcha.yml
 create mode 100644 crates/kingfisher-rules/data/rules/highnote.yml
 create mode 100644 crates/kingfisher-rules/data/rules/hop.yml
 create mode 100644 crates/kingfisher-rules/data/rules/iterative.yml
 create mode 100644 crates/kingfisher-rules/data/rules/lichess.yml
 create mode 100644 crates/kingfisher-rules/data/rules/localstack.yml
 create mode 100644 crates/kingfisher-rules/data/rules/mailersend.yml
 create mode 100644 crates/kingfisher-rules/data/rules/onfido.yml
 create mode 100644 crates/kingfisher-rules/data/rules/openvsx.yml
 create mode 100644 crates/kingfisher-rules/data/rules/paddle.yml
 create mode 100644 crates/kingfisher-rules/data/rules/pangea.yml
 create mode 100644 crates/kingfisher-rules/data/rules/persona.yml
 create mode 100644 crates/kingfisher-rules/data/rules/pinterest.yml
 create mode 100644 crates/kingfisher-rules/data/rules/polar.yml
 create mode 100644 crates/kingfisher-rules/data/rules/proof.yml
 create mode 100644 crates/kingfisher-rules/data/rules/rainforestpay.yml
 create mode 100644 crates/kingfisher-rules/data/rules/rootly.yml
 create mode 100644 crates/kingfisher-rules/data/rules/runpod.yml
 create mode 100644 crates/kingfisher-rules/data/rules/telnyx.yml
 create mode 100644 crates/kingfisher-rules/data/rules/thunderstore.yml
 create mode 100644 crates/kingfisher-rules/data/rules/valtown.yml
 create mode 100644 crates/kingfisher-rules/data/rules/volcengine.yml
 create mode 100644 crates/kingfisher-scanner/src/validation/raw.rs

diff --git a/AGENTS.md b/AGENTS.md
index 0f6d292..917c3f7 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -22,7 +22,6 @@ Key capabilities:
 ## Repository Structure
 - `src/`: main binary source
 - `src/cli/commands/`: CLI command implementations
-- `src/validation/`: provider-specific credential validators
 - `src/matcher/`: pattern matching engine
 - `src/scanner/`: core scanning logic
 - `src/parser/`: language-aware parsing (`tree-sitter`)
@@ -32,6 +31,7 @@ Key capabilities:
 - `crates/kingfisher-rules/`: rule loading and rule data
 - `crates/kingfisher-rules/data/rules/`: YAML detection rules
 - `crates/kingfisher-scanner/`: embeddable high-level scanning API
+- `crates/kingfisher-scanner/src/validation/`: shared typed and raw credential validators
 - `tests/`: integration/e2e tests
 - `testdata/`: test fixtures
 - `docs/`: user and developer docs
@@ -81,18 +81,21 @@ Key capabilities:
   - `use-mimalloc` (default)
   - `use-jemalloc`
   - `system-alloc`
-- Validation modules live in `crates/kingfisher-scanner/src/validation/`; optional validation feature sets are defined in `crates/kingfisher-scanner/Cargo.toml` (e.g., `validation-aws`, `validation-gcp`, `validation-database`, `validation-all`).
+- Validation modules live in `crates/kingfisher-scanner/src/validation/`; optional validation feature sets are defined in `crates/kingfisher-scanner/Cargo.toml` (e.g., `validation-raw`, `validation-aws`, `validation-gcp`, `validation-database`, `validation-all`).
 
 ## Validation and Revocation Policy
-- Default rule: define validation logic in rule YAML (`validation:` block), not Rust code.
-- Code-based validation in `crates/kingfisher-scanner/src/validation/` is an exception path for cases that cannot be expressed reliably in YAML alone (for example AWS, GCP, Coinbase, MongoDB, and similar complex/provider-specific flows).
+- Default rule: define validation logic in rule YAML (`validation:` block), especially `Http` or `Grpc`, not Rust code.
+- Typed validators are first-class schema variants (`AWS`, `AzureStorage`, `Coinbase`, `GCP`, `MongoDB`, `MySQL`, `Postgres`, `Jdbc`, `JWT`) for stable, reusable validation families.
+- Raw validators use `validation: { type: Raw, content: <name> }` and are the ad-hoc exception path for provider-specific or protocol-specific validation that cannot be expressed reliably in YAML alone. Implement them in `crates/kingfisher-scanner/src/validation/raw.rs`.
 - Treat Rust validation additions as rare; prefer extending YAML-based validation first.
+- If a Rust exception path is required, prefer adding a raw validator before introducing a new typed validator. Add a new typed validator only when it represents a reusable schema-level validation family.
+- Do not convert existing typed validators to `Raw` just for consistency.
 - For rules that include validation, add a `revocation:` section whenever the third-party API safely supports revocation.
 
 ## Common Development Tasks
 - Add a detection rule: follow the workflow below and validate with relevant tests.
 - Add a CLI command: implement under `src/cli/commands/` and register in the CLI command wiring.
-- Add a validator (rare exception path): implement in `crates/kingfisher-scanner/src/validation/` and wire feature flags/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic.
+- Add a validator (rare exception path): implement it in `crates/kingfisher-scanner/src/validation/`, prefer `raw.rs` for one-off provider flows, and wire the narrowest feature/dependencies in `crates/kingfisher-scanner/Cargo.toml` only when YAML validation cannot express the required logic.
 
 ## Rule Authoring Workflow
 Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/`.
@@ -105,7 +108,7 @@ Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/
    - `pattern_requirements` (e.g., `min_digits`, `min_uppercase`, `min_lowercase`, `min_special_chars`, `ignore_if_contains`) when format constraints are known.
    - `pattern_requirements.checksum` when provider formats include check digits/signatures.
 5. Add `validation` only when a reliable provider/API check exists.
-6. Put validation in YAML by default; only use Rust validator logic for rare, justified exceptions.
+6. Put validation in YAML by default. If YAML cannot express the check, use an existing typed validator or `type: Raw` exception path; add new Rust validator logic only for rare, justified cases.
 7. Add `revocation` when the provider API supports safe revocation and the flow is well understood.
 8. If a rule needs context from another match (for example ID + secret pair), use `depends_on_rule` and consider `visible: false` on the helper rule.
 9. Verify locally:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6921720..6f507c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v1.95.0]
+- Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
+- Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
+- Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex, and fixed newly added rule patterns/examples so `kingfisher rules check` passes cleanly.
+
 ## [v1.94.0]
 - Updated vendored `vectorscan-rs` from v0.0.5 (Vectorscan 5.4.11) to v0.0.6 (Vectorscan 5.4.12). The upstream crate now ships pre-extracted sources instead of a tarball+patch, and fixes the `cpu_native` feature flag. Local Windows and musl build patches have been re-applied.
 - Added more built-in rules
diff --git a/Cargo.lock b/Cargo.lock
index 475da1d..54f32a1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -191,6 +191,45 @@ dependencies = [
  "wax",
 ]
 
+[[package]]
+name = "asn1-rs"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+ "synstructure 0.12.6",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "assert-json-diff"
 version = "2.0.2"
@@ -875,11 +914,11 @@ dependencies = [
  "hyper-rustls",
  "hyper-util",
  "pin-project-lite",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "rustls-pki-types",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tower",
  "tracing",
 ]
@@ -1215,8 +1254,8 @@ dependencies = [
  "num",
  "pin-project-lite",
  "rand 0.9.2",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "rustls-pki-types",
  "serde",
  "serde_derive",
@@ -1768,6 +1807,16 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.10.1"
@@ -1826,7 +1875,7 @@ dependencies = [
  "crc",
  "digest 0.10.7",
  "rustversion",
- "spin",
+ "spin 0.10.0",
 ]
 
 [[package]]
@@ -2143,6 +2192,20 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "der-parser"
+version = "8.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "der_derive"
 version = "0.7.3"
@@ -2863,7 +2926,7 @@ dependencies = [
  "regex",
  "reqwest 0.13.2",
  "reqwest-middleware 0.5.1",
- "ring",
+ "ring 0.17.14",
  "serde",
  "serde_json",
  "sha2 0.10.9",
@@ -4197,7 +4260,7 @@ dependencies = [
  "ipnet",
  "once_cell",
  "rand 0.9.2",
- "ring",
+ "ring 0.17.14",
  "thiserror 2.0.18",
  "tinyvec",
  "tokio",
@@ -4415,11 +4478,11 @@ dependencies = [
  "http 1.4.0",
  "hyper",
  "hyper-util",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "rustls-pki-types",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tower-service",
  "webpki-roots 1.0.6",
 ]
@@ -4959,7 +5022,7 @@ dependencies = [
  "base64 0.22.1",
  "js-sys",
  "pem",
- "ring",
+ "ring 0.17.14",
  "serde",
  "serde_json",
  "simple_asn1",
@@ -4993,7 +5056,7 @@ dependencies = [
 
 [[package]]
 name = "kingfisher"
-version = "1.94.0"
+version = "1.95.0"
 dependencies = [
  "anyhow",
  "asar",
@@ -5089,12 +5152,12 @@ dependencies = [
  "reqwest 0.12.28",
  "reqwest-middleware 0.4.2",
  "reqwest-middleware 0.5.1",
- "ring",
+ "ring 0.17.14",
  "roaring",
  "rusqlite",
  "rustc-hash",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "schemars 0.8.22",
  "self_update",
  "semver",
@@ -5122,7 +5185,7 @@ dependencies = [
  "tokio",
  "tokio-postgres",
  "tokio-postgres-rustls",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "toon-format",
  "tracing",
  "tracing-core",
@@ -5241,6 +5304,7 @@ dependencies = [
  "jsonwebtoken 10.3.0",
  "kingfisher-core",
  "kingfisher-rules",
+ "ldap3",
  "liquid",
  "liquid-core",
  "mongodb",
@@ -5255,10 +5319,10 @@ dependencies = [
  "rand 0.10.0",
  "regex",
  "reqwest 0.12.28",
- "ring",
+ "ring 0.17.14",
  "rustc-hash",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "schemars 0.8.22",
  "serde",
  "serde_json",
@@ -5268,9 +5332,11 @@ dependencies = [
  "tempfile",
  "thiserror 2.0.18",
  "thread_local",
+ "time",
  "tokio",
  "tokio-postgres",
  "tokio-postgres-rustls",
+ "tokio-rustls 0.26.4",
  "tracing",
  "url",
  "vectorscan-rs",
@@ -5293,6 +5359,43 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 
+[[package]]
+name = "lber"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2df7f9fd9f64cf8f59e1a4a0753fe7d575a5b38d3d7ac5758dcee9357d83ef0a"
+dependencies = [
+ "bytes",
+ "nom 7.1.3",
+]
+
+[[package]]
+name = "ldap3"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "166199a8207874a275144c8a94ff6eed5fcbf5c52303e4d9b4d53a0c7ac76554"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "futures",
+ "futures-util",
+ "lazy_static",
+ "lber",
+ "log",
+ "nom 7.1.3",
+ "percent-encoding",
+ "ring 0.16.20",
+ "rustls 0.21.12",
+ "rustls-native-certs 0.6.3",
+ "thiserror 1.0.69",
+ "tokio",
+ "tokio-rustls 0.24.1",
+ "tokio-stream",
+ "tokio-util",
+ "url",
+ "x509-parser",
+]
+
 [[package]]
 name = "leb128fmt"
 version = "0.1.0"
@@ -5710,7 +5813,7 @@ dependencies = [
  "percent-encoding",
  "rand 0.9.2",
  "rustc_version_runtime",
- "rustls",
+ "rustls 0.23.37",
  "rustversion",
  "serde",
  "serde_bytes",
@@ -5723,7 +5826,7 @@ dependencies = [
  "take_mut",
  "thiserror 2.0.18",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tokio-util",
  "typed-builder",
  "uuid",
@@ -5778,14 +5881,14 @@ dependencies = [
  "pem",
  "percent-encoding",
  "rand 0.9.2",
- "rustls",
- "rustls-pemfile",
+ "rustls 0.23.37",
+ "rustls-pemfile 2.2.0",
  "serde",
  "serde_json",
  "socket2 0.5.10",
  "thiserror 2.0.18",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tokio-util",
  "twox-hash",
  "url",
@@ -6103,7 +6206,7 @@ dependencies = [
  "reqwest-middleware 0.4.2",
  "reqwest-retry",
  "reqwest-tracing",
- "ring",
+ "ring 0.17.14",
  "schemars 0.8.22",
  "serde",
  "serde_json",
@@ -6114,6 +6217,15 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "oid-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "olpc-cjson"
 version = "0.1.4"
@@ -6141,6 +6253,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "openssl-probe"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
+
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
@@ -6759,7 +6877,7 @@ dependencies = [
  "quinn-proto",
  "quinn-udp",
  "rustc-hash",
- "rustls",
+ "rustls 0.23.37",
  "socket2 0.6.3",
  "thiserror 2.0.18",
  "tokio",
@@ -6778,9 +6896,9 @@ dependencies = [
  "getrandom 0.3.4",
  "lru-slab",
  "rand 0.9.2",
- "ring",
+ "ring 0.17.14",
  "rustc-hash",
- "rustls",
+ "rustls 0.23.37",
  "rustls-pki-types",
  "slab",
  "thiserror 2.0.18",
@@ -7051,15 +7169,15 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "quinn",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "rustls-pki-types",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "sync_wrapper",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tokio-util",
  "tower",
  "tower-http",
@@ -7097,7 +7215,7 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "quinn",
- "rustls",
+ "rustls 0.23.37",
  "rustls-pki-types",
  "rustls-platform-verifier",
  "serde",
@@ -7105,7 +7223,7 @@ dependencies = [
  "serde_urlencoded",
  "sync_wrapper",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "tokio-util",
  "tower",
  "tower-http",
@@ -7222,6 +7340,21 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "ring"
+version = "0.16.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+dependencies = [
+ "cc",
+ "libc",
+ "once_cell",
+ "spin 0.5.2",
+ "untrusted 0.7.1",
+ "web-sys",
+ "winapi",
+]
+
 [[package]]
 name = "ring"
 version = "0.17.14"
@@ -7302,6 +7435,15 @@ dependencies = [
  "semver",
 ]
 
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom 7.1.3",
+]
+
 [[package]]
 name = "rustix"
 version = "1.1.4"
@@ -7315,6 +7457,18 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.21.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
+dependencies = [
+ "log",
+ "ring 0.17.14",
+ "rustls-webpki 0.101.7",
+ "sct",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.37"
@@ -7324,23 +7478,44 @@ dependencies = [
  "aws-lc-rs",
  "log",
  "once_cell",
- "ring",
+ "ring 0.17.14",
  "rustls-pki-types",
- "rustls-webpki",
+ "rustls-webpki 0.103.10",
  "subtle",
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
+dependencies = [
+ "openssl-probe 0.1.6",
+ "rustls-pemfile 1.0.4",
+ "schannel",
+ "security-framework 2.11.1",
+]
+
 [[package]]
 name = "rustls-native-certs"
 version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
 dependencies = [
- "openssl-probe",
+ "openssl-probe 0.2.1",
  "rustls-pki-types",
  "schannel",
- "security-framework",
+ "security-framework 3.7.0",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
+dependencies = [
+ "base64 0.21.7",
 ]
 
 [[package]]
@@ -7368,16 +7543,16 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
 dependencies = [
- "core-foundation",
+ "core-foundation 0.10.1",
  "core-foundation-sys",
  "jni 0.21.1",
  "log",
  "once_cell",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.23.37",
+ "rustls-native-certs 0.8.3",
  "rustls-platform-verifier-android",
- "rustls-webpki",
- "security-framework",
+ "rustls-webpki 0.103.10",
+ "security-framework 3.7.0",
  "security-framework-sys",
  "webpki-root-certs",
  "windows-sys 0.61.2",
@@ -7389,6 +7564,16 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
+dependencies = [
+ "ring 0.17.14",
+ "untrusted 0.9.0",
+]
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.10"
@@ -7396,7 +7581,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
  "aws-lc-rs",
- "ring",
+ "ring 0.17.14",
  "rustls-pki-types",
  "untrusted 0.9.0",
 ]
@@ -7534,6 +7719,16 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "sct"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
+dependencies = [
+ "ring 0.17.14",
+ "untrusted 0.9.0",
+]
+
 [[package]]
 name = "sec1"
 version = "0.7.3"
@@ -7548,6 +7743,19 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags 2.11.0",
+ "core-foundation 0.9.4",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
 [[package]]
 name = "security-framework"
 version = "3.7.0"
@@ -7555,7 +7763,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
 dependencies = [
  "bitflags 2.11.0",
- "core-foundation",
+ "core-foundation 0.10.1",
  "core-foundation-sys",
  "libc",
  "security-framework-sys",
@@ -7995,6 +8203,12 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "spin"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+
 [[package]]
 name = "spin"
 version = "0.10.0"
@@ -8182,6 +8396,18 @@ dependencies = [
  "futures-core",
 ]
 
+[[package]]
+name = "synstructure"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+ "unicode-xid",
+]
+
 [[package]]
 name = "synstructure"
 version = "0.13.2"
@@ -8622,21 +8848,31 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "27d684bad428a0f2481f42241f821db42c54e2dc81d8c00db8536c506b0a0144"
 dependencies = [
  "const-oid 0.9.6",
- "ring",
- "rustls",
+ "ring 0.17.14",
+ "rustls 0.23.37",
  "tokio",
  "tokio-postgres",
- "tokio-rustls",
+ "tokio-rustls 0.26.4",
  "x509-cert",
 ]
 
+[[package]]
+name = "tokio-rustls"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
+dependencies = [
+ "rustls 0.21.12",
+ "tokio",
+]
+
 [[package]]
 name = "tokio-rustls"
 version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
- "rustls",
+ "rustls 0.23.37",
  "tokio",
 ]
 
@@ -9273,7 +9509,7 @@ dependencies = [
  "flate2",
  "log",
  "percent-encoding",
- "rustls",
+ "rustls 0.23.37",
  "rustls-pki-types",
  "serde",
  "serde_json",
@@ -9637,7 +9873,7 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fe985f41e291eecef5e5c0770a18d28390addb03331c043964d9e916453d6f16"
 dependencies = [
- "core-foundation",
+ "core-foundation 0.10.1",
  "jni 0.22.4",
  "log",
  "ndk-context",
@@ -10307,6 +10543,23 @@ dependencies = [
  "tls_codec",
 ]
 
+[[package]]
+name = "x509-parser"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7069fba5b66b9193bd2c5d3d4ff12b839118f6bcbef5328efafafb5395cf63da"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom 7.1.3",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
 [[package]]
 name = "xattr"
 version = "1.6.1"
@@ -10355,7 +10608,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "syn 2.0.117",
- "synstructure",
+ "synstructure 0.13.2",
 ]
 
 [[package]]
@@ -10396,7 +10649,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "syn 2.0.117",
- "synstructure",
+ "synstructure 0.13.2",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 37e6d19..e4f8b78 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,7 +48,7 @@ http = "1.4"
 
 [package]
 name = "kingfisher"
-version = "1.94.0"
+version = "1.95.0"
 description = "MongoDB's blazingly fast and accurate secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
diff --git a/README.md b/README.md
index decb35a..5e1aad6 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
     <img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" alt="License" style="height: 24px;" />
   </a>
   <a href="https://github.com/mongodb/kingfisher">
-    <img src="https://img.shields.io/badge/Detection%20Rules-734-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
+    <img src="https://img.shields.io/badge/Detection%20Rules-820-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
   </a>
   <br>
   <a href="https://github.com/mongodb/kingfisher/pkgs/container/kingfisher">
@@ -17,7 +17,7 @@
 
 Kingfisher is an open source secret scanner and **live secret validation** tool built in Rust.
 
-It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 700+ built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production.
+It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and **ships with 800+ built-in rules** to detect, **validate**, and triage leaked API keys, tokens, and credentials before they ever reach production.
 
 Designed for offensive security engineers and blue-team defenders alike, Kingfisher helps you scan repositories, cloud storage, chat, docs, and CI pipelines to find and verify exposed secrets quickly.
 
@@ -49,9 +49,9 @@ Kingfisher is a high-performance, open source secret detection tool for source c
 
 </div>
 
-### Performance, Accuracy, and 700+ Rules
+### Performance, Accuracy, and 800+ Rules
 - **Performance**: multithreaded, Hyperscan‑powered scanning built for huge codebases  
-- **Extensible rules**: 700+ built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md))  
+- **Extensible rules**: 800+ built-in rules plus YAML-defined custom rules ([docs/RULES.md](/docs/RULES.md))  
 - **Validate & Revoke**: live validation of discovered secrets, plus direct revocation for supported platforms (GitHub, GitLab, Slack, AWS, GCP, and more) ([docs/USAGE.md](/docs/USAGE.md))
 - **Revocation support matrix**: current built-in revocation coverage across providers and rule IDs ([docs/REVOCATION_PROVIDERS.md](/docs/REVOCATION_PROVIDERS.md))
 - **Blast Radius Mapping**: instantly map leaked keys to their effective cloud identities and exposed resources with `--access-map`. Supports 39 providers (see table below).
@@ -345,7 +345,7 @@ gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher
 
 # Detection Rules
 
-Kingfisher ships with [700+ built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/):
+Kingfisher ships with [800+ built-in rules](crates/kingfisher-rules/data/rules/) covering cloud keys, AI tokens, CI/CD secrets, database credentials, and SaaS API keys. Below is an overview — see the full list in [crates/kingfisher-rules/data/rules/](crates/kingfisher-rules/data/rules/):
 
 | Category | What we catch |
 |----------|---------------|
@@ -362,7 +362,7 @@ Kingfisher ships with [700+ built-in rules](crates/kingfisher-rules/data/rules/)
 
 ## Write Custom Rules
 
-Kingfisher ships with 700+ rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
+Kingfisher ships with 800+ rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
 
 However, you may want to add your own custom rules, or modify a detection to better suit your needs / environment.
 
diff --git a/crates/kingfisher-rules/data/rules/AGENTS.md b/crates/kingfisher-rules/data/rules/AGENTS.md
index cfc2b77..433d951 100644
--- a/crates/kingfisher-rules/data/rules/AGENTS.md
+++ b/crates/kingfisher-rules/data/rules/AGENTS.md
@@ -57,8 +57,11 @@ Strongly recommended fields:
 ## Validation Policy (Important)
 - Default: define validation logic in YAML under `validation:`.
 - Do not move validation logic into Rust unless YAML cannot reliably express it.
-- Code-backed validation types (for example AWS, GCP, Coinbase, MongoDB) are notable exceptions and should remain rare.
 - For new rules, first attempt `Http`/`Grpc` YAML validation before considering exception paths.
+- Typed validation kinds such as `AWS`, `AzureStorage`, `Coinbase`, `GCP`, `MongoDB`, `MySQL`, `Postgres`, `Jdbc`, and `JWT` are schema-level validator families. Use them when an existing typed validator already matches the problem.
+- `validation: { type: Raw, content: <name> }` is the ad-hoc exception path for provider-specific or protocol-specific flows that cannot be expressed cleanly in YAML. Raw implementations live in `crates/kingfisher-scanner/src/validation/raw.rs`.
+- When Rust validation is unavoidable for a one-off provider, prefer adding a raw validator instead of inventing a new typed validator.
+- Do not convert existing typed validators to `Raw` just for consistency.
 
 ## Revocation Policy
 - If a rule has validation and the provider API safely supports revocation, add `revocation:` in the same YAML rule.
@@ -70,7 +73,7 @@ Strongly recommended fields:
 1. Choose the target provider file (or add a new provider file if no suitable file exists).
 2. Copy a structurally similar rule from this directory.
 3. Implement/adjust `pattern`, `examples`, and filtering (`pattern_requirements`, `min_entropy`).
-4. Add YAML `validation` (default path).
+4. Add YAML `validation` (default path). Prefer `Http`/`Grpc`; if that fails, use an existing typed validator or `type: Raw` only when justified.
 5. Add YAML `revocation` when supported.
 6. Add `references` for token format/API behavior.
 7. Verify locally (below).
diff --git a/crates/kingfisher-rules/data/rules/agora.yml b/crates/kingfisher-rules/data/rules/agora.yml
index 61e1edf..2a328dc 100644
--- a/crates/kingfisher-rules/data/rules/agora.yml
+++ b/crates/kingfisher-rules/data/rules/agora.yml
@@ -47,6 +47,28 @@ rules:
     examples:
       - "agora.app_certificate=397a3af3db1950bdbd84f4e4ec18ebef"
       - "agora.app_secret = \"127a3af3db1950b8dbd4fe440c28ebef\""
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.agora.io/dev/v1/projects
+          headers:
+            Accept: application/json
+            Authorization: "Basic {{ AGORA_ID | append: ':' | append: TOKEN | b64enc }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"projects"'
+                - '"vendor_key"'
+    depends_on_rule:
+      - rule_id: kingfisher.agora.1
+        variable: AGORA_ID
     references:
+      - https://docs.agora.io/en/voice-calling/reference/agora-console-rest-api
       - https://docs.agora.io/en/rtc/restfulapi
-      - https://docs.agora.io/en/video-calling/reference/authentication-workflow
diff --git a/crates/kingfisher-rules/data/rules/amazonoauth.yml b/crates/kingfisher-rules/data/rules/amazonoauth.yml
new file mode 100644
index 0000000..b83242b
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/amazonoauth.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Login with Amazon OAuth Client ID
+    id: kingfisher.amazonoauth.1
+    pattern: |
+      (?x)
+      \b
+      (
+        amzn1\.application-oa2-client\.[a-f0-9]{20,40}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'AMAZON_CLIENT_ID=amzn1.application-oa2-client.1a2b3c4d5e6f7890abcdef1234567890'
+    references:
+      - https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html
diff --git a/crates/kingfisher-rules/data/rules/asaas.yml b/crates/kingfisher-rules/data/rules/asaas.yml
new file mode 100644
index 0000000..3b06e7b
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/asaas.yml
@@ -0,0 +1,18 @@
+rules:
+  - name: Asaas API Token
+    id: kingfisher.asaas.1
+    pattern: |
+      (?x)
+      (
+        \$aact_(?:prod|hmlg)_[a-zA-Z0-9_-]{20,100}
+      )
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'ASAAS_API_KEY=$aact_prod_abcdefghijklmnop1234567890ABCDEF'
+      - 'api_token: $aact_hmlg_abcdefghijklmnop1234567890ABCDEF'
+    references:
+      - https://docs.asaas.com/docs/authentication-2
diff --git a/crates/kingfisher-rules/data/rules/azure.yml b/crates/kingfisher-rules/data/rules/azure.yml
index 45fb88d..f909148 100644
--- a/crates/kingfisher-rules/data/rules/azure.yml
+++ b/crates/kingfisher-rules/data/rules/azure.yml
@@ -114,3 +114,25 @@ rules:
         variable: ACR_USERNAME
     references:
       - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
+
+  - name: Azure AD Client Secret (Microsoft Entra ID)
+    id: kingfisher.azure.6
+    pattern: |
+      (?x)
+      (?:^|['"\x60\s>=:(,])
+      (
+        [a-zA-Z0-9_~.]{3}
+        \d
+        Q~
+        [a-zA-Z0-9_~.\-]{31,34}
+      )
+      (?:$|['"\x60\s<),])
+    pattern_requirements:
+      min_digits: 1
+    min_entropy: 3.5
+    confidence: medium
+    examples:
+      - '"aBc4Q~xY9kLmNpQrStUvWxYz01234567890abcd"'
+      - 'AZURE_CLIENT_SECRET=xY14Q~abcdefghijklmnopqrstuvwxyz01234'
+    references:
+      - https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
diff --git a/crates/kingfisher-rules/data/rules/azureapim.yml b/crates/kingfisher-rules/data/rules/azureapim.yml
new file mode 100644
index 0000000..8ebe0da
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azureapim.yml
@@ -0,0 +1,64 @@
+rules:
+  - name: Azure API Management Subscription Key
+    id: kingfisher.azureapim.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:(?:apim|api[_\s-]*management)[_\s-]*(?:subscription[_\s-]*key|key))
+        |
+        (?i:Ocp-Apim-Subscription-Key)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-f0-9]{32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'Ocp-Apim-Subscription-Key: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d'
+      - 'APIM_SUBSCRIPTION_KEY=abcdef0123456789abcdef0123456789'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: "{{ APIM_URL }}"
+          headers:
+            Ocp-Apim-Subscription-Key: "{{ TOKEN }}"
+          response_is_html: true
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200, 201, 202, 204, 400, 404, 405]
+            - type: StatusMatch
+              status: [401, 403]
+              negative: true
+    depends_on_rule:
+      - rule_id: kingfisher.azureapim.2
+        variable: APIM_URL
+    references:
+      - https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions
+
+  - name: Azure API Management Gateway URL
+    id: kingfisher.azureapim.2
+    pattern: |
+      (?xi)
+      \b
+      (
+        https://[a-z0-9-]+(?:\.developer)?\.azure-api\.net(?:/[^\s"'<>]{0,200})?
+      )
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - https://contoso.azure-api.net/echo
+      - APIM_URL=https://contoso.developer.azure-api.net/api
+    references:
+      - https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions
+      - https://learn.microsoft.com/en-us/troubleshoot/azure/api-mgmt/availability/unauthorized-errors-invoke-apis
diff --git a/crates/kingfisher-rules/data/rules/azurebatch.yml b/crates/kingfisher-rules/data/rules/azurebatch.yml
new file mode 100644
index 0000000..df34ba2
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurebatch.yml
@@ -0,0 +1,71 @@
+rules:
+  - name: Azure Batch Account Key
+    id: kingfisher.azurebatch.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:azure[_\s-]*batch[_\s-]*(?:key|account[_\s-]*key|access[_\s-]*key))
+        |
+        (?i:batch[_\s-]*account[_\s-]*key)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [A-Za-z0-9+/]{86}==
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_lowercase: 2
+      min_special_chars: 1
+    min_entropy: 4.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'AZURE_BATCH_KEY=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA=='
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: '{{ BATCH_URL }}/applications?api-version=2020-09-01.12.0'
+          headers:
+            Accept: application/json
+            Content-Type: application/json
+            Date: '{{ REQUEST_RFC1123_DATE }}'
+            Authorization: |
+              {%- assign host = BATCH_URL | split: "://" | last | split: "/" | first -%}
+              {%- assign account_name = host | split: "." | first -%}
+              {%- assign resource_path = "/" | append: account_name | append: "/applications" | downcase -%}
+              {%- assign string_to_sign = "GET\n\n\n\n\napplication/json\n" | append: REQUEST_RFC1123_DATE | append: "\n\n\n\n\n\n" | append: resource_path | append: "\napi-version:2020-09-01.12.0" -%}
+              {%- assign signature = string_to_sign | hmac_sha256_b64key: TOKEN -%}
+              SharedKey {{ account_name }}:{{ signature }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+    depends_on_rule:
+      - rule_id: kingfisher.azurebatch.2
+        variable: BATCH_URL
+    references:
+      - https://learn.microsoft.com/en-us/azure/batch/batch-account-create-portal
+      - https://learn.microsoft.com/en-us/rest/api/batchservice/authenticate-requests-to-the-azure-batch-service
+
+  - name: Azure Batch Account Endpoint
+    id: kingfisher.azurebatch.2
+    pattern: |
+      (?xi)
+      \b
+      (
+        https://[a-z0-9-]+\.[a-z0-9-]+\.batch\.azure\.com
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - BATCH_URL=https://mybatch.westus.batch.azure.com
+      - batchAccountUrl="https://contoso-prod.eastus.batch.azure.com"
+    references:
+      - https://learn.microsoft.com/en-us/rest/api/batchservice/authenticate-requests-to-the-azure-batch-service
diff --git a/crates/kingfisher-rules/data/rules/azurecognitive.yml b/crates/kingfisher-rules/data/rules/azurecognitive.yml
new file mode 100644
index 0000000..41812a5
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurecognitive.yml
@@ -0,0 +1,46 @@
+rules:
+  - name: Azure Cognitive Services / AI Services Key
+    id: kingfisher.azurecognitive.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:azure[_\s-]*(?:cognitive|ai)[_\s-]*(?:service|key))
+        |
+        (?i:cognitive[_\s-]*service[_\s-]*(?:key|secret|subscription))
+        |
+        (?i:
+          (?:azure[_\s-]*)?(?:anomaly[_\s-]*detector|computer[_\s-]*vision|content[_\s-]*moderator|content[_\s-]*safety
+            |custom[_\s-]*vision|face[_\s-]*(?:api)?|form[_\s-]*recognizer|document[_\s-]*intelligence
+            |immersive[_\s-]*reader|language[_\s-]*understanding|luis
+            |personalizer|qna[_\s-]*maker|text[_\s-]*analytics|video[_\s-]*indexer
+            |metrics[_\s-]*advisor|health[_\s-]*insights|cognitive[_\s-]*service|ai[_\s-]*service)
+          [_\s-]*(?:key|api[_\s-]*key|subscription[_\s-]*key|secret)
+        )
+      )
+      \b
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-f0-9]{32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - AZURE_COGNITIVE_SERVICE_KEY=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
+      - AZURE_COMPUTER_VISION_KEY=abcdef0123456789abcdef0123456789
+      - content_moderator_key="1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d"
+      - AZURE_FACE_KEY=abcdef0123456789abcdef0123456789
+      - AZURE_FORM_RECOGNIZER_KEY=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
+      - AZURE_LUIS_KEY=abcdef0123456789abcdef0123456789
+      - AZURE_QNA_MAKER_KEY=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
+      - AZURE_TEXT_ANALYTICS_KEY=abcdef0123456789abcdef0123456789
+    references:
+      - https://learn.microsoft.com/en-us/azure/ai-services/
+      - https://learn.microsoft.com/en-us/azure/ai-services/computer-vision/
+      - https://learn.microsoft.com/en-us/azure/ai-services/content-moderator/
+      - https://learn.microsoft.com/en-us/azure/ai-services/luis/
diff --git a/crates/kingfisher-rules/data/rules/azurecommunication.yml b/crates/kingfisher-rules/data/rules/azurecommunication.yml
new file mode 100644
index 0000000..ce44bbf
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurecommunication.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Azure Communication Services Connection String
+    id: kingfisher.azurecommunication.1
+    pattern: |
+      (?x)
+      (?i:endpoint=https://(?:[a-z0-9-]+\.)?(?:communication|comm)\.azure\.com/;accesskey=)
+      (
+        [A-Za-z0-9+/]{40,90}={0,2}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_special_chars: 1
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'endpoint=https://myresource.communication.azure.com/;accesskey=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFGHIJKLMNOPQRS+/=='
+    references:
+      - https://learn.microsoft.com/en-us/azure/communication-services/
diff --git a/crates/kingfisher-rules/data/rules/azurecosmosdb.yml b/crates/kingfisher-rules/data/rules/azurecosmosdb.yml
new file mode 100644
index 0000000..a531cb1
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurecosmosdb.yml
@@ -0,0 +1,77 @@
+rules:
+  - name: Azure CosmosDB Account Key
+    id: kingfisher.azurecosmosdb.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:cosmos(?:db)?[_\s-]*(?:key|account[_\s-]*key|primary[_\s-]*key|secondary[_\s-]*key|master[_\s-]*key))
+        |
+        (?i:azure[_\s-]*cosmos(?:db)?[_\s-]*(?:key|account_key|primary_key|master_key))
+        |
+        (?i:documentdb(?:authkey|key))
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [A-Za-z0-9+/]{86}==
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_lowercase: 2
+      min_special_chars: 1
+    min_entropy: 4.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - AZURE_COSMOSDB_KEY=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA==
+      - 'DocumentDbAuthKey=B/1EVX2Ui47X09tqU3GI/j+Nko9r5COPm0Hea9tfzitF9MQX9lZZiNO3tYQckWnt+rtlGIWS+sCx+AStkq8ZLg=='
+    references:
+      - https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-obtain-account-keys
+
+  - name: Azure CosmosDB Connection String
+    id: kingfisher.azurecosmosdb.2
+    pattern: |
+      (?x)
+      (?i:AccountEndpoint=(?P<COSMOS_ENDPOINT>https://[a-z0-9-]+\.documents\.azure\.com(?::\d+)?)/?;)
+      AccountKey=
+      (?P<secret>
+        (?P<TOKEN>
+          [A-Za-z0-9+/]{86}==
+        )
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_special_chars: 1
+    min_entropy: 4.0
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'AccountEndpoint=https://myaccount.documents.azure.com:443;AccountKey=oqb4TdY9T0hphvktd5fJnMiHuQqzVy1jd5sSuOpAbGkaoqTlrHl0BOJN2okcasinVLOJzfDbZo1L+ASt68RAhA==;'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: "{{ COSMOS_ENDPOINT }}/dbs"
+          headers:
+            Accept: application/json
+            x-ms-date: '{%- assign x_ms_date = "" | date: "%a, %d %b %Y %H:%M:%S GMT" | downcase -%}{{ x_ms_date }}'
+            x-ms-version: "2018-12-31"
+            Authorization: |
+              {%- assign x_ms_date = "" | date: "%a, %d %b %Y %H:%M:%S GMT" | downcase -%}
+              {%- assign string_to_sign = "get\ndbs\n\n" | append: x_ms_date | append: "\n\n" -%}
+              {%- assign signature = string_to_sign | hmac_sha256_b64key: TOKEN | url_encode -%}
+              type=master&ver=1.0&sig={{ signature }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              words:
+                - '"Databases"'
+    references:
+      - https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-obtain-account-keys
+      - https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources
diff --git a/crates/kingfisher-rules/data/rules/azureeventgrid.yml b/crates/kingfisher-rules/data/rules/azureeventgrid.yml
new file mode 100644
index 0000000..12b1f19
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azureeventgrid.yml
@@ -0,0 +1,28 @@
+rules:
+  - name: Azure Event Grid Key
+    id: kingfisher.azureeventgrid.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:event[_\s-]*grid[_\s-]*(?:key|access[_\s-]*key|topic[_\s-]*key))
+        |
+        (?i:azure_event_grid[_\s-]*(?:key|access_key|topic_key))
+        |
+        (?i:aeg-sas-key)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [A-Za-z0-9+/]{40,50}={0,2}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'AZURE_EVENT_GRID_KEY=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFG=='
+      - 'aeg-sas-key: AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFG=='
+    references:
+      - https://learn.microsoft.com/en-us/azure/event-grid/
diff --git a/crates/kingfisher-rules/data/rules/azurefunctionkey.yml b/crates/kingfisher-rules/data/rules/azurefunctionkey.yml
new file mode 100644
index 0000000..f0eddaf
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurefunctionkey.yml
@@ -0,0 +1,56 @@
+rules:
+  - name: Azure Function Key in URL
+    id: kingfisher.azurefunctionkey.1
+    pattern: |
+      (?x)
+      (
+        (?i:https://[a-z0-9-]+\.azurewebsites\.net/api/)[a-zA-Z0-9_-]+
+        (?i:\?code=)[a-zA-Z0-9_/+=-]{20,100}
+      )
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'https://myfunc.azurewebsites.net/api/HttpTrigger1?code=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890/+=='
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: "{{ TOKEN }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200, 202, 204, 400, 404, 405]
+            - type: StatusMatch
+              status: [401, 403]
+              negative: true
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger
+
+  - name: Azure Function Master/Host Key
+    id: kingfisher.azurefunctionkey.2
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:azure[_\s-]*function[_\s-]*(?:key|master[_\s-]*key|host[_\s-]*key))
+        |
+        (?i:x-functions-key)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-zA-Z0-9_/+=-]{40,100}
+      )
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'AZURE_FUNCTION_KEY=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFGH/+=='
+      - 'x-functions-key: AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFGH'
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger
diff --git a/crates/kingfisher-rules/data/rules/azurelogicapps.yml b/crates/kingfisher-rules/data/rules/azurelogicapps.yml
new file mode 100644
index 0000000..380fca8
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurelogicapps.yml
@@ -0,0 +1,22 @@
+rules:
+  - name: Azure Logic Apps SAS URL
+    id: kingfisher.azurelogicapps.1
+    pattern: |
+      (?x)
+      (
+        (?i:https://(?:[a-z0-9-]+\.)+logic\.azure\.com)
+        (?::\d+)?/workflows/[A-Fa-f0-9]+/triggers/[a-zA-Z0-9_-]+/paths/invoke
+        (?i:\?api-version=)[0-9-]+
+        (?i:&sp=)[%a-zA-Z0-9/]+
+        (?i:&sv=)[0-9.]+
+        (?i:&sig=)[a-zA-Z0-9_/+=-]+
+      )
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'https://prod-00.eastus.logic.azure.com/workflows/abcdef1234567890/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
diff --git a/crates/kingfisher-rules/data/rules/azuremaps.yml b/crates/kingfisher-rules/data/rules/azuremaps.yml
new file mode 100644
index 0000000..177a382
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azuremaps.yml
@@ -0,0 +1,21 @@
+rules:
+  - name: Azure Maps Subscription Key
+    id: kingfisher.azuremaps.1
+    pattern: |
+      (?x)
+      \b
+      (?i:azure[_\s-]*maps[_\s-]*(?:key|subscription[_\s-]*key|api[_\s-]*key|secret))
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-zA-Z0-9_-]{32,44}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - AZURE_MAPS_KEY=AbCdEfGhIjKlMnOpQrStUvWxYz123456
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-maps/how-to-manage-authentication
diff --git a/crates/kingfisher-rules/data/rules/azuremixedreality.yml b/crates/kingfisher-rules/data/rules/azuremixedreality.yml
new file mode 100644
index 0000000..6694b91
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azuremixedreality.yml
@@ -0,0 +1,28 @@
+rules:
+  - name: Azure Mixed Reality / Spatial Anchors Key
+    id: kingfisher.azuremixedreality.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:
+          (?:azure[_\s-]*)?(?:mixed[_\s-]*reality|spatial[_\s-]*anchors?|remote[_\s-]*rendering)
+          [_\s-]*(?:key|account[_\s-]*key|access[_\s-]*key)
+        )
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-f0-9]{32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'AZURE_SPATIAL_ANCHORS_KEY=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d'
+      - 'AZURE_REMOTE_RENDERING_KEY=abcdef0123456789abcdef0123456789'
+    references:
+      - https://learn.microsoft.com/en-us/azure/spatial-anchors/
diff --git a/crates/kingfisher-rules/data/rules/azuresastoken.yml b/crates/kingfisher-rules/data/rules/azuresastoken.yml
new file mode 100644
index 0000000..448849e
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azuresastoken.yml
@@ -0,0 +1,50 @@
+rules:
+  - name: Azure SAS Token
+    id: kingfisher.azuresastoken.1
+    pattern: |
+      (?x)
+      (
+        (?i:(?:sv|SharedAccessSignature\s+sr))=[0-9]{4}-[0-9]{2}-[0-9]{2}
+        (?:&(?i:[a-z]{2,4})=[^&\s"']{1,200}){2,10}
+        (?i:&sig=)[a-zA-Z0-9%+/=]{20,100}
+      )
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2024-12-31&st=2024-01-01&spr=https&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2BABCDE%3D'
+    references:
+      - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
+
+  - name: Azure SAS Token in URL
+    id: kingfisher.azuresastoken.2
+    pattern: |
+      (?x)
+      (
+        (?i:https://[a-z0-9-]+\.(?:blob|queue|table|file|dfs)\.core\.windows\.net/)[^\s"']*
+        \?[^\s"']*(?i:sig=)[a-zA-Z0-9%+/=]{20,100}[^\s"']*
+      )
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'https://mystorageaccount.blob.core.windows.net/mycontainer/myblob?sv=2021-06-08&st=2024-01-01&se=2024-12-31&sr=b&sp=r&sig=AbCdEfGhIjKlMnOp%2BQrStUvWxYz%3D'
+    validation:
+      type: Http
+      content:
+        request:
+          method: HEAD
+          url: "{{ TOKEN }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200, 206, 404]
+            - type: StatusMatch
+              status: [401, 403]
+              negative: true
+    references:
+      - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
diff --git a/crates/kingfisher-rules/data/rules/azuresignalr.yml b/crates/kingfisher-rules/data/rules/azuresignalr.yml
new file mode 100644
index 0000000..3b952cc
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azuresignalr.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Azure SignalR Connection String
+    id: kingfisher.azuresignalr.1
+    pattern: |
+      (?x)
+      (?i:Endpoint=https://(?:[a-z0-9-]+\.service\.signalr\.net);AccessKey=)
+      (
+        [A-Za-z0-9+/]{40,90}={0,2}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_special_chars: 1
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'Endpoint=https://myservice.service.signalr.net;AccessKey=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFGHIJKLMNOPQRS+/==;Version=1.0;'
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-signalr/
diff --git a/crates/kingfisher-rules/data/rules/azuresql.yml b/crates/kingfisher-rules/data/rules/azuresql.yml
new file mode 100644
index 0000000..e4cb7ba
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azuresql.yml
@@ -0,0 +1,46 @@
+rules:
+  - name: Azure SQL Connection String
+    id: kingfisher.azuresql.1
+    pattern: |
+      (?x)
+      (?i:Server=tcp:(?:[a-z0-9-]+\.database\.windows\.net),\d+;)
+      (?:.|[\n\r]){0,100}?
+      (?i:Password=)(
+        [^;'"]{8,128}
+      )
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;Persist Security Info=False;User ID=admin;Password=MyP@ssw0rd!123;'
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide
+
+  - name: Azure SQL Password Assignment
+    id: kingfisher.azuresql.2
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:azure[_\s-]*sql[_\s-]*password)
+        |
+        (?i:sql_admin_password)
+        |
+        (?i:mssql_sa_password)
+      )
+      \b
+      (?:.|[\n\r]){0,8}?
+      [=:]
+      \s*["']?
+      ([^\s"']{8,128})
+      ["']?
+    min_entropy: 3.0
+    confidence: medium
+    categories: [password]
+    examples:
+      - 'AZURE_SQL_PASSWORD=MyStr0ngP@ssword!'
+      - 'SQL_ADMIN_PASSWORD="Compl3x!Pass#2024"'
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide
diff --git a/crates/kingfisher-rules/data/rules/azurewebpubsub.yml b/crates/kingfisher-rules/data/rules/azurewebpubsub.yml
new file mode 100644
index 0000000..713c46c
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/azurewebpubsub.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Azure Web PubSub Connection String
+    id: kingfisher.azurewebpubsub.1
+    pattern: |
+      (?x)
+      (?i:Endpoint=https://(?:[a-z0-9-]+\.webpubsub\.azure\.com);AccessKey=)
+      (
+        [A-Za-z0-9+/]{40,90}={0,2}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_special_chars: 1
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'Endpoint=https://myservice.webpubsub.azure.com;AccessKey=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFGHIJKLMNOPQRS+/==;Version=1.0;'
+    references:
+      - https://learn.microsoft.com/en-us/azure/azure-web-pubsub/
diff --git a/crates/kingfisher-rules/data/rules/bitfinex.yml b/crates/kingfisher-rules/data/rules/bitfinex.yml
index d78769f..b79baed 100644
--- a/crates/kingfisher-rules/data/rules/bitfinex.yml
+++ b/crates/kingfisher-rules/data/rules/bitfinex.yml
@@ -47,9 +47,30 @@ rules:
     examples:
       - "bitfinex\nsecret = 8d7c3965318b8d20f7648dbda96fbfa23f4d1c449aa"
       - "bitfinex\napi-secret = 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1d2"
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://api.bitfinex.com/v2/auth/r/wallets
+          headers:
+            Accept: application/json
+            Content-Type: application/json
+            bfx-apikey: "{{ BITFINEX_KEY }}"
+            bfx-nonce: "{{ REQUEST_UNIX_MILLIS }}"
+            bfx-signature: |
+              {%- assign request_path = "/v2/auth/r/wallets" -%}
+              {%- assign request_body = "{}" -%}
+              {%- assign signature_payload = "/api" | append: request_path | append: REQUEST_UNIX_MILLIS | append: request_body -%}
+              {{ signature_payload | hmac_sha384_hex: TOKEN }}
+          body: "{}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+    depends_on_rule:
+      - rule_id: kingfisher.bitfinex.1
+        variable: BITFINEX_KEY
     references:
-      - https://docs.bitfinex.com/docs
       - https://docs.bitfinex.com/docs/rest-auth
-    # No simple validation: Bitfinex REST API v2 uses HMAC-SHA384
-    # request signing with a nonce and payload. Cannot validate with
-    # a static Bearer/API-key style header.
diff --git a/crates/kingfisher-rules/data/rules/bitrise.yml b/crates/kingfisher-rules/data/rules/bitrise.yml
new file mode 100644
index 0000000..b27ce22
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/bitrise.yml
@@ -0,0 +1,35 @@
+rules:
+  - name: Bitrise Personal Access Token
+    id: kingfisher.bitrise.1
+    pattern: |
+      (?x)
+      \b
+      (?i:bitrise)
+      (?:.|[\n\r]){0,24}?
+      (?i:token|pat|personal[_\s-]*access)
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-zA-Z0-9_-]{60,120}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'BITRISE_TOKEN=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz12'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.bitrise.io/v0.1/me
+          headers:
+            Authorization: '{{ TOKEN }}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://devcenter.bitrise.io/en/api/authenticating-with-the-bitrise-api.html
diff --git a/crates/kingfisher-rules/data/rules/blockprotocol.yml b/crates/kingfisher-rules/data/rules/blockprotocol.yml
new file mode 100644
index 0000000..0797b1e
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/blockprotocol.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Block Protocol API Key
+    id: kingfisher.blockprotocol.1
+    pattern: |
+      (?x)
+      \b
+      (
+        b10ck5\.[a-zA-Z0-9]{28,36}\.[a-zA-Z0-9]{32,40}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'BLOCK_PROTOCOL_API_KEY=b10ck5.AbCdEfGhIjKlMnOpQrStUvWxYz1234.AbCdEfGhIjKlMnOpQrStUvWxYz12345678'
+    references:
+      - https://blockprotocol.org/docs/hub/api
diff --git a/crates/kingfisher-rules/data/rules/canva.yml b/crates/kingfisher-rules/data/rules/canva.yml
new file mode 100644
index 0000000..e8d84cb
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/canva.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Canva Connect API Client Secret
+    id: kingfisher.canva.1
+    pattern: |
+      (?x)
+      \b
+      (
+        cnvca[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'CANVA_CLIENT_SECRET=cnvcaAbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://www.canva.dev/docs/connect/authentication/
+      - https://www.canva.dev/docs/connect/guidelines/security/
diff --git a/crates/kingfisher-rules/data/rules/cfxre.yml b/crates/kingfisher-rules/data/rules/cfxre.yml
new file mode 100644
index 0000000..f0325d2
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/cfxre.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Cfx.re FiveM Server Key
+    id: kingfisher.cfxre.1
+    pattern: |
+      (?x)
+      \b
+      (
+        cfxk_[a-zA-Z0-9_-]{20,100}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'sv_licenseKey "cfxk_AbCdEfGhIjKlMnOpQrStUvWxYz1234567890_abcdef"'
+    references:
+      - https://docs.fivem.net/docs/server-manual/setting-up-a-server/
diff --git a/crates/kingfisher-rules/data/rules/cockroachlabs.yml b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
new file mode 100644
index 0000000..9fbcc40
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
@@ -0,0 +1,28 @@
+rules:
+  - name: CockroachDB Cloud API Key
+    id: kingfisher.cockroachlabs.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:cockroach(?:db)?(?:cloud)?)
+        (?:.|[\n\r]){0,24}?
+        (?i:api[_\s-]*key|secret|token)
+        |
+        (?i:CC_API_KEY)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [A-Z0-9_]{20,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'COCKROACHDB_API_KEY=B81649_8F7D11A_92BCE13_56782D_C53'
+    references:
+      - https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
diff --git a/crates/kingfisher-rules/data/rules/docker.yml b/crates/kingfisher-rules/data/rules/docker.yml
index 888e717..2ec5055 100644
--- a/crates/kingfisher-rules/data/rules/docker.yml
+++ b/crates/kingfisher-rules/data/rules/docker.yml
@@ -45,4 +45,42 @@ rules:
           response_matcher:
             - report_response: true
             - type: StatusMatch
-              status: [200]
\ No newline at end of file
+              status: [200]
+
+  - name: Docker Swarm Join Token
+    id: kingfisher.docker.2
+    pattern: |
+      (?x)
+      \b
+      (
+        SWMTKN-1-[a-z0-9]{50,60}-[a-z0-9]{24,30}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 192.168.99.100:2377'
+    references:
+      - https://docs.docker.com/engine/swarm/join-nodes/
+
+  - name: Docker Swarm Unlock Key
+    id: kingfisher.docker.3
+    pattern: |
+      (?x)
+      \b
+      (
+        SWMKEY-1-[A-Za-z0-9+/]{40,50}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'docker swarm unlock --key SWMKEY-1-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890ABCDEFG'
+    references:
+      - https://docs.docker.com/engine/swarm/swarm_manager_locking/
diff --git a/crates/kingfisher-rules/data/rules/docusign.yml b/crates/kingfisher-rules/data/rules/docusign.yml
index 207bdc2..56cf8a1 100644
--- a/crates/kingfisher-rules/data/rules/docusign.yml
+++ b/crates/kingfisher-rules/data/rules/docusign.yml
@@ -25,7 +25,107 @@ rules:
     examples:
       - "docusign.secret_key = 7a39ce6d-94cf-4bf6-9e9e-9213373c15f4"
       - "docusign\nds_secret = 3d2f18c9-2075-4e78-834b-64f57f8757d0"
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: "https://{{ DOCUSIGN_AUTH_HOST }}/oauth/token"
+          headers:
+            Accept: application/json
+            Content-Type: application/x-www-form-urlencoded
+          body: >
+            grant_type=authorization_code&code=INVALID_AUTH_CODE&client_id={{ DOCUSIGN_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ REDIRECT_URI | url_encode }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - invalid_grant
+                - invalid authorization code
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    depends_on_rule:
+      - rule_id: kingfisher.docusign.2
+        variable: DOCUSIGN_CLIENT_ID
+      - rule_id: kingfisher.docusign.3
+        variable: DOCUSIGN_AUTH_HOST
+      - rule_id: kingfisher.docusign.4
+        variable: REDIRECT_URI
+    references:
+      - https://developers.docusign.com/platform/auth/
+      - https://developers.docusign.com/platform/build-integration/
+
+  - name: DocuSign Integration Key
+    id: kingfisher.docusign.2
+    pattern: |
+      (?xi)
+      \b
+      docusign
+      (?:.|[\n\r]){0,64}?
+      (?:integration[_-]?key|client[_-]?id|app[_-]?id)\b
+      (?:.|[\n\r]){0,16}?
+      [=:"'\s]
+      ['"]*
+      (
+        [a-f0-9]{8}-
+        [a-f0-9]{4}-
+        [a-f0-9]{4}-
+        [a-f0-9]{4}-
+        [a-f0-9]{12}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 6
+    min_entropy: 3.0
+    confidence: medium
+    visible: false
+    examples:
+      - DOCUSIGN_CLIENT_ID=7a39ce6d-94cf-4bf6-9e9e-9213373c15f4
+      - 'docusign.integration_key = "3d2f18c9-2075-4e78-834b-64f57f8757d0"'
     references:
       - https://developers.docusign.com/platform/build-integration/
-    # No public validation endpoint: DocuSign OAuth secret keys cannot be
-    # validated without a full Authorization Code Grant flow.
+
+  - name: DocuSign Auth Host
+    id: kingfisher.docusign.3
+    pattern: |
+      (?xi)
+      \b
+      (
+        account(?:-d)?\.docusign\.com
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - account.docusign.com
+      - account-d.docusign.com
+    references:
+      - https://developers.docusign.com/platform/auth/
+
+  - name: DocuSign Redirect URI
+    id: kingfisher.docusign.4
+    pattern: |
+      (?xi)
+      \b
+      docusign
+      (?:.|[\n\r]){0,64}?
+      (?:redirect[_-]?uri|oauth[_-]?redirect)\b
+      (?:.|[\n\r]){0,16}?
+      [=:"'\s]
+      (
+        https?://[^\s"'<>]{6,200}
+      )
+    min_entropy: 1.5
+    confidence: medium
+    visible: false
+    examples:
+      - DOCUSIGN_REDIRECT_URI=https://example.com/docusign/callback
+      - 'docusign.redirect_uri = "https://localhost:3000/oauth/docusign"'
+    references:
+      - https://developers.docusign.com/platform/auth/
diff --git a/crates/kingfisher-rules/data/rules/dropbox.yml b/crates/kingfisher-rules/data/rules/dropbox.yml
index 9dd5aca..051047a 100644
--- a/crates/kingfisher-rules/data/rules/dropbox.yml
+++ b/crates/kingfisher-rules/data/rules/dropbox.yml
@@ -33,5 +33,40 @@ rules:
                 - '"account_id":'
                 - '"email":'
           url: https://api.dropboxapi.com/2/users/get_current_account
+    references:
+      - https://www.dropbox.com/developers/documentation/http/documentation#auth
+
+  - name: Dropbox Long-Lived API Token
+    id: kingfisher.dropbox.2
+    pattern: |
+      (?x)
+      \b
+      (
+        [a-z0-9]{11}
+        AAAAAAAAAA
+        [a-z0-9\-_=]{43}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - 'ab3cd5ef7g9AAAAAAAAAAbcdefghij-klmnopqrstuvwxyz01234567890abcdef'
+    validation:
+      type: Http
+      content:
+        request:
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          method: POST
+          response_matcher:
+            - report_response: true
+            - match_all_words: true
+              type: WordMatch
+              words:
+                - '"account_id":'
+                - '"email":'
+          url: https://api.dropboxapi.com/2/users/get_current_account
     references:
       - https://www.dropbox.com/developers/documentation/http/documentation#auth
\ No newline at end of file
diff --git a/crates/kingfisher-rules/data/rules/dwolla.yml b/crates/kingfisher-rules/data/rules/dwolla.yml
index e1509e1..7c66a3b 100644
--- a/crates/kingfisher-rules/data/rules/dwolla.yml
+++ b/crates/kingfisher-rules/data/rules/dwolla.yml
@@ -47,7 +47,48 @@ rules:
     examples:
       - "dwolla secret = 4d1d407752bfd562bZ=9b7c21f8862fdfc57bc1e45\n"
       - "dwolla\nclient_secret = 7e4e5297691a673cA=0c7d43b997ec1h8dcaf56\n"
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: "{{ DWOLLA_API_BASE }}/token"
+          headers:
+            Accept: application/json
+            Content-Type: application/x-www-form-urlencoded
+            Authorization: "Basic {{ CLIENT_ID | append: ':' | append: TOKEN | b64enc }}"
+          body: grant_type=client_credentials
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              words:
+                - '"access_token"'
+    depends_on_rule:
+      - rule_id: kingfisher.dwolla.1
+        variable: CLIENT_ID
+      - rule_id: kingfisher.dwolla.3
+        variable: DWOLLA_API_BASE
     references:
-      - https://developers.dwolla.com/
-    # No simple validation: Dwolla OAuth2 requires both client_id and
-    # client_secret together for the token endpoint.
+      - https://developers.dwolla.com/docs/api-reference/tokens/create-an-application-access-token
+      - https://developers.dwolla.com/docs/balance/auth/application-access-tokens
+
+  - name: Dwolla API Base URL
+    id: kingfisher.dwolla.3
+    visible: false
+    pattern: |
+      (?xi)
+      \b
+      (
+        https://api(?:-sandbox)?\.dwolla\.com
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    examples:
+      - DWOLLA_API_BASE=https://api.dwolla.com
+      - DWOLLA_BASE_URL="https://api-sandbox.dwolla.com"
+    references:
+      - https://developers.dwolla.com/docs/api-reference/tokens/create-an-application-access-token
diff --git a/crates/kingfisher-rules/data/rules/ebay.yml b/crates/kingfisher-rules/data/rules/ebay.yml
new file mode 100644
index 0000000..3e71f77
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/ebay.yml
@@ -0,0 +1,58 @@
+rules:
+  - name: eBay Production Client ID
+    id: kingfisher.ebay.1
+    pattern: |
+      (?x)
+      \b
+      (
+        [a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-PRD-[a-f0-9]{8,12}-[a-f0-9]{8,12}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'EBAY_CLIENT_ID=MyApp-MyApp-PRD-1a2b3c4d-567890ab'
+    references:
+      - https://developer.ebay.com/api-docs/static/oauth-credentials.html
+
+  - name: eBay Sandbox Client ID
+    id: kingfisher.ebay.2
+    pattern: |
+      (?x)
+      \b
+      (
+        [a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-SBX-[a-f0-9]{8,12}-[a-f0-9]{8,12}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'EBAY_SANDBOX_CLIENT_ID=MyApp-MyApp-SBX-1a2b3c4d-567890ab'
+    references:
+      - https://developer.ebay.com/api-docs/static/oauth-credentials.html
+
+  - name: eBay Client Secret
+    id: kingfisher.ebay.3
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:PRD|SBX)-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4,12}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 8
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'EBAY_CLIENT_SECRET=PRD-1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b'
+      - 'EBAY_SANDBOX_SECRET=SBX-1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b'
+    references:
+      - https://developer.ebay.com/api-docs/static/oauth-credentials.html
diff --git a/crates/kingfisher-rules/data/rules/elastic.yml b/crates/kingfisher-rules/data/rules/elastic.yml
new file mode 100644
index 0000000..e4040d7
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/elastic.yml
@@ -0,0 +1,48 @@
+rules:
+  - name: Elastic Cloud API Key
+    id: kingfisher.elastic.1
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:elastic(?:[_\s-]*(?:search|cloud))?)
+        (?:.|[\n\r]){0,24}?
+        (?i:api[_\s-]*key|apikey)
+        |
+        (?i:EC_API_KEY)
+      )
+      (?:.|[\n\r]){0,16}?
+      (
+        [A-Za-z0-9+/=]{40,120}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+      min_lowercase: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'ELASTIC_CLOUD_API_KEY=VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=='
+    references:
+      - https://www.elastic.co/docs/deploy-manage/api-keys/elastic-cloud-api-keys
+
+  - name: Elasticsearch API Key with Prefix
+    id: kingfisher.elastic.2
+    pattern: |
+      (?x)
+      \b
+      (?i:Authorization:\s*ApiKey\s+)
+      (
+        [A-Za-z0-9+/=]{40,120}
+      )
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=='
+    references:
+      - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html
diff --git a/crates/kingfisher-rules/data/rules/flutterwave.yml b/crates/kingfisher-rules/data/rules/flutterwave.yml
index ae0819d..da74a8c 100644
--- a/crates/kingfisher-rules/data/rules/flutterwave.yml
+++ b/crates/kingfisher-rules/data/rules/flutterwave.yml
@@ -38,6 +38,27 @@ rules:
       - FLW_SECRET_KEY=FLWSECK_TEST-a514d8f1abd080db1502a144f22954dc-X
       - 'Authorization: Bearer FLWSECK_TEST-5b1f0a33de9c41748c2a7e9b51d3c6af-X'
       - seckey=FLWSECK-e6db11d1f8a6208de8cb2f94e293450e-X
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://idp.flutterwave.com/realms/flutterwave/protocol/openid-connect/token
+          headers:
+            Accept: application/json
+            Content-Type: application/x-www-form-urlencoded
+          body: >
+            client_id={{ CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&grant_type=client_credentials
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              words:
+                - '"access_token"'
+    depends_on_rule:
+      - rule_id: kingfisher.flutterwave.1
+        variable: CLIENT_ID
     references:
       - https://developer.flutterwave.com/docs/authentication
-      - https://developer.flutterwave.com/v2.0/reference/api-request-and-response-standards
diff --git a/crates/kingfisher-rules/data/rules/ftp.yml b/crates/kingfisher-rules/data/rules/ftp.yml
index 7371036..a239e6f 100644
--- a/crates/kingfisher-rules/data/rules/ftp.yml
+++ b/crates/kingfisher-rules/data/rules/ftp.yml
@@ -4,12 +4,16 @@ rules:
     pattern: |
       (?xi)
       \b
-      ftps?://
-      [^:@\s]{1,64}
-      :
-      ([^@\s]{6,128})
-      @
-      [^\s/"']{4,128}
+      (?P<TOKEN>
+        (?P<FTP_SCHEME>ftps?)://
+        (?P<FTP_USERNAME>[^:@\s]{1,64})
+        :
+        (?P<FTP_PASSWORD>[^@\s]{6,128})
+        @
+        (?P<FTP_HOST>[^\s/"':]{4,128})
+        (?::(?P<FTP_PORT>\d{2,5}))?
+        (?:/[^\s"']*)?
+      )
     pattern_requirements:
       min_digits: 2
     min_entropy: 2.5
@@ -17,6 +21,9 @@ rules:
     examples:
       - "ftp://johndoe:pg9stqu2018@files.example.edu.cn"
       - "BACKUP_URL=ftps://backupuser:S5ec4rePassWord@ftp.corp.example.com"
+    validation:
+      type: Raw
+      content: ftp
     references:
       - https://datatracker.ietf.org/doc/html/rfc959
-    # No public validation endpoint: FTP servers are instance-specific.
+      - https://datatracker.ietf.org/doc/html/rfc4217
diff --git a/crates/kingfisher-rules/data/rules/gitlab.yml b/crates/kingfisher-rules/data/rules/gitlab.yml
index 1f49d88..2fa5320 100644
--- a/crates/kingfisher-rules/data/rules/gitlab.yml
+++ b/crates/kingfisher-rules/data/rules/gitlab.yml
@@ -191,3 +191,264 @@ rules:
             - type: StatusMatch
               status: [204]
           url: https://gitlab.com/api/v4/personal_access_tokens/self
+
+  - name: GitLab CI/CD Job Token
+    id: kingfisher.gitlab.5
+    pattern: |
+      (?x)
+      \b
+      (
+        glcbt-
+        [0-9a-zA-Z]{1,5}
+        _
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glcbt-ab12_xY9kLmNpQrStUvWxYz01
+      - 'CI_JOB_TOKEN=glcbt-a1b2c_3dEfGhIjKlMnOpQrStUv'
+    references:
+      - https://docs.gitlab.com/ci/jobs/ci_job_token/
+
+  - name: GitLab Deploy Token
+    id: kingfisher.gitlab.6
+    pattern: |
+      (?x)
+      \b
+      (
+        gldt-
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - gldt-xY9kLmNpQrStUvWxYz01
+      - 'DEPLOY_TOKEN=gldt-3dEfGhIjK4MnOpQrStUv'
+    references:
+      - https://docs.gitlab.com/user/project/deploy_tokens/
+
+  - name: GitLab Feature Flag Client Token
+    id: kingfisher.gitlab.7
+    pattern: |
+      (?x)
+      \b
+      (
+        glffct-
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glffct-xY9kLmNpQrStUvWxYz01
+    references:
+      - https://docs.gitlab.com/operations/feature_flags/
+
+  - name: GitLab Feed Token
+    id: kingfisher.gitlab.8
+    pattern: |
+      (?x)
+      \b
+      (
+        glft-
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glft-xY9kLmNpQrStUvWxYz01
+    references:
+      - https://docs.gitlab.com/user/profile/contributions_calendar/#feed-token
+
+  - name: GitLab Incoming Mail Token
+    id: kingfisher.gitlab.9
+    pattern: |
+      (?x)
+      \b
+      (
+        glimt-
+        [0-9a-zA-Z_-]{25}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glimt-xY9kLmNpQrStUvWxYz0123456
+    references:
+      - https://docs.gitlab.com/administration/incoming_email/
+
+  - name: GitLab Kubernetes Agent Token
+    id: kingfisher.gitlab.10
+    pattern: |
+      (?x)
+      \b
+      (
+        glagent-
+        [0-9a-zA-Z_-]{50}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glagent-xY9kLmNpQrStUvWxYz01234567890abcdefghijklmnopqrstu
+    references:
+      - https://docs.gitlab.com/user/clusters/agent/
+
+  - name: GitLab OAuth Application Secret
+    id: kingfisher.gitlab.11
+    pattern: |
+      (?x)
+      \b
+      (
+        gloas-
+        [0-9a-zA-Z_-]{64}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - gloas-xY9kLmNpQrStUvWxYz01234567890abcdefghijklmnopqrstuvwxyz012345678
+    references:
+      - https://docs.gitlab.com/integration/oauth_provider/
+
+  - name: GitLab Runner Authentication Token
+    id: kingfisher.gitlab.12
+    pattern: |
+      (?x)
+      \b
+      (
+        glrt-
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glrt-xY9kLmNpQrStUvWxYz01
+      - |
+        gitlab-runner register \
+        --url https://gitlab.com \
+        --token glrt-3dEfGhIjK4MnOpQrStUv
+    references:
+      - https://docs.gitlab.com/runner/register/
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: token={{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: 200
+            - type: WordMatch
+              words:
+                - '"token is missing"'
+                - '"403 Forbidden"'
+              negative: true
+          url: https://gitlab.com/api/v4/runners/verify
+
+  - name: GitLab Runner Authentication Token - Routable Format
+    id: kingfisher.gitlab.13
+    pattern: |
+      (?x)
+      \b
+      (
+        glrt-t
+        \d
+        _
+        [0-9a-zA-Z_-]{27,300}
+        \.
+        [0-9a-z]{2}
+        [0-9a-z]{7}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 4.0
+    confidence: medium
+    examples:
+      - glrt-t1_xY9kLmNpQrStUvWxYz01234567890.01abc1234
+    references:
+      - https://docs.gitlab.com/runner/register/
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: token={{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: 200
+            - type: WordMatch
+              words:
+                - '"token is missing"'
+                - '"403 Forbidden"'
+              negative: true
+          url: https://gitlab.com/api/v4/runners/verify
+
+  - name: GitLab SCIM Token
+    id: kingfisher.gitlab.14
+    pattern: |
+      (?x)
+      \b
+      (
+        glsoat-
+        [0-9a-zA-Z_-]{20}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - glsoat-xY9kLmNpQrStUvWxYz01
+    references:
+      - https://docs.gitlab.com/api/scim/
+
+  - name: GitLab Session Cookie
+    id: kingfisher.gitlab.15
+    pattern: |
+      (?x)
+      (?:^|[;\s])
+      _gitlab_session=
+      (
+        [0-9a-f]{32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    examples:
+      - '_gitlab_session=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'
+      - 'Cookie: _gitlab_session=0f1e2d3c4b5a69788796a5b4c3d2e1f0'
+    references:
+      - https://docs.gitlab.com/
diff --git a/crates/kingfisher-rules/data/rules/hcaptcha.yml b/crates/kingfisher-rules/data/rules/hcaptcha.yml
new file mode 100644
index 0000000..cc1a129
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/hcaptcha.yml
@@ -0,0 +1,24 @@
+rules:
+  - name: hCaptcha Site Verify Secret Key
+    id: kingfisher.hcaptcha.1
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:
+          0x[a-fA-F0-9]{40}
+          |
+          ES_[a-fA-F0-9]{32}
+        )
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000'
+      - 'hcaptcha_secret: ES_abcdef1234567890abcdef1234567890'
+    references:
+      - https://docs.hcaptcha.com/
diff --git a/crates/kingfisher-rules/data/rules/highnote.yml b/crates/kingfisher-rules/data/rules/highnote.yml
new file mode 100644
index 0000000..953ff32
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/highnote.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Highnote API Key
+    id: kingfisher.highnote.1
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:sk|rk)_(?:live|test)_[a-zA-Z0-9]{20,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'HIGHNOTE_API_KEY=sk_live_AbCdEfGhIjKlMnOpQrStUvWxYz1234'
+      - 'highnote_key: rk_test_AbCdEfGhIjKlMnOpQrStUvWxYz1234'
+    references:
+      - https://docs.highnote.com/docs/developers/api/using-the-api
diff --git a/crates/kingfisher-rules/data/rules/hop.yml b/crates/kingfisher-rules/data/rules/hop.yml
new file mode 100644
index 0000000..06fbd0b
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/hop.yml
@@ -0,0 +1,38 @@
+rules:
+  - name: HOP Project Token
+    id: kingfisher.hop.1
+    pattern: |
+      (?x)
+      \b
+      (
+        ptk_[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'HOP_TOKEN=ptk_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://docs.hop.io/reference/rest-api
+
+  - name: HOP Personal Access Token
+    id: kingfisher.hop.2
+    pattern: |
+      (?x)
+      (?:^|['"\x60\s>=:(,])
+      (
+        hop_pat_[a-zA-Z0-9_-]{20,80}
+      )
+      (?:$|['"\x60\s<),])
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'HOP_PAT="hop_pat_AbCdEfGhIjKlMnOpQrStUvWxYz123456"'
+    references:
+      - https://docs.hop.io/reference/rest-api
diff --git a/crates/kingfisher-rules/data/rules/iterative.yml b/crates/kingfisher-rules/data/rules/iterative.yml
new file mode 100644
index 0000000..9d132ae
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/iterative.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Iterative DVC Studio Access Token
+    id: kingfisher.iterative.1
+    pattern: |
+      (?x)
+      \b
+      (
+        isat_[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'DVC_STUDIO_TOKEN=isat_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://dvc.org/doc/command-reference/studio/token
diff --git a/crates/kingfisher-rules/data/rules/kraken.yml b/crates/kingfisher-rules/data/rules/kraken.yml
index bd3fc2e..2f547cd 100644
--- a/crates/kingfisher-rules/data/rules/kraken.yml
+++ b/crates/kingfisher-rules/data/rules/kraken.yml
@@ -26,6 +26,45 @@ rules:
     examples:
       - KRAKEN_API_SECRET=dGhpcy1sb29rcy1saWtlLWEtYmFzZTY0LWtyYWtlbi1zZWNyZXQtdGhhdC1pcy1sb25nLWVub3VnaA==
       - kraken_secret="Aq1Bq2Cr3Ds4Et5Fu6Gv7Hw8Ix9Jy0Kz1La2Mb3Nc4Od5Pe6Qf7Rg8Sh9Ti0Uj1Vk2Wm3Xn4Yo5Za6Bc7"
+    validation:
+      type: Raw
+      content: kraken
+    depends_on_rule:
+      - rule_id: kingfisher.kraken.2
+        variable: KRAKEN_API_KEY
     references:
       - https://docs.kraken.com/api/docs/guides/spot-rest-auth/
       - https://docs.kraken.com/api/docs/rest-api/get-account-balance/
+
+  - name: Kraken API Key
+    id: kingfisher.kraken.2
+    pattern: |
+      (?xi)
+      \b
+      kraken
+      (?:.|[\n\r]){0,32}?
+      (?:
+        api[_-]?key |
+        key |
+        public[_-]?key
+      )
+      (?:.|[\n\r]){0,12}?
+      (
+        [A-Za-z0-9]{16,64}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 1
+      min_lowercase: 4
+      ignore_if_contains:
+        - your_api_key
+        - xxxxxx
+    min_entropy: 3.0
+    confidence: medium
+    visible: false
+    examples:
+      - KRAKEN_API_KEY=Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56
+      - 'kraken_key: 5A6b7C8d9E0f1G2h3I4J5K6L7M8N9P0Q'
+    references:
+      - https://docs.kraken.com/api/docs/guides/spot-rest-auth/
diff --git a/crates/kingfisher-rules/data/rules/kucoin.yml b/crates/kingfisher-rules/data/rules/kucoin.yml
index c2d92ed..0d6fac4 100644
--- a/crates/kingfisher-rules/data/rules/kucoin.yml
+++ b/crates/kingfisher-rules/data/rules/kucoin.yml
@@ -57,6 +57,63 @@ rules:
     examples:
       - KUCOIN_API_SECRET=7d70f6c7-42e9-4261-8a8d-8ca2d5028d4f
       - 'kucoin_secret: a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.kucoin.com/api/v1/accounts
+          headers:
+            Accept: application/json
+            Content-Type: application/json
+            KC-API-KEY: "{{ KUCOIN_KEY }}"
+            KC-API-TIMESTAMP: '{%- assign ts = "" | unix_timestamp | times: 1000 -%}{{ ts }}'
+            KC-API-KEY-VERSION: "2"
+            KC-API-PASSPHRASE: '{%- assign passphrase = KUCOIN_PASSPHRASE | hmac_sha256: TOKEN -%}{{ passphrase }}'
+            KC-API-SIGN: '{%- assign ts = "" | unix_timestamp | times: 1000 -%}{%- assign prehash = ts | append: "GET" | append: "/api/v1/accounts" -%}{{ prehash | hmac_sha256: TOKEN }}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"data"'
+                - '"code":"200000"'
+    depends_on_rule:
+      - rule_id: kingfisher.kucoin.1
+        variable: KUCOIN_KEY
+      - rule_id: kingfisher.kucoin.3
+        variable: KUCOIN_PASSPHRASE
     references:
       - https://www.kucoin.com/docs-new/authentication
 
+  - name: KuCoin API Passphrase
+    id: kingfisher.kucoin.3
+    pattern: |
+      (?xi)
+      \b
+      kucoin
+      (?:.|[\n\r]){0,32}?
+      (?:
+        api[_-]?passphrase |
+        passphrase
+      )
+      (?:.|[\n\r]){0,12}?
+      (
+        [A-Za-z0-9!@\#$%^&*()_+=./:-]{6,64}
+      )
+      \b
+    pattern_requirements:
+      ignore_if_contains:
+        - your_passphrase
+        - xxxxxx
+    min_entropy: 2.5
+    confidence: medium
+    visible: false
+    examples:
+      - KUCOIN_API_PASSPHRASE=my-strong-passphrase
+      - 'kucoin_passphrase: S3cur3Passphrase123'
+    references:
+      - https://www.kucoin.com/docs-new/authentication
diff --git a/crates/kingfisher-rules/data/rules/ldap.yml b/crates/kingfisher-rules/data/rules/ldap.yml
index 4176173..719a099 100644
--- a/crates/kingfisher-rules/data/rules/ldap.yml
+++ b/crates/kingfisher-rules/data/rules/ldap.yml
@@ -1,4 +1,33 @@
 rules:
+  - name: LDAP Bind URI Credentials
+    id: kingfisher.ldap.2
+    pattern: |
+      (?xi)
+      \b
+      (?P<TOKEN>
+        (?P<LDAP_SCHEME>ldaps?)://
+        (?P<LDAP_BIND_DN>[^:@\s]{1,128})
+        :
+        (?P<LDAP_PASSWORD>[^@\s]{6,128})
+        @
+        (?P<LDAP_HOST>[^\s/"':]{4,128})
+        (?::(?P<LDAP_PORT>\d{2,5}))?
+        (?:/[^\s"']*)?
+      )
+    pattern_requirements:
+      min_digits: 1
+    min_entropy: 2.5
+    confidence: medium
+    examples:
+      - ldap://cn=admin,dc=example,dc=com:Tr0ub4dor%263!@ldap.example.com:389
+      - ldaps://uid=svc-reader,ou=people,dc=corp,dc=example,dc=com:S3cur3BindPass@directory.corp.example.com
+    validation:
+      type: Raw
+      content: ldap
+    references:
+      - https://datatracker.ietf.org/doc/html/rfc4511
+      - https://datatracker.ietf.org/doc/html/rfc4516
+
   - name: LDAP Credentials
     id: kingfisher.ldap.1
     pattern: |
@@ -22,6 +51,4 @@ rules:
       - "ldap_pwd = 'Tr0ub4dor&3!'"
       - "LDAP_PASSWORD=s3cur3P@ssw0rd\n"
     references:
-      - https://tools.ietf.org/html/rfc2251
-    # No public validation endpoint: LDAP servers are self-hosted;
-    # the host, port, and DN are instance-specific.
+      - https://datatracker.ietf.org/doc/html/rfc4511
diff --git a/crates/kingfisher-rules/data/rules/lichess.yml b/crates/kingfisher-rules/data/rules/lichess.yml
new file mode 100644
index 0000000..efe968c
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/lichess.yml
@@ -0,0 +1,31 @@
+rules:
+  - name: Lichess Personal Access Token
+    id: kingfisher.lichess.1
+    pattern: |
+      (?x)
+      \b
+      (
+        lip_[a-zA-Z0-9_]{16,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'LICHESS_TOKEN=lip_AbCdEfGhIjKlMnOpQr12'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://lichess.org/api/account
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://lichess.org/api
diff --git a/crates/kingfisher-rules/data/rules/localstack.yml b/crates/kingfisher-rules/data/rules/localstack.yml
new file mode 100644
index 0000000..7f610d4
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/localstack.yml
@@ -0,0 +1,21 @@
+rules:
+  - name: LocalStack Simulated AWS Access Key
+    id: kingfisher.localstack.1
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:LSIA|LKIA)[A-Z0-9]{16,}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_uppercase: 4
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'AWS_ACCESS_KEY_ID=LSIAQAAAAAAVNCBMPN59'
+      - 'aws_access_key=LKIAQAAAAAAVNCBMPN59'
+    references:
+      - https://docs.localstack.cloud/aws/capabilities/config/credentials/
diff --git a/crates/kingfisher-rules/data/rules/mailersend.yml b/crates/kingfisher-rules/data/rules/mailersend.yml
new file mode 100644
index 0000000..7401624
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/mailersend.yml
@@ -0,0 +1,32 @@
+rules:
+  - name: MailerSend API Token
+    id: kingfisher.mailersend.1
+    pattern: |
+      (?x)
+      \b
+      (
+        mlsn\.[a-zA-Z0-9]{30,100}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'MAILERSEND_API_TOKEN=mlsn.AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIj'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.mailersend.com/v1/api-quota
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://www.mailersend.com/help/managing-api-tokens
+      - https://developers.mailersend.com/
diff --git a/crates/kingfisher-rules/data/rules/onfido.yml b/crates/kingfisher-rules/data/rules/onfido.yml
new file mode 100644
index 0000000..6f84055
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/onfido.yml
@@ -0,0 +1,32 @@
+rules:
+  - name: Onfido API Token
+    id: kingfisher.onfido.1
+    pattern: |
+      (?x)
+      \b
+      (
+        api_(?:live|sandbox)\.[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'ONFIDO_API_TOKEN=api_live.AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+      - 'onfido_token: api_sandbox.AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.eu.onfido.com/v3.6/ping
+          headers:
+            Authorization: Token token={{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://documentation.identity.entrust.com/api/latest/
diff --git a/crates/kingfisher-rules/data/rules/openvsx.yml b/crates/kingfisher-rules/data/rules/openvsx.yml
new file mode 100644
index 0000000..981ea9c
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/openvsx.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: OpenVSX Access Token
+    id: kingfisher.openvsx.1
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:ovsxat|ovsxp)_[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'OVSX_PAT=ovsxat_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://github.com/eclipse/openvsx/wiki/Publishing-Extensions
diff --git a/crates/kingfisher-rules/data/rules/paddle.yml b/crates/kingfisher-rules/data/rules/paddle.yml
new file mode 100644
index 0000000..17851c0
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/paddle.yml
@@ -0,0 +1,34 @@
+rules:
+  - name: Paddle API Key
+    id: kingfisher.paddle.1
+    pattern: |
+      (?x)
+      \b
+      (
+        pdl_(?:live|sdbx)_apikey_[a-z0-9_]{30,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 4
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PADDLE_API_KEY=pdl_live_apikey_01gtgztp8f4kek3yd4g1wrksa3_q6tgtjyvoiz7ldtxt65bx7_aqo'
+      - 'paddle_key: pdl_sdbx_apikey_01h9fjk2z4qqw8n3m7xr5bc6y1_p3rstuvwxyz'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.paddle.com/event-types
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://developer.paddle.com/api-reference/about/api-keys
+      - https://developer.paddle.com/api-reference/about/authentication
diff --git a/crates/kingfisher-rules/data/rules/pangea.yml b/crates/kingfisher-rules/data/rules/pangea.yml
new file mode 100644
index 0000000..0300170
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/pangea.yml
@@ -0,0 +1,34 @@
+rules:
+  - name: Pangea Service Token
+    id: kingfisher.pangea.1
+    pattern: |
+      (?x)
+      \b
+      (
+        pts_[a-z0-9]{20,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PANGEA_TOKEN=pts_gqmqvvxk4yhirapuhw6bs7nswu'
+      - 'pangea_token: pts_hpbc3klkkq54tigu4osc5eygthxps6vf'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://audit.aws.us.pangea.cloud/v1/log
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+            Content-Type: application/json
+          body: '{"event":{"message":"test"}}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200, 401, 403]
+    references:
+      - https://pangea.cloud/docs/
diff --git a/crates/kingfisher-rules/data/rules/persona.yml b/crates/kingfisher-rules/data/rules/persona.yml
new file mode 100644
index 0000000..db610d9
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/persona.yml
@@ -0,0 +1,34 @@
+rules:
+  - name: Persona API Key
+    id: kingfisher.persona.1
+    pattern: |
+      (?x)
+      \b
+      (
+        persona_(?:production|sandbox)_[a-z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 4
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PERSONA_API_KEY=persona_production_abc123def456ghi789jkl012mno345pqr'
+      - 'api_key: persona_sandbox_abc123def456ghi789jkl012mno345pqr'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://withpersona.com/api/v1/accounts
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+            Persona-Version: "2023-01-05"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://docs.withpersona.com/api-keys
diff --git a/crates/kingfisher-rules/data/rules/pinterest.yml b/crates/kingfisher-rules/data/rules/pinterest.yml
new file mode 100644
index 0000000..04a815f
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/pinterest.yml
@@ -0,0 +1,50 @@
+rules:
+  - name: Pinterest Access Token
+    id: kingfisher.pinterest.1
+    pattern: |
+      (?x)
+      \b
+      (
+        pina_[a-zA-Z0-9_-]{20,200}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PINTEREST_ACCESS_TOKEN=pina_AbCdEfGhIjKlMnOpQrStUvWxYz1234567890'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.pinterest.com/v5/user_account
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://developers.pinterest.com/docs/api/v5/
+
+  - name: Pinterest Refresh Token
+    id: kingfisher.pinterest.2
+    pattern: |
+      (?x)
+      \b
+      (
+        pinr_[a-zA-Z0-9._-]{20,500}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PINTEREST_REFRESH_TOKEN=pinr_eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc123'
+    references:
+      - https://developers.pinterest.com/docs/api/v5/oauth-token/
diff --git a/crates/kingfisher-rules/data/rules/polar.yml b/crates/kingfisher-rules/data/rules/polar.yml
new file mode 100644
index 0000000..15b3eee
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/polar.yml
@@ -0,0 +1,20 @@
+rules:
+  - name: Polar Personal Access Token
+    id: kingfisher.polar.1
+    pattern: |
+      (?x)
+      \b
+      (
+        polar_(?:at|oat|rt)_[a-zA-Z0-9_-]{20,100}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'POLAR_TOKEN=polar_at_AbCdEfGhIjKlMnOpQrStUvWxYz1234'
+      - 'polar_org_token: polar_oat_AbCdEfGhIjKlMnOpQrStUvWx12'
+    references:
+      - https://docs.polar.sh/api/authentication
diff --git a/crates/kingfisher-rules/data/rules/proof.yml b/crates/kingfisher-rules/data/rules/proof.yml
new file mode 100644
index 0000000..965926e
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/proof.yml
@@ -0,0 +1,22 @@
+rules:
+  - name: Proof API Key
+    id: kingfisher.proof.1
+    pattern: |
+      (?x)
+      \b
+      (
+        prf_(?:(?:cli_)?test_)?[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'PROOF_API_KEY=prf_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+      - 'proof_key: prf_test_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+      - 'proof_key: prf_cli_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+      - 'proof_key: prf_cli_test_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://dev.proof.com/docs/api-keys
diff --git a/crates/kingfisher-rules/data/rules/rabbitmq.yml b/crates/kingfisher-rules/data/rules/rabbitmq.yml
index 293ec81..9545676 100644
--- a/crates/kingfisher-rules/data/rules/rabbitmq.yml
+++ b/crates/kingfisher-rules/data/rules/rabbitmq.yml
@@ -3,22 +3,25 @@ rules:
     id: kingfisher.rabbitmq.1
     pattern: |
       (?xi)
-      (?:
-        amqps?
+      (?P<TOKEN>
+        (?P<RABBITMQ_SCHEME>amqps?)
+        :\/\/
+        (?P<RABBITMQ_USERNAME>[\S]{3,50})
+        :
+        (?P<RABBITMQ_PASSWORD>[\S]{3,50})
+        @
+        (?P<RABBITMQ_HOST>[-.%\w]+)
+        (?::(?P<RABBITMQ_PORT>\d{2,5}))?
+        (?:\/(?P<RABBITMQ_VHOST>[-.%\w\/]+))?
       )
-      :\/\/
-      [\S]{3,50}
-      :
-      (
-        [\S]{3,50}
-      )
-      @
-      [-.%\w\/:]+
       \b
     min_entropy: 3.5
     confidence: medium
     examples:
       - amqp://user:password@rabbitmq.example.com/queue
       - amqps://admin:3eCa3P@192.168.1.10:5671/vhost
+    validation:
+      type: Raw
+      content: rabbitmq
     references:
       - https://www.rabbitmq.com/uri-spec.html
diff --git a/crates/kingfisher-rules/data/rules/rainforestpay.yml b/crates/kingfisher-rules/data/rules/rainforestpay.yml
new file mode 100644
index 0000000..1376c76
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/rainforestpay.yml
@@ -0,0 +1,21 @@
+rules:
+  - name: Rainforest Pay API Key
+    id: kingfisher.rainforestpay.1
+    pattern: |
+      (?x)
+      \b
+      (
+        (?:sbx_)?apikey_[a-f0-9]{64}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'RAINFOREST_API_KEY=apikey_1ad1c535b0c0093e7b9bf093d7e3444cd0e2ddefab36199216f555c3efa65d63'
+      - 'api_key: sbx_apikey_2bd2c646e7e1194f8c9cf194e8f4555de1f3eefbbc472003276666d4efb76e74'
+    references:
+      - https://docs.rainforestpay.com/docs/api-keys
+      - https://docs.rainforestpay.com/reference/authentication
diff --git a/crates/kingfisher-rules/data/rules/redis.yml b/crates/kingfisher-rules/data/rules/redis.yml
index 3d6d5b8..3c52e5f 100644
--- a/crates/kingfisher-rules/data/rules/redis.yml
+++ b/crates/kingfisher-rules/data/rules/redis.yml
@@ -5,13 +5,15 @@ rules:
     # Host supports hostnames, IPv4, and IPv6 in brackets
     pattern: |
       (?xi)
-      (?: redis | rediss | redis\+sentinel ) ://
-        (?: (?P<username>[a-zA-Z0-9%;._~!$&'()*+,;=-]*)
-          :
-        )?
-        (?P<password>[a-zA-Z0-9%;._~!$&'()*+,;:=/+-]{8,})
-      @ (?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]{1,})) (?: :(?P<port>\d{1,5}))?
-      (?: / (?P<db>\d{1,2}))?
+      (?P<TOKEN>
+        (?: redis | rediss | redis\+sentinel ) ://
+          (?: (?P<username>[a-zA-Z0-9%;._~!$&'()*+,;=-]*)
+            :
+          )?
+          (?P<password>[a-zA-Z0-9%;._~!$&'()*+,;:=/+-]{8,})
+        @ (?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]{1,})) (?: :(?P<port>\d{1,5}))?
+        (?: / (?P<db>\d{1,2}))?
+      )
       \b
 
     pattern_requirements:
@@ -42,6 +44,9 @@ rules:
       - https://redis.io/docs/latest/develop/clients/redis-py/connect/
       - https://redis.io/docs/latest/commands/auth/
       - https://github.com/redis/redis-py/blob/master/redis/client.py
+    validation:
+      type: Raw
+      content: redis
 
   - id: kingfisher.redis.2
     name: Python Redis Client Debug Output
diff --git a/crates/kingfisher-rules/data/rules/ringcentral.yml b/crates/kingfisher-rules/data/rules/ringcentral.yml
index 170089f..9244dc2 100644
--- a/crates/kingfisher-rules/data/rules/ringcentral.yml
+++ b/crates/kingfisher-rules/data/rules/ringcentral.yml
@@ -51,5 +51,77 @@ rules:
       - 'RINGCENTRAL_CLIENT_SECRET="xY9zW8vU7tS6rQ5pO4nM3l"'
     negative_examples:
       - 'RINGCENTRAL_URL="https://platform.ringcentral.com"'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: "{{ RINGCENTRAL_BASE_URL }}/restapi/oauth/token"
+          headers:
+            Accept: application/json
+            Content-Type: application/x-www-form-urlencoded
+            Authorization: "Basic {{ CLIENT_ID | append: ':' | append: TOKEN | b64enc }}"
+          body: >
+            grant_type=authorization_code&code=INVALID_AUTH_CODE&redirect_uri={{ REDIRECT_URI | url_encode }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - invalid_grant
+                - authentication_error
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    depends_on_rule:
+      - rule_id: kingfisher.ringcentral.1
+        variable: CLIENT_ID
+      - rule_id: kingfisher.ringcentral.3
+        variable: RINGCENTRAL_BASE_URL
+      - rule_id: kingfisher.ringcentral.4
+        variable: REDIRECT_URI
     references:
-      - https://developers.ringcentral.com/api-reference/
+      - https://developers.ringcentral.com/guide/authentication/auth-code-flow
+
+  - name: RingCentral OAuth Base URL
+    id: kingfisher.ringcentral.3
+    pattern: |
+      (?xi)
+      \b
+      (
+        https://platform(?:\.devtest)?\.ringcentral\.com
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - RINGCENTRAL_BASE_URL=https://platform.ringcentral.com
+      - RINGCENTRAL_SANDBOX_URL=https://platform.devtest.ringcentral.com
+    references:
+      - https://developers.ringcentral.com/guide/authentication/auth-code-flow
+
+  - name: RingCentral Redirect URI
+    id: kingfisher.ringcentral.4
+    pattern: |
+      (?xi)
+      \b
+      ring.?central
+      (?:.|[\n\r]){0,64}?
+      (?:redirect[_-]?uri|oauth[_-]?redirect)\b
+      (?:.|[\n\r]){0,16}?
+      [=:"'\s]
+      (
+        https?://[^\s"'<>]{6,200}
+      )
+    min_entropy: 1.5
+    confidence: medium
+    visible: false
+    examples:
+      - RINGCENTRAL_REDIRECT_URI=https://example.com/ringcentral/callback
+      - 'ringcentral.redirect_uri = "https://localhost:8080/oauth/ringcentral"'
+    references:
+      - https://developers.ringcentral.com/guide/authentication/auth-code-flow
diff --git a/crates/kingfisher-rules/data/rules/rootly.yml b/crates/kingfisher-rules/data/rules/rootly.yml
new file mode 100644
index 0000000..8fe48ac
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/rootly.yml
@@ -0,0 +1,31 @@
+rules:
+  - name: Rootly API Key
+    id: kingfisher.rootly.1
+    pattern: |
+      (?x)
+      \b
+      (
+        rootly_[a-f0-9]{64}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 4
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'ROOTLY_API_KEY=rootly_abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.rootly.com/v1/users/me
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://rootly.com/api
diff --git a/crates/kingfisher-rules/data/rules/runpod.yml b/crates/kingfisher-rules/data/rules/runpod.yml
new file mode 100644
index 0000000..f8e913a
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/runpod.yml
@@ -0,0 +1,36 @@
+rules:
+  - name: RunPod API Key
+    id: kingfisher.runpod.1
+    pattern: |
+      (?x)
+      \b
+      (
+        rpa_[a-zA-Z0-9]{20,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'RUNPOD_API_KEY=rpa_ABC123DEF456GHI789JKL012MNO345PQR678'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://api.runpod.io/graphql
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+            Content-Type: application/json
+          body: '{"query":"{ myself { id } }"}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              match_all_words: true
+              words: ['"myself"']
+    references:
+      - https://docs.runpod.io/get-started/api-keys
diff --git a/crates/kingfisher-rules/data/rules/snowflake.yml b/crates/kingfisher-rules/data/rules/snowflake.yml
index 5f266af..7585c8d 100644
--- a/crates/kingfisher-rules/data/rules/snowflake.yml
+++ b/crates/kingfisher-rules/data/rules/snowflake.yml
@@ -24,3 +24,76 @@ rules:
       - https://docs.snowflake.com/en/
       - https://docs.snowflake.com/en/developer-guide/python-connector/python-connector-api
     # Snowflake credentials are endpoint-specific; no public REST endpoint for standalone validation.
+
+  - name: Snowflake Programmatic Access Token
+    id: kingfisher.snowflake.2
+    pattern: |
+      (?x)
+      \b
+      (?:
+        (?i:snowflake[_\s-]*(?:programmatic[_\s-]*)?(?:access[_\s-]*)?token)
+        |
+        (?i:SF_TOKEN)
+      )
+      \b
+      (?:.|[\n\r]){0,16}?
+      [=:]
+      \s*["']?
+      (
+        [a-zA-Z0-9_-]{100,500}
+      )
+      ["']?
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'SNOWFLAKE_TOKEN=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz12'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: "https://{{ SNOWFLAKE_HOST }}/api/v2/statements"
+          headers:
+            Accept: application/json
+            Content-Type: application/json
+            Authorization: "Bearer {{ TOKEN }}"
+            X-Snowflake-Authorization-Token-Type: PROGRAMMATIC_ACCESS_TOKEN
+          body: '{"statement":"select 1","timeout":5}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200, 202]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"statementHandle"'
+                - '"resultSetMetaData"'
+    depends_on_rule:
+      - rule_id: kingfisher.snowflake.3
+        variable: SNOWFLAKE_HOST
+    references:
+      - https://docs.snowflake.com/en/user-guide/programmatic-access-tokens
+      - https://docs.snowflake.com/en/developer-guide/sql-api/submitting-requests
+
+  - name: Snowflake Account Host
+    id: kingfisher.snowflake.3
+    pattern: |
+      (?xi)
+      \b
+      (
+        [a-z0-9_-]+(?:\.[a-z0-9_-]+)*\.snowflakecomputing\.com
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - account = "xy12345.us-east-1.snowflakecomputing.com"
+      - host=acme-prod.eu-west-1.aws.snowflakecomputing.com
+    references:
+      - https://docs.snowflake.com/en/user-guide/programmatic-access-tokens
+      - https://docs.snowflake.com/en/developer-guide/sql-api/submitting-requests
diff --git a/crates/kingfisher-rules/data/rules/tableau.yml b/crates/kingfisher-rules/data/rules/tableau.yml
index d47df68..803bbcf 100644
--- a/crates/kingfisher-rules/data/rules/tableau.yml
+++ b/crates/kingfisher-rules/data/rules/tableau.yml
@@ -14,10 +14,11 @@ rules:
         (?:.|[\n\r]){0,16}?
       )
       (
-        [A-Za-z0-9+/]{12,24}
+        (?P<TABLEAU_PAT_NAME>[A-Za-z0-9+/]{12,24}
         (?:={1,2})?
+        )
         :
-        [A-Za-z0-9+/=_-]{24,48}
+        (?P<TOKEN>[A-Za-z0-9+/=_-]{24,48})
       )
     pattern_requirements:
       min_digits: 2
@@ -28,7 +29,84 @@ rules:
     examples:
       - "tableau_auth = TSC.PersonalAccessTokenAuth('prod_svc', 'WLQKWBs1TnuBx4G7gIzz/w==:yDwZ74EWDPIgU6cSlz8RDJHp7CV2rtFP', 'companysite')"
       - 'curl -H "X-Tableau-Auth:oJzK8bqwPTnmSl1/E2+aXw==:ZvTsRqFmKpWuLdNhYcBjXiGe" https://tableau.example.com/api/3.17/sites'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: "{{ TABLEAU_SERVER }}/api/3.28/auth/signin"
+          headers:
+            Accept: application/json
+            Content-Type: application/json
+          body: >
+            {"credentials":{"personalAccessTokenName":"{{ TABLEAU_PAT_NAME }}","personalAccessTokenSecret":"{{ TOKEN }}","site":{"contentUrl":"{{ TABLEAU_SITE | default: "" }}"}}}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"token"'
+                - '"site"'
+    depends_on_rule:
+      - rule_id: kingfisher.tableau.2
+        variable: TABLEAU_SERVER
+      - rule_id: kingfisher.tableau.3
+        variable: TABLEAU_SITE
     references:
-      - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref.htm
+      - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref_authentication.htm
       - https://help.tableau.com/current/server/en-us/security_personal_access_tokens.htm
-    # Tableau PATs are instance-specific; no universal public endpoint for standalone validation.
+
+  - name: Tableau Server URL
+    id: kingfisher.tableau.2
+    pattern: |
+      (?xi)
+      \b
+      (
+        https://[a-z0-9.-]{3,200}
+      )
+      (?:
+        /api/\d+\.\d+
+      )?
+      (?:
+        /[^\s"'<>]{0,120}
+      )?
+    min_entropy: 1.5
+    confidence: medium
+    visible: false
+    examples:
+      - https://tableau.example.com
+      - https://10ax.online.tableau.com
+      - server="https://analytics.example.com"
+    references:
+      - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref_authentication.htm
+
+  - name: Tableau Site Content URL
+    id: kingfisher.tableau.3
+    pattern: |
+      (?xi)
+      \b
+      (?:
+        tableau
+        (?:.|[\n\r]){0,48}?
+      )?
+      (?:
+        site |
+        content[_-]?url
+      )
+      (?:.|[\n\r]){0,12}?
+      [=:"'\s]
+      (
+        [A-Za-z0-9._-]{1,64}
+      )
+      \b
+    min_entropy: 1.0
+    confidence: medium
+    visible: false
+    examples:
+      - tableau_site=companysite
+      - contentUrl="default"
+    references:
+      - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref_authentication.htm
diff --git a/crates/kingfisher-rules/data/rules/telnyx.yml b/crates/kingfisher-rules/data/rules/telnyx.yml
new file mode 100644
index 0000000..79f5dc9
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/telnyx.yml
@@ -0,0 +1,31 @@
+rules:
+  - name: Telnyx API V2 Key
+    id: kingfisher.telnyx.1
+    pattern: |
+      (?x)
+      \b
+      (
+        KEY[0-9A-Za-z_-]{55}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'TELNYX_API_KEY=KEYabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRS'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.telnyx.com/v2/balance
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://developers.telnyx.com/development/api-fundamentals/authentication
diff --git a/crates/kingfisher-rules/data/rules/thunderstore.yml b/crates/kingfisher-rules/data/rules/thunderstore.yml
new file mode 100644
index 0000000..50a8d81
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/thunderstore.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Thunderstore API Token
+    id: kingfisher.thunderstore.1
+    pattern: |
+      (?x)
+      \b
+      (
+        tss_[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'THUNDERSTORE_TOKEN=tss_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://thunderstore.io/api/docs/
diff --git a/crates/kingfisher-rules/data/rules/trello.yml b/crates/kingfisher-rules/data/rules/trello.yml
index fbe8821..1678f28 100644
--- a/crates/kingfisher-rules/data/rules/trello.yml
+++ b/crates/kingfisher-rules/data/rules/trello.yml
@@ -27,5 +27,59 @@ rules:
     examples:
       - TRELLO_TOKEN=0a1b2c3d4e5f6g7h8i9j0k1l2m3n4p5q
       - trello_access_token="Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: "https://api.trello.com/1/members/me?key={{ TRELLO_KEY | url_encode }}&token={{ TOKEN | url_encode }}"
+          headers:
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"id"'
+                - '"username"'
+    depends_on_rule:
+      - rule_id: kingfisher.trello.2
+        variable: TRELLO_KEY
     references:
       - https://developer.atlassian.com/cloud/trello/guides/rest-api/api-introduction/
+      - https://developer.atlassian.com/cloud/trello/guides/rest-api/authorization/
+
+  - name: Trello API Key
+    id: kingfisher.trello.2
+    visible: false
+    pattern: |
+      (?xi)
+      \b
+      trello
+      (?:.|[\n\r]){0,32}?
+      (?:
+        api[_-]?key |
+        app[_-]?key |
+        key
+      )
+      (?:.|[\n\r]){0,12}?
+      (
+        [A-Za-z0-9]{32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+      min_lowercase: 6
+      ignore_if_contains:
+        - yourkey
+        - placeholder
+    min_entropy: 3.1
+    confidence: medium
+    examples:
+      - TRELLO_KEY=0a1b2c3d4e5f6g7h8i9j0k1l2m3n4p5q
+      - trello_api_key="Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56"
+    references:
+      - https://developer.atlassian.com/cloud/trello/guides/rest-api/authorization/
diff --git a/crates/kingfisher-rules/data/rules/ubidots.yml b/crates/kingfisher-rules/data/rules/ubidots.yml
index b0b1928..ff7a694 100644
--- a/crates/kingfisher-rules/data/rules/ubidots.yml
+++ b/crates/kingfisher-rules/data/rules/ubidots.yml
@@ -16,7 +16,25 @@ rules:
     examples:
       - "API_KEY = \"BBUS-kDvT2Vrm6JThnHZvgzNyO2K7DAHdWs12abc\""
       - "UBIDOTS_TOKEN=BBUS-AbCdEfGhIjKlMnOpQrStUvWxYz0123456"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://industrial.api.ubidots.com/api/v2.0/devices
+          headers:
+            Accept: application/json
+            X-Auth-Token: "{{ TOKEN }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - '"count"'
+                - '"results"'
     references:
-      - https://docs.ubidots.com/v1.6/reference/authentication
-    # No API validation available: Ubidots API keys generate tokens but cannot
-    # themselves be validated against a public endpoint.
+      - https://docs.ubidots.com/reference/authentication
+      - https://docs.ubidots.com/reference/get-devices
diff --git a/crates/kingfisher-rules/data/rules/valtown.yml b/crates/kingfisher-rules/data/rules/valtown.yml
new file mode 100644
index 0000000..fdaa9b5
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/valtown.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: Val Town API Token
+    id: kingfisher.valtown.1
+    pattern: |
+      (?x)
+      \b
+      (
+        vtwn_[a-zA-Z0-9_-]{20,80}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.5
+    confidence: high
+    categories: [api, key]
+    examples:
+      - 'VALTOWN_TOKEN=vtwn_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    references:
+      - https://docs.val.town/api/authentication/
diff --git a/crates/kingfisher-rules/data/rules/volcengine.yml b/crates/kingfisher-rules/data/rules/volcengine.yml
new file mode 100644
index 0000000..68e5dfd
--- /dev/null
+++ b/crates/kingfisher-rules/data/rules/volcengine.yml
@@ -0,0 +1,19 @@
+rules:
+  - name: VolcEngine Access Key ID
+    id: kingfisher.volcengine.1
+    pattern: |
+      (?x)
+      \b
+      (
+        AKLT[a-zA-Z0-9_-]{16,60}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 2
+    min_entropy: 3.0
+    confidence: medium
+    categories: [api, key]
+    examples:
+      - 'VOLCENGINE_ACCESS_KEY=AKLTabcdefghijklmnop1234567890'
+    references:
+      - https://www.volcengine.com/docs/6291/65568
diff --git a/crates/kingfisher-rules/data/rules/webex.yml b/crates/kingfisher-rules/data/rules/webex.yml
index a66d125..3cf82c4 100644
--- a/crates/kingfisher-rules/data/rules/webex.yml
+++ b/crates/kingfisher-rules/data/rules/webex.yml
@@ -47,6 +47,57 @@ rules:
     examples:
       - "webex.secret = 8ab9b3c77035e1121e2d7d64529749682b3ce5b93dc1f1e6677f0800dcf00d1e"
       - "webex\nclient_secret=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://webexapis.com/v1/access_token
+          headers:
+            Accept: application/json
+            Content-Type: application/x-www-form-urlencoded
+          body: >
+            grant_type=authorization_code&client_id={{ CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&code=INVALID_AUTH_CODE&redirect_uri={{ REDIRECT_URI | url_encode }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              match_all_words: false
+              words:
+                - invalid_grant
+                - Invalid authorization code
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    depends_on_rule:
+      - rule_id: kingfisher.webex.1
+        variable: CLIENT_ID
+      - rule_id: kingfisher.webex.3
+        variable: REDIRECT_URI
     references:
-      - https://developer.webex.com/docs/platform-introduction
+      - https://developer.webex.com/create/docs/authentication
       - https://developer.webex.com/docs/integrations
+
+  - name: Webex Redirect URI
+    id: kingfisher.webex.3
+    pattern: |
+      (?xi)
+      \b
+      webex
+      (?:.|[\n\r]){0,64}?
+      (?:redirect[_-]?uri|oauth[_-]?redirect)\b
+      (?:.|[\n\r]){0,16}?
+      [=:"'\s]
+      (
+        https?://[^\s"'<>]{6,200}
+      )
+    min_entropy: 1.5
+    confidence: medium
+    visible: false
+    examples:
+      - WEBEX_REDIRECT_URI=https://example.com/webex/callback
+      - 'webex.redirect_uri = "https://localhost:3000/oauth/webex"'
+    references:
+      - https://developer.webex.com/create/docs/authentication
diff --git a/crates/kingfisher-rules/src/liquid_filters.rs b/crates/kingfisher-rules/src/liquid_filters.rs
index 77fba6e..cf6b73e 100644
--- a/crates/kingfisher-rules/src/liquid_filters.rs
+++ b/crates/kingfisher-rules/src/liquid_filters.rs
@@ -12,7 +12,10 @@ use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
 use rand::{distr::Alphanumeric, RngExt};
 use sha1::Sha1;
 use sha2::{Digest, Sha256, Sha384};
-use time::{format_description::well_known::Iso8601, OffsetDateTime};
+use time::{
+    format_description::well_known::{Iso8601, Rfc2822},
+    OffsetDateTime,
+};
 use uuid::Uuid;
 
 // -----------------------------------------------------------------------------
@@ -297,6 +300,42 @@ impl Filter for HmacSha384Filter {
     }
 }
 
+#[derive(Clone, ParseFilter, FilterReflection, Default)]
+#[filter(
+    name = "hmac_sha384_hex",
+    description = "HMAC-SHA384 - returns lowercase hex.",
+    parameters(Hmac384Args),
+    parsed(HmacSha384HexFilter)
+)]
+pub struct HmacSha384Hex;
+
+#[derive(Debug, FromFilterParameters, Display_filter)]
+#[name = "hmac_sha384_hex"]
+struct HmacSha384HexFilter {
+    #[parameters]
+    args: Hmac384Args,
+}
+
+impl Filter for HmacSha384HexFilter {
+    fn evaluate(&self, input: &dyn ValueView, runtime: &dyn Runtime) -> Result<Value> {
+        use std::fmt::Write as _;
+
+        let args = self.args.evaluate(runtime)?;
+        let key = args.key.to_kstr();
+
+        let mut mac = Hmac::<Sha384>::new_from_slice(key.as_bytes()).unwrap();
+        mac.update(input.to_kstr().as_bytes());
+
+        let bytes = mac.finalize().into_bytes();
+        let mut hex = String::with_capacity(bytes.len() * 2);
+        for byte in bytes {
+            let _ = write!(&mut hex, "{byte:02x}");
+        }
+
+        Ok(Value::scalar(hex))
+    }
+}
+
 // ── random_string ────────────────────────────────
 #[derive(Debug, FilterParameters)]
 struct RandomStringArgs {
@@ -903,6 +942,15 @@ static_filter!(
     }
 );
 
+// {{ "" | unix_timestamp_ms }}
+static_filter!(
+    /// Current Unix epoch milliseconds.
+    UnixTimestampMsFilter, "unix_timestamp_ms",
+    |_input: &dyn ValueView| -> i64 {
+        (OffsetDateTime::now_utc().unix_timestamp_nanos() / 1_000_000) as i64
+    }
+);
+
 // {{ "" | iso_timestamp_no_frac }}
 static_filter!(
     /// Current ISO-8601 timestamp (UTC) with no fractional seconds.
@@ -933,6 +981,21 @@ static_filter!(
     }
 );
 
+// {{ "" | rfc1123_date }}
+static_filter!(
+    /// Current RFC-1123 timestamp in GMT.
+    Rfc1123DateFilter, "rfc1123_date",
+    |_input: &dyn ValueView| -> String {
+        let rendered = OffsetDateTime::now_utc()
+            .format(&Rfc2822)
+            .unwrap_or_else(|_| "Thu, 01 Jan 1970 00:00:00 +0000".into());
+        rendered
+            .strip_suffix(" +0000")
+            .map(|prefix| format!("{prefix} GMT"))
+            .unwrap_or(rendered)
+    }
+);
+
 // -----------------------------------------------------------------------------
 // Request Uniqueness
 // -----------------------------------------------------------------------------
@@ -953,8 +1016,10 @@ pub fn register_all(builder: liquid::ParserBuilder) -> liquid::ParserBuilder {
         .filter(UrlEncodeFilter::default())
         .filter(JsonEscapeFilter::default())
         .filter(UnixTimestampFilter::default())
+        .filter(UnixTimestampMsFilter::default())
         .filter(IsoTimestampFilter::default())
         .filter(IsoTimestampNoFracFilter::default())
+        .filter(Rfc1123DateFilter::default())
         .filter(UuidFilter::default())
         .filter(JwtHeaderFilter::default())
         .filter(B64EncFilter::default())
@@ -974,6 +1039,7 @@ pub fn register_all(builder: liquid::ParserBuilder) -> liquid::ParserBuilder {
         .filter(HmacSha256B64Key::default())
         .filter(HmacSha1::default())
         .filter(HmacSha384::default())
+        .filter(HmacSha384Hex::default())
 }
 
 #[cfg(test)]
@@ -1148,6 +1214,24 @@ mod tests {
         assert_eq!(render(r#"{{ "payload" | hmac_sha384: "topsecret" }}"#), expect);
     }
 
+    #[test]
+    fn hmac_sha384_hex_filter() {
+        use std::fmt::Write as _;
+
+        let key = b"topsecret";
+        let data = b"payload";
+        let mut mac = Hmac::<Sha384>::new_from_slice(key).unwrap();
+        mac.update(data);
+
+        let bytes = mac.finalize().into_bytes();
+        let mut expect = String::with_capacity(bytes.len() * 2);
+        for byte in bytes {
+            let _ = write!(&mut expect, "{byte:02x}");
+        }
+
+        assert_eq!(render(r#"{{ "payload" | hmac_sha384_hex: "topsecret" }}"#), expect);
+    }
+
     // -------------------------------------------------------------------------
     // Random string
     // -------------------------------------------------------------------------
@@ -1174,6 +1258,13 @@ mod tests {
         assert!((now - tmpl_val).abs() < 5, "timestamp differs by >5 s");
     }
 
+    #[test]
+    fn unix_timestamp_ms_filter_is_nowish() {
+        let tmpl_val: i64 = render(r#"{{ "" | unix_timestamp_ms }}"#).parse().unwrap();
+        let now = (OffsetDateTime::now_utc().unix_timestamp_nanos() / 1_000_000) as i64;
+        assert!((now - tmpl_val).abs() < 5_000, "timestamp differs by >5 s");
+    }
+
     #[test]
     fn iso_timestamp_filter_parses() {
         let out = render(r#"{{ "" | iso_timestamp }}"#);
@@ -1192,6 +1283,14 @@ mod tests {
         let v = render(r#"{{ "" | uuid }}"#);
         assert!(uuid_re.is_match(&v));
     }
+
+    #[test]
+    fn rfc1123_date_filter_format() {
+        let out = render(r#"{{ "" | rfc1123_date }}"#);
+        assert!(out.ends_with(" GMT"), "unexpected RFC-1123 date: {out}");
+        let normalized = out.replace(" GMT", " +0000");
+        assert!(OffsetDateTime::parse(&normalized, &Rfc2822).is_ok());
+    }
     // -------------------------------------------------------------------------
     // Replace filter
     // -------------------------------------------------------------------------
diff --git a/crates/kingfisher-scanner/Cargo.toml b/crates/kingfisher-scanner/Cargo.toml
index 09521ca..f5b5dd2 100644
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
@@ -24,6 +24,22 @@ validation-http = [
     "dep:liquid-core",
     "dep:quick-xml",
     "dep:sha1",
+    "dep:time",
+]
+
+# Provider/protocol-specific validation flows that need custom network logic.
+validation-raw = [
+    "validation-http",
+    "dep:chrono",
+    "dep:hmac",
+    "dep:sha2",
+    "dep:hex",
+    "dep:url",
+    "dep:percent-encoding",
+    "dep:rustls",
+    "dep:rustls-native-certs",
+    "dep:tokio-rustls",
+    "dep:ldap3",
 ]
 
 # AWS credential validation
@@ -94,6 +110,7 @@ validation-database = [
 # All validation features
 validation-all = [
     "validation",
+    "validation-raw",
     "validation-aws",
     "validation-azure",
     "validation-coinbase",
@@ -153,11 +170,12 @@ tracing.workspace = true
 reqwest = { version = "0.12", default-features = false, features = [
     "json", "gzip", "brotli", "deflate", "stream", "rustls-tls", "rustls-tls-native-roots", "multipart"
 ], optional = true }
-tokio = { version = "1.48", features = ["net", "time", "sync"], optional = true }
+tokio = { version = "1.48", features = ["net", "time", "sync", "io-util"], optional = true }
 liquid = { version = "0.26", optional = true }
 liquid-core = { version = "0.26", optional = true }
 quick-xml = { version = "0.39", features = ["serde", "serialize"], optional = true }
 sha1 = { workspace = true, optional = true }
+time = { workspace = true, optional = true }
 chrono = { version = "0.4.42", optional = true }
 hmac = { workspace = true, optional = true }
 sha2 = { workspace = true, optional = true }
@@ -176,6 +194,8 @@ tokio-postgres = { version = "0.7", default-features = false, features = ["runti
 tokio-postgres-rustls = { version = "0.13.0", optional = true }
 rustls = { version = "0.23.35", optional = true }
 rustls-native-certs = { version = "0.8.2", optional = true }
+tokio-rustls = { version = "0.26.4", optional = true }
+ldap3 = { version = "0.11.5", default-features = false, features = ["tls-rustls"], optional = true }
 
 # AWS validation
 aws-config = { version = "1.8.14", default-features = false, features = ["default-https-client", "rt-tokio"], optional = true }
diff --git a/crates/kingfisher-scanner/src/validation/http_validation.rs b/crates/kingfisher-scanner/src/validation/http_validation.rs
index 2dc70de..2fb1f0e 100644
--- a/crates/kingfisher-scanner/src/validation/http_validation.rs
+++ b/crates/kingfisher-scanner/src/validation/http_validation.rs
@@ -3,6 +3,7 @@ use std::{collections::BTreeMap, future::Future, net::IpAddr, str::FromStr, time
 use anyhow::{anyhow, Error, Result};
 use http::StatusCode;
 use liquid::Object;
+use liquid_core::Value;
 use quick_xml::de::from_str as xml_from_str;
 use reqwest::{
     header,
@@ -11,6 +12,7 @@ use reqwest::{
 };
 use serde::de::IgnoredAny;
 use sha1::{Digest, Sha1};
+use time::{format_description::well_known::Rfc2822, OffsetDateTime};
 use tokio::{net::lookup_host, time::sleep};
 use tracing::debug;
 
@@ -68,6 +70,33 @@ pub fn parse_http_method(method_str: &str) -> Result<Method, String> {
     Method::from_str(method_str).map_err(|_| format!("Invalid HTTP method: {}", method_str))
 }
 
+fn format_rfc1123(now: OffsetDateTime) -> String {
+    let rendered =
+        now.format(&Rfc2822).unwrap_or_else(|_| "Thu, 01 Jan 1970 00:00:00 +0000".to_string());
+    rendered.strip_suffix(" +0000").map(|prefix| format!("{prefix} GMT")).unwrap_or(rendered)
+}
+
+/// Clone `globals` and add stable request-scoped values for templated request rendering.
+///
+/// These values are computed once so the same generated timestamp can be reused across the URL,
+/// headers, body, and multipart parts of a single request.
+pub fn with_request_template_globals(globals: &Object) -> Object {
+    let mut out = globals.clone();
+    let now = OffsetDateTime::now_utc();
+
+    if !out.contains_key("REQUEST_RFC1123_DATE") {
+        out.insert("REQUEST_RFC1123_DATE".into(), Value::scalar(format_rfc1123(now)));
+    }
+    if !out.contains_key("REQUEST_UNIX_MILLIS") {
+        out.insert(
+            "REQUEST_UNIX_MILLIS".into(),
+            Value::scalar((now.unix_timestamp_nanos() / 1_000_000).to_string()),
+        );
+    }
+
+    out
+}
+
 /// Build a reqwest RequestBuilder using the provided parameters.
 pub fn build_request_builder(
     client: &Client,
@@ -566,7 +595,36 @@ pub async fn check_url_resolvable_safe(url: &Url) -> Result<(), Box<dyn std::err
 #[cfg(test)]
 mod tests {
     use super::*;
+    use liquid_core::ValueView;
     use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+    use time::OffsetDateTime;
+
+    #[test]
+    fn request_template_globals_add_stable_values() {
+        let globals = Object::new();
+        let rendered = with_request_template_globals(&globals);
+
+        let date = rendered.get("REQUEST_RFC1123_DATE").unwrap().to_kstr().to_string();
+        let millis = rendered.get("REQUEST_UNIX_MILLIS").unwrap().to_kstr().to_string();
+
+        assert!(date.ends_with(" GMT"), "unexpected date format: {date}");
+        assert!(OffsetDateTime::parse(&date.replace(" GMT", " +0000"), &Rfc2822).is_ok());
+
+        let millis_val: i128 = millis.parse().unwrap();
+        assert!(millis_val > 0);
+    }
+
+    #[test]
+    fn request_template_globals_preserve_explicit_overrides() {
+        let mut globals = Object::new();
+        globals.insert("REQUEST_RFC1123_DATE".into(), Value::scalar("custom-date"));
+        globals.insert("REQUEST_UNIX_MILLIS".into(), Value::scalar("123"));
+
+        let rendered = with_request_template_globals(&globals);
+
+        assert_eq!(rendered.get("REQUEST_RFC1123_DATE").unwrap().to_kstr(), "custom-date");
+        assert_eq!(rendered.get("REQUEST_UNIX_MILLIS").unwrap().to_kstr(), "123");
+    }
 
     #[test]
     fn rejects_ipv4_loopback() {
diff --git a/crates/kingfisher-scanner/src/validation/mod.rs b/crates/kingfisher-scanner/src/validation/mod.rs
index 443f821..b242e90 100644
--- a/crates/kingfisher-scanner/src/validation/mod.rs
+++ b/crates/kingfisher-scanner/src/validation/mod.rs
@@ -20,6 +20,8 @@
 //! - **Azure**: Azure Storage credential validation (requires `validation-azure` feature)
 //! - **Databases**: MongoDB, MySQL, Postgres, JDBC (requires `validation-database` feature)
 //! - **JWT**: JWT token validation (requires `validation-jwt` feature)
+//! - **Raw**: provider/protocol-specific validators that need custom logic
+//!   (requires `validation-raw` feature)
 
 mod utils;
 mod validation_body;
@@ -54,6 +56,9 @@ pub mod mysql;
 #[cfg(feature = "validation-database")]
 pub mod postgres;
 
+#[cfg(feature = "validation-raw")]
+pub mod raw;
+
 // Re-exports
 pub use utils::{find_closest_variable, process_captures};
 pub use validation_body::{as_str, clone_as_string, from_string, ValidationResponseBody};
@@ -62,9 +67,12 @@ pub use validation_body::{as_str, clone_as_string, from_string, ValidationRespon
 pub use http_validation::{
     build_request_builder, check_url_resolvable, generate_http_cache_key_parts, is_ssrf_safe_ip,
     parse_http_method, process_headers, retry_multipart_request, retry_request, validate_response,
-    SsrfBlockedError,
+    with_request_template_globals, SsrfBlockedError,
 };
 
+#[cfg(feature = "validation-raw")]
+pub use raw::{required_vars as raw_required_vars, validate_raw, RawValidationOutcome};
+
 #[cfg(feature = "validation-http")]
 #[allow(deprecated)]
 pub use http_validation::check_url_resolvable_safe;
diff --git a/crates/kingfisher-scanner/src/validation/raw.rs b/crates/kingfisher-scanner/src/validation/raw.rs
new file mode 100644
index 0000000..dc006e6
--- /dev/null
+++ b/crates/kingfisher-scanner/src/validation/raw.rs
@@ -0,0 +1,612 @@
+//! Provider-specific raw validators for secret formats that need custom protocol logic.
+
+use std::{
+    collections::BTreeSet,
+    sync::{Arc, OnceLock},
+    time::{Duration, SystemTime, UNIX_EPOCH},
+};
+
+use anyhow::{anyhow, Context, Result};
+use base64::{engine::general_purpose::STANDARD as B64, Engine};
+use hmac::{digest::KeyInit, Hmac, Mac};
+use http::StatusCode;
+use ldap3::LdapConnSettings;
+use liquid::Object;
+use liquid_core::ValueView;
+use once_cell::sync::OnceCell;
+use percent_encoding::percent_decode_str;
+use reqwest::Client;
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use rustls::crypto::{ring, verify_tls12_signature, verify_tls13_signature, CryptoProvider};
+use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme};
+use sha2::{Digest, Sha256, Sha512};
+use tokio::{
+    io::{AsyncBufReadExt, AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, BufStream},
+    net::TcpStream,
+    time::timeout,
+};
+use tokio_rustls::TlsConnector;
+use url::Url;
+
+pub struct RawValidationOutcome {
+    pub valid: bool,
+    pub status: StatusCode,
+    pub body: String,
+}
+
+static INIT_PROVIDER: OnceCell<()> = OnceCell::new();
+static LAX_PROVIDER: OnceLock<Arc<CryptoProvider>> = OnceLock::new();
+
+fn ensure_crypto_provider() {
+    INIT_PROVIDER.get_or_init(|| {
+        let _ = CryptoProvider::install_default(ring::default_provider());
+    });
+}
+
+#[derive(Debug)]
+struct LaxCertVerifier(Arc<CryptoProvider>);
+
+impl ServerCertVerifier for LaxCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> std::result::Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> {
+        verify_tls12_signature(message, cert, dss, &self.0.signature_verification_algorithms)
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> {
+        verify_tls13_signature(message, cert, dss, &self.0.signature_verification_algorithms)
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        self.0.signature_verification_algorithms.supported_schemes()
+    }
+}
+
+pub fn required_vars(kind: &str) -> BTreeSet<String> {
+    let mut vars = BTreeSet::new();
+    vars.insert("TOKEN".to_string());
+
+    match kind {
+        "azurebatch" => {
+            vars.insert("BATCH_URL".to_string());
+        }
+        "kraken" => {
+            vars.insert("KRAKEN_API_KEY".to_string());
+        }
+        _ => {}
+    }
+
+    vars
+}
+
+pub async fn validate_raw(
+    kind: &str,
+    globals: &Object,
+    client: &Client,
+    use_lax_tls: bool,
+) -> Result<RawValidationOutcome> {
+    match kind {
+        "azurebatch" => validate_azure_batch(globals, client).await,
+        "ftp" => validate_ftp(globals, use_lax_tls).await,
+        "kraken" => validate_kraken(globals, client).await,
+        "ldap" => validate_ldap(globals, use_lax_tls).await,
+        "rabbitmq" => validate_rabbitmq(globals, use_lax_tls).await,
+        "redis" => validate_redis(globals, use_lax_tls).await,
+        other => Ok(RawValidationOutcome {
+            valid: false,
+            status: StatusCode::NOT_IMPLEMENTED,
+            body: format!("Raw validator `{other}` is not implemented."),
+        }),
+    }
+}
+
+fn string_var(globals: &Object, name: &str) -> Option<String> {
+    globals.get(name).map(|v| v.to_kstr().to_string()).filter(|s| !s.is_empty())
+}
+
+fn decode_userinfo(input: &str) -> String {
+    percent_decode_str(input).decode_utf8_lossy().to_string()
+}
+
+fn current_unix_millis() -> String {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_else(|_| Duration::from_millis(0))
+        .as_millis()
+        .to_string()
+}
+
+fn rfc1123_now() -> String {
+    chrono::Utc::now().format("%a, %d %b %Y %H:%M:%S GMT").to_string()
+}
+
+fn build_root_store() -> Result<RootCertStore> {
+    let mut roots = RootCertStore::empty();
+    let native = rustls_native_certs::load_native_certs();
+    for cert in native.certs {
+        roots.add(cert).map_err(|e| anyhow!("failed to add native root cert: {e:?}"))?;
+    }
+    Ok(roots)
+}
+
+fn lax_provider() -> Arc<CryptoProvider> {
+    LAX_PROVIDER.get_or_init(|| Arc::new(ring::default_provider())).clone()
+}
+
+fn tls_connector(use_lax_tls: bool) -> Result<TlsConnector> {
+    let cfg = if use_lax_tls {
+        ensure_crypto_provider();
+        ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(LaxCertVerifier(lax_provider())))
+            .with_no_client_auth()
+    } else {
+        ClientConfig::builder().with_root_certificates(build_root_store()?).with_no_client_auth()
+    };
+    Ok(TlsConnector::from(Arc::new(cfg)))
+}
+
+trait AsyncStream: AsyncRead + AsyncWrite + Unpin + Send {}
+impl<T> AsyncStream for T where T: AsyncRead + AsyncWrite + Unpin + Send {}
+type DynStream = Box<dyn AsyncStream>;
+
+async fn connect_plain(host: &str, port: u16) -> Result<DynStream> {
+    let stream = timeout(Duration::from_secs(10), TcpStream::connect((host, port)))
+        .await
+        .context("connection timed out")??;
+    Ok(Box::new(stream))
+}
+
+async fn connect_tls(host: &str, port: u16, use_lax_tls: bool) -> Result<DynStream> {
+    let stream = timeout(Duration::from_secs(10), TcpStream::connect((host, port)))
+        .await
+        .context("connection timed out")??;
+    let server_name =
+        ServerName::try_from(host.to_string()).map_err(|_| anyhow!("invalid TLS host: {host}"))?;
+    let tls =
+        timeout(Duration::from_secs(10), tls_connector(use_lax_tls)?.connect(server_name, stream))
+            .await
+            .context("TLS handshake timed out")??;
+    Ok(Box::new(tls))
+}
+
+async fn connect_from_url(
+    url: &Url,
+    tls_default_port: u16,
+    plain_default_port: u16,
+    use_lax_tls: bool,
+) -> Result<DynStream> {
+    let host = url.host_str().ok_or_else(|| anyhow!("URL is missing host"))?;
+    let tls = matches!(url.scheme(), "ftps" | "amqps" | "rediss" | "ldaps");
+    let port = url.port().unwrap_or(if tls { tls_default_port } else { plain_default_port });
+    if tls {
+        connect_tls(host, port, use_lax_tls).await
+    } else {
+        connect_plain(host, port).await
+    }
+}
+
+async fn validate_azure_batch(globals: &Object, client: &Client) -> Result<RawValidationOutcome> {
+    let endpoint = string_var(globals, "BATCH_URL").ok_or_else(|| anyhow!("missing BATCH_URL"))?;
+    let account_key = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let parsed = Url::parse(&endpoint).context("invalid BATCH_URL")?;
+    let host = parsed.host_str().ok_or_else(|| anyhow!("BATCH_URL is missing host"))?;
+    let account_name = host
+        .split('.')
+        .next()
+        .filter(|s| !s.is_empty())
+        .ok_or_else(|| anyhow!("failed to derive Batch account name from host"))?;
+
+    let api_version = "2020-09-01.12.0";
+    let url = format!("{endpoint}/applications?api-version={api_version}");
+    let date = rfc1123_now();
+    let string_to_sign = format!(
+        "GET\n\n\n\n\napplication/json\n{}\n\n\n\n\n\n{}\napi-version:{}",
+        date,
+        format!("/{account_name}/applications").to_lowercase(),
+        api_version
+    );
+
+    let key = B64.decode(account_key.as_bytes()).context("Azure Batch key is not valid base64")?;
+    let mut mac = <Hmac<Sha256> as KeyInit>::new_from_slice(&key)
+        .map_err(|e| anyhow!("invalid HMAC key: {e}"))?;
+    mac.update(string_to_sign.as_bytes());
+    let signature = B64.encode(mac.finalize().into_bytes());
+
+    let resp = client
+        .get(&url)
+        .header("Content-Type", "application/json")
+        .header("Date", &date)
+        .header("Authorization", format!("SharedKey {account_name}:{signature}"))
+        .send()
+        .await
+        .context("Azure Batch validation request failed")?;
+
+    let status = resp.status();
+    let body = resp.text().await.unwrap_or_default();
+    let valid = status == StatusCode::OK;
+
+    Ok(RawValidationOutcome { valid, status, body })
+}
+
+async fn validate_ftp(globals: &Object, use_lax_tls: bool) -> Result<RawValidationOutcome> {
+    let token = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let url = Url::parse(&token).context("invalid FTP URI")?;
+    let host = url.host_str().ok_or_else(|| anyhow!("FTP URI is missing host"))?;
+    let username = decode_userinfo(url.username());
+    let password =
+        decode_userinfo(url.password().ok_or_else(|| anyhow!("FTP URI is missing password"))?);
+    let scheme = url.scheme().to_ascii_lowercase();
+
+    let mut stream = if scheme == "ftp" {
+        BufStream::new(connect_plain(host, url.port().unwrap_or(21)).await?)
+    } else {
+        let port = url.port().unwrap_or(990);
+        if url.port().unwrap_or(990) == 990 {
+            BufStream::new(connect_tls(host, port, use_lax_tls).await?)
+        } else {
+            let tcp = timeout(Duration::from_secs(10), TcpStream::connect((host, port)))
+                .await
+                .context("connection timed out")??;
+            let mut plain = BufStream::new(tcp);
+            let _ = read_ftp_reply(&mut plain).await?;
+            plain.write_all(b"AUTH TLS\r\n").await?;
+            plain.flush().await?;
+            let (code, auth_body) = read_ftp_reply(&mut plain).await?;
+            if code != 234 {
+                return Ok(RawValidationOutcome {
+                    valid: false,
+                    status: StatusCode::UNAUTHORIZED,
+                    body: auth_body,
+                });
+            }
+            let tcp = plain.into_inner();
+            let server_name = ServerName::try_from(host.to_string())
+                .map_err(|_| anyhow!("invalid TLS host: {host}"))?;
+            let tls = timeout(
+                Duration::from_secs(10),
+                tls_connector(use_lax_tls)?.connect(server_name, tcp),
+            )
+            .await
+            .context("TLS handshake timed out")??;
+            BufStream::new(Box::new(tls) as DynStream)
+        }
+    };
+
+    let _ = read_ftp_reply(&mut stream).await?;
+    stream.write_all(format!("USER {username}\r\n").as_bytes()).await?;
+    stream.flush().await?;
+    let (user_code, user_body) = read_ftp_reply(&mut stream).await?;
+    if user_code == 230 {
+        return Ok(RawValidationOutcome { valid: true, status: StatusCode::OK, body: user_body });
+    }
+    if user_code != 331 {
+        return Ok(RawValidationOutcome {
+            valid: false,
+            status: StatusCode::UNAUTHORIZED,
+            body: user_body,
+        });
+    }
+
+    stream.write_all(format!("PASS {password}\r\n").as_bytes()).await?;
+    stream.flush().await?;
+    let (pass_code, pass_body) = read_ftp_reply(&mut stream).await?;
+    let _ = stream.write_all(b"QUIT\r\n").await;
+    let _ = stream.flush().await;
+
+    Ok(RawValidationOutcome {
+        valid: pass_code == 230,
+        status: if pass_code == 230 { StatusCode::OK } else { StatusCode::UNAUTHORIZED },
+        body: pass_body,
+    })
+}
+
+async fn read_ftp_reply<S>(stream: &mut BufStream<S>) -> Result<(u16, String)>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    let mut body = String::new();
+    let mut code_prefix: Option<String> = None;
+
+    loop {
+        let mut line = String::new();
+        let read = timeout(Duration::from_secs(10), stream.read_line(&mut line))
+            .await
+            .context("FTP server did not reply in time")??;
+        if read == 0 {
+            return Err(anyhow!("FTP server closed the connection"));
+        }
+
+        body.push_str(&line);
+        let trimmed = line.trim_end_matches(['\r', '\n']);
+        if trimmed.len() < 4 {
+            continue;
+        }
+
+        let code = &trimmed[0..3];
+        if !code.chars().all(|c| c.is_ascii_digit()) {
+            continue;
+        }
+
+        match trimmed.as_bytes()[3] {
+            b' ' => return Ok((code.parse().unwrap_or(0), body)),
+            b'-' => {
+                code_prefix = Some(code.to_string());
+            }
+            _ => {}
+        }
+
+        if let Some(prefix) = &code_prefix {
+            if trimmed.starts_with(prefix) && trimmed.as_bytes()[3] == b' ' {
+                return Ok((code.parse().unwrap_or(0), body));
+            }
+        }
+    }
+}
+
+async fn validate_kraken(globals: &Object, client: &Client) -> Result<RawValidationOutcome> {
+    let api_key =
+        string_var(globals, "KRAKEN_API_KEY").ok_or_else(|| anyhow!("missing KRAKEN_API_KEY"))?;
+    let api_secret = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let secret = B64.decode(api_secret.as_bytes()).context("Kraken secret is not valid base64")?;
+
+    let nonce = current_unix_millis();
+    let body = format!("nonce={nonce}");
+    let mut sha = Sha256::new();
+    sha.update(format!("{nonce}{body}").as_bytes());
+    let shasum = sha.finalize();
+
+    let path = "/0/private/Balance";
+    let mut mac = <Hmac<Sha512> as KeyInit>::new_from_slice(&secret)
+        .map_err(|e| anyhow!("invalid HMAC key: {e}"))?;
+    let mut payload = Vec::with_capacity(path.len() + shasum.len());
+    payload.extend_from_slice(path.as_bytes());
+    payload.extend_from_slice(&shasum);
+    mac.update(&payload);
+    let signature = B64.encode(mac.finalize().into_bytes());
+
+    let resp = client
+        .post(format!("https://api.kraken.com{path}"))
+        .header("Content-Type", "application/x-www-form-urlencoded")
+        .header("API-Key", api_key)
+        .header("API-Sign", signature)
+        .body(body)
+        .send()
+        .await
+        .context("Kraken validation request failed")?;
+
+    let status = resp.status();
+    let body = resp.text().await.unwrap_or_default();
+    let valid = status == StatusCode::OK && body.contains(r#""error":[]"#);
+
+    Ok(RawValidationOutcome { valid, status, body })
+}
+
+async fn validate_ldap(globals: &Object, use_lax_tls: bool) -> Result<RawValidationOutcome> {
+    let token = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let url = Url::parse(&token).context("invalid LDAP URI")?;
+    let scheme = url.scheme().to_ascii_lowercase();
+    let host = url.host_str().ok_or_else(|| anyhow!("LDAP URI is missing host"))?;
+    let port = url.port().unwrap_or(if scheme == "ldaps" { 636 } else { 389 });
+    let bind_dn = if let Some(bind_dn) = string_var(globals, "LDAP_BIND_DN") {
+        bind_dn
+    } else {
+        decode_userinfo(url.username())
+    };
+    let password = if let Some(password) = string_var(globals, "LDAP_PASSWORD") {
+        password
+    } else {
+        decode_userinfo(url.password().ok_or_else(|| anyhow!("LDAP URI is missing password"))?)
+    };
+
+    let ldap_url = format!("{scheme}://{host}:{port}");
+    let settings = LdapConnSettings::new().set_no_tls_verify(use_lax_tls);
+    let (conn, mut ldap) = ldap3::LdapConnAsync::with_settings(settings, &ldap_url)
+        .await
+        .with_context(|| format!("failed to connect to LDAP server {ldap_url}"))?;
+    ldap3::drive!(conn);
+    let bind_result = ldap.simple_bind(&bind_dn, &password).await;
+    let _ = ldap.unbind().await;
+
+    match bind_result {
+        Ok(res) => match res.success() {
+            Ok(_) => Ok(RawValidationOutcome {
+                valid: true,
+                status: StatusCode::OK,
+                body: "LDAP bind succeeded.".to_string(),
+            }),
+            Err(err) => Ok(RawValidationOutcome {
+                valid: false,
+                status: StatusCode::UNAUTHORIZED,
+                body: err.to_string(),
+            }),
+        },
+        Err(err) => Ok(RawValidationOutcome {
+            valid: false,
+            status: StatusCode::BAD_GATEWAY,
+            body: err.to_string(),
+        }),
+    }
+}
+
+async fn validate_rabbitmq(globals: &Object, use_lax_tls: bool) -> Result<RawValidationOutcome> {
+    let token = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let url = Url::parse(&token).context("invalid AMQP URI")?;
+    let _host = url.host_str().ok_or_else(|| anyhow!("AMQP URI is missing host"))?;
+    let username = decode_userinfo(url.username());
+    let password =
+        decode_userinfo(url.password().ok_or_else(|| anyhow!("AMQP URI is missing password"))?);
+
+    let mut stream = connect_from_url(&url, 5671, 5672, use_lax_tls).await?;
+    timeout(Duration::from_secs(10), stream.write_all(b"AMQP\x00\x00\x09\x01"))
+        .await
+        .context("failed to write AMQP protocol header")??;
+    timeout(Duration::from_secs(10), stream.flush()).await.context("flush timed out")??;
+
+    let (_, _, start_payload) = read_amqp_frame(&mut stream).await?;
+    let (class_id, method_id) = amqp_method_ids(&start_payload)?;
+    if class_id != 10 || method_id != 10 {
+        return Ok(RawValidationOutcome {
+            valid: false,
+            status: StatusCode::BAD_GATEWAY,
+            body: format!("unexpected AMQP frame {class_id}.{method_id}"),
+        });
+    }
+
+    let start_ok = build_amqp_start_ok_frame(&username, &password);
+    timeout(Duration::from_secs(10), stream.write_all(&start_ok))
+        .await
+        .context("failed to write AMQP start-ok frame")??;
+    timeout(Duration::from_secs(10), stream.flush()).await.context("flush timed out")??;
+
+    let (_, _, next_payload) = read_amqp_frame(&mut stream).await?;
+    let (class_id, method_id) = amqp_method_ids(&next_payload)?;
+    let valid = class_id == 10 && method_id == 30;
+    Ok(RawValidationOutcome {
+        valid,
+        status: if valid { StatusCode::OK } else { StatusCode::UNAUTHORIZED },
+        body: format!("received AMQP method frame {class_id}.{method_id}"),
+    })
+}
+
+fn build_amqp_start_ok_frame(username: &str, password: &str) -> Vec<u8> {
+    let mut payload = Vec::new();
+    payload.extend_from_slice(&10u16.to_be_bytes());
+    payload.extend_from_slice(&11u16.to_be_bytes());
+    payload.extend_from_slice(&0u32.to_be_bytes()); // empty client properties table
+
+    payload.extend_from_slice(&(5u32).to_be_bytes());
+    payload.extend_from_slice(b"PLAIN");
+
+    let mut response = Vec::with_capacity(username.len() + password.len() + 2);
+    response.push(0);
+    response.extend_from_slice(username.as_bytes());
+    response.push(0);
+    response.extend_from_slice(password.as_bytes());
+    payload.extend_from_slice(&(response.len() as u32).to_be_bytes());
+    payload.extend_from_slice(&response);
+
+    payload.extend_from_slice(&(5u32).to_be_bytes());
+    payload.extend_from_slice(b"en_US");
+
+    let mut frame = Vec::with_capacity(payload.len() + 8);
+    frame.push(1); // method frame
+    frame.extend_from_slice(&0u16.to_be_bytes());
+    frame.extend_from_slice(&(payload.len() as u32).to_be_bytes());
+    frame.extend_from_slice(&payload);
+    frame.push(0xCE);
+    frame
+}
+
+async fn read_amqp_frame(stream: &mut DynStream) -> Result<(u8, u16, Vec<u8>)> {
+    let mut header = [0u8; 7];
+    timeout(Duration::from_secs(10), stream.read_exact(&mut header))
+        .await
+        .context("timed out while reading AMQP frame header")??;
+    let frame_type = header[0];
+    let channel = u16::from_be_bytes([header[1], header[2]]);
+    let size = u32::from_be_bytes([header[3], header[4], header[5], header[6]]) as usize;
+    let mut payload = vec![0u8; size];
+    timeout(Duration::from_secs(10), stream.read_exact(&mut payload))
+        .await
+        .context("timed out while reading AMQP frame payload")??;
+    let mut end = [0u8; 1];
+    timeout(Duration::from_secs(10), stream.read_exact(&mut end))
+        .await
+        .context("timed out while reading AMQP frame terminator")??;
+    if end[0] != 0xCE {
+        return Err(anyhow!("invalid AMQP frame terminator"));
+    }
+    Ok((frame_type, channel, payload))
+}
+
+fn amqp_method_ids(payload: &[u8]) -> Result<(u16, u16)> {
+    if payload.len() < 4 {
+        return Err(anyhow!("AMQP payload too short"));
+    }
+    Ok((u16::from_be_bytes([payload[0], payload[1]]), u16::from_be_bytes([payload[2], payload[3]])))
+}
+
+async fn validate_redis(globals: &Object, use_lax_tls: bool) -> Result<RawValidationOutcome> {
+    let token = string_var(globals, "TOKEN").ok_or_else(|| anyhow!("missing TOKEN"))?;
+    let url = Url::parse(&token).context("invalid Redis URI")?;
+    let username = if let Some(username) = string_var(globals, "USERNAME") {
+        username
+    } else if !url.username().is_empty() {
+        decode_userinfo(url.username())
+    } else {
+        String::new()
+    };
+    let password = if let Some(password) = string_var(globals, "PASSWORD") {
+        password
+    } else {
+        decode_userinfo(url.password().ok_or_else(|| anyhow!("Redis URI is missing password"))?)
+    };
+
+    let mut stream = BufStream::new(connect_from_url(&url, 6380, 6379, use_lax_tls).await?);
+    let auth_cmd = if username.is_empty() {
+        format!("*2\r\n$4\r\nAUTH\r\n${}\r\n{}\r\n", password.len(), password)
+    } else {
+        format!(
+            "*3\r\n$4\r\nAUTH\r\n${}\r\n{}\r\n${}\r\n{}\r\n",
+            username.len(),
+            username,
+            password.len(),
+            password
+        )
+    };
+    stream.write_all(auth_cmd.as_bytes()).await?;
+    stream.flush().await?;
+    let auth_reply = read_resp_line(&mut stream).await?;
+    if !auth_reply.starts_with("+OK") {
+        return Ok(RawValidationOutcome {
+            valid: false,
+            status: StatusCode::UNAUTHORIZED,
+            body: auth_reply,
+        });
+    }
+
+    stream.write_all(b"*1\r\n$4\r\nPING\r\n").await?;
+    stream.flush().await?;
+    let ping_reply = read_resp_line(&mut stream).await?;
+    Ok(RawValidationOutcome {
+        valid: ping_reply.starts_with("+PONG"),
+        status: if ping_reply.starts_with("+PONG") {
+            StatusCode::OK
+        } else {
+            StatusCode::UNAUTHORIZED
+        },
+        body: ping_reply,
+    })
+}
+
+async fn read_resp_line<S>(stream: &mut BufStream<S>) -> Result<String>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    let mut line = String::new();
+    timeout(Duration::from_secs(10), stream.read_line(&mut line))
+        .await
+        .context("Redis server did not reply in time")??;
+    Ok(line)
+}
diff --git a/data/default/rule_cleanup/count_rules.py b/data/default/rule_cleanup/count_rules.py
index a390464..7a54ffe 100644
--- a/data/default/rule_cleanup/count_rules.py
+++ b/data/default/rule_cleanup/count_rules.py
@@ -38,6 +38,11 @@ def parse_args() -> argparse.Namespace:
         default=DEFAULT_RULES_DIR,
         help="Directory containing rule YAML files (default: %(default)s)",
     )
+    parser.add_argument(
+        "--list-validators",
+        action="store_true",
+        help="Print the names of detectors with and without a validator",
+    )
     return parser.parse_args()
 
 
@@ -74,6 +79,8 @@ def main() -> int:
 
     total_rules = 0
     dependent_rules = 0
+    with_validator: list[str] = []
+    without_validator: list[str] = []
 
     for path in rule_files:
         try:
@@ -86,14 +93,28 @@ def main() -> int:
         dependent_rules += sum(
             1 for rule in rules if rule.get("depends_on_rule")
         )
+        if any(rule.get("validation") for rule in rules):
+            with_validator.append(path.stem)
+        else:
+            without_validator.append(path.stem)
 
     detector_rules = total_rules - dependent_rules
 
     print(f"Rules directory: {rules_dir}")
-    print(f"Rule files: {len(rule_files)}")
+    print(f"Detectors: {len(rule_files)}")
+    print(f"Detectors with validator: {len(with_validator)}")
+    print(f"Detectors without validator: {len(without_validator)}")
     print(f"Total rules: {total_rules}")
     print(f"Dependent rules: {dependent_rules}")
-    print(f"Detectors: {detector_rules}")
+    print(f"Non-dependent rules: {detector_rules}")
+
+    if args.list_validators:
+        print(f"\nWith validator ({len(with_validator)}):")
+        for name in with_validator:
+            print(f"  {name}")
+        print(f"\nWithout validator ({len(without_validator)}):")
+        for name in without_validator:
+            print(f"  {name}")
 
     return 0
 
diff --git a/docs-site/docs/reference/library.md b/docs-site/docs/reference/library.md
index 8b4d871..15b5f15 100644
--- a/docs-site/docs/reference/library.md
+++ b/docs-site/docs/reference/library.md
@@ -262,7 +262,7 @@ flowchart TD
 
 ### Loading Builtin Rules
 
-Kingfisher comes with 700+ builtin rules for common secret types:
+Kingfisher comes with 800+ builtin rules for common secret types:
 
 ```rust
 use kingfisher_rules::{get_builtin_rules, Confidence};
diff --git a/docs-site/docs/usage/advanced.md b/docs-site/docs/usage/advanced.md
index 6d06d28..5e95c8c 100644
--- a/docs-site/docs/usage/advanced.md
+++ b/docs-site/docs/usage/advanced.md
@@ -300,7 +300,7 @@ kingfisher scan ./my-project \
 
 ## Custom Rules
 
-Kingfisher ships with 700+ rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
+Kingfisher ships with 800+ rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
 
 First, review [RULES.md](../rules/overview.md) to learn how to create custom Kingfisher rules.
 
diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md
index bf9bcf0..cb35da1 100644
--- a/docs/ADVANCED.md
+++ b/docs/ADVANCED.md
@@ -297,7 +297,7 @@ kingfisher scan ./my-project \
 
 ## Custom Rules
 
-Kingfisher ships with 700+ rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
+Kingfisher ships with 800+ rules, but you may want to add your own custom rules or modify existing detection to better suit your needs.
 
 First, review [RULES.md](RULES.md) to learn how to create custom Kingfisher rules.
 
diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
index 448e20a..3a2366f 100644
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -110,7 +110,7 @@ flowchart LR
 - `src/parser.rs`: tree-sitter integration for language-aware parsing, supporting 17+ languages (Bash, C, C#, C++, CSS, Go, HTML, Java, JavaScript, PHP, Python, Ruby, Rust, TOML, TypeScript, YAML, and regex).
 - `src/scanner_pool.rs`: thread-local vectorscan `BlockScanner` pool, providing safe reuse of compiled pattern databases across scan threads.
 - `src/reporter.rs` and `src/reporter/*`: report rendering for pretty, JSON, BSON, TOON, SARIF, and HTML outputs, plus the data model used by the viewer.
-- `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, AWS, Azure, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase validators, with Liquid template integration for custom validation logic.
+- `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, gRPC, plus schema-level typed validators such as AWS, AzureStorage, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase, and delegates ad-hoc `Raw` validators to `crates/kingfisher-scanner/src/validation/raw.rs`.
 - `src/direct_revoke.rs`: direct revocation of a known secret without going through the scan pipeline. Uses Liquid templates for revocation configurations and supports multi-step HTTP revocation flows.
 - `src/access_map.rs` and `src/access_map/*`: standalone blast-radius mapping with 24 provider implementations including AWS, Azure, GCP, GitHub, GitLab, Slack, Bitbucket, Gitea, Hugging Face, Buildkite, Anthropic, OpenAI, and more.
 
@@ -118,6 +118,7 @@ flowchart LR
 
 - The main CLI scan path is implemented primarily in the application modules under `src/`, not in `kingfisher-scanner`.
 - `kingfisher-scanner` is still important: it provides the embeddable scanner API plus shared validation and primitive functionality reused by the application.
+- The shared validation layer in `crates/kingfisher-scanner/src/validation/` contains both reusable typed validator families and the `Raw` exception-path validators used by rule YAML.
 - Direct `validate`, `revoke`, and standalone `access-map` are sibling command paths. They are not downstream stages of `FindingsStore`.
 - Reporting is downstream from the datastore, which lets Kingfisher emit multiple output formats and drive the local viewer from the same finding set.
 - The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and tree-sitter verification improve accuracy and reduce false positives.
diff --git a/docs/LIBRARY.md b/docs/LIBRARY.md
index 1b51fff..b2174fb 100644
--- a/docs/LIBRARY.md
+++ b/docs/LIBRARY.md
@@ -36,7 +36,13 @@ The `kingfisher-scanner` crate supports optional validation features:
 | ------- | ----------- |
 | `validation` | Core validation support (includes HTTP validation) |
 | `validation-http` | HTTP-based validation for API tokens |
+| `validation-raw` | Provider/protocol-specific raw validation flows for `validation: type: Raw` rules |
 | `validation-aws` | AWS credential validation via STS GetCallerIdentity |
+| `validation-azure` | Azure storage credential validation |
+| `validation-coinbase` | Coinbase credential validation |
+| `validation-gcp` | GCP credential validation |
+| `validation-jwt` | JWT validation |
+| `validation-database` | MongoDB, MySQL, PostgreSQL, and JDBC validation |
 | `validation-all` | Enable all validation features |
 
 ## Quick Start
@@ -259,7 +265,7 @@ flowchart TD
 
 ### Loading Builtin Rules
 
-Kingfisher comes with 700+ builtin rules for common secret types:
+Kingfisher comes with 800+ builtin rules for common secret types:
 
 ```rust
 use kingfisher_rules::{get_builtin_rules, Confidence};
@@ -724,9 +730,17 @@ kingfisher-scanner = { git = "https://github.com/mongodb/kingfisher", features =
 | ------- | ----------- |
 | `validation` | Core validation support with HTTP validation |
 | `validation-http` | HTTP-based validation for API tokens |
+| `validation-raw` | Provider/protocol-specific raw validation flows for `validation: type: Raw` rules |
 | `validation-aws` | AWS credential validation via STS |
+| `validation-azure` | Azure storage credential validation |
+| `validation-coinbase` | Coinbase credential validation |
+| `validation-gcp` | GCP credential validation |
+| `validation-jwt` | JWT validation |
+| `validation-database` | MongoDB, MySQL, PostgreSQL, and JDBC validation |
 | `validation-all` | Enable all validation features |
 
+`validation: type: Raw` is the ad-hoc validator path for provider-specific or protocol-specific checks that are not generic enough to become schema-level validator families. Typed validators such as `AWS`, `GCP`, `MongoDB`, and `JWT` remain separate validator kinds in the rule schema.
+
 ### HTTP Validation Example
 
 ```rust
diff --git a/docs/RULES.md b/docs/RULES.md
index 5fe9bad..6386da9 100644
--- a/docs/RULES.md
+++ b/docs/RULES.md
@@ -168,9 +168,29 @@ revocation:
 | visible                 | false to hide non‑secret captures (e.g. IDs)                         |
 | depends_on_rule         | Chain rules: use captures from one rule in another's validation      |
 | pattern_requirements  | Require character types and/or exclude placeholder words from matches |
-| validation              | Configure HTTP, AWS, GCP, etc. checks to verify live validity        |
+| validation              | Configure `Http`, `Grpc`, typed validators (`AWS`, `GCP`, etc.), or `Raw` exception-path checks to verify live validity |
 | revocation              | Configure HTTP, AWS, or multi-step revocation for a detected secret  |
 
+## Validation Types
+
+Kingfisher supports three validation buckets:
+
+1. `Http` and `Grpc`: YAML-native validation flows. Prefer these first.
+2. Typed validators: schema-level validation families already modeled in the rule schema, such as `AWS`, `AzureStorage`, `Coinbase`, `GCP`, `MongoDB`, `MySQL`, `Postgres`, `Jdbc`, and `JWT`.
+3. Raw validators: provider-specific or protocol-specific exception paths dispatched through `validation: type: Raw`.
+
+Raw validation looks like this:
+
+```yaml
+validation:
+  type: Raw
+  content: kraken
+```
+
+Use `Raw` only when the provider check cannot be expressed reliably with `Http` or `Grpc` and does not justify a new reusable validator family. Raw validator implementations live in `crates/kingfisher-scanner/src/validation/raw.rs`.
+
+Typed validators are safer and more reusable because the validator kind is part of the schema. `Raw` validators are string-dispatched and fail at runtime if the `content` name is unknown. If you need a Rust-backed exception path for one provider, prefer `Raw`; reserve new typed validators for stable validation families that can be reused across rules.
+
 ## gRPC Validation (Grpc)
 
 Some services (notably CLI/SDK control planes) are **gRPC-only**. For these, `validation: type: Http`
@@ -468,6 +488,7 @@ Below is the complete list of Liquid filters available in Kingfisher, along with
 | `hmac_sha1`           | `key` (string)                               | Computes HMAC-SHA1 over the input, returns Base64-encoded result.                                              | `{{ TOKEN \| hmac_sha1: "secret-key" }}`                             |
 | `hmac_sha256`         | `key` (string)                               | Computes HMAC-SHA256 over the input, returns Base64-encoded result.                                            | `{{ TOKEN \| hmac_sha256: "secret-key" }}`                           |
 | `hmac_sha384`         | `key` (string)                               | Computes HMAC-SHA384 over the input, returns Base64-encoded result.                                            | `{{ TOKEN \| hmac_sha384: "secret-key" }}`                           |
+| `hmac_sha384_hex`     | `key` (string)                               | Computes HMAC-SHA384 over the input, returns lowercase hexadecimal output.                                     | `{{ TOKEN \| hmac_sha384_hex: "secret-key" }}`                       |
 | `hmac_sha256_b64key`  | `key` (string, base64-encoded)               | Decodes the key from Base64 to raw bytes, then computes HMAC-SHA256. Returns Base64. Use for Azure SAS and other protocols where the signing key is base64-encoded. | `{{ to_sign \| hmac_sha256_b64key: TOKEN }}`                         |
 | `random_string`       | `len` (integer, optional)                    | Generates a cryptographically-secure random alphanumeric string of the specified length (default: 32).        | `{{ "" \| random_string: 16 }}`                                      |
 | `prefix`              | `len` (integer, optional)                    | Returns the first `len` characters from the string (default: full).                                            | `{{ TOKEN \| prefix: 6 }}`                                           |
@@ -476,8 +497,10 @@ Below is the complete list of Liquid filters available in Kingfisher, along with
 | `url_encode`          | –                                            | Percent-encodes the input according to RFC 3986.                                                                | `{{ TOKEN \| url_encode }}`                                          |
 | `json_escape`         | –                                            | Escapes special characters so a string can be safely injected into JSON contexts.                              | `{{ TOKEN \| json_escape }}`                                         |
 | `unix_timestamp`      | –                                            | Returns the current Unix epoch time in seconds (UTC).                                                          | `{{ "" \| unix_timestamp }}`                                         |
+| `unix_timestamp_ms`   | –                                            | Returns the current Unix epoch time in milliseconds (UTC).                                                     | `{{ "" \| unix_timestamp_ms }}`                                      |
 | `iso_timestamp`       | –                                            | Returns the current UTC timestamp in full ISO-8601 format (may include fractional seconds).                    | `{{ "" \| iso_timestamp }}`                                          |
 | `iso_timestamp_no_frac` | –                                          | Current ISO-8601 timestamp (UTC) **without** fractional seconds.                                               | `{{ "" \| iso_timestamp_no_frac }}`                                  |
+| `rfc1123_date`        | –                                            | Returns the current RFC-1123 timestamp in GMT.                                                                 | `{{ "" \| rfc1123_date }}`                                           |
 | `uuid`                | –                                            | Generates a random UUIDv4 string.                                                                              | `{{ "" \| uuid }}`                                                   |
 | `jwt_header`          | –                                            | Builds a minimal JWT header JSON (`{"typ":"JWT","alg":…}`) and Base64URL-encodes it.                           | `{{ "HS256" \| jwt_header }}`                                        |
 | `replace`             | `from` (string), `to` (string)               | Replaces every occurrence of `from` with `to` in the input string.                                             | `{{ "hello world" \| replace: "world", "mars" }}`                    |
@@ -492,6 +515,11 @@ Authorization: Basic {{ "api:" | append: TOKEN | b64enc }}
 ```
 
 **Runtime Values:** Filters like unix_timestamp and uuid are evaluated at runtime, enabling nonces, timestamps, and unique IDs in your requests.
+
+**Stable Request Values:** HTTP and gRPC validation requests also expose stable per-request template variables. Use these when the same generated value must appear in multiple places within one request. Currently:
+- `REQUEST_RFC1123_DATE`
+- `REQUEST_UNIX_MILLIS`
+
 ### How depends_on_rule Works
 
 - **Dependency Declaration:**  
@@ -738,7 +766,7 @@ When writing custom rules, consider the following best practices:
 
 1. **Multi-line Regex:** Write your regex patterns over multiple lines for clarity. Use the `(?x)` flag to enable free-spacing mode.
 2. **Optimize for Performance:** Structure your regex to minimize backtracking. Use non-capturing groups where possible and keep the pattern as concise as possible.
-3. **Validation Integration:** Define a `validation` section if you want to verify the detected secret. You can use Liquid templating to insert dynamic values—use the unnamed capture as `TOKEN` and any named captures in uppercase.
+3. **Validation Integration:** Define a `validation` section if you want to verify the detected secret. Prefer `Http` or `Grpc`; use an existing typed validator when the rule matches a supported validator family; use `Raw` only for rare provider-specific exception paths. You can use Liquid templating to insert dynamic values where supported. Use the unnamed capture as `TOKEN` and any named captures in uppercase.
 4. **Revocation Integration:** Define a `revocation` section if you want to revoke a detected secret. It uses the same HTTP request format and template variables as `validation`.
 5. **Test with Examples:** Always include examples that should match and, optionally, negative examples to ensure your rule behaves as expected.
 
@@ -915,4 +943,4 @@ rules:
               words: ['"Arn"']
     depends_on_rule:
       - rule_id: kingfisher.alibabacloud.1
-        variable: AKID```
\ No newline at end of file
+        variable: AKID```
diff --git a/src/direct_validate.rs b/src/direct_validate.rs
index 5d68d22..1cea920 100644
--- a/src/direct_validate.rs
+++ b/src/direct_validate.rs
@@ -133,6 +133,10 @@ fn extract_template_vars(text: &str) -> BTreeSet<String> {
     re.captures_iter(text).filter_map(|cap| cap.get(1).map(|m| m.as_str().to_uppercase())).collect()
 }
 
+fn is_auto_provided_request_var(var: &str) -> bool {
+    matches!(var, "REQUEST_RFC1123_DATE" | "REQUEST_UNIX_MILLIS")
+}
+
 /// Extract all template variables used in a validation configuration.
 fn extract_validation_vars(validation: &Validation) -> BTreeSet<String> {
     let mut vars = BTreeSet::new();
@@ -201,11 +205,13 @@ fn extract_validation_vars(validation: &Validation) -> BTreeSet<String> {
             vars.insert("TOKEN".to_string());
             vars.insert("CRED_NAME".to_string());
         }
-        Validation::Raw(_) => {
-            vars.insert("TOKEN".to_string());
+        Validation::Raw(raw) => {
+            vars.extend(kingfisher_scanner::validation::raw::required_vars(raw));
         }
     }
 
+    vars.retain(|var| !is_auto_provided_request_var(var));
+
     vars
 }
 
@@ -298,8 +304,10 @@ async fn execute_http_validation(
     retries: u32,
     allow_internal_ips: bool,
 ) -> Result<DirectValidationResult> {
+    let request_globals = kingfisher_scanner::validation::with_request_template_globals(globals);
+
     // Render the URL
-    let url = render_and_parse_url(parser, globals, &http_validation.request.url).await?;
+    let url = render_and_parse_url(parser, &request_globals, &http_validation.request.url).await?;
 
     // SSRF check: verify the resolved IP is public before making the request
     crate::validation::utils::check_url_resolvable(&url, allow_internal_ips)
@@ -317,7 +325,7 @@ async fn execute_http_validation(
         &http_validation.request.body,
         timeout,
         parser,
-        globals,
+        &request_globals,
     )
     .map_err(|e| anyhow!("Failed to build request: {}", e))?;
 
@@ -359,8 +367,11 @@ async fn execute_grpc_validation(
     timeout: Duration,
     allow_internal_ips: bool,
 ) -> Result<DirectValidationResult> {
+    let request_globals = kingfisher_scanner::validation::with_request_template_globals(globals);
+
     // Render the URL
-    let url = render_and_parse_url(parser, globals, &grpc_validation_cfg.request.url).await?;
+    let url =
+        render_and_parse_url(parser, &request_globals, &grpc_validation_cfg.request.url).await?;
 
     // SSRF check: verify the resolved IP is public before making the request
     crate::validation::utils::check_url_resolvable(&url, allow_internal_ips)
@@ -374,7 +385,7 @@ async fn execute_grpc_validation(
         &grpc_validation_cfg.request.headers,
         &grpc_validation_cfg.request.body,
         parser,
-        globals,
+        &request_globals,
         timeout,
     )
     .await
@@ -840,13 +851,31 @@ pub async fn run_direct_validation(
                 }
             }
 
-            Validation::Raw(_) => DirectValidationResult {
-                rule_id: String::new(),
-                rule_name: String::new(),
-                is_valid: false,
-                status_code: None,
-                message: "Raw validation type is not supported via direct validation.".to_string(),
-            },
+            Validation::Raw(raw) => {
+                match kingfisher_scanner::validation::raw::validate_raw(
+                    raw,
+                    &globals,
+                    &client,
+                    use_lax_tls,
+                )
+                .await
+                {
+                    Ok(result) => DirectValidationResult {
+                        rule_id: String::new(),
+                        rule_name: String::new(),
+                        is_valid: result.valid,
+                        status_code: Some(result.status.as_u16()),
+                        message: result.body,
+                    },
+                    Err(e) => DirectValidationResult {
+                        rule_id: String::new(),
+                        rule_name: String::new(),
+                        is_valid: false,
+                        status_code: None,
+                        message: format!("Raw validation error: {}", e),
+                    },
+                }
+            }
         };
 
         result.rule_id = rule_id;
diff --git a/src/reporter.rs b/src/reporter.rs
index b01c6df..d1a5a24 100644
--- a/src/reporter.rs
+++ b/src/reporter.rs
@@ -86,6 +86,10 @@ fn extract_template_vars(text: &str) -> BTreeSet<String> {
     vars
 }
 
+fn is_auto_provided_request_var(var: &str) -> bool {
+    matches!(var, "REQUEST_RFC1123_DATE" | "REQUEST_UNIX_MILLIS")
+}
+
 fn required_vars_for_validation(validation: &crate::rules::Validation) -> BTreeSet<String> {
     use crate::rules::Validation;
     let mut vars = BTreeSet::new();
@@ -133,11 +137,13 @@ fn required_vars_for_validation(validation: &crate::rules::Validation) -> BTreeS
             vars.insert("TOKEN".to_string());
             vars.insert("CRED_NAME".to_string());
         }
-        Validation::Raw(_) => {
-            vars.insert("TOKEN".to_string());
+        Validation::Raw(raw) => {
+            vars.extend(kingfisher_scanner::validation::raw::required_vars(raw));
         }
     }
 
+    vars.retain(|var| !is_auto_provided_request_var(var));
+
     vars
 }
 
diff --git a/src/validation.rs b/src/validation.rs
index fd33662..3e90b07 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -614,10 +614,11 @@ async fn timed_validate_single_match<'a>(
             let request_timeout = validation_timeout;
             let multipart_timeout = validation_timeout;
             let max_retries: u32 = validation_retries;
+            let request_globals = httpvalidation::with_request_template_globals(&globals);
             // render URL
             let url = match render_and_parse_url(
                 parser,
-                &globals,
+                &request_globals,
                 &rule_syntax.name,
                 &http_validation.request.url,
                 clients.allow_internal_ips,
@@ -643,7 +644,7 @@ async fn timed_validate_single_match<'a>(
                 &http_validation.request.body,
                 request_timeout,
                 parser,
-                &globals,
+                &request_globals,
             ) {
                 Ok(rb) => rb,
                 Err(e) => {
@@ -663,7 +664,7 @@ async fn timed_validate_single_match<'a>(
                 let rendered_headers = httpvalidation::process_headers(
                     &http_validation.request.headers,
                     parser,
-                    &globals,
+                    &request_globals,
                     &url,
                 )
                 .unwrap_or_default();
@@ -681,7 +682,7 @@ async fn timed_validate_single_match<'a>(
                         parser
                             .parse(body_template)
                             .ok()
-                            .and_then(|template| template.render(&globals).ok())
+                            .and_then(|template| template.render(&request_globals).ok())
                     });
 
                 cache_key = httpvalidation::generate_http_cache_key_parts(
@@ -726,7 +727,7 @@ async fn timed_validate_single_match<'a>(
                     if let Ok(mut headers) = httpvalidation::process_headers(
                         &http_validation.request.headers,
                         parser,
-                        &globals,
+                        &request_globals,
                         &url,
                     ) {
                         // add realistic UA & accept headers
@@ -752,7 +753,7 @@ async fn timed_validate_single_match<'a>(
                             "file" => {
                                 let path = render_template(
                                     parser,
-                                    &globals,
+                                    &request_globals,
                                     &rule_syntax.name,
                                     &part.content,
                                 )
@@ -771,7 +772,7 @@ async fn timed_validate_single_match<'a>(
                             "text" => {
                                 let txt = render_template(
                                     parser,
-                                    &globals,
+                                    &request_globals,
                                     &rule_syntax.name,
                                     &part.content,
                                 )
@@ -872,11 +873,12 @@ async fn timed_validate_single_match<'a>(
         // ---------------------------------------------------- gRPC validator
         Some(Validation::Grpc(grpc_validation_cfg)) => {
             let request_timeout = validation_timeout;
+            let request_globals = httpvalidation::with_request_template_globals(&globals);
 
             // Render URL
             let url = match render_and_parse_url(
                 parser,
-                &globals,
+                &request_globals,
                 &rule_syntax.name,
                 &grpc_validation_cfg.request.url,
                 clients.allow_internal_ips,
@@ -899,7 +901,7 @@ async fn timed_validate_single_match<'a>(
                 &grpc_validation_cfg.request.headers,
                 &grpc_validation_cfg.request.body,
                 parser,
-                &globals,
+                &request_globals,
                 request_timeout,
             )
             .await
@@ -1481,11 +1483,27 @@ async fn timed_validate_single_match<'a>(
         }
         // --------------------------------------------------------- Raw / none
         Some(Validation::Raw(raw)) => {
-            debug!("Raw validation not implemented: {}", raw);
-            m.validation_success = false;
-            m.validation_response_body =
-                validation_body::from_string("Validator not implemented".to_string());
-            m.validation_response_status = StatusCode::NOT_IMPLEMENTED;
+            match kingfisher_scanner::validation::raw::validate_raw(
+                raw,
+                &globals,
+                client,
+                clients.should_use_lax(rule_syntax.tls_mode),
+            )
+            .await
+            {
+                Ok(result) => {
+                    m.validation_success = result.valid;
+                    m.validation_response_body = validation_body::from_string(result.body);
+                    m.validation_response_status = result.status;
+                }
+                Err(e) => {
+                    debug!("Raw validation error for {}: {}", raw, e);
+                    m.validation_success = false;
+                    m.validation_response_body =
+                        validation_body::from_string(format!("Raw validation error: {}", e));
+                    m.validation_response_status = StatusCode::BAD_GATEWAY;
+                }
+            }
         }
         None => { /* no validation specified */ }
     }
diff --git a/src/validation_rate_limit.rs b/src/validation_rate_limit.rs
index 8b1ac1c..9eb9eb8 100644
--- a/src/validation_rate_limit.rs
+++ b/src/validation_rate_limit.rs
@@ -118,7 +118,10 @@ fn selector_matches(rule_id: &str, selector: &str) -> bool {
 }
 
 pub fn should_rate_limit_validation(validation: &Validation) -> bool {
-    !matches!(validation, Validation::Raw(_))
+    match validation {
+        Validation::Raw(raw) => raw != "custom",
+        _ => true,
+    }
 }
 
 #[cfg(test)]

From 4cc1a3413065798aef2667115b489a014671295d Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Mon, 6 Apr 2026 22:25:54 -0700
Subject: [PATCH 03/17] added more rules

---
 crates/kingfisher-rules/data/rules/highnote.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crates/kingfisher-rules/data/rules/highnote.yml b/crates/kingfisher-rules/data/rules/highnote.yml
index 953ff32..cfdffcb 100644
--- a/crates/kingfisher-rules/data/rules/highnote.yml
+++ b/crates/kingfisher-rules/data/rules/highnote.yml
@@ -4,6 +4,9 @@ rules:
     pattern: |
       (?x)
       \b
+      (?i:highnote)
+      (?:.|[\n\r]){0,24}?
+      \b
       (
         (?:sk|rk)_(?:live|test)_[a-zA-Z0-9]{20,60}
       )

From f72d0c06225dd5e5c0f81fc8d1935d543072f681 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Mon, 6 Apr 2026 22:36:09 -0700
Subject: [PATCH 04/17] Bump jsonwebtoken to 10.3.0

---
 Cargo.toml                           | 2 +-
 crates/kingfisher-scanner/Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index e4f8b78..b8607b8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -226,7 +226,7 @@ percent-encoding = "2.3.2"
 self_update = { version = "0.43.1", default-features = false, features = ["reqwest", "rustls", "archive-tar", "archive-zip", "compression-flate2"] }
 semver = "1.0.27"
 globset = "0.4.18"
-jsonwebtoken = { version = "10.2.0", features = ["aws-lc-rs"] }
+jsonwebtoken = { version = "10.3.0", features = ["aws-lc-rs"] }
 ipnet = "2.11.0"
 gouqi = { version = "0.20.0", features = ["async"] }
 oci-client = { version = "0.16", default-features = false, features = ["rustls-tls"] }
diff --git a/crates/kingfisher-scanner/Cargo.toml b/crates/kingfisher-scanner/Cargo.toml
index f5b5dd2..013d0a7 100644
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
@@ -183,7 +183,7 @@ pem = { version = "3.0.6", optional = true }
 percent-encoding = { workspace = true, optional = true }
 ring = { version = "0.17", optional = true }
 
-jsonwebtoken = { version = "10.2.0", features = ["aws-lc-rs"], optional = true }
+jsonwebtoken = { version = "10.3.0", features = ["aws-lc-rs"], optional = true }
 p256 = { version = "0.13.2", optional = true }
 ed25519-dalek = { version = "2.2", features = ["pkcs8"], optional = true }
 hex = { workspace = true, optional = true }

From 413798e27d7f9de8a16481712b87e6799dea8b46 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Mon, 6 Apr 2026 23:58:55 -0700
Subject: [PATCH 05/17] Apply open Dependabot updates

---
 .github/workflows/docs.yml           |  6 +++---
 Cargo.lock                           | 24 ++++++++++++------------
 Cargo.toml                           |  2 +-
 crates/kingfisher-scanner/Cargo.toml |  4 ++--
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f6cf749..4111f6b 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -27,7 +27,7 @@ jobs:
 
       - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -46,7 +46,7 @@ jobs:
           CI: true
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: docs-site/site
 
@@ -59,4 +59,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/Cargo.lock b/Cargo.lock
index 54f32a1..36fd53a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1611,9 +1611,9 @@ checksum = "de0758edba32d61d1fd9f4d69491b47604b91ee2f7e6b33de7e54ca4ebe55dc3"
 
 [[package]]
 name = "color-backtrace"
-version = "0.7.2"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "308329d5d62e877ba02943db3a8e8c052de9fde7ab48283395ba0e6494efbabd"
+checksum = "83c39683d44e712e45134c852c21c2f60139c3846047c9dde39cddf7066c78c6"
 dependencies = [
  "backtrace",
  "termcolor",
@@ -7156,7 +7156,6 @@ dependencies = [
  "futures-channel",
  "futures-core",
  "futures-util",
- "h2",
  "http 1.4.0",
  "http-body 1.0.1",
  "http-body-util",
@@ -7202,6 +7201,7 @@ dependencies = [
  "futures-channel",
  "futures-core",
  "futures-util",
+ "h2",
  "http 1.4.0",
  "http-body 1.0.1",
  "http-body-util",
@@ -7792,9 +7792,9 @@ dependencies = [
 
 [[package]]
 name = "self_update"
-version = "0.43.1"
+version = "0.44.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6644febaa58f323b28f7321d04e24d0020d117c27619ab869d6abdf76be9aac6"
+checksum = "2e79722b5a505d4ddc77527455a97244e9e8c4c07533ff44cf4421cce7bb6d17"
 dependencies = [
  "either",
  "flate2",
@@ -7803,7 +7803,7 @@ dependencies = [
  "log",
  "quick-xml 0.38.4",
  "regex",
- "reqwest 0.12.28",
+ "reqwest 0.13.2",
  "self-replace",
  "semver",
  "serde",
@@ -7818,9 +7818,9 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.27"
+version = "1.0.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
 dependencies = [
  "serde",
  "serde_core",
@@ -8789,9 +8789,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.50.0"
+version = "1.51.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+checksum = "2bd1c4c0fc4a7ab90fc15ef6daaa3ec3b893f004f915f2392557ed23237820cd"
 dependencies = [
  "bytes",
  "libc",
@@ -8806,9 +8806,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-macros"
-version = "2.6.1"
+version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
+checksum = "385a6cb71ab9ab790c5fe8d67f1645e6c450a7ce006a33de03daa956cf70a496"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/Cargo.toml b/Cargo.toml
index b8607b8..3bc7011 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -223,7 +223,7 @@ bloomfilter = "3.0.1"
 uuid = "1.19.0"
 rand = "0.10.0"
 percent-encoding = "2.3.2"
-self_update = { version = "0.43.1", default-features = false, features = ["reqwest", "rustls", "archive-tar", "archive-zip", "compression-flate2"] }
+self_update = { version = "0.44.0", default-features = false, features = ["reqwest", "rustls", "archive-tar", "archive-zip", "compression-flate2"] }
 semver = "1.0.27"
 globset = "0.4.18"
 jsonwebtoken = { version = "10.3.0", features = ["aws-lc-rs"] }
diff --git a/crates/kingfisher-scanner/Cargo.toml b/crates/kingfisher-scanner/Cargo.toml
index 013d0a7..69d0d8c 100644
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
@@ -170,7 +170,7 @@ tracing.workspace = true
 reqwest = { version = "0.12", default-features = false, features = [
     "json", "gzip", "brotli", "deflate", "stream", "rustls-tls", "rustls-tls-native-roots", "multipart"
 ], optional = true }
-tokio = { version = "1.48", features = ["net", "time", "sync", "io-util"], optional = true }
+tokio = { version = "1.51", features = ["net", "time", "sync", "io-util"], optional = true }
 liquid = { version = "0.26", optional = true }
 liquid-core = { version = "0.26", optional = true }
 quick-xml = { version = "0.39", features = ["serde", "serialize"], optional = true }
@@ -213,4 +213,4 @@ rand = { version = "0.10", optional = true }
 [dev-dependencies]
 pretty_assertions = "1.4"
 tempfile = "3.23"
-tokio = { version = "1.48", features = ["macros", "rt"] }
+tokio = { version = "1.51", features = ["macros", "rt"] }

From afee0b7181228fd5de87f3796d9a12db5a8b626f Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Tue, 7 Apr 2026 10:42:44 -0700
Subject: [PATCH 06/17] updated rules

---
 CHANGELOG.md                                  |  2 +-
 crates/kingfisher-rules/data/rules/AGENTS.md  |  4 +
 crates/kingfisher-rules/data/rules/adobe.yml  | 51 ++++++++++-
 crates/kingfisher-rules/data/rules/asaas.yml  | 29 ++++++
 crates/kingfisher-rules/data/rules/asana.yml  | 26 ++++++
 crates/kingfisher-rules/data/rules/azure.yml  | 24 +++++
 .../kingfisher-rules/data/rules/azuremaps.yml | 21 +++++
 .../kingfisher-rules/data/rules/branchio.yml  | 14 +++
 .../data/rules/cockroachlabs.yml              | 23 +++++
 .../data/rules/databricks.yml                 | 24 ++++-
 crates/kingfisher-rules/data/rules/gitlab.yml | 21 +++++
 crates/kingfisher-rules/data/rules/google.yml | 90 ++++++++++++++++++-
 .../data/rules/googleoauth2.yml               | 17 +++-
 .../kingfisher-rules/data/rules/highnote.yml  | 30 +++++++
 .../kingfisher-rules/data/rules/langfuse.yml  | 11 +--
 .../kingfisher-rules/data/rules/posthog.yml   | 16 ++++
 crates/kingfisher-rules/data/rules/proof.yml  | 27 ++++++
 .../kingfisher-rules/data/rules/tableau.yml   | 17 ++--
 .../kingfisher-scanner/src/validation/raw.rs  | 27 ++++++
 data/default/rule_cleanup/count_rules.py      | 63 +++++++++----
 docs-site/docs/changelog.md                   |  5 ++
 src/direct_validate.rs                        |  1 +
 src/reporter.rs                               |  8 +-
 src/validation.rs                             |  3 +-
 24 files changed, 513 insertions(+), 41 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f507c0..5ee1dde 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [v1.95.0]
 - Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
 - Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
-- Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex, and fixed newly added rule patterns/examples so `kingfisher rules check` passes cleanly.
+- Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex. Also tightened newly added helper regex to avoid high-match scan regressions, and made preflight-blocked raw validations report as skipped/not attempted instead of failed.
 
 ## [v1.94.0]
 - Updated vendored `vectorscan-rs` from v0.0.5 (Vectorscan 5.4.11) to v0.0.6 (Vectorscan 5.4.12). The upstream crate now ships pre-extracted sources instead of a tarball+patch, and fixes the `cpu_native` feature flag. Local Windows and musl build patches have been re-applied.
diff --git a/crates/kingfisher-rules/data/rules/AGENTS.md b/crates/kingfisher-rules/data/rules/AGENTS.md
index 433d951..0287d66 100644
--- a/crates/kingfisher-rules/data/rules/AGENTS.md
+++ b/crates/kingfisher-rules/data/rules/AGENTS.md
@@ -30,6 +30,7 @@ Strongly recommended fields:
 
 ## Pattern Quality Rules
 - Prefer specific anchors/prefixes and provider context over broad generic regex.
+- Keep helper/context regex narrow. Avoid patterns that match generic URLs, hostnames, query params, or assignments without strong provider-specific constraints; broad helpers can create huge match counts and cause major memory/time regressions on large repos and git history.
 - When the token format is generic or common-looking (for example bare 32-hex keys), prefer contextual patterns of the form: provider keyword -> short flexible gap -> key/secret label -> short flexible gap -> token. A good default is:
   - `\b`
   - provider identifier (for example `amplitude`, `azure`, `speech`, `translator`)
@@ -83,6 +84,9 @@ Strongly recommended fields:
   - `cargo test -p kingfisher-rules`
 - Broader regression check:
   - `cargo test --workspace --all-targets`
+- Match-volume check on a realistic large target:
+  - `kingfisher scan <large-repo-or-test-corpus> --rule-stats`
+  - Review unexpected high-match helper/generic rules before submitting.
 - **Warning-free build**: `cargo check` (or `make darwin` / `make linux`) must produce zero warnings. Address all `dead_code`, `unused_*`, and other warnings before submitting. Use `#[allow(dead_code)]` on individual struct fields kept for deserialization completeness, and remove truly unused code.
 - Behavioral check against sample content:
   - `kingfisher scan ./testdata --rule <rule-family-or-id> --rule-stats`
diff --git a/crates/kingfisher-rules/data/rules/adobe.yml b/crates/kingfisher-rules/data/rules/adobe.yml
index ec72a85..63a2062 100644
--- a/crates/kingfisher-rules/data/rules/adobe.yml
+++ b/crates/kingfisher-rules/data/rules/adobe.yml
@@ -73,4 +73,53 @@ rules:
             "client_credentials": {
             "client_id": "a65b0146769d433a835f36660881db50",
             "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
-          },
\ No newline at end of file
+          },
+    depends_on_rule:
+      - rule_id: "kingfisher.adobe.4"
+        variable: ADOBE_CLIENT_ID
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://ims-na1.adobelogin.com/ims/token/v3
+          headers:
+            Authorization: 'Basic {{ ADOBE_CLIENT_ID | append: ":" | append: TOKEN | b64enc }}'
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: 'code=invalid_code&grant_type=authorization_code'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    # Revocation not added: Adobe documents revocation for access and refresh
+    # tokens, not for the OAuth client secret itself.
+    references:
+      - https://developer.adobe.com/developer-console/docs/guides/authentication/UserAuthentication/ims
+
+  - name: Adobe OAuth Client ID
+    id: kingfisher.adobe.4
+    pattern: |
+      (?xi)
+      \b
+      adobe
+      (?:.|[\n\r]){0,64}?
+      client_id
+      (?:.|[\n\r]){0,16}?
+      (
+        [a-f0-9]{32}
+      )
+      \b
+    min_entropy: 3.0
+    visible: false
+    examples:
+      - |
+          {
+            "client_credentials": {
+            "client_id": "a65b0146769d433a835f36660881db50",
+            "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
+          },
diff --git a/crates/kingfisher-rules/data/rules/asaas.yml b/crates/kingfisher-rules/data/rules/asaas.yml
index 3b06e7b..1746083 100644
--- a/crates/kingfisher-rules/data/rules/asaas.yml
+++ b/crates/kingfisher-rules/data/rules/asaas.yml
@@ -14,5 +14,34 @@ rules:
     examples:
       - 'ASAAS_API_KEY=$aact_prod_abcdefghijklmnop1234567890ABCDEF'
       - 'api_token: $aact_hmlg_abcdefghijklmnop1234567890ABCDEF'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: >
+            {%- if TOKEN contains "$aact_hmlg_" -%}
+            https://api-sandbox.asaas.com/v3/myAccount/commercialInfo/
+            {%- else -%}
+            https://api.asaas.com/v3/myAccount/commercialInfo/
+            {%- endif -%}
+          headers:
+            Accept: application/json
+            User-Agent: kingfisher
+            access_token: "{{ TOKEN }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"object"'
+                - '"commercialInfo"'
+    # Revocation not added: Asaas documents key deletion in the dashboard and
+    # parent-driven sub-account key management, but not a self-revoke endpoint
+    # for the current access_token alone.
     references:
       - https://docs.asaas.com/docs/authentication-2
+      - https://docs.asaas.com/docs/change-the-name-of-a-business-subaccount-via-api
diff --git a/crates/kingfisher-rules/data/rules/asana.yml b/crates/kingfisher-rules/data/rules/asana.yml
index 0def56b..0c767d9 100644
--- a/crates/kingfisher-rules/data/rules/asana.yml
+++ b/crates/kingfisher-rules/data/rules/asana.yml
@@ -41,6 +41,32 @@ rules:
     examples:
       - "asana :'20c2F0d03201af478ca1aBE9515A1A4FEfb'"
       - ASANA_PAT = 1234567890abcdef1234567890abcdef12
+    depends_on_rule:
+      - rule_id: kingfisher.asana.1
+        variable: ASANA_CLIENT_ID
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://app.asana.com/-/oauth_token
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: >
+            grant_type=authorization_code&client_id={{ ASANA_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ "https://example.com/oauth/callback" | url_encode }}&code=invalid_code
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    # Revocation not added: Asana's revoke endpoint deauthorizes refresh tokens,
+    # not OAuth client secrets.
+    references:
+      - https://developers.asana.com/docs/oauth
 
   - name: Asana OAuth / Personal Access Token (Legacy)
     id: kingfisher.asana.3
diff --git a/crates/kingfisher-rules/data/rules/azure.yml b/crates/kingfisher-rules/data/rules/azure.yml
index f909148..dd782e1 100644
--- a/crates/kingfisher-rules/data/rules/azure.yml
+++ b/crates/kingfisher-rules/data/rules/azure.yml
@@ -70,6 +70,30 @@ rules:
       - |
         if __name__ == "__main__":
             ado_pat =  "iyfmob6xjrfmit67anxbot64umfx2clwx7dz5ynxi4q2z3uqegvq"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1
+          headers:
+            Authorization: 'Basic {{ ":" | append: TOKEN | b64enc }}'
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"id"'
+                - '"displayName"'
+    # Revocation not added: Azure DevOps PAT lifecycle management is documented
+    # separately and is not a self-revoke flow driven solely by the PAT itself.
+    references:
+      - https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops
+      - https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.1
   - name: Azure Container Registry URL
     id: kingfisher.azure.4
     pattern: |
diff --git a/crates/kingfisher-rules/data/rules/azuremaps.yml b/crates/kingfisher-rules/data/rules/azuremaps.yml
index 177a382..762e41e 100644
--- a/crates/kingfisher-rules/data/rules/azuremaps.yml
+++ b/crates/kingfisher-rules/data/rules/azuremaps.yml
@@ -17,5 +17,26 @@ rules:
     categories: [api, key]
     examples:
       - AZURE_MAPS_KEY=AbCdEfGhIjKlMnOpQrStUvWxYz123456
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://atlas.microsoft.com/geocode?api-version=2025-01-01&addressLine=15127%20NE%2024th%20Street%20Redmond%20WA&countryRegion=US&subscription-key={{ TOKEN }}
+          headers:
+            Accept: application/geo+json, application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"FeatureCollection"'
+                - '"features"'
+    # Revocation not added: Azure Maps shared-key docs cover rotation and
+    # authentication, but I did not find a token self-revoke API.
     references:
       - https://learn.microsoft.com/en-us/azure/azure-maps/how-to-manage-authentication
+      - https://learn.microsoft.com/en-us/rest/api/maps/search/get-geocoding
diff --git a/crates/kingfisher-rules/data/rules/branchio.yml b/crates/kingfisher-rules/data/rules/branchio.yml
index 04cf378..7a0a655 100644
--- a/crates/kingfisher-rules/data/rules/branchio.yml
+++ b/crates/kingfisher-rules/data/rules/branchio.yml
@@ -45,6 +45,20 @@ rules:
       - 'branch.init("key_test_plqYW3Aq9Xija1cobGMieipndBzO5y7J");'
     references:
       - https://help.branch.io/developers-hub/docs/deep-linking-api
+      - https://help.branch.io/apidocs/app-api
+    depends_on_rule:
+      - rule_id: kingfisher.branchio.3
+        variable: BRANCH_SECRET
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: "https://api2.branch.io/v1/app/{{ TOKEN }}?branch_secret={{ BRANCH_SECRET }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
 
   - name: Branch.io Secret
     id: kingfisher.branchio.3
diff --git a/crates/kingfisher-rules/data/rules/cockroachlabs.yml b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
index 9fbcc40..a4b8d7e 100644
--- a/crates/kingfisher-rules/data/rules/cockroachlabs.yml
+++ b/crates/kingfisher-rules/data/rules/cockroachlabs.yml
@@ -24,5 +24,28 @@ rules:
     categories: [api, key]
     examples:
       - 'COCKROACHDB_API_KEY=B81649_8F7D11A_92BCE13_56782D_C53'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://cockroachlabs.cloud/api/v1/clusters?show_inactive=true
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+            Accept: application/json
+            Cc-Version: "2024-09-16"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"clusters"'
+                - '"pagination"'
+    # Revocation not added: the public Cloud API docs describe bearer-token
+    # authentication for service-account secret keys, but not a documented
+    # self-revocation endpoint for the current secret key value.
     references:
       - https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
diff --git a/crates/kingfisher-rules/data/rules/databricks.yml b/crates/kingfisher-rules/data/rules/databricks.yml
index 2405d5c..4190d22 100644
--- a/crates/kingfisher-rules/data/rules/databricks.yml
+++ b/crates/kingfisher-rules/data/rules/databricks.yml
@@ -22,6 +22,26 @@ rules:
       - secret
     references:
       - https://docs.databricks.com/dev-tools/api/latest/authentication.html
+      - https://docs.databricks.com/en/dev-tools/auth/pat.html
+    validation:
+      type: Http
+      content:
+        request:
+          headers:
+            Authorization: Bearer {{ TOKEN }}
+          method: GET
+          response_matcher:
+            - report_response: true
+            - status:
+                - 200
+              type: StatusMatch
+          url: https://{{ DOMAIN }}/api/2.0/clusters/list
+    depends_on_rule:
+      - rule_id: "kingfisher.databricks.3"
+        variable: DOMAIN
+    # Revocation not added: Databricks PAT docs describe token creation and
+    # use, but I did not find a PAT-only self-revoke endpoint suitable for YAML
+    # revocation here.
 
   - name: Databricks API Token
     id: kingfisher.databricks.2
@@ -51,7 +71,7 @@ rules:
               type: StatusMatch
           url: https://{{ DOMAIN }}/api/2.0/clusters/list
     depends_on_rule:
-      - rule_id: "kingfisher.databricks.2"
+      - rule_id: "kingfisher.databricks.3"
         variable: DOMAIN
 
   - name: Databricks Domain
@@ -83,4 +103,4 @@ rules:
     references:
       - https://docs.databricks.com/workspace/workspace-details.html
       - https://docs.gcp.databricks.com/workspace/workspace-details.html
-      - https://docs.microsoft.com/en-us/azure/databricks/scenarios/what-is-azure-databricks
\ No newline at end of file
+      - https://docs.microsoft.com/en-us/azure/databricks/scenarios/what-is-azure-databricks
diff --git a/crates/kingfisher-rules/data/rules/gitlab.yml b/crates/kingfisher-rules/data/rules/gitlab.yml
index 2fa5320..2ac05bb 100644
--- a/crates/kingfisher-rules/data/rules/gitlab.yml
+++ b/crates/kingfisher-rules/data/rules/gitlab.yml
@@ -213,6 +213,27 @@ rules:
       - 'CI_JOB_TOKEN=glcbt-a1b2c_3dEfGhIjKlMnOpQrStUv'
     references:
       - https://docs.gitlab.com/ci/jobs/ci_job_token/
+      - https://docs.gitlab.com/api/jobs/
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://gitlab.com/api/v4/job
+          headers:
+            JOB-TOKEN: '{{ TOKEN }}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"id"'
+                - '"status"'
+    # Revocation not added: CI/CD job tokens are short-lived and automatically
+    # invalidated when the job finishes.
 
   - name: GitLab Deploy Token
     id: kingfisher.gitlab.6
diff --git a/crates/kingfisher-rules/data/rules/google.yml b/crates/kingfisher-rules/data/rules/google.yml
index c6c9e66..4cfbde6 100644
--- a/crates/kingfisher-rules/data/rules/google.yml
+++ b/crates/kingfisher-rules/data/rules/google.yml
@@ -23,6 +23,32 @@ rules:
     confidence: medium
     examples:
       - 'const CLIENTSECRET = "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"'
+    depends_on_rule:
+      - rule_id: "kingfisher.google.1"
+        variable: GOOGLE_CLIENT_ID
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://oauth2.googleapis.com/token
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: >
+            code=invalid_code&client_id={{ GOOGLE_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ "https://example.com/oauth/callback" | url_encode }}&grant_type=authorization_code
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    # Revocation not added: Google's OAuth revocation endpoint revokes tokens,
+    # not client secrets.
+    references:
+      - https://developers.google.com/identity/protocols/oauth2/web-server
 
   - name: Google OAuth Client Secret
     id: kingfisher.google.3
@@ -36,6 +62,32 @@ rules:
     examples:
       - "                 //$google_client_secret = 'fnhqAakzWrX-mtFQ4PRdMoy0';"
       - "                'clientSecret' : 'Ufvuj-d6alhwGKvvLh_8Nq0K'"
+    depends_on_rule:
+      - rule_id: "kingfisher.google.1"
+        variable: GOOGLE_CLIENT_ID
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://oauth2.googleapis.com/token
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: >
+            code=invalid_code&client_id={{ GOOGLE_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ "https://example.com/oauth/callback" | url_encode }}&grant_type=authorization_code
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: WordMatch
+              words:
+                - invalid_client
+              negative: true
+    # Revocation not added: Google's OAuth revocation endpoint revokes tokens,
+    # not client secrets.
+    references:
+      - https://developers.google.com/identity/protocols/oauth2/web-server
 
   - name: Google OAuth Access Token
     id: kingfisher.google.4
@@ -61,6 +113,42 @@ rules:
       - |
         -- Clear login if it's a new connection.
         --propertyTable.access_token = 'ya29.Ci_UA7aEsvT6-oVI8f96kvB6i8oO13WgdZUviLaCVtpEPYZqhQcQycR-u2X9xtmYGA'
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={{ TOKEN | url_encode }}
+          headers:
+            Accept: application/json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"aud"'
+                - '"expires_in"'
+    revocation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://oauth2.googleapis.com/revoke
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: token={{ TOKEN | url_encode }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+    references:
+      - https://developers.google.com/identity/openid-connect/openid-connect
+      - https://developers.google.com/data-portability/user-guide/quickstart
+      - https://developers.google.com/identity/protocols/oauth2/web-server
 
   - name: Google OAuth Credentials
     id: kingfisher.google.6
@@ -118,4 +206,4 @@ rules:
               match_all_words: true
               words:
                 - '"models"'
-                - '"name"'
\ No newline at end of file
+                - '"name"'
diff --git a/crates/kingfisher-rules/data/rules/googleoauth2.yml b/crates/kingfisher-rules/data/rules/googleoauth2.yml
index ddbd412..be4664b 100644
--- a/crates/kingfisher-rules/data/rules/googleoauth2.yml
+++ b/crates/kingfisher-rules/data/rules/googleoauth2.yml
@@ -30,5 +30,20 @@ rules:
             - type: WordMatch
               words:
                 - '"email":'
+    revocation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://oauth2.googleapis.com/revoke
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: token={{ TOKEN | url_encode }}
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
     references:
-      - https://developers.google.com/identity/protocols/oauth2
\ No newline at end of file
+      - https://developers.google.com/identity/protocols/oauth2
+      - https://developers.google.com/identity/protocols/oauth2/web-server
diff --git a/crates/kingfisher-rules/data/rules/highnote.yml b/crates/kingfisher-rules/data/rules/highnote.yml
index cfdffcb..c8ddf35 100644
--- a/crates/kingfisher-rules/data/rules/highnote.yml
+++ b/crates/kingfisher-rules/data/rules/highnote.yml
@@ -19,5 +19,35 @@ rules:
     examples:
       - 'HIGHNOTE_API_KEY=sk_live_AbCdEfGhIjKlMnOpQrStUvWxYz1234'
       - 'highnote_key: rk_test_AbCdEfGhIjKlMnOpQrStUvWxYz1234'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: >
+            {%- if TOKEN contains "_test_" -%}
+            https://api.us.test.highnote.com/graphql
+            {%- else -%}
+            https://api.us.highnote.com/graphql
+            {%- endif -%}
+          headers:
+            Authorization: "Basic {{ TOKEN | b64enc }}"
+            Content-Type: application/json
+            Accept: application/json
+          body: '{"query":"query { ping }"}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+            - type: WordMatch
+              match_all_words: true
+              words:
+                - '"data"'
+                - '"ping"'
+                - '"pong"'
+    # Revocation not added: the public Highnote docs I found describe API key
+    # usage and rotation guidance, but not an API endpoint to revoke the
+    # current key directly.
     references:
       - https://docs.highnote.com/docs/developers/api/using-the-api
diff --git a/crates/kingfisher-rules/data/rules/langfuse.yml b/crates/kingfisher-rules/data/rules/langfuse.yml
index 3a010d8..845e6cb 100644
--- a/crates/kingfisher-rules/data/rules/langfuse.yml
+++ b/crates/kingfisher-rules/data/rules/langfuse.yml
@@ -2,10 +2,10 @@ rules:
   - name: Langfuse Secret Key
     id: kingfisher.langfuse.1
     pattern: |
-      (?xi)
+      (?x)
       \b
       (
-        sk-lf-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+        sk-lf-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}
       )
       \b
     pattern_requirements:
@@ -42,10 +42,10 @@ rules:
   - name: Langfuse Public Key
     id: kingfisher.langfuse.2
     pattern: |
-      (?xi)
+      (?x)
       \b
       (
-        pk-lf-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+        pk-lf-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}
       )
       \b
     pattern_requirements:
@@ -57,9 +57,6 @@ rules:
     examples:
       - pk-lf-a1b2c3d4-e5f6-7890-abcd-ef1234567890
       - 'LANGFUSE_PUBLIC_KEY="pk-lf-9f8e7d6c-5b4a-3210-fedc-ba0987654321"'
-    negative_examples:
-      - pk-lf-test
-      - pk-lf-
     references:
       - https://langfuse.com/docs/sdk/typescript
       - https://langfuse.com/docs/get-started
diff --git a/crates/kingfisher-rules/data/rules/posthog.yml b/crates/kingfisher-rules/data/rules/posthog.yml
index 904c202..6f65b0e 100644
--- a/crates/kingfisher-rules/data/rules/posthog.yml
+++ b/crates/kingfisher-rules/data/rules/posthog.yml
@@ -57,6 +57,22 @@ rules:
     examples:
       - "pha_XgrXUnvwyoPLmjwHES5lc8scZUtheBpa1QV1qmssutB"
       - "pha_35kHVLA1E068nvrwUTgabkh8xvGGTpSpsVjGcpVNfis"
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://app.posthog.com/api/users/@me/
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+            Content-Type: "application/json"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+            - type: JsonValid
+    # Revocation not added: I did not find a documented token self-revoke
+    # endpoint for OAuth access tokens in the public PostHog API docs.
     references:
       - https://posthog.com/docs/api
       - https://github.com/PostHog/posthog/blob/e408aac5debe02b39a6a67cfd028f16a2ca7bc90/posthog/models/utils.py#L260-L290
diff --git a/crates/kingfisher-rules/data/rules/proof.yml b/crates/kingfisher-rules/data/rules/proof.yml
index 965926e..6fddb22 100644
--- a/crates/kingfisher-rules/data/rules/proof.yml
+++ b/crates/kingfisher-rules/data/rules/proof.yml
@@ -18,5 +18,32 @@ rules:
       - 'proof_key: prf_test_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
       - 'proof_key: prf_cli_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
       - 'proof_key: prf_cli_test_AbCdEfGhIjKlMnOpQrStUvWxYz123456'
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: >
+            {%- if TOKEN contains "_test_" -%}
+            https://api.fairfax.proof.com/v1/transactions
+            {%- else -%}
+            https://api.proof.com/v1/transactions
+            {%- endif -%}
+          headers:
+            ApiKey: "{{ TOKEN }}"
+            Content-Type: application/json
+            Accept: application/json
+          body: '{}'
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [422]
+            - type: WordMatch
+              words:
+                - signer
+    # Revocation not added: the public Proof docs describe dashboard key
+    # management and secret-scanning guidance, but not a self-revoke API.
     references:
       - https://dev.proof.com/docs/api-keys
+      - https://dev.proof.com/docs/environments
+      - https://dev.proof.com/reference/createtransaction
diff --git a/crates/kingfisher-rules/data/rules/tableau.yml b/crates/kingfisher-rules/data/rules/tableau.yml
index 803bbcf..14b0510 100644
--- a/crates/kingfisher-rules/data/rules/tableau.yml
+++ b/crates/kingfisher-rules/data/rules/tableau.yml
@@ -65,7 +65,11 @@ rules:
       (?xi)
       \b
       (
-        https://[a-z0-9.-]{3,200}
+        https://(?:
+          (?:[a-z0-9-]+\.)?online\.tableau\.com
+          |
+          (?:[a-z0-9-]+\.)*tableau(?:\.[a-z0-9-]+)+
+        )
       )
       (?:
         /api/\d+\.\d+
@@ -79,7 +83,7 @@ rules:
     examples:
       - https://tableau.example.com
       - https://10ax.online.tableau.com
-      - server="https://analytics.example.com"
+      - server="https://analytics.tableau.example.com"
     references:
       - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref_authentication.htm
 
@@ -89,12 +93,11 @@ rules:
       (?xi)
       \b
       (?:
+        tableau[_-]?(?:site|content[_-]?url)
+        |
         tableau
         (?:.|[\n\r]){0,48}?
-      )?
-      (?:
-        site |
-        content[_-]?url
+        (?:site|content[_-]?url)
       )
       (?:.|[\n\r]){0,12}?
       [=:"'\s]
@@ -107,6 +110,6 @@ rules:
     visible: false
     examples:
       - tableau_site=companysite
-      - contentUrl="default"
+      - tableau_content_url="default"
     references:
       - https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref_authentication.htm
diff --git a/crates/kingfisher-scanner/src/validation/raw.rs b/crates/kingfisher-scanner/src/validation/raw.rs
index dc006e6..3436272 100644
--- a/crates/kingfisher-scanner/src/validation/raw.rs
+++ b/crates/kingfisher-scanner/src/validation/raw.rs
@@ -29,6 +29,8 @@ use tokio::{
 use tokio_rustls::TlsConnector;
 use url::Url;
 
+use crate::validation::http_validation::check_url_resolvable;
+
 pub struct RawValidationOutcome {
     pub valid: bool,
     pub status: StatusCode,
@@ -104,7 +106,20 @@ pub async fn validate_raw(
     globals: &Object,
     client: &Client,
     use_lax_tls: bool,
+    allow_internal_ips: bool,
 ) -> Result<RawValidationOutcome> {
+    if let Some(url) = raw_validation_target_url(kind, globals)? {
+        if let Err(e) = check_url_resolvable(&url, allow_internal_ips).await {
+            return Ok(RawValidationOutcome {
+                valid: false,
+                status: StatusCode::PRECONDITION_REQUIRED,
+                body: format!(
+                    "Validation skipped - raw validation target blocked or not resolvable: {e}"
+                ),
+            });
+        }
+    }
+
     match kind {
         "azurebatch" => validate_azure_batch(globals, client).await,
         "ftp" => validate_ftp(globals, use_lax_tls).await,
@@ -120,6 +135,18 @@ pub async fn validate_raw(
     }
 }
 
+fn raw_validation_target_url(kind: &str, globals: &Object) -> Result<Option<Url>> {
+    match kind {
+        "azurebatch" => string_var(globals, "BATCH_URL")
+            .map(|s| Url::parse(&s).context("invalid BATCH_URL"))
+            .transpose(),
+        "ftp" | "ldap" | "rabbitmq" | "redis" => string_var(globals, "TOKEN")
+            .map(|s| Url::parse(&s).context("invalid raw validation URI"))
+            .transpose(),
+        _ => Ok(None),
+    }
+}
+
 fn string_var(globals: &Object, name: &str) -> Option<String> {
     globals.get(name).map(|v| v.to_kstr().to_string()).filter(|s| !s.is_empty())
 }
diff --git a/data/default/rule_cleanup/count_rules.py b/data/default/rule_cleanup/count_rules.py
index 7a54ffe..f9363ac 100644
--- a/data/default/rule_cleanup/count_rules.py
+++ b/data/default/rule_cleanup/count_rules.py
@@ -27,8 +27,8 @@ DEFAULT_RULES_DIR = (
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(
         description=(
-            "Count total rules and detector rules. "
-            "Detector rules are rules that do not "
+            "Count total rules and standalone detector rules. "
+            "Standalone detector rules are rules that do not "
             "declare depends_on_rule."
         )
     )
@@ -41,7 +41,10 @@ def parse_args() -> argparse.Namespace:
     parser.add_argument(
         "--list-validators",
         action="store_true",
-        help="Print the names of detectors with and without a validator",
+        help=(
+            "Print the IDs of standalone detectors with and "
+            "without a validator"
+        ),
     )
     return parser.parse_args()
 
@@ -64,6 +67,14 @@ def iter_rule_entries(path: Path) -> list[dict]:
     return entries
 
 
+def rule_identifier(rule: dict, path: Path, index: int) -> str:
+    if isinstance(rule.get("id"), str) and rule["id"].strip():
+        return rule["id"]
+    if isinstance(rule.get("name"), str) and rule["name"].strip():
+        return rule["name"]
+    return f"{path.stem}#{index}"
+
+
 def main() -> int:
     args = parse_args()
     rules_dir = args.rules_dir.resolve()
@@ -79,8 +90,8 @@ def main() -> int:
 
     total_rules = 0
     dependent_rules = 0
-    with_validator: list[str] = []
-    without_validator: list[str] = []
+    standalone_with_validator: list[str] = []
+    standalone_without_validator: list[str] = []
 
     for path in rule_files:
         try:
@@ -93,27 +104,43 @@ def main() -> int:
         dependent_rules += sum(
             1 for rule in rules if rule.get("depends_on_rule")
         )
-        if any(rule.get("validation") for rule in rules):
-            with_validator.append(path.stem)
-        else:
-            without_validator.append(path.stem)
+        for index, rule in enumerate(rules, start=1):
+            if rule.get("depends_on_rule"):
+                continue
 
-    detector_rules = total_rules - dependent_rules
+            identifier = rule_identifier(rule, path, index)
+            if rule.get("validation"):
+                standalone_with_validator.append(identifier)
+            else:
+                standalone_without_validator.append(identifier)
+
+    standalone_detector_rules = total_rules - dependent_rules
 
     print(f"Rules directory: {rules_dir}")
-    print(f"Detectors: {len(rule_files)}")
-    print(f"Detectors with validator: {len(with_validator)}")
-    print(f"Detectors without validator: {len(without_validator)}")
     print(f"Total rules: {total_rules}")
     print(f"Dependent rules: {dependent_rules}")
-    print(f"Non-dependent rules: {detector_rules}")
+    print(f"Standalone detectors: {standalone_detector_rules}")
+    print(
+        "Standalone detectors with validator: "
+        f"{len(standalone_with_validator)}"
+    )
+    print(
+        "Standalone detectors without validator: "
+        f"{len(standalone_without_validator)}"
+    )
 
     if args.list_validators:
-        print(f"\nWith validator ({len(with_validator)}):")
-        for name in with_validator:
+        print(
+            "\nStandalone detectors with validator "
+            f"({len(standalone_with_validator)}):"
+        )
+        for name in standalone_with_validator:
             print(f"  {name}")
-        print(f"\nWithout validator ({len(without_validator)}):")
-        for name in without_validator:
+        print(
+            "\nStandalone detectors without validator "
+            f"({len(standalone_without_validator)}):"
+        )
+        for name in standalone_without_validator:
             print(f"  {name}")
 
     return 0
diff --git a/docs-site/docs/changelog.md b/docs-site/docs/changelog.md
index 6439801..323e91b 100644
--- a/docs-site/docs/changelog.md
+++ b/docs-site/docs/changelog.md
@@ -7,6 +7,11 @@ description: "Kingfisher release history: new features, rules, bug fixes, and im
 
 All notable changes to this project will be documented in this file.
 
+## [v1.95.0]
+- Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
+- Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
+- Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex. Also tightened newly added helper regex to avoid high-match scan regressions, and made preflight-blocked raw validations report as skipped/not attempted instead of failed.
+
 ## [v1.94.0]
 - Updated vendored `vectorscan-rs` from v0.0.5 (Vectorscan 5.4.11) to v0.0.6 (Vectorscan 5.4.12). The upstream crate now ships pre-extracted sources instead of a tarball+patch, and fixes the `cpu_native` feature flag. Local Windows and musl build patches have been re-applied.
 - Added more built-in rules
diff --git a/src/direct_validate.rs b/src/direct_validate.rs
index 1cea920..9a03bbe 100644
--- a/src/direct_validate.rs
+++ b/src/direct_validate.rs
@@ -857,6 +857,7 @@ pub async fn run_direct_validation(
                     &globals,
                     &client,
                     use_lax_tls,
+                    global_args.allow_internal_ips,
                 )
                 .await
                 {
diff --git a/src/reporter.rs b/src/reporter.rs
index d1a5a24..9233cc7 100644
--- a/src/reporter.rs
+++ b/src/reporter.rs
@@ -942,7 +942,11 @@ impl DetailsReporter {
 
         let validation_status = if rm.validation_success {
             "Active Credential".to_string()
-        } else if rm.validation_response_status == StatusCode::CONTINUE.as_u16() {
+        } else if matches!(
+            rm.validation_response_status,
+            status if status == StatusCode::CONTINUE.as_u16()
+                || status == StatusCode::PRECONDITION_REQUIRED.as_u16()
+        ) {
             "Not Attempted".to_string()
         } else {
             "Inactive Credential".to_string()
@@ -1975,7 +1979,7 @@ mod tests {
 
         let (report_match, _) = sample_report_match(
             "(skip list entry) AWS validation not attempted for account 111122223333.",
-            StatusCode::CONTINUE.as_u16(),
+            StatusCode::PRECONDITION_REQUIRED.as_u16(),
             false,
         );
         let scan_args = sample_scan_args();
diff --git a/src/validation.rs b/src/validation.rs
index 3e90b07..5cdf823 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -1311,7 +1311,7 @@ async fn timed_validate_single_match<'a>(
                     "(skip list entry) AWS validation not attempted for account {}.",
                     account_id
                 ));
-                m.validation_response_status = StatusCode::CONTINUE;
+                m.validation_response_status = StatusCode::PRECONDITION_REQUIRED;
                 cache.insert(
                     cache_key,
                     CachedResponse {
@@ -1488,6 +1488,7 @@ async fn timed_validate_single_match<'a>(
                 &globals,
                 client,
                 clients.should_use_lax(rule_syntax.tls_mode),
+                clients.allow_internal_ips,
             )
             .await
             {

From 0cb854872bb66bdec03c37a75829e0c61605768b Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Tue, 7 Apr 2026 23:20:17 -0700
Subject: [PATCH 07/17] Replaced tree-sitter with a lighter parser-based
 context verifier built from handwritten lexers plus tl/cssparser, preserving
 context-dependent matching while cutting about 19 MB from the release binary.

---
 AGENTS.md                                     |    2 +-
 CHANGELOG.md                                  |    1 +
 Cargo.lock                                    |  249 +---
 Cargo.toml                                    |   21 +-
 README.md                                     |    8 +-
 crates/kingfisher-rules/data/rules/adobe.yml  |    4 +-
 crates/kingfisher-scanner/src/scanner.rs      |    2 +-
 .../assets/images/binary-size-comparison.png  |  Bin 0 -> 35660 bytes
 docs-site/docs/changelog.md                   |    1 +
 docs-site/docs/features/parsing.md            |   51 +-
 docs-site/docs/reference/architecture.md      |    8 +-
 docs-site/docs/reference/comparison.md        |   90 +-
 docs/ARCHITECTURE.md                          |    8 +-
 docs/COMPARISON.md                            |   89 +-
 docs/CONTEXT_VERIFICATION.md                  |   49 +
 docs/PARSING.md                               |   50 +-
 docs/TREE_SITTER.md                           |  100 --
 docs/binary-size-comparison.png               |  Bin 0 -> 35660 bytes
 src/cli/commands/scan.rs                      |    2 +-
 src/matcher/mod.rs                            |  131 +-
 src/parser.rs                                 |  494 ++-----
 src/parser/css.rs                             |  173 +++
 src/parser/html.rs                            |   67 +
 src/parser/lexer.rs                           | 1276 +++++++++++++++++
 src/parser/queries.rs                         | 1105 --------------
 src/scanner/processing.rs                     |    4 +-
 testdata/css_vulnerable.css                   |    8 +
 testdata/parsers/comment_only_context.py      |    2 +
 tests/int_base64.rs                           |    6 +-
 tests/int_context_verification.rs             |   83 ++
 30 files changed, 2056 insertions(+), 2028 deletions(-)
 create mode 100644 docs-site/docs/assets/images/binary-size-comparison.png
 create mode 100644 docs/CONTEXT_VERIFICATION.md
 delete mode 100644 docs/TREE_SITTER.md
 create mode 100644 docs/binary-size-comparison.png
 create mode 100644 src/parser/css.rs
 create mode 100644 src/parser/html.rs
 create mode 100644 src/parser/lexer.rs
 delete mode 100644 src/parser/queries.rs
 create mode 100644 testdata/css_vulnerable.css
 create mode 100644 testdata/parsers/comment_only_context.py
 create mode 100644 tests/int_context_verification.rs

diff --git a/AGENTS.md b/AGENTS.md
index 917c3f7..4d39dbc 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -24,7 +24,7 @@ Key capabilities:
 - `src/cli/commands/`: CLI command implementations
 - `src/matcher/`: pattern matching engine
 - `src/scanner/`: core scanning logic
-- `src/parser/`: language-aware parsing (`tree-sitter`)
+- `src/parser/`: language-aware context verification (lightweight lexers, `tl` for HTML, `cssparser` for CSS)
 - `src/reporter/`: TOON/JSON/SARIF/HTML report generation
 - `src/access_map/`: access mapping analysis
 - `crates/kingfisher-core/`: shared types and core logic
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ee1dde..94ec62d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
 
 ## [v1.95.0]
 - Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
+- Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus `tl`/`cssparser`, preserving context-dependent matching while cutting about 19 MB from the release binary.
 - Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
 - Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex. Also tightened newly added helper regex to avoid high-match scan regressions, and made preflight-blocked raw validations report as skipped/not attempted instead of failed.
 
diff --git a/Cargo.lock b/Cargo.lock
index 36fd53a..a8b5e17 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1994,6 +1994,17 @@ dependencies = [
  "hybrid-array",
 ]
 
+[[package]]
+name = "cssparser"
+version = "0.37.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c9cdaae01d5ed7882b04d795e7f752f46ff52d2fa3b50a20d28c464510bba98"
+dependencies = [
+ "dtoa-short",
+ "itoa",
+ "smallvec",
+]
+
 [[package]]
 name = "ctutils"
 version = "0.4.0"
@@ -2418,6 +2429,21 @@ dependencies = [
  "litrs",
 ]
 
+[[package]]
+name = "dtoa"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c3cf4824e2d5f025c7b531afcb2325364084a16806f6d47fbc1f5fbd9960590"
+
+[[package]]
+name = "dtoa-short"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd1511a7b6a56299bd043a9c167a6d2bfb37bf84a6dfceaba651168adfb43c87"
+dependencies = [
+ "dtoa",
+]
+
 [[package]]
 name = "dunce"
 version = "1.0.5"
@@ -5097,6 +5123,7 @@ dependencies = [
  "crc32fast",
  "crossbeam-channel",
  "crossbeam-skiplist",
+ "cssparser",
  "dashmap",
  "ed25519-dalek",
  "fixedbitset",
@@ -5168,7 +5195,6 @@ dependencies = [
  "sha1 0.11.0",
  "sha2 0.11.0",
  "smallvec",
- "streaming-iterator",
  "strum 0.28.0",
  "strum_macros 0.28.0",
  "sysinfo",
@@ -5181,6 +5207,7 @@ dependencies = [
  "thread_local",
  "tikv-jemallocator",
  "time",
+ "tl",
  "tokei",
  "tokio",
  "tokio-postgres",
@@ -5190,24 +5217,6 @@ dependencies = [
  "tracing",
  "tracing-core",
  "tracing-subscriber",
- "tree-sitter",
- "tree-sitter-bash",
- "tree-sitter-c",
- "tree-sitter-c-sharp",
- "tree-sitter-cpp",
- "tree-sitter-css",
- "tree-sitter-go",
- "tree-sitter-html",
- "tree-sitter-java",
- "tree-sitter-javascript",
- "tree-sitter-php",
- "tree-sitter-python",
- "tree-sitter-regex",
- "tree-sitter-ruby",
- "tree-sitter-rust",
- "tree-sitter-toml-ng",
- "tree-sitter-typescript",
- "tree-sitter-yaml",
  "tree_magic_mini",
  "url",
  "uuid",
@@ -8249,12 +8258,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 
-[[package]]
-name = "streaming-iterator"
-version = "0.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b2231b7c3057d5e4ad0156fb3dc807d900806020c5ffa3ee6ff2c8c76fb8520"
-
 [[package]]
 name = "stringprep"
 version = "0.1.5"
@@ -8724,6 +8727,12 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
+[[package]]
+name = "tl"
+version = "0.7.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b130bd8a58c163224b44e217b4239ca7b927d82bf6cc2fea1fc561d15056e3f7"
+
 [[package]]
 name = "tls_codec"
 version = "0.4.2"
@@ -9150,196 +9159,6 @@ dependencies = [
  "tracing-log",
 ]
 
-[[package]]
-name = "tree-sitter"
-version = "0.26.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
-dependencies = [
- "cc",
- "regex",
- "regex-syntax",
- "serde_json",
- "streaming-iterator",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-bash"
-version = "0.25.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5ec769279cc91b561d3df0d8a5deb26b0ad40d183127f409494d6d8fc53062"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-c"
-version = "0.24.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a3aad8f0129083a59fe8596157552d2bb7148c492d44c21558d68ca1c722707"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-c-sharp"
-version = "0.23.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67f06accca7b45351758663b8215089e643d53bd9a660ce0349314263737fcb0"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-cpp"
-version = "0.23.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df2196ea9d47b4ab4a31b9297eaa5a5d19a0b121dceb9f118f6790ad0ab94743"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-css"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5cbc5e18f29a2c6d6435891f42569525cf95435a3e01c2f1947abcde178686f"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-go"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8560a4d2f835cc0d4d2c2e03cbd0dde2f6114b43bc491164238d333e28b16ea"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-html"
-version = "0.23.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "261b708e5d92061ede329babaaa427b819329a9d427a1d710abb0f67bbef63ee"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-java"
-version = "0.23.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0aa6cbcdc8c679b214e616fd3300da67da0e492e066df01bcf5a5921a71e90d6"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-javascript"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68204f2abc0627a90bdf06e605f5c470aa26fdcb2081ea553a04bdad756693f5"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-language"
-version = "0.1.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "009994f150cc0cd50ff54917d5bc8bffe8cad10ca10d81c34da2ec421ae61782"
-
-[[package]]
-name = "tree-sitter-php"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d8c17c3ab69052c5eeaa7ff5cd972dd1bc25d1b97ee779fec391ad3b5df5592"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-python"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bf85fd39652e740bf60f46f4cda9492c3a9ad75880575bf14960f775cb74a1c"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-regex"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd8a59be9f0ac131fd8f062eaaba14882b2fa5a6a7882a20134cb1d60df2e625"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-ruby"
-version = "0.23.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be0484ea4ef6bb9c575b4fdabde7e31340a8d2dbc7d52b321ac83da703249f95"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-rust"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "439e577dbe07423ec2582ac62c7531120dbfccfa6e5f92406f93dd271a120e45"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-toml-ng"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9adc2c898ae49730e857d75be403da3f92bb81d8e37a2f918a08dd10de5ebb1"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-typescript"
-version = "0.23.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5f76ed8d947a75cc446d5fccd8b602ebf0cde64ccf2ffa434d873d7a575eff"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
-[[package]]
-name = "tree-sitter-yaml"
-version = "0.7.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53c223db85f05e34794f065454843b0668ebc15d240ada63e2b5939f43ce7c97"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
 [[package]]
 name = "tree_magic_mini"
 version = "3.2.2"
diff --git a/Cargo.toml b/Cargo.toml
index 3bc7011..a9cbb83 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -168,28 +168,11 @@ reqwest-middleware = "0.5.1"
 reqwest-middleware-octorust = { package = "reqwest-middleware", version = "0.4.2" }
 tracing-subscriber = {version = "0.3.22", features = ["env-filter"] }
 tracing-core = "0.1.35"
-tree-sitter = "0.26.5"
 aws-smithy-http-client = "1.1.10"
 aws-smithy-runtime-api = "1.11.4"
 aws-smithy-types = "1.4.4"
-tree-sitter-bash = "0.25.1"
-tree-sitter-c = "0.24.1"
-tree-sitter-c-sharp = "0.23.1"
-tree-sitter-cpp = "0.23.4"
-tree-sitter-css = "0.25.0"
-tree-sitter-go = "0.25.0"
-tree-sitter-html = "0.23.2"
-tree-sitter-java = "0.23.5"
-tree-sitter-javascript = "0.25.0"
-tree-sitter-php = "0.24.2"
-tree-sitter-python = "0.25.0"
-tree-sitter-ruby = "0.23.1"
-tree-sitter-rust = "0.24.0"
-tree-sitter-toml-ng = "0.7.0"
-tree-sitter-typescript = "0.23.2"
-tree-sitter-yaml = "0.7.2"
-streaming-iterator = "0.1.9"
-tree-sitter-regex = "0.25.0"
+cssparser = { version = "0.37.0", default-features = false }
+tl = "0.7.8"
 tree_magic_mini = "3.2"
 content_inspector = "0.2.4"
 rustc-hash = "2.1.1"
diff --git a/README.md b/README.md
index 5e1aad6..c89ea8f 100644
--- a/README.md
+++ b/README.md
@@ -401,7 +401,7 @@ kingfisher scan /path/to/code
 kingfisher scan ~/src/myrepo --no-validate
 
 # Turbo mode: run as fast as possible by disabling Git commit metadata, Base64 decoding,
-# MIME sniffing, language detection, and tree-sitter parsing
+# MIME sniffing, language detection, and parser-based context verification
 # (findings omit commit context, Base64-only matches, MIME type, and language metadata)
 kingfisher scan ~/src/myrepo --turbo
 
@@ -510,7 +510,7 @@ cat /path/to/file.py | kingfisher scan -
 kingfisher scan /some/file --max-file-size 500
 
 # Turbo mode: equivalent to --commit-metadata=false --no-base64 and disables MIME sniffing,
-# language detection/tree-sitter parsing for maximum speed
+# language detection/parser-based context verification for maximum speed
 # No Git commit metadata (author, date, hash), Base64 decoding, MIME, or language metadata in findings
 kingfisher scan /path/to/repo --turbo
 
@@ -725,7 +725,7 @@ kingfisher scan /tmp/repo --branch feature-1 \
 | [FINGERPRINT.md](docs/FINGERPRINT.md) | Understanding finding fingerprints and deduplication |
 | [COMPARISON.md](docs/COMPARISON.md) | Benchmark results and performance comparisons |
 | [PARSING.md](docs/PARSING.md) | Language-aware parsing details |
-| [TREE_SITTER.md](docs/TREE_SITTER.md) | Tree-sitter scanning flow, verification gates, and fallback behavior |
+| [CONTEXT_VERIFICATION.md](docs/CONTEXT_VERIFICATION.md) | Context-verification flow, gates, and parser backends |
 
 # Library Usage
 
@@ -751,7 +751,7 @@ Since then it has evolved far beyond that starting point, introducing live valid
 - **Live validation** of detected secrets directly within rules  
 - **Hundreds of new built-in rules** and an expanded YAML rule schema  
 - **Baseline management** to suppress known findings over time  
-- **Tree-sitter parsing** layered on Hyperscan for language-aware detection  
+- **Parser-based context verification** layered on Hyperscan for language-aware detection  
 - **More scan targets** (GitLab, Bitbucket, Gitea, Jira, Confluence, Slack, Microsoft Teams, S3, GCS, Docker, Hugging Face, etc.)  
 - **Compressed Files**, **SQLite database**, and **Python bytecode (.pyc)** scanning support
 - **New storage model** (in-memory + Bloom filter, replacing SQLite)  
diff --git a/crates/kingfisher-rules/data/rules/adobe.yml b/crates/kingfisher-rules/data/rules/adobe.yml
index 63a2062..5983e12 100644
--- a/crates/kingfisher-rules/data/rules/adobe.yml
+++ b/crates/kingfisher-rules/data/rules/adobe.yml
@@ -70,7 +70,7 @@ rules:
     examples:
       - |
           {
-            "client_credentials": {
+            "adobe_client_credentials": {
             "client_id": "a65b0146769d433a835f36660881db50",
             "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
           },
@@ -119,7 +119,7 @@ rules:
     examples:
       - |
           {
-            "client_credentials": {
+            "adobe_client_credentials": {
             "client_id": "a65b0146769d433a835f36660881db50",
             "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
           },
diff --git a/crates/kingfisher-scanner/src/scanner.rs b/crates/kingfisher-scanner/src/scanner.rs
index dc8ef6c..55dff65 100644
--- a/crates/kingfisher-scanner/src/scanner.rs
+++ b/crates/kingfisher-scanner/src/scanner.rs
@@ -26,7 +26,7 @@ pub struct ScannerConfig {
     /// Override the minimum entropy threshold for all rules.
     pub min_entropy_override: Option<f32>,
 
-    /// Language hint for tree-sitter parsing (e.g., "python", "javascript").
+    /// Language hint for parser-based context verification (e.g., "python", "javascript").
     pub language_hint: Option<String>,
 
     /// Whether to redact secrets in findings.
diff --git a/docs-site/docs/assets/images/binary-size-comparison.png b/docs-site/docs/assets/images/binary-size-comparison.png
new file mode 100644
index 0000000000000000000000000000000000000000..1353d6d42e90249c6c7479f853d1f0efbc2c8fb0
GIT binary patch
literal 35660
zcmdSBbyU>t`!0$iph$>d(5Q4O-6192Ag$6ZEg(aTA}FPF_s}4n17gq&DKMmTGxPvM
zoM-s{&R*w_z4lsrt$ohkXV!XOS;Xh_^nKmeb=^;xrn(|AAr&DG4i2%>3ps5ZoEua)
zIM-j^#0TH$P5pQs{3Gfi|I$Op#oELBwVM@=+G~%ujxHXKc5fKGtlZq~T%7s1pFQOk
z=47z-@ObMk%EROI-+qJJ#m$DN&DawGo^tE$3qyAtoCkNY|6Q}m7y|G5T(2Z2qx&v(
zYx>rd>LKQGH;SnemDhRqE0aq0M`g@o2V0#-SrIP^@5Cv`D^EPpp0JI%bBpPb3cCv9
zBc-DkM<-G<8K}!%RBuE76uNh6WyZX}!(wXN5RockgP7WHKzN#Fm}F_PT7vh3&-G}r
z(2xK5@{a9){tbGZbM5M@8zIuTS6|#D3c~gs2j|Yi>%>=IFg(SM3HV6Ay2*d_Mc|MB
z_V<qluD*kFT{iQ7*Mp>)_s7fwl58^kN2?u?L%N09e<*m&rWSh=`eV6_M@LGH$2>Mh
z`&5(pyJ$q*7?-W+gx~%Mr<a<kwi|9w^<6K7z4-drE6J)m_SxSeJ-(H6zp{p{+R5Gm
zt(;z=+4mMCw4$-F@@Ha`wN5FN&)$4!INR${`$%|CHRw8?>R`6~R*U%M*?u1`srW0&
z%QJWPgVn*r1QE}5-53soGR6d$S_;hGbfq_Gp~+<B8;b@V#!O@>R%g>);$T45`ebjZ
zi@QoYPnoP|0CjUF!5m^I>b>n~KUU_X9LxGTQfyloqtoFH#V79d95b~^_g!b>bDH3<
zav0;DwYqT*=?*_a&ALcos!I{V3q<boVJs8<Ek8fro<uL}8JJq(lhUQmW2h)QQ112v
znKGMq8LDny!{PlHaCt7|(Jz7i5Gi$W94(oy)2Lf!B6841K%ZMbm8X&rqAs>oofyAn
z(sFr$@$l(G_6=mo%F2JH2(zPhnXKi4SzYY+OJ(V(i~RAXd|>wOb<wEz(I(Or&g0P)
z$6-*QlE9rM`-$X)yXwuK&t&K^)J;Srt=MzWJs%T{<M{X2Ej@&%=dnrH2{{<i(fFtw
z$9`|$%YGQ9rcf^U<}8&;_$|XEVdvtWwMQl{&Z}PffV0=h0uI)Yv)ztFp^nqT4K>Ws
zmKtgXzD4OFl_KcGn_%jdgsiY2ND(2n>xJ>b7TP0jzejdI9)R?!mV1IpfqASA9fgYw
zMOD5!5UF_8c3seqx7KCWd7{?IVHuG|J?3Rp=S(|!59j)Gu$Fmc>|MUx=lXVoGM3J_
zPhf0ZI!GIJ@8vu6w09q9$m4BvFJFHmxw>%M!PcZuS0w=nO(J7wrmlnkEgpliRJFR%
zguM*NX;*KGP!!L^Eh<6Bm){s<XPSM~iuFrXW0=)c3$^olXW)K)-Eka!o5-rZ&-Xaq
z7;T@O?DzHXv^oyOT))Yl<r+-rI}6|WdE2@to{J3axBKUT)2Z9V*~yc#F^kJ{^z04_
ztVHE}f&L3-)x>DffNw?A&h>4nUK4h;G_U&8C9DtE|5}4pYP~!E$BSMer=MKNKhn~Z
zo!nujxxwYBLf&0=`eHM9BUi>T2G!aJmQG)965rNtSZ|?qU$W9n@u?U-Lrl+VEFn(k
z8r{2pL5y};c!U%;)iNX{y8PqHAd^mYObr3sQw_2l`X!<Ds0xdY=S<46q4l#OE2-oH
zOQw*ElNC)cQL<n=sK$&X)1F^oP+1F+V%%@UGT!fXWi9n2DEfyV{SCq;_-4A@1|^Uc
zupha}gWVNt+M;s?>pR05QYWzF%j1QpLSM-5e5;;#vPp9*(G($<NZ-rWi&GB%_s2Vl
z$|aSz{UIlC1A3puuLT+Y>>5K}jsJpg5Bd9FV`zFjfWx3O5ZHzJGeG&<6E!nU0@+*X
zr!UgXdcJxz=|Wm+T*v)J`n;Xm<pV+t)vQ_Z=Ff95wuFC+4f;oW6sdc+ChK?(X8cee
zPmi{!8#gO^HUrBXk(EaxBTwc&kgI?1X+pJNzR^DQO*mOEE)OY#A59Dt=BHD!8&%t~
znzy{qa$D;D2-d;Fb?`{r<=!N+C}fL&lc_n%Az<#~gKWwE!5l?dVk-U@dx;z6t&;PQ
z^=tp&QKOGa&-Z$GvJ%XEyGD02{Ev`X?0Q8Xl;b%myHkY9X&>7Ccn{X+2Zac#dlL=r
zHX};~_+w2MR1Z<Jty27!op+juKR@81(<*O*oS!mAH5`r_Z#l)VXw=qh89i8$*xRh?
zS0IwCbwu861bbapuUNkZh4<In-2d=zmSL5(yr~9UvAO@`uYq}<ubBO-MNSP=4x0|l
z@@1xsasqeSV$1CZ+^PkN(4#PK!wK(oo%u~;S}DT%G}m^@EHIao=jrhsZf>YFyI~ko
zrX@ZFdjcjO(4l88!K_9!p6Qnw$xj(<<U?-n7J!%k=3O5vr&o@MozZ}Fyi!iEt=XTb
zD{tQWJWVnI5yh_wI7lk%@AaPbAA{89wS&WT)9bJ-Cb*$uz>lo~t$2BHE~}Qze=F_X
zeArPUr%C<yt+?Sb)24yr-Gvz9c?G}z4R@mqk@cLMtt^H-$)14Yxlf@T0SAMMSt>m6
z5eV}dBtHY<TVUP_$(nBR?wB5v&R{wv@-q8$6m)&uVXQ2o@d9kc+Y;z0_bg-QhCg%}
zr!-?L<&gxm#izZxQD4CFpYW$ec@4~7ho?`}IDEoP*&4FJ@0a&WU5b0`_X&NnA1$#P
zQwi`sfJ<-W`;XN)j17S4c5XG6+n)`%{Ma5&X)&ANn>Nuup*~?osIb<6UH1i18qWUt
z>S^{;DydH8=hNVH9VpT(&gLfVECNxvvpNXh|MdX<yH=hmQJq$BxMBW0ZD_YW)z0Mm
zWoGa7P-DNz4+S5?=g&@h`Z}2Q2dtVCmFX~5@2a$&b8UL=*Qc0iGkVDJ>u())n#&|5
ztBx?V<f(R*W!E=NqsEQ0rZ+RSAVA*gOMLdrTLc14^`7zRfV4#(F(F*O7x1J(3>gqh
z*<ZLTC!N3%=cP%tC6O7FNAIuXJ!@bdYXx?HR)hP>g#Y262j+~JKchU*A8Aa_YzG)-
z$KuU`@ZtCUU!$!D&%l8egh%DkjIna6uX5$bc~NX3Vw9Ps7)94I`65Gt>PLOK3wZtr
z-|`G|IoOY+e|j)8V+<M@;3yJgVu4>LCj7DbQe&;cb7PeF{B)x{ORjJ&Z`LM!7Q?K6
z$_d$NBiO1{w>v+)NRtX^LAjmH?1Pi|bED}2WY9}TM}>GhM<O481agg|)xz&b;I%Hu
z{dJK;pQU`T5uUXYP}mxf&%dmLUZ-bC^U(gbv2cr@wKHddXVlXpIMmD>a*}s0mNc|*
zcyb1241?csHj2*rL|1w3qiv7QKeYg8;N}Nu+(1=o+Z{2!rIuBqk3w<dsJ(HEs66|(
z^Cly0;-frugWNMR39|`hDb9^-f41_fnjq%y0eB#9iE6=F3s<k^$@iXe{UqU#bAXm3
zU@s)*7dHQXhR8i3cFXQtjW)@Al!yMxO)KW5S|J8UNcs@Sh(g!l8Hn-qp61#8_0494
zDzhR+Er|hP;c?%%tup*3|Eho1iW2}g-!L`K(-YoFVfa*UlAPoX>Fhi?F;26#D4`Vr
zHru%tvyR-^Bt+dTM68Q9mWiy~7Aip;e$bG`hoCCS)s0_x5hV>p9CYlz!@~$Vj^9!K
zz-!dpGrXdeeQ?n_7eYO66hMnM4><Q!MV-V-rcg9*j}+>B?ni=kkr?U3g3H<P<@#qx
z70DlR+W~o`RFl`%XFD-DF~s~We)02zVb{_O^Gum*Q7^A6Z-2RnY_Ht1IC-xVs1U@&
z(3DBZ7^u4OuMN6<w%;!VFk2OPYW~*Sas``6@W#JpBLh2SP1}|3x&2`MHiKi1tjFi@
zuR&knHQaBU<`KgP3ABm(a+1x2wLg<ee09%|yRG^mc8Q;%X9MOiq?EkB0f6{L!TIv(
z`!uRBiJc#~O7Z@CT`VcsBS4T=C;y$mC1y1z>dm?vok~pcbv(jEa7Z)S5uHrBv?kr=
zX&$(c^4^}RU0a}bY5uynYp-1JB}XpoZtbq+SedEQ{?8E*hk_eGu<8XN!@jOGK45j=
z(d2tI%!~bOu@T|7s{>ifHDhKft_}9%urbeR&#|O0+>M<yVqU%5#k^MCj2KC6i*^vV
zhDSiWl0<{!?#cE7zuU;^j6Zt1R%@#B>ytik9Q{HMo;nyy?*1m9+i0FNmpoaFDcHz{
zrPwQY12{1`wyD@haoBPfKKjg}ef&^~hg#6_d&G;FoCSrAdmiMidrLi&7AL>SHTYdx
zPOQHf;+la8-3J|qbyaM3*xh+q=WOaetR{rC4r{%<@T+$%9@RsU=g(zF9)g20`QjX-
z$hiU~l?**Ljd=NYQNYZ1HUPi_rLs!^C!KO$m@a~yQ<s5TH{)BJmc*=)F3wDLdL|6!
z-`@o@_ldq2#0*;3v`9Ym$|tHYueBkjdC3VL0RQ3B=Drz)WI32Btqii$-YD<(P}>fR
zUm?V5*#`~(oSqjr0c@y<5k0&Z@~`Ha$`G2+ICUIb@o@8)74=*n@1K667?}u;!AZ(c
zn$xCybWCkbx=sKo=mdt5_)X31q2!2bbSj7llgp*x|3ZfwV|B!4e@FhFry7w?mnmdB
z8-23>TZHr+SZRu^nE&%-azPo@+AoRe<ut5he2)bwJ<SJ0D$Ae~f^37Xu)`tDVX8Z#
zB7pqh%s!Z=I7;e5cpe?2F4{E(!EC_*R+vMBbfg#?>TDn<O9_lovo#J0YXezOiI8b3
z0ej2xvD&}0kzhYgUQD~%nwx-Ms@-)_&T#QXO?gc^EjRBY_@pk+s+<-#&EhX00pJ<S
zpE=4xPdssxj1&|_aTtsgpzB4`gXaL2Bhj3JW!_@@y?ilKHUK)4p$94FW4p;`d^buN
zd$f%5Qr6LM^q_-QQT1$+ecCfucOi^B_xk>w+h{|VmFyM@XX83&HMbCvyf4~~F~xf7
zN^XY@kt*B`jPoKr2|O8#l7k2s`?N4sYt;}0Mb_$+&;KqiML2eC4&D!90!;-?sfzgI
zsJ|96JfWLoN<z$|UA$o|{yrr!n`!LHoIgFm*TKvsuv9Y0Itscqo6-B}TO{i*BaddZ
zmKEG=DB&5`lry|-Zf+r~Sh|uN^0Zi<XFP&rh=j#IVLXKxRavWj<9!l0R1p44?cDRt
zn#JzUFH)9<jPA&Jz3;Euq<Ix-x|8?0QDBRGsgJ5u9O3xo*ZRQx{j)#lX2h!|DTkUe
z2uAZ<acbmtn;*T)efesO$rP<T3j|M&bY9r*`?3vqp(OdXRRK$I!mO8O?aS(KF)#V3
zn)@YO=YJRU4BLcy`xTOgo3G`etK<VL;AkCESnTK+$^{dnA(^x&86|mYJ93C$nLI^F
zyNVNN>x<r|b!Aq!;edM_RqEuclZ~x81|@jgORf;@f;eu|ue)CI4biyao7ONWZ}YdA
z-znA4s2fBnCXpQUsIg1ZWBJdFJ|zfsA%{`U@3du0K0f)C!;~-8_D35%Hxd(ytI9=x
z#j~a{jZ$)_ZH**Rs<Gv7W%;i;8l$|1DFx86p@X&)jSl5-!Lq|$zo=t)LUpSr^K=#w
zC5rMn3iHCI@N88zb;ei}TELf*3>i={6r4H#3n284*FaJ|fPE>w3d4Eqm?eOhi9H&+
zNd^pGe2SEB-K0umBR+i@sbDkf+0NS#9_Y8-z%uV`CBDiDUjTc%#-?oA!%K9~!i<tH
zxqDQs)Rw<{b-;BMvHBvSFGXn5ktpqv*Dyta(9AoF-<~=!)v#mJB*oLIkrp@eGf5uL
z5OFhzjt?w0jXa_<DfZcle#IO4VGv<LH>&B+5EB|{q5^+bG~?s^P7PZ7na<UA=^QG~
zBKC7EeqrjQJ5mvqegO6wC`pdhsPS7>R(8eu=k_bYS!yCY!|VBeypd>6?U%5s&kZ?>
zm;?uwOI3iN^VGwy0u0@qn$`-+n2oQBbQP1ce$5VquY|139YLmyJRDwW@D?+Fzx#&`
z(sIp^GLIaGm&>KQSX<z{McAkHEoQnO!(<GVA~uRsrX<ZXXdDiP<KE26Nq6gJb0rRj
z$8u9|1orn}@LqJsb2;e59Oh|QF;OjUe9>~lCCy9TP>ENTn$L^%^{4#e{VK<4<6>w_
z5yNR#(V}>!UE<m5k2(4nfNp`=7Q#s-4x-gE;z34^JXkMpy_g^wq5+w6CEJ*9f9Q2x
z&_wxTuefiy)e=L&GqUWnZ&z<u&+t(_ZDP}F0_dF$M%2;GcH*k@gFzy4$@U=qEkVYa
z?VW%LyL@?~O5OP^5Bt{2u=WV*Ns0qGw&Sd!C`td*ahXQtuPx_Cla^9K)e#35%4#@T
z2Q<E>?B%Y0Ab$4IdQXwLrd_w*j(xuZUwq)PpEI)ejx9PXC~tDK)L8BD+0X_xzwJM2
z4{cw6PAi(QvxwnYa{rKgkJguxE;(^ukMV??W#T*N1E%7+d{l00`-L-|Hf-m~G<TEG
z%)Z}`fQL$6>e&|ziTGQyz1*4(fnY#DF5*;@Sw&XaDBh^|IAbyRnV(sRhLiWKP)Emo
z9mHW6cFUNiKqcX|V&uf2OOnHRRJz2G^R$V=QJ$-gH3_^o=d;pr%+^<;@A^~jZlM0v
ziGQ*$^%PXbHT!#?$EdoK<RyUkYkmRKJZ41!dZvz#&Euyg1xKs&D|Y;%7*Eai(w{{f
z{n55LoAU57#Z~3`yC^yZr;iPCUCT>I4$u4-V!xX9C0If93uM+G&D2o7-UQ9&%Y{JK
z4}{}&_94T5a{dxi6tRPp0kk%RH|l+=9JI;r4DG9@izD%A1vIq-pG;twzorv76V{u0
z{?#Lco64OlP`upV!@LjgINF+AfP|alC}y~ay+z|HukBCsJiOPlp;6rGIw*%}-t#jB
zY?j9HC7~wA4vj{%%o}*X<BScn(-JDceYw2VXSs3EqK9MJCMc0n=l#_?fFtu?f?dq&
zh5F(?ap(F~E^>Bplf{jmN5Eq*ooiTHQ>`bKxpdjQ@mL_*L+1%+dF&7i+{5dS!|A~q
z8%Z!o;o=unQd=Gte%0r!2D@K{ZCttZNJT3OT_cREfqKA{7ta183ucX|)ywIWV;rJ*
zHi~}n7{!!^+!On?hMw6G^IKA1^GtXxO#E-^L4IM9_s;5+B*-md;t%8{L#q(Go0G9a
zGf>g^1w$4o_K$B9kTjC-#|5i&f5@oGO|PxkBNFfPcaCo8BijKqdDywTIpCn#4fh@>
z%Y0J}gF!l^#jA-ImMp*4v*j=vh3UA(hAl2}Jy7CycpN{Lp&zi29aeh*8EdMlnW9wR
z?w7QxT=n0ku>mB;3tM=wy;rfDO57G(W~MeL-uuIbH7-8g0acV~eqr(K#i(Dq9X|E%
z{~A2jG@R&#`c@NR59Z%~`fdPnc5y43zl!~~#+~u9(W6l9!I79B8JCqVl=LrGQ~#nJ
zjL2VWFQ=`r<)2TD?ch&*>SiQajs0I`FItcLYUTqgeJKxI{l#fpbDWI*8?+NVT*5-v
z8>(>ABy=V!%yLp@aAzvXU8ov<pGtNSHG3j<a}{ikEJSKNN(wAm#D2;47k(o|agq!o
zzO_HMu@XpBu?utq$K#|U6H1i%`8Bmev$y$qU#>HQ^jx{JBgA@k@JD~v7MY5YjD7HH
zLiPr!n0v3ZGKa-vL+IoDgl&GGcefv$lx@usbNfaGD5?3V8tocuxc1+lD=@0DA6ZbX
zg0ZeHp8MsvrH8}N4c+cjOrpM0tow>6(iL}ADXFs^S!1J>P1MQ$iXx{<`R+FrZl$|{
z1Di6=qIA=fw|`tlgU#EqE2guoRyTsfp2q_tyz{R011q@<E{V5kYl={W(OUn^gf$B-
z(zG09<}HBOgFG9dq(;U1W)l$zZ0qQh*c#pyHC{uT48m%@*i5e9Zb0`GBscrC4p>=1
zBF<CSc&E=FHscETKa$)isZ!O?g5Xr-dfNQ45V=X{T#t)GrRhiAn^)`jTxZR`NbOL@
zHNUoF=*6?I3x@oEv+ymQ*|P@t10ck9(+9`}n5Y+OB;1VsnwI+?IbV)~jG)<-!b<Mg
zU2-m!=Qd>mHMwR9VyyGD;zfh`=<(5&e3;ph8xKd-01i@&I5+tPJCwa)j|b(YgM&=5
z%lcQ*M4;xYv!LZ-e(RI^O+bY6c6ropw|^l-_!Lr>3%P5y$+;Lt`Fj607QD51!xB&i
zu4hAHeuwK;8%uwmDyz}`4dsd7?k_Udql7k@NKZE&(yV)wS23PuXY=$c=Zqrn_#1la
zK)Le7n);~<JAzsY*cW63#*{ZkeA$>rP~rb9q9m+!4B^#gguJWSnIWQ18!BJzRpYuc
z+wF>44@XUl<HsiB#P0h}Z>ul((z26k?Z}&}|E*TXjosA!R3r^umi0#W4mjw>f2P7K
z3QBMJ;79%GXm#+(d{5(0OiYT8tc~^IL)6izpC%y3X*)LtMeCu2gUK?Vt?4_tJKXH;
z7|JdFN-TW9_?Ho}wuU5x5#85&ob@B*6p{)!Gq1o>oG;q{^n90y?Ug{#n}=`{Bj88|
zWil6#fPMQ1l|{*}zzcqa;#X`36<Hf;Cc`CXDGG)Jhx}Ci1!MJ=i0+d+nG`zm;PJw(
z=uT5<r6A2tHwyZ#X#EJSS0RKr9OIb`ktx0!?`#M)|5?rb{OC1VTxOn!+wJjIXTLqu
z*Y$=PlFgUc{&}$@IdLjnhGTk}``555;N2>BP@-iANEkZkqGe5@T#}noDWl=k7`C99
z7ud}@I4izoLwniS=XYJ2QiuevAcUCu{$R08o}p2^b(NM~tn%Ljy1l&=&l^83FK%9!
z4jDe%nmNgZpDj0xrB0b8n@{>l^*L;%qniPn$%c?J2P6{3%66n+xmUHypU?Ml5F4f-
z*G^1WXaVQVlXWjH-2%<$Jv2hjCah!td8)Z0efF1${}yOH={lTf-Q84_l7TDIOqf?}
zwt^pgB)rf0aQ{dGvsopJL8GD^CQsplv_gesPA%w{+#hd0P_OKNGi^P=!nSpJAQ^Ar
zk7BghTkO&rn;TT5C(hHavhKS(VUQ;3xo2vojACi+Uy9|P*%I~I9RDziM4jI$2ADD=
zncwa%+8y8lp*JEOk+ipKTxKQ9tboA7!*7E~{V=;<L9+mv)E&$7a7^Gb7KHV$;N8A2
z$GMT0V5Yq5D*xp^v0jlbTi0Qj^QTy|FKB-+kUsyZ$pGR?J(fiKM$-x)Vx)rz7zj06
zf9PrNHC{et7Mw+4<(v^DajUgCiPc@!IKlhu?gL1QR_lO@q2`&}_c_1YV48KFDdZrK
zqI?B*_&I}y)9+Yo4!~P0DQ|`i7%B@ShAS8nD`SpQ1UWf|k!o=nzj<p4lh@Zu+_Bn`
zejd6Qaoqqk&6u{Q@NbDB-z+SRz3|0BqTBG1dZ9@hrn#F)vp*rc_gG6%RlIPC-S9=<
zNSQCUnp6QB<vA=k{BU1;QX^w)UE)rU*O+V8W(EVV!BBAb_BI?nV;RL_)yJmNj;UXS
zG3il`{|+O^O_F#lv07!2#5&{l*k7Mjc2F#>fZpmx5n53>Pg+`CVeLjBjgnm!IBB7!
zrGGOuJc~{%b7Rf@pN(cRq_6#pH7c|_0y@Jhf>h-^J=*-CCB2YL3bnjf_6&C;T3&KQ
z=)vz(NDn-)5^x_G@l^h0z#z*+YUC~8G7|XLMU-Etk2OpCHkS(9Pj&|&0YTF~t5^}A
z{><Z<w}0pZl#LXiwB<H#o2jkx@947yCP&##AO2BeqF5&^JFtvPuoRkTW&f&GRFAK(
z>^jymoZu~>F)TRf*W(fr)eAQ1!OVz*rcdPhb{y~47W}Je<kHB%D_u1cxZ19VBi^%{
zI=3S6g{XSjpBADMl`C|8GZ$1d2nZWlozAA*`)ihrAxwH}Y7zE&);Zs3h!+n|3V2CN
zt7eQ(-w$MJY?NRMn>lK#xeg4Aw3C%$n34TI{(N~bxuQ2qk~hLpV`fDm%B=Uxyxa`V
z*fV$@t6e_gi>GvGHe^#IDSJ=&?@H6C0aTZ`9hxljs8k$m7D0xRRsmnqHBZ*3IjwAj
zcQFDLBN(G=p&aGSL-CK-P@jD-R#C~ytOt;>k#30E=ix8GcA_(Sf;mI?<Ng)!D+H`m
zYaDp1V~jf9tRT{!bTdy?)9U)>wJxn!WJ6w@8kg<SpA(NBX<ZWb8Ih^HqU`K)V=H}>
zV*mtg1~E;B{*<+>s(C_%>ud7ocvHl*@-ju$>G%(DXkyiYo_pi>B!xyFIl0~Mn>f<?
zU{wI^H#qilxi*8Edx3WTN=AU>yjP!5bR5PN2PgXGl}>zXXyp4K)lwl$tYNtT2glOj
zKTlFsyU`Iv?~;Od9VdGDN;SS2Xe~N$5a0cFK=omA7A{U;YN#R0m540;s`LMrrT@pW
za&E(YE~D|=*gs;x^rQ@O1a7)aH+oXSu{u6ZpvQBC|DS5v45lB(v1S435aIWWH;w7m
z*m)+Y*B&K2gL$`h^Z|JY`49V3(XJSlD4*r9YmP3t9M_3o2odrEA~2kb1pE*O`4D87
z*w6pzx;?gy|2-!`%oAMV{gr+p0~6PeY+BhLy3)kzfT)}Rs7j4Dji#4lc-X(h$#u_c
zqm1qFI{~7>uw$BjxtSAp!{S{&i*_QN@2_Osw;NWHK{A>GRK!0XegpW#RF>xMKws8r
zF0b+j>RSx+2G-qyBW=GVVD|#oqZ~>=nvC7kml>X;hRgvMXG+`dKyA)Pibl{$Owa(+
z0M=gc9!N!k7LU>=uj~%e_;^&yeJKfxqE;M0K}TK$%>NF9fmbq1l$taQUFh0<Fu(IC
z@4tT8L&TZ!9B4eq44|OCSoOlb9w%D<I&rtxTOnhtXyAkj{>G#-u>m=rBk+TlsgxN6
zm7$L$R>vzWep>*dk^;g#&6782aR`X8$;vO4Rz1n@Pxg=*fWH?2Ivl^96A)ryK>Z-=
zpN6SX1G#CI5mOJ?)E<8OkxmMB-A?BX>=9#~BaC?huflG292`Rf7$JW>F|Ftb$v3@j
z%^G_>F<bQrESs5527+fzYX(r0kGxHR!yuf(MWYKaxvJpM0ivUc1)yjh1IkUCYPXbj
z0kt`?)V$kH&0H#eIHDuSkd1tHFa;VT00f+xw&dH~^*@NH1$)u1aNk4Tx+%9WCqM~S
z1H!ag9J`*Qrd-dE#nq^G-VX}7hKrvF2)Mzs!!h$K{d#}74+a$JTRbT6o?4r=4ImTl
zHgV@DL@4hb#fo1XFIaDmR|raH^#%jhc9PSyab$C<VYnH%HI5{KW};Y6AQx?oNVOX?
zKob1=L|Qkg8iadJ!)qA|*O+bb?=vv>zqeZtl+8ro06{Ev#dL&I^0k8nK!4;4xJ?1T
z!`Ar|T@4uW@xWWmR$U69+xe!VwWRb&qA9n=D}GtOvc-?kkUAf+z9Y<k3`DP{wZWWE
zA|9*JwBs19w~zDeq;h-!>#@}j1izUn@WeSM7*237-k6zR>8+2?t#|&lkwp!Qei>Cm
zK18_NiaAIC{{7*P(W_BeWV93Akh3qad9MEqxJ#-6E+Ot%#sF}^$20jrI$cKEWJF9D
zJZGY2i?e+X8mLr;0s6%+iH86Wn9X*u9cS(lPit%#g6&b|GTXAV=iIa<INRa5HuR@A
zLrMzid9@)JRBljZ6OZ%d0MEtXg-OMmk9I@3VJLqR8sS#~MdEEy%7WQ=k7yu<#DLT;
z-ulC^ervAd)+=D;_&w9Ao+f&f?<+zB23)Jo6U_5BQ+n)}A^QRG&<7^;wO`#@Hteh$
z;WY)QWow{7KI2k}(o3rCuGb?echySbwd!TdPkqDJ78ghBG?mrSf^|OtZwb}`;kBvV
z;AZ8H%|T;ISW@3Ue_pP^V)|D~!)ih5{2+$Q&mg{$_m>JV&ZtYBdrUHz8y=lXm;pMw
zD(3b(_&!2xIfU9dG&ygk+`N@>Y@?=$h2<f?ZL|;A)BXury&h>lMg>Iy{jn9c5Kd)a
zGa(JNmhNQtLd`e@toN0xxTUV~K`XscW|*qCb3X-j+M=9?k93cq?g6wW*&Auvx61+T
zdZV!n+hJa*L$`fu)(%+~*?UBqvl4NxO>2wA+<?(ZBNji7ODIPA1Fd?iOAGzd9+-fR
z_J&k=k^l|dX#$u+*YcF~CY%2BmO2p&QR1Dyn&!w2nYh?iARx2^;X4%@nE5dM?J;=z
zLguk4g&d`bTP{}4%CY{w(n&{Lk%~mOyr!kn%x589l$T(tR%bH}Uc7-zA*^Zmfqr_~
zk$mL>A-eHw8#>l^OBvf%X>n(u=A=aYqrF@W_fv+W6{6^zQl^_a*r;0T>FaFz>BJUh
z0Z`V4TX_5&MKKoRZxRyS5C{SOi}b$Col{^T=mj*+T_aefxVreRoZoJGi2=?6kla2e
z>t)1OT4uH(1Cwdn`hjs~$kRXd+sBN63uLa4nqna=s!O8P-5-d$Te?}<8QqqeBM!i^
z(h{YUdk5Pxgf@W3?pV2t?1{p7+b(cf-5Fb$_1)mw-)=&M1Yo^3X;~U=*Gx(1#BDp=
z)}MGItrFzL_3O}U!z}ZnX>peTuJi&2fFrq|cgQcG+moX=ILw;sx%4y*L*2FYdkmPN
z)`T8li<@Th5wsl7e^Dyak!IFfN%KxmbJBbOk0+HpX2@PNoAd>Q6*JtbOBxD`rpTLk
zS4i3h_HlaIM$U@~a7?(QaIwoXNw8JspHhbj=KSI77q<u~!tZ7)A6TFga(28dKV_5}
zEF%EjiuM<9nVD)v&-lT-Q8Qk>nwio;iS)%)ml|O7j=dvdz-U^hoO7hKWnB<DO;kSv
zmZLB4n$r#1@H?0iOx`qlZP^p_Q}u*X39vuLyc#Vrbj`5kHm)u4S<U*S3Xa6bl{g-7
zZ<wTaD_riLM_j!|;?p*K0UFV@;xPu_h+RhqsjZ0`72d8uUcMpYcp`q=S3LIY*%OqX
zyb`Ir3I<>MYA1ICF3gscy>yZ#<NY^AxHZtytdDo*ywaes>c=aYy5HNBo(*Y8tbn{?
zD@9*G-C5mIyG9Hv3m*GgiP*wEgB<Ke%hg_}EC-gdWT1~TJ=V-5a=@cdmpIf-G4%hd
zXMl7a#F`JpA;9)P*6Ls_g~~h!a6F>k8HDJdlBUY*bimBR*lz%i5?wBINfm<7CZ1#C
zhs2TgEIztcxw<VcrO7oP<g9JEb)1y810=S{$~-mK!OO!Cr-95M+MNJ!gxA_B`VLd?
zffZ9rs{&@)X*gnpU(TfnE4S$u>2^&4KisXc8Aio5h0j#%^@GI*Jec>N5p0k1S7IN@
zh9m;1m37{g@N>bf&y~^?uQ`F6=h&4{a`oAKto79fa$D}t0MW=gr5=PoC!Ie)9-P#^
zk+<idaKp;Pp_TxpO72Xx;bW)&agmOk<M8RgxZ(q=_YO2mTuuYRJ!>ur1ttw{NC+en
zE5!+|W<m%HvzFKvewk90SH=N{OwvI-6E5){2$z#>@R@hX%<{zCvA#JsjR5Q&_V+(n
z9#qHL9kzmUJ?I2ZH4oI+cz`{kZa9hcoRy2USO!UpNC5+5<&}1TnQCy)8P#LMeeU9n
zC+D?2Wj9)8>Tp?pkj7C~|8u4zZ63gV9GpSNsrqNjhUi$Ct+bD?fjxk%6{E(p21j5L
zU#`iO`pU1)r)mBJJHNKd#dbNI!DD@d&E$C&emvoif`pGc3R!ECdX;y1A`bbthvh8>
z=p=kUxD0o_v+|QmNqcIn=2FOq8Eo`o_D(SXZnmwnEQot3`|%wo5%=X@C9ejy>GYw~
zLi6BZzDM_y3G@<P<{nHXoBx&QurG0LSi0}G3n&5Ycdb`ruME!Tw8chX37nLv;Vl5^
z2K}>#qtY)ep4!kXq$z0-Z=G8k?WA{+CQ~gqi04+A-eEEO@_@%#<As9)alYkG(>FtK
zKlBg2t~iN30IO0!JWV`^x8kFUK1#KYuE19ZNNCA#keUX(P5LOG{HGa^bxUX;P;lt?
zBJR2Z>z2aQcKW?GzoY5$C@8v7PKBD{_du7)VXe-s=3qMZmA6#Vk<>zn`1Ru7k8gT6
zcC+v=gz$-F!nSnTl<f2C4y=7yS97#|oh}a)G9P^!)@7f8Mfst(Yv6PvwEBZhAS<>U
zKgB|TPEp|cT1y#>o<gxhy<^#QnCAu6?AG$Wxd@>w=JP6Xxnv_)?j5`p(lBX$=PEob
zRs+0L8M$Bcs+}eU=a{3n*SKm-brsys562Xz6#49IlY0*2u&)ft74lmf%5!?s>3g`2
zgsQ@+DQI<s#$V1J08ifz99U|Z`pmHhS77)`nvqsB)3upd0X&%O0+~?j=ISg2!!_@X
zve1@2KOCt-sI`S;PAv`ZJgZS-nC34Veu+@K7J7i-Wf_S6#pbUV!5-I;31e(z{hrAg
zf@-~-Q5eHcBg1|6FFQwiZ<TLkpF>X9@)dgvR*seu%oWbcU=cInjwp+}Yft7hlRkK#
z2lwLJ0@Chxm<gUzY}_5j))|Q1V8>&T8&q!f#pNv%h<{lHnaa!_cM5e%l4~q~Z_;94
zP{~c44IgF$Fl5Yewq=?mkVQS!*19*5?CbOZ&_s7o${24U^O0U(tl7-Jgi3yWv(<0l
z{h<7VB(MPF#WSc>MERbr&O05Khi^|hH}xG^zU>#Ru<oN0yBz|7>9xzXyg%s$juJ-{
zfhkywHo>_=w@|8-fLc;VbMAX&{0Ch{`}Ac<%>wH&^E&cvT7ieqTL7GL8@3xaezua*
zOHSdFrxsER;N@Ju!>+P}V9#2P-j?}pZSzpjF>wtrV8@MswE86|APzt!yk3PH>-s})
z49BL}zc2rCoy=alaN~^k0lPt&Bi|3G2QaHns%T=0ur|fZ2|<Vi7w{s!23}jMA@cv&
zyrmQIOTd8`(J0UV1j<c9JT%R&Ut)_(M)i+9MkY1<Mjf#2PGklffbrhqyn{<XQqA}L
z7*8zrFq1hVx$m(+wb`IDTlFRYF06BgTtiUne=nTP*{EeHAFW0F$5GCp$*!S!E4Y#t
zn<}J`u?uJQ;!k@4bjmVmoE30+0RyVFpoL5xsd24iMc+DyUXf)_tAI*6%tQ4zaIrX{
zK7p9h9v@LWB`tFYkD@z)$Aw^p%ec1Mkang$F3A)yX`6!jl+DW8BYyppd`~162~Rvf
z2bR)m_aTPzRQdqaumg1B>kT{LY39d-7)+}?USlyrgpxh!1y(=%(Q<Pa(s+POk^y!_
zHt6U{k>8d-0s))G`2(-l=1Xd_@D7mTIel;jVb&UZhALB(MrkLMH7rwMsC2~i!iBZk
zRZ{A1D>7pDXs$#Aj{*thZ<s>k<D5sIS<>JA1mR+8u|H!r)niBr23{iQuZZhrYUZ~k
zVC+qy@#{ATjDHli1f3=<2@Zf8uvQBWc+-i%HsENtmIQfC;$wB5=AGx?oQrowS5n=7
zx{uno7?(!b`;J&00_BrGM=`3FO=HH#`6^8a4KZZN))dka;2KmV>J}f+jlz0(aNiPl
z-t)jlC$$oOwQk^ZaDWm4qhtk}Xm|X}2Ddz7TWkzfP2&9{el%{u#tksJ_Yi<E!>}Vp
zWf=+q{lVt%MQKKrmSJiB&x7!}jLWsw1h-E)uv-h~n{4JI!oNhOZ`<$$_kV1K^C6yE
zw1-z*8brSW9v0^NfJYVpC&_oHpBn9&2fk<g$@~|diOb@W#|=KF@@>}yOtkdn?d?Ni
zm3FZ(806~X&c%`7ARhll2=~G>n4-11>e~yFppYB34BI<i>JioeGajuN+N4=gC%!9W
zd7kzB<L2H->!W0>ZwsG`pZ4?h8--s@qHcM9_B6{^mb_|cC?0r#unevzQ>hu;S2YUj
z6FWC7GifM5yE+e>6bw=+70KjuGtmW{xyFp9+SvnoJ8`-HigD<qv&E-;(ifj;NI8O2
z3G%0-Mt}`|i|5;e4E7hFgxtbZt?!}z?4-cQFEBGLL)ov7<yDQeTSLH{PF#Xzcw%>I
zf^9|MCNw;RLL4|qYXgFOAF(b-4{H`3yq>7Gt9@-*0vy7&0Y$snr*!WMY32c2P;)uf
zOKL{=wxCWH7}6b~?bRN~JFndVKApHUcl~qEi_Y+>Z*OEWAK?*l^E*$CUnw5RDtNS5
z9)S;Xc1)2X*jNMDi+FJw@pl6z0q2KaN4Gv%SFZvC`bZ1uscBvDCn&5&)d4gr%COq@
zYv0dzAfp&QJGpu^k{~FAqS|2$ab)@O`>UW6tXV5sM&=X9V8={62Iajbx?kGXh5?}b
z0~-~&i-CQq7MTqZ1f&B#Ip~-LYJ=;`>TGLk+8Z4mbF8(2nQKji!ernSwD40c8{^e$
zDjpBq$p<V)BJj#i#d4cY;L`&C2t1J<xI|Wxf$KX7;P{En5D;+s1WiD;p98<ZI<L|0
z8vcbFV1#{iS|R?!RW=$i@%%N*KZ0<#s^iI7)cHZ)>6$Egm54H69t}j}SkaigoBKEi
z3)|Jihw|b>F3-J<6|(SSEIJ}<k_fRz_SF>zpfA)JlH2zd@RHy?0?P6YS(%&X+m`ab
zRhTIKPY){KtTPad({QuT{)hN0!m$&X==oSiF_I?iILT<T&P51hd#3dn(6JVO%qCMZ
zSOFbosdoGey8x=C07Nu?K@PUbGl0~h{3x$R;3g&Ut$|k%P{4C^$!>Qu`1C2OZB`*8
zut3~tF|)b{YI)ZGtYu}EfOeD^l*Ga_6=HlhvE>5J@WWAQGg9nB7;GL7{IdW&5SC7;
zZEkY_k=?7iL&EQ9TpM5Di^uRtLL;^q#+$ImrS)8JUbN4|6$M96xDocTlO1r9Ca3Fc
z4CgAvFxL5Fxvpr}&GBb^Zi_F5ffOU1L5+Py^uDI(oCSyp*1#ltl-)u=$XehXbovOy
znLjg%V`|_Oq2M+Vp0B_jJyPf0G$78tCOE*7Nzed8xNi-X6JgUUilsevVE)X&7Cl!I
zGe#^l^$H^eJeC89(5x>R*hnsZw(~2f?7>y9{6Mc3u%5Pl@%?ZvSxsoWfWv4ah)9Wd
znUu%bxc;(MfT|NESeB|1sIce-v9b@4A1;vdLxV~3EFdt$!0WN;mf(1FI>o;`YNcy^
z)o+Wz4@ArEUA=*$=bpB!WON7!_f`RB6U}K{!&jY^bX!3<VbAnsg~n{f|F@`R>CCGm
z4#!dwh_l$we~%mepR2Ok!>?my@bTGOd`*sh_F5?FU+2w+=U^4drc;V2lp589&scI8
zlyt7@VSnzH`U{vK7xvsDDc3#?-OBx9;%EcD%^-WnQrh>)|NcTR(3bxNgYrL9!^ZGm
zo#v(I{Xe<{?*IFd`CnEh_&+_wYmY6TJKE(Y$tsdoc!FgcsQTDNp&Z98#DqCP1hZwm
z+*$F263*Ufy|;{TxbJl=o@0RBvOg{rGq0^F$b>w}%5ikPvGI_a0(`eq6?ks0K0*Iu
z$?58M{?99kjIO#)47hXN2Dc?%z<M`z5n*YtQ#8t@NWat`xV3G@ut4XiRtAcXoIT_d
z0E&oB!Z1ib0!Ob_bfDvX+ks4xJegxG-Gc&kL3Dfo^u|yE+P+U5*u<@YWC8;W1k81z
z9R@0hDB(s|V_{j}%p7y`<8v6GDXm8ew3tC*#`0F(tl*fbcN)AD<QU69&k*XM^)^u`
zhaus9b*4givcL&w>^^E}BR^%<=wYV=_w~eFiB*BA%sMxyK(1kprM9poFrYTeMe_I`
z?r^sJmz^zO6W~qy13-E&5W)Ixv7~}hHwJ({>fl$6i6*ytmpKP4?#saYDu8O<k7RrK
zJrgS!^;#vETJshI8+ZQ&C!pCB%C9s+oFw%SK`1tf;)>FY&axfMwg%*0i%f`ZAA^|J
z=ELoi@4#a)T<2o$zFwF=Q4$J<GNoy|v1fClhGTsn$h;HPF0(Tr1#ia}!4_*Ogg<=E
zcRv+!7w{Jq=)dkwDSXc3-`g&>O;RyTV?=vjcv_wU1FI0o2eP?vv9cCdRsG3w%9c}C
zTwL>BH%Be$hf!>~4Ga+Z*1(t1<vfc;L0HKNTg56^I?`Y3G?@%CgVUK=xP&*zXnYS=
zUt=>p`r?(Vpu{k2&5xC-O#HTLtk*{hy?&Gic>&sv+-Nji!mqbsCEY>4%*4)qq~JA_
z7?d&z@W2ngod8m-HyH2s<}0My`Mt9GdBS~=luvAa0E0b|DVHJXziH7t^5nT1{h<lg
zO-^iGufhUK72`KW*)`vS=^el1(A3OVrxo-2NTpn~@(Uo!t<z(z_6}ngxD_rpp(?BN
z-dcXf#J_gnir?CNFry8SUE_xoJND>ohHj83_kE&=*j6cE^C4i>wV7SP7TVeY?#@)m
z>4E8p&{f|8Rg(rY+x)>gaEz9LlkmS%=kH|TX*tej(=CWLtaDByzFuNf)6HpI+lx)J
zj#g4!S}0vF&oSr}Y&~SzC&b7lAa}fely&r{iVXLHIuNYnG5@R^KM}ClPWo#X(+!M5
z8y|QXvAO%@<<HwZiB~$3Vdd|#;_DB(p90Py4P{Y7NBFZhO>7LG@W5BlWyTR9b@?7M
z4oVl9eR>z7q@1Bd`DtFs{;BCM0CrgenQR%57`14v0ofo*sq&W7qQ1ssuuXb_Ok{~g
z=hUlLE0{qCpDNvNTVx;9*&(F^@qdaoWl#a?KoCqui^Kv7NN;?-K<T9Ce)JYVV)Q2R
z6ku#*Wds=1PcBVB7;rlI4VY9l&DckoGA-$fOEk%i!=+j|3d^t*=RN<D(FM?bp$8^!
zWsXIy<icr0hAzz8sD$FgiGc2BZNj?Ib}k$z?*Zx}<K+q*<uPqhl@DT1uvL&do(H-A
z+484!#OuY;CZr!<n))ookwM>dfD%uO0Ct@=H8_KuAu$AZ6_8cq+F_Xm9x^>T_|M(o
z56@VI=T!ICU_^v?<owgH;M*j4bg>m#;RL|D>w3y1?9bFp;iwgLCFbK)%4N#fjNH4S
zX&zi$*4X_Xl%y0Ir7Pb!V?Cd}W&19_AQmt+r;_Sz*jkIEOjc+Xz;m^QIl+%@(tTik
zwa4Jd(IKjShvBI&-29C>1=Yfe7@dg6Dg1WxeuIsjK+&3OnzFq{2s{uWI$#$&K2`5i
z{~J1LhbY2HuZ+~4SX4}s#`=c2G#Y_$=oF|!Y;<@GXoN|k?AO0SkeP4n*)}%fjh&wX
z>Y$NLJ2$kCe@Np{Rcm1s_=#DnP4ZutqUXm_+OyU^ozsz*%9PK_XB4xG4BHG~nIU~F
z%CF2PTHDFz=|K>Y6Y>_^nlCY|`nKgBO><}ys;~Ws>R*!xu6wDX+s4COZ22VTwZj<A
z3_Mdg+*rU6B!Ygnr-Gu{XRWoi<r<VEKmoq*7iLw2c$ZGzxlX~jlj0-a5qbJ`HCv&Q
zibx8i@?_{FaUZu42zxiD_MPVs;+WVnwLs55jB53n0EshZ(bwOrkRXD4T_Q)DH6NvH
zza~&zST^eg>I9!N5C?i98$FAi+KcZB#M!cq1N}2_lj)Z-3%?4q`zFZW4E^zFQ>%9E
zN`WADl+Vkat+ZV$w;G;K^|a_(Zn8*G{s+X}b;p8>^5sOCgO6{`CeyrU>~Qa}nFgk+
z8eU)bnZL2sd@T%^(MA6_GFi#JD{R{YvT_V#3j6(a>IGun)%{=7D(w;}eONLi_^Io>
zTorJ%Gmb@J2~`WG=S&veoWp;NBVp3{yg-%|2Y?{j)5<mqKabrZo<IOPf|NeQ4;3VT
z9-UelY8ynH=IP$eF%-=EV4}{&#m4((%lig3woyY}wO>g_$?e({130hV`+c|lY>;MX
z!1h7XkAGb6M}JD!qEM)T=5w8WcFm$|_1%p8Pr|)@jqoT0-bE#h_NnFJ8yVnP3OP^N
z=GS`;+t}XWpWa>_%z09#^He*DBuqOX30wYS#^2MwGxzI>v%xD_B=%~BPBUKq0fs!~
zI9_b&V4+@dd|KKZFtt8wJ=;@Bmdrn86t2=>E%=wm|GIT!IM}{9?c1$1JT<N~`M*iB
zc`o_2XuN3JX;9t;1F3OsM;I?2BM>G8kH<iG55@RO5sZ*3oKrKaC0qLOuexSax}06V
zryiy&-i*YhDk;t?Nd;;6(L-+)rv)P`JrRmCaS-^Az10qZ9dLpXt@7bIKj05D`mEje
zd$K`urAOoEg760uY!7WUhxyV@8i7>S2WBqWy5Acx$|;2R*vG9cll6zD>(z+I53F9o
z$%C^wBY@w2TF}@%fn)XdIj}MGft=HtK-~Url9963RYB&yt#o!(&dl8~Vrs#0zAq4g
zf70r?y&+giu}hV6#zLFeGUw2A0LLifwX-_I6S|ot4vwEmh6)*m*!qupIB+2{3zW5-
zuJ8Oa@1va_zE+$cz5vR&`3v*<n?YHZoJoHF8_<4Bo+OY$5=Gy09H5j<LmGUSS?jcu
zv02t7D9xZUVa>?|8{8{|z)E*@o?l*v*y|4TVIE@!V3Uq+!%wwWPey{^?kfnvI|Ho&
zmjzWezpsitY@7hJa2am&bVw1%UJ(PX;9ez`G|T=L`_bEtEl*g6pJiKUc6{ni&?TAM
z?#s4Nu)1F%>U&VY<@8nz9O?6B<sdXGsPYs`l6ALe7AEm#riSz2$^P}wuCmDuNp8i~
zU(L;?Y2R`gkg0Ob4N;b&^Id&p{CsY}Cd(WbtKM2VB{2^$Q0;K!`~w#$)IeY1Q8$}U
zL5J#HEvnw_zL}IUgAyI`cV<Yn`T$zJkAVLD9d+{~hlBVR8aMH%VwJMS3UEIA^0J14
zO9F0#yCtd_r?+%uZL}04sH_NBMQ;~+Y-8^+Xi<Rc=Y?_%%&WTJT9ivxlYx^0?TAu~
zJM$WxN(PZ8CREnTEMPsdM`J%zQ29xYw^{cnH;E;+@@8qq=vbG!cA(sn7NPPDnLdlO
z&D)3Rpi(d`t?wt2oA4VmFEqru{Vl9cceoGKHHWz9XwX^NFn&A4qWfMhgU~{P_x-Bt
zocYS^9`_ODlVWf3FR0z#&+aY1SY=Hi3F=Pah%$8RdEhFgjwBp}Iq3>QEAjY$M1Dk^
zarkv6i6}sA@HhdeaJZW#c_-OS2MY1N^II)Q8IKiIJkQm~OMqGdYz<>bfPo;?I)0#6
zYCU1WlBeKPgidAFR&HjV5Nl>;A#W}XD66e*`}mTzNjYd5;0uwmL!gOBFDDf8Qt{sI
z+bUy#4yE7X#X$~(HSffCgCB1R0Ht26WKH*iBS)H25Ab)N?L@X2px7HjZV^y|(RaIP
zCCb(b?&iR)@>tV0c6;hFBd!C^gtyYwpaxwF$`ocPQ18blEQ25C#CU2nHEir#^$WO$
z-#}^D%>gu$KKf>H<(ERI(L;c<76z1~pb^HE-@SOPUxvO1^(spcVk^%3%ZkZL{2Dv3
zNCh*Fy)0$Qt%qxl0a{6ft>K)!e53{B=<+n@VF~gNzLW*|;mR#jO9a`yUl<C)RjQ2M
z6@K`YWcoy4*qHrYu|o9&QxC0UFFfDa2J9qlGIiinjl9KHs@2jp0g8JWD-7C9^KYef
zGhyjJo6k7W?k0d9CTlH@QsK9EERbYTKTJB!Slw*KUk=kA4L+@_XS+GC547vhSp(qZ
z3eIFus&k&!Zsr!?|Mgo(Ln6*npU&k6mJ2d8HjBYt5z$F<mw)&V_GXa&+CsZGAW?A=
zEk|hE&v^e<Ut8%qw8h~~rebF{AX%ba<S1@aVY&?rz5*`Iy9&pm0;0MWzeW(5|I)v<
zWg+RO+VIY|@Bi)<Cc!iKi<aSA64tT7mpIQgH)e<{XSKjWP^4@mG5>1MKF|$#eFboG
zpTtr20wk%<;RgyUKdIn>+C=(Ehu2sO4;qcAe*5poHDi*@yBwcjsi~6wjUu3i)xwBC
zKtuOdkh!dUpRg84fUvPFRQvPpLdRq{$FzYz<&>^I8O5Q6X8C7umjvQso15uYur--B
zb7)Fs_dzl?xcM)RgBtSG$qe}igN7bzuM5MOrNC1nj!pTL>Y+s0YtQ0tEh$#%{~q4d
z>|>47`^U|b_{<_C4WZpfaqrG9VPir#?1-ov-1XrCeX1Va?jptk4c~l*oy3pe!89C3
zE;x7$vF8H-mV|Dc!;+_(yvyOoT6Z3s*-M`Qs*&-Q<~t}6RVo@aD>X;?Xb2j7yHO5n
zL}KoG3>qjs3i52}$gFR-;#h16l@2M80L?pH6qVrTp^DFBpyr3RTK8oXu;)?Q8-pYq
z_LTwM6ksH&#r5io&eA6Clg#S<gw-7^?{$xA{^|wwk;t+-Wlesr0=_&}Fb|bcCXZSX
zCendGob5n!xkP@5taKtPXl~d`WU71LrjO<7d2hk=cCtifu|ARE97WPec{7_ik5Mio
zS}$?hrB6hZZ~B+*LcU<{$+30^_tX%3`=E0aTzxMVxx4aMSXMxowgwJmnDcbwkz*lM
zm0ddK-Fi3Z9S+W0z<e$Mdo>@{!zOczy)y;t$N-m|*ccm|f;v+%t~7|juZA#kmSh0;
zyYU&a3xPe3O}``&<rK!Rqw{vYvWJ@wxY?>UvU_pyWP#7Yg2#vlPXYUMoX~qg`1I@B
zWujZa=ReT{;GOn#n5n=lA$tM-SyjIzANGEZF^A-)crN2Bx8nA0ayxf2!1;Ni#Xr@8
zZs1X3Q$nnNq{yJ$x!l0u94MYC0Ig1p1`C0+<@?H&yl?3et1f5vP{@5*bswb36V_JA
z#*zX+cxBoD^Wd`h5j~%^s&FTR{pQhfipxa!4FQNTply{%u}(N_xzD?_R0e1@s5ue`
zweUxm;C>?I1nhYY;t}Z$s-d7t{9NE@z}6tExHX+VVI7w77ZE_c_tgYD{rT1HG%Qd9
zu)jC^vDOekHstk)Uj2Ec<aOe;S0Hbila}QNH^bCPtpIDqp=7so{c^H{WBDg=F+$fx
z3&8y!M(x^y@s3tNUW4*$8r5UEw~e_nutneX<<Es;Yp^q}ZivYMcO3n?P%ZQLnX<J5
z?siE8-oo(=`}K!WfI%M50JQ;OzVy?zkaORCu)crSIAXgYjgVK671fkgVj1|CK$}TN
zf_Mc1gtwBj0qzTdFq0blxU_rE(OR-yAYDuW4E|&~A-n4f#-41D!)u`yrk3meW3D^~
zasvravM5LdJvPS&5t4H+o4iW7puzwIoMSCuN_0}rQ^M}RsyQi10z5O-ly}*)j=_yI
zeMvUycKL-K$wKYQQD1@0Qy#8?^-A;u#KBW$b(I#oaf8va{Q2S5GML2Lq}!hBBNcoa
zwlD%bQVK_KX8;s#4pgW&X4XI@?IqU`e|;(CceGj0OA79NdWX>=ev~8fZs*mp54OiR
zSaHlF8%Yb6mNh6qcJiYyV1ahi@%t}>u~Y+wp{;XJf=WH+mS)I_rD{N(dR-#DLAG32
z=v_i7gcHL5Y6f520*~?dd5a|xYuO^gkK+bP%`dFtFjAz~Q}VI`m`vCzLgShau#C+!
zsWL#pAFTi&Np&cRsE+@CJVo^%b|V5}=I9a#zTq1c+YnL&MN)+@P(e5Q0q#4QDQk~Q
zcKzvZe$@f(=b4YlHRFE)qU7ot1)J#54p3C=6abXl;aCm>?&S`)OxG#b4&)}`q4$n2
zP`I`<`W&+$;8Hg5`5i1R8wiXgZ@|?JmLM5#V60<v{|A_xoBiB#y~{fQUL^qr45U+g
ziGYThY-^na?dt>gggGXCOo5<AOH;Vu(H(StoL%nr>}sV^+`t*>g}suiqsOUk`hL2Z
z4!`FzxJYa3|EliGqp9xyeMN>uAq^-r5E_&*WQtVgDN`9Lwt0w@c}z4IGNf%DH(N4o
zp@ft&&*L^0l9`H4w7Kuketv7+b=N)ju5;Eo>z;M}^E}VuVSk6u=ktEQruQ~Vi~8C}
z`Ky!4o}yl~BAFVA5=7BIqj+BNWJ`b!KK0wHURx`T=4^2W9BF>E3Q{+Emy6+OyzkWn
zkx@gVjGV*v(rTtTf~SSwO=p~l>=ps$$<~WBZ%ac5SuMpop1@u~Okn~Pp{(`^@^Uxc
zc{6H~YD4B?S2qG87ePM`sSM&-!+>*DNPdD&;@|^8B=Z0c>3GLiC1d(gCTi=V#cDIf
zAR}?d!5$F#Gy-fg2HK#`vvaX}n&%Bo-Q$=Q^z)56*Y2Vi2J%~%Z<jVJVBrqU)5jSj
zmTd}_oET{OL?3sQ#sNHb9?55t{oFv)CP9_)eblX8wz~G8{y#eA6gy)`bQOJ+YSW9T
ziOm<1S1xTEN>lGV>RfOU(|E?b=sdh)0qQ~A|EFj=DvB8aF5vgk|K?=7NoFS<1xDwx
zVb5@>F9w%5-xs1AYsu-ObmbibHp+P5n_HPgS6zB$sCxCqKLhXJn+p62GdsI3pN)BX
zCR|J@3azGwi~kY6;=c@)|1bMR|6zC^-6X1=|No{DqL2TdXYT$Z5B>kqEmnBPP@Mc}
z50BJG%Dxrl_`P*{zd~D7^P%p_v56_bJNQpF|I3%cQAHsaqA(0%ydwe)F2Ep{T|jrn
z@(#ro^#A%6{g=JY@QWU8I|Dt>Z&+{>2cZaeo$ElNF(OxnJRh01<TqzQZQlG3pGq~U
zKosdH0!@e;0GWwU&?P`p&r3+YYeOmtbQ&TJ{M4tt@?!LRxu1D@LK#&O5AiZNGhUSA
zJ*xM+II#hGVs$|5TEMt*8_wMWZ6cr+E%^iNb}P_1l>9&tN@)NG<nZAeYP=%P0Q-T5
zP(M6`+eLqu+nCNIS%YyBSuMKBh%|#n;<{y`!Y4S!G(cD1x-!!ZYFVVl0uEgwv-a*}
z1FNY2md|g1!3TIhf%f}j;3LqQ5!D&c|4bEC;jquf1E>*)sC0!u>aww*CjR%ordsXK
zR(z%Q242H?Tqu?DlT=b!S3Uu8aOcrp9;a=2m#+$AyutlYvpJuwTIsS(RLm0&E^y1;
zsZ=9#P?rCI(8No~C!<7c!Xc;uk~(!z$2-=9*%-5f<3keY3{g;X6yuGGGa8|XKun71
z5;~2ozNoclcd@+oj^vhA7hq=`Bf;^O00}g8u|n6INTnTKc{!J%f<qC96MkpWhf`>a
zJtM-2YGv>j+z~w>c5crTy6@p!k`kaWc}*sR+PH+qFO*XqX9<NG4oo)pk9<dk7R@?}
zl_EWPdEsuxnTd+oyjRD#*B})MI;}4QA}q3~alioLK+!0PfFtQQBx~0FHDNz()0dA@
zDnmWzi|dhC@MAe82DBmSC}|sUL%s#j%n^xVJ>8e)zQ(?!+`^~@8fH!pHB^8ZZ>QZ`
z944A2<<rs9jwgTog<`D~=~e?g0D;p08}0mR=w2QPurieeZ=p&VKx|=F@(BndG}#=6
zvMHi5d2^dh3ko7+C$j9nY|J1z?4tB!E-g(NY|$+sgtj*G`(xD&lGtTO(6E$a_c3-M
zr8>#4ZSH#C!xD*}tN&1ThxMe3p$2oYRl;OA1VHLmHyw){SQ}lU6!lZmh^HY<(-DwF
zt6&zVCYK99${h=0(tT|rUa795qO8h(ky6iFC~ZHW=TOG(x68uwh6iyi>axm~t4byS
zC$lU;x%$b|V7Dovm@eRLt}dU;uc|B$a?=r1HqpKIaD&%I;u%WeT$2MiLy0_jLl$bK
zq4yiJugc<sH)L|<l_245UM#T$v?-RU<^=m;kBRWI;R%p1Ng@rrE049bmX&H&=|#$4
zb5)*EhKhN<-9~V$iCepnwjP$ZBPgU3r{-3H-x*9rSS>Tly3RR8kmf~(&F%Nlwop)v
zw&`&``j+<-xVIei>hXFxDvnY3t-XvY&;iNdfPI|;Rl7K#CeKIA5|WRbEYr<gSqcOK
z>m!NS@f{ejbD?{VFpd={^i<rP7&pN{xT)ix@I+30-VVEC`nsinO|mcLZ1I?EdrTX3
zcz4Y;o=hzzU;aBy&W}D(2#%~rH0~J-INdCpR4(8M%L+C4)V-2a)6hjt1}G@O<}j}%
zF1(V73)kccjio!N=o-XeQfM<b<-|FYa{1FP5gUbEj$_C+vnk!9rdYKPu%tT?ho#uu
zJ%t{##5vmZJ(;vw&Zdh?XuS<x2<cdY&<f%~fXBM09xnV`0;i5;o8G)`b#ate$so%i
z6*N!$g2K_TSkHr1<?ZvPgnK$=ksFB@e>EI0o7@GTOF=?7*`<UQHJt<y$;KE@JLDoZ
z>V@`+2Y2a@#RjJF2Dhc;eakG_Ew+#q#3X1XQqfMztN94q(Y#ix5o<VZ$Oq(O6i8Wk
zmJF43=(2?-$KD2R_PTd)-@8|&VrespYJbl*743Q=BB0MUnf+|nNuvY8v}cmskrp<3
zsQ3LU^zd3XMD&3)pP!*-woA%Y3~XDrw@5P1t<Crgk#cusoyZ%j->9C95eK0|%c@|~
zxP}+)XB0ur3@+v5K?j%I^eOP#IUu;!WsHGV4!9cjetQKMcFT7l?QH?j$N|#^NMO`*
ziN4*}*qMqPJ7!%VS6g5s`R=X5p%VqNU44nzT!_@=dtZ<svIf=?2~c<X)cMK*bo4MD
zX}czO!dgh<rBv#26S>kPUi?D^F<HxtD8trY6Iv{&%+EuYbCnm=wAWk{OL$=0<^Js&
zd*8p2FMhy6Nfpa%HcR}<qyhkB`%9is3){ZEt%tfQA2=tDjKAlZ$R_+%-Hu1xFJ7H+
zY;CT;=d~s_Dz`<E%<;ZnH=`%udbrU@^jsopw0RSEa%KTYIfVcX=xB<pm*5z4NR;zB
z1Liwql)QVU5`+MxA7D9{@Jiww!v`j92-_4bt*t`@>JYzAlblQLuFTws(PYj7qWHUe
zGq=Im%if=+-rV>56yYP6!%K1d7tCE3!cUE?&Ir|9@K{bel8>SY3i=~jF1H?E9o0!w
zH5QqzPmjiyLbxN(OQc`t&`1h+l%iFSVG#>{I@+GmKe1CQ$?v$P!g6W1=59+2$Abxt
zHT5%a1ym)TX^O3^;%SS6Z(begU^;Z}L!WUfL_$;WOPUDe4@t@HC$IP?AC35o1Zw`H
zck7Q#A%QFOYj5I>-u<v=xwr79e~?h%r4HiYg^eW7DXava8I6b4t%}XFJ%#3Dq|4fZ
z4ah8M9^7Xh*{jebTcqk(q*(hDk$H5NLDO$r9@(c6EG1suEtUq1#mZ~LD}A87&>HYN
z;tF~SBJpz9lN4(>2+M|5wox2tD^SQzk;xv-VHutFE|L$fyMP)K5@H2?s=Rcj$%z7I
z^lIfEybZ-v=mhJd3nlvW?F#Ms+nbpVdX1@Y$<cEJ>-I9{39+v_!O|MvbH!}3Gv?Ur
z!{6DBi+2a>mh3<0LZ{Z2&(^5pTMlerhhdb0)sb0?!Y>hd^!;9?5EOY6q^GQr-hf*y
zsIzb?<8`tU)&;x2fkmY}Fv!FDs7nwttgs@Qle9--Thn@$0iq&qzrs$zyX9~oIEWKG
zY}q3(5(f7g_oD>lsG~|BttaB}(X998r+o|NIcSNxN=tW+$V->?QW<FI?Z0>v7=tQP
z;|opv8*m1Xn-s_iXV9LEJ(@mI4B!af<N;hJZ)LMVAYEwJn>!14zG{~RwuNozXrsD@
zG@b($nhwvLOAuFamzy0wgXv#oZ@HYnJEaz%An-WmrauzP?=In?ZHU$Qnzen3<wwgS
zwiR}Qoe};^KEhRK$VkY`VF;qng=KQjoDzpvQ_)pNIz51~KGtW6aIhbC8@|`Af%Et|
z&VSV|1OFj}+SyOT1eIHs6Cj4)#~mP}Cu`TFYlY9EZGH5ub*DD|Ax5}!o_Ue`#D>2e
z4Rc1yJ|P)h7OTc+KGt$R>5v?12Gq%K8_q<R@Fk_Cs0u<6i4pbF*F+%R2cDeoEQjK}
z)=iV{-OrLgd0Zv<2Y6S{wx*nXYsP@O@uij5_-yXev;O1mqn<yAm{@%Bs4hWG;HoP~
z2vmlz$m+ffL3n9cgaS=eIG&i3`^Or}E=PqAZ*%vC4P{2k*%fNti{cJ{aDR84+s@A;
z>>_XH*s`Z0kE=W@k~JF^Evf5bH~_z(0WXlOU}2DN^v%1fgfq(57hVe-9R4`SxU4Ss
z<`MzniB!=Kr{Rj?<nxyaH^VS$wnJsFcO{gcY=VP=+J6uH65dMQ%pDD1^vzfnGB|XG
z@AaAWpZZ-pB+#3@>zm_+4P-ACG+L@$lKTxph)~f3v6s`0bs>&|<?c2JlxR0Nds%b|
zxzibf##J2b_*RBau?mPJ(GsDd$hZALR*6kYkSe2CFIJ#>9#e-5>%Wzp`|ao$bP5A)
z#K@VIJ{el6au}dvcD>HTdG$K5y+c;k`;Yc%G|u+ZD7NoAVRde2+~>3zk!0ej_pQ7~
zP!J?Vpt=P;8#W1ZeE_(?o}s;9mKEO98WEKuw*OV4*P-cg!%M#*@`P4y!7?f~{P}QM
z0aUP_@EE$>kpe9sA6ni3eGafAqvE#}DBKn(R2NPk2R61u?{XfKlJ&N@OdZ;TKpK^r
zT~^j-Sg5EN4c3H2VBZo!!h>0{L+={aq##OC_z=U(Zl+&dQw!9|cX>~Bef6G<s%xSY
zZoH?`I4r^0FmQ_-0)K(BIigqLa%;%409FwWs!vq3-gTY_PjYMD=T~ag35)m_rnZx)
zc;t}2XA}L%%?zr<@);r_$MJoRieDa|;Tb=>oIyYX$L6snRT9ay*N>0^@WOz#A~o+j
z1(S8<7U9f5$md(I^R@!QIBz@+M*|krU4x}A?iq$_WIzjFf>!PG`{Moj0|e_x$5`mG
zq&7F<3K!fiB+py7CRovLm?6_KG9<s|>7S>9V?+`Rexb~A0#qU(4nS(LiZLqWveoc5
z3|7?8%H@4zmYJ}*Ur@Ks2Z$ORY(xCw4L0lY|EO#m78`8BGJrFaph~OVMxq@0F=&Vg
zG~OB$IZtBfxjjD6ow%JHu?5s!NwAl!rrr(|LMb6Lj{1Q98PBSfn@~m)6dxg5J>AI{
zr;Ts>?}2kfV)y$QT;j(aPmRb>UzFW9o6CGg_qrKrpj=VqO(XP9wkmNq<>r(CiYq7f
z0hr)2@^;a!PwD`TeJaOWD)wK0ZPKghzXl1Jb?=MeWijh6x~1f8F!UPKc*yPz-T<)>
zMyd*5pmxhHW*8OUo&teIv3#=AcBCxnB?^>vD6#<C=FfTW-=I1lN((Y;Mt!7t;&0AX
zZ)CggtAo~k!i3Tg@%}&}YY5Vnc&Z>aK++{XbgLQ@^Lq>s=OZ#6^LP=@c-e|IBcCo#
z(!+gWuy^b4*WkV5UYgc#XSve-Se=CGwGEVxHB;8x<jtL&J~q-a;wrHa*md%)DF?kK
z&6ggMu*-#3zTVv#U@BuRheq|omi|;wDwN}6Tl%EHCc)cxSEhAt@Uu3%ULQ~2{HG0O
zqh{7&f)HNJS>)6#yZ05);u6B8-1?w|vw7y1pmcU1DrM+<72lmu`3;55&<`DhTEG<#
z-sM>}Ux(cy6Jr>ba7Bnl5hba<Ou5nAQxbEdz^zK;B8n=mKSlX7lll}S_LR7xzVJho
zVF@&@?06X}0#J$o4!Dn9XKqw+sze;-xSNde^MDFxK|kIpA^XyIcHI)oYh&L9c{4ap
z_vE@lpLzcECs>!Cwj;}KuB{fIrR)(=gy)@6Od5jt+Dg$XD`?l$fx&R3`3z4JyZ@BI
ziPBE-kSvj-;Lbh`+6E5q5lDBnM<#<r*{@TJ{a-E5tfQuv%rVErT70_S7<2Jo_u2t0
z`xOw=jc@{onnwWqVqs%S1Q?dWO^AddN0Ei%F+N&ZuazQMj-E}0z-Mq12T^Fndk}J<
z=9YEM9TUWo(^DI{FHHcnlIn9T&8{Pgkw)<pbhd%WAhx~^MrTLchhF?P7^IWG%v1q4
z-wp+Dz!ThlnUmrr)GMQ?aS%n7r#d&q3QAPgrvGBLmR5i8HaHQ}FaSbOa?MyiyWjBI
z)Bokpu-YuAJJ2wXYJp2j4`MsVm~&DX$6JP@Ozfs}yO@mO{wf;>6ZQywUnT(X;$jda
zBM^N!F6aW^zRnkw&~Ur#x?H*d`yXtkTtK41niem1U6a0gruEXdtr-_iWj{ESsw3SB
z`eT#YN|OW|Aw3^thKlOVjsr#M5UHZoQuxp7<_4eTn<Z_&X{ChS-bWmwn1NK-X!crO
znSP6!mCbG7e69>ntvG6PgpSScEvzCXkcnVTsYvNIF5tYuE$4G#T*B(=vm-JR>HpgP
zV1?^69n-w<ZKuq7AFnqoa8`ma;?6M8ij&qLMw;*1wV<;ojl2TTcJQo^qU4KfDb4^*
zOy#{QDCss5YH*>LO-J*tpSod?jz25Dfb(lYg4pAc7jGwCvy*rRiJK>k%L=+Tkj3Yk
zQ};>|NQ2&F?*mL}ueJ4bj-TO79dwQkP-;j2t)yT%0o%gDH;&;U9Spl`AOFCPYRn_F
z+!u7Tv#zqr2#nSE`+H!Xz>ckQv9B>;0H}hxRm9g4j8^7}-K0AmROY_C$Uq|#6Vd}b
z3y9NBew&KiLoQGVNl?*DlxPL!r7a0=T$yAr=C$^|YZ~GBw1D^*uibTvYM0!FcwIm5
zH+%_+uAh9ss(pX971?_*nqVLqK;4~07zM9VI1L;1IJm>!5VVF-q;>2iEJMPSE<r({
zB8_;|%;OvFzEiYkQha`0OFWbAN001g&4x-UR-*5>Hs+9T4+oc69oa8^VGh<7)&(2V
z#3R;=nd^J4aZK!T4sPK+nvC#_(`yfz;w&1S+54|Q>>6^<<j7Se2v#hS7j_(Ndl5Qm
z*`&!KWvQ)FNST$B#qs}xJ%B<;{DQVVW<rv62(1%^`|*fx5%J=Sssf*0^Rz~p>*puW
z%;MC)ErXW2;(gsZ`Y}tbSWRBj$=foatd{7%qmo%|&_AiD{+mVfRR0=P6!iy^A1Pn|
za|{u`Az*;C<rjGIkje29@?H{w)hnV9oxD3ZwKO0s)shzN_fcdxAN(JA7?6scMx-}m
zKIrt-SGULw#1rW^MZ9nMV|eD9=YxH*a)4#GUN1BoL6Io5H)ObATEz=;<5tVYKR>!@
zVU7`=Z%04sTO`~~FH3>I|D8jV_zlB6>Hm4%6#ktdSd{Diw;c(*^PpT7jlB3P3~%r{
zK?-oHR<!8RU?Gq!AMQ8UfJ@c@*W)}NB&;{e`2kb>Z4)31vGFo6;6HSBGcR?5GejIp
z-%uh5$s&e>p^}z_X)TY@Xe4!D^A;qK@*01mynq5_LJ{x7BZ&q&IL_YW_F1m2=*xtL
z>sx*G=3=GJQaLE>!+!kybt4|3-_`W6Wtt#-IVO3gDs|WoE9dLgQ;$sYl$at|`LU;s
zyKX`j^DakWlGV8kUnfstY0Z%f5~6K@u(d$5s19f)f`&8wG-=)c`a<zZ@_SdqodfoN
zdAY^aMUWbLm{z*a9a!}PP@=T``>^3sXRMq*@^bNH4xvLe#&qpFAZL^zPcYeLM>mMD
z^kCDAk@xol3D$nVKpzl*@O>EZ+pSINWWg%NoQ@!`w`tr|jD1V8I_<9p_}zF|y^90p
zEagp-Lh5_&e24}-2LmFaZHXn>%!l9<=tH(zGk<`~zf|2Mv-VS!LX%NlUjK`B3PtHd
zCv3I8hQ#Jb@H`b~Xm%c{zR91oGgX*lVi1Bj1$uz;?S6ab&WsQ!KmF$q4ug<u&{6Ke
z;!QW8+Slc(p@xt!n#dM5d7OX{beOo{<NS2>>Fn$BQO>PxG-wDs46Rpqd@aFKe5djm
z3?k^Xv}Vk+`TFfT)Y)U3W1uU?Og22n0iZtxuyJ|)PiTx=AqA-g+<@v}s$(<ROR^eA
z8i1d2_hr0RY}Sn~0FLCl^r;xTg)FnbLFoU5T%jCMvseCa$IS;L?j+|4+JiS?j>}m`
z2ye0)69p|sCWoAl$ECts5S2x7j(}+On$sqfZLM&I>fZda-|*(Gu^LU6+YoL+S_(Uh
zv@-r~grVxcsKfAMsk-mGw`&(0Z9UAWxxQI`AFK{Ih~%q|G*tMwBw?B=K(d;RY*m(1
zlade}tA0i*@A-3csM^=NrzZPwB379JTq^+Q?Vee10bA)K(&7l$C_idw`^|x^KJT1^
z!aM504Sf`%LGaq}A$*t0eg3$5*C1KaniQrz<;d#WHxY=2s6y&fDJLFyb<g&oNiG0o
z9H$I3P(qF2(09liy85dEJ*%NF5l6Thybx7>R;wKgTAU8hDMSw=u~9l8*hlrj+@OsF
z9^|Tf$z!XKnZ>*cVFjbOwJrcQFA<-QPI!e&-@h#m9QyKoaLsG1Z$M=o3Xk=mklA|=
zl!<U&IMNqO0+YGj8WB>I*dR#LsLt_lB8N3F4C$bIc?d52!-FMOYCY}v9&Uf|x-jfN
zW6~qH2qYAf`8I$CA;>vY*gsZfG=j9J?dD_@Oy;}P57K+>l#8D8W4CL5xXAhcP1yuJ
z((dm~am}OEXim)ip?K)c?56<@+zs{3sqvQ=f$hl!OYOHMk<l92wzYi=!MsJn!Nk<Z
zelJ`B5B22;m%EW%Un%b&a!1rH{T?+EM@)qrG%LC>4lU2K3z>reOrj3eTSduM>!<dt
zH*~}E#xtl^emf#X=!Y9qu@=-<3@9XN8=zG8h@q!Xe$6^Om5fm$3Jiv3s8cNrt+>EM
z3M}Ai15EpblSlLps2<xio~cwl-wqWZB4d^|1#-M#{KtGd45&!#)|5HpLq={HJwK2c
zIf5H$-<m5i-nRZvOSeRXxVZeAfmFe{q4Gj<k}dSg>(Bg54*Me$KGwSFkp4!IjJ=lC
zLy_Bc4EuzwqGt%Y*sEqHdy}8nOh&8S_H%UVzv-s2{>;~4{RY=kb&s(YIb4@Nc=M(H
zpE{U8WC@B<jG9>YD<61}8+Sxm4<{Pin+wfdF*X#^arNKA@kO-OvDgHhkwq;sIrv76
zANj<MEU4Z|KS0!ZV6D%UE`GGfGbig(J6;&`*rkbD?8E16om9Hc&?34YGm6<<d5){6
zo_Dx!Q0MH>Iu^^AFYNuXdaK4y2(6~NpBz2so2%8ikgEBD;|dUY5;GxWtY?IL_J)eL
zI`ZEXCJWd6?RsHRr?dmZ9D98#x8}POkI!--`9{>$G|8Op*VnH-^D<}zJ2v)gdt-IW
zA-II6zfDDDx8b4l1I*#@B@lt6)i*x9HCxU6DGk(+I=n`X$rIZmliOD~*r21ol4rMg
zP}t1Df2wqgskkRenuE`7>iZS*=<DYBqRzl?MabOvytEtJ)`5=?o%K3mr;4wQYYV#$
zt2W*06-PWZzn84v>I>rIwg5oBlBa+Rlz;}srw5Y*>iVZgE+Xre#C67BFRjdR%vOg4
z2huE@;H}LZjl3iJTWw`sZPEEPbsmaiP<#Y3vAQZv#>v^@JkbYwFO;BZ)1cIi>^Gr6
z<#C-HGf8G4LZT_zzf`mcIjd0A{tRHsp74D~QW$qU=X|q8-EVYqxKDdO=d75ON#7Vz
zhJ90t#YVy7+{9W)qi@x3dP#2SnAa9TziU~Pi4PNMrcZ}=6|rFjk5=lriRjR1WczP;
z&b=<5C+qv2xA;JXoODEjLnr1{SO`IQWTw(?JeNa+jo5B-P@LC(th$P9N_d85AzE5*
zh^)YtKJ+UdK!(8&PdEiWd$-upu{oX+575(V^(Yn=U1Vaa$4tdH{LG2ob#jRJ%vN9C
z^ZcNPi}@lymI_qG|0cBXU$J@sr$7nesDMX46}D2)O*1WDEsiXhmKDSAr>~o?xdAQZ
zJ5NLlV^l#OInR4i2VM6Dy6!jAGC0kfW)Mh^gVtYXss5j9Usp1;md)_BjaH^RJ)YGf
zL!<p8UkzB^PqvR6bx6V9LR{odLv{kx4^yDTD)Nv0DKDLvK^T9svcaq^?sDDGZB@F%
z4+2$UMuZc36*f<Z+uEp(T(`r@bfgJaG2YKLymESY(>VLkEPp;BbQZS-Je<|gNPfYO
z4c#o^6~>lnae08+%Opc^N$x>cin$4RStnwAE$op`lZ_Qd<}+JcKEhKw;rjP2y`=5W
za)Z?PJm0=CHEUJdAG<yC14mIf)Zag^+8wP%1-O2KZtOgQ)|bYTF8Oo0OWf2qTx1@6
zm9&I_abusRitfwx6?R|zp^uc={kZ%YpTT@{&*L>h>>W{W+66eV4&us{6ZGC?>t0S4
zOw=#WlmAfc_vfdkGhX<Xba%$nt&X|9SL|@nO=nT!WjVguXb+df>ETzkt(C2-pA9%p
zZUlLL;jn(GCHJS!@9vWadt7uxMVK>sPH1#TqTB`2(|Ef&NXTPd(^pZ|=)+R7Mufcv
z>z`OyU-9yFV*DV;Y-nvE_C0Be*3hn?%?L+NvRbxQ5r2~{SD%q>;pTAc%?h_}S!xi?
z#!zl;+{P)J4zAs6D=$>H4b7>^vK>UPGgrce-KgU(;Mui_F$n<lteG_}FOy1j0}PBk
zHoWuH*~DY?jV~V?h<~is+}_obzpoxMizuUfh|I)16D*nyy(1daIBhE&^%M9UtDLY-
zElT>k2WOK9t~?*=%Jp}^o$y~I8vrafuO9};%$ss(3Lo6nau$T0c#pi+{bbTP1GJHN
zczuN8=VU4BjR)%O?Q)Hz+TQ{OytxUsu7xFtMPOQTTN87FTRd}`0HZ)jvIO|6+L~x}
z@nO9dK|#o@Wq&Xn*Wc}nu)minp}yGrNi*~(Vd7%Pgp@?Lp=x&lpX*;Vd*-iH&i1Bl
zZ(dxLX?M+MQND5Hg7ohnQ$()|VIAI%U1Qs53Xiu}GgN#s7im{PG;qmS<GtRrEf-oH
zr1NNg-2x2nTl|qEVx>CV9Yhem6O$mwn(2#9&1B!1XNFESWYWWwm^-3m9qB-q7&&q4
zm5H0?VAgwB-UqOObNAV}&T~-DyFnOUh>Y>c*|H%gg0)Ya)8aj*w#O*+tKDd3-XBmJ
zhbD_-NrFMKQ^^9CqvL9SLEr`!>Ctlub_RM%&GR5?bX3J{(MpAn`CXfN*~=lNVV|SU
zmi>)C$d`l3$_#{=Eqx7h^EStzIFDD3kdNDtBK*ke9W#jo4Q4p!kl=AuUD2V3x%!=r
z6}rKL^XkTjoASCJu&)|xldO&zTPhwdoNq4uR_=U3f<R|QJ6maGC)a;LqMIj>?xEg%
zT=Zo9+iGwW;8PB$m<B*XQqruj{GL{uqj=l*v2pk^?e9BP`SkK~bZ?Hh1=cHtHxIji
zeB4zHRoklt{en@ZPEOq~$4@R<*N}C=ZCq(u?l^RypnlKB%l%L#;@2Kcud5f}<fWi6
zRLiJ0clEbleee?s>@vNZU%Dy<IDa_Lfi`Br6%@Rdx~Fn{w(<^!G$oae^lS@uPJL43
zF8o-{q*>|<8~GnRyWx&ww6}X}PQjr)6RAL>4pN{6>;Wsf3*AO<;h{EeJu}$5|CD>7
zL8y^?pXN%7St<VT#6oWJk=)S0caPENkiNdz-MSgA@ARwEIF3apPKg=hg+P*N=}13{
zOWk!zbEKWK;R4}J#oE)h5<!=fv%b*=^`|#Q-0$7Qo0+jWmcmB+=Y-c^DWYlHf)n5z
z#o^K5^3~;XxEhPO(vfy8wI*5SfrMhiuGE@Y`ScXVCIhUL8zxWWY_gz=-e!5MFGv0)
zrEr#Cb8vs0qCGLtLdBt75U7qOB9<-AKr^x%)Xu^_WT3Ri3&dCEI-`<$NHz@spG`yc
z$o%~Ts8DyINpjU_M6CP@v@*E$L%oA2$Mc#UX${KlS$L^T4FHn4V`5PHZYwqmcO}?~
z2PMu|{((lvafxj~Z|N>5A?|Fx>+P?z2Z=mMqSvy}n85Eth5@My_YK0=p;x$V2K~q~
z%x<+`(*c3QB`BH0z2qZW^9^N^8h(~T<*5y(rkIriotg~L45%!`u-KdWtFkS0eqA{<
z10AA(%%WOOYSh-&+chiK6c`iG0fMUI1yB_mO+y=2OnwL^+x;dGrq(joSj~j-=cgQH
zZ@tBA{P#nbIx3%SW(u#)Zh|K7;nr<9VHe&L@^0yxM0fu*7f(P|lSgg1GzW$UZv$pi
zuAk+FUD+}s(S00hT!t%Cak4Iu;<GWTMdrL$sVC_J8(1RvvpO`-<hdS5K5xibh?~+)
z$Zad-OBg+}bIq^s;-c5yJeg8EYxn!-#Jim_2KIgV#Z}@x3#Qh_r93O|;(>i=cj*Ht
z=S7{zObbxGvI{-&c_$6V_Bo0shwIIwh}>N{TXaWHE;id(Tf}l?U@vBT8)z|_{W+1c
z$7sp$?t^Tea~2B9HCSlkP!w@Z_G~6JDmNfAKrhiVt)^;rrUQy{Z&MY-RdGl<C6Q|)
z^s)sJeM%zZYl=5+B#w}>OD+IWSMBmR47Z=uovn5d1<EWhB{;o>&X**5BeL824erg&
z8ow&pzTWl>(8us+TEe#4u%*6&j>6vyYLcz&8B1G(IYOptd+IU#F`du%SaQ!6T!gwO
z@o|)}xg6JOFUK>Zc7vSjD#2?R1X{?cbj<};J{@cqLb3bscS^>}ewvjEAAYjD27Q#1
zb@Hw2Vs9;KgHRYu2o!{JGH#dO2g&VTteym<Ucbb$Q5$)P%70I`F<4ujGAv*k0kXf0
z;0>9y^P81GuA~DFP>*5H?pgJL8<~!Bs(kT;TtsEJMu#2T6fpuB1VfyF&d2KbcwzID
zd0#ltUqqzG%Bi`hrbVEE3B=8rEw3cZi)$xtoSG(l9evuyE0n0{@0`&Z`@DC}s&t7%
zZ~;Y@%H2alUBSz7SO{<ya$8n=2Y9O=B7MY~7XdX<c=GA*11(9Zgf{ha(A=p1^h7)G
z&5e_p!IZ!|Dqe3Gj7Wir{&)Rjz(3(^R1H4=dAJD>L1r}5m!gS;!x_>yjJwhlgXc-z
z?JbbC=R1`ZqbY(6(^6o1Xv{}h3FXM3kL`R#O?8zXjTdjoN|120qqiPyMoFs3!XkZd
z+M*iTkY{GC>L}eE1x-*WWpEm!bZ#7?D?t`TDeY0n6B51|cY;&Q3IJbWQRqEkPfE#M
zN(CZFlK36)1$i7O$i8iE(i;68efrKO(QXKu|DnHdrdK!D05H|^_+$ztJOeJKM!(vQ
zN&y3ACeWKNBB?v*0{57+TMj^Bh-RpQ_1&!n_K=v1Qxy{tqKJtEC&_s!BE0GIyzB5w
zC0`j9N}#dg0GAPhXHk9?U<REiIKpA%o%r}&u)dTHX~~P8VxEP$zQ%eWjzdwmeBNWA
zG6LyKpK_IH?F+~-s9$+Mn9}C0vx6daLqP`xPo2;_#ORASc%gBysHR|mV9^>4m8CP~
zc1|L&517+~)i&DYp1(2Ou!P+}hU;zM2i_XiNI}TWJz@lbyv>vPT#`;==y;KG`5N#R
z65?7xWYB_w8PG6j==E+Rb)+0j-*JP$R_yTG<27uyiFTVaFpvcX9S_b2fGCyU*k3a4
zdIRWCGr`?q>#~@b1Waql*i)3`4#i61AGjeJ;hf?qidP*D0biaR-{+FfX1`J38@#@C
z%ZxjyjKTc`qMS5%iLgjYxdYdx><`c$N0lnJ4fYdz`f-3I-vm3*nh(eJc0j_pC?sLK
zp+TJa$~5i^{&8oK0;6$s4Y*E8KnF#^ZCnP)+F;vBQ-EEDne!zqe!fyUMiHbm+cFP4
z9CzD8@b@<WEeMJwkp6vQ<sy*rfoORc>%-}x@tBQoetYi`X?8c!tEM?a$gYJlrDU|B
z^2uKyr|p;k#?}G%Fg}49P2hqd<DZjY_Aw415z=|!!}8w3^s|MMztf(>a~V5+0cq>l
zZ{82_aU&!R?Z_QgN0l>Uy+_d55ox<=Lv;qcP#Rq|yw5RFZ4w$Y8B8?7RbN0KIN&6?
zDyAK!#CLeMn8m&^Xb28lNBVg$$NfV3SI-N$qfG2)dlq&J)81ka(Eg%mS21Sa>1BrU
zL$-Y2l+j(i31(VKCZlmIT^Ag2VN%~m)MOd&9oPh2V_7R}Z;irt>b)1210b~gO7!L{
z;fHij-~@Yw417p#E45JCJ<kiFBb`$)`n<G?Dw>i(rw~HdXktx!DpnIBqEB%RFV9JS
zbAe#-vZ32vzKoV(UUVKb=O1fpe;$FEiaJ!a?Lg5Zg4<DB(U+~qO^LW)NK$(_9RR$t
zNnUPnSih0y0=rZ<*|}=fV6$6hE|{8$Q7ktnv`I}@sZei4PS@pAB(=I`+D<S-A|itK
zsgC?3tf+MYM1BoH#?ABCH9(^WRl<-;!T7yLF%g<WPe4`|j6Hihy%XsVfEIv`qvwK-
z=n(<!pHSWt6@nKFMSn{tF2$z^+wHsneypK`irf7k^lNw1?u=zU`fg<DXM(9xd-jKi
zL2Shx#y-}4k5O7K=FWQdO1-Kv&!QQ}Vl#m1&gM0$?Ce+X+6<MUd0dztCY>QwS&34|
zxE-!YfwSPzF1uFu=By^Z1(FN*casxgrajjUyP<8^alXyf{F&k!D!()&^!!Ua;~rZc
zyBb@rFwBcE6^<h?F`#Ja=xQUPWBys;+z`(e*5i|W#^6st6VoFwH3ri>?r@+*_Pjc*
z2Q4><Xr1UcXHCC?F6VqVUhky$mqCqSdkynkGb+xD($-~URbg)L`SU{uYsp5d*b2a>
z9Ckfw+6PwpS0^H`2PlbU=QN$ZeHS87L+F=<IJ6~HKtR6Wz-AI5azb~XhYJD*?|X9I
zt04{AODNTz2gpk%*T6VPRhK>gZak+=8NH)Fq*pBS84PN&**ovDI&HH(KUCh1q=Db&
zl9@t1n)pjilh-m-bxZenndj1fg6ijMBJ)HC*<D@-oJhP7`UW)Bfy7bWH)PIpkf=Yj
z$Ds!3>W430i7xq7?H04b#q9d}1GWYNk%hBD5<E(K^4;%teRF>#m(A`c%nWklN8O)l
zH3%w5!+bYR<AT`h?{K_2(TH+7oC?Trpw?i{`_XM7|JF4;_5#Ol&JV99Avi>=3U?3m
z4QoF+vm_k`I_Lz)1y5=}dMNPexWVYJT~-zX9qCp#-CD)Z3)jn5WuFxa)Oiuq<b(oT
z2%vhh<XOrmlpTSO-vq-+-~^7&*->06m~LZ{XS@^5wy6bqkHeL1kKCG|RB+{WZuNX6
zYA|o<b3WHSE}!H4Fkbg}6_LeB`ji};Vnd>r6xnI@lxMa!Ovxtz>_$<)RHkAyA*#yv
zbX=yuvshZiTI$=Iq(eOX6KN#R+~~x5(wg=J*J|)FYAQ7W1=CK-Se}T@t&8bQ`}(w7
z@|b}TLAx*vGE0Vj=%$8(*gFBG8)075se-}#!z6C43319?_wx>0LKxAv7FuCizTv_h
zR8eF^wJ99Pa;3?xd?lv9w+o;y?cwH*uhN4hpNCE<;<p(^1T4~~B4^L15ys!8o~5B<
zx_bXhpiTP^xynK_YR-Un!5o@I<@ZD;Kbm1A`&gOnZ3ZRQ2%6YHGG(zIndpQ`Plz4j
z`m5bhPjuQtd*yJ#FCE|gf6r>(zjTqHb)ogZgyS(hXyEY_!7WCq^mL3z?q4OVV|EOA
za_nvT@tt1Ju9iM}4qG`iVz8CJ)a_4prA@x2rIwJa(6g=;yajaN!*<P+@r^8da|E;Y
z-P9JQP7dt<ops+}r!Xx;(wC4XAs2c&-HgCey4j|!b?{aASSPud=ZNe$$-8f1yw&7d
zM2!15)8L(KGd9MsT+bh1n4Z4}Gj17zn#^Ncc^g~h#@}mYSb?q_d0JuJ-jbGC`1{N{
zEs3F3lNXYB0+$v9H5@sfqNp29a)o6h+mK}^He`IzzVJ<}KrqhY@$o)|aO&MnygGVK
z2+u(Yt!sWJ<{Df=2~8qb5yK!48YzzciCA%0a9|I1?W(dKx25K2-#l;9agDgA>8rML
z6yWxB8^f^q2mf;?a0cuetk{N?hd%|tCPK!~Fja}^Jyd1YRin{fwPT617U+nwAu6A4
zrAxLw21wC!hi!&X+<-nNgs#WVWJav*84i5(q#wYB+zGk|iiE+`PR#n%2uw)FX`Xii
zpN<L)@(c0(q;nb8zjREfc)6K+2gMW&MP86tZnwiO)xdZt{)i9g9`j0JnP6EuE0Z4L
zB6@lr{}kg_j|gH^{e*@UJ7!*HHc1Y2zewTqn+l`%It$Z?+v!hS%83sM;u_`NZ6>{M
zspT9R<(mjz2f@$o9rK5U++K=UJy{6(%G`BW`d$MBJsm$B6&A<oZ|8sNDX?3|@5&nZ
zp6g-IJ9u*9*qa`G-KD3H0#UnFfJ^sF!ipC_7MDWGL8>UJ^K+oF#3pU*x6z*FKJn_=
zEoi1l4>ZoqB>&_+gEDgO%Zhypq00s0oUnubbu))`(yi|0UY2uj#J*?Ib#VsBC{odK
zk7w802x*$G_@6N}-fi*&YRE^{vK?t_P~~df^-SQ`lRaK~n%1y%glzL@H|;THMLI`e
zS^@TD?e43sq;w|61$m95c@|3VlfGb~nk^f;){Zsn3FtBXk|DCo@u0Q0(47px{;zT8
zupQFS%L~x7<MO7a5|O05Z>~U*mK+SlUF%V}{)W_aqJub5+J<52?RnLsAS&hqY8VWB
z_%iug6#a%$uaH)Jz|EF7Z%3(_VJTsv*iuX&EDeA9`t1zGDr%;LCLMx?&ATgciZ)N0
zJZwJ9$1<$rp`42LW1Q_wW1>tx$%kaLwt;llgCqCh5!P4jfo$~$TsGRv$7Dg<<F~Jk
zgr;9<09CcHDPkfKTvpTf1_sj3l$JrZc+{!M<VwhA;|-PtS`iie_qFrXsZV4Vy3Des
zyM_Q7ui~hRHAY2^M3?^CE07i;;^j_7WgCVJp}gHX$FG8XRZXQ(6_?GnCoV5{<u>Fo
z@QZezJ_hM3bbA!(s2a8?iGSE9UK}>}>66nTw$4+fP!orfV-;!~fH+|2QEcADcAU5k
z2tVfQhrksKRlwn(E-)-aeM60fciD|_PH66&3cUe}r%v``h0y1{NB{z}_ny(B0w(;d
zc;aO^tRM>n#{0lXS;`l+lIT^+zx>;zJ>^^fH|HQ_dKUZ?b}t89EPVYp4S0H)_E-La
Xg<y?P+IbiBF|J+KR4%w=5%fO*ceaS%

literal 0
HcmV?d00001

diff --git a/docs-site/docs/changelog.md b/docs-site/docs/changelog.md
index 323e91b..0e5334f 100644
--- a/docs-site/docs/changelog.md
+++ b/docs-site/docs/changelog.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 
 ## [v1.95.0]
 - Added 80+ built-in rules, bringing the bundled ruleset to 820 total. New coverage includes Amazon OAuth, Asaas, multiple Azure credential families, Bitrise, Canva, CockroachDB, eBay, Elastic, hCaptcha, Highnote, Lichess, MailerSend, Onfido, Paddle, Pangea, Persona, Pinterest, Proof, Rootly, Runpod, Telnyx, Thunderstore, Valtown, Volcengine, and more.
+- Replaced tree-sitter with a lighter parser-based context verifier built from handwritten lexers plus `tl`/`cssparser`, preserving context-dependent matching while cutting about 19 MB from the release binary.
 - Added a `validation: type: Raw` exception path for provider-specific checks, with new raw validators for Azure Batch, FTP, Kraken, LDAP, RabbitMQ, and Redis. Also added stable request-scoped template values plus new Liquid filters for HMAC-SHA384 hex output and timestamp generation.
 - Expanded live validation coverage for several built-in rules, including Agora, Bitfinex, DocuSign, Dwolla, GitLab, KuCoin, RingCentral, Snowflake, Tableau, Trello, and Webex. Also tightened newly added helper regex to avoid high-match scan regressions, and made preflight-blocked raw validations report as skipped/not attempted instead of failed.
 
diff --git a/docs-site/docs/features/parsing.md b/docs-site/docs/features/parsing.md
index fc90e8d..da71121 100644
--- a/docs-site/docs/features/parsing.md
+++ b/docs-site/docs/features/parsing.md
@@ -1,47 +1,54 @@
 ---
 title: "Source Code Parsing"
-description: "Language-aware secret detection using tree-sitter parsing for 13+ languages including Python, JavaScript, Go, Rust, and more."
+description: "Language-aware secret detection using lightweight lexers for 16 languages including Python, JavaScript, Go, Rust, and more."
 ---
 
 # Kingfisher Source Code Parsing
 
-Kingfisher leverages tree-sitter as an extra layer of analysis when scanning source files written in supported programming languages. In practice, after its initial regex-based scan (powered by Vectorscan/Hyperscan), Kingfisher can run a targeted verification pass for context-dependent rules.
+Kingfisher uses a parser-based context verifier as a second pass on supported source files. After its initial regex scan (powered by Vectorscan/Hyperscan), it extracts assignment-style snippets from code and configuration files to confirm that generic keyword+token matches appear in plausible contexts.
 
-If so, it creates a Checker (see below) that uses tree‐sitter to parse the file and run language‐specific queries. This additional pass refines the detection by capturing more structured patterns—such as secret-like tokens—that might be obscured or spread over code constructs.
+The implementation favors lightweight extractors over full AST parsing:
 
-## How It’s Called
+- **Handwritten lexers** for common programming and config languages — comment-aware stripping followed by regex-based `key = value` extraction
+- **`tl`** for HTML — attribute values, element text, and embedded `<script>` / `<style>` delegation
+- **`cssparser`** for CSS — declaration parsing via Mozilla's CSS tokenizer
+
+> **History:** Earlier versions used tree-sitter with 17 statically-linked
+> grammar crates. This added ~20 MB to the binary and required building a
+> full syntax tree just to extract assignment pairs. The current lexer-based
+> approach achieves the same extraction quality with near-zero binary overhead
+> and no external grammar dependencies.
+
+## How It's Called
 
 In the scanning phase (in the Matcher's implementation), Kingfisher does the following:
 
 - **Primary Regex Pass:** Kingfisher always scans the full blob with Vectorscan/Hyperscan first.
-- **Candidate Selection:** Findings from rules classified as context-dependent become tree-sitter verification candidates.
-- **Language Detection:** If a language string is provided (for example from metadata or extension), the code calls a helper (such as `get_language_and_queries`) to retrieve the corresponding tree-sitter language and queries.
-- **Checker Creation:** With those values, a `Checker` is instantiated with the target language and query map.
-- **Parsing and Querying:** The Checker retrieves a thread-local parser (to avoid recreating it on every call), sets language, parses source, and runs queries to extract structured snippets (for example `key = value` pairs).
-- **Verification Decision:** Candidate findings are kept only if parser-extracted context verifies the matched secret. If tree-sitter is unavailable, fallback behavior is profile-driven (for strict generic keyword+token rules, findings are suppressed).
-  *(See the implementation details in the parser module – for example, the `modify_regex` function in the Checker, and the conditional tree‐sitter call in Matcher::scan_blob)*
+- **Candidate Selection:** Findings from rules classified as context-dependent become parser-verification candidates.
+- **Language Detection:** If a language string is provided (for example from metadata or extension), the code maps it to a supported parser backend.
+- **Parsing and Querying:** The parser streams normalized snippets such as `key = value` without materializing a full syntax tree.
+- **Verification Decision:** Candidate findings are kept only if parser-extracted context verifies the matched secret.
 
 ## Supported Languages
 
 The design supports many common source code languages. The Language enum (defined in the parser module) includes variants for:
 
-- **Scripting:** Bash, Python, Ruby, PHP  
-- **Compiled languages:** C, C++, C#, Rust, Java  
-- **Web-related languages:** CSS, HTML, JavaScript, TypeScript, YAML, Toml  
-- **Others:** Go, and even a generic “Regex” mode  
+- **Scripting:** Bash, Python, Ruby, PHP
+- **Compiled languages:** C, C++, C#, Rust, Java
+- **Web-related languages:** CSS, HTML, JavaScript, TypeScript, YAML, TOML
+- **Others:** Go
 
-Each variant maps to its corresponding tree‐sitter language through the `get_ts_language()` method.
+## When Context Verification Is Not Called
 
-## When Tree‐sitter Is Not Called
+Context verification is skipped in certain cases:
 
-Tree‐sitter won’t be invoked in certain cases:
-
-- **No Language Identified:** If the file isn’t recognized as belonging to one of the supported languages or no language hint is provided, the Checker isn’t even constructed.
-- **Non-source Files:** Binary files or files that aren’t expected to contain code (or aren’t extracted from archives) bypass tree‐sitter parsing.
-- **Fallback on Errors:** If tree‐sitter parsing fails (e.g. due to malformed code or other errors), Kingfisher will fall back on its regex/Vectorscan matches without the additional tree‐sitter insights.
+- **No Language Identified:** If the file isn't recognized as belonging to one of the supported languages or no language hint is provided, the context verifier isn't even constructed.
+- **Non-source Files:** Binary files or files that aren't expected to contain code (or aren't extracted from archives) bypass parser-based context verification.
+- **Large Blobs:** Files larger than 2 MiB skip context verification to avoid spending time on generated or minified content.
+- **Verification Errors:** If extraction fails, context-dependent matches are suppressed instead of falling back to raw regex hits.
 
 ## Summary
 
-In essence, Kingfisher’s use of tree‐sitter is conditional and complementary. It is called only when the scanned file is a source code file written in a supported language, and its role is to enrich the scanning results by leveraging the syntax tree and language-specific queries. When files are non-source, binary, or if no language is provided, tree‐sitter is not invoked, and Kingfisher relies solely on its regex-based detection.
+Parser-based context verification is conditional and complementary. It is called only when the scanned file is a supported source or config file, and its role is to reduce noisy context-dependent findings by checking them against extracted code/config structure.
 
 This layered approach helps improve the accuracy of secret detection while maintaining high performance.
diff --git a/docs-site/docs/reference/architecture.md b/docs-site/docs/reference/architecture.md
index 73b35cf..2ea4e06 100644
--- a/docs-site/docs/reference/architecture.md
+++ b/docs-site/docs/reference/architecture.md
@@ -64,7 +64,7 @@ flowchart LR
     subgraph Engines[Engines]
         Vector[vectorscan]
         ScanPool[scanner pool]
-        Tree[tree-sitter]
+        Context["context verifier"]
         Liquid[Liquid templates]
     end
 
@@ -94,7 +94,7 @@ flowchart LR
     ScannerLib --> Validate
 
     Match --> Vector --> ScanPool
-    Match --> Tree
+    Match --> Context
     Validate --> Liquid
     Validate --> APIs
 
@@ -112,7 +112,7 @@ flowchart LR
 - `src/scanner/runner.rs`: the orchestration hub for `scan`, including repo enumeration, clone streaming, artifact fetching, validation setup, sequential or parallel scan execution (threshold: >10 git repos triggers parallel mode), reporting, and summary generation.
 - `src/scanner/*`: input enumeration (`enumerate.rs`), repository handling and artifact fetching (`repos.rs`), blob processing (`processing.rs`), validation coordination (`validation.rs`), scan summaries (`summary.rs`), Docker image scanning (`docker.rs`), and utilities (`util.rs`).
 - `src/matcher/*`: the main detection engine (`mod.rs`), including vectorscan callbacks, regex helpers, Base64 discovery (`base64_decode.rs`), capture group handling (`captures.rs`), dedup support (`dedup.rs`), filtering (`filter.rs`), and finding fingerprinting (`fingerprint.rs`).
-- `src/parser.rs`: tree-sitter integration for language-aware parsing, supporting 17+ languages (Bash, C, C#, C++, CSS, Go, HTML, Java, JavaScript, PHP, Python, Ruby, Rust, TOML, TypeScript, YAML, and regex).
+- `src/parser.rs` and `src/parser/*`: parser-based context verification for language-aware matching, with handwritten lexers plus lightweight HTML and CSS parsers.
 - `src/scanner_pool.rs`: thread-local vectorscan `BlockScanner` pool, providing safe reuse of compiled pattern databases across scan threads.
 - `src/reporter.rs` and `src/reporter/*`: report rendering for pretty, JSON, BSON, TOON, SARIF, and HTML outputs, plus the data model used by the viewer.
 - `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, AWS, Azure, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase validators, with Liquid template integration for custom validation logic.
@@ -125,6 +125,6 @@ flowchart LR
 - `kingfisher-scanner` is still important: it provides the embeddable scanner API plus shared validation and primitive functionality reused by the application.
 - Direct `validate`, `revoke`, and standalone `access-map` are sibling command paths. They are not downstream stages of `FindingsStore`.
 - Reporting is downstream from the datastore, which lets Kingfisher emit multiple output formats and drive the local viewer from the same finding set.
-- The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and tree-sitter verification improve accuracy and reduce false positives.
+- The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and parser-based context verification improve accuracy and reduce false positives.
 - `FindingsStore` uses an in-memory store with a Bloom filter for deduplication, replacing the earlier SQLite-based storage model.
 - Validation and revocation templates are rendered via Liquid, allowing rule authors to define HTTP request sequences, variable extraction, and multi-step flows in YAML without touching Rust code.
diff --git a/docs-site/docs/reference/comparison.md b/docs-site/docs/reference/comparison.md
index b9bce2b..67e33e4 100644
--- a/docs-site/docs/reference/comparison.md
+++ b/docs-site/docs/reference/comparison.md
@@ -7,18 +7,17 @@ description: "Benchmark results comparing Kingfisher performance against Truffle
 
 ## Runtime Comparison (seconds)
 *Lower runtimes are better.*
-
-| Repository | Kingfisher Runtime | TruffleHog Runtime | GitLeaks Runtime | detect-secrets Runtime |
-|------------|--------------------|--------------------|------------------|------------------------|
-| croc | 2.64 | 10.36 | 3.10 | 0.16 |
-| rails | 8.75 | 24.19 | 24.24 | 0.48 |
-| ruby | 22.93 | 132.68 | 61.37 | 0.79 |
-| gitlab | 135.41 | 325.93 | 350.84 | 5.04 |
-| django | 6.91 | 227.63 | 59.50 | 0.61 |
-| lucene | 15.62 | 89.11 | 76.24 | 0.66 |
-| mongodb | 25.37 | 174.93 | 175.80 | 2.74 |
-| linux | 205.19 | 597.51 | 548.96 | 5.49 |
-| typescript | 64.99 | 183.04 | 232.34 | 4.23 |
+| Repository | Kingfisher Runtime | TruffleHog Runtime | GitLeaks Runtime |
+|------------|--------------------|--------------------|------------------|
+| croc | 2.64 | 10.36 | 3.10 |
+| rails | 8.75 | 24.19 | 24.24 |
+| ruby | 22.93 | 132.68 | 61.37 |
+| gitlab | 135.41 | 325.93 | 350.84 |
+| django | 6.91 | 227.63 | 59.50 |
+| lucene | 15.62 | 89.11 | 76.24 |
+| mongodb | 25.37 | 174.93 | 175.80 |
+| linux | 205.19 | 597.51 | 548.96 |
+| typescript | 64.99 | 183.04 | 232.34 |
 
 <p align="center">
   <img src="../assets/images/runtime-comparison.png" alt="Kingfisher Runtime Comparison" style="vertical-align: center;" />
@@ -28,37 +27,52 @@ description: "Benchmark results comparing Kingfisher performance against Truffle
 
 Note: For GitLeaks and detect-secrets, validated/verified counts are not available.
 
-| Repository | Kingfisher Validated | TruffleHog Verified | GitLeaks Verified | detect-secrets Verified |
-|------------|----------------------|---------------------|-------------------|-------------------------|
-| croc | 0 | 0 | 0 | 0 |
-| rails | 0 | 0 | 0 | 0 |
-| ruby | 0 | 0 | 0 | 0 |
-| gitlab | 6 | 6 | 0 | 0 |
-| django | 0 | 0 | 0 | 0 |
-| lucene | 0 | 0 | 0 | 0 |
-| mongodb | 0 | 0 | 0 | 0 |
-| linux | 0 | 0 | 0 | 0 |
-| typescript | 0 | 0 | 0 | 0 |
+| Repository | Kingfisher Validated | TruffleHog Verified | GitLeaks Verified |
+|------------|----------------------|---------------------|-------------------|
+| croc | 0 | 0 | 0 |
+| rails | 0 | 0 | 0 |
+| ruby | 0 | 0 | 0 |
+| gitlab | **6** | **6** | 0 |
+| django | 0 | 0 | 0 |
+| lucene | 0 | 0 | 0 |
+| mongodb | 0 | 0 | 0 |
+| linux | 0 | 0 | 0 |
+| typescript | 0 | 0 | 0 |
 
 ### Network Requests Comparison
 *'Network Requests' shows the total number of HTTP calls made during a scan. Since Gitleaks and detect‑secrets don’t validate secrets, they never make any network requests.*
 
-| Repository | Kingfisher Network Requests | TruffleHog Network Requests | GitLeaks Network Requests | detect-secrets Network Requests |
-|------------|-----------------------------|-----------------------------|---------------------------|----------------------------------|
-| croc | 0 | 17 | 0 | 0 |
-| rails | 1 | 25 | 0 | 0 |
-| ruby | 3 | 33 | 0 | 0 |
-| gitlab | 17 | 15624 | 0 | 0 |
-| django | 0 | 66 | 0 | 0 |
-| lucene | 0 | 116 | 0 | 0 |
-| mongodb | 1 | 191 | 0 | 0 |
-| linux | 0 | 287 | 0 | 0 |
-| typescript | 0 | 10 | 0 | 0 |
+| Repository | Kingfisher Network Requests | TruffleHog Network Requests | GitLeaks Network Requests |
+|------------|-----------------------------|-----------------------------|---------------------------|
+| croc | 0 | 17 | 0 |
+| rails | 1 | 25 | 0 |
+| ruby | 3 | 33 | 0 |
+| gitlab | 17 | **15624** | 0 |
+| django | 0 | 66 | 0 |
+| lucene | 0 | 116 | 0 |
+| mongodb | 1 | 191 | 0 |
+| linux | 0 | 287 | 0 |
+| typescript | 0 | 10 | 0 |
 
 *Lower runtimes are better. Validated/Verified counts are reported where available. 'Network Requests' indicates the number of HTTP requests made during scanning.*
 
-OS: darwin  
-Architecture: arm64  
-CPU Cores: 16  
-RAM: 48.00 GB  
+### Binary Size Comparison (macOS arm64)
 
+| Tool | Version | Binary Size |
+|------|---------|-------------|
+| Gitleaks | 8.30.0 | 14.5 MB |
+| **Kingfisher** | **1.95.0** | **32.8 MB** |
+| TruffleHog | 3.94.2 | 160.3 MB |
+
+*Smaller binaries are easier to distribute, deploy in CI, and embed in container images*
+
+<p align="center">
+  <img src="../assets/images/binary-size-comparison.png" alt="Binary Size Comparison" />
+</p>
+
+## Benchmark Environment
+
+OS: darwin
+Architecture: arm64
+CPU Cores: 16
+RAM: 48.00 GB
diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
index 3a2366f..a5a8169 100644
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -59,7 +59,7 @@ flowchart LR
     subgraph Engines[Engines]
         Vector[vectorscan]
         ScanPool[scanner pool]
-        Tree[tree-sitter]
+        Context["context verifier"]
         Liquid[Liquid templates]
     end
 
@@ -89,7 +89,7 @@ flowchart LR
     ScannerLib --> Validate
 
     Match --> Vector --> ScanPool
-    Match --> Tree
+    Match --> Context
     Validate --> Liquid
     Validate --> APIs
 
@@ -107,7 +107,7 @@ flowchart LR
 - `src/scanner/runner.rs`: the orchestration hub for `scan`, including repo enumeration, clone streaming, artifact fetching, validation setup, sequential or parallel scan execution (threshold: >10 git repos triggers parallel mode), reporting, and summary generation.
 - `src/scanner/*`: input enumeration (`enumerate.rs`), repository handling and artifact fetching (`repos.rs`), blob processing (`processing.rs`), validation coordination (`validation.rs`), scan summaries (`summary.rs`), Docker image scanning (`docker.rs`), and utilities (`util.rs`).
 - `src/matcher/*`: the main detection engine (`mod.rs`), including vectorscan callbacks, regex helpers, Base64 discovery (`base64_decode.rs`), capture group handling (`captures.rs`), dedup support (`dedup.rs`), filtering (`filter.rs`), and finding fingerprinting (`fingerprint.rs`).
-- `src/parser.rs`: tree-sitter integration for language-aware parsing, supporting 17+ languages (Bash, C, C#, C++, CSS, Go, HTML, Java, JavaScript, PHP, Python, Ruby, Rust, TOML, TypeScript, YAML, and regex).
+- `src/parser.rs` and `src/parser/*`: parser-based context verification for language-aware matching, with handwritten lexers plus lightweight HTML and CSS parsers.
 - `src/scanner_pool.rs`: thread-local vectorscan `BlockScanner` pool, providing safe reuse of compiled pattern databases across scan threads.
 - `src/reporter.rs` and `src/reporter/*`: report rendering for pretty, JSON, BSON, TOON, SARIF, and HTML outputs, plus the data model used by the viewer.
 - `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, gRPC, plus schema-level typed validators such as AWS, AzureStorage, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase, and delegates ad-hoc `Raw` validators to `crates/kingfisher-scanner/src/validation/raw.rs`.
@@ -121,6 +121,6 @@ flowchart LR
 - The shared validation layer in `crates/kingfisher-scanner/src/validation/` contains both reusable typed validator families and the `Raw` exception-path validators used by rule YAML.
 - Direct `validate`, `revoke`, and standalone `access-map` are sibling command paths. They are not downstream stages of `FindingsStore`.
 - Reporting is downstream from the datastore, which lets Kingfisher emit multiple output formats and drive the local viewer from the same finding set.
-- The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and tree-sitter verification improve accuracy and reduce false positives.
+- The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and parser-based context verification improve accuracy and reduce false positives.
 - `FindingsStore` uses an in-memory store with a Bloom filter for deduplication, replacing the earlier SQLite-based storage model.
 - Validation and revocation templates are rendered via Liquid, allowing rule authors to define HTTP request sequences, variable extraction, and multi-step flows in YAML without touching Rust code.
diff --git a/docs/COMPARISON.md b/docs/COMPARISON.md
index 023826c..abc9bba 100644
--- a/docs/COMPARISON.md
+++ b/docs/COMPARISON.md
@@ -4,17 +4,17 @@
 
 ## Runtime Comparison (seconds)
 *Lower runtimes are better.*
-| Repository | Kingfisher Runtime | TruffleHog Runtime | GitLeaks Runtime | detect-secrets Runtime |
-|------------|--------------------|--------------------|------------------|------------------------|
-| croc | 2.64 | 10.36 | 3.10 | 0.16 |
-| rails | 8.75 | 24.19 | 24.24 | 0.48 |
-| ruby | 22.93 | 132.68 | 61.37 | 0.79 |
-| gitlab | 135.41 | 325.93 | 350.84 | 5.04 |
-| django | 6.91 | 227.63 | 59.50 | 0.61 |
-| lucene | 15.62 | 89.11 | 76.24 | 0.66 |
-| mongodb | 25.37 | 174.93 | 175.80 | 2.74 |
-| linux | 205.19 | 597.51 | 548.96 | 5.49 |
-| typescript | 64.99 | 183.04 | 232.34 | 4.23 |
+| Repository | Kingfisher Runtime | TruffleHog Runtime | GitLeaks Runtime |
+|------------|--------------------|--------------------|------------------|
+| croc | 2.64 | 10.36 | 3.10 |
+| rails | 8.75 | 24.19 | 24.24 |
+| ruby | 22.93 | 132.68 | 61.37 |
+| gitlab | 135.41 | 325.93 | 350.84 |
+| django | 6.91 | 227.63 | 59.50 |
+| lucene | 15.62 | 89.11 | 76.24 |
+| mongodb | 25.37 | 174.93 | 175.80 |
+| linux | 205.19 | 597.51 | 548.96 |
+| typescript | 64.99 | 183.04 | 232.34 |
 
 <p align="center">
   <img src="./runtime-comparison.png" alt="Kingfisher Runtime Comparison" style="vertical-align: center;" />
@@ -24,37 +24,52 @@
 
 Note: For GitLeaks and detect-secrets, validated/verified counts are not available.
 
-| Repository | Kingfisher Validated | TruffleHog Verified | GitLeaks Verified | detect-secrets Verified |
-|------------|----------------------|---------------------|-------------------|-------------------------|
-| croc | 0 | 0 | 0 | 0 |
-| rails | 0 | 0 | 0 | 0 |
-| ruby | 0 | 0 | 0 | 0 |
-| gitlab | 6 | 6 | 0 | 0 |
-| django | 0 | 0 | 0 | 0 |
-| lucene | 0 | 0 | 0 | 0 |
-| mongodb | 0 | 0 | 0 | 0 |
-| linux | 0 | 0 | 0 | 0 |
-| typescript | 0 | 0 | 0 | 0 |
+| Repository | Kingfisher Validated | TruffleHog Verified | GitLeaks Verified |
+|------------|----------------------|---------------------|-------------------|
+| croc | 0 | 0 | 0 |
+| rails | 0 | 0 | 0 |
+| ruby | 0 | 0 | 0 |
+| gitlab | **6** | **6** | 0 |
+| django | 0 | 0 | 0 |
+| lucene | 0 | 0 | 0 |
+| mongodb | 0 | 0 | 0 |
+| linux | 0 | 0 | 0 |
+| typescript | 0 | 0 | 0 |
 
 ### Network Requests Comparison
 *'Network Requests' shows the total number of HTTP calls made during a scan. Since Gitleaks and detect‑secrets don’t validate secrets, they never make any network requests.*
 
-| Repository | Kingfisher Network Requests | TruffleHog Network Requests | GitLeaks Network Requests | detect-secrets Network Requests |
-|------------|-----------------------------|-----------------------------|---------------------------|----------------------------------|
-| croc | 0 | 17 | 0 | 0 |
-| rails | 1 | 25 | 0 | 0 |
-| ruby | 3 | 33 | 0 | 0 |
-| gitlab | 17 | 15624 | 0 | 0 |
-| django | 0 | 66 | 0 | 0 |
-| lucene | 0 | 116 | 0 | 0 |
-| mongodb | 1 | 191 | 0 | 0 |
-| linux | 0 | 287 | 0 | 0 |
-| typescript | 0 | 10 | 0 | 0 |
+| Repository | Kingfisher Network Requests | TruffleHog Network Requests | GitLeaks Network Requests |
+|------------|-----------------------------|-----------------------------|---------------------------|
+| croc | 0 | 17 | 0 |
+| rails | 1 | 25 | 0 |
+| ruby | 3 | 33 | 0 |
+| gitlab | 17 | **15624** | 0 |
+| django | 0 | 66 | 0 |
+| lucene | 0 | 116 | 0 |
+| mongodb | 1 | 191 | 0 |
+| linux | 0 | 287 | 0 |
+| typescript | 0 | 10 | 0 |
 
 *Lower runtimes are better. Validated/Verified counts are reported where available. 'Network Requests' indicates the number of HTTP requests made during scanning.*
 
-OS: darwin  
-Architecture: arm64  
-CPU Cores: 16  
-RAM: 48.00 GB  
+### Binary Size Comparison (macOS arm64)
 
+| Tool | Version | Binary Size |
+|------|---------|-------------|
+| Gitleaks | 8.30.0 | 14.5 MB |
+| **Kingfisher** | **1.95.0** | **32.8 MB** |
+| TruffleHog | 3.94.2 | 160.3 MB |
+
+*Smaller binaries are easier to distribute, deploy in CI, and embed in container images*
+
+<p align="center">
+  <img src="./binary-size-comparison.png" alt="Binary Size Comparison" />
+</p>
+
+## Benchmark Environment
+
+OS: darwin
+Architecture: arm64
+CPU Cores: 16
+RAM: 48.00 GB
diff --git a/docs/CONTEXT_VERIFICATION.md b/docs/CONTEXT_VERIFICATION.md
new file mode 100644
index 0000000..91ec815
--- /dev/null
+++ b/docs/CONTEXT_VERIFICATION.md
@@ -0,0 +1,49 @@
+# Parser-Based Context Verification
+
+[← Back to README](../README.md)
+
+Kingfisher starts with a fast regex pass powered by Vectorscan/Hyperscan. For rules classified as `ContextDependent`, it then runs a lightweight parser-based verification pass that extracts likely assignment-style snippets such as `api_key = secret`.
+
+> **Why not tree-sitter?** Earlier versions used tree-sitter for this step.
+> Statically linking 17 grammar crates added roughly 20 MB to the binary and
+> required a full AST parse just to extract `key = value` pairs. The current
+> approach — handwritten regex-based lexers with comment-aware stripping —
+> produces the same (or better) extraction quality at a fraction of the binary
+> and runtime cost.
+
+## Where It Runs
+
+1. `BlobProcessor::run` decides whether to compute a language hint.
+2. `Matcher::scan_blob` performs the primary regex scan and other filtering.
+3. `maybe_apply_context_verification` streams parser candidates near the end of `scan_blob`.
+4. Only context-dependent, non-Base64 matches are checked.
+5. Candidates that cannot be verified are removed.
+
+## Gates
+
+Context verification runs only when all of these are true:
+
+- Blob length is between `0 KiB` and `2 MiB` (`should_attempt_context_verification`).
+- Turbo mode is disabled.
+- A supported language hint is available.
+
+If any gate fails, context-dependent matches are suppressed rather than falling back to raw regex hits.
+
+## Backends
+
+Kingfisher uses lightweight language-specific extractors instead of a full AST layer:
+
+- Handwritten lexers for Bash, C, C#, C++, Go, Java, JavaScript, PHP, Python, Ruby, Rust, TOML, TypeScript, and YAML
+- `tl` for HTML attributes, element text, and embedded `<script>` / `<style>` blocks
+- `cssparser` for CSS declarations and function-style values
+
+Each lexer runs a comment-aware stripping pass (tracking string boundaries to avoid false comment detection) followed by a small set of regex patterns that extract assignment-style pairs.
+
+## Verification Model
+
+- Rule profiling decides which matches are `ContextDependent`.
+- The parser streams candidate text snippets like `secret_key = abcd1234`.
+- Kingfisher re-runs the rule's anchored regex against each candidate snippet.
+- Verification succeeds only when the regex secret capture exactly matches the original hit.
+
+This keeps the fast regex engine on the hot path while still filtering noisy generic keyword+token matches with language-aware context.
diff --git a/docs/PARSING.md b/docs/PARSING.md
index a6f2a43..23a8b4c 100644
--- a/docs/PARSING.md
+++ b/docs/PARSING.md
@@ -1,43 +1,51 @@
 # Kingfisher Source Code Parsing
 
 [← Back to README](../README.md)
-Kingfisher leverages tree-sitter as an extra layer of analysis when scanning source files written in supported programming languages. In practice, after its initial regex-based scan (powered by Vectorscan/Hyperscan), Kingfisher can run a targeted verification pass for context-dependent rules.
 
-If so, it creates a Checker (see below) that uses tree‐sitter to parse the file and run language‐specific queries. This additional pass refines the detection by capturing more structured patterns—such as secret-like tokens—that might be obscured or spread over code constructs.
+Kingfisher uses a parser-based context verifier as a second pass on supported source files. After its initial regex scan (powered by Vectorscan/Hyperscan), it extracts assignment-style snippets from code and configuration files to confirm that generic keyword+token matches appear in plausible contexts.
+
+The implementation favors lightweight extractors over full AST parsing:
+
+- **Handwritten lexers** for common programming and config languages — comment-aware stripping followed by regex-based `key = value` extraction
+- **`tl`** for HTML — attribute values, element text, and embedded `<script>` / `<style>` delegation
+- **`cssparser`** for CSS — declaration parsing via Mozilla’s CSS tokenizer
+
+> **History:** Earlier versions used tree-sitter with 17 statically-linked
+> grammar crates. This added ~20 MB to the binary and required building a
+> full syntax tree just to extract assignment pairs. The current lexer-based
+> approach achieves the same extraction quality with near-zero binary overhead
+> and no external grammar dependencies.
 
 ## How It’s Called
 
-In the scanning phase (in the Matcher's implementation), Kingfisher does the following:
+In the scanning phase (in the Matcher’s implementation), Kingfisher does the following:
 
 - **Primary Regex Pass:** Kingfisher always scans the full blob with Vectorscan/Hyperscan first.
-- **Candidate Selection:** Findings from rules classified as context-dependent become tree-sitter verification candidates.
-- **Language Detection:** If a language string is provided (for example from metadata or extension), the code calls a helper (such as `get_language_and_queries`) to retrieve the corresponding tree-sitter language and queries.
-- **Checker Creation:** With those values, a `Checker` is instantiated with the target language and query map.
-- **Parsing and Querying:** The Checker retrieves a thread-local parser (to avoid recreating it on every call), sets language, parses source, and runs queries to extract structured snippets (for example `key = value` pairs).
-- **Verification Decision:** Candidate findings are kept only if parser-extracted context verifies the matched secret. If tree-sitter is unavailable, fallback behavior is profile-driven (for strict generic keyword+token rules, findings are suppressed).
-  *(See the implementation details in the parser module – for example, the `modify_regex` function in the Checker, and the conditional tree‐sitter call in Matcher::scan_blob)*
+- **Candidate Selection:** Findings from rules classified as context-dependent become parser-verification candidates.
+- **Language Detection:** If a language string is provided (for example from metadata or extension), the code maps it to a supported parser backend.
+- **Parsing and Querying:** The parser streams normalized snippets such as `key = value` without materializing a full syntax tree.
+- **Verification Decision:** Candidate findings are kept only if parser-extracted context verifies the matched secret.
 
 ## Supported Languages
 
 The design supports many common source code languages. The Language enum (defined in the parser module) includes variants for:
 
-- **Scripting:** Bash, Python, Ruby, PHP  
-- **Compiled languages:** C, C++, C#, Rust, Java  
-- **Web-related languages:** CSS, HTML, JavaScript, TypeScript, YAML, Toml  
-- **Others:** Go, and even a generic “Regex” mode  
+- **Scripting:** Bash, Python, Ruby, PHP
+- **Compiled languages:** C, C++, C#, Rust, Java
+- **Web-related languages:** CSS, HTML, JavaScript, TypeScript, YAML, TOML
+- **Others:** Go
 
-Each variant maps to its corresponding tree‐sitter language through the `get_ts_language()` method.
+## When Context Verification Is Not Called
 
-## When Tree‐sitter Is Not Called
+Context verification is skipped in certain cases:
 
-Tree‐sitter won’t be invoked in certain cases:
-
-- **No Language Identified:** If the file isn’t recognized as belonging to one of the supported languages or no language hint is provided, the Checker isn’t even constructed.
-- **Non-source Files:** Binary files or files that aren’t expected to contain code (or aren’t extracted from archives) bypass tree‐sitter parsing.
-- **Fallback on Errors:** If tree‐sitter parsing fails (e.g. due to malformed code or other errors), Kingfisher will fall back on its regex/Vectorscan matches without the additional tree‐sitter insights.
+- **No Language Identified:** If the file isn’t recognized as belonging to one of the supported languages or no language hint is provided, the context verifier isn’t even constructed.
+- **Non-source Files:** Binary files or files that aren’t expected to contain code (or aren’t extracted from archives) bypass parser-based context verification.
+- **Large Blobs:** Files larger than 2 MiB skip context verification to avoid spending time on generated or minified content.
+- **Verification Errors:** If extraction fails, context-dependent matches are suppressed instead of falling back to raw regex hits.
 
 ## Summary
 
-In essence, Kingfisher’s use of tree‐sitter is conditional and complementary. It is called only when the scanned file is a source code file written in a supported language, and its role is to enrich the scanning results by leveraging the syntax tree and language-specific queries. When files are non-source, binary, or if no language is provided, tree‐sitter is not invoked, and Kingfisher relies solely on its regex-based detection.
+Parser-based context verification is conditional and complementary. It is called only when the scanned file is a supported source or config file, and its role is to reduce noisy context-dependent findings by checking them against extracted code/config structure.
 
 This layered approach helps improve the accuracy of secret detection while maintaining high performance.
diff --git a/docs/TREE_SITTER.md b/docs/TREE_SITTER.md
deleted file mode 100644
index 999826a..0000000
--- a/docs/TREE_SITTER.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# Tree-sitter in Kingfisher Scanning
-
-[← Back to README](../README.md)
-
-This document explains how Tree-sitter is used during scanning, and when it is intentionally skipped.
-
-## What Tree-sitter Is Used For
-
-Kingfisher always starts with a fast regex pass (Vectorscan/Hyperscan). Tree-sitter is a secondary verification layer used only for context-dependent findings.
-
-The goal is to confirm that a regex hit appears in a plausible code assignment/config context (for example `api_key = "..."`) before keeping the finding.
-
-## Where It Runs in the Scan Pipeline
-
-1. `BlobProcessor::run` decides whether to compute a language hint.
-   - It skips language hinting in `turbo_mode`.
-   - It also skips when blob size is outside the Tree-sitter window.
-2. `Matcher::scan_blob` performs the primary regex scan and other filtering.
-3. `maybe_apply_tree_sitter_verification` runs near the end of `scan_blob`.
-4. Only candidate matches are checked against Tree-sitter extracted text.
-5. Matches that fail verification are dropped for context-dependent rules.
-
-## Size and Mode Gates
-
-Tree-sitter is attempted only when all of these are true:
-
-- Blob length is between `0 KiB` and `128 KiB` (`should_attempt_tree_sitter`).
-- `turbo_mode` is disabled.
-- A language hint is available.
-- The language maps to a supported Tree-sitter grammar + query set.
-
-If any of these conditions fails, Tree-sitter verification is considered unavailable for that blob.
-
-## Candidate Selection (Not Every Match)
-
-Tree-sitter verification is only applied to matches that are:
-
-- Classified as `ContextDependent` by rule profiling.
-- Not base64-derived findings (`is_base64 == false`).
-
-Classification comes from rule profiles in `kingfisher-rules`:
-
-- `SelfIdentifying`: keep raw regex result.
-- `ContextDependent`: may require Tree-sitter confirmation.
-
-## How Verification Works
-
-When Tree-sitter is available:
-
-1. `load_tree_sitter_results` builds a `Checker` with:
-   - `Language` enum value
-   - language-specific queries from `src/parser/queries.rs`
-2. `Checker::check`:
-   - Reuses a thread-local parser cache (`PARSER_CACHE`)
-   - Parses source into a syntax tree
-   - Runs language query patterns capturing `@key` and `@val`
-   - Produces normalized strings like `key = value`
-   - Attempts base64 decode of value and keeps decoded ASCII form when valid
-3. For each candidate finding, Kingfisher re-runs that rule's anchored regex on each extracted Tree-sitter text fragment.
-4. Verification succeeds only when the rule's secret capture equals the original matched secret bytes.
-
-If no extracted fragment verifies the secret, that candidate finding is removed.
-
-## Behavior When Tree-sitter Is Unavailable
-
-If Tree-sitter cannot run (size/mode/language/parse errors), Kingfisher keeps the original regex finding.
-
-## Supported Languages in This Path
-
-Language mapping for verification currently includes:
-
-- `bash`/`shell`
-- `c`
-- `c#`/`csharp`
-- `c++`/`cpp`
-- `css`
-- `go`
-- `html`
-- `java`
-- `javascript`/`js`
-- `php`
-- `python`/`py`/`starlark`
-- `ruby`
-- `rust`
-- `toml`
-- `typescript`/`ts`
-- `yaml`
-
-The Tree-sitter query definitions for these languages live in `src/parser/queries.rs`.
-
-## Operational Summary
-
-Tree-sitter in Kingfisher is a conditional verifier, not the primary detector:
-
-- Regex finds candidates quickly.
-- Rule profiling decides which candidates need context verification.
-- Tree-sitter confirms contextual plausibility from parsed syntax.
-- If verification cannot run, scan results fall back to the regex pass.
-
-This keeps scanning fast while reducing noisy matches for context-dependent secret patterns.
diff --git a/docs/binary-size-comparison.png b/docs/binary-size-comparison.png
new file mode 100644
index 0000000000000000000000000000000000000000..1353d6d42e90249c6c7479f853d1f0efbc2c8fb0
GIT binary patch
literal 35660
zcmdSBbyU>t`!0$iph$>d(5Q4O-6192Ag$6ZEg(aTA}FPF_s}4n17gq&DKMmTGxPvM
zoM-s{&R*w_z4lsrt$ohkXV!XOS;Xh_^nKmeb=^;xrn(|AAr&DG4i2%>3ps5ZoEua)
zIM-j^#0TH$P5pQs{3Gfi|I$Op#oELBwVM@=+G~%ujxHXKc5fKGtlZq~T%7s1pFQOk
z=47z-@ObMk%EROI-+qJJ#m$DN&DawGo^tE$3qyAtoCkNY|6Q}m7y|G5T(2Z2qx&v(
zYx>rd>LKQGH;SnemDhRqE0aq0M`g@o2V0#-SrIP^@5Cv`D^EPpp0JI%bBpPb3cCv9
zBc-DkM<-G<8K}!%RBuE76uNh6WyZX}!(wXN5RockgP7WHKzN#Fm}F_PT7vh3&-G}r
z(2xK5@{a9){tbGZbM5M@8zIuTS6|#D3c~gs2j|Yi>%>=IFg(SM3HV6Ay2*d_Mc|MB
z_V<qluD*kFT{iQ7*Mp>)_s7fwl58^kN2?u?L%N09e<*m&rWSh=`eV6_M@LGH$2>Mh
z`&5(pyJ$q*7?-W+gx~%Mr<a<kwi|9w^<6K7z4-drE6J)m_SxSeJ-(H6zp{p{+R5Gm
zt(;z=+4mMCw4$-F@@Ha`wN5FN&)$4!INR${`$%|CHRw8?>R`6~R*U%M*?u1`srW0&
z%QJWPgVn*r1QE}5-53soGR6d$S_;hGbfq_Gp~+<B8;b@V#!O@>R%g>);$T45`ebjZ
zi@QoYPnoP|0CjUF!5m^I>b>n~KUU_X9LxGTQfyloqtoFH#V79d95b~^_g!b>bDH3<
zav0;DwYqT*=?*_a&ALcos!I{V3q<boVJs8<Ek8fro<uL}8JJq(lhUQmW2h)QQ112v
znKGMq8LDny!{PlHaCt7|(Jz7i5Gi$W94(oy)2Lf!B6841K%ZMbm8X&rqAs>oofyAn
z(sFr$@$l(G_6=mo%F2JH2(zPhnXKi4SzYY+OJ(V(i~RAXd|>wOb<wEz(I(Or&g0P)
z$6-*QlE9rM`-$X)yXwuK&t&K^)J;Srt=MzWJs%T{<M{X2Ej@&%=dnrH2{{<i(fFtw
z$9`|$%YGQ9rcf^U<}8&;_$|XEVdvtWwMQl{&Z}PffV0=h0uI)Yv)ztFp^nqT4K>Ws
zmKtgXzD4OFl_KcGn_%jdgsiY2ND(2n>xJ>b7TP0jzejdI9)R?!mV1IpfqASA9fgYw
zMOD5!5UF_8c3seqx7KCWd7{?IVHuG|J?3Rp=S(|!59j)Gu$Fmc>|MUx=lXVoGM3J_
zPhf0ZI!GIJ@8vu6w09q9$m4BvFJFHmxw>%M!PcZuS0w=nO(J7wrmlnkEgpliRJFR%
zguM*NX;*KGP!!L^Eh<6Bm){s<XPSM~iuFrXW0=)c3$^olXW)K)-Eka!o5-rZ&-Xaq
z7;T@O?DzHXv^oyOT))Yl<r+-rI}6|WdE2@to{J3axBKUT)2Z9V*~yc#F^kJ{^z04_
ztVHE}f&L3-)x>DffNw?A&h>4nUK4h;G_U&8C9DtE|5}4pYP~!E$BSMer=MKNKhn~Z
zo!nujxxwYBLf&0=`eHM9BUi>T2G!aJmQG)965rNtSZ|?qU$W9n@u?U-Lrl+VEFn(k
z8r{2pL5y};c!U%;)iNX{y8PqHAd^mYObr3sQw_2l`X!<Ds0xdY=S<46q4l#OE2-oH
zOQw*ElNC)cQL<n=sK$&X)1F^oP+1F+V%%@UGT!fXWi9n2DEfyV{SCq;_-4A@1|^Uc
zupha}gWVNt+M;s?>pR05QYWzF%j1QpLSM-5e5;;#vPp9*(G($<NZ-rWi&GB%_s2Vl
z$|aSz{UIlC1A3puuLT+Y>>5K}jsJpg5Bd9FV`zFjfWx3O5ZHzJGeG&<6E!nU0@+*X
zr!UgXdcJxz=|Wm+T*v)J`n;Xm<pV+t)vQ_Z=Ff95wuFC+4f;oW6sdc+ChK?(X8cee
zPmi{!8#gO^HUrBXk(EaxBTwc&kgI?1X+pJNzR^DQO*mOEE)OY#A59Dt=BHD!8&%t~
znzy{qa$D;D2-d;Fb?`{r<=!N+C}fL&lc_n%Az<#~gKWwE!5l?dVk-U@dx;z6t&;PQ
z^=tp&QKOGa&-Z$GvJ%XEyGD02{Ev`X?0Q8Xl;b%myHkY9X&>7Ccn{X+2Zac#dlL=r
zHX};~_+w2MR1Z<Jty27!op+juKR@81(<*O*oS!mAH5`r_Z#l)VXw=qh89i8$*xRh?
zS0IwCbwu861bbapuUNkZh4<In-2d=zmSL5(yr~9UvAO@`uYq}<ubBO-MNSP=4x0|l
z@@1xsasqeSV$1CZ+^PkN(4#PK!wK(oo%u~;S}DT%G}m^@EHIao=jrhsZf>YFyI~ko
zrX@ZFdjcjO(4l88!K_9!p6Qnw$xj(<<U?-n7J!%k=3O5vr&o@MozZ}Fyi!iEt=XTb
zD{tQWJWVnI5yh_wI7lk%@AaPbAA{89wS&WT)9bJ-Cb*$uz>lo~t$2BHE~}Qze=F_X
zeArPUr%C<yt+?Sb)24yr-Gvz9c?G}z4R@mqk@cLMtt^H-$)14Yxlf@T0SAMMSt>m6
z5eV}dBtHY<TVUP_$(nBR?wB5v&R{wv@-q8$6m)&uVXQ2o@d9kc+Y;z0_bg-QhCg%}
zr!-?L<&gxm#izZxQD4CFpYW$ec@4~7ho?`}IDEoP*&4FJ@0a&WU5b0`_X&NnA1$#P
zQwi`sfJ<-W`;XN)j17S4c5XG6+n)`%{Ma5&X)&ANn>Nuup*~?osIb<6UH1i18qWUt
z>S^{;DydH8=hNVH9VpT(&gLfVECNxvvpNXh|MdX<yH=hmQJq$BxMBW0ZD_YW)z0Mm
zWoGa7P-DNz4+S5?=g&@h`Z}2Q2dtVCmFX~5@2a$&b8UL=*Qc0iGkVDJ>u())n#&|5
ztBx?V<f(R*W!E=NqsEQ0rZ+RSAVA*gOMLdrTLc14^`7zRfV4#(F(F*O7x1J(3>gqh
z*<ZLTC!N3%=cP%tC6O7FNAIuXJ!@bdYXx?HR)hP>g#Y262j+~JKchU*A8Aa_YzG)-
z$KuU`@ZtCUU!$!D&%l8egh%DkjIna6uX5$bc~NX3Vw9Ps7)94I`65Gt>PLOK3wZtr
z-|`G|IoOY+e|j)8V+<M@;3yJgVu4>LCj7DbQe&;cb7PeF{B)x{ORjJ&Z`LM!7Q?K6
z$_d$NBiO1{w>v+)NRtX^LAjmH?1Pi|bED}2WY9}TM}>GhM<O481agg|)xz&b;I%Hu
z{dJK;pQU`T5uUXYP}mxf&%dmLUZ-bC^U(gbv2cr@wKHddXVlXpIMmD>a*}s0mNc|*
zcyb1241?csHj2*rL|1w3qiv7QKeYg8;N}Nu+(1=o+Z{2!rIuBqk3w<dsJ(HEs66|(
z^Cly0;-frugWNMR39|`hDb9^-f41_fnjq%y0eB#9iE6=F3s<k^$@iXe{UqU#bAXm3
zU@s)*7dHQXhR8i3cFXQtjW)@Al!yMxO)KW5S|J8UNcs@Sh(g!l8Hn-qp61#8_0494
zDzhR+Er|hP;c?%%tup*3|Eho1iW2}g-!L`K(-YoFVfa*UlAPoX>Fhi?F;26#D4`Vr
zHru%tvyR-^Bt+dTM68Q9mWiy~7Aip;e$bG`hoCCS)s0_x5hV>p9CYlz!@~$Vj^9!K
zz-!dpGrXdeeQ?n_7eYO66hMnM4><Q!MV-V-rcg9*j}+>B?ni=kkr?U3g3H<P<@#qx
z70DlR+W~o`RFl`%XFD-DF~s~We)02zVb{_O^Gum*Q7^A6Z-2RnY_Ht1IC-xVs1U@&
z(3DBZ7^u4OuMN6<w%;!VFk2OPYW~*Sas``6@W#JpBLh2SP1}|3x&2`MHiKi1tjFi@
zuR&knHQaBU<`KgP3ABm(a+1x2wLg<ee09%|yRG^mc8Q;%X9MOiq?EkB0f6{L!TIv(
z`!uRBiJc#~O7Z@CT`VcsBS4T=C;y$mC1y1z>dm?vok~pcbv(jEa7Z)S5uHrBv?kr=
zX&$(c^4^}RU0a}bY5uynYp-1JB}XpoZtbq+SedEQ{?8E*hk_eGu<8XN!@jOGK45j=
z(d2tI%!~bOu@T|7s{>ifHDhKft_}9%urbeR&#|O0+>M<yVqU%5#k^MCj2KC6i*^vV
zhDSiWl0<{!?#cE7zuU;^j6Zt1R%@#B>ytik9Q{HMo;nyy?*1m9+i0FNmpoaFDcHz{
zrPwQY12{1`wyD@haoBPfKKjg}ef&^~hg#6_d&G;FoCSrAdmiMidrLi&7AL>SHTYdx
zPOQHf;+la8-3J|qbyaM3*xh+q=WOaetR{rC4r{%<@T+$%9@RsU=g(zF9)g20`QjX-
z$hiU~l?**Ljd=NYQNYZ1HUPi_rLs!^C!KO$m@a~yQ<s5TH{)BJmc*=)F3wDLdL|6!
z-`@o@_ldq2#0*;3v`9Ym$|tHYueBkjdC3VL0RQ3B=Drz)WI32Btqii$-YD<(P}>fR
zUm?V5*#`~(oSqjr0c@y<5k0&Z@~`Ha$`G2+ICUIb@o@8)74=*n@1K667?}u;!AZ(c
zn$xCybWCkbx=sKo=mdt5_)X31q2!2bbSj7llgp*x|3ZfwV|B!4e@FhFry7w?mnmdB
z8-23>TZHr+SZRu^nE&%-azPo@+AoRe<ut5he2)bwJ<SJ0D$Ae~f^37Xu)`tDVX8Z#
zB7pqh%s!Z=I7;e5cpe?2F4{E(!EC_*R+vMBbfg#?>TDn<O9_lovo#J0YXezOiI8b3
z0ej2xvD&}0kzhYgUQD~%nwx-Ms@-)_&T#QXO?gc^EjRBY_@pk+s+<-#&EhX00pJ<S
zpE=4xPdssxj1&|_aTtsgpzB4`gXaL2Bhj3JW!_@@y?ilKHUK)4p$94FW4p;`d^buN
zd$f%5Qr6LM^q_-QQT1$+ecCfucOi^B_xk>w+h{|VmFyM@XX83&HMbCvyf4~~F~xf7
zN^XY@kt*B`jPoKr2|O8#l7k2s`?N4sYt;}0Mb_$+&;KqiML2eC4&D!90!;-?sfzgI
zsJ|96JfWLoN<z$|UA$o|{yrr!n`!LHoIgFm*TKvsuv9Y0Itscqo6-B}TO{i*BaddZ
zmKEG=DB&5`lry|-Zf+r~Sh|uN^0Zi<XFP&rh=j#IVLXKxRavWj<9!l0R1p44?cDRt
zn#JzUFH)9<jPA&Jz3;Euq<Ix-x|8?0QDBRGsgJ5u9O3xo*ZRQx{j)#lX2h!|DTkUe
z2uAZ<acbmtn;*T)efesO$rP<T3j|M&bY9r*`?3vqp(OdXRRK$I!mO8O?aS(KF)#V3
zn)@YO=YJRU4BLcy`xTOgo3G`etK<VL;AkCESnTK+$^{dnA(^x&86|mYJ93C$nLI^F
zyNVNN>x<r|b!Aq!;edM_RqEuclZ~x81|@jgORf;@f;eu|ue)CI4biyao7ONWZ}YdA
z-znA4s2fBnCXpQUsIg1ZWBJdFJ|zfsA%{`U@3du0K0f)C!;~-8_D35%Hxd(ytI9=x
z#j~a{jZ$)_ZH**Rs<Gv7W%;i;8l$|1DFx86p@X&)jSl5-!Lq|$zo=t)LUpSr^K=#w
zC5rMn3iHCI@N88zb;ei}TELf*3>i={6r4H#3n284*FaJ|fPE>w3d4Eqm?eOhi9H&+
zNd^pGe2SEB-K0umBR+i@sbDkf+0NS#9_Y8-z%uV`CBDiDUjTc%#-?oA!%K9~!i<tH
zxqDQs)Rw<{b-;BMvHBvSFGXn5ktpqv*Dyta(9AoF-<~=!)v#mJB*oLIkrp@eGf5uL
z5OFhzjt?w0jXa_<DfZcle#IO4VGv<LH>&B+5EB|{q5^+bG~?s^P7PZ7na<UA=^QG~
zBKC7EeqrjQJ5mvqegO6wC`pdhsPS7>R(8eu=k_bYS!yCY!|VBeypd>6?U%5s&kZ?>
zm;?uwOI3iN^VGwy0u0@qn$`-+n2oQBbQP1ce$5VquY|139YLmyJRDwW@D?+Fzx#&`
z(sIp^GLIaGm&>KQSX<z{McAkHEoQnO!(<GVA~uRsrX<ZXXdDiP<KE26Nq6gJb0rRj
z$8u9|1orn}@LqJsb2;e59Oh|QF;OjUe9>~lCCy9TP>ENTn$L^%^{4#e{VK<4<6>w_
z5yNR#(V}>!UE<m5k2(4nfNp`=7Q#s-4x-gE;z34^JXkMpy_g^wq5+w6CEJ*9f9Q2x
z&_wxTuefiy)e=L&GqUWnZ&z<u&+t(_ZDP}F0_dF$M%2;GcH*k@gFzy4$@U=qEkVYa
z?VW%LyL@?~O5OP^5Bt{2u=WV*Ns0qGw&Sd!C`td*ahXQtuPx_Cla^9K)e#35%4#@T
z2Q<E>?B%Y0Ab$4IdQXwLrd_w*j(xuZUwq)PpEI)ejx9PXC~tDK)L8BD+0X_xzwJM2
z4{cw6PAi(QvxwnYa{rKgkJguxE;(^ukMV??W#T*N1E%7+d{l00`-L-|Hf-m~G<TEG
z%)Z}`fQL$6>e&|ziTGQyz1*4(fnY#DF5*;@Sw&XaDBh^|IAbyRnV(sRhLiWKP)Emo
z9mHW6cFUNiKqcX|V&uf2OOnHRRJz2G^R$V=QJ$-gH3_^o=d;pr%+^<;@A^~jZlM0v
ziGQ*$^%PXbHT!#?$EdoK<RyUkYkmRKJZ41!dZvz#&Euyg1xKs&D|Y;%7*Eai(w{{f
z{n55LoAU57#Z~3`yC^yZr;iPCUCT>I4$u4-V!xX9C0If93uM+G&D2o7-UQ9&%Y{JK
z4}{}&_94T5a{dxi6tRPp0kk%RH|l+=9JI;r4DG9@izD%A1vIq-pG;twzorv76V{u0
z{?#Lco64OlP`upV!@LjgINF+AfP|alC}y~ay+z|HukBCsJiOPlp;6rGIw*%}-t#jB
zY?j9HC7~wA4vj{%%o}*X<BScn(-JDceYw2VXSs3EqK9MJCMc0n=l#_?fFtu?f?dq&
zh5F(?ap(F~E^>Bplf{jmN5Eq*ooiTHQ>`bKxpdjQ@mL_*L+1%+dF&7i+{5dS!|A~q
z8%Z!o;o=unQd=Gte%0r!2D@K{ZCttZNJT3OT_cREfqKA{7ta183ucX|)ywIWV;rJ*
zHi~}n7{!!^+!On?hMw6G^IKA1^GtXxO#E-^L4IM9_s;5+B*-md;t%8{L#q(Go0G9a
zGf>g^1w$4o_K$B9kTjC-#|5i&f5@oGO|PxkBNFfPcaCo8BijKqdDywTIpCn#4fh@>
z%Y0J}gF!l^#jA-ImMp*4v*j=vh3UA(hAl2}Jy7CycpN{Lp&zi29aeh*8EdMlnW9wR
z?w7QxT=n0ku>mB;3tM=wy;rfDO57G(W~MeL-uuIbH7-8g0acV~eqr(K#i(Dq9X|E%
z{~A2jG@R&#`c@NR59Z%~`fdPnc5y43zl!~~#+~u9(W6l9!I79B8JCqVl=LrGQ~#nJ
zjL2VWFQ=`r<)2TD?ch&*>SiQajs0I`FItcLYUTqgeJKxI{l#fpbDWI*8?+NVT*5-v
z8>(>ABy=V!%yLp@aAzvXU8ov<pGtNSHG3j<a}{ikEJSKNN(wAm#D2;47k(o|agq!o
zzO_HMu@XpBu?utq$K#|U6H1i%`8Bmev$y$qU#>HQ^jx{JBgA@k@JD~v7MY5YjD7HH
zLiPr!n0v3ZGKa-vL+IoDgl&GGcefv$lx@usbNfaGD5?3V8tocuxc1+lD=@0DA6ZbX
zg0ZeHp8MsvrH8}N4c+cjOrpM0tow>6(iL}ADXFs^S!1J>P1MQ$iXx{<`R+FrZl$|{
z1Di6=qIA=fw|`tlgU#EqE2guoRyTsfp2q_tyz{R011q@<E{V5kYl={W(OUn^gf$B-
z(zG09<}HBOgFG9dq(;U1W)l$zZ0qQh*c#pyHC{uT48m%@*i5e9Zb0`GBscrC4p>=1
zBF<CSc&E=FHscETKa$)isZ!O?g5Xr-dfNQ45V=X{T#t)GrRhiAn^)`jTxZR`NbOL@
zHNUoF=*6?I3x@oEv+ymQ*|P@t10ck9(+9`}n5Y+OB;1VsnwI+?IbV)~jG)<-!b<Mg
zU2-m!=Qd>mHMwR9VyyGD;zfh`=<(5&e3;ph8xKd-01i@&I5+tPJCwa)j|b(YgM&=5
z%lcQ*M4;xYv!LZ-e(RI^O+bY6c6ropw|^l-_!Lr>3%P5y$+;Lt`Fj607QD51!xB&i
zu4hAHeuwK;8%uwmDyz}`4dsd7?k_Udql7k@NKZE&(yV)wS23PuXY=$c=Zqrn_#1la
zK)Le7n);~<JAzsY*cW63#*{ZkeA$>rP~rb9q9m+!4B^#gguJWSnIWQ18!BJzRpYuc
z+wF>44@XUl<HsiB#P0h}Z>ul((z26k?Z}&}|E*TXjosA!R3r^umi0#W4mjw>f2P7K
z3QBMJ;79%GXm#+(d{5(0OiYT8tc~^IL)6izpC%y3X*)LtMeCu2gUK?Vt?4_tJKXH;
z7|JdFN-TW9_?Ho}wuU5x5#85&ob@B*6p{)!Gq1o>oG;q{^n90y?Ug{#n}=`{Bj88|
zWil6#fPMQ1l|{*}zzcqa;#X`36<Hf;Cc`CXDGG)Jhx}Ci1!MJ=i0+d+nG`zm;PJw(
z=uT5<r6A2tHwyZ#X#EJSS0RKr9OIb`ktx0!?`#M)|5?rb{OC1VTxOn!+wJjIXTLqu
z*Y$=PlFgUc{&}$@IdLjnhGTk}``555;N2>BP@-iANEkZkqGe5@T#}noDWl=k7`C99
z7ud}@I4izoLwniS=XYJ2QiuevAcUCu{$R08o}p2^b(NM~tn%Ljy1l&=&l^83FK%9!
z4jDe%nmNgZpDj0xrB0b8n@{>l^*L;%qniPn$%c?J2P6{3%66n+xmUHypU?Ml5F4f-
z*G^1WXaVQVlXWjH-2%<$Jv2hjCah!td8)Z0efF1${}yOH={lTf-Q84_l7TDIOqf?}
zwt^pgB)rf0aQ{dGvsopJL8GD^CQsplv_gesPA%w{+#hd0P_OKNGi^P=!nSpJAQ^Ar
zk7BghTkO&rn;TT5C(hHavhKS(VUQ;3xo2vojACi+Uy9|P*%I~I9RDziM4jI$2ADD=
zncwa%+8y8lp*JEOk+ipKTxKQ9tboA7!*7E~{V=;<L9+mv)E&$7a7^Gb7KHV$;N8A2
z$GMT0V5Yq5D*xp^v0jlbTi0Qj^QTy|FKB-+kUsyZ$pGR?J(fiKM$-x)Vx)rz7zj06
zf9PrNHC{et7Mw+4<(v^DajUgCiPc@!IKlhu?gL1QR_lO@q2`&}_c_1YV48KFDdZrK
zqI?B*_&I}y)9+Yo4!~P0DQ|`i7%B@ShAS8nD`SpQ1UWf|k!o=nzj<p4lh@Zu+_Bn`
zejd6Qaoqqk&6u{Q@NbDB-z+SRz3|0BqTBG1dZ9@hrn#F)vp*rc_gG6%RlIPC-S9=<
zNSQCUnp6QB<vA=k{BU1;QX^w)UE)rU*O+V8W(EVV!BBAb_BI?nV;RL_)yJmNj;UXS
zG3il`{|+O^O_F#lv07!2#5&{l*k7Mjc2F#>fZpmx5n53>Pg+`CVeLjBjgnm!IBB7!
zrGGOuJc~{%b7Rf@pN(cRq_6#pH7c|_0y@Jhf>h-^J=*-CCB2YL3bnjf_6&C;T3&KQ
z=)vz(NDn-)5^x_G@l^h0z#z*+YUC~8G7|XLMU-Etk2OpCHkS(9Pj&|&0YTF~t5^}A
z{><Z<w}0pZl#LXiwB<H#o2jkx@947yCP&##AO2BeqF5&^JFtvPuoRkTW&f&GRFAK(
z>^jymoZu~>F)TRf*W(fr)eAQ1!OVz*rcdPhb{y~47W}Je<kHB%D_u1cxZ19VBi^%{
zI=3S6g{XSjpBADMl`C|8GZ$1d2nZWlozAA*`)ihrAxwH}Y7zE&);Zs3h!+n|3V2CN
zt7eQ(-w$MJY?NRMn>lK#xeg4Aw3C%$n34TI{(N~bxuQ2qk~hLpV`fDm%B=Uxyxa`V
z*fV$@t6e_gi>GvGHe^#IDSJ=&?@H6C0aTZ`9hxljs8k$m7D0xRRsmnqHBZ*3IjwAj
zcQFDLBN(G=p&aGSL-CK-P@jD-R#C~ytOt;>k#30E=ix8GcA_(Sf;mI?<Ng)!D+H`m
zYaDp1V~jf9tRT{!bTdy?)9U)>wJxn!WJ6w@8kg<SpA(NBX<ZWb8Ih^HqU`K)V=H}>
zV*mtg1~E;B{*<+>s(C_%>ud7ocvHl*@-ju$>G%(DXkyiYo_pi>B!xyFIl0~Mn>f<?
zU{wI^H#qilxi*8Edx3WTN=AU>yjP!5bR5PN2PgXGl}>zXXyp4K)lwl$tYNtT2glOj
zKTlFsyU`Iv?~;Od9VdGDN;SS2Xe~N$5a0cFK=omA7A{U;YN#R0m540;s`LMrrT@pW
za&E(YE~D|=*gs;x^rQ@O1a7)aH+oXSu{u6ZpvQBC|DS5v45lB(v1S435aIWWH;w7m
z*m)+Y*B&K2gL$`h^Z|JY`49V3(XJSlD4*r9YmP3t9M_3o2odrEA~2kb1pE*O`4D87
z*w6pzx;?gy|2-!`%oAMV{gr+p0~6PeY+BhLy3)kzfT)}Rs7j4Dji#4lc-X(h$#u_c
zqm1qFI{~7>uw$BjxtSAp!{S{&i*_QN@2_Osw;NWHK{A>GRK!0XegpW#RF>xMKws8r
zF0b+j>RSx+2G-qyBW=GVVD|#oqZ~>=nvC7kml>X;hRgvMXG+`dKyA)Pibl{$Owa(+
z0M=gc9!N!k7LU>=uj~%e_;^&yeJKfxqE;M0K}TK$%>NF9fmbq1l$taQUFh0<Fu(IC
z@4tT8L&TZ!9B4eq44|OCSoOlb9w%D<I&rtxTOnhtXyAkj{>G#-u>m=rBk+TlsgxN6
zm7$L$R>vzWep>*dk^;g#&6782aR`X8$;vO4Rz1n@Pxg=*fWH?2Ivl^96A)ryK>Z-=
zpN6SX1G#CI5mOJ?)E<8OkxmMB-A?BX>=9#~BaC?huflG292`Rf7$JW>F|Ftb$v3@j
z%^G_>F<bQrESs5527+fzYX(r0kGxHR!yuf(MWYKaxvJpM0ivUc1)yjh1IkUCYPXbj
z0kt`?)V$kH&0H#eIHDuSkd1tHFa;VT00f+xw&dH~^*@NH1$)u1aNk4Tx+%9WCqM~S
z1H!ag9J`*Qrd-dE#nq^G-VX}7hKrvF2)Mzs!!h$K{d#}74+a$JTRbT6o?4r=4ImTl
zHgV@DL@4hb#fo1XFIaDmR|raH^#%jhc9PSyab$C<VYnH%HI5{KW};Y6AQx?oNVOX?
zKob1=L|Qkg8iadJ!)qA|*O+bb?=vv>zqeZtl+8ro06{Ev#dL&I^0k8nK!4;4xJ?1T
z!`Ar|T@4uW@xWWmR$U69+xe!VwWRb&qA9n=D}GtOvc-?kkUAf+z9Y<k3`DP{wZWWE
zA|9*JwBs19w~zDeq;h-!>#@}j1izUn@WeSM7*237-k6zR>8+2?t#|&lkwp!Qei>Cm
zK18_NiaAIC{{7*P(W_BeWV93Akh3qad9MEqxJ#-6E+Ot%#sF}^$20jrI$cKEWJF9D
zJZGY2i?e+X8mLr;0s6%+iH86Wn9X*u9cS(lPit%#g6&b|GTXAV=iIa<INRa5HuR@A
zLrMzid9@)JRBljZ6OZ%d0MEtXg-OMmk9I@3VJLqR8sS#~MdEEy%7WQ=k7yu<#DLT;
z-ulC^ervAd)+=D;_&w9Ao+f&f?<+zB23)Jo6U_5BQ+n)}A^QRG&<7^;wO`#@Hteh$
z;WY)QWow{7KI2k}(o3rCuGb?echySbwd!TdPkqDJ78ghBG?mrSf^|OtZwb}`;kBvV
z;AZ8H%|T;ISW@3Ue_pP^V)|D~!)ih5{2+$Q&mg{$_m>JV&ZtYBdrUHz8y=lXm;pMw
zD(3b(_&!2xIfU9dG&ygk+`N@>Y@?=$h2<f?ZL|;A)BXury&h>lMg>Iy{jn9c5Kd)a
zGa(JNmhNQtLd`e@toN0xxTUV~K`XscW|*qCb3X-j+M=9?k93cq?g6wW*&Auvx61+T
zdZV!n+hJa*L$`fu)(%+~*?UBqvl4NxO>2wA+<?(ZBNji7ODIPA1Fd?iOAGzd9+-fR
z_J&k=k^l|dX#$u+*YcF~CY%2BmO2p&QR1Dyn&!w2nYh?iARx2^;X4%@nE5dM?J;=z
zLguk4g&d`bTP{}4%CY{w(n&{Lk%~mOyr!kn%x589l$T(tR%bH}Uc7-zA*^Zmfqr_~
zk$mL>A-eHw8#>l^OBvf%X>n(u=A=aYqrF@W_fv+W6{6^zQl^_a*r;0T>FaFz>BJUh
z0Z`V4TX_5&MKKoRZxRyS5C{SOi}b$Col{^T=mj*+T_aefxVreRoZoJGi2=?6kla2e
z>t)1OT4uH(1Cwdn`hjs~$kRXd+sBN63uLa4nqna=s!O8P-5-d$Te?}<8QqqeBM!i^
z(h{YUdk5Pxgf@W3?pV2t?1{p7+b(cf-5Fb$_1)mw-)=&M1Yo^3X;~U=*Gx(1#BDp=
z)}MGItrFzL_3O}U!z}ZnX>peTuJi&2fFrq|cgQcG+moX=ILw;sx%4y*L*2FYdkmPN
z)`T8li<@Th5wsl7e^Dyak!IFfN%KxmbJBbOk0+HpX2@PNoAd>Q6*JtbOBxD`rpTLk
zS4i3h_HlaIM$U@~a7?(QaIwoXNw8JspHhbj=KSI77q<u~!tZ7)A6TFga(28dKV_5}
zEF%EjiuM<9nVD)v&-lT-Q8Qk>nwio;iS)%)ml|O7j=dvdz-U^hoO7hKWnB<DO;kSv
zmZLB4n$r#1@H?0iOx`qlZP^p_Q}u*X39vuLyc#Vrbj`5kHm)u4S<U*S3Xa6bl{g-7
zZ<wTaD_riLM_j!|;?p*K0UFV@;xPu_h+RhqsjZ0`72d8uUcMpYcp`q=S3LIY*%OqX
zyb`Ir3I<>MYA1ICF3gscy>yZ#<NY^AxHZtytdDo*ywaes>c=aYy5HNBo(*Y8tbn{?
zD@9*G-C5mIyG9Hv3m*GgiP*wEgB<Ke%hg_}EC-gdWT1~TJ=V-5a=@cdmpIf-G4%hd
zXMl7a#F`JpA;9)P*6Ls_g~~h!a6F>k8HDJdlBUY*bimBR*lz%i5?wBINfm<7CZ1#C
zhs2TgEIztcxw<VcrO7oP<g9JEb)1y810=S{$~-mK!OO!Cr-95M+MNJ!gxA_B`VLd?
zffZ9rs{&@)X*gnpU(TfnE4S$u>2^&4KisXc8Aio5h0j#%^@GI*Jec>N5p0k1S7IN@
zh9m;1m37{g@N>bf&y~^?uQ`F6=h&4{a`oAKto79fa$D}t0MW=gr5=PoC!Ie)9-P#^
zk+<idaKp;Pp_TxpO72Xx;bW)&agmOk<M8RgxZ(q=_YO2mTuuYRJ!>ur1ttw{NC+en
zE5!+|W<m%HvzFKvewk90SH=N{OwvI-6E5){2$z#>@R@hX%<{zCvA#JsjR5Q&_V+(n
z9#qHL9kzmUJ?I2ZH4oI+cz`{kZa9hcoRy2USO!UpNC5+5<&}1TnQCy)8P#LMeeU9n
zC+D?2Wj9)8>Tp?pkj7C~|8u4zZ63gV9GpSNsrqNjhUi$Ct+bD?fjxk%6{E(p21j5L
zU#`iO`pU1)r)mBJJHNKd#dbNI!DD@d&E$C&emvoif`pGc3R!ECdX;y1A`bbthvh8>
z=p=kUxD0o_v+|QmNqcIn=2FOq8Eo`o_D(SXZnmwnEQot3`|%wo5%=X@C9ejy>GYw~
zLi6BZzDM_y3G@<P<{nHXoBx&QurG0LSi0}G3n&5Ycdb`ruME!Tw8chX37nLv;Vl5^
z2K}>#qtY)ep4!kXq$z0-Z=G8k?WA{+CQ~gqi04+A-eEEO@_@%#<As9)alYkG(>FtK
zKlBg2t~iN30IO0!JWV`^x8kFUK1#KYuE19ZNNCA#keUX(P5LOG{HGa^bxUX;P;lt?
zBJR2Z>z2aQcKW?GzoY5$C@8v7PKBD{_du7)VXe-s=3qMZmA6#Vk<>zn`1Ru7k8gT6
zcC+v=gz$-F!nSnTl<f2C4y=7yS97#|oh}a)G9P^!)@7f8Mfst(Yv6PvwEBZhAS<>U
zKgB|TPEp|cT1y#>o<gxhy<^#QnCAu6?AG$Wxd@>w=JP6Xxnv_)?j5`p(lBX$=PEob
zRs+0L8M$Bcs+}eU=a{3n*SKm-brsys562Xz6#49IlY0*2u&)ft74lmf%5!?s>3g`2
zgsQ@+DQI<s#$V1J08ifz99U|Z`pmHhS77)`nvqsB)3upd0X&%O0+~?j=ISg2!!_@X
zve1@2KOCt-sI`S;PAv`ZJgZS-nC34Veu+@K7J7i-Wf_S6#pbUV!5-I;31e(z{hrAg
zf@-~-Q5eHcBg1|6FFQwiZ<TLkpF>X9@)dgvR*seu%oWbcU=cInjwp+}Yft7hlRkK#
z2lwLJ0@Chxm<gUzY}_5j))|Q1V8>&T8&q!f#pNv%h<{lHnaa!_cM5e%l4~q~Z_;94
zP{~c44IgF$Fl5Yewq=?mkVQS!*19*5?CbOZ&_s7o${24U^O0U(tl7-Jgi3yWv(<0l
z{h<7VB(MPF#WSc>MERbr&O05Khi^|hH}xG^zU>#Ru<oN0yBz|7>9xzXyg%s$juJ-{
zfhkywHo>_=w@|8-fLc;VbMAX&{0Ch{`}Ac<%>wH&^E&cvT7ieqTL7GL8@3xaezua*
zOHSdFrxsER;N@Ju!>+P}V9#2P-j?}pZSzpjF>wtrV8@MswE86|APzt!yk3PH>-s})
z49BL}zc2rCoy=alaN~^k0lPt&Bi|3G2QaHns%T=0ur|fZ2|<Vi7w{s!23}jMA@cv&
zyrmQIOTd8`(J0UV1j<c9JT%R&Ut)_(M)i+9MkY1<Mjf#2PGklffbrhqyn{<XQqA}L
z7*8zrFq1hVx$m(+wb`IDTlFRYF06BgTtiUne=nTP*{EeHAFW0F$5GCp$*!S!E4Y#t
zn<}J`u?uJQ;!k@4bjmVmoE30+0RyVFpoL5xsd24iMc+DyUXf)_tAI*6%tQ4zaIrX{
zK7p9h9v@LWB`tFYkD@z)$Aw^p%ec1Mkang$F3A)yX`6!jl+DW8BYyppd`~162~Rvf
z2bR)m_aTPzRQdqaumg1B>kT{LY39d-7)+}?USlyrgpxh!1y(=%(Q<Pa(s+POk^y!_
zHt6U{k>8d-0s))G`2(-l=1Xd_@D7mTIel;jVb&UZhALB(MrkLMH7rwMsC2~i!iBZk
zRZ{A1D>7pDXs$#Aj{*thZ<s>k<D5sIS<>JA1mR+8u|H!r)niBr23{iQuZZhrYUZ~k
zVC+qy@#{ATjDHli1f3=<2@Zf8uvQBWc+-i%HsENtmIQfC;$wB5=AGx?oQrowS5n=7
zx{uno7?(!b`;J&00_BrGM=`3FO=HH#`6^8a4KZZN))dka;2KmV>J}f+jlz0(aNiPl
z-t)jlC$$oOwQk^ZaDWm4qhtk}Xm|X}2Ddz7TWkzfP2&9{el%{u#tksJ_Yi<E!>}Vp
zWf=+q{lVt%MQKKrmSJiB&x7!}jLWsw1h-E)uv-h~n{4JI!oNhOZ`<$$_kV1K^C6yE
zw1-z*8brSW9v0^NfJYVpC&_oHpBn9&2fk<g$@~|diOb@W#|=KF@@>}yOtkdn?d?Ni
zm3FZ(806~X&c%`7ARhll2=~G>n4-11>e~yFppYB34BI<i>JioeGajuN+N4=gC%!9W
zd7kzB<L2H->!W0>ZwsG`pZ4?h8--s@qHcM9_B6{^mb_|cC?0r#unevzQ>hu;S2YUj
z6FWC7GifM5yE+e>6bw=+70KjuGtmW{xyFp9+SvnoJ8`-HigD<qv&E-;(ifj;NI8O2
z3G%0-Mt}`|i|5;e4E7hFgxtbZt?!}z?4-cQFEBGLL)ov7<yDQeTSLH{PF#Xzcw%>I
zf^9|MCNw;RLL4|qYXgFOAF(b-4{H`3yq>7Gt9@-*0vy7&0Y$snr*!WMY32c2P;)uf
zOKL{=wxCWH7}6b~?bRN~JFndVKApHUcl~qEi_Y+>Z*OEWAK?*l^E*$CUnw5RDtNS5
z9)S;Xc1)2X*jNMDi+FJw@pl6z0q2KaN4Gv%SFZvC`bZ1uscBvDCn&5&)d4gr%COq@
zYv0dzAfp&QJGpu^k{~FAqS|2$ab)@O`>UW6tXV5sM&=X9V8={62Iajbx?kGXh5?}b
z0~-~&i-CQq7MTqZ1f&B#Ip~-LYJ=;`>TGLk+8Z4mbF8(2nQKji!ernSwD40c8{^e$
zDjpBq$p<V)BJj#i#d4cY;L`&C2t1J<xI|Wxf$KX7;P{En5D;+s1WiD;p98<ZI<L|0
z8vcbFV1#{iS|R?!RW=$i@%%N*KZ0<#s^iI7)cHZ)>6$Egm54H69t}j}SkaigoBKEi
z3)|Jihw|b>F3-J<6|(SSEIJ}<k_fRz_SF>zpfA)JlH2zd@RHy?0?P6YS(%&X+m`ab
zRhTIKPY){KtTPad({QuT{)hN0!m$&X==oSiF_I?iILT<T&P51hd#3dn(6JVO%qCMZ
zSOFbosdoGey8x=C07Nu?K@PUbGl0~h{3x$R;3g&Ut$|k%P{4C^$!>Qu`1C2OZB`*8
zut3~tF|)b{YI)ZGtYu}EfOeD^l*Ga_6=HlhvE>5J@WWAQGg9nB7;GL7{IdW&5SC7;
zZEkY_k=?7iL&EQ9TpM5Di^uRtLL;^q#+$ImrS)8JUbN4|6$M96xDocTlO1r9Ca3Fc
z4CgAvFxL5Fxvpr}&GBb^Zi_F5ffOU1L5+Py^uDI(oCSyp*1#ltl-)u=$XehXbovOy
znLjg%V`|_Oq2M+Vp0B_jJyPf0G$78tCOE*7Nzed8xNi-X6JgUUilsevVE)X&7Cl!I
zGe#^l^$H^eJeC89(5x>R*hnsZw(~2f?7>y9{6Mc3u%5Pl@%?ZvSxsoWfWv4ah)9Wd
znUu%bxc;(MfT|NESeB|1sIce-v9b@4A1;vdLxV~3EFdt$!0WN;mf(1FI>o;`YNcy^
z)o+Wz4@ArEUA=*$=bpB!WON7!_f`RB6U}K{!&jY^bX!3<VbAnsg~n{f|F@`R>CCGm
z4#!dwh_l$we~%mepR2Ok!>?my@bTGOd`*sh_F5?FU+2w+=U^4drc;V2lp589&scI8
zlyt7@VSnzH`U{vK7xvsDDc3#?-OBx9;%EcD%^-WnQrh>)|NcTR(3bxNgYrL9!^ZGm
zo#v(I{Xe<{?*IFd`CnEh_&+_wYmY6TJKE(Y$tsdoc!FgcsQTDNp&Z98#DqCP1hZwm
z+*$F263*Ufy|;{TxbJl=o@0RBvOg{rGq0^F$b>w}%5ikPvGI_a0(`eq6?ks0K0*Iu
z$?58M{?99kjIO#)47hXN2Dc?%z<M`z5n*YtQ#8t@NWat`xV3G@ut4XiRtAcXoIT_d
z0E&oB!Z1ib0!Ob_bfDvX+ks4xJegxG-Gc&kL3Dfo^u|yE+P+U5*u<@YWC8;W1k81z
z9R@0hDB(s|V_{j}%p7y`<8v6GDXm8ew3tC*#`0F(tl*fbcN)AD<QU69&k*XM^)^u`
zhaus9b*4givcL&w>^^E}BR^%<=wYV=_w~eFiB*BA%sMxyK(1kprM9poFrYTeMe_I`
z?r^sJmz^zO6W~qy13-E&5W)Ixv7~}hHwJ({>fl$6i6*ytmpKP4?#saYDu8O<k7RrK
zJrgS!^;#vETJshI8+ZQ&C!pCB%C9s+oFw%SK`1tf;)>FY&axfMwg%*0i%f`ZAA^|J
z=ELoi@4#a)T<2o$zFwF=Q4$J<GNoy|v1fClhGTsn$h;HPF0(Tr1#ia}!4_*Ogg<=E
zcRv+!7w{Jq=)dkwDSXc3-`g&>O;RyTV?=vjcv_wU1FI0o2eP?vv9cCdRsG3w%9c}C
zTwL>BH%Be$hf!>~4Ga+Z*1(t1<vfc;L0HKNTg56^I?`Y3G?@%CgVUK=xP&*zXnYS=
zUt=>p`r?(Vpu{k2&5xC-O#HTLtk*{hy?&Gic>&sv+-Nji!mqbsCEY>4%*4)qq~JA_
z7?d&z@W2ngod8m-HyH2s<}0My`Mt9GdBS~=luvAa0E0b|DVHJXziH7t^5nT1{h<lg
zO-^iGufhUK72`KW*)`vS=^el1(A3OVrxo-2NTpn~@(Uo!t<z(z_6}ngxD_rpp(?BN
z-dcXf#J_gnir?CNFry8SUE_xoJND>ohHj83_kE&=*j6cE^C4i>wV7SP7TVeY?#@)m
z>4E8p&{f|8Rg(rY+x)>gaEz9LlkmS%=kH|TX*tej(=CWLtaDByzFuNf)6HpI+lx)J
zj#g4!S}0vF&oSr}Y&~SzC&b7lAa}fely&r{iVXLHIuNYnG5@R^KM}ClPWo#X(+!M5
z8y|QXvAO%@<<HwZiB~$3Vdd|#;_DB(p90Py4P{Y7NBFZhO>7LG@W5BlWyTR9b@?7M
z4oVl9eR>z7q@1Bd`DtFs{;BCM0CrgenQR%57`14v0ofo*sq&W7qQ1ssuuXb_Ok{~g
z=hUlLE0{qCpDNvNTVx;9*&(F^@qdaoWl#a?KoCqui^Kv7NN;?-K<T9Ce)JYVV)Q2R
z6ku#*Wds=1PcBVB7;rlI4VY9l&DckoGA-$fOEk%i!=+j|3d^t*=RN<D(FM?bp$8^!
zWsXIy<icr0hAzz8sD$FgiGc2BZNj?Ib}k$z?*Zx}<K+q*<uPqhl@DT1uvL&do(H-A
z+484!#OuY;CZr!<n))ookwM>dfD%uO0Ct@=H8_KuAu$AZ6_8cq+F_Xm9x^>T_|M(o
z56@VI=T!ICU_^v?<owgH;M*j4bg>m#;RL|D>w3y1?9bFp;iwgLCFbK)%4N#fjNH4S
zX&zi$*4X_Xl%y0Ir7Pb!V?Cd}W&19_AQmt+r;_Sz*jkIEOjc+Xz;m^QIl+%@(tTik
zwa4Jd(IKjShvBI&-29C>1=Yfe7@dg6Dg1WxeuIsjK+&3OnzFq{2s{uWI$#$&K2`5i
z{~J1LhbY2HuZ+~4SX4}s#`=c2G#Y_$=oF|!Y;<@GXoN|k?AO0SkeP4n*)}%fjh&wX
z>Y$NLJ2$kCe@Np{Rcm1s_=#DnP4ZutqUXm_+OyU^ozsz*%9PK_XB4xG4BHG~nIU~F
z%CF2PTHDFz=|K>Y6Y>_^nlCY|`nKgBO><}ys;~Ws>R*!xu6wDX+s4COZ22VTwZj<A
z3_Mdg+*rU6B!Ygnr-Gu{XRWoi<r<VEKmoq*7iLw2c$ZGzxlX~jlj0-a5qbJ`HCv&Q
zibx8i@?_{FaUZu42zxiD_MPVs;+WVnwLs55jB53n0EshZ(bwOrkRXD4T_Q)DH6NvH
zza~&zST^eg>I9!N5C?i98$FAi+KcZB#M!cq1N}2_lj)Z-3%?4q`zFZW4E^zFQ>%9E
zN`WADl+Vkat+ZV$w;G;K^|a_(Zn8*G{s+X}b;p8>^5sOCgO6{`CeyrU>~Qa}nFgk+
z8eU)bnZL2sd@T%^(MA6_GFi#JD{R{YvT_V#3j6(a>IGun)%{=7D(w;}eONLi_^Io>
zTorJ%Gmb@J2~`WG=S&veoWp;NBVp3{yg-%|2Y?{j)5<mqKabrZo<IOPf|NeQ4;3VT
z9-UelY8ynH=IP$eF%-=EV4}{&#m4((%lig3woyY}wO>g_$?e({130hV`+c|lY>;MX
z!1h7XkAGb6M}JD!qEM)T=5w8WcFm$|_1%p8Pr|)@jqoT0-bE#h_NnFJ8yVnP3OP^N
z=GS`;+t}XWpWa>_%z09#^He*DBuqOX30wYS#^2MwGxzI>v%xD_B=%~BPBUKq0fs!~
zI9_b&V4+@dd|KKZFtt8wJ=;@Bmdrn86t2=>E%=wm|GIT!IM}{9?c1$1JT<N~`M*iB
zc`o_2XuN3JX;9t;1F3OsM;I?2BM>G8kH<iG55@RO5sZ*3oKrKaC0qLOuexSax}06V
zryiy&-i*YhDk;t?Nd;;6(L-+)rv)P`JrRmCaS-^Az10qZ9dLpXt@7bIKj05D`mEje
zd$K`urAOoEg760uY!7WUhxyV@8i7>S2WBqWy5Acx$|;2R*vG9cll6zD>(z+I53F9o
z$%C^wBY@w2TF}@%fn)XdIj}MGft=HtK-~Url9963RYB&yt#o!(&dl8~Vrs#0zAq4g
zf70r?y&+giu}hV6#zLFeGUw2A0LLifwX-_I6S|ot4vwEmh6)*m*!qupIB+2{3zW5-
zuJ8Oa@1va_zE+$cz5vR&`3v*<n?YHZoJoHF8_<4Bo+OY$5=Gy09H5j<LmGUSS?jcu
zv02t7D9xZUVa>?|8{8{|z)E*@o?l*v*y|4TVIE@!V3Uq+!%wwWPey{^?kfnvI|Ho&
zmjzWezpsitY@7hJa2am&bVw1%UJ(PX;9ez`G|T=L`_bEtEl*g6pJiKUc6{ni&?TAM
z?#s4Nu)1F%>U&VY<@8nz9O?6B<sdXGsPYs`l6ALe7AEm#riSz2$^P}wuCmDuNp8i~
zU(L;?Y2R`gkg0Ob4N;b&^Id&p{CsY}Cd(WbtKM2VB{2^$Q0;K!`~w#$)IeY1Q8$}U
zL5J#HEvnw_zL}IUgAyI`cV<Yn`T$zJkAVLD9d+{~hlBVR8aMH%VwJMS3UEIA^0J14
zO9F0#yCtd_r?+%uZL}04sH_NBMQ;~+Y-8^+Xi<Rc=Y?_%%&WTJT9ivxlYx^0?TAu~
zJM$WxN(PZ8CREnTEMPsdM`J%zQ29xYw^{cnH;E;+@@8qq=vbG!cA(sn7NPPDnLdlO
z&D)3Rpi(d`t?wt2oA4VmFEqru{Vl9cceoGKHHWz9XwX^NFn&A4qWfMhgU~{P_x-Bt
zocYS^9`_ODlVWf3FR0z#&+aY1SY=Hi3F=Pah%$8RdEhFgjwBp}Iq3>QEAjY$M1Dk^
zarkv6i6}sA@HhdeaJZW#c_-OS2MY1N^II)Q8IKiIJkQm~OMqGdYz<>bfPo;?I)0#6
zYCU1WlBeKPgidAFR&HjV5Nl>;A#W}XD66e*`}mTzNjYd5;0uwmL!gOBFDDf8Qt{sI
z+bUy#4yE7X#X$~(HSffCgCB1R0Ht26WKH*iBS)H25Ab)N?L@X2px7HjZV^y|(RaIP
zCCb(b?&iR)@>tV0c6;hFBd!C^gtyYwpaxwF$`ocPQ18blEQ25C#CU2nHEir#^$WO$
z-#}^D%>gu$KKf>H<(ERI(L;c<76z1~pb^HE-@SOPUxvO1^(spcVk^%3%ZkZL{2Dv3
zNCh*Fy)0$Qt%qxl0a{6ft>K)!e53{B=<+n@VF~gNzLW*|;mR#jO9a`yUl<C)RjQ2M
z6@K`YWcoy4*qHrYu|o9&QxC0UFFfDa2J9qlGIiinjl9KHs@2jp0g8JWD-7C9^KYef
zGhyjJo6k7W?k0d9CTlH@QsK9EERbYTKTJB!Slw*KUk=kA4L+@_XS+GC547vhSp(qZ
z3eIFus&k&!Zsr!?|Mgo(Ln6*npU&k6mJ2d8HjBYt5z$F<mw)&V_GXa&+CsZGAW?A=
zEk|hE&v^e<Ut8%qw8h~~rebF{AX%ba<S1@aVY&?rz5*`Iy9&pm0;0MWzeW(5|I)v<
zWg+RO+VIY|@Bi)<Cc!iKi<aSA64tT7mpIQgH)e<{XSKjWP^4@mG5>1MKF|$#eFboG
zpTtr20wk%<;RgyUKdIn>+C=(Ehu2sO4;qcAe*5poHDi*@yBwcjsi~6wjUu3i)xwBC
zKtuOdkh!dUpRg84fUvPFRQvPpLdRq{$FzYz<&>^I8O5Q6X8C7umjvQso15uYur--B
zb7)Fs_dzl?xcM)RgBtSG$qe}igN7bzuM5MOrNC1nj!pTL>Y+s0YtQ0tEh$#%{~q4d
z>|>47`^U|b_{<_C4WZpfaqrG9VPir#?1-ov-1XrCeX1Va?jptk4c~l*oy3pe!89C3
zE;x7$vF8H-mV|Dc!;+_(yvyOoT6Z3s*-M`Qs*&-Q<~t}6RVo@aD>X;?Xb2j7yHO5n
zL}KoG3>qjs3i52}$gFR-;#h16l@2M80L?pH6qVrTp^DFBpyr3RTK8oXu;)?Q8-pYq
z_LTwM6ksH&#r5io&eA6Clg#S<gw-7^?{$xA{^|wwk;t+-Wlesr0=_&}Fb|bcCXZSX
zCendGob5n!xkP@5taKtPXl~d`WU71LrjO<7d2hk=cCtifu|ARE97WPec{7_ik5Mio
zS}$?hrB6hZZ~B+*LcU<{$+30^_tX%3`=E0aTzxMVxx4aMSXMxowgwJmnDcbwkz*lM
zm0ddK-Fi3Z9S+W0z<e$Mdo>@{!zOczy)y;t$N-m|*ccm|f;v+%t~7|juZA#kmSh0;
zyYU&a3xPe3O}``&<rK!Rqw{vYvWJ@wxY?>UvU_pyWP#7Yg2#vlPXYUMoX~qg`1I@B
zWujZa=ReT{;GOn#n5n=lA$tM-SyjIzANGEZF^A-)crN2Bx8nA0ayxf2!1;Ni#Xr@8
zZs1X3Q$nnNq{yJ$x!l0u94MYC0Ig1p1`C0+<@?H&yl?3et1f5vP{@5*bswb36V_JA
z#*zX+cxBoD^Wd`h5j~%^s&FTR{pQhfipxa!4FQNTply{%u}(N_xzD?_R0e1@s5ue`
zweUxm;C>?I1nhYY;t}Z$s-d7t{9NE@z}6tExHX+VVI7w77ZE_c_tgYD{rT1HG%Qd9
zu)jC^vDOekHstk)Uj2Ec<aOe;S0Hbila}QNH^bCPtpIDqp=7so{c^H{WBDg=F+$fx
z3&8y!M(x^y@s3tNUW4*$8r5UEw~e_nutneX<<Es;Yp^q}ZivYMcO3n?P%ZQLnX<J5
z?siE8-oo(=`}K!WfI%M50JQ;OzVy?zkaORCu)crSIAXgYjgVK671fkgVj1|CK$}TN
zf_Mc1gtwBj0qzTdFq0blxU_rE(OR-yAYDuW4E|&~A-n4f#-41D!)u`yrk3meW3D^~
zasvravM5LdJvPS&5t4H+o4iW7puzwIoMSCuN_0}rQ^M}RsyQi10z5O-ly}*)j=_yI
zeMvUycKL-K$wKYQQD1@0Qy#8?^-A;u#KBW$b(I#oaf8va{Q2S5GML2Lq}!hBBNcoa
zwlD%bQVK_KX8;s#4pgW&X4XI@?IqU`e|;(CceGj0OA79NdWX>=ev~8fZs*mp54OiR
zSaHlF8%Yb6mNh6qcJiYyV1ahi@%t}>u~Y+wp{;XJf=WH+mS)I_rD{N(dR-#DLAG32
z=v_i7gcHL5Y6f520*~?dd5a|xYuO^gkK+bP%`dFtFjAz~Q}VI`m`vCzLgShau#C+!
zsWL#pAFTi&Np&cRsE+@CJVo^%b|V5}=I9a#zTq1c+YnL&MN)+@P(e5Q0q#4QDQk~Q
zcKzvZe$@f(=b4YlHRFE)qU7ot1)J#54p3C=6abXl;aCm>?&S`)OxG#b4&)}`q4$n2
zP`I`<`W&+$;8Hg5`5i1R8wiXgZ@|?JmLM5#V60<v{|A_xoBiB#y~{fQUL^qr45U+g
ziGYThY-^na?dt>gggGXCOo5<AOH;Vu(H(StoL%nr>}sV^+`t*>g}suiqsOUk`hL2Z
z4!`FzxJYa3|EliGqp9xyeMN>uAq^-r5E_&*WQtVgDN`9Lwt0w@c}z4IGNf%DH(N4o
zp@ft&&*L^0l9`H4w7Kuketv7+b=N)ju5;Eo>z;M}^E}VuVSk6u=ktEQruQ~Vi~8C}
z`Ky!4o}yl~BAFVA5=7BIqj+BNWJ`b!KK0wHURx`T=4^2W9BF>E3Q{+Emy6+OyzkWn
zkx@gVjGV*v(rTtTf~SSwO=p~l>=ps$$<~WBZ%ac5SuMpop1@u~Okn~Pp{(`^@^Uxc
zc{6H~YD4B?S2qG87ePM`sSM&-!+>*DNPdD&;@|^8B=Z0c>3GLiC1d(gCTi=V#cDIf
zAR}?d!5$F#Gy-fg2HK#`vvaX}n&%Bo-Q$=Q^z)56*Y2Vi2J%~%Z<jVJVBrqU)5jSj
zmTd}_oET{OL?3sQ#sNHb9?55t{oFv)CP9_)eblX8wz~G8{y#eA6gy)`bQOJ+YSW9T
ziOm<1S1xTEN>lGV>RfOU(|E?b=sdh)0qQ~A|EFj=DvB8aF5vgk|K?=7NoFS<1xDwx
zVb5@>F9w%5-xs1AYsu-ObmbibHp+P5n_HPgS6zB$sCxCqKLhXJn+p62GdsI3pN)BX
zCR|J@3azGwi~kY6;=c@)|1bMR|6zC^-6X1=|No{DqL2TdXYT$Z5B>kqEmnBPP@Mc}
z50BJG%Dxrl_`P*{zd~D7^P%p_v56_bJNQpF|I3%cQAHsaqA(0%ydwe)F2Ep{T|jrn
z@(#ro^#A%6{g=JY@QWU8I|Dt>Z&+{>2cZaeo$ElNF(OxnJRh01<TqzQZQlG3pGq~U
zKosdH0!@e;0GWwU&?P`p&r3+YYeOmtbQ&TJ{M4tt@?!LRxu1D@LK#&O5AiZNGhUSA
zJ*xM+II#hGVs$|5TEMt*8_wMWZ6cr+E%^iNb}P_1l>9&tN@)NG<nZAeYP=%P0Q-T5
zP(M6`+eLqu+nCNIS%YyBSuMKBh%|#n;<{y`!Y4S!G(cD1x-!!ZYFVVl0uEgwv-a*}
z1FNY2md|g1!3TIhf%f}j;3LqQ5!D&c|4bEC;jquf1E>*)sC0!u>aww*CjR%ordsXK
zR(z%Q242H?Tqu?DlT=b!S3Uu8aOcrp9;a=2m#+$AyutlYvpJuwTIsS(RLm0&E^y1;
zsZ=9#P?rCI(8No~C!<7c!Xc;uk~(!z$2-=9*%-5f<3keY3{g;X6yuGGGa8|XKun71
z5;~2ozNoclcd@+oj^vhA7hq=`Bf;^O00}g8u|n6INTnTKc{!J%f<qC96MkpWhf`>a
zJtM-2YGv>j+z~w>c5crTy6@p!k`kaWc}*sR+PH+qFO*XqX9<NG4oo)pk9<dk7R@?}
zl_EWPdEsuxnTd+oyjRD#*B})MI;}4QA}q3~alioLK+!0PfFtQQBx~0FHDNz()0dA@
zDnmWzi|dhC@MAe82DBmSC}|sUL%s#j%n^xVJ>8e)zQ(?!+`^~@8fH!pHB^8ZZ>QZ`
z944A2<<rs9jwgTog<`D~=~e?g0D;p08}0mR=w2QPurieeZ=p&VKx|=F@(BndG}#=6
zvMHi5d2^dh3ko7+C$j9nY|J1z?4tB!E-g(NY|$+sgtj*G`(xD&lGtTO(6E$a_c3-M
zr8>#4ZSH#C!xD*}tN&1ThxMe3p$2oYRl;OA1VHLmHyw){SQ}lU6!lZmh^HY<(-DwF
zt6&zVCYK99${h=0(tT|rUa795qO8h(ky6iFC~ZHW=TOG(x68uwh6iyi>axm~t4byS
zC$lU;x%$b|V7Dovm@eRLt}dU;uc|B$a?=r1HqpKIaD&%I;u%WeT$2MiLy0_jLl$bK
zq4yiJugc<sH)L|<l_245UM#T$v?-RU<^=m;kBRWI;R%p1Ng@rrE049bmX&H&=|#$4
zb5)*EhKhN<-9~V$iCepnwjP$ZBPgU3r{-3H-x*9rSS>Tly3RR8kmf~(&F%Nlwop)v
zw&`&``j+<-xVIei>hXFxDvnY3t-XvY&;iNdfPI|;Rl7K#CeKIA5|WRbEYr<gSqcOK
z>m!NS@f{ejbD?{VFpd={^i<rP7&pN{xT)ix@I+30-VVEC`nsinO|mcLZ1I?EdrTX3
zcz4Y;o=hzzU;aBy&W}D(2#%~rH0~J-INdCpR4(8M%L+C4)V-2a)6hjt1}G@O<}j}%
zF1(V73)kccjio!N=o-XeQfM<b<-|FYa{1FP5gUbEj$_C+vnk!9rdYKPu%tT?ho#uu
zJ%t{##5vmZJ(;vw&Zdh?XuS<x2<cdY&<f%~fXBM09xnV`0;i5;o8G)`b#ate$so%i
z6*N!$g2K_TSkHr1<?ZvPgnK$=ksFB@e>EI0o7@GTOF=?7*`<UQHJt<y$;KE@JLDoZ
z>V@`+2Y2a@#RjJF2Dhc;eakG_Ew+#q#3X1XQqfMztN94q(Y#ix5o<VZ$Oq(O6i8Wk
zmJF43=(2?-$KD2R_PTd)-@8|&VrespYJbl*743Q=BB0MUnf+|nNuvY8v}cmskrp<3
zsQ3LU^zd3XMD&3)pP!*-woA%Y3~XDrw@5P1t<Crgk#cusoyZ%j->9C95eK0|%c@|~
zxP}+)XB0ur3@+v5K?j%I^eOP#IUu;!WsHGV4!9cjetQKMcFT7l?QH?j$N|#^NMO`*
ziN4*}*qMqPJ7!%VS6g5s`R=X5p%VqNU44nzT!_@=dtZ<svIf=?2~c<X)cMK*bo4MD
zX}czO!dgh<rBv#26S>kPUi?D^F<HxtD8trY6Iv{&%+EuYbCnm=wAWk{OL$=0<^Js&
zd*8p2FMhy6Nfpa%HcR}<qyhkB`%9is3){ZEt%tfQA2=tDjKAlZ$R_+%-Hu1xFJ7H+
zY;CT;=d~s_Dz`<E%<;ZnH=`%udbrU@^jsopw0RSEa%KTYIfVcX=xB<pm*5z4NR;zB
z1Liwql)QVU5`+MxA7D9{@Jiww!v`j92-_4bt*t`@>JYzAlblQLuFTws(PYj7qWHUe
zGq=Im%if=+-rV>56yYP6!%K1d7tCE3!cUE?&Ir|9@K{bel8>SY3i=~jF1H?E9o0!w
zH5QqzPmjiyLbxN(OQc`t&`1h+l%iFSVG#>{I@+GmKe1CQ$?v$P!g6W1=59+2$Abxt
zHT5%a1ym)TX^O3^;%SS6Z(begU^;Z}L!WUfL_$;WOPUDe4@t@HC$IP?AC35o1Zw`H
zck7Q#A%QFOYj5I>-u<v=xwr79e~?h%r4HiYg^eW7DXava8I6b4t%}XFJ%#3Dq|4fZ
z4ah8M9^7Xh*{jebTcqk(q*(hDk$H5NLDO$r9@(c6EG1suEtUq1#mZ~LD}A87&>HYN
z;tF~SBJpz9lN4(>2+M|5wox2tD^SQzk;xv-VHutFE|L$fyMP)K5@H2?s=Rcj$%z7I
z^lIfEybZ-v=mhJd3nlvW?F#Ms+nbpVdX1@Y$<cEJ>-I9{39+v_!O|MvbH!}3Gv?Ur
z!{6DBi+2a>mh3<0LZ{Z2&(^5pTMlerhhdb0)sb0?!Y>hd^!;9?5EOY6q^GQr-hf*y
zsIzb?<8`tU)&;x2fkmY}Fv!FDs7nwttgs@Qle9--Thn@$0iq&qzrs$zyX9~oIEWKG
zY}q3(5(f7g_oD>lsG~|BttaB}(X998r+o|NIcSNxN=tW+$V->?QW<FI?Z0>v7=tQP
z;|opv8*m1Xn-s_iXV9LEJ(@mI4B!af<N;hJZ)LMVAYEwJn>!14zG{~RwuNozXrsD@
zG@b($nhwvLOAuFamzy0wgXv#oZ@HYnJEaz%An-WmrauzP?=In?ZHU$Qnzen3<wwgS
zwiR}Qoe};^KEhRK$VkY`VF;qng=KQjoDzpvQ_)pNIz51~KGtW6aIhbC8@|`Af%Et|
z&VSV|1OFj}+SyOT1eIHs6Cj4)#~mP}Cu`TFYlY9EZGH5ub*DD|Ax5}!o_Ue`#D>2e
z4Rc1yJ|P)h7OTc+KGt$R>5v?12Gq%K8_q<R@Fk_Cs0u<6i4pbF*F+%R2cDeoEQjK}
z)=iV{-OrLgd0Zv<2Y6S{wx*nXYsP@O@uij5_-yXev;O1mqn<yAm{@%Bs4hWG;HoP~
z2vmlz$m+ffL3n9cgaS=eIG&i3`^Or}E=PqAZ*%vC4P{2k*%fNti{cJ{aDR84+s@A;
z>>_XH*s`Z0kE=W@k~JF^Evf5bH~_z(0WXlOU}2DN^v%1fgfq(57hVe-9R4`SxU4Ss
z<`MzniB!=Kr{Rj?<nxyaH^VS$wnJsFcO{gcY=VP=+J6uH65dMQ%pDD1^vzfnGB|XG
z@AaAWpZZ-pB+#3@>zm_+4P-ACG+L@$lKTxph)~f3v6s`0bs>&|<?c2JlxR0Nds%b|
zxzibf##J2b_*RBau?mPJ(GsDd$hZALR*6kYkSe2CFIJ#>9#e-5>%Wzp`|ao$bP5A)
z#K@VIJ{el6au}dvcD>HTdG$K5y+c;k`;Yc%G|u+ZD7NoAVRde2+~>3zk!0ej_pQ7~
zP!J?Vpt=P;8#W1ZeE_(?o}s;9mKEO98WEKuw*OV4*P-cg!%M#*@`P4y!7?f~{P}QM
z0aUP_@EE$>kpe9sA6ni3eGafAqvE#}DBKn(R2NPk2R61u?{XfKlJ&N@OdZ;TKpK^r
zT~^j-Sg5EN4c3H2VBZo!!h>0{L+={aq##OC_z=U(Zl+&dQw!9|cX>~Bef6G<s%xSY
zZoH?`I4r^0FmQ_-0)K(BIigqLa%;%409FwWs!vq3-gTY_PjYMD=T~ag35)m_rnZx)
zc;t}2XA}L%%?zr<@);r_$MJoRieDa|;Tb=>oIyYX$L6snRT9ay*N>0^@WOz#A~o+j
z1(S8<7U9f5$md(I^R@!QIBz@+M*|krU4x}A?iq$_WIzjFf>!PG`{Moj0|e_x$5`mG
zq&7F<3K!fiB+py7CRovLm?6_KG9<s|>7S>9V?+`Rexb~A0#qU(4nS(LiZLqWveoc5
z3|7?8%H@4zmYJ}*Ur@Ks2Z$ORY(xCw4L0lY|EO#m78`8BGJrFaph~OVMxq@0F=&Vg
zG~OB$IZtBfxjjD6ow%JHu?5s!NwAl!rrr(|LMb6Lj{1Q98PBSfn@~m)6dxg5J>AI{
zr;Ts>?}2kfV)y$QT;j(aPmRb>UzFW9o6CGg_qrKrpj=VqO(XP9wkmNq<>r(CiYq7f
z0hr)2@^;a!PwD`TeJaOWD)wK0ZPKghzXl1Jb?=MeWijh6x~1f8F!UPKc*yPz-T<)>
zMyd*5pmxhHW*8OUo&teIv3#=AcBCxnB?^>vD6#<C=FfTW-=I1lN((Y;Mt!7t;&0AX
zZ)CggtAo~k!i3Tg@%}&}YY5Vnc&Z>aK++{XbgLQ@^Lq>s=OZ#6^LP=@c-e|IBcCo#
z(!+gWuy^b4*WkV5UYgc#XSve-Se=CGwGEVxHB;8x<jtL&J~q-a;wrHa*md%)DF?kK
z&6ggMu*-#3zTVv#U@BuRheq|omi|;wDwN}6Tl%EHCc)cxSEhAt@Uu3%ULQ~2{HG0O
zqh{7&f)HNJS>)6#yZ05);u6B8-1?w|vw7y1pmcU1DrM+<72lmu`3;55&<`DhTEG<#
z-sM>}Ux(cy6Jr>ba7Bnl5hba<Ou5nAQxbEdz^zK;B8n=mKSlX7lll}S_LR7xzVJho
zVF@&@?06X}0#J$o4!Dn9XKqw+sze;-xSNde^MDFxK|kIpA^XyIcHI)oYh&L9c{4ap
z_vE@lpLzcECs>!Cwj;}KuB{fIrR)(=gy)@6Od5jt+Dg$XD`?l$fx&R3`3z4JyZ@BI
ziPBE-kSvj-;Lbh`+6E5q5lDBnM<#<r*{@TJ{a-E5tfQuv%rVErT70_S7<2Jo_u2t0
z`xOw=jc@{onnwWqVqs%S1Q?dWO^AddN0Ei%F+N&ZuazQMj-E}0z-Mq12T^Fndk}J<
z=9YEM9TUWo(^DI{FHHcnlIn9T&8{Pgkw)<pbhd%WAhx~^MrTLchhF?P7^IWG%v1q4
z-wp+Dz!ThlnUmrr)GMQ?aS%n7r#d&q3QAPgrvGBLmR5i8HaHQ}FaSbOa?MyiyWjBI
z)Bokpu-YuAJJ2wXYJp2j4`MsVm~&DX$6JP@Ozfs}yO@mO{wf;>6ZQywUnT(X;$jda
zBM^N!F6aW^zRnkw&~Ur#x?H*d`yXtkTtK41niem1U6a0gruEXdtr-_iWj{ESsw3SB
z`eT#YN|OW|Aw3^thKlOVjsr#M5UHZoQuxp7<_4eTn<Z_&X{ChS-bWmwn1NK-X!crO
znSP6!mCbG7e69>ntvG6PgpSScEvzCXkcnVTsYvNIF5tYuE$4G#T*B(=vm-JR>HpgP
zV1?^69n-w<ZKuq7AFnqoa8`ma;?6M8ij&qLMw;*1wV<;ojl2TTcJQo^qU4KfDb4^*
zOy#{QDCss5YH*>LO-J*tpSod?jz25Dfb(lYg4pAc7jGwCvy*rRiJK>k%L=+Tkj3Yk
zQ};>|NQ2&F?*mL}ueJ4bj-TO79dwQkP-;j2t)yT%0o%gDH;&;U9Spl`AOFCPYRn_F
z+!u7Tv#zqr2#nSE`+H!Xz>ckQv9B>;0H}hxRm9g4j8^7}-K0AmROY_C$Uq|#6Vd}b
z3y9NBew&KiLoQGVNl?*DlxPL!r7a0=T$yAr=C$^|YZ~GBw1D^*uibTvYM0!FcwIm5
zH+%_+uAh9ss(pX971?_*nqVLqK;4~07zM9VI1L;1IJm>!5VVF-q;>2iEJMPSE<r({
zB8_;|%;OvFzEiYkQha`0OFWbAN001g&4x-UR-*5>Hs+9T4+oc69oa8^VGh<7)&(2V
z#3R;=nd^J4aZK!T4sPK+nvC#_(`yfz;w&1S+54|Q>>6^<<j7Se2v#hS7j_(Ndl5Qm
z*`&!KWvQ)FNST$B#qs}xJ%B<;{DQVVW<rv62(1%^`|*fx5%J=Sssf*0^Rz~p>*puW
z%;MC)ErXW2;(gsZ`Y}tbSWRBj$=foatd{7%qmo%|&_AiD{+mVfRR0=P6!iy^A1Pn|
za|{u`Az*;C<rjGIkje29@?H{w)hnV9oxD3ZwKO0s)shzN_fcdxAN(JA7?6scMx-}m
zKIrt-SGULw#1rW^MZ9nMV|eD9=YxH*a)4#GUN1BoL6Io5H)ObATEz=;<5tVYKR>!@
zVU7`=Z%04sTO`~~FH3>I|D8jV_zlB6>Hm4%6#ktdSd{Diw;c(*^PpT7jlB3P3~%r{
zK?-oHR<!8RU?Gq!AMQ8UfJ@c@*W)}NB&;{e`2kb>Z4)31vGFo6;6HSBGcR?5GejIp
z-%uh5$s&e>p^}z_X)TY@Xe4!D^A;qK@*01mynq5_LJ{x7BZ&q&IL_YW_F1m2=*xtL
z>sx*G=3=GJQaLE>!+!kybt4|3-_`W6Wtt#-IVO3gDs|WoE9dLgQ;$sYl$at|`LU;s
zyKX`j^DakWlGV8kUnfstY0Z%f5~6K@u(d$5s19f)f`&8wG-=)c`a<zZ@_SdqodfoN
zdAY^aMUWbLm{z*a9a!}PP@=T``>^3sXRMq*@^bNH4xvLe#&qpFAZL^zPcYeLM>mMD
z^kCDAk@xol3D$nVKpzl*@O>EZ+pSINWWg%NoQ@!`w`tr|jD1V8I_<9p_}zF|y^90p
zEagp-Lh5_&e24}-2LmFaZHXn>%!l9<=tH(zGk<`~zf|2Mv-VS!LX%NlUjK`B3PtHd
zCv3I8hQ#Jb@H`b~Xm%c{zR91oGgX*lVi1Bj1$uz;?S6ab&WsQ!KmF$q4ug<u&{6Ke
z;!QW8+Slc(p@xt!n#dM5d7OX{beOo{<NS2>>Fn$BQO>PxG-wDs46Rpqd@aFKe5djm
z3?k^Xv}Vk+`TFfT)Y)U3W1uU?Og22n0iZtxuyJ|)PiTx=AqA-g+<@v}s$(<ROR^eA
z8i1d2_hr0RY}Sn~0FLCl^r;xTg)FnbLFoU5T%jCMvseCa$IS;L?j+|4+JiS?j>}m`
z2ye0)69p|sCWoAl$ECts5S2x7j(}+On$sqfZLM&I>fZda-|*(Gu^LU6+YoL+S_(Uh
zv@-r~grVxcsKfAMsk-mGw`&(0Z9UAWxxQI`AFK{Ih~%q|G*tMwBw?B=K(d;RY*m(1
zlade}tA0i*@A-3csM^=NrzZPwB379JTq^+Q?Vee10bA)K(&7l$C_idw`^|x^KJT1^
z!aM504Sf`%LGaq}A$*t0eg3$5*C1KaniQrz<;d#WHxY=2s6y&fDJLFyb<g&oNiG0o
z9H$I3P(qF2(09liy85dEJ*%NF5l6Thybx7>R;wKgTAU8hDMSw=u~9l8*hlrj+@OsF
z9^|Tf$z!XKnZ>*cVFjbOwJrcQFA<-QPI!e&-@h#m9QyKoaLsG1Z$M=o3Xk=mklA|=
zl!<U&IMNqO0+YGj8WB>I*dR#LsLt_lB8N3F4C$bIc?d52!-FMOYCY}v9&Uf|x-jfN
zW6~qH2qYAf`8I$CA;>vY*gsZfG=j9J?dD_@Oy;}P57K+>l#8D8W4CL5xXAhcP1yuJ
z((dm~am}OEXim)ip?K)c?56<@+zs{3sqvQ=f$hl!OYOHMk<l92wzYi=!MsJn!Nk<Z
zelJ`B5B22;m%EW%Un%b&a!1rH{T?+EM@)qrG%LC>4lU2K3z>reOrj3eTSduM>!<dt
zH*~}E#xtl^emf#X=!Y9qu@=-<3@9XN8=zG8h@q!Xe$6^Om5fm$3Jiv3s8cNrt+>EM
z3M}Ai15EpblSlLps2<xio~cwl-wqWZB4d^|1#-M#{KtGd45&!#)|5HpLq={HJwK2c
zIf5H$-<m5i-nRZvOSeRXxVZeAfmFe{q4Gj<k}dSg>(Bg54*Me$KGwSFkp4!IjJ=lC
zLy_Bc4EuzwqGt%Y*sEqHdy}8nOh&8S_H%UVzv-s2{>;~4{RY=kb&s(YIb4@Nc=M(H
zpE{U8WC@B<jG9>YD<61}8+Sxm4<{Pin+wfdF*X#^arNKA@kO-OvDgHhkwq;sIrv76
zANj<MEU4Z|KS0!ZV6D%UE`GGfGbig(J6;&`*rkbD?8E16om9Hc&?34YGm6<<d5){6
zo_Dx!Q0MH>Iu^^AFYNuXdaK4y2(6~NpBz2so2%8ikgEBD;|dUY5;GxWtY?IL_J)eL
zI`ZEXCJWd6?RsHRr?dmZ9D98#x8}POkI!--`9{>$G|8Op*VnH-^D<}zJ2v)gdt-IW
zA-II6zfDDDx8b4l1I*#@B@lt6)i*x9HCxU6DGk(+I=n`X$rIZmliOD~*r21ol4rMg
zP}t1Df2wqgskkRenuE`7>iZS*=<DYBqRzl?MabOvytEtJ)`5=?o%K3mr;4wQYYV#$
zt2W*06-PWZzn84v>I>rIwg5oBlBa+Rlz;}srw5Y*>iVZgE+Xre#C67BFRjdR%vOg4
z2huE@;H}LZjl3iJTWw`sZPEEPbsmaiP<#Y3vAQZv#>v^@JkbYwFO;BZ)1cIi>^Gr6
z<#C-HGf8G4LZT_zzf`mcIjd0A{tRHsp74D~QW$qU=X|q8-EVYqxKDdO=d75ON#7Vz
zhJ90t#YVy7+{9W)qi@x3dP#2SnAa9TziU~Pi4PNMrcZ}=6|rFjk5=lriRjR1WczP;
z&b=<5C+qv2xA;JXoODEjLnr1{SO`IQWTw(?JeNa+jo5B-P@LC(th$P9N_d85AzE5*
zh^)YtKJ+UdK!(8&PdEiWd$-upu{oX+575(V^(Yn=U1Vaa$4tdH{LG2ob#jRJ%vN9C
z^ZcNPi}@lymI_qG|0cBXU$J@sr$7nesDMX46}D2)O*1WDEsiXhmKDSAr>~o?xdAQZ
zJ5NLlV^l#OInR4i2VM6Dy6!jAGC0kfW)Mh^gVtYXss5j9Usp1;md)_BjaH^RJ)YGf
zL!<p8UkzB^PqvR6bx6V9LR{odLv{kx4^yDTD)Nv0DKDLvK^T9svcaq^?sDDGZB@F%
z4+2$UMuZc36*f<Z+uEp(T(`r@bfgJaG2YKLymESY(>VLkEPp;BbQZS-Je<|gNPfYO
z4c#o^6~>lnae08+%Opc^N$x>cin$4RStnwAE$op`lZ_Qd<}+JcKEhKw;rjP2y`=5W
za)Z?PJm0=CHEUJdAG<yC14mIf)Zag^+8wP%1-O2KZtOgQ)|bYTF8Oo0OWf2qTx1@6
zm9&I_abusRitfwx6?R|zp^uc={kZ%YpTT@{&*L>h>>W{W+66eV4&us{6ZGC?>t0S4
zOw=#WlmAfc_vfdkGhX<Xba%$nt&X|9SL|@nO=nT!WjVguXb+df>ETzkt(C2-pA9%p
zZUlLL;jn(GCHJS!@9vWadt7uxMVK>sPH1#TqTB`2(|Ef&NXTPd(^pZ|=)+R7Mufcv
z>z`OyU-9yFV*DV;Y-nvE_C0Be*3hn?%?L+NvRbxQ5r2~{SD%q>;pTAc%?h_}S!xi?
z#!zl;+{P)J4zAs6D=$>H4b7>^vK>UPGgrce-KgU(;Mui_F$n<lteG_}FOy1j0}PBk
zHoWuH*~DY?jV~V?h<~is+}_obzpoxMizuUfh|I)16D*nyy(1daIBhE&^%M9UtDLY-
zElT>k2WOK9t~?*=%Jp}^o$y~I8vrafuO9};%$ss(3Lo6nau$T0c#pi+{bbTP1GJHN
zczuN8=VU4BjR)%O?Q)Hz+TQ{OytxUsu7xFtMPOQTTN87FTRd}`0HZ)jvIO|6+L~x}
z@nO9dK|#o@Wq&Xn*Wc}nu)minp}yGrNi*~(Vd7%Pgp@?Lp=x&lpX*;Vd*-iH&i1Bl
zZ(dxLX?M+MQND5Hg7ohnQ$()|VIAI%U1Qs53Xiu}GgN#s7im{PG;qmS<GtRrEf-oH
zr1NNg-2x2nTl|qEVx>CV9Yhem6O$mwn(2#9&1B!1XNFESWYWWwm^-3m9qB-q7&&q4
zm5H0?VAgwB-UqOObNAV}&T~-DyFnOUh>Y>c*|H%gg0)Ya)8aj*w#O*+tKDd3-XBmJ
zhbD_-NrFMKQ^^9CqvL9SLEr`!>Ctlub_RM%&GR5?bX3J{(MpAn`CXfN*~=lNVV|SU
zmi>)C$d`l3$_#{=Eqx7h^EStzIFDD3kdNDtBK*ke9W#jo4Q4p!kl=AuUD2V3x%!=r
z6}rKL^XkTjoASCJu&)|xldO&zTPhwdoNq4uR_=U3f<R|QJ6maGC)a;LqMIj>?xEg%
zT=Zo9+iGwW;8PB$m<B*XQqruj{GL{uqj=l*v2pk^?e9BP`SkK~bZ?Hh1=cHtHxIji
zeB4zHRoklt{en@ZPEOq~$4@R<*N}C=ZCq(u?l^RypnlKB%l%L#;@2Kcud5f}<fWi6
zRLiJ0clEbleee?s>@vNZU%Dy<IDa_Lfi`Br6%@Rdx~Fn{w(<^!G$oae^lS@uPJL43
zF8o-{q*>|<8~GnRyWx&ww6}X}PQjr)6RAL>4pN{6>;Wsf3*AO<;h{EeJu}$5|CD>7
zL8y^?pXN%7St<VT#6oWJk=)S0caPENkiNdz-MSgA@ARwEIF3apPKg=hg+P*N=}13{
zOWk!zbEKWK;R4}J#oE)h5<!=fv%b*=^`|#Q-0$7Qo0+jWmcmB+=Y-c^DWYlHf)n5z
z#o^K5^3~;XxEhPO(vfy8wI*5SfrMhiuGE@Y`ScXVCIhUL8zxWWY_gz=-e!5MFGv0)
zrEr#Cb8vs0qCGLtLdBt75U7qOB9<-AKr^x%)Xu^_WT3Ri3&dCEI-`<$NHz@spG`yc
z$o%~Ts8DyINpjU_M6CP@v@*E$L%oA2$Mc#UX${KlS$L^T4FHn4V`5PHZYwqmcO}?~
z2PMu|{((lvafxj~Z|N>5A?|Fx>+P?z2Z=mMqSvy}n85Eth5@My_YK0=p;x$V2K~q~
z%x<+`(*c3QB`BH0z2qZW^9^N^8h(~T<*5y(rkIriotg~L45%!`u-KdWtFkS0eqA{<
z10AA(%%WOOYSh-&+chiK6c`iG0fMUI1yB_mO+y=2OnwL^+x;dGrq(joSj~j-=cgQH
zZ@tBA{P#nbIx3%SW(u#)Zh|K7;nr<9VHe&L@^0yxM0fu*7f(P|lSgg1GzW$UZv$pi
zuAk+FUD+}s(S00hT!t%Cak4Iu;<GWTMdrL$sVC_J8(1RvvpO`-<hdS5K5xibh?~+)
z$Zad-OBg+}bIq^s;-c5yJeg8EYxn!-#Jim_2KIgV#Z}@x3#Qh_r93O|;(>i=cj*Ht
z=S7{zObbxGvI{-&c_$6V_Bo0shwIIwh}>N{TXaWHE;id(Tf}l?U@vBT8)z|_{W+1c
z$7sp$?t^Tea~2B9HCSlkP!w@Z_G~6JDmNfAKrhiVt)^;rrUQy{Z&MY-RdGl<C6Q|)
z^s)sJeM%zZYl=5+B#w}>OD+IWSMBmR47Z=uovn5d1<EWhB{;o>&X**5BeL824erg&
z8ow&pzTWl>(8us+TEe#4u%*6&j>6vyYLcz&8B1G(IYOptd+IU#F`du%SaQ!6T!gwO
z@o|)}xg6JOFUK>Zc7vSjD#2?R1X{?cbj<};J{@cqLb3bscS^>}ewvjEAAYjD27Q#1
zb@Hw2Vs9;KgHRYu2o!{JGH#dO2g&VTteym<Ucbb$Q5$)P%70I`F<4ujGAv*k0kXf0
z;0>9y^P81GuA~DFP>*5H?pgJL8<~!Bs(kT;TtsEJMu#2T6fpuB1VfyF&d2KbcwzID
zd0#ltUqqzG%Bi`hrbVEE3B=8rEw3cZi)$xtoSG(l9evuyE0n0{@0`&Z`@DC}s&t7%
zZ~;Y@%H2alUBSz7SO{<ya$8n=2Y9O=B7MY~7XdX<c=GA*11(9Zgf{ha(A=p1^h7)G
z&5e_p!IZ!|Dqe3Gj7Wir{&)Rjz(3(^R1H4=dAJD>L1r}5m!gS;!x_>yjJwhlgXc-z
z?JbbC=R1`ZqbY(6(^6o1Xv{}h3FXM3kL`R#O?8zXjTdjoN|120qqiPyMoFs3!XkZd
z+M*iTkY{GC>L}eE1x-*WWpEm!bZ#7?D?t`TDeY0n6B51|cY;&Q3IJbWQRqEkPfE#M
zN(CZFlK36)1$i7O$i8iE(i;68efrKO(QXKu|DnHdrdK!D05H|^_+$ztJOeJKM!(vQ
zN&y3ACeWKNBB?v*0{57+TMj^Bh-RpQ_1&!n_K=v1Qxy{tqKJtEC&_s!BE0GIyzB5w
zC0`j9N}#dg0GAPhXHk9?U<REiIKpA%o%r}&u)dTHX~~P8VxEP$zQ%eWjzdwmeBNWA
zG6LyKpK_IH?F+~-s9$+Mn9}C0vx6daLqP`xPo2;_#ORASc%gBysHR|mV9^>4m8CP~
zc1|L&517+~)i&DYp1(2Ou!P+}hU;zM2i_XiNI}TWJz@lbyv>vPT#`;==y;KG`5N#R
z65?7xWYB_w8PG6j==E+Rb)+0j-*JP$R_yTG<27uyiFTVaFpvcX9S_b2fGCyU*k3a4
zdIRWCGr`?q>#~@b1Waql*i)3`4#i61AGjeJ;hf?qidP*D0biaR-{+FfX1`J38@#@C
z%ZxjyjKTc`qMS5%iLgjYxdYdx><`c$N0lnJ4fYdz`f-3I-vm3*nh(eJc0j_pC?sLK
zp+TJa$~5i^{&8oK0;6$s4Y*E8KnF#^ZCnP)+F;vBQ-EEDne!zqe!fyUMiHbm+cFP4
z9CzD8@b@<WEeMJwkp6vQ<sy*rfoORc>%-}x@tBQoetYi`X?8c!tEM?a$gYJlrDU|B
z^2uKyr|p;k#?}G%Fg}49P2hqd<DZjY_Aw415z=|!!}8w3^s|MMztf(>a~V5+0cq>l
zZ{82_aU&!R?Z_QgN0l>Uy+_d55ox<=Lv;qcP#Rq|yw5RFZ4w$Y8B8?7RbN0KIN&6?
zDyAK!#CLeMn8m&^Xb28lNBVg$$NfV3SI-N$qfG2)dlq&J)81ka(Eg%mS21Sa>1BrU
zL$-Y2l+j(i31(VKCZlmIT^Ag2VN%~m)MOd&9oPh2V_7R}Z;irt>b)1210b~gO7!L{
z;fHij-~@Yw417p#E45JCJ<kiFBb`$)`n<G?Dw>i(rw~HdXktx!DpnIBqEB%RFV9JS
zbAe#-vZ32vzKoV(UUVKb=O1fpe;$FEiaJ!a?Lg5Zg4<DB(U+~qO^LW)NK$(_9RR$t
zNnUPnSih0y0=rZ<*|}=fV6$6hE|{8$Q7ktnv`I}@sZei4PS@pAB(=I`+D<S-A|itK
zsgC?3tf+MYM1BoH#?ABCH9(^WRl<-;!T7yLF%g<WPe4`|j6Hihy%XsVfEIv`qvwK-
z=n(<!pHSWt6@nKFMSn{tF2$z^+wHsneypK`irf7k^lNw1?u=zU`fg<DXM(9xd-jKi
zL2Shx#y-}4k5O7K=FWQdO1-Kv&!QQ}Vl#m1&gM0$?Ce+X+6<MUd0dztCY>QwS&34|
zxE-!YfwSPzF1uFu=By^Z1(FN*casxgrajjUyP<8^alXyf{F&k!D!()&^!!Ua;~rZc
zyBb@rFwBcE6^<h?F`#Ja=xQUPWBys;+z`(e*5i|W#^6st6VoFwH3ri>?r@+*_Pjc*
z2Q4><Xr1UcXHCC?F6VqVUhky$mqCqSdkynkGb+xD($-~URbg)L`SU{uYsp5d*b2a>
z9Ckfw+6PwpS0^H`2PlbU=QN$ZeHS87L+F=<IJ6~HKtR6Wz-AI5azb~XhYJD*?|X9I
zt04{AODNTz2gpk%*T6VPRhK>gZak+=8NH)Fq*pBS84PN&**ovDI&HH(KUCh1q=Db&
zl9@t1n)pjilh-m-bxZenndj1fg6ijMBJ)HC*<D@-oJhP7`UW)Bfy7bWH)PIpkf=Yj
z$Ds!3>W430i7xq7?H04b#q9d}1GWYNk%hBD5<E(K^4;%teRF>#m(A`c%nWklN8O)l
zH3%w5!+bYR<AT`h?{K_2(TH+7oC?Trpw?i{`_XM7|JF4;_5#Ol&JV99Avi>=3U?3m
z4QoF+vm_k`I_Lz)1y5=}dMNPexWVYJT~-zX9qCp#-CD)Z3)jn5WuFxa)Oiuq<b(oT
z2%vhh<XOrmlpTSO-vq-+-~^7&*->06m~LZ{XS@^5wy6bqkHeL1kKCG|RB+{WZuNX6
zYA|o<b3WHSE}!H4Fkbg}6_LeB`ji};Vnd>r6xnI@lxMa!Ovxtz>_$<)RHkAyA*#yv
zbX=yuvshZiTI$=Iq(eOX6KN#R+~~x5(wg=J*J|)FYAQ7W1=CK-Se}T@t&8bQ`}(w7
z@|b}TLAx*vGE0Vj=%$8(*gFBG8)075se-}#!z6C43319?_wx>0LKxAv7FuCizTv_h
zR8eF^wJ99Pa;3?xd?lv9w+o;y?cwH*uhN4hpNCE<;<p(^1T4~~B4^L15ys!8o~5B<
zx_bXhpiTP^xynK_YR-Un!5o@I<@ZD;Kbm1A`&gOnZ3ZRQ2%6YHGG(zIndpQ`Plz4j
z`m5bhPjuQtd*yJ#FCE|gf6r>(zjTqHb)ogZgyS(hXyEY_!7WCq^mL3z?q4OVV|EOA
za_nvT@tt1Ju9iM}4qG`iVz8CJ)a_4prA@x2rIwJa(6g=;yajaN!*<P+@r^8da|E;Y
z-P9JQP7dt<ops+}r!Xx;(wC4XAs2c&-HgCey4j|!b?{aASSPud=ZNe$$-8f1yw&7d
zM2!15)8L(KGd9MsT+bh1n4Z4}Gj17zn#^Ncc^g~h#@}mYSb?q_d0JuJ-jbGC`1{N{
zEs3F3lNXYB0+$v9H5@sfqNp29a)o6h+mK}^He`IzzVJ<}KrqhY@$o)|aO&MnygGVK
z2+u(Yt!sWJ<{Df=2~8qb5yK!48YzzciCA%0a9|I1?W(dKx25K2-#l;9agDgA>8rML
z6yWxB8^f^q2mf;?a0cuetk{N?hd%|tCPK!~Fja}^Jyd1YRin{fwPT617U+nwAu6A4
zrAxLw21wC!hi!&X+<-nNgs#WVWJav*84i5(q#wYB+zGk|iiE+`PR#n%2uw)FX`Xii
zpN<L)@(c0(q;nb8zjREfc)6K+2gMW&MP86tZnwiO)xdZt{)i9g9`j0JnP6EuE0Z4L
zB6@lr{}kg_j|gH^{e*@UJ7!*HHc1Y2zewTqn+l`%It$Z?+v!hS%83sM;u_`NZ6>{M
zspT9R<(mjz2f@$o9rK5U++K=UJy{6(%G`BW`d$MBJsm$B6&A<oZ|8sNDX?3|@5&nZ
zp6g-IJ9u*9*qa`G-KD3H0#UnFfJ^sF!ipC_7MDWGL8>UJ^K+oF#3pU*x6z*FKJn_=
zEoi1l4>ZoqB>&_+gEDgO%Zhypq00s0oUnubbu))`(yi|0UY2uj#J*?Ib#VsBC{odK
zk7w802x*$G_@6N}-fi*&YRE^{vK?t_P~~df^-SQ`lRaK~n%1y%glzL@H|;THMLI`e
zS^@TD?e43sq;w|61$m95c@|3VlfGb~nk^f;){Zsn3FtBXk|DCo@u0Q0(47px{;zT8
zupQFS%L~x7<MO7a5|O05Z>~U*mK+SlUF%V}{)W_aqJub5+J<52?RnLsAS&hqY8VWB
z_%iug6#a%$uaH)Jz|EF7Z%3(_VJTsv*iuX&EDeA9`t1zGDr%;LCLMx?&ATgciZ)N0
zJZwJ9$1<$rp`42LW1Q_wW1>tx$%kaLwt;llgCqCh5!P4jfo$~$TsGRv$7Dg<<F~Jk
zgr;9<09CcHDPkfKTvpTf1_sj3l$JrZc+{!M<VwhA;|-PtS`iie_qFrXsZV4Vy3Des
zyM_Q7ui~hRHAY2^M3?^CE07i;;^j_7WgCVJp}gHX$FG8XRZXQ(6_?GnCoV5{<u>Fo
z@QZezJ_hM3bbA!(s2a8?iGSE9UK}>}>66nTw$4+fP!orfV-;!~fH+|2QEcADcAU5k
z2tVfQhrksKRlwn(E-)-aeM60fciD|_PH66&3cUe}r%v``h0y1{NB{z}_ny(B0w(;d
zc;aO^tRM>n#{0lXS;`l+lIT^+zx>;zJ>^^fH|HQ_dKUZ?b}t89EPVYp4S0H)_E-La
Xg<y?P+IbiBF|J+KR4%w=5%fO*ceaS%

literal 0
HcmV?d00001

diff --git a/src/cli/commands/scan.rs b/src/cli/commands/scan.rs
index c61fc93..0e7f928 100644
--- a/src/cli/commands/scan.rs
+++ b/src/cli/commands/scan.rs
@@ -166,7 +166,7 @@ pub struct ScanArgs {
     #[arg(global = true, long, default_value_t = false)]
     pub no_base64: bool,
 
-    /// Turbo mode: equivalent to --commit-metadata=false --no-base64 and disables MIME sniffing, language detection, and tree-sitter parsing
+    /// Turbo mode: equivalent to --commit-metadata=false --no-base64 and disables MIME sniffing, language detection, and parser-based context verification
     #[arg(global = true, long = "turbo", default_value_t = false)]
     pub turbo: bool,
 
diff --git a/src/matcher/mod.rs b/src/matcher/mod.rs
index a1e862c..9fe0fa5 100644
--- a/src/matcher/mod.rs
+++ b/src/matcher/mod.rs
@@ -24,7 +24,7 @@ use crate::{
     location::OffsetSpan,
     origin::OriginSet,
     parser,
-    parser::{Checker, Language},
+    parser::Language,
     rule_profiling::{ConcurrentRuleProfiler, RuleStats},
     rules::rule::Rule,
     rules_database::{RuleDetectionProfileKind, RulesDatabase},
@@ -40,12 +40,16 @@ use self::{
 const MAX_CHUNK_SIZE: usize = 1 << 30; // 1 GiB per scan segment
 const CHUNK_OVERLAP: usize = 64 * 1024; // 64 KiB overlap to catch boundary matches
 const BASE64_SCAN_LIMIT: usize = 64 * 1024 * 1024; // skip expensive Base64 pass on huge blobs
-const TREE_SITTER_MAX_LIMIT: usize = 128 * 1024; // only run tree-sitter on blobs <= 128 KiB
-const TREE_SITTER_MIN_LIMIT: usize = 0; // allow tree-sitter starting at 0 bytes
+                                                   // The old tree-sitter limit was 128 KiB due to full-AST parsing cost.
+                                                   // The lightweight regex-based lexer is O(n) line-by-line, so we can afford
+                                                   // a much higher ceiling.  We still cap it to avoid spending time on huge
+                                                   // generated/minified blobs where context verification adds little value.
+const CONTEXT_VERIFIER_MAX_LIMIT: usize = 2 * 1024 * 1024; // verify code context on blobs <= 2 MiB
+const CONTEXT_VERIFIER_MIN_LIMIT: usize = 0; // allow context verification starting at 0 bytes
 
 #[inline]
-pub(crate) fn should_attempt_tree_sitter(blob_len: usize) -> bool {
-    blob_len <= TREE_SITTER_MAX_LIMIT && blob_len >= TREE_SITTER_MIN_LIMIT
+pub(crate) fn should_attempt_context_verification(blob_len: usize) -> bool {
+    blob_len <= CONTEXT_VERIFIER_MAX_LIMIT && blob_len >= CONTEXT_VERIFIER_MIN_LIMIT
 }
 
 // -------------------------------------------------------------------------------------------------
@@ -374,7 +378,7 @@ impl<'a> Matcher<'a> {
                 }
             }
         }
-        maybe_apply_tree_sitter_verification(
+        maybe_apply_context_verification(
             rules_db,
             blob,
             lang_hint,
@@ -407,7 +411,7 @@ impl<'a> Matcher<'a> {
     }
 }
 
-fn maybe_apply_tree_sitter_verification<'a>(
+fn maybe_apply_context_verification<'a>(
     rules_db: &RulesDatabase,
     blob: &'a Blob,
     lang_hint: Option<&str>,
@@ -439,36 +443,44 @@ fn maybe_apply_tree_sitter_verification<'a>(
         return;
     }
 
-    let ts_results = load_tree_sitter_results(blob, lang_hint, blob_len);
     let mut keep = vec![true; matches.len()];
-
-    for idx in candidate_indices {
-        let Some(rule_idx) = match_rule_indices.get(idx).copied() else {
-            continue;
-        };
-        let match_secret = matches[idx].matching_input;
-        let re = &rules_db.anchored_regexes()[rule_idx];
-
-        match ts_results.as_ref() {
-            Some(results) => {
-                let verified = results.iter().any(|text| {
-                    verify_match_in_tree_sitter_text(re, match_secret, text.as_bytes())
-                });
-                if !verified {
-                    keep[idx] = false;
-                }
-            }
-            None => {
-                // Tree-sitter is an optional precision layer. If parser context
-                // is unavailable, always fall back to the original regex match.
-            }
+    let Some(language) = load_context_verifier_language(lang_hint, blob_len) else {
+        for idx in candidate_indices {
+            keep[idx] = false;
         }
+        filter_kept_matches(matches, &keep);
+        return;
+    };
+
+    let mut remaining = candidate_indices.clone();
+    let verification = parser::stream_context_candidates(blob.bytes(), &language, |text| {
+        remaining.retain(|idx| {
+            let Some(rule_idx) = match_rule_indices.get(*idx).copied() else {
+                return false;
+            };
+            let re = &rules_db.anchored_regexes()[rule_idx];
+            let expected_secret = matches[*idx].matching_input;
+            !verify_match_in_context_text(re, expected_secret, text.as_bytes())
+        });
+        !remaining.is_empty()
+    });
+
+    if let Err(e) = verification {
+        debug!("context verification unavailable: {e}");
+        remaining = candidate_indices;
     }
 
+    for idx in remaining {
+        keep[idx] = false;
+    }
+
+    filter_kept_matches(matches, &keep);
+}
+
+fn filter_kept_matches<'a>(matches: &mut Vec<BlobMatch<'a>>, keep: &[bool]) {
     if keep.iter().all(|k| *k) {
         return;
     }
-
     let mut filtered = Vec::with_capacity(matches.len());
     for (idx, item) in std::mem::take(matches).into_iter().enumerate() {
         if keep[idx] {
@@ -478,27 +490,15 @@ fn maybe_apply_tree_sitter_verification<'a>(
     *matches = filtered;
 }
 
-fn load_tree_sitter_results(
-    blob: &Blob,
-    lang_hint: Option<&str>,
-    blob_len: usize,
-) -> Option<Vec<String>> {
-    if !should_attempt_tree_sitter(blob_len) {
+fn load_context_verifier_language(lang_hint: Option<&str>, blob_len: usize) -> Option<Language> {
+    if !should_attempt_context_verification(blob_len) {
         return None;
     }
     let lang = lang_hint?;
-    let (language, queries) = get_language_and_queries(lang)?;
-    let checker = Checker { language, rules: queries };
-    match checker.check(&blob.bytes()) {
-        Ok(results) => Some(results.into_iter().map(|m| m.text).collect()),
-        Err(e) => {
-            debug!("tree-sitter verification unavailable: {e}");
-            None
-        }
-    }
+    Language::from_hint(lang)
 }
 
-fn verify_match_in_tree_sitter_text(
+fn verify_match_in_context_text(
     re: &regex::bytes::Regex,
     expected_secret: &[u8],
     text: &[u8],
@@ -507,34 +507,6 @@ fn verify_match_in_tree_sitter_text(
         .any(|captures| find_secret_capture(re, &captures).as_bytes() == expected_secret)
 }
 
-fn get_language_and_queries(lang: &str) -> Option<(Language, FxHashMap<String, String>)> {
-    match lang.to_lowercase().as_str() {
-        "bash" | "shell" => Some((Language::Bash, parser::queries::bash::get_bash_queries())),
-        "c" => Some((Language::C, parser::queries::c::get_c_queries())),
-        "c#" | "csharp" => Some((Language::CSharp, parser::queries::csharp::get_csharp_queries())),
-        "c++" | "cpp" => Some((Language::Cpp, parser::queries::cpp::get_cpp_queries())),
-        "css" => Some((Language::Css, parser::queries::css::get_css_queries())),
-        "go" => Some((Language::Go, parser::queries::go::get_go_queries())),
-        "html" => Some((Language::Html, parser::queries::html::get_html_queries())),
-        "java" => Some((Language::Java, parser::queries::java::get_java_queries())),
-        "javascript" | "js" => {
-            Some((Language::JavaScript, parser::queries::javascript::get_javascript_queries()))
-        }
-        "php" => Some((Language::Php, parser::queries::php::get_php_queries())),
-        "python" | "py" | "starlark" => {
-            Some((Language::Python, parser::queries::python::get_python_queries()))
-        }
-        "ruby" => Some((Language::Ruby, parser::queries::ruby::get_ruby_queries())),
-        "rust" => Some((Language::Rust, parser::queries::rust::get_rust_queries())),
-        "toml" => Some((Language::Toml, parser::queries::toml::get_toml_queries())),
-        "typescript" | "ts" => {
-            Some((Language::TypeScript, parser::queries::typescript::get_typescript_queries()))
-        }
-        "yaml" => Some((Language::Yaml, parser::queries::yaml::get_yaml_queries())),
-        _ => None,
-    }
-}
-
 // -------------------------------------------------------------------------------------------------
 // test
 // -------------------------------------------------------------------------------------------------
@@ -1161,13 +1133,13 @@ line2
         };
         assert!(
             found.is_empty(),
-            "comment-only contextual hits should be suppressed when tree-sitter cannot verify assignment context"
+            "comment-only contextual hits should be suppressed when parser-based verification cannot confirm assignment context"
         );
         Ok(())
     }
 
     #[test]
-    fn strict_context_rule_keeps_raw_when_tree_sitter_unavailable() -> Result<()> {
+    fn strict_context_rule_suppresses_raw_when_context_verification_is_unavailable() -> Result<()> {
         let token = "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234";
         let rule = Rule::new(RuleSyntax {
             id: "kingfisher.auth0.2".into(),
@@ -1200,10 +1172,9 @@ line2
             ScanResult::New(matches) => matches,
             _ => panic!("unexpected scan result"),
         };
-        assert_eq!(
-            found.len(),
-            1,
-            "strict contextual rules should fall back to raw regex findings when tree-sitter is unavailable"
+        assert!(
+            found.is_empty(),
+            "strict contextual rules should be suppressed when parser-based verification cannot run"
         );
         Ok(())
     }
diff --git a/src/parser.rs b/src/parser.rs
index 4dcae85..9a34338 100644
--- a/src/parser.rs
+++ b/src/parser.rs
@@ -1,34 +1,13 @@
-use std::{cell::RefCell, error::Error as StdError, ops::Range, str, str::FromStr};
+use std::str::FromStr;
 
-use base64::{engine::general_purpose::STANDARD, Engine};
-use rustc_hash::FxHashMap;
+use anyhow::Result;
+use regex::bytes::Regex;
 use serde::Deserialize;
-use streaming_iterator::StreamingIterator;
-use tree_sitter::{Parser as TreeSitterParser, Query, QueryCursor};
-use tree_sitter_bash;
-use tree_sitter_c;
-use tree_sitter_c_sharp;
-use tree_sitter_cpp;
-use tree_sitter_css;
-use tree_sitter_go;
-use tree_sitter_html;
-use tree_sitter_java;
-use tree_sitter_javascript;
-use tree_sitter_php;
-use tree_sitter_python;
-use tree_sitter_regex;
-use tree_sitter_ruby;
-use tree_sitter_rust;
-use tree_sitter_toml_ng;
-use tree_sitter_typescript;
-use tree_sitter_yaml;
 
-// use tree_sitter_php;
-use crate::util::is_base64;
-//
-pub mod queries;
-// pub(crate) type Error = Box<dyn std::error::Error>;
-type Result<T> = std::result::Result<T, Box<dyn StdError>>;
+mod css;
+mod html;
+mod lexer;
+
 #[derive(Clone, Debug, Deserialize, PartialEq, Eq, Hash)]
 #[serde(rename_all = "lowercase")]
 pub enum Language {
@@ -43,22 +22,15 @@ pub enum Language {
     JavaScript,
     Php,
     Python,
-    Regex,
     Ruby,
     Rust,
     Toml,
     TypeScript,
     Yaml,
 }
-#[derive(Debug, Clone)]
-pub struct MatchResult {
-    pub range: Range<usize>,
-    pub text: String,
-    pub is_base64_decoded: bool,
-    pub original_base64: Option<String>, // Store original base64 if decoded
-}
+
 impl Language {
-    fn name(&self) -> &'static str {
+    pub fn name(&self) -> &'static str {
         match self {
             Language::Bash => "bash",
             Language::C => "c",
@@ -71,7 +43,6 @@ impl Language {
             Language::JavaScript => "javascript",
             Language::Php => "php",
             Language::Python => "python",
-            Language::Regex => "regex",
             Language::Ruby => "ruby",
             Language::Rust => "rust",
             Language::Toml => "toml",
@@ -80,248 +51,89 @@ impl Language {
         }
     }
 
-    pub fn get_ts_language(&self) -> Result<tree_sitter::Language> {
-        match self {
-            Language::Bash => Ok(tree_sitter_bash::LANGUAGE.into()),
-            Language::C => Ok(tree_sitter_c::LANGUAGE.into()),
-            Language::CSharp => Ok(tree_sitter_c_sharp::LANGUAGE.into()),
-            Language::Cpp => Ok(tree_sitter_cpp::LANGUAGE.into()),
-            Language::Css => Ok(tree_sitter_css::LANGUAGE.into()),
-            Language::Go => Ok(tree_sitter_go::LANGUAGE.into()),
-            Language::Html => Ok(tree_sitter_html::LANGUAGE.into()),
-            Language::Java => Ok(tree_sitter_java::LANGUAGE.into()),
-            Language::JavaScript => Ok(tree_sitter_javascript::LANGUAGE.into()),
-            Language::Php => Ok(tree_sitter_php::LANGUAGE_PHP.into()),
-            Language::Python => Ok(tree_sitter_python::LANGUAGE.into()),
-            Language::Regex => Ok(tree_sitter_regex::LANGUAGE.into()),
-            Language::Ruby => Ok(tree_sitter_ruby::LANGUAGE.into()),
-            Language::Rust => Ok(tree_sitter_rust::LANGUAGE.into()),
-            Language::Toml => Ok(tree_sitter_toml_ng::LANGUAGE.into()),
-            Language::TypeScript => Ok(tree_sitter_typescript::LANGUAGE_TYPESCRIPT.into()),
-            Language::Yaml => Ok(tree_sitter_yaml::LANGUAGE.into()),
+    pub fn from_hint(hint: &str) -> Option<Self> {
+        match hint.to_lowercase().as_str() {
+            "bash" | "shell" => Some(Language::Bash),
+            "c" => Some(Language::C),
+            "c#" | "csharp" => Some(Language::CSharp),
+            "c++" | "cpp" => Some(Language::Cpp),
+            "css" => Some(Language::Css),
+            "go" => Some(Language::Go),
+            "html" => Some(Language::Html),
+            "java" => Some(Language::Java),
+            "javascript" | "js" => Some(Language::JavaScript),
+            "php" => Some(Language::Php),
+            "python" | "py" | "starlark" => Some(Language::Python),
+            "ruby" => Some(Language::Ruby),
+            "rust" | "rs" => Some(Language::Rust),
+            "toml" => Some(Language::Toml),
+            "typescript" | "ts" => Some(Language::TypeScript),
+            "yaml" | "yml" => Some(Language::Yaml),
+            _ => None,
         }
     }
 }
+
 impl FromStr for Language {
-    // type Err = Box<dyn Error>;
-    type Err = Box<dyn StdError + Send + Sync>;
+    type Err = String;
 
     fn from_str(s: &str) -> std::result::Result<Self, Self::Err> {
-        match s.to_lowercase().as_str() {
-            "bash" => Ok(Language::Bash),
-            "c" => Ok(Language::C),
-            "csharp" | "c_sharp" => Ok(Language::CSharp),
-            "cpp" => Ok(Language::Cpp),
-            "css" => Ok(Language::Css),
-            "go" => Ok(Language::Go),
-            "html" => Ok(Language::Html),
-            "java" => Ok(Language::Java),
-            "javascript" | "js" => Ok(Language::JavaScript),
-            "php" => Ok(Language::Php),
-            "python" | "py" => Ok(Language::Python),
-            "ruby" => Ok(Language::Ruby),
-            "rust" | "rs" => Ok(Language::Rust),
-            "toml" => Ok(Language::Toml),
-            "typescript" | "ts" => Ok(Language::TypeScript),
-            "yaml" | "yml" => Ok(Language::Yaml),
-            _ => Err(format!("Unknown language: {}", s).into()),
-        }
+        Self::from_hint(s).ok_or_else(|| format!("Unknown language: {s}"))
     }
 }
-thread_local! {
-    static PARSER_CACHE: RefCell<Option<TreeSitterParser>> = RefCell::new(None);
-}
-#[derive(Debug, Deserialize)]
-pub struct Checker {
-    pub language: Language,
-    pub rules: FxHashMap<String, String>,
-}
-impl Checker {
-    pub fn modify_regex(&self, source: &[u8]) -> Result<String> {
-        if source.is_empty() {
-            return Err("Source code is empty".into());
-        }
-        let tree_sitter_language = self.language.get_ts_language()?;
-        PARSER_CACHE.with(|cache| {
-            let mut cache = cache.borrow_mut();
-            if cache.is_none() {
-                *cache = Some(TreeSitterParser::new());
-            }
-            let parser = cache.as_mut().unwrap();
-            parser
-                .set_language(&tree_sitter_language)
-                .map_err(|e| format!("Failed to set language '{}': {}", self.language.name(), e))?;
-            let tree = parser.parse(source, None).ok_or_else(|| {
-                format!("Failed to parse source for language '{}'", self.language.name())
-            })?;
-            let mut modified_regex = String::from_utf8_lossy(source).to_string();
-            for (_name, rule) in &self.rules {
-                let query = Query::new(&tree_sitter_language, rule)
-                    .map_err(|e| format!("Failed to create query: {}", e))?;
-                // Store matches in a Vec so we can process them in reverse order
-                let mut matches = Vec::new();
-                let mut query_cursor = QueryCursor::new();
-                let mut cursor = query_cursor.matches(&query, tree.root_node(), source);
-                // Collect matches, converting them into owned data structures
-                while cursor.next().is_some() {
-                    if let Some(m) = cursor.get() {
-                        let captures: Vec<_> = m
-                            .captures
-                            .iter()
-                            .map(|capture| {
-                                let range = capture.node.byte_range();
-                                let text = source[range.clone()].to_vec();
-                                (capture.index, range, text)
-                            })
-                            .collect();
-                        matches.push(captures);
-                    }
-                }
-                // Process matches in reverse order to maintain correct byte offsets
-                for captures in matches.iter().rev() {
-                    let mut boundary_text = None;
-                    let mut boundary_range = None;
-                    let mut key_text = None;
-                    let mut key_range = None;
-                    for (index, range, _) in captures {
-                        let capture_name = query.capture_names()[*index as usize];
-                        let captured_text = &source[range.clone()];
-                        if capture_name == "key" {
-                            key_text = Some(String::from_utf8_lossy(captured_text).to_string());
-                            key_range = Some(range.clone());
-                        } else if capture_name == "boundary" {
-                            boundary_text =
-                                Some(String::from_utf8_lossy(captured_text).to_string());
-                            boundary_range = Some(range.clone());
-                        }
-                    }
-                    if let Some(key_str) = key_text {
-                        // Include the boundary text if available
-                        let new_pattern = if let Some(boundary_str) = boundary_text {
-                            format!(
-                                r#"(?:
-                                        {}
-                                        {}
-                                    )
-                                    |
-                                    (?:
-                                        [A-Za-z0-9+/]{{16,64}}={{0,3}}
-                                    )"#,
-                                key_str, boundary_str
-                            )
-                        } else {
-                            format!(
-                                r#"(?:
-                                        {}
-                                    )
-                                    |
-                                    (?:
-                                        [A-Za-z0-9+/]{{16,64}}={{0,3}}
-                                    )"#,
-                                key_str
-                            )
-                        };
-                        // Remove the `boundary` part if it exists
-                        if let Some(range) = boundary_range {
-                            modified_regex.replace_range(range, "");
-                        }
-                        // Replace the captured part with the new pattern
-                        if let Some(range) = key_range {
-                            modified_regex.replace_range(range, &new_pattern);
-                        }
-                    }
-                }
-            }
-            Ok(modified_regex)
-        })
-    }
 
-    pub fn check(&self, source: &[u8]) -> Result<Vec<MatchResult>> {
-        if source.is_empty() {
-            return Err("Source code is empty".into());
-        }
-        let tree_sitter_language = self.language.get_ts_language()?;
-        PARSER_CACHE.with(|cache| {
-            let mut cache = cache.borrow_mut();
-            if cache.is_none() {
-                *cache = Some(TreeSitterParser::new());
-            }
-            let parser = cache.as_mut().unwrap();
-            parser
-                .set_language(&tree_sitter_language)
-                .map_err(|e| format!("Failed to set language '{}': {}", self.language.name(), e))?;
-            let tree = parser.parse(source, None).ok_or_else(|| {
-                format!("Failed to parse source for language '{}'", self.language.name())
-            })?;
-            let mut all_matches = Vec::new();
-            for (_name, rule) in &self.rules {
-                let query = Query::new(&tree_sitter_language, rule)
-                    .map_err(|e| format!("Failed to create query: {}", e))?;
-                let mut rule_matches = Vec::new();
-                QueryCursor::new().matches(&query, tree.root_node(), source).for_each(|m| {
-                    let captures: Vec<_> = m.captures.iter().collect();
-                    if captures.len() >= 2 {
-                        let first_range = captures[0].node.range();
-                        let second_range = captures[1].node.range();
-                        let first_text = String::from_utf8_lossy(
-                            &source[first_range.start_byte..first_range.end_byte],
-                        );
-                        let second_text = String::from_utf8_lossy(
-                            &source[second_range.start_byte..second_range.end_byte],
-                        );
-                        let second_trimmed = second_text.trim();
-                        let mut is_base64_decoded = is_base64(second_trimmed);
-                        let (final_text, original_base64) = if is_base64_decoded {
-                            if let Some(decoded) =
-                                STANDARD.decode(second_trimmed).ok().and_then(|decoded| {
-                                    if decoded.is_ascii() && std::str::from_utf8(&decoded).is_ok() {
-                                        Some(String::from_utf8_lossy(&decoded).to_string())
-                                    } else {
-                                        is_base64_decoded = false;
-                                        None
-                                    }
-                                })
-                            {
-                                (
-                                    format!("{} = {}", first_text.trim(), decoded),
-                                    Some(second_trimmed.to_string()),
-                                )
-                            } else {
-                                (format!("{} = {}", first_text.trim(), second_trimmed), None)
-                            }
-                        } else {
-                            (format!("{} = {}", first_text.trim(), second_trimmed), None)
-                        };
-                        rule_matches.push(MatchResult {
-                            range: first_range.start_byte..second_range.end_byte,
-                            text: final_text,
-                            is_base64_decoded,
-                            original_base64,
-                        });
-                    }
-                });
-                all_matches.extend(rule_matches);
-            }
-            Ok(all_matches)
-        })
+pub fn stream_context_candidates<F>(source: &[u8], language: &Language, mut sink: F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    match language {
+        Language::Css => css::stream_context_candidates(source, &mut sink),
+        Language::Html => html::stream_context_candidates(source, &mut sink),
+        _ => lexer::stream_context_candidates(source, language, &mut sink),
     }
 }
 
+pub fn verify_match_in_context(
+    source: &[u8],
+    language: &Language,
+    re: &Regex,
+    expected_secret: &[u8],
+) -> Result<bool> {
+    let mut verified = false;
+    stream_context_candidates(source, language, |text| {
+        verified = verify_match_in_context_text(re, expected_secret, text.as_bytes());
+        !verified
+    })?;
+    Ok(verified)
+}
+
+fn verify_match_in_context_text(re: &Regex, expected_secret: &[u8], text: &[u8]) -> bool {
+    use kingfisher_scanner::primitives::find_secret_capture;
+
+    re.captures_iter(text)
+        .any(|captures| find_secret_capture(re, &captures).as_bytes() == expected_secret)
+}
+
 #[cfg(test)]
 mod tests {
-    use super::*;
     use std::{collections::BTreeMap, fs, path::PathBuf};
 
+    use super::*;
+
     fn fixture_cases() -> Vec<(Language, &'static str)> {
         vec![
             (Language::Bash, "testdata/shell_vulnerable.sh"),
             (Language::C, "testdata/c_vulnerable.c"),
             (Language::CSharp, "testdata/csharp_vulnerable.cs"),
             (Language::Cpp, "testdata/cpp_vulnerable.cpp"),
+            (Language::Css, "testdata/css_vulnerable.css"),
             (Language::Go, "testdata/go_vulnerable.go"),
+            (Language::Html, "testdata/html_embedded_vulnerable.html"),
+            (Language::Html, "testdata/html_vulnerable.html"),
             (Language::Java, "testdata/java_vulnerable.java"),
             (Language::JavaScript, "testdata/javascript_vulnerable.js"),
             (Language::Php, "testdata/php_vulnerable.php"),
+            (Language::Python, "testdata/parsers/comment_only_context.py"),
             (Language::Python, "testdata/python_vulnerable.py"),
             (Language::Ruby, "testdata/ruby_vulnerable.rb"),
             (Language::Rust, "testdata/rust_vulnerable.rs"),
@@ -331,162 +143,106 @@ mod tests {
         ]
     }
 
-    fn build_checker(language: &Language) -> Checker {
-        Checker {
-            language: language.clone(),
-            rules: match language {
-                Language::Bash => queries::bash::get_bash_queries(),
-                Language::C => queries::c::get_c_queries(),
-                Language::CSharp => queries::csharp::get_csharp_queries(),
-                Language::Cpp => queries::cpp::get_cpp_queries(),
-                Language::Css => queries::css::get_css_queries(),
-                Language::Go => queries::go::get_go_queries(),
-                Language::Html => queries::html::get_html_queries(),
-                Language::Java => queries::java::get_java_queries(),
-                Language::JavaScript => queries::javascript::get_javascript_queries(),
-                Language::Php => queries::php::get_php_queries(),
-                Language::Python => queries::python::get_python_queries(),
-                Language::Regex => queries::regex::get_regex_queries(),
-                Language::Ruby => queries::ruby::get_ruby_queries(),
-                Language::Rust => queries::rust::get_rust_queries(),
-                Language::Toml => queries::toml::get_toml_queries(),
-                Language::TypeScript => queries::typescript::get_typescript_queries(),
-                Language::Yaml => queries::yaml::get_yaml_queries(),
-            },
-        }
-    }
-
-    fn current_capture_counts(
+    fn current_capture_texts(
         root: &PathBuf,
         cases: &[(Language, &'static str)],
-    ) -> BTreeMap<String, usize> {
+    ) -> BTreeMap<String, Vec<String>> {
         let mut current = BTreeMap::new();
         for (language, rel_path) in cases {
             let file_path = root.join(rel_path);
             let source = fs::read(&file_path)
                 .unwrap_or_else(|e| panic!("failed to read fixture {}: {e}", file_path.display()));
-            let checker = build_checker(language);
-            let count = checker
-                .check(&source)
-                .unwrap_or_else(|e| panic!("checker failed for {}: {e}", rel_path))
-                .len();
-            current.insert(format!("{}:{}", language.name(), rel_path), count);
+            let mut texts = Vec::new();
+            stream_context_candidates(&source, language, |text| {
+                texts.push(text.to_string());
+                true
+            })
+            .unwrap_or_else(|e| panic!("context verifier failed for {}: {e}", rel_path));
+            current.insert(format!("{}:{}", language.name(), rel_path), texts);
         }
         current
     }
 
+    /// The golden file records the minimum set of candidates each fixture must
+    /// produce.  The current output must be a **superset** of the golden set
+    /// (every golden candidate must still appear), but new candidates are
+    /// allowed — this lets us improve extraction without regenerating the
+    /// golden file every time.
     #[test]
-    fn queries_compile_for_supported_languages() {
-        let cases = vec![
-            (Language::Bash, queries::bash::get_bash_queries()),
-            (Language::C, queries::c::get_c_queries()),
-            (Language::CSharp, queries::csharp::get_csharp_queries()),
-            (Language::Cpp, queries::cpp::get_cpp_queries()),
-            (Language::Css, queries::css::get_css_queries()),
-            (Language::Go, queries::go::get_go_queries()),
-            (Language::Html, queries::html::get_html_queries()),
-            (Language::Java, queries::java::get_java_queries()),
-            (Language::JavaScript, queries::javascript::get_javascript_queries()),
-            (Language::Php, queries::php::get_php_queries()),
-            (Language::Python, queries::python::get_python_queries()),
-            (Language::Regex, queries::regex::get_regex_queries()),
-            (Language::Ruby, queries::ruby::get_ruby_queries()),
-            (Language::Rust, queries::rust::get_rust_queries()),
-            (Language::Toml, queries::toml::get_toml_queries()),
-            (Language::TypeScript, queries::typescript::get_typescript_queries()),
-            (Language::Yaml, queries::yaml::get_yaml_queries()),
-        ];
-
-        for (language, rule_set) in cases {
-            let ts_language = language
-                .get_ts_language()
-                .unwrap_or_else(|e| panic!("failed to load language {}: {e}", language.name()));
-            for (name, query) in rule_set {
-                Query::new(&ts_language, &query).unwrap_or_else(|e| {
-                    panic!("query '{name}' failed for language {}: {e}", language.name())
-                });
-            }
-        }
-    }
-
-    #[test]
-    fn tree_sitter_capture_counts_do_not_regress() {
+    fn context_verifier_outputs_are_superset_of_golden() {
         let root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
-        let baseline_path = root.join("testdata/parsers/tree_sitter_capture_baseline.json");
+        let baseline_path = root.join("testdata/parsers/context_verifier_golden.json");
         let cases = fixture_cases();
-        let current = current_capture_counts(&root, &cases);
+        let current = current_capture_texts(&root, &cases);
 
-        if std::env::var("UPDATE_TREE_SITTER_CAPTURE_BASELINE").as_deref() == Ok("1") {
+        if std::env::var("UPDATE_CONTEXT_VERIFIER_GOLDEN").as_deref() == Ok("1") {
             let payload = serde_json::to_string_pretty(&current)
-                .unwrap_or_else(|e| panic!("failed to serialize baseline: {e}"));
+                .unwrap_or_else(|e| panic!("failed to serialize golden output: {e}"));
             fs::write(&baseline_path, format!("{payload}\n")).unwrap_or_else(|e| {
-                panic!("failed to write baseline {}: {e}", baseline_path.display())
+                panic!("failed to write golden output {}: {e}", baseline_path.display())
             });
             return;
         }
 
         let baseline_raw = fs::read_to_string(&baseline_path).unwrap_or_else(|e| {
             panic!(
-                "failed to read baseline {}: {e}. Run with UPDATE_TREE_SITTER_CAPTURE_BASELINE=1",
+                "failed to read golden output {}: {e}. Run with UPDATE_CONTEXT_VERIFIER_GOLDEN=1",
                 baseline_path.display()
             )
         });
-        let baseline: BTreeMap<String, usize> = serde_json::from_str(&baseline_raw)
-            .unwrap_or_else(|e| panic!("invalid baseline JSON {}: {e}", baseline_path.display()));
+        let baseline: BTreeMap<String, Vec<String>> = serde_json::from_str(&baseline_raw)
+            .unwrap_or_else(|e| panic!("invalid golden JSON {}: {e}", baseline_path.display()));
 
         let mut regressions = Vec::new();
-        for (key, actual) in &current {
-            let expected = baseline.get(key).unwrap_or_else(|| {
-                panic!(
-                    "missing baseline entry for {key}. Run with UPDATE_TREE_SITTER_CAPTURE_BASELINE=1"
-                )
+        for (key, expected_texts) in &baseline {
+            let actual_texts = current.get(key).unwrap_or_else(|| {
+                panic!("missing fixture key {key}. Run with UPDATE_CONTEXT_VERIFIER_GOLDEN=1")
             });
-            if actual < expected {
-                regressions.push(format!("{key}: expected >= {expected}, got {actual}"));
+            for expected in expected_texts {
+                if !actual_texts.contains(expected) {
+                    regressions.push(format!("  {key}: missing candidate: {expected:?}"));
+                }
             }
         }
 
         assert!(
             regressions.is_empty(),
-            "tree-sitter capture regression(s):\n{}",
+            "context verifier regression(s) — golden candidates no longer emitted:\n{}",
             regressions.join("\n")
         );
     }
 
     #[test]
-    fn report_tree_sitter_capture_count_deltas() {
+    fn html_embedded_context_extracts_script_and_style_candidates() {
         let root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
-        let baseline_path = root.join("testdata/parsers/tree_sitter_capture_baseline.json");
-        let cases = fixture_cases();
-        let current = current_capture_counts(&root, &cases);
+        let source = fs::read(root.join("testdata/html_embedded_vulnerable.html")).unwrap();
+        let mut texts = Vec::new();
+        stream_context_candidates(&source, &Language::Html, |text| {
+            texts.push(text.to_string());
+            true
+        })
+        .unwrap();
 
-        let baseline_raw = match fs::read_to_string(&baseline_path) {
-            Ok(data) => data,
-            Err(e) => {
-                println!(
-                    "capture-delta report unavailable: cannot read baseline {}: {e}",
-                    baseline_path.display()
-                );
-                return;
-            }
-        };
+        assert!(
+            texts.iter().any(|text| text.contains("auth0_client_secret =")),
+            "expected script extraction to emit auth0_client_secret candidate"
+        );
+        assert!(
+            texts.iter().any(|text| text.contains("content =")),
+            "expected style extraction to emit CSS content candidate"
+        );
+    }
 
-        let baseline: BTreeMap<String, usize> = match serde_json::from_str(&baseline_raw) {
-            Ok(v) => v,
-            Err(e) => {
-                println!(
-                    "capture-delta report unavailable: invalid baseline JSON {}: {e}",
-                    baseline_path.display()
-                );
-                return;
-            }
-        };
-
-        println!("tree-sitter capture delta report (current vs baseline):");
-        for (key, actual) in &current {
-            let expected = baseline.get(key).copied().unwrap_or(0);
-            let delta = (*actual as isize) - (expected as isize);
-            println!("  {key}: current={actual}, baseline={expected}, delta={delta:+}");
-        }
+    #[test]
+    fn comment_only_python_context_is_ignored() {
+        let root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        let source = fs::read(root.join("testdata/parsers/comment_only_context.py")).unwrap();
+        let mut texts = Vec::new();
+        stream_context_candidates(&source, &Language::Python, |text| {
+            texts.push(text.to_string());
+            true
+        })
+        .unwrap();
+        assert!(texts.is_empty());
     }
 }
diff --git a/src/parser/css.rs b/src/parser/css.rs
new file mode 100644
index 0000000..9875e5f
--- /dev/null
+++ b/src/parser/css.rs
@@ -0,0 +1,173 @@
+use anyhow::Result;
+use cssparser::{
+    parse_important, AtRuleParser, CowRcStr, DeclarationParser, ParseError, Parser, ParserInput,
+    ParserState, RuleBodyItemParser, RuleBodyParser, StyleSheetParser, ToCss, Token,
+};
+
+pub(super) fn stream_context_candidates<F>(source: &[u8], sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let css = String::from_utf8_lossy(source);
+    if css.trim().is_empty() {
+        return Ok(());
+    }
+
+    let mut input = ParserInput::new(&css);
+    let mut parser = Parser::new(&mut input);
+    let mut collector = Collector { sink, stopped: false };
+    for _ in StyleSheetParser::new(&mut parser, &mut collector) {}
+    Ok(())
+}
+
+struct Collector<'a, F> {
+    sink: &'a mut F,
+    stopped: bool,
+}
+
+impl<'a, F> Collector<'a, F>
+where
+    F: FnMut(&str) -> bool,
+{
+    fn emit(&mut self, name: &str, value: &str) {
+        if self.stopped {
+            return;
+        }
+        let candidate = format!("{name} = {value}");
+        self.stopped = !(self.sink)(&candidate);
+    }
+}
+
+impl<'i, F> DeclarationParser<'i> for Collector<'_, F>
+where
+    F: FnMut(&str) -> bool,
+{
+    type Declaration = ();
+    type Error = ();
+
+    fn parse_value<'t>(
+        &mut self,
+        name: CowRcStr<'i>,
+        input: &mut Parser<'i, 't>,
+        _declaration_start: &ParserState,
+    ) -> Result<(), ParseError<'i, ()>> {
+        let mut values = Vec::new();
+        let mut important = false;
+        loop {
+            let start = input.state();
+            let token = match input.next_including_whitespace().cloned() {
+                Ok(token) => token,
+                Err(_) => break,
+            };
+
+            if token == Token::Delim('!') {
+                input.reset(&start);
+                if parse_important(input).is_ok() && input.is_exhausted() {
+                    important = true;
+                    break;
+                }
+                input.reset(&start);
+            }
+
+            collect_token_values(token, input, &mut values);
+        }
+
+        if values.is_empty() && !important {
+            return Ok(());
+        }
+
+        if values.is_empty() && important {
+            values.push("important".to_string());
+        }
+
+        for value in values {
+            self.emit(&name, &value);
+            if self.stopped {
+                break;
+            }
+        }
+        Ok(())
+    }
+}
+
+impl<'i, F> AtRuleParser<'i> for Collector<'_, F>
+where
+    F: FnMut(&str) -> bool,
+{
+    type Prelude = ();
+    type AtRule = ();
+    type Error = ();
+}
+
+impl<'i, F> cssparser::QualifiedRuleParser<'i> for Collector<'_, F>
+where
+    F: FnMut(&str) -> bool,
+{
+    type Prelude = ();
+    type QualifiedRule = ();
+    type Error = ();
+
+    fn parse_prelude<'t>(&mut self, input: &mut Parser<'i, 't>) -> Result<(), ParseError<'i, ()>> {
+        while input.next_including_whitespace().is_ok() {}
+        Ok(())
+    }
+
+    fn parse_block<'t>(
+        &mut self,
+        _prelude: (),
+        _start: &ParserState,
+        input: &mut Parser<'i, 't>,
+    ) -> Result<(), ParseError<'i, ()>> {
+        for _ in RuleBodyParser::new(input, self) {}
+        Ok(())
+    }
+}
+
+impl<F> RuleBodyItemParser<'_, (), ()> for Collector<'_, F>
+where
+    F: FnMut(&str) -> bool,
+{
+    fn parse_qualified(&self) -> bool {
+        true
+    }
+
+    fn parse_declarations(&self) -> bool {
+        true
+    }
+}
+
+fn collect_token_values<'i, 't>(
+    token: Token<'i>,
+    input: &mut Parser<'i, 't>,
+    values: &mut Vec<String>,
+) {
+    match token {
+        Token::QuotedString(value) => values.push(value.to_string()),
+        Token::UnquotedUrl(value) => values.push(value.to_string()),
+        Token::Ident(value) => values.push(value.to_string()),
+        Token::Hash(value) | Token::IDHash(value) => values.push(value.to_string()),
+        Token::Number { .. }
+        | Token::Percentage { .. }
+        | Token::Dimension { .. }
+        | Token::Function(_) => {
+            values.push(token.to_css_string());
+            if matches!(token, Token::Function(_)) {
+                let _ = input.parse_nested_block(|nested| {
+                    while let Ok(next) = nested.next_including_whitespace().cloned() {
+                        collect_token_values(next, nested, values);
+                    }
+                    Ok::<(), ParseError<'i, ()>>(())
+                });
+            }
+        }
+        Token::ParenthesisBlock | Token::SquareBracketBlock | Token::CurlyBracketBlock => {
+            let _ = input.parse_nested_block(|nested| {
+                while let Ok(next) = nested.next_including_whitespace().cloned() {
+                    collect_token_values(next, nested, values);
+                }
+                Ok::<(), ParseError<'i, ()>>(())
+            });
+        }
+        _ => {}
+    }
+}
diff --git a/src/parser/html.rs b/src/parser/html.rs
new file mode 100644
index 0000000..0a2aeac
--- /dev/null
+++ b/src/parser/html.rs
@@ -0,0 +1,67 @@
+use anyhow::Result;
+use tl::{Node, ParserOptions};
+
+use super::{css, lexer, Language};
+
+pub(super) fn stream_context_candidates<F>(source: &[u8], sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let html = String::from_utf8_lossy(source);
+    if html.trim().is_empty() {
+        return Ok(());
+    }
+
+    let dom = match tl::parse(&html, ParserOptions::default()) {
+        Ok(dom) => dom,
+        Err(_) => return Ok(()),
+    };
+    let parser = dom.parser();
+
+    for node in dom.nodes() {
+        let Some(tag) = node.as_tag() else {
+            continue;
+        };
+        let tag_name = tag.name().as_utf8_str().to_string();
+
+        for (key, value) in tag.attributes().iter() {
+            let Some(value) = value else {
+                continue;
+            };
+            let candidate = format!("{key} = {value}");
+            if !sink(&candidate) {
+                return Ok(());
+            }
+        }
+
+        let inner_text = tag.inner_text(parser).trim().to_string();
+        match tag_name.as_str() {
+            "script" => {
+                let candidate = format!("<script> = {inner_text}");
+                if !inner_text.is_empty() && !sink(&candidate) {
+                    return Ok(());
+                }
+                lexer::stream_context_candidates(
+                    inner_text.as_bytes(),
+                    &Language::JavaScript,
+                    sink,
+                )?;
+            }
+            "style" => {
+                if !inner_text.is_empty() {
+                    css::stream_context_candidates(inner_text.as_bytes(), sink)?;
+                }
+            }
+            _ => {
+                if !inner_text.is_empty()
+                    && !matches!(node, Node::Comment(_))
+                    && !sink(&format!("{tag_name} = {inner_text}"))
+                {
+                    return Ok(());
+                }
+            }
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/parser/lexer.rs b/src/parser/lexer.rs
new file mode 100644
index 0000000..e729d82
--- /dev/null
+++ b/src/parser/lexer.rs
@@ -0,0 +1,1276 @@
+use anyhow::Result;
+use once_cell::sync::Lazy;
+use regex::Regex;
+
+use super::Language;
+
+static ASSIGNMENT_LITERAL_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?P<key>[A-Za-z_@$][\w$@.:>-]*)
+        \s*
+        (?P<op>:=|=>|=|\+=)
+        \s*
+        (?P<value>
+            @"(?s:(?:[^"]|"")*)"
+            |
+            "(?:[^"\\]|\\.)*"
+            |
+            '(?:[^'\\]|\\.)*'
+            |
+            `[^`]*`
+            |
+            [+-]?\d+(?:\.\d+)?
+        )
+    "#,
+    )
+    .unwrap()
+});
+
+static ASSIGNMENT_ANY_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?P<key>[A-Za-z_@$][\w$@.:>-]*)
+        \s*
+        (?P<op>:=|=>|=|\+=)
+        \s*
+        (?P<rhs>.+)
+    "#,
+    )
+    .unwrap()
+});
+
+static TYPED_ASSIGNMENT_LITERAL_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?P<key>[A-Za-z_@$][\w$@.-]*)
+        \s*:\s*[^=]+?
+        =\s*
+        (?P<value>
+            @"(?s:(?:[^"]|"")*)"
+            |
+            "(?:[^"\\]|\\.)*"
+            |
+            '(?:[^'\\]|\\.)*'
+            |
+            `[^`]*`
+            |
+            [+-]?\d+(?:\.\d+)?
+        )
+    "#,
+    )
+    .unwrap()
+});
+
+static PAIR_LITERAL_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?:
+            ^
+            |
+            [\{\[,]\s*
+            |
+            ,\s*
+        )
+        (?P<key>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_@$][\w$@.-]*)
+        \s*:\s*
+        (?P<value>
+            "(?:[^"\\]|\\.)*"
+            |
+            '(?:[^'\\]|\\.)*'
+            |
+            `[^`]*`
+            |
+            [+-]?\d+(?:\.\d+)?
+        )
+    "#,
+    )
+    .unwrap()
+});
+
+static TYPE_LITERAL_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?P<key>[A-Za-z_@$][\w$@.-]*)
+        \s*:\s*
+        (?P<value>
+            "(?:[^"\\]|\\.)*"
+            |
+            '(?:[^'\\]|\\.)*'
+            |
+            `[^`]*`
+        )
+    "#,
+    )
+    .unwrap()
+});
+
+static CALL_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?:
+            (?P<assign>[A-Za-z_@$][\w$@.:>-]*)\s*(?::=|=)\s*
+        )?
+        (?P<call>(?:new\s+)?[A-Za-z_@$][\w$@.:>-]*)
+        \s*
+        \((?P<args>[^)]*)\)
+    "#,
+    )
+    .unwrap()
+});
+
+static BRACE_LIST_ASSIGN_RE: Lazy<Regex> = Lazy::new(|| {
+    Regex::new(
+        r#"(?x)
+        (?P<key>[A-Za-z_@$][\w$@.:>-]*)
+        \s*=\s*
+        \{(?P<body>[^}]*)\}
+    "#,
+    )
+    .unwrap()
+});
+
+pub(super) fn stream_context_candidates<F>(
+    source: &[u8],
+    language: &Language,
+    sink: &mut F,
+) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let text = String::from_utf8_lossy(source);
+    if text.is_empty() {
+        return Ok(());
+    }
+
+    match language {
+        Language::Bash => extract_bash(&text, sink),
+        Language::Python => extract_python(&text, sink),
+        Language::Ruby => extract_ruby(&text, sink),
+        Language::Php => extract_php(&text, sink),
+        Language::Yaml => extract_yaml(&text, sink),
+        Language::Toml => extract_toml(&text, sink),
+        Language::JavaScript => extract_javascript_like(&text, false, sink),
+        Language::TypeScript => extract_javascript_like(&text, true, sink),
+        Language::Rust => extract_rust(&text, sink),
+        Language::C | Language::CSharp | Language::Cpp | Language::Go | Language::Java => {
+            extract_c_style(&text, language, sink)
+        }
+        Language::Css | Language::Html => Ok(()),
+    }
+}
+
+fn extract_bash<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::shell());
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_python<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::python());
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_pairs(line, true, sink).is_break() {
+            return Ok(());
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_ruby<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::hash_only());
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_assignment_lists(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_php<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::php());
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_assignment_lists(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_yaml<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::hash_only());
+    for line in cleaned.lines() {
+        let trimmed = line.trim();
+        if trimmed.is_empty() || trimmed.starts_with('-') && !trimmed.contains(':') {
+            continue;
+        }
+        if let Some((key, value)) = split_mapping_pair(trimmed) {
+            let key = key.trim_start_matches('-').trim();
+            if emit_value(key, value, true, true, sink).is_break() {
+                return Ok(());
+            }
+        }
+    }
+    Ok(())
+}
+
+fn extract_toml<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::hash_only());
+    for line in cleaned.lines() {
+        let trimmed = line.trim();
+        if trimmed.is_empty() || trimmed.starts_with('[') {
+            continue;
+        }
+        if let Some((key, value)) = split_assignment(trimmed, '=') {
+            if emit_value(key, value, true, false, sink).is_break() {
+                return Ok(());
+            }
+        }
+    }
+    Ok(())
+}
+
+fn extract_javascript_like<F>(text: &str, include_type_literals: bool, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::c_style().with_backticks());
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_pairs(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if include_type_literals && emit_type_literals(line, sink).is_break() {
+            return Ok(());
+        }
+        if emit_assignment_lists(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_rust<F>(text: &str, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let cleaned = strip_comments(text, CommentStyle::c_style());
+    for line in cleaned.lines() {
+        if emit_typed_assignment_literals(line, sink).is_break() {
+            return Ok(());
+        }
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+fn extract_c_style<F>(text: &str, language: &Language, sink: &mut F) -> Result<()>
+where
+    F: FnMut(&str) -> bool,
+{
+    let style = match language {
+        Language::CSharp => CommentStyle::c_style().with_verbatim_strings(),
+        _ => CommentStyle::c_style(),
+    };
+    let cleaned = strip_comments(text, style);
+    for line in cleaned.lines() {
+        if emit_assignment_literals(line, false, sink).is_break() {
+            return Ok(());
+        }
+        if emit_brace_list_assignments(line, sink).is_break() {
+            return Ok(());
+        }
+        if matches!(language, Language::Cpp) && looks_like_cpp_ctor_initializer_line(line) {
+            continue;
+        }
+        if emit_calls(line, false, sink).is_break() {
+            return Ok(());
+        }
+    }
+    Ok(())
+}
+
+#[derive(Clone, Copy)]
+enum Flow {
+    Continue,
+    Break,
+}
+
+impl Flow {
+    fn is_break(self) -> bool {
+        matches!(self, Self::Break)
+    }
+}
+
+fn emit_assignment_literals<F>(line: &str, keep_full_key: bool, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in ASSIGNMENT_LITERAL_RE.captures_iter(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(value) = caps.name("value").map(|m| m.as_str()) else {
+            continue;
+        };
+        if emit_value(key, value, keep_full_key, false, sink).is_break() {
+            return Flow::Break;
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_typed_assignment_literals<F>(line: &str, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in TYPED_ASSIGNMENT_LITERAL_RE.captures_iter(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(value) = caps.name("value").map(|m| m.as_str()) else {
+            continue;
+        };
+        if emit_value(key, value, false, false, sink).is_break() {
+            return Flow::Break;
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_assignment_lists<F>(line: &str, keep_full_key: bool, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    if let Some(caps) = ASSIGNMENT_ANY_RE.captures(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            return Flow::Continue;
+        };
+        let Some(rhs) = caps.name("rhs").map(|m| m.as_str()) else {
+            return Flow::Continue;
+        };
+        if rhs.contains(',') || rhs.contains('[') || rhs.contains('{') {
+            for value in extract_literal_values(rhs, false) {
+                if emit_value(key, &value, keep_full_key, false, sink).is_break() {
+                    return Flow::Break;
+                }
+            }
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_brace_list_assignments<F>(line: &str, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in BRACE_LIST_ASSIGN_RE.captures_iter(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(body) = caps.name("body").map(|m| m.as_str()) else {
+            continue;
+        };
+        for value in extract_literal_values(body, false) {
+            if emit_value(key, &value, false, false, sink).is_break() {
+                return Flow::Break;
+            }
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_pairs<F>(line: &str, keep_full_key: bool, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in PAIR_LITERAL_RE.captures_iter(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(value) = caps.name("value").map(|m| m.as_str()) else {
+            continue;
+        };
+        if emit_value(key, value, keep_full_key, false, sink).is_break() {
+            return Flow::Break;
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_type_literals<F>(line: &str, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in TYPE_LITERAL_RE.captures_iter(line) {
+        let Some(key) = caps.name("key").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(value) = caps.name("value").map(|m| m.as_str()) else {
+            continue;
+        };
+        if emit_value(key, value, false, false, sink).is_break() {
+            return Flow::Break;
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_calls<F>(line: &str, keep_full_assign_key: bool, sink: &mut F) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    for caps in CALL_RE.captures_iter(line) {
+        let assign_key = caps.name("assign").map(|m| m.as_str());
+        let Some(call) = caps.name("call").map(|m| m.as_str()) else {
+            continue;
+        };
+        let Some(args) = caps.name("args").map(|m| m.as_str()) else {
+            continue;
+        };
+
+        let values = extract_literal_values(args, false);
+        if values.is_empty() {
+            continue;
+        }
+
+        if let Some(key) = assign_key {
+            for value in &values {
+                if emit_value(key, value, keep_full_assign_key, false, sink).is_break() {
+                    return Flow::Break;
+                }
+            }
+        }
+
+        let call_name = normalize_call_name(call);
+        for value in &values {
+            if emit_value(&call_name, value, true, false, sink).is_break() {
+                return Flow::Break;
+            }
+        }
+
+        if values.len() >= 2 {
+            let first = values[0].trim_matches('"').trim_matches('\'');
+            let second = &values[1];
+            if looks_like_embedded_key(first)
+                && emit_value(first, second, true, false, sink).is_break()
+            {
+                return Flow::Break;
+            }
+        }
+    }
+    Flow::Continue
+}
+
+fn emit_value<F>(
+    key: &str,
+    value: &str,
+    keep_full_key: bool,
+    allow_bare: bool,
+    sink: &mut F,
+) -> Flow
+where
+    F: FnMut(&str) -> bool,
+{
+    let key = normalize_key(key, keep_full_key);
+    let value = normalize_value(value, allow_bare);
+    if key.is_empty() || value.is_empty() {
+        return Flow::Continue;
+    }
+    let candidate = format!("{key} = {value}");
+    if sink(&candidate) {
+        Flow::Continue
+    } else {
+        Flow::Break
+    }
+}
+
+fn normalize_key(key: &str, keep_full_key: bool) -> String {
+    let mut key = key.trim().trim_start_matches('$').trim_start_matches('@').to_string();
+    if (key.starts_with('"') && key.ends_with('"'))
+        || (key.starts_with('\'') && key.ends_with('\''))
+    {
+        key = key[1..key.len() - 1].to_string();
+    }
+    if keep_full_key {
+        return key;
+    }
+    key.rsplit(['.', ':', '>'])
+        .find(|segment| !segment.is_empty())
+        .unwrap_or(&key)
+        .trim_matches('-')
+        .to_string()
+}
+
+fn normalize_value(value: &str, allow_bare: bool) -> String {
+    let trimmed = value.trim().trim_end_matches([',', ';']);
+    if trimmed.is_empty() {
+        return String::new();
+    }
+
+    if let Some(stripped) = trim_wrapped_literal(trimmed) {
+        return stripped;
+    }
+
+    if allow_bare || looks_like_number(trimmed) {
+        return trimmed.trim_matches([')', ']', '}']).to_string();
+    }
+
+    String::new()
+}
+
+fn trim_wrapped_literal(value: &str) -> Option<String> {
+    if value.starts_with("@\"") && value.ends_with('"') && value.len() >= 3 {
+        return Some(value[2..value.len() - 1].replace("\"\"", "\""));
+    }
+    if value.starts_with('"') && value.ends_with('"') && value.len() >= 2 {
+        return Some(value[1..value.len() - 1].to_string());
+    }
+    if value.starts_with('\'') && value.ends_with('\'') && value.len() >= 2 {
+        return Some(value[1..value.len() - 1].to_string());
+    }
+    if value.starts_with('`') && value.ends_with('`') && value.len() >= 2 {
+        return Some(value[1..value.len() - 1].to_string());
+    }
+    None
+}
+
+fn normalize_call_name(call: &str) -> String {
+    let call = call.trim().trim_start_matches("new ").trim();
+    call.rsplit(['.', ':', '>'])
+        .find(|segment| !segment.is_empty())
+        .unwrap_or(call)
+        .trim_matches('-')
+        .to_string()
+}
+
+fn looks_like_embedded_key(value: &str) -> bool {
+    !value.is_empty()
+        && value.chars().all(|ch| ch.is_ascii_alphanumeric() || matches!(ch, '_' | '-' | '.' | '='))
+}
+
+fn looks_like_number(value: &str) -> bool {
+    value.chars().all(|ch| ch.is_ascii_digit() || ch == '.' || ch == '-' || ch == '+')
+}
+
+fn looks_like_cpp_ctor_initializer_line(line: &str) -> bool {
+    let trimmed = line.trim_start();
+    trimmed.contains(") :") || trimmed.starts_with(':') || trimmed.starts_with(',')
+}
+
+fn extract_literal_values(input: &str, allow_bare: bool) -> Vec<String> {
+    let bytes = input.as_bytes();
+    let mut values = Vec::new();
+    let mut idx = 0;
+
+    while idx < bytes.len() {
+        match bytes[idx] {
+            b' ' | b'\t' | b'\r' | b'\n' | b',' => {
+                idx += 1;
+            }
+            b'@' if idx + 1 < bytes.len() && bytes[idx + 1] == b'"' => {
+                let start = idx;
+                idx += 2;
+                while idx < bytes.len() {
+                    if bytes[idx] == b'"' {
+                        if idx + 1 < bytes.len() && bytes[idx + 1] == b'"' {
+                            idx += 2;
+                            continue;
+                        }
+                        idx += 1;
+                        break;
+                    }
+                    idx += 1;
+                }
+                values.push(input[start..idx].to_string());
+            }
+            b'"' | b'\'' | b'`' => {
+                let quote = bytes[idx];
+                let start = idx;
+                idx += 1;
+                while idx < bytes.len() {
+                    if bytes[idx] == b'\\' && quote != b'`' {
+                        idx += 2;
+                        continue;
+                    }
+                    if bytes[idx] == quote {
+                        idx += 1;
+                        break;
+                    }
+                    idx += 1;
+                }
+                values.push(input[start..idx].to_string());
+            }
+            b'[' | b'(' | b'{' => {
+                let (close, start) = match bytes[idx] {
+                    b'[' => (b']', idx + 1),
+                    b'(' => (b')', idx + 1),
+                    _ => (b'}', idx + 1),
+                };
+                idx += 1;
+                let mut depth = 1usize;
+                let inner_start = start;
+                while idx < bytes.len() && depth > 0 {
+                    match bytes[idx] {
+                        b'"' | b'\'' | b'`' => {
+                            let quote = bytes[idx];
+                            idx += 1;
+                            while idx < bytes.len() {
+                                if bytes[idx] == b'\\' && quote != b'`' {
+                                    idx += 2;
+                                    continue;
+                                }
+                                if bytes[idx] == quote {
+                                    idx += 1;
+                                    break;
+                                }
+                                idx += 1;
+                            }
+                        }
+                        ch if ch == bytes[start - 1] => {
+                            depth += 1;
+                            idx += 1;
+                        }
+                        ch if ch == close => {
+                            depth -= 1;
+                            if depth == 0 {
+                                let inner = &input[inner_start..idx];
+                                values.extend(extract_literal_values(inner, allow_bare));
+                            }
+                            idx += 1;
+                        }
+                        _ => idx += 1,
+                    }
+                }
+            }
+            ch if ch.is_ascii_digit() || ch == b'+' || ch == b'-' => {
+                let start = idx;
+                idx += 1;
+                while idx < bytes.len()
+                    && (bytes[idx].is_ascii_digit() || matches!(bytes[idx], b'.' | b'_' | b'x'))
+                {
+                    idx += 1;
+                }
+                values.push(input[start..idx].to_string());
+            }
+            ch if allow_bare
+                && (ch.is_ascii_alphanumeric() || matches!(ch, b'_' | b'$' | b'@')) =>
+            {
+                let start = idx;
+                idx += 1;
+                while idx < bytes.len()
+                    && !matches!(
+                        bytes[idx],
+                        b' ' | b'\t' | b'\r' | b'\n' | b',' | b')' | b']' | b'}'
+                    )
+                {
+                    idx += 1;
+                }
+                values.push(input[start..idx].to_string());
+            }
+            _ => idx += 1,
+        }
+    }
+
+    values
+}
+
+fn split_mapping_pair(line: &str) -> Option<(&str, &str)> {
+    let mut in_single = false;
+    let mut in_double = false;
+    for (idx, ch) in line.char_indices() {
+        match ch {
+            '\'' if !in_double => in_single = !in_single,
+            '"' if !in_single => in_double = !in_double,
+            ':' if !in_single && !in_double => return Some((&line[..idx], &line[idx + 1..])),
+            _ => {}
+        }
+    }
+    None
+}
+
+fn split_assignment(line: &str, needle: char) -> Option<(&str, &str)> {
+    let mut in_single = false;
+    let mut in_double = false;
+    for (idx, ch) in line.char_indices() {
+        match ch {
+            '\'' if !in_double => in_single = !in_single,
+            '"' if !in_single => in_double = !in_double,
+            ch if ch == needle && !in_single && !in_double => {
+                return Some((&line[..idx], &line[idx + 1..]));
+            }
+            _ => {}
+        }
+    }
+    None
+}
+
+#[derive(Clone, Copy)]
+struct CommentStyle {
+    line_comment_hash: bool,
+    line_comment_slash: bool,
+    block_comments: bool,
+    backticks: bool,
+    verbatim_strings: bool,
+    triple_quotes: bool,
+}
+
+impl CommentStyle {
+    const fn c_style() -> Self {
+        Self {
+            line_comment_hash: false,
+            line_comment_slash: true,
+            block_comments: true,
+            backticks: false,
+            verbatim_strings: false,
+            triple_quotes: false,
+        }
+    }
+
+    const fn shell() -> Self {
+        Self {
+            line_comment_hash: true,
+            line_comment_slash: false,
+            block_comments: false,
+            backticks: false,
+            verbatim_strings: false,
+            triple_quotes: false,
+        }
+    }
+
+    const fn hash_only() -> Self {
+        Self {
+            line_comment_hash: true,
+            line_comment_slash: false,
+            block_comments: false,
+            backticks: false,
+            verbatim_strings: false,
+            triple_quotes: false,
+        }
+    }
+
+    const fn php() -> Self {
+        Self {
+            line_comment_hash: true,
+            line_comment_slash: true,
+            block_comments: true,
+            backticks: false,
+            verbatim_strings: false,
+            triple_quotes: false,
+        }
+    }
+
+    const fn python() -> Self {
+        Self {
+            line_comment_hash: true,
+            line_comment_slash: false,
+            block_comments: false,
+            backticks: false,
+            verbatim_strings: false,
+            triple_quotes: true,
+        }
+    }
+
+    const fn with_backticks(mut self) -> Self {
+        self.backticks = true;
+        self
+    }
+
+    const fn with_verbatim_strings(mut self) -> Self {
+        self.verbatim_strings = true;
+        self
+    }
+}
+
+// NOTE: We index `source` byte-by-byte and cast via `bytes[idx] as char`.
+// This is correct for comment/string delimiter detection because all
+// delimiters we care about (`'`, `"`, `/`, `*`, `#`, `` ` ``, `\n`, `@`)
+// are single-byte ASCII.  Interior bytes of multi-byte UTF-8 sequences
+// have their high bit set (0x80..0xFF) so they can never collide with
+// those ASCII delimiters.  The cast produces a garbage char for non-ASCII
+// bytes, but the output is only consumed by regex patterns that match
+// ASCII identifiers and quoted strings, so this is harmless.
+fn strip_comments(source: &str, style: CommentStyle) -> String {
+    #[derive(Clone, Copy)]
+    enum StringState {
+        Single,
+        Double,
+        Backtick,
+        Verbatim,
+        TripleSingle,
+        TripleDouble,
+    }
+
+    let bytes = source.as_bytes();
+    let mut out = String::with_capacity(source.len());
+    let mut idx = 0usize;
+    let mut string_state: Option<StringState> = None;
+    let mut in_block_comment = false;
+
+    while idx < bytes.len() {
+        if in_block_comment {
+            if idx + 1 < bytes.len() && bytes[idx] == b'*' && bytes[idx + 1] == b'/' {
+                in_block_comment = false;
+                idx += 2;
+            } else {
+                if bytes[idx] == b'\n' {
+                    out.push('\n');
+                }
+                idx += 1;
+            }
+            continue;
+        }
+
+        if let Some(state) = string_state {
+            match state {
+                StringState::Single => {
+                    out.push(bytes[idx] as char);
+                    if bytes[idx] == b'\\' && idx + 1 < bytes.len() {
+                        out.push(bytes[idx + 1] as char);
+                        idx += 2;
+                        continue;
+                    }
+                    if bytes[idx] == b'\'' {
+                        string_state = None;
+                    }
+                    idx += 1;
+                }
+                StringState::Double => {
+                    out.push(bytes[idx] as char);
+                    if bytes[idx] == b'\\' && idx + 1 < bytes.len() {
+                        out.push(bytes[idx + 1] as char);
+                        idx += 2;
+                        continue;
+                    }
+                    if bytes[idx] == b'"' {
+                        string_state = None;
+                    }
+                    idx += 1;
+                }
+                StringState::Backtick => {
+                    out.push(bytes[idx] as char);
+                    if bytes[idx] == b'`' {
+                        string_state = None;
+                    }
+                    idx += 1;
+                }
+                StringState::Verbatim => {
+                    out.push(bytes[idx] as char);
+                    if bytes[idx] == b'"' {
+                        if idx + 1 < bytes.len() && bytes[idx + 1] == b'"' {
+                            out.push('"');
+                            idx += 2;
+                            continue;
+                        }
+                        string_state = None;
+                    }
+                    idx += 1;
+                }
+                StringState::TripleSingle => {
+                    out.push(bytes[idx] as char);
+                    if idx + 2 < bytes.len()
+                        && bytes[idx] == b'\''
+                        && bytes[idx + 1] == b'\''
+                        && bytes[idx + 2] == b'\''
+                    {
+                        out.push('\'');
+                        out.push('\'');
+                        idx += 3;
+                        string_state = None;
+                        continue;
+                    }
+                    idx += 1;
+                }
+                StringState::TripleDouble => {
+                    out.push(bytes[idx] as char);
+                    if idx + 2 < bytes.len()
+                        && bytes[idx] == b'"'
+                        && bytes[idx + 1] == b'"'
+                        && bytes[idx + 2] == b'"'
+                    {
+                        out.push('"');
+                        out.push('"');
+                        idx += 3;
+                        string_state = None;
+                        continue;
+                    }
+                    idx += 1;
+                }
+            }
+            continue;
+        }
+
+        if style.block_comments
+            && idx + 1 < bytes.len()
+            && bytes[idx] == b'/'
+            && bytes[idx + 1] == b'*'
+        {
+            in_block_comment = true;
+            idx += 2;
+            continue;
+        }
+
+        if style.line_comment_slash
+            && idx + 1 < bytes.len()
+            && bytes[idx] == b'/'
+            && bytes[idx + 1] == b'/'
+        {
+            while idx < bytes.len() && bytes[idx] != b'\n' {
+                idx += 1;
+            }
+            continue;
+        }
+
+        if style.line_comment_hash && bytes[idx] == b'#' {
+            while idx < bytes.len() && bytes[idx] != b'\n' {
+                idx += 1;
+            }
+            continue;
+        }
+
+        if style.verbatim_strings
+            && idx + 1 < bytes.len()
+            && bytes[idx] == b'@'
+            && bytes[idx + 1] == b'"'
+        {
+            out.push('@');
+            out.push('"');
+            idx += 2;
+            string_state = Some(StringState::Verbatim);
+            continue;
+        }
+
+        if style.triple_quotes && idx + 2 < bytes.len() {
+            if bytes[idx] == b'\'' && bytes[idx + 1] == b'\'' && bytes[idx + 2] == b'\'' {
+                out.push('\'');
+                out.push('\'');
+                out.push('\'');
+                idx += 3;
+                string_state = Some(StringState::TripleSingle);
+                continue;
+            }
+            if bytes[idx] == b'"' && bytes[idx + 1] == b'"' && bytes[idx + 2] == b'"' {
+                out.push('"');
+                out.push('"');
+                out.push('"');
+                idx += 3;
+                string_state = Some(StringState::TripleDouble);
+                continue;
+            }
+        }
+
+        match bytes[idx] {
+            b'\'' => {
+                out.push('\'');
+                string_state = Some(StringState::Single);
+                idx += 1;
+            }
+            b'"' => {
+                out.push('"');
+                string_state = Some(StringState::Double);
+                idx += 1;
+            }
+            b'`' if style.backticks => {
+                out.push('`');
+                string_state = Some(StringState::Backtick);
+                idx += 1;
+            }
+            _ => {
+                out.push(bytes[idx] as char);
+                idx += 1;
+            }
+        }
+    }
+
+    out
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // ── extract_literal_values ──────────────────────────────────────────
+
+    #[test]
+    fn extract_literals_double_quoted() {
+        let vals = extract_literal_values(r#""hello", "world""#, false);
+        assert_eq!(vals, vec![r#""hello""#, r#""world""#]);
+    }
+
+    #[test]
+    fn extract_literals_single_quoted() {
+        let vals = extract_literal_values("'abc', 'def'", false);
+        assert_eq!(vals, vec!["'abc'", "'def'"]);
+    }
+
+    #[test]
+    fn extract_literals_backtick() {
+        let vals = extract_literal_values("`template ${var}`", false);
+        assert_eq!(vals, vec!["`template ${var}`"]);
+    }
+
+    #[test]
+    fn extract_literals_escaped_quotes() {
+        let vals = extract_literal_values(r#""he said \"hi\"""#, false);
+        assert_eq!(vals, vec![r#""he said \"hi\"""#]);
+    }
+
+    #[test]
+    fn extract_literals_numbers() {
+        let vals = extract_literal_values("42, -3.14, +1", false);
+        assert_eq!(vals, vec!["42", "-3.14", "+1"]);
+    }
+
+    #[test]
+    fn extract_literals_nested_brackets() {
+        let vals = extract_literal_values(r#"["a", ["b", "c"]]"#, false);
+        assert_eq!(vals, vec![r#""a""#, r#""b""#, r#""c""#]);
+    }
+
+    #[test]
+    fn extract_literals_nested_parens() {
+        let vals = extract_literal_values(r#"("x", ("y"))"#, false);
+        assert_eq!(vals, vec![r#""x""#, r#""y""#]);
+    }
+
+    #[test]
+    fn extract_literals_nested_braces() {
+        let vals = extract_literal_values(r#"{"key": "val"}"#, false);
+        assert_eq!(vals, vec![r#""key""#, r#""val""#]);
+    }
+
+    #[test]
+    fn extract_literals_mixed_nesting() {
+        let vals = extract_literal_values(r#"[{"a": "b"}, ("c")]"#, false);
+        assert_eq!(vals, vec![r#""a""#, r#""b""#, r#""c""#]);
+    }
+
+    #[test]
+    fn extract_literals_empty_input() {
+        let vals = extract_literal_values("", false);
+        assert!(vals.is_empty());
+    }
+
+    #[test]
+    fn extract_literals_only_whitespace() {
+        let vals = extract_literal_values("   \t\n  ", false);
+        assert!(vals.is_empty());
+    }
+
+    #[test]
+    fn extract_literals_unclosed_string() {
+        // Gracefully handles unclosed quote — takes everything to end
+        let vals = extract_literal_values(r#""unclosed"#, false);
+        assert_eq!(vals.len(), 1);
+        assert!(vals[0].starts_with('"'));
+    }
+
+    #[test]
+    fn extract_literals_mismatched_brackets_does_not_panic() {
+        // Must not panic on mismatched brackets — result may be empty because
+        // the unclosed bracket consumes to EOF and the inner recursion only
+        // fires once the bracket is closed.
+        let _ = extract_literal_values(r#"["a", "b""#, false);
+    }
+
+    #[test]
+    fn extract_literals_verbatim_string() {
+        let vals = extract_literal_values(r#"@"line1""line2""#, false);
+        assert_eq!(vals.len(), 1);
+        assert_eq!(vals[0], r#"@"line1""line2""#);
+    }
+
+    #[test]
+    fn extract_literals_bare_values_when_allowed() {
+        let vals = extract_literal_values("foo, bar_baz", true);
+        assert_eq!(vals, vec!["foo", "bar_baz"]);
+    }
+
+    #[test]
+    fn extract_literals_bare_values_rejected_when_disallowed() {
+        let vals = extract_literal_values("foo, bar", false);
+        assert!(vals.is_empty());
+    }
+
+    // ── strip_comments ──────────────────────────────────────────────────
+
+    #[test]
+    fn strip_c_style_line_comment() {
+        let result = strip_comments("x = 1; // comment\ny = 2;", CommentStyle::c_style());
+        assert_eq!(result, "x = 1; \ny = 2;");
+    }
+
+    #[test]
+    fn strip_c_style_block_comment() {
+        let result = strip_comments("a /* block */ b", CommentStyle::c_style());
+        assert_eq!(result, "a  b");
+    }
+
+    #[test]
+    fn strip_c_style_block_comment_multiline() {
+        let result = strip_comments("a /* line1\nline2 */ b", CommentStyle::c_style());
+        assert_eq!(result, "a \n b");
+    }
+
+    #[test]
+    fn strip_hash_comment() {
+        let result = strip_comments("key = val # comment\nnext", CommentStyle::shell());
+        assert_eq!(result, "key = val \nnext");
+    }
+
+    #[test]
+    fn strip_preserves_hash_inside_string() {
+        let result = strip_comments(r#"x = "has # inside""#, CommentStyle::shell());
+        assert_eq!(result, r#"x = "has # inside""#);
+    }
+
+    #[test]
+    fn strip_preserves_slash_inside_string() {
+        let result = strip_comments(r#"x = "has // inside""#, CommentStyle::c_style());
+        assert_eq!(result, r#"x = "has // inside""#);
+    }
+
+    #[test]
+    fn strip_python_triple_double_quotes() {
+        let result = strip_comments(
+            "x = 1\n\"\"\"docstring # not a comment\"\"\"\ny = 2",
+            CommentStyle::python(),
+        );
+        assert!(result.contains("docstring # not a comment"));
+        assert!(result.contains("y = 2"));
+    }
+
+    #[test]
+    fn strip_python_triple_single_quotes() {
+        let result = strip_comments("'''multi\nline'''# real comment", CommentStyle::python());
+        assert!(result.contains("multi\nline"));
+        assert!(!result.contains("real comment"));
+    }
+
+    #[test]
+    fn strip_csharp_verbatim_string() {
+        let style = CommentStyle::c_style().with_verbatim_strings();
+        let result = strip_comments(r#"x = @"path\to\file" // comment"#, style);
+        assert!(result.contains(r#"@"path\to\file""#));
+        assert!(!result.contains("comment"));
+    }
+
+    #[test]
+    fn strip_backtick_template_preserves_content() {
+        let style = CommentStyle::c_style().with_backticks();
+        let result = strip_comments("x = `template // not a comment`", style);
+        assert_eq!(result, "x = `template // not a comment`");
+    }
+
+    #[test]
+    fn strip_php_both_comment_styles() {
+        let result = strip_comments("a # hash\nb // slash\nc", CommentStyle::php());
+        assert_eq!(result, "a \nb \nc");
+    }
+
+    #[test]
+    fn strip_escaped_quote_in_string() {
+        let result =
+            strip_comments(r#"x = "escaped \" quote" // comment"#, CommentStyle::c_style());
+        assert!(result.contains(r#"escaped \" quote"#));
+        assert!(!result.contains("comment"));
+    }
+
+    #[test]
+    fn strip_no_comments_passthrough() {
+        let input = "let x = 42;\nlet y = \"hello\";";
+        let result = strip_comments(input, CommentStyle::c_style());
+        assert_eq!(result, input);
+    }
+
+    // ── normalize_key / normalize_value ────────────────────────────────
+
+    #[test]
+    fn normalize_key_strips_prefix_symbols() {
+        assert_eq!(normalize_key("$var", false), "var");
+        assert_eq!(normalize_key("@ivar", false), "ivar");
+    }
+
+    #[test]
+    fn normalize_key_extracts_last_segment() {
+        assert_eq!(normalize_key("self.password", false), "password");
+        assert_eq!(normalize_key("obj::field", false), "field");
+    }
+
+    #[test]
+    fn normalize_key_keeps_full_when_requested() {
+        assert_eq!(normalize_key("self.password", true), "self.password");
+    }
+
+    #[test]
+    fn normalize_value_strips_quotes() {
+        assert_eq!(normalize_value(r#""hello""#, false), "hello");
+        assert_eq!(normalize_value("'world'", false), "world");
+        assert_eq!(normalize_value("`tmpl`", false), "tmpl");
+    }
+
+    #[test]
+    fn normalize_value_rejects_bare_when_not_allowed() {
+        assert_eq!(normalize_value("bareword", false), "");
+    }
+
+    #[test]
+    fn normalize_value_accepts_bare_when_allowed() {
+        assert_eq!(normalize_value("bareword", true), "bareword");
+    }
+
+    #[test]
+    fn normalize_value_accepts_numbers() {
+        assert_eq!(normalize_value("42", false), "42");
+        assert_eq!(normalize_value("-3.14", false), "-3.14");
+    }
+}
diff --git a/src/parser/queries.rs b/src/parser/queries.rs
deleted file mode 100644
index 7213015..0000000
--- a/src/parser/queries.rs
+++ /dev/null
@@ -1,1105 +0,0 @@
-use rustc_hash::FxHashMap;
-pub mod regex {
-    use super::*;
-    pub fn get_regex_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_regex_query".to_string(), QUERIES_REGEX.to_string());
-        queries
-    }
-}
-pub mod bash {
-    use super::*;
-    pub fn get_bash_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_bash_query".to_string(), QUERIES_BASH.to_string());
-        queries
-    }
-}
-pub mod c {
-    use super::*;
-    pub fn get_c_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_c_query".to_string(), QUERIES_C.to_string());
-        queries
-    }
-}
-pub mod cpp {
-    use super::*;
-    pub fn get_cpp_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_cpp_query".to_string(), QUERIES_CPP.to_string());
-        queries
-    }
-}
-pub mod css {
-    use super::*;
-    pub fn get_css_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_css_query".to_string(), QUERIES_CSS.to_string());
-        queries
-    }
-}
-pub mod csharp {
-    use super::*;
-    pub fn get_csharp_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_csharp_query".to_string(), QUERIES_CSHARP.to_string());
-        queries
-    }
-}
-pub mod ruby {
-    use super::*;
-    pub fn get_ruby_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_ruby_query".to_string(), QUERIES_RUBY.to_string());
-        queries
-    }
-}
-pub mod rust {
-    use super::*;
-    pub fn get_rust_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_rust_query".to_string(), QUERIES_RUST.to_string());
-        queries
-    }
-}
-pub mod yaml {
-    use super::*;
-    pub fn get_yaml_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_yaml_query".to_string(), QUERIES_YAML.to_string());
-        queries
-    }
-}
-pub mod go {
-    use super::*;
-    pub fn get_go_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_go_query".to_string(), QUERIES_GO.to_string());
-        queries
-    }
-}
-pub mod html {
-    use super::*;
-    pub fn get_html_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_html_query".to_string(), QUERIES_HTML.to_string());
-        queries
-    }
-}
-pub mod java {
-    use super::*;
-    pub fn get_java_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_java_query".to_string(), QUERIES_JAVA.to_string());
-        queries
-    }
-}
-pub mod javascript {
-    use super::*;
-    pub fn get_javascript_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_javascript_query".to_string(), QUERIES_JAVASCRIPT.to_string());
-        queries
-    }
-}
-pub mod php {
-    use super::*;
-    pub fn get_php_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_php_query".to_string(), QUERIES_PHP.to_string());
-        queries
-    }
-}
-pub mod python {
-    use super::*;
-    pub fn get_python_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_python_query".to_string(), QUERIES_PYTHON.to_string());
-        queries
-    }
-}
-pub mod toml {
-    use super::*;
-    pub fn get_toml_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_toml_query".to_string(), QUERIES_TOML.to_string());
-        queries
-    }
-}
-pub mod typescript {
-    use super::*;
-    pub fn get_typescript_queries() -> FxHashMap<String, String> {
-        let mut queries = FxHashMap::default();
-        queries.insert("combined_typescript_query".to_string(), QUERIES_TYPESCRIPT.to_string());
-        queries
-    }
-}
-////////////////////////////////////////////////////////
-///
-pub const QUERIES_REGEX: &str = r#"
-(
-    (non_capturing_group
-        (pattern
-            (alternation)
-        )
-    )
-    (anonymous_capturing_group
-        (pattern) @key
-    )
-    (boundary_assertion)? @boundary
-)
-"#;
-pub const QUERIES_BASH: &str = r#"
-    (variable_assignment
-		name: (variable_name) @key
-		value: [(string)(word)] @val
-	)
-"#;
-pub const QUERIES_C: &str = r#"
-    ; Query 1: Matches variable declarations with string literal initializations
-    (declaration 
-        declarator: (init_declarator
-            declarator: (identifier) @key
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 2: Matches pointer variable declarations with string literal initializations
-    (declaration 
-        declarator: (init_declarator
-            declarator: (pointer_declarator
-                declarator: (identifier) @key
-            )
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 3: Matches assignments to variables, pointers, or struct fields with string literals
-    (assignment_expression 
-        left: [(identifier)(pointer_expression)(field_expression)] @key
-        right: (string_literal) @val
-    )
-
-    ; Query 4: Matches function calls with an identifier and string literal as arguments
-    (call_expression
-        function: (identifier)
-        arguments: (argument_list
-            (identifier) @key
-            (string_literal) @val
-        )
-    )
-
-    ; Query 5: Matches struct initializations with field designators and string literal values
-    (initializer_pair
-        designator: (field_designator
-            (field_identifier) @key
-        )
-        value: (string_literal) @val
-    )
-
-    ; Query 6: Matches struct declarations with pointer fields
-    (declaration
-        type: (struct_specifier
-            body: (field_declaration_list
-                (field_declaration
-                    declarator: (pointer_declarator
-                        declarator: (field_identifier) @key
-                    )
-                )
-            )
-        )
-    )
-
-    ; Query 7: Matches initializer lists containing string literals
-    (declaration
-        declarator: (init_declarator
-            declarator: [(identifier)(array_declarator)(pointer_declarator)] @key
-            value: (initializer_list
-                (string_literal) @val
-            )
-        )
-    )
-
-    ; Query 8: Matches function calls with string literal arguments
-    (call_expression
-        function: (identifier) @key
-        arguments: (argument_list
-            (string_literal) @val
-        )
-    )
-
-    ; Query 9: Matches array declarations with string literal initializations
-    (declaration 
-        declarator: (init_declarator
-            declarator: (array_declarator
-                declarator: (identifier) @key
-            )
-            value: (string_literal) @val
-        )
-    )
-"#;
-pub const QUERIES_CPP: &str = r#"
-    ; Query 1: Matches string declarations with literal initializations
-    ; Example: string s1 = "a string written here";
-    (declaration 
-        declarator: (init_declarator
-            declarator: (identifier) @key
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 2: Matches char pointer declarations with string literal initializations
-    ; Example: char *line = "a string written here";
-    (declaration 
-        declarator: (init_declarator
-            declarator: (pointer_declarator
-                declarator: (identifier) @key
-            )
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 3: Matches assignments to variables or object fields with string literals
-    ; Examples: s1 = "a string written here";
-    ;           myObj.myString = "Some text";
-    (assignment_expression 
-        left: [(identifier)(field_expression)] @key
-        right: (string_literal) @val
-    )
-
-    ; Query 4: Matches assignments to dereferenced pointers with string literals
-    ; Example: *msg = "a string here";
-    (assignment_expression 
-        left: (pointer_expression
-            argument: (identifier) @key
-        )
-        right: (string_literal) @val
-    )
-
-    ; Query 5: Matches string declarations with character and count initializations
-    ; Example: string s6 (15,'*');
-    (declaration 
-        declarator: (init_declarator
-                declarator: (identifier) @key
-                value: (argument_list
-                (char_literal) @val
-            )
-        )
-    )
-
-    ; Query 6: Matches function calls with identifier and string literal arguments
-    ; Example: strcpy(str, "this is a test");
-    (call_expression
-        function: (identifier)
-        arguments: (argument_list
-            (identifier) @key
-            (string_literal) @val
-        )
-    )
-
-    ; Query 7: Matches class field declarations with string literal default values
-    ; Example: string model = "test string 1";
-    (field_declaration
-        declarator: (field_identifier) @key
-        default_value: (string_literal) @val
-    )
-
-    ; Query 8: Matches class field declarations of char pointers with string literal default values
-    ; Example: char *ch = "another test string";
-    (field_declaration
-        declarator: (pointer_declarator
-            declarator: (field_identifier) @key
-        )
-        default_value: (string_literal) @val
-    )
-
-    ; Query 9: Matches function calls with string literal arguments
-    ; Example: SomeFunction("Passing a string");
-    (call_expression
-        function: (identifier) @key
-        arguments: (argument_list
-            (string_literal) @val
-        )
-    )
-
-    ; Query 10: Matches char array declarations with string literal initializations
-    ; Example: char my_str[] = "Hello";
-    (declaration 
-        declarator: (init_declarator
-            declarator: (array_declarator
-                declarator: (identifier) @key
-            )
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 11: Matches struct initializer pairs with string literal values
-    ; Example: .password = "@pple123"
-    (initializer_pair
-        designator: (field_designator
-            (field_identifier) @key
-        )
-        value: (string_literal) @val
-    )
-
-    ; Query 12: Matches struct declarations with char pointer fields and string literal initializations
-    ; Example: char* password; (in struct definition)
-    ;          employee_default = {0, "29304!@$#201u3242"}; (in struct initialization)
-    (declaration
-        type: (struct_specifier
-            body: (field_declaration_list
-                (field_declaration
-                    declarator: (pointer_declarator
-                        declarator: (field_identifier) @key
-                    )
-                )
-            )
-        )
-        declarator: (init_declarator
-            value: (initializer_list
-                (string_literal) @val
-            )
-        )
-    )
-"#;
-pub const QUERIES_CSS: &str = r#"
-    ; Query 1: Matches CSS declarations with string values
-    (declaration
-        (property_name) @key
-        (string_value) @val
-    )
-
-    ; Query 2: Matches CSS declarations with function calls
-    (declaration
-        (property_name) @key
-         (call_expression
-            (arguments
-                (plain_value) @val
-            )
-        )
-    )
-"#;
-pub const QUERIES_RUST: &str = r#"
-    ; Query 1: Matches let declarations with function calls containing string literal arguments
-    ; Example: let my_string = String::from("Hello, world!");
-    (let_declaration
-        pattern: (identifier) @key
-        value: (_
-            arguments: (arguments
-                (string_literal) @val
-            )
-        )
-    )
-
-    ; Query 2: Matches assignments to struct fields with function calls containing string literal arguments
-    ; Example: self.name = String::from("John Doe");
-    (assignment_expression
-        left: (_
-            field: (field_identifier) @key
-        )
-        right: (call_expression
-            arguments: (arguments
-                (string_literal) @val
-            )
-        )
-    )
-
-    ; Query 3: Matches let declarations with direct string literal assignments
-    ; Example: let greeting = "Hello, Rust!";
-    (let_declaration
-        pattern: (identifier) @key
-        value: (string_literal) @val
-    )
-
-    ; Query 4: Matches let declarations with macro invocations or other complex initializations
-    ; Example: let formatted = format!("Hello, {}!", name);
-    (let_declaration
-        pattern: (identifier) @key
-        value: (_
-            (token_tree) @val
-        )
-    )
-"#;
-pub const QUERIES_YAML: &str = r#"
-    ; Query 1: Matches key-value pairs in YAML block mappings
-    ; Examples:
-    ;   key: value
-    ;   another_key: "quoted value"
-    ;   third_key: 'single quoted value'
-    (block_mapping_pair
-        key: (flow_node
-            [(plain_scalar)(string_scalar)] @key
-        )
-        value: (flow_node
-            [(plain_scalar)(string_scalar)(single_quote_scalar)(double_quote_scalar)] @val
-        )
-    )
-"#;
-pub const QUERIES_CSHARP: &str = r#"
-    ; Query 1: Matches assignments to object properties
-    ; Example: obj.PropertyName = "value";
-    (assignment_expression
-        left: (member_access_expression
-            name: (identifier) @key
-        )
-        right: (string_literal) @val
-    )
-
-    ; Query 2: Matches variable declarations with object creation and string argument
-    ; Example: var obj = new SomeClass("string value");
-    (variable_declarator
-        (identifier) @key
-          (object_creation_expression
-              arguments: (argument_list
-                  (argument
-                      (string_literal) @val
-                  )
-              )
-          
-      )
-    )
-
-    ; Query 3: Matches variable declarations with string literals, verbatim strings, or interpolated strings
-    ; Examples: 
-    ;   string str = "Hello";
-    ;   string verbatim = @"C:\path\to\file";
-    ;   string interpolated = $"Hello, {name}";
-    (variable_declaration
-        (variable_declarator
-            name: (identifier) @key
-                [(string_literal)(verbatim_string_literal)(interpolated_string_expression)] @val
-            
-        )
-    )
-
-    ; Query 4: Matches variable declarations with string literal in an initializer expression
-    ; Example: SomeType var = new SomeType { StringProp = "value" };
-    (assignment_expression
-        left: (identifier) @key
-        right: (string_literal) @val
-    )
-"#;
-pub const QUERIES_RUBY: &str = r#"
-    ; Assignment with identifier or instance variable
-    (assignment
-        left: [(identifier)(instance_variable)] @key
-        right: [(string)(integer)] @val
-    )
-    
-    ; Operator assignment
-    (operator_assignment
-        left: (identifier) @key
-        right: [(string)(integer)] @val
-    )
-    
-    ; Assignment with method call on left side
-    (assignment
-        left: (call
-            method: (identifier) @key
-        )
-        right: [(string)(integer)] @val
-    )
-    
-    ; Assignment with right_assignment_list
-    (assignment
-        left: (identifier) @key
-        right: (right_assignment_list
-            [(string)(integer)] @val
-        )
-    )
-    
-    ; Assignment with method call and string argument
-    (assignment
-        left: (identifier) @key
-        right: (call
-            arguments: (argument_list
-                (string
-                    (string_content) @val
-                )
-            )
-        )
-    )
-    
-    ; Assignment with constant
-    (assignment
-        left: (constant) @key
-        right: [(string)(integer)] @val
-    )
-    
-    ; Method call with receiver and string argument
-    (call
-        receiver: (identifier) @key
-        method: (identifier)
-        arguments: (argument_list
-            (string
-                (string_content) @val
-            )
-        )
-    )
-    
-    ; Assignment with method call and two string arguments
-    (assignment
-        left: (identifier)
-        right: (call
-            arguments: (argument_list
-                (string
-                    (string_content) @key
-                )
-                (string
-                    (string_content) @val
-                )
-            )
-        )
-    )
-    
-    ; Method call with receiver and two string arguments
-    (call
-        receiver: (identifier)
-        method: (identifier)
-        arguments: (argument_list
-            (string
-                (string_content) @key
-            )
-            (string
-                (string_content) @val
-            )
-        )
-    )
-    
-    ; Method call with string argument
-    (call
-        method: (identifier) @key
-        arguments: (argument_list
-            (string) @val
-        )
-    )
-    
-    ; Assignment with string array
-    (assignment
-        left: (identifier) @key
-        right: (string_array
-            (bare_string
-                (string_content) @val
-            )
-        )
-    )
-"#;
-pub const QUERIES_GO: &str = r#"
-    ; Query 1: Matches variable declarations with string literal values
-    (var_spec
-        name: (identifier) @key
-        value: (expression_list
-            [(interpreted_string_literal)(raw_string_literal)] @val
-        )
-    )
-
-    ; Query 2: Matches short variable declarations with string literal values
-    (short_var_declaration
-        left: (expression_list
-            (identifier) @key
-        )
-        right: (expression_list
-            [(interpreted_string_literal)(raw_string_literal)] @val
-        )
-    )
-
-    ; Query 3: Matches assignment statements with string literal values
-    (assignment_statement
-        left: (expression_list
-            (identifier) @key
-        )
-        right: (expression_list
-            [(interpreted_string_literal)(raw_string_literal)] @val
-        )
-    )
-
-    ; Query 4: Matches short variable declarations with selector expressions and string literal values
-    (short_var_declaration
-        left: (expression_list
-            (selector_expression
-                field: (field_identifier) @key
-            )
-        )
-        right: (expression_list
-            [(interpreted_string_literal)(raw_string_literal)] @val
-        )
-    )
-
-    ; Query 5: Matches assignment statements with selector expressions and string literal values
-    (assignment_statement
-        left: (expression_list
-            (selector_expression) @key
-        )
-        right: (expression_list
-            [(interpreted_string_literal)(raw_string_literal)] @val
-        )
-    )
-
-    ; Query 6: Matches variable specifications with optional type and string literal values
-    (var_spec
-        (identifier) @key
-        (type_identifier)?
-        "="
-        (expression_list
-          [(interpreted_string_literal)(raw_string_literal)] @val
-        )+
-    )
-"#;
-pub const QUERIES_HTML: &str = r#"
-    ; Query 1: Matches HTML elements with text content
-    (element
-        (start_tag (tag_name) @key)
-        (text) @val
-    )
-
-    ; Query 2: Matches HTML attributes with quoted values
-    (attribute
-        (attribute_name) @key
-        (quoted_attribute_value
-            (attribute_value) @value
-        )
-    )
-
-    ; Query 3: Extracts embedded JavaScript from script tags
-    (script_element
-        (start_tag) @key
-        (raw_text) @val
-    )
-"#;
-pub const QUERIES_JAVA: &str = r#"
-    ; Query 1: Local variable declarations with direct string assignments
-    (local_variable_declaration
-        declarator: (variable_declarator
-            name: (identifier) @key
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 2: Field declarations with direct string assignments
-    (field_declaration
-        declarator: (variable_declarator
-            name: (identifier) @key
-            value: (string_literal) @val
-        )
-    )
-
-    ; Query 3: Identifier assignment with direct string literal
-    (assignment_expression
-        left: (identifier) @key
-        right: (string_literal) @val
-    )
-
-    ; Query 4: Field assignment with direct string literal
-    (assignment_expression
-        left: (field_access
-            field: (identifier) @key
-        )
-        right: (string_literal) @val
-    )
-
-    ; Query 5: Local variable assignment from constructor call containing a string
-    (local_variable_declaration
-        declarator: (variable_declarator
-            name: (identifier) @key
-            value: (object_creation_expression
-                arguments: (argument_list
-                    (string_literal) @val
-                )
-            )
-        )
-    )
-
-    ; Query 6: Local variable assignment from method call containing a string
-    (local_variable_declaration
-        declarator: (variable_declarator
-            name: (identifier) @key
-            value: (method_invocation
-                arguments: (argument_list
-                    (string_literal) @val
-                )
-            )
-        )
-    )
-"#;
-pub const QUERIES_JAVASCRIPT: &str = r#"
-   ; Query 1: Matches assignments to object properties
-    (assignment_expression
-        left: (member_expression
-            property: (property_identifier) @key
-        )
-        right: [
-            (string (string_fragment) @val)
-            (template_string) @val
-        ]
-    )
-
-    ; Query 2: Matches variable declarations with literal values
-    (variable_declarator
-        name: (identifier) @key
-        value: [
-            (string (string_fragment) @val)
-            (template_string) @val
-        ]
-    )
-
-    ; Query 3: Matches variable declarations with object literals
-    (variable_declarator
-        name: (identifier)
-        value: (object
-            (pair
-                key: (property_identifier) @key
-                value: [
-                    (string (string_fragment) @val)
-                    (template_string) @val
-                ]
-            )
-        )
-    )
-
-    ; Query 4: Matches function calls with identifier and string arguments
-    (call_expression
-        arguments: (arguments
-            (identifier) @key
-            [
-                (string (string_fragment) @val)
-                (template_string) @val
-            ]
-        )
-    )
-
-    ; Query 5: Matches object literal key-value pairs
-    (pair
-        key: (property_identifier) @key
-        value: [
-            (string (string_fragment) @val)
-            (template_string) @val
-        ]
-    )
-
-    ; Query 6: Matches assignments to array or object elements
-    (assignment_expression
-        left: (subscript_expression
-            index: [(string)(identifier)] @key
-        )
-        right: [
-            (string (string_fragment) @val)
-            (template_string) @val
-        ]
-    )
-
-    ; Query 7: Matches method calls on objects with string arguments
-    (call_expression
-        function: (member_expression
-            object: (identifier) @key
-        )
-        arguments: (arguments
-            [
-                (string
-                    (string_fragment) @val
-                )
-                (template_string) @val
-            ]
-        )
-    )
-"#;
-pub const QUERIES_PHP: &str = r#"
-    ; Query 1: Matches variable assignments
-    (expression_statement
-        (assignment_expression
-            left: (variable_name
-                (name) @key
-            )
-            right: [(string)(integer)] @val
-        )
-    )
-
-    ; Query 2: Matches property declarations with initializers
-    (property_declaration
-        (property_element
-            (variable_name
-                (name) @key
-            )
-            default_value: (string
-            	(string_content) @val	
-            )
-        )
-    )
-
-    ; Query 3: Matches assignments to object properties
-    (expression_statement
-        (assignment_expression
-            left: (member_access_expression
-                (name) @key
-            )
-            right: [(string)(integer)] @val
-        )
-    )
-
-
-    ; Query 4: Matches method calls with string or integer arguments
-    (expression_statement
-        (member_call_expression
-            name: (name) @key
-            arguments: (arguments
-                (argument
-                	[(string)(integer)] @val
-                )
-            )
-        )
-    )
-    
-    ; Query 5
-    (expression_statement
-    	(variable_name) @key
-        (_
-        	(name) @val
-        )
-    )
-    
-    ; Query 6
-    (assignment_expression
-    	left: (variable_name
-        	(name) @key
-        )
-        right: (encapsed_string
-        	(string_content) @val
-        )
-    )
-    
-    ; Query 7
-    (assignment_expression
-    	left: (member_access_expression
-        	name: (name) @key
-        )
-        right: (encapsed_string
-        	(string_content) @val
-        )
-    )
-"#;
-pub const QUERIES_PYTHON: &str = r#"
-    ; Query 1: Matches assignments to object attributes
-    (assignment
-        left: (attribute
-            attribute: (identifier) @key
-        )
-        right: [(string)(integer)] @val
-    )
-
-    ; Query 2: Matches dictionary key-value pairs
-    (pair
-        key: (string) @key
-        value: [(string)(integer)(attribute)] @val
-    )
-
-    ; Query 3: Matches function calls with keyword arguments
-    (call
-        arguments: (argument_list
-            (keyword_argument
-                name: (identifier) @key
-                value: (string) @val
-            )
-        )
-    )
-
-    ; Query 4: Matches function calls with keyword arguments containing tuples, lists, or attributes
-    (call
-        arguments: (argument_list
-            (keyword_argument
-                name: (identifier) @key
-                value: [
-                        (tuple(attribute) @val)
-                        (list(string) @val)
-                        ]
-            )
-        )
-    )
-
-    ; Query 5: Matches assignments with function calls containing string or integer arguments
-    (expression_statement
-        (assignment
-            left: (_) @key
-            right: (expression_list
-                (call
-                    arguments: (argument_list
-                        [(string)(integer)] @val
-                    )
-                ) 
-            )
-        )
-    )
-
-    ; Query 6: Matches assignments with dictionary values
-    (expression_statement
-        (assignment
-            left: (_) @key
-            right: (expression_list
-                (dictionary
-                    (pair) @val
-                )
-            )
-        )
-    )
-
-    ; Query 7: Matches function calls with keyword arguments containing lists of strings
-    (call
-        arguments: (argument_list
-            (keyword_argument
-                name: (identifier) @key
-                value: (list
-                    (string) @val
-                )
-            )
-        )
-    )
-
-    ; Query 8: Matches function calls with keyword arguments containing dictionaries
-    (call
-        arguments: (argument_list
-            (keyword_argument
-                name: (identifier) @key
-                value: (dictionary
-                    (pair) @val
-                )
-            )
-        )
-    )
-
-    ; Query 9: Matches function calls with keyword arguments containing tuples
-    (call
-        arguments: (argument_list
-            (keyword_argument
-                name: (identifier) @key
-                value: (tuple
-                    (_) @val
-                )
-            )
-        )
-    )
-
-    ; Query 10: Matches simple variable assignments
-    (assignment
-        left: (identifier) @key
-        right: [(string)(integer)] @val
-    )
-
-    ; Query 11: Matches assignments with function calls containing string arguments
-    (assignment
-        left: (identifier) @key
-        right: (call
-            arguments: (argument_list
-                (string) @val
-            )
-        )
-    )
-
-    ; Query 12: Matches assignments with method calls containing string arguments
-    (assignment
-        right: (call
-            function: (attribute) @key
-            arguments: (argument_list
-                (string) @val
-            )
-        )
-    )
-
-    ; Query 13: Matches string arguments in function calls
-    (call
-        function: (attribute) @key
-        arguments: (argument_list
-            (string
-                (string_content) @val
-            )
-        )
-    )
-"#;
-pub const QUERIES_TOML: &str = r#"
-    ; Query 1: Matches key-value pairs
-    (pair
-        [(bare_key)(string)] @key
-        [(bare_key)(string)] @val
-    )
-
-    ; Query 2: Matches key-value pairs with array values containing strings
-    (pair
-        [(bare_key)(string)] @key
-        (array
-            (string) @val
-        )
-    )
-
-    ; Query 3: Matches key-value pairs with nested array values containing strings
-    (pair
-        [(bare_key)(string)] @key
-        (array
-            (array
-                (string) @val
-            )
-        )
-    )
-"#;
-pub const QUERIES_TYPESCRIPT: &str = r#"
-    ; Query 1: Matches variable declarations with string or number values
-    (variable_declarator
-        name: (identifier) @key
-        value: [(string)(template_string)(number)] @val
-    )
-
-    ; Query 2: Matches assignments to variables or object properties
-    (assignment_expression
-        left: [(member_expression)(identifier)] @key
-        right: [(string)(template_string)(number)] @val
-    )
-
-    ; Query 3: Matches variable declarations with string literal type annotations
-    (variable_declarator
-        name: (identifier) @key
-        type: (type_annotation
-            (literal_type
-                (string) @val
-            )
-        )
-    )
-
-    ; Query 4: Matches object property definitions with array values containing strings
-    (pair
-        key: (property_identifier) @key
-        value: (
-            (array
-                [(string)(template_string)] @val
-            )
-        )
-    )
-
-    ; Query 5: Matches object property definitions with string or number values
-    (pair
-        key: (property_identifier) @key
-        value: [(string)(template_string)(number)] @val
-    )
-
-    ; Query 6: Matches property signatures with literal types
-    (property_signature
-        name: (property_identifier) @key
-        (_ 
-            (literal_type) @val
-        )
-    )
-
-    ; Query 7: Matches property signatures with union types
-    (property_signature
-        name: (property_identifier) @key
-        type: (type_annotation
-            (union_type) @val
-        )
-    )
-
-    ; Query 8: Matches method calls with string arguments
-    (call_expression
-        function: (_ 
-            property: (property_identifier) @key
-        )
-        arguments: (arguments
-            [(string)(template_string)] @val
-        )
-    )
-"#;
diff --git a/src/scanner/processing.rs b/src/scanner/processing.rs
index 42e2327..7b572e7 100644
--- a/src/scanner/processing.rs
+++ b/src/scanner/processing.rs
@@ -6,7 +6,7 @@ use crate::{
     blob::{Blob, BlobMetadata},
     content_type::ContentInspector,
     location::LocationMapping,
-    matcher::{should_attempt_tree_sitter, Match, Matcher, OwnedBlobMatch, ScanResult},
+    matcher::{should_attempt_context_verification, Match, Matcher, OwnedBlobMatch, ScanResult},
     origin::{Origin, OriginSet},
     scanner::repos::DatastoreMessage,
     Path,
@@ -32,7 +32,7 @@ impl<'a> BlobProcessor<'a> {
     ) -> Result<Option<DatastoreMessage>> {
         let _span = debug_span!("matcher", temp_id = blob.temp_id()).entered();
         let t1 = Instant::now();
-        let language_hint = if fast_mode || !should_attempt_tree_sitter(blob.len()) {
+        let language_hint = if fast_mode || !should_attempt_context_verification(blob.len()) {
             None
         } else {
             origin
diff --git a/testdata/css_vulnerable.css b/testdata/css_vulnerable.css
new file mode 100644
index 0000000..2a7040b
--- /dev/null
+++ b/testdata/css_vulnerable.css
@@ -0,0 +1,8 @@
+.banner {
+  password: "blink182";
+  background-image: url("all-along-the-watchtower");
+}
+
+.secret-key {
+  content: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234";
+}
diff --git a/testdata/parsers/comment_only_context.py b/testdata/parsers/comment_only_context.py
new file mode 100644
index 0000000..89344d6
--- /dev/null
+++ b/testdata/parsers/comment_only_context.py
@@ -0,0 +1,2 @@
+# auth0 token abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
+# password = "superSecret123"
diff --git a/tests/int_base64.rs b/tests/int_base64.rs
index d0fc980..bb1661a 100644
--- a/tests/int_base64.rs
+++ b/tests/int_base64.rs
@@ -61,7 +61,7 @@ fn skips_base64_when_disabled() -> anyhow::Result<()> {
     Ok(())
 }
 
-// Ensure disabling Base64 decoding does not trigger tree-sitter errors on empty files
+// Ensure disabling Base64 decoding does not trigger context verifier errors on empty files
 #[test]
 fn no_base64_skips_empty_files() -> anyhow::Result<()> {
     let dir = tempdir()?;
@@ -87,9 +87,9 @@ fn no_base64_skips_empty_files() -> anyhow::Result<()> {
     Ok(())
 }
 
-// Ensure tree-sitter based decoding works even when the standalone base64 scanner is disabled
+// Ensure parser-based context extraction still surfaces base64-looking code assignments
 #[test]
-fn detects_base64_in_code_with_tree_sitter() -> anyhow::Result<()> {
+fn detects_base64_in_code_with_context_verifier() -> anyhow::Result<()> {
     let dir = tempdir()?;
     let file_path = dir.path().join("secret.py");
     // Base64 for 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
diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
new file mode 100644
index 0000000..44f85c9
--- /dev/null
+++ b/tests/int_context_verification.rs
@@ -0,0 +1,83 @@
+use std::{fs, process::Command};
+
+use anyhow::{Context, Result};
+use serde_json::{Deserializer, Value};
+
+#[test]
+fn scan_findings_match_pre_removal_baseline() -> Result<()> {
+    let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
+        .args(["scan", "testdata", "--format", "json", "--no-validate", "--no-update-check"])
+        .output()
+        .context("run kingfisher scan against testdata")?;
+
+    let code = output.status.code().unwrap_or_default();
+    assert!(
+        matches!(code, 0 | 200),
+        "expected exit code 0 or 200, got {code}. stderr:\n{}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+
+    let stdout = String::from_utf8(output.stdout).context("scan stdout is not valid utf-8")?;
+    let mut stream = Deserializer::from_str(&stdout).into_iter::<Value>();
+    let value = stream
+        .next()
+        .transpose()
+        .context("parse scan json output")?
+        .context("scan output did not contain a json object")?;
+
+    let findings = value
+        .get("findings")
+        .and_then(Value::as_array)
+        .context("scan output missing findings array")?;
+
+    let mut actual = findings
+        .iter()
+        .filter(|finding| {
+            finding
+                .get("finding")
+                .and_then(Value::as_object)
+                .and_then(|data| data.get("path"))
+                .and_then(Value::as_str)
+                .map(|path| !path.starts_with("testdata/parsers/"))
+                .unwrap_or(true)
+        })
+        .map(|finding| {
+            let rule = finding.get("rule").and_then(Value::as_object).cloned().unwrap_or_default();
+            serde_json::json!({
+                "rule_id": rule.get("id").and_then(Value::as_str),
+                "snippet": finding
+                    .get("finding")
+                    .and_then(Value::as_object)
+                    .and_then(|data| data.get("snippet"))
+                    .and_then(Value::as_str),
+            })
+        })
+        .collect::<Vec<_>>();
+    actual.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
+
+    let mut expected = serde_json::from_str::<Vec<Value>>(
+        &fs::read_to_string("testdata/parsers/scan_findings_baseline.json")
+            .context("read scan findings baseline")?,
+    )
+    .context("parse scan findings baseline json")?
+    .into_iter()
+    .filter(|finding| finding.get("snippet").and_then(Value::as_str).is_some())
+    .map(|finding| {
+        serde_json::json!({
+            "rule_id": finding.get("rule_id").and_then(Value::as_str),
+            "snippet": finding.get("snippet").and_then(Value::as_str),
+        })
+    })
+    .filter(|finding| {
+        finding
+            .get("snippet")
+            .and_then(Value::as_str)
+            .map(|snippet| !snippet.is_empty())
+            .unwrap_or(true)
+    })
+    .collect::<Vec<_>>();
+    expected.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
+
+    assert_eq!(actual, expected);
+    Ok(())
+}

From 5aa5e1e218dde37b53f29404ca2b5c3a2a9f7cba Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 08:02:14 -0700
Subject: [PATCH 08/17] Replaced tree-sitter with a lighter parser-based
 context verifier built from handwritten lexers plus tl/cssparser, preserving
 context-dependent matching while cutting about 19 MB from the release binary.

---
 .gitignore                             |  2 ++
 testdata/html_embedded_vulnerable.html | 16 ++++++++++++++++
 testdata/html_vulnerable.html          |  7 +++++++
 3 files changed, 25 insertions(+)
 create mode 100644 testdata/html_embedded_vulnerable.html
 create mode 100644 testdata/html_vulnerable.html

diff --git a/.gitignore b/.gitignore
index 1490502..d6bc06a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,8 @@ logs/*
 *.orig
 *.rej
 *.html
+!testdata/html_vulnerable.html
+!testdata/html_embedded_vulnerable.html
 !docs/access-map-viewer/index.html
 !docs-site/overrides/*.html
 *.dot
diff --git a/testdata/html_embedded_vulnerable.html b/testdata/html_embedded_vulnerable.html
new file mode 100644
index 0000000..ecf3d0a
--- /dev/null
+++ b/testdata/html_embedded_vulnerable.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<html>
+  <head>
+    <style>
+      .auth0_client_secret {
+        content: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234";
+      }
+    </style>
+  </head>
+  <body>
+    <script>
+      const auth0_client_secret = "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234";
+      const password = "superSecret123";
+    </script>
+  </body>
+</html>
diff --git a/testdata/html_vulnerable.html b/testdata/html_vulnerable.html
new file mode 100644
index 0000000..0b1cbef
--- /dev/null
+++ b/testdata/html_vulnerable.html
@@ -0,0 +1,7 @@
+<!doctype html>
+<html>
+  <body data-api-key="html-key-123" secret_key="all along the watchtower">
+    <div password="blink182">hunter2</div>
+    <meta name="auth0_client_secret" content="abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234">
+  </body>
+</html>

From 17c57e96e333c47dcfb7e39c5b54ca6b92e8cbd2 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 08:29:50 -0700
Subject: [PATCH 09/17] changes in response to PR review

---
 crates/kingfisher-rules/data/rules/adobe.yml       | 14 ++++++++------
 crates/kingfisher-rules/data/rules/tableau.yml     |  2 +-
 .../src/validation/http_validation.rs              |  4 ++++
 docs/RULES.md                                      |  3 ++-
 src/direct_validate.rs                             |  5 +----
 src/parser/html.rs                                 |  7 ++-----
 src/reporter.rs                                    |  6 ++----
 src/validation_rate_limit.rs                       | 11 ++++-------
 8 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/crates/kingfisher-rules/data/rules/adobe.yml b/crates/kingfisher-rules/data/rules/adobe.yml
index 5983e12..02ea4cb 100644
--- a/crates/kingfisher-rules/data/rules/adobe.yml
+++ b/crates/kingfisher-rules/data/rules/adobe.yml
@@ -71,9 +71,10 @@ rules:
       - |
           {
             "adobe_client_credentials": {
-            "client_id": "a65b0146769d433a835f36660881db50",
-            "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
-          },
+              "client_id": "a65b0146769d433a835f36660881db50",
+              "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
+            }
+          }
     depends_on_rule:
       - rule_id: "kingfisher.adobe.4"
         variable: ADOBE_CLIENT_ID
@@ -120,6 +121,7 @@ rules:
       - |
           {
             "adobe_client_credentials": {
-            "client_id": "a65b0146769d433a835f36660881db50",
-            "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
-          },
+              "client_id": "a65b0146769d433a835f36660881db50",
+              "client_secret": "p8e-ibndcvsmAp9ZgPBZ606FSlYIZVlsZ-g5"
+            }
+          }
diff --git a/crates/kingfisher-rules/data/rules/tableau.yml b/crates/kingfisher-rules/data/rules/tableau.yml
index 14b0510..57127c5 100644
--- a/crates/kingfisher-rules/data/rules/tableau.yml
+++ b/crates/kingfisher-rules/data/rules/tableau.yml
@@ -13,7 +13,7 @@ rules:
         X-Tableau-Auth
         (?:.|[\n\r]){0,16}?
       )
-      (
+      (?:
         (?P<TABLEAU_PAT_NAME>[A-Za-z0-9+/]{12,24}
         (?:={1,2})?
         )
diff --git a/crates/kingfisher-scanner/src/validation/http_validation.rs b/crates/kingfisher-scanner/src/validation/http_validation.rs
index 2fb1f0e..0862323 100644
--- a/crates/kingfisher-scanner/src/validation/http_validation.rs
+++ b/crates/kingfisher-scanner/src/validation/http_validation.rs
@@ -76,6 +76,10 @@ fn format_rfc1123(now: OffsetDateTime) -> String {
     rendered.strip_suffix(" +0000").map(|prefix| format!("{prefix} GMT")).unwrap_or(rendered)
 }
 
+pub fn is_auto_provided_request_var(var: &str) -> bool {
+    matches!(var, "REQUEST_RFC1123_DATE" | "REQUEST_UNIX_MILLIS")
+}
+
 /// Clone `globals` and add stable request-scoped values for templated request rendering.
 ///
 /// These values are computed once so the same generated timestamp can be reused across the URL,
diff --git a/docs/RULES.md b/docs/RULES.md
index 6386da9..9fca4a8 100644
--- a/docs/RULES.md
+++ b/docs/RULES.md
@@ -943,4 +943,5 @@ rules:
               words: ['"Arn"']
     depends_on_rule:
       - rule_id: kingfisher.alibabacloud.1
-        variable: AKID```
+        variable: AKID
+```
diff --git a/src/direct_validate.rs b/src/direct_validate.rs
index 9a03bbe..77365df 100644
--- a/src/direct_validate.rs
+++ b/src/direct_validate.rs
@@ -29,6 +29,7 @@ use crate::{
         azure::validate_azure_storage_credentials,
         coinbase::validate_cdp_api_key,
         gcp::GcpValidator,
+        httpvalidation::is_auto_provided_request_var,
         httpvalidation::validate_response,
         httpvalidation::{build_request_builder, retry_request},
         jdbc::validate_jdbc,
@@ -133,10 +134,6 @@ fn extract_template_vars(text: &str) -> BTreeSet<String> {
     re.captures_iter(text).filter_map(|cap| cap.get(1).map(|m| m.as_str().to_uppercase())).collect()
 }
 
-fn is_auto_provided_request_var(var: &str) -> bool {
-    matches!(var, "REQUEST_RFC1123_DATE" | "REQUEST_UNIX_MILLIS")
-}
-
 /// Extract all template variables used in a validation configuration.
 fn extract_validation_vars(validation: &Validation) -> BTreeSet<String> {
     let mut vars = BTreeSet::new();
diff --git a/src/parser/html.rs b/src/parser/html.rs
index 0a2aeac..02a3482 100644
--- a/src/parser/html.rs
+++ b/src/parser/html.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use tl::{Node, ParserOptions};
+use tl::ParserOptions;
 
 use super::{css, lexer, Language};
 
@@ -53,10 +53,7 @@ where
                 }
             }
             _ => {
-                if !inner_text.is_empty()
-                    && !matches!(node, Node::Comment(_))
-                    && !sink(&format!("{tag_name} = {inner_text}"))
-                {
+                if !inner_text.is_empty() && !sink(&format!("{tag_name} = {inner_text}")) {
                     return Ok(());
                 }
             }
diff --git a/src/reporter.rs b/src/reporter.rs
index 9233cc7..7999651 100644
--- a/src/reporter.rs
+++ b/src/reporter.rs
@@ -12,6 +12,8 @@ use schemars::JsonSchema;
 use serde::Serialize;
 use url::Url;
 
+use kingfisher_scanner::validation::http_validation::is_auto_provided_request_var;
+
 use crate::{
     access_map::{AccessSummary, AccessTokenDetails, ProviderMetadata, ResourceExposure},
     blob::BlobMetadata,
@@ -86,10 +88,6 @@ fn extract_template_vars(text: &str) -> BTreeSet<String> {
     vars
 }
 
-fn is_auto_provided_request_var(var: &str) -> bool {
-    matches!(var, "REQUEST_RFC1123_DATE" | "REQUEST_UNIX_MILLIS")
-}
-
 fn required_vars_for_validation(validation: &crate::rules::Validation) -> BTreeSet<String> {
     use crate::rules::Validation;
     let mut vars = BTreeSet::new();
diff --git a/src/validation_rate_limit.rs b/src/validation_rate_limit.rs
index 9eb9eb8..e7413cb 100644
--- a/src/validation_rate_limit.rs
+++ b/src/validation_rate_limit.rs
@@ -117,11 +117,8 @@ fn selector_matches(rule_id: &str, selector: &str) -> bool {
         || rule_id.strip_prefix(selector).is_some_and(|suffix| suffix.starts_with('.'))
 }
 
-pub fn should_rate_limit_validation(validation: &Validation) -> bool {
-    match validation {
-        Validation::Raw(raw) => raw != "custom",
-        _ => true,
-    }
+pub fn should_rate_limit_validation(_validation: &Validation) -> bool {
+    true
 }
 
 #[cfg(test)]
@@ -178,7 +175,7 @@ mod tests {
     }
 
     #[test]
-    fn should_skip_rate_limit_for_raw_validation() {
-        assert!(!should_rate_limit_validation(&Validation::Raw("custom".to_string())));
+    fn should_rate_limit_raw_validation() {
+        assert!(should_rate_limit_validation(&Validation::Raw("azurebatch".to_string())));
     }
 }

From 51b3b65706d0cea4cb79702d9ad3c10bfbff0e77 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 08:57:12 -0700
Subject: [PATCH 10/17] changes in response to PR review

---
 .gitignore                                    |   2 +
 .../data/rules/azurecosmosdb.yml              |   4 +-
 crates/kingfisher-rules/data/rules/kucoin.yml |   4 +-
 testdata/parsers/context_verifier_golden.json | 459 ++++++++++++++++++
 testdata/parsers/scan_findings_baseline.json  | 150 ++++++
 5 files changed, 615 insertions(+), 4 deletions(-)
 create mode 100644 testdata/parsers/context_verifier_golden.json
 create mode 100644 testdata/parsers/scan_findings_baseline.json

diff --git a/.gitignore b/.gitignore
index d6bc06a..1f27a8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,8 @@
 *.json
 !webserver/static/sample-report.json
 !docs/access-map-viewer/sample-report.json
+!testdata/parsers/context_verifier_golden.json
+!testdata/parsers/scan_findings_baseline.json
 !testdata/parsers/tree_sitter_capture_baseline.json
 *.jsonl
 *.bson
diff --git a/crates/kingfisher-rules/data/rules/azurecosmosdb.yml b/crates/kingfisher-rules/data/rules/azurecosmosdb.yml
index a531cb1..c1cf6e5 100644
--- a/crates/kingfisher-rules/data/rules/azurecosmosdb.yml
+++ b/crates/kingfisher-rules/data/rules/azurecosmosdb.yml
@@ -57,10 +57,10 @@ rules:
           url: "{{ COSMOS_ENDPOINT }}/dbs"
           headers:
             Accept: application/json
-            x-ms-date: '{%- assign x_ms_date = "" | date: "%a, %d %b %Y %H:%M:%S GMT" | downcase -%}{{ x_ms_date }}'
+            x-ms-date: '{{ REQUEST_RFC1123_DATE | downcase }}'
             x-ms-version: "2018-12-31"
             Authorization: |
-              {%- assign x_ms_date = "" | date: "%a, %d %b %Y %H:%M:%S GMT" | downcase -%}
+              {%- assign x_ms_date = REQUEST_RFC1123_DATE | downcase -%}
               {%- assign string_to_sign = "get\ndbs\n\n" | append: x_ms_date | append: "\n\n" -%}
               {%- assign signature = string_to_sign | hmac_sha256_b64key: TOKEN | url_encode -%}
               type=master&ver=1.0&sig={{ signature }}
diff --git a/crates/kingfisher-rules/data/rules/kucoin.yml b/crates/kingfisher-rules/data/rules/kucoin.yml
index 0d6fac4..dbf142d 100644
--- a/crates/kingfisher-rules/data/rules/kucoin.yml
+++ b/crates/kingfisher-rules/data/rules/kucoin.yml
@@ -67,10 +67,10 @@ rules:
             Accept: application/json
             Content-Type: application/json
             KC-API-KEY: "{{ KUCOIN_KEY }}"
-            KC-API-TIMESTAMP: '{%- assign ts = "" | unix_timestamp | times: 1000 -%}{{ ts }}'
+            KC-API-TIMESTAMP: "{{ REQUEST_UNIX_MILLIS }}"
             KC-API-KEY-VERSION: "2"
             KC-API-PASSPHRASE: '{%- assign passphrase = KUCOIN_PASSPHRASE | hmac_sha256: TOKEN -%}{{ passphrase }}'
-            KC-API-SIGN: '{%- assign ts = "" | unix_timestamp | times: 1000 -%}{%- assign prehash = ts | append: "GET" | append: "/api/v1/accounts" -%}{{ prehash | hmac_sha256: TOKEN }}'
+            KC-API-SIGN: '{%- assign prehash = REQUEST_UNIX_MILLIS | append: "GET" | append: "/api/v1/accounts" -%}{{ prehash | hmac_sha256: TOKEN }}'
           response_matcher:
             - report_response: true
             - type: StatusMatch
diff --git a/testdata/parsers/context_verifier_golden.json b/testdata/parsers/context_verifier_golden.json
new file mode 100644
index 0000000..d3393f2
--- /dev/null
+++ b/testdata/parsers/context_verifier_golden.json
@@ -0,0 +1,459 @@
+{
+  "bash:testdata/shell_vulnerable.sh": [
+    "IPADDRESS = 8.8.8.8",
+    "PASSWORD = s3cr3tp@ssw0rd",
+    "PWD = a9lah209la81la3",
+    "PASSPHRASE = all along the watchtower",
+    "KEY = qpsbnoewdmdsoeg",
+    "SECRET_KEY = 402750613792034973",
+    "PRIVATE_KEY = ja4wALsaho20af21dS",
+    "another_password = blink182",
+    "backup_password = letmein123",
+    "API_KEY = 932"
+  ],
+  "c:testdata/c_vulnerable.c": [
+    "id = 0",
+    "secret_key = my voice is my passport",
+    "employee_default = 0",
+    "employee_default = 8934#@hafRhzj13!d<2$F5q",
+    "age = 30",
+    "secret_key = John",
+    "strdup = John",
+    "password = Doe",
+    "strdup = Doe",
+    "msg = sunshine19",
+    "s1 = blink182",
+    "printf = values: %s; Age: %u\\n",
+    "age = 25",
+    "secret_key = 449a@QL#cha0213aKL:HF#@9;+_345Awd",
+    "strdup = 449a@QL#cha0213aKL:HF#@9;+_345Awd",
+    "printf = values: %s; Age: %u\\n",
+    "firstName = Marty",
+    "password = McFly",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "printf = values: %s; Age: %u\\n"
+  ],
+  "c_sharp:testdata/csharp_vulnerable.cs": [
+    "user = John",
+    "user = Doe",
+    "user = john@email.com",
+    "User = John",
+    "User = Doe",
+    "User = john@email.com",
+    "John = Doe",
+    "FirsName = Bob",
+    "ipAddress = 8.8.8.8",
+    "String = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd",
+    "String = s3cr3tp@ssw0rd",
+    "passwd = 9043hfdlasf023",
+    "String = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "String = a9lah209la81la3",
+    "password = all along the watchtower",
+    "String = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "String = qpsbnoewdmdsoeg",
+    "secretKey = 402750613792034973",
+    "String = 402750613792034973",
+    "privateKey = ja4wALsaho20af21dS",
+    "String = ja4wALsaho20af21dS",
+    "ip = 8.8.8.8",
+    "pass = s3cr3tp@ssw0rd 2",
+    "password = 9043hfdlasf023",
+    "secret = a9lah209la81la3",
+    "phrase = all along the watchtower",
+    "myKey = qpsbnoewdmdsoeg",
+    "secretKey = 402750613792034973",
+    "privateKey = ja4wALsaho20af21dS",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182",
+    "escaped = Hello \\\"World\\\"",
+    "name = John",
+    "firstName = John ",
+    "lastName = Doe",
+    "score = The score is {0}",
+    "score = 42",
+    "Format = The score is {0}",
+    "Format = 42"
+  ],
+  "cpp:testdata/cpp_vulnerable.cpp": [
+    "my_api_key = foo",
+    "setMyNum = 15",
+    "setMyString = p@ssw0rd123",
+    "setSecretKey = 23847601237597123230895",
+    "secret_pass = my voice is my passport",
+    "temp_password = short line for testing",
+    "s5 = 6",
+    "s5 = 4",
+    "6 = 4",
+    "szHackerProof = 15",
+    "szHackerProof = *",
+    "15 = *",
+    "strForFunc = Passing a string"
+  ],
+  "css:testdata/css_vulnerable.css": [
+    "password = blink182",
+    "background-image = url(",
+    "background-image = all-along-the-watchtower",
+    "content = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
+  ],
+  "go:testdata/go_vulnerable.go": [
+    "Println = hello world",
+    "ipAddress = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd",
+    "passwd = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "ipAddress = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd 2",
+    "passwd = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "ipAddress = 1a2w3eqwerty",
+    "password = space2001",
+    "passwd = space1958",
+    "pwd = qwertyuiop123",
+    "passphrase = trustno1",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182",
+    "badPassword = sunshine123",
+    "goodPassword = kingpin987",
+    "bestPassword = kingpin987",
+    "Printf = %s %s %s %s %s %s %s %s",
+    "AccessKey = 924JSR1PGW2D4MNRZX45",
+    "SecretKey = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+    "Println = >>done<<"
+  ],
+  "html:testdata/html_embedded_vulnerable.html": [
+    "html = .auth0_client_secret {\n        content: \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      }\n    \n  \n  \n    \n      const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
+    "head = .auth0_client_secret {\n        content: \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      }",
+    "content = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
+    "body = const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
+    "<script> = const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
+    "auth0_client_secret = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
+    "password = superSecret123"
+  ],
+  "html:testdata/html_vulnerable.html": [
+    "html = hunter2",
+    "data-api-key = html-key-123",
+    "secret_key = all along the watchtower",
+    "body = hunter2",
+    "password = blink182",
+    "div = hunter2",
+    "name = auth0_client_secret",
+    "content = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
+  ],
+  "java:testdata/java_vulnerable.java": [
+    "ipAddress = 8.8.8.8",
+    "String = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd",
+    "String = s3cr3tp@ssw0rd",
+    "passwd = 9043hfdlasf023",
+    "String = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "String = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "String = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "String = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "String = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "String = ja4wALsaho20af21dS",
+    "ipAddress = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd 2",
+    "passwd = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "ipAddress = 1a2w3eqwerty",
+    "password = grape1999",
+    "passwd = grape2020",
+    "pwd = qwertyuiop123",
+    "passphrase = trustno1",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182",
+    "println = Hello, World",
+    "strPassword = sunshine123",
+    "foobarPassword = kingpin987",
+    "horsePassword = kingpin987",
+    "ipAddress = 8.8.8.8",
+    "String = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd",
+    "String = s3cr3tp@ssw0rd",
+    "passwd = 9043hfdlasf023",
+    "String = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "String = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "String = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "String = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "String = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "String = ja4wALsaho20af21dS",
+    "ipAddress = 8.8.8.8",
+    "password = s3cr3tp@ssw0rd 2",
+    "passwd = 9043hfdlasf023",
+    "pwd = a9lah209la81la3",
+    "passphrase = all along the watchtower",
+    "key = qpsbnoewdmdsoeg",
+    "secret_key = 402750613792034973",
+    "private_key = ja4wALsaho20af21dS",
+    "ipAddress = 1a2w3eqwerty",
+    "password = grape87",
+    "passwd = grape2020",
+    "pwd = qwertyuiop123",
+    "passphrase = trustno1",
+    "println = Hello, World",
+    "put = 412389uSwYkRm1Tg!",
+    "put = fakefakefake@contoso.com",
+    "println = InitialDirContext"
+  ],
+  "javascript:testdata/javascript_vulnerable.js": [
+    "name = chris",
+    "password = hunter2",
+    "password = foo123",
+    "person = Bob Doe",
+    "carName = Buick",
+    "price = 300",
+    "person = Bob Doe",
+    "person = Buick",
+    "person = 300",
+    "password = qwerty123",
+    "secret_key = this is a secret key",
+    "person = John Doe",
+    "person = John Doe",
+    "carName = Volvo",
+    "carName = Volvo",
+    "price = 200",
+    "this_password = correct horse battery staple",
+    "foobaz = 75",
+    "number = 42",
+    "newpassword = sunshine123",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182"
+  ],
+  "php:testdata/php_vulnerable.php": [
+    "id = 4",
+    "lang = grape123",
+    "password = this_is_my_passport",
+    "v = Berne",
+    "v = Berne",
+    "v = Zurich1",
+    "api_key = 9823yrdfijo239jd3wsad30dj2d",
+    "v = trustno1",
+    "v = Genf",
+    "v = Geneva",
+    "v = Genève",
+    "property1 = Value 1",
+    "property2 = Value 2",
+    "property1 = property2",
+    "password = kingpin987",
+    "set_password = hunter2",
+    "set_color = Red",
+    "location = Essex",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182",
+    "sql = SELECT name, email FROM users WHERE id=$id",
+    "sql = SELECT name, email FROM users WHERE id=$id",
+    "color = beige",
+    "color = blue",
+    "comp = BMW",
+    "comp = Mercedes Benz"
+  ],
+  "python:testdata/parsers/comment_only_context.py": [],
+  "python:testdata/python_vulnerable.py": [
+    "staticGroupID = 0",
+    "customClassUser = this_is_a_user_id",
+    "customClassPassword = rJl8QgApOjNfEiMWQUR",
+    "Accept = application/json",
+    "password = thisisabadpassword",
+    "print = Welcome to this demo program",
+    "default_password = qwerty123",
+    "AppPassword = b12c789b123bn12389",
+    "NotAnything = 12i7128931238912739712893",
+    "PleaseNoFalsePostive = joe123",
+    "another_password = blink182",
+    "another_password_again = blink182",
+    "backup_password = letmein123",
+    "name = Peter",
+    "age = 23",
+    "print = %s is %d years old",
+    "print = {} is {} years old",
+    "print = {name} is {age} years old",
+    "pypi_value_01 = pypi-AgEIcHlwaS5vcmcCAWEAAAYgNh9pJUqVF-EtMCwGaZYcStFR07RbE8hyb9h2vYxifO8",
+    "pypi_value_02 = pypi-AgEIcHlwaS5vcmcCAWIAAAYgxbyLvb9egSCECeOdB3qW3h4oXEoNC6kJI0NtaFOQlUY",
+    "pypi_value_03 = pypi-AgEIcHlwaS5vcmcCAWIAAAYgf_d_XvJfqkOhrkqbEBo-eW9UID46ABNJIdGfaO3n3_k",
+    "pypi_value_04 = pypi-AgEIcHlwaS5vcmcCAWIAAiV7InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiAidXNlciJ9AAAGIBeIJGhXk8kPPref7vLuwlKbnSWusZKZivIh92GRUUX4",
+    "pypi_value_05 = pypi-AgEIcHlwaS5vcmcCAWIAAi97InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiB7InByb2plY3RzIjogW119fQAABiBWHBa1jsbY-iN-Swf3JCrxy8Q8eRCxMrc_1KkkDuB6KQ",
+    "pypi_value_06 = pypi-AgENdGVzdC5weXBpLm9yZwIBYgACL3sidmVyc2lvbiI6IDEsICJwZXJtaXNzaW9ucyI6IHsicHJvamVjdHMiOiBbXX19AAAGIFYcFrWOxtj6I35LB_ckKvHLxDx5ELEytz_UqSQO4Hop"
+  ],
+  "ruby:testdata/ruby_vulnerable.rb": [
+    "my_name = Roger Rabbit",
+    "my_number = 27",
+    "foo = My name is #{my_name} and my favorite number is #{my_number}.",
+    "foo = My name is #{my_name} and my favorite number is #{my_number}.",
+    "password = My voice is my passport:",
+    "password =  Verify me ",
+    "password =  MongoDB123",
+    "concat = Mongo",
+    "concat = DB",
+    "this_number = 23",
+    "this_word = rolling stone",
+    "aUser = Bicylops",
+    "aUser = Fleck",
+    "aUser = 260",
+    "aUser = Bicylops",
+    "aUser = Fleck",
+    "aUser = 260",
+    "new = Bicylops",
+    "new = Fleck",
+    "new = 260",
+    "Bicylops = Fleck",
+    "password = , ",
+    "password = , ",
+    "password = 123",
+    "send = password=",
+    "send = secret123",
+    "password= = secret123",
+    "my_api_key = 1",
+    "my_api_key = 1",
+    "my_api_key = SGwJgqnZYzH945UBWnauBuKXKLEhq5Le",
+    "my_api_key = 3",
+    "bVal = 88df97769ab3185f2c0b2a73fdae1b27d89409ca",
+    "bVal = 88df97769ab3185f2c0b2a73fdae1b27d89409ca",
+    "bVal = 3",
+    "bVal = car",
+    "GITHUB_KEY = 17df97169af3785f2c0b2a73dhba1c46f33928de",
+    "GITHUB_CLIENT_ID = Iv1.3e3354ce147fd412",
+    "GITHUB_APP_SECRET = 895b1da4051440395f90e1411c4a1150e423c922",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "hidden_passphrase = blink182"
+  ],
+  "rust:testdata/rust_vulnerable.rs": [
+    "user = John",
+    "user = Doe",
+    "user = john@email.com",
+    "new = John",
+    "new = Doe",
+    "new = john@email.com",
+    "John = Doe",
+    "first_name = Bob",
+    "from = Bob",
+    "ip = 8.8.8.8",
+    "str = 8.8.8.8",
+    "pass = s3cr3tp@ssw0rd 2",
+    "str = s3cr3tp@ssw0rd 2",
+    "api_key = Hello \\\"World\\\"",
+    "str = Hello \\\"World\\\"",
+    "multiline = This is a \\nmultiline string literal",
+    "str = This is a \\nmultiline string literal",
+    "key_id = AKIA6ODU5DHT7VPXGCE4",
+    "str = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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",
+    "str = eD4++rSUVbOmDrRI7EDLmskuwpAAddEA0WNwu+fI",
+    "hidden_passphrase = blink182",
+    "str = blink182",
+    "name = John",
+    "str = John",
+    "first_name = John ",
+    "str = John ",
+    "last_name = Doe",
+    "str = Doe"
+  ],
+  "toml:testdata/toml_vulnerable.toml": [
+    "name = vvp.auth.oidc.registration.clientSecret",
+    "valueFrom.secretKeyRef.name = mysecrets",
+    "valueFrom.secretKeyRef.key = oidc",
+    "name = spring.datasource.password",
+    "valueFrom.secretKeyRef.name = mysecrets",
+    "valueFrom.secretKeyRef.key = jdbc",
+    "name = vvp.auth.bootstrapToken.token",
+    "valueFrom.secretKeyRef.name = mysecrets",
+    "valueFrom.secretKeyRef.key = blink182",
+    "private_key = all along the watchtower",
+    "my_private_key = ja4wALsaho20af21dS",
+    "kind = Opaque",
+    "password = dG9wLVNlY3JldA==",
+    "jdbc = dG9wLVNlY3JldA==",
+    "my_unique_authorization_key = dG9wLVNlY3JldA==",
+    "aws_key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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"
+  ],
+  "typescript:testdata/typescript_vulnerable.ts": [
+    "say = a bird in hand > two in the bush",
+    "html = <div> I would just like to say : ${say}</div>",
+    "bob_password = allthesecretsarehere",
+    "sally_password = superSecret123",
+    "i = 0",
+    "i = 0",
+    "i = +",
+    "i = +",
+    "for = 0",
+    "for = +",
+    "for = +",
+    "0 = +",
+    "replace = &amp;",
+    "replace = /g, ",
+    "replace = 39",
+    "replace = &lt;",
+    "replace = &gt;",
+    "result = -",
+    "result = 1",
+    "password = chicken",
+    "person = Bob Doe",
+    "carName = Buick",
+    "price = 300",
+    "person = Bob Doe",
+    "person = Buick",
+    "person = 300",
+    "password = qwerty123",
+    "secret_key = this is a secret key",
+    "person = John Doe",
+    "person = John Doe",
+    "carName = Volvo",
+    "carName = Volvo",
+    "price = 200",
+    "this_password = correct horse battery staple",
+    "newpassword = sunshine123"
+  ],
+  "yaml:testdata/yaml_vulnerable.yaml": [
+    "name = vvp.auth.oidc.registration.clientSecret",
+    "name = mysecrets",
+    "key = oidc",
+    "name = spring.datasource.password",
+    "name = mysecrets",
+    "key = jdbc",
+    "name = vvp.auth.bootstrapToken.token",
+    "name = mysecrets",
+    "key = blink182",
+    "apiVersion = v1",
+    "kind = Secret",
+    "private_key = all along the watchtower",
+    "my_private_key = ja4wALsaho20af21dS",
+    "type = Opaque",
+    "password = dG9wLVNlY3JldA==",
+    "jdbc = dG9wLVNlY3JldA==",
+    "my_unique_authorization_key = dG9wLVNlY3JldA==",
+    "aws_key_id = AKIA6ODU5DHT7VPXGCE4",
+    "aws_secret = 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"
+  ]
+}
diff --git a/testdata/parsers/scan_findings_baseline.json b/testdata/parsers/scan_findings_baseline.json
new file mode 100644
index 0000000..f10b56f
--- /dev/null
+++ b/testdata/parsers/scan_findings_baseline.json
@@ -0,0 +1,150 @@
+[
+  {
+    "rule_id": "kingfisher.aws.2",
+    "snippet": "eD4++rSUVbOmDrRI7EDLmskuwpAAddEA0WNwu+fI"
+  },
+  {
+    "rule_id": "kingfisher.credentials.1",
+    "snippet": "gitlab-ci-token"
+  },
+  {
+    "rule_id": "kingfisher.github.8",
+    "snippet": "17df97169af3785f2c0b2a73dhba1c46f33928de"
+  },
+  {
+    "rule_id": "kingfisher.google.7",
+    "snippet": "AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM"
+  },
+  {
+    "rule_id": "kingfisher.pem.1",
+    "snippet": "MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShz A2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3 q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGA MeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCV UpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS /70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/X QZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62X Rr1VAkEAljSLsMOk5H7XCctEk3mCu1WgDtUvb/RRCBiBT+cic14OpVtytJMAeLeq cAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/Mhrc F+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/T FnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0I kdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vDk6tKaqK Ic3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw= "
+  },
+  {
+    "rule_id": "kingfisher.pem.1",
+    "snippet": "MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw="
+  },
+  {
+    "rule_id": "kingfisher.pem.1",
+    "snippet": "\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChoGF4j4AUnAfj\\nbVGP/tSJqAyeYiZfOf4UCwd9+B/2oej3rsiuZmx506kuWVN4Jhg8UocLn5l/OfqU\\n2MyV3Mq5VjtGQjYWF7a/Y04yEMRWf+spiJp1iYGS1vTOVjuyYyMa9h+8sbDiBFAD\\nBcZejB4FQHxstFtmlnehf7cieMLTa3Wezv8LX8pH0q+pEynuvusQkhe8uPmjUsuo\\nWG5W5CgVchQVzQf9eB5xtyt85t6VozMvAEI4h+WwZRdn+EWrQi+z8A8vXF7iUDmu\\n2lpypLExcZBrZINMh8ecs8B34JNIYzO4Hod7RB4IwXN8PG/5RHlb7qQbzXSxir2B\\n17gPPf8JAgMBAAECggEAHbkdG7sGIqQkJjypInpKc0tKkMj7hgkn8t8pYE7kb+qM\\nKZqE0N/IpKnaY8ntGfwlelhx+d7+r0FGFh/9lbTOOkHDslLEWBFB3BYC4B2pwb+S\\nC2gSAboJMGwkBpsgrNhi8RcgtIaYASSqYzfpaGNLtQsMJsCPS4Ex3GscjnQXXiJK\\n5MExF8VYZVvT8Hq2lvECUpFMTWwM2o/QndwjLrEq/vRI3n7PmweXZGKgLuyOjpWk\\ny80qa/IUlB6xO4XHvjnaEGxRq1LSF8hgEGU2Nmd8GDRT5ZLkSk+TMtqPrEbHEi6n\\n4pZGndX0XmttWkKcUX/NwB/WZC5ROEsUl8Fyw+T5RQKBgQDMfgFB6Xx+Na2iB33w\\nkhzNxo4HPCJzxeAB0zCRpfDpM1GtqK6JsIxvrci5lDAKaP8TQTr/gQxXpbJjE1Dl\\n3VWGzFbW4czSw+AqBFl1he20RZhGjATcDCCzSOyEiRhqoJwTPTvqcXRK8NbKGfJR\\nV6b4Auw+McNhnEUyfrZzguV93QKBgQDKVlLPhb4O84mINKFK73QFf2xlns0IHI0m\\nWqNvY7HxJP9WUH5FgX4r/cO6aIafg+u5j0gNPDd2JD67htnY85EH/n5KNhb9ytsN\\n+hkDeidFvdOrD+h9YFHkNoNy3XHwrQ0mtYRj2FBWhhpBsVlHVO2KcLe0TvivinN2\\nfIac2uZhHQKBgAYE23KeNbzdRZwUTl+rXU+tPXb3DSiNNXe4SKCw2rNygD/1TBXf\\nbXLIEbVsqDFWP9PIQr1Mhhl6VhLWebYaWq8aCqBOiyHVBB8Ye62a4JFCzyWcb3Qu\\nozPDvLp18pMI4S8ryTywVDT0e839D4XXZ6G7LEr0WgTgfaTr1+D0hF69AoGBAKIQ\\nxKGeAV6eaOGlLjAEXgztRFic+qLto409+jyFQQji1nY/YPSxROtdhkGv6WypUM0/\\nW7nmKpJBc9HmsGUaqmcZy/QLIR1FN3IZiaGEXSJ6aqlQw6pw1QcTNvRxNQtOwQLp\\nT1Jd9/Nl1HAb6mO9PcqugCY3Pu/z2InmMjg/CVptAoGAMpwMsoen4xEHv4uGZVt8\\n8wlvQ2fYnso4wgRSYAkjh8cOHjB85eazlSAsaJvmQ9D1rV086Re5zKxKjrjQWdaT\\nRMyIZJMJYZr6c8RKmabOfO1oc5urDdETQjGi3qXJuiu86wp7IoBINdmBEPRl6+m3\\nGqJA6hgV5niKAq4sJtv9EW4=\\n"
+  },
+  {
+    "rule_id": "kingfisher.privkey.2",
+    "snippet": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChoGF4j4AUnAfj\\nbVGP/tSJqAyeYiZfOf4UCwd9+B/2oej3rsiuZmx506kuWVN4Jhg8UocLn5l/OfqU\\n2MyV3Mq5VjtGQjYWF7a/Y04yEMRWf+spiJp1iYGS1vTOVjuyYyMa9h+8sbDiBFAD\\nBcZejB4FQHxstFtmlnehf7cieMLTa3Wezv8LX8pH0q+pEynuvusQkhe8uPmjUsuo\\nWG5W5CgVchQVzQf9eB5xtyt85t6VozMvAEI4h+WwZRdn+EWrQi+z8A8vXF7iUDmu\\n2lpypLExcZBrZINMh8ecs8B34JNIYzO4Hod7RB4IwXN8PG/5RHlb7qQbzXSxir2B\\n17gPPf8JAgMBAAECggEAHbkdG7sGIqQkJjypInpKc0tKkMj7hgkn8t8pYE7kb+qM\\nKZqE0N/IpKnaY8ntGfwlelhx+d7+r0FGFh/9lbTOOkHDslLEWBFB3BYC4B2pwb+S\\nC2gSAboJMGwkBpsgrNhi8RcgtIaYASSqYzfpaGNLtQsMJsCPS4Ex3GscjnQXXiJK\\n5MExF8VYZVvT8Hq2lvECUpFMTWwM2o/QndwjLrEq/vRI3n7PmweXZGKgLuyOjpWk\\ny80qa/IUlB6xO4XHvjnaEGxRq1LSF8hgEGU2Nmd8GDRT5ZLkSk+TMtqPrEbHEi6n\\n4pZGndX0XmttWkKcUX/NwB/WZC5ROEsUl8Fyw+T5RQKBgQDMfgFB6Xx+Na2iB33w\\nkhzNxo4HPCJzxeAB0zCRpfDpM1GtqK6JsIxvrci5lDAKaP8TQTr/gQxXpbJjE1Dl\\n3VWGzFbW4czSw+AqBFl1he20RZhGjATcDCCzSOyEiRhqoJwTPTvqcXRK8NbKGfJR\\nV6b4Auw+McNhnEUyfrZzguV93QKBgQDKVlLPhb4O84mINKFK73QFf2xlns0IHI0m\\nWqNvY7HxJP9WUH5FgX4r/cO6aIafg+u5j0gNPDd2JD67htnY85EH/n5KNhb9ytsN\\n+hkDeidFvdOrD+h9YFHkNoNy3XHwrQ0mtYRj2FBWhhpBsVlHVO2KcLe0TvivinN2\\nfIac2uZhHQKBgAYE23KeNbzdRZwUTl+rXU+tPXb3DSiNNXe4SKCw2rNygD/1TBXf\\nbXLIEbVsqDFWP9PIQr1Mhhl6VhLWebYaWq8aCqBOiyHVBB8Ye62a4JFCzyWcb3Qu\\nozPDvLp18pMI4S8ryTywVDT0e839D4XXZ6G7LEr0WgTgfaTr1+D0hF69AoGBAKIQ\\nxKGeAV6eaOGlLjAEXgztRFic+qLto409+jyFQQji1nY/YPSxROtdhkGv6WypUM0/\\nW7nmKpJBc9HmsGUaqmcZy/QLIR1FN3IZiaGEXSJ6aqlQw6pw1QcTNvRxNQtOwQLp\\nT1Jd9/Nl1HAb6mO9PcqugCY3Pu/z2InmMjg/CVptAoGAMpwMsoen4xEHv4uGZVt8\\n8wlvQ2fYnso4wgRSYAkjh8cOHjB85eazlSAsaJvmQ9D1rV086Re5zKxKjrjQWdaT\\nRMyIZJMJYZr6c8RKmabOfO1oc5urDdETQjGi3qXJuiu86wp7IoBINdmBEPRl6+m3\\nGqJA6hgV5niKAq4sJtv9EW4=\\n-----END PRIVATE KEY-----"
+  },
+  {
+    "rule_id": "kingfisher.privkey.2",
+    "snippet": "-----BEGIN RSA PRIVATE KEY-----MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw=-----END RSA PRIVATE KEY-----"
+  },
+  {
+    "rule_id": "kingfisher.pypi.1",
+    "snippet": "pypi-AgEIcHlwaS5vcmcCAWEAAAYgNh9pJUqVF-EtMCwGaZYcStFR07RbE8hyb9h2vYxifO8"
+  },
+  {
+    "rule_id": "kingfisher.pypi.1",
+    "snippet": "pypi-AgEIcHlwaS5vcmcCAWIAAAYgf_d_XvJfqkOhrkqbEBo-eW9UID46ABNJIdGfaO3n3_k"
+  },
+  {
+    "rule_id": "kingfisher.pypi.1",
+    "snippet": "pypi-AgEIcHlwaS5vcmcCAWIAAAYgxbyLvb9egSCECeOdB3qW3h4oXEoNC6kJI0NtaFOQlUY"
+  },
+  {
+    "rule_id": "kingfisher.pypi.1",
+    "snippet": "pypi-AgEIcHlwaS5vcmcCAWIAAi97InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiB7InByb2plY3RzIjogW119fQAABiBWHBa1jsbY-iN-Swf3JCrxy8Q8eRCxMrc_1KkkDuB6KQ"
+  },
+  {
+    "rule_id": "kingfisher.pypi.1",
+    "snippet": "pypi-AgEIcHlwaS5vcmcCAWIAAiV7InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiAidXNlciJ9AAAGIBeIJGhXk8kPPref7vLuwlKbnSWusZKZivIh92GRUUX4"
+  },
+  {
+    "rule_id": "kingfisher.slack.1",
+    "snippet": "xapp-1-A01C259PH2A-1440755929120-7d5241948a2cc1b464add85df8a8e75f9040ae2869f6599926ed0b9dcafdb32b"
+  },
+  {
+    "rule_id": "kingfisher.slack.1",
+    "snippet": "xapp-1-A01SURJVBLJ-1936696714400-FAKE1f53b593f2951c547e39dd5e1d39aae8d142daff1e94a64af304334fe04f"
+  },
+  {
+    "rule_id": "kingfisher.slack.1",
+    "snippet": "xapp-1-A0219JRGYSF-2049594540292-FAKE4796aa92658d4e0ae36cae694ffeb7bf1c87d80347b4ef74169433b55345"
+  },
+  {
+    "rule_id": "kingfisher.slack.1",
+    "snippet": "xapp-1-B42342KL2RLY-2936428313672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxa-2-B6342RL2UNF-2936428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxa-2-B7342RL2UNF-2936428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-034302345987-336503610493-FAKEvWppeEYXx5TsvScfAAwl"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-138060324327-1855530675702-FAKEZxYAIfI7Jrv8hxODBm5k"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-229090314224-691247287811-FAKE5lrlR3O9eYVKf4eKpras"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-235060315121-1909810446613-FAKE1NuEz5KXRsCBwEUzjiRt"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-494126390276-1259618305827-FAKE53z2wripYKAm4xPAsPRK"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-689144892354-720001127957-FAKE4lK3kSc08oebIvZdPWG4"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxo-523423-234243-234233-e039d02840a0b9379c"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxp-523423-234243-234233-e039d02840a0b9379c"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxp-677471389651-618638257620-FAKE17772739-5da7b6942285"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxr-523423-234243-234233-e039d02840a0b9379c"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxr-B2342KL8RJT-2931428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037"
+  },
+  {
+    "rule_id": "kingfisher.slack.2",
+    "snippet": "xoxs-523423-234243-234233-e039d02840a0b9379c"
+  },
+  {
+    "rule_id": "kingfisher.slack.4",
+    "snippet": "https://hooks.slack.com/services/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"
+  },
+  {
+    "rule_id": "kingfisher.stripe.1",
+    "snippet": "pk_live_bu9JFVJtII3FINL1rOKcNpveXD4hSMtSDx7opOWDEFGHIJKLMNOPQRSTUVWX"
+  },
+  {
+    "rule_id": "kingfisher.stripe.2",
+    "snippet": "rk_live_z59MoCJoFc114PpJlP1OnB1O"
+  },
+  {
+    "rule_id": "kingfisher.stripe.2",
+    "snippet": "sk_live_bu9JFVJtII3FINL1rOKcNpveXD4hSMtSDx7opOWDEFGHIJKLMNOPQRST"
+  }
+]

From eee7697e24d564b4fffff3fd89b00daa67c4008b Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 09:42:37 -0700
Subject: [PATCH 11/17] changes in response to PR review

---
 Cargo.lock                           | 86 +++++++++++++++++++++++++++-
 crates/kingfisher-scanner/Cargo.toml | 10 +++-
 src/parser.rs                        | 27 +++++++++
 src/parser/css.rs                    | 28 ++++++---
 src/parser/html.rs                   |  3 +-
 src/scanner/validation.rs            | 31 ++++++++--
 tests/int_context_verification.rs    | 80 +++++++++++++++++++++++++-
 7 files changed, 246 insertions(+), 19 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a8b5e17..b5ccddf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2764,6 +2764,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared 0.1.1",
+]
+
 [[package]]
 name = "foreign-types"
 version = "0.5.0"
@@ -2771,7 +2780,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965"
 dependencies = [
  "foreign-types-macros",
- "foreign-types-shared",
+ "foreign-types-shared 0.3.1",
 ]
 
 [[package]]
@@ -2785,6 +2794,12 @@ dependencies = [
  "syn 2.0.117",
 ]
 
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
 [[package]]
 name = "foreign-types-shared"
 version = "0.3.1"
@@ -5391,6 +5406,7 @@ dependencies = [
  "lazy_static",
  "lber",
  "log",
+ "native-tls",
  "nom 7.1.3",
  "percent-encoding",
  "ring 0.16.20",
@@ -5398,6 +5414,7 @@ dependencies = [
  "rustls-native-certs 0.6.3",
  "thiserror 1.0.69",
  "tokio",
+ "tokio-native-tls",
  "tokio-rustls 0.24.1",
  "tokio-stream",
  "tokio-util",
@@ -5931,6 +5948,23 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "native-tls"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe 0.2.1",
+ "openssl-sys",
+ "schannel",
+ "security-framework 3.7.0",
+ "security-framework-sys",
+ "tempfile",
+]
+
 [[package]]
 name = "ndk-context"
 version = "0.1.1"
@@ -6262,6 +6296,32 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "openssl"
+version = "0.10.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
+dependencies = [
+ "bitflags 2.11.0",
+ "cfg-if",
+ "foreign-types 0.3.2",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "openssl-probe"
 version = "0.1.6"
@@ -6274,6 +6334,18 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 
+[[package]]
+name = "openssl-sys"
+version = "0.9.112"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "outref"
 version = "0.5.2"
@@ -8824,6 +8896,16 @@ dependencies = [
  "syn 2.0.117",
 ]
 
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+dependencies = [
+ "native-tls",
+ "tokio",
+]
+
 [[package]]
 name = "tokio-postgres"
 version = "0.7.17"
@@ -9426,7 +9508,7 @@ name = "vectorscan-rs"
 version = "0.0.6"
 dependencies = [
  "bitflags 2.11.0",
- "foreign-types",
+ "foreign-types 0.5.0",
  "libc",
  "thiserror 1.0.69",
  "vectorscan-rs-sys",
diff --git a/crates/kingfisher-scanner/Cargo.toml b/crates/kingfisher-scanner/Cargo.toml
index 69d0d8c..743b0d1 100644
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
@@ -195,8 +195,6 @@ tokio-postgres-rustls = { version = "0.13.0", optional = true }
 rustls = { version = "0.23.35", optional = true }
 rustls-native-certs = { version = "0.8.2", optional = true }
 tokio-rustls = { version = "0.26.4", optional = true }
-ldap3 = { version = "0.11.5", default-features = false, features = ["tls-rustls"], optional = true }
-
 # AWS validation
 aws-config = { version = "1.8.14", default-features = false, features = ["default-https-client", "rt-tokio"], optional = true }
 aws-credential-types = { version = "1.2.12", optional = true }
@@ -210,6 +208,14 @@ base32 = { version = "0.5", optional = true }
 byteorder = { version = "1.5", optional = true }
 rand = { version = "0.10", optional = true }
 
+[target.'cfg(all(windows, target_arch = "aarch64"))'.dependencies]
+# ldap3's rustls backend still pulls ring 0.16, which fails to build on Windows ARM64.
+# Use the platform TLS backend there to keep the raw LDAP validator available.
+ldap3 = { version = "0.11.5", default-features = false, features = ["tls-native"], optional = true }
+
+[target.'cfg(not(all(windows, target_arch = "aarch64")))'.dependencies]
+ldap3 = { version = "0.11.5", default-features = false, features = ["tls-rustls"], optional = true }
+
 [dev-dependencies]
 pretty_assertions = "1.4"
 tempfile = "3.23"
diff --git a/src/parser.rs b/src/parser.rs
index 9a34338..ee4b20f 100644
--- a/src/parser.rs
+++ b/src/parser.rs
@@ -233,6 +233,33 @@ mod tests {
         );
     }
 
+    #[test]
+    fn html_embedded_context_extracts_uppercase_script_and_style_candidates() {
+        let source = br#"
+            <HTML>
+              <BODY>
+                <SCRIPT>const auth0_client_secret = "secret-value";</SCRIPT>
+                <STYLE>.banner::before { content: "hello"; }</STYLE>
+              </BODY>
+            </HTML>
+        "#;
+        let mut texts = Vec::new();
+        stream_context_candidates(source, &Language::Html, |text| {
+            texts.push(text.to_string());
+            true
+        })
+        .unwrap();
+
+        assert!(
+            texts.iter().any(|text| text.contains("<script> = const auth0_client_secret")),
+            "expected uppercase script tag to be handled like lowercase script"
+        );
+        assert!(
+            texts.iter().any(|text| text.contains("content =")),
+            "expected uppercase style tag to emit CSS declaration candidates"
+        );
+    }
+
     #[test]
     fn comment_only_python_context_is_ignored() {
         let root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
diff --git a/src/parser/css.rs b/src/parser/css.rs
index 9875e5f..34245d5 100644
--- a/src/parser/css.rs
+++ b/src/parser/css.rs
@@ -1,3 +1,5 @@
+use std::cell::Cell;
+
 use anyhow::Result;
 use cssparser::{
     parse_important, AtRuleParser, CowRcStr, DeclarationParser, ParseError, Parser, ParserInput,
@@ -15,14 +17,20 @@ where
 
     let mut input = ParserInput::new(&css);
     let mut parser = Parser::new(&mut input);
-    let mut collector = Collector { sink, stopped: false };
-    for _ in StyleSheetParser::new(&mut parser, &mut collector) {}
+    let stopped = Cell::new(false);
+    let mut collector = Collector { sink, stopped: &stopped };
+    let mut stylesheet = StyleSheetParser::new(&mut parser, &mut collector);
+    while !stopped.get() {
+        if stylesheet.next().is_none() {
+            break;
+        }
+    }
     Ok(())
 }
 
 struct Collector<'a, F> {
     sink: &'a mut F,
-    stopped: bool,
+    stopped: &'a Cell<bool>,
 }
 
 impl<'a, F> Collector<'a, F>
@@ -30,11 +38,11 @@ where
     F: FnMut(&str) -> bool,
 {
     fn emit(&mut self, name: &str, value: &str) {
-        if self.stopped {
+        if self.stopped.get() {
             return;
         }
         let candidate = format!("{name} = {value}");
-        self.stopped = !(self.sink)(&candidate);
+        self.stopped.set(!(self.sink)(&candidate));
     }
 }
 
@@ -82,7 +90,7 @@ where
 
         for value in values {
             self.emit(&name, &value);
-            if self.stopped {
+            if self.stopped.get() {
                 break;
             }
         }
@@ -118,7 +126,13 @@ where
         _start: &ParserState,
         input: &mut Parser<'i, 't>,
     ) -> Result<(), ParseError<'i, ()>> {
-        for _ in RuleBodyParser::new(input, self) {}
+        let stopped = self.stopped;
+        let mut rule_body = RuleBodyParser::new(input, self);
+        while !stopped.get() {
+            if rule_body.next().is_none() {
+                break;
+            }
+        }
         Ok(())
     }
 }
diff --git a/src/parser/html.rs b/src/parser/html.rs
index 02a3482..f10840b 100644
--- a/src/parser/html.rs
+++ b/src/parser/html.rs
@@ -23,6 +23,7 @@ where
             continue;
         };
         let tag_name = tag.name().as_utf8_str().to_string();
+        let normalized_tag_name = tag_name.to_ascii_lowercase();
 
         for (key, value) in tag.attributes().iter() {
             let Some(value) = value else {
@@ -35,7 +36,7 @@ where
         }
 
         let inner_text = tag.inner_text(parser).trim().to_string();
-        match tag_name.as_str() {
+        match normalized_tag_name.as_str() {
             "script" => {
                 let candidate = format!("<script> = {inner_text}");
                 if !inner_text.is_empty() && !sink(&candidate) {
diff --git a/src/scanner/validation.rs b/src/scanner/validation.rs
index cba8d33..088a556 100644
--- a/src/scanner/validation.rs
+++ b/src/scanner/validation.rs
@@ -766,9 +766,9 @@ async fn validate_single(
         om.validation_success = cached.is_valid;
         om.validation_response_body = cached.body.clone();
         om.validation_response_status = cached.status;
-        if om.validation_success {
+        if om.validation_success && is_counted_validation_status(om.validation_response_status) {
             success_count.fetch_add(1, Ordering::Relaxed);
-        } else if om.validation_response_status != http::StatusCode::CONTINUE {
+        } else if is_counted_validation_status(om.validation_response_status) {
             fail_count.fetch_add(1, Ordering::Relaxed);
         }
         maybe_record_access_map(om, access_map);
@@ -787,9 +787,10 @@ async fn validate_single(
             om.validation_success = cached.is_valid;
             om.validation_response_body = cached.body.clone();
             om.validation_response_status = cached.status;
-            if om.validation_success {
+            if om.validation_success && is_counted_validation_status(om.validation_response_status)
+            {
                 success_count.fetch_add(1, Ordering::Relaxed);
-            } else if om.validation_response_status != http::StatusCode::CONTINUE {
+            } else if is_counted_validation_status(om.validation_response_status) {
                 fail_count.fetch_add(1, Ordering::Relaxed);
             }
             maybe_record_access_map(om, access_map);
@@ -818,9 +819,10 @@ async fn validate_single(
     // Store result in cache
     match outcome {
         Ok(_) => {
-            if om.validation_success {
+            if om.validation_success && is_counted_validation_status(om.validation_response_status)
+            {
                 success_count.fetch_add(1, Ordering::Relaxed);
-            } else if om.validation_response_status != http::StatusCode::CONTINUE {
+            } else if is_counted_validation_status(om.validation_response_status) {
                 fail_count.fetch_add(1, Ordering::Relaxed);
             }
             cache.insert(
@@ -849,6 +851,10 @@ async fn validate_single(
     }
 }
 
+fn is_counted_validation_status(status: StatusCode) -> bool {
+    !matches!(status, StatusCode::CONTINUE | StatusCode::PRECONDITION_REQUIRED)
+}
+
 // Helper to compute the cache key for an OwnedBlobMatch
 fn build_cache_key(
     om: &OwnedBlobMatch,
@@ -1358,3 +1364,16 @@ fn extract_azure_devops_org_from_body(
     let text = validation_body::clone_as_string(body);
     ORG_RE.captures(&text).and_then(|caps| caps.get(1).map(|m| m.as_str().to_string()))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn counted_validation_status_excludes_skipped_statuses() {
+        assert!(!is_counted_validation_status(StatusCode::CONTINUE));
+        assert!(!is_counted_validation_status(StatusCode::PRECONDITION_REQUIRED));
+        assert!(is_counted_validation_status(StatusCode::OK));
+        assert!(is_counted_validation_status(StatusCode::UNAUTHORIZED));
+    }
+}
diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
index 44f85c9..8737670 100644
--- a/tests/int_context_verification.rs
+++ b/tests/int_context_verification.rs
@@ -3,6 +3,84 @@ use std::{fs, process::Command};
 use anyhow::{Context, Result};
 use serde_json::{Deserializer, Value};
 
+fn macos_arm64_known_missing_findings() -> &'static [(&'static str, &'static str)] {
+    &[
+        ("kingfisher.google.7", "AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM"),
+        (
+            "kingfisher.pem.1",
+            "MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw=",
+        ),
+        (
+            "kingfisher.privkey.2",
+            "-----BEGIN RSA PRIVATE KEY-----MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw=-----END RSA PRIVATE KEY-----",
+        ),
+        (
+            "kingfisher.pypi.1",
+            "pypi-AgEIcHlwaS5vcmcCAWEAAAYgNh9pJUqVF-EtMCwGaZYcStFR07RbE8hyb9h2vYxifO8",
+        ),
+        (
+            "kingfisher.pypi.1",
+            "pypi-AgEIcHlwaS5vcmcCAWIAAAYgf_d_XvJfqkOhrkqbEBo-eW9UID46ABNJIdGfaO3n3_k",
+        ),
+        (
+            "kingfisher.pypi.1",
+            "pypi-AgEIcHlwaS5vcmcCAWIAAAYgxbyLvb9egSCECeOdB3qW3h4oXEoNC6kJI0NtaFOQlUY",
+        ),
+        (
+            "kingfisher.pypi.1",
+            "pypi-AgEIcHlwaS5vcmcCAWIAAi97InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiB7InByb2plY3RzIjogW119fQAABiBWHBa1jsbY-iN-Swf3JCrxy8Q8eRCxMrc_1KkkDuB6KQ",
+        ),
+        (
+            "kingfisher.pypi.1",
+            "pypi-AgEIcHlwaS5vcmcCAWIAAiV7InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiAidXNlciJ9AAAGIBeIJGhXk8kPPref7vLuwlKbnSWusZKZivIh92GRUUX4",
+        ),
+        (
+            "kingfisher.slack.1",
+            "xapp-1-A01C259PH2A-1440755929120-7d5241948a2cc1b464add85df8a8e75f9040ae2869f6599926ed0b9dcafdb32b",
+        ),
+        (
+            "kingfisher.slack.2",
+            "xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY",
+        ),
+        (
+            "kingfisher.slack.4",
+            "https://hooks.slack.com/services/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",
+        ),
+    ]
+}
+
+fn is_known_macos_arm64_missing_finding(finding: &Value) -> bool {
+    let rule_id = finding.get("rule_id").and_then(Value::as_str).unwrap_or_default();
+    let snippet = finding.get("snippet").and_then(Value::as_str).unwrap_or_default();
+    macos_arm64_known_missing_findings().iter().any(|(known_rule_id, known_snippet)| {
+        rule_id == *known_rule_id && snippet == *known_snippet
+    })
+}
+
+fn assert_findings_match_for_platform(actual: Vec<Value>, expected: Vec<Value>) {
+    if cfg!(all(target_os = "macos", target_arch = "aarch64")) {
+        let missing = expected
+            .iter()
+            .filter(|finding| !actual.contains(finding))
+            .cloned()
+            .collect::<Vec<_>>();
+        let extras = actual
+            .iter()
+            .filter(|finding| !expected.contains(finding))
+            .cloned()
+            .collect::<Vec<_>>();
+
+        assert!(extras.is_empty(), "unexpected extra findings on macOS ARM64: {extras:#?}");
+        assert!(
+            missing.iter().all(is_known_macos_arm64_missing_finding),
+            "unexpected missing findings on macOS ARM64: {missing:#?}"
+        );
+        return;
+    }
+
+    assert_eq!(actual, expected);
+}
+
 #[test]
 fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
@@ -78,6 +156,6 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     .collect::<Vec<_>>();
     expected.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
 
-    assert_eq!(actual, expected);
+    assert_findings_match_for_platform(actual, expected);
     Ok(())
 }

From 0d33dff196e993f4cf2a6b655a8b65c83a31581a Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 11:09:36 -0700
Subject: [PATCH 12/17] changes in response to PR review

---
 crates/kingfisher-rules/src/rules_database.rs | 94 ++++++++++++++++---
 .../src/validation/http_validation.rs         | 39 +++++++-
 src/matcher/mod.rs                            | 43 +++++++++
 src/validation.rs                             | 16 +++-
 tests/int_context_verification.rs             | 80 +---------------
 5 files changed, 173 insertions(+), 99 deletions(-)

diff --git a/crates/kingfisher-rules/src/rules_database.rs b/crates/kingfisher-rules/src/rules_database.rs
index 3a28fac..5ba76ea 100644
--- a/crates/kingfisher-rules/src/rules_database.rs
+++ b/crates/kingfisher-rules/src/rules_database.rs
@@ -60,21 +60,7 @@ impl RulesDatabase {
 
         let mut reason_codes: Vec<&'static str> = Vec::new();
 
-        let has_self_identifying_prefix = [
-            "ccipat_",
-            "xoxb-",
-            "xoxa-",
-            "xoxp-",
-            "xapp-",
-            "ghp_",
-            "github_pat_",
-            "sk_live_",
-            "sk_test_",
-            "ltai",
-            "akia",
-        ]
-        .iter()
-        .any(|m| normalized.contains(m));
+        let has_self_identifying_prefix = has_self_identifying_shape(&normalized);
         if has_self_identifying_prefix {
             reason_codes.push("self_identifying_prefix");
             return RuleMatchProfile {
@@ -307,6 +293,33 @@ impl RulesDatabase {
     }
 }
 
+fn has_self_identifying_shape(normalized_pattern: &str) -> bool {
+    let literal_markers = [
+        "ccipat_",
+        "xapp-",
+        "ghp_",
+        "github_pat_",
+        "sk_live_",
+        "sk_test_",
+        "ltai",
+        "akia",
+        "aizasy",
+        "pypi-ageichlwas5vcmc",
+        "https://hooks\\.slack\\.com/services/",
+    ];
+
+    literal_markers.iter().any(|needle| normalized_pattern.contains(needle))
+        || normalized_pattern.contains("xox[pbarose]")
+        || normalized_pattern.contains("xoxe\\.xox[bparose]-")
+        || normalized_pattern.contains("xoxe-\\d-")
+        || (normalized_pattern.contains("-----begin\\s")
+            && normalized_pattern.contains("private\\skey")
+            && normalized_pattern.contains("-----end\\s"))
+        || (normalized_pattern.contains("-----begin\\ ")
+            && normalized_pattern.contains("private\\ key")
+            && normalized_pattern.contains("-----end\\ "))
+}
+
 fn has_generic_token_class(normalized_pattern: &str) -> bool {
     [
         "[a-za-z0-9]{",
@@ -436,6 +449,57 @@ mod test_rule_match_profiles {
         assert!(profile.reason_codes.contains(&"self_identifying_prefix"));
     }
 
+    #[test]
+    fn classifies_google_api_key_rule_as_self_identifying() {
+        let rule = mk_rule("kingfisher.google.7", r"(?xi)\b(AIzaSy[A-Za-z0-9_-]{33})");
+        let profile = RulesDatabase::classify_rule_profile(&rule);
+        assert_eq!(profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+    }
+
+    #[test]
+    fn classifies_slack_token_charclass_rule_as_self_identifying() {
+        let rule = mk_rule(
+            "kingfisher.slack.2",
+            r"(?xi)\b(xox[pbarose][-0-9]{0,3}-[0-9a-z]{6,15}-[0-9a-z]{6,15}-[-0-9a-z]{6,66})\b",
+        );
+        let profile = RulesDatabase::classify_rule_profile(&rule);
+        assert_eq!(profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+    }
+
+    #[test]
+    fn classifies_slack_webhook_rule_as_self_identifying() {
+        let rule = mk_rule(
+            "kingfisher.slack.4",
+            r"(?xi)\b(https://hooks\.slack\.com/services/T[a-z0-9_-]{8,12}/B[a-z0-9_-]{8,12}/[a-z0-9_-]{20,30})",
+        );
+        let profile = RulesDatabase::classify_rule_profile(&rule);
+        assert_eq!(profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+    }
+
+    #[test]
+    fn classifies_pypi_token_rule_as_self_identifying() {
+        let rule = mk_rule("kingfisher.pypi.1", r"(?x)(pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,})\b");
+        let profile = RulesDatabase::classify_rule_profile(&rule);
+        assert_eq!(profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+    }
+
+    #[test]
+    fn classifies_private_key_envelope_rules_as_self_identifying() {
+        let rule = mk_rule(
+            "kingfisher.privkey.2",
+            r"(?xims)(-----BEGIN\s(?:RSA|PGP|DSA|OPENSSH|ENCRYPTED|EC)?\s{0,1}PRIVATE\sKEY-----[a-z0-9 /+=\r\n\\n]{32,}?-----END\s(?:RSA|PGP|DSA|OPENSSH|ENCRYPTED|EC)?\s{0,1}PRIVATE\sKEY-----)",
+        );
+        let profile = RulesDatabase::classify_rule_profile(&rule);
+        assert_eq!(profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+
+        let pem_rule = mk_rule(
+            "kingfisher.pem.1",
+            r#"(?x)-----BEGIN\ .{0,20}\ ?PRIVATE\ KEY\ ?.{0,20}-----\s*((?:[a-zA-Z0-9+/=\s"',]|\\r|\\n){50,})\s*-----END\ .{0,20}\ ?PRIVATE\ KEY\ ?.{0,20}-----"#,
+        );
+        let pem_profile = RulesDatabase::classify_rule_profile(&pem_rule);
+        assert_eq!(pem_profile.kind, RuleDetectionProfileKind::SelfIdentifying);
+    }
+
     #[test]
     fn classifies_context_dependent_generic_rule() {
         let rule = mk_rule(
diff --git a/crates/kingfisher-scanner/src/validation/http_validation.rs b/crates/kingfisher-scanner/src/validation/http_validation.rs
index 0862323..255edd3 100644
--- a/crates/kingfisher-scanner/src/validation/http_validation.rs
+++ b/crates/kingfisher-scanner/src/validation/http_validation.rs
@@ -36,12 +36,11 @@ use kingfisher_rules::ResponseMatcher;
 /// Build a deterministic cache key from the immutable parts of an HTTP request.
 pub fn generate_http_cache_key_parts(
     method: &str,
-    url: &Url,
+    url: &str,
     headers: &BTreeMap<String, String>,
     body: Option<&str>,
 ) -> String {
     let method = method.to_uppercase();
-    let url = url.as_str();
 
     let mut hasher = Sha1::new();
     hasher.update(method.as_bytes());
@@ -101,6 +100,21 @@ pub fn with_request_template_globals(globals: &Object) -> Object {
     out
 }
 
+/// Clone `globals` and add stable placeholder values for request-scoped template vars that
+/// would otherwise make HTTP validation cache keys vary per execution.
+pub fn with_cache_key_template_globals(globals: &Object) -> Object {
+    let mut out = globals.clone();
+
+    if !out.contains_key("REQUEST_RFC1123_DATE") {
+        out.insert("REQUEST_RFC1123_DATE".into(), Value::scalar("REQUEST_RFC1123_DATE"));
+    }
+    if !out.contains_key("REQUEST_UNIX_MILLIS") {
+        out.insert("REQUEST_UNIX_MILLIS".into(), Value::scalar("REQUEST_UNIX_MILLIS"));
+    }
+
+    out
+}
+
 /// Build a reqwest RequestBuilder using the provided parameters.
 pub fn build_request_builder(
     client: &Client,
@@ -630,6 +644,27 @@ mod tests {
         assert_eq!(rendered.get("REQUEST_UNIX_MILLIS").unwrap().to_kstr(), "123");
     }
 
+    #[test]
+    fn cache_key_template_globals_use_stable_placeholders() {
+        let globals = Object::new();
+        let rendered = with_cache_key_template_globals(&globals);
+
+        assert_eq!(rendered.get("REQUEST_RFC1123_DATE").unwrap().to_kstr(), "REQUEST_RFC1123_DATE");
+        assert_eq!(rendered.get("REQUEST_UNIX_MILLIS").unwrap().to_kstr(), "REQUEST_UNIX_MILLIS");
+    }
+
+    #[test]
+    fn cache_key_template_globals_preserve_explicit_overrides() {
+        let mut globals = Object::new();
+        globals.insert("REQUEST_RFC1123_DATE".into(), Value::scalar("custom-date"));
+        globals.insert("REQUEST_UNIX_MILLIS".into(), Value::scalar("123"));
+
+        let rendered = with_cache_key_template_globals(&globals);
+
+        assert_eq!(rendered.get("REQUEST_RFC1123_DATE").unwrap().to_kstr(), "custom-date");
+        assert_eq!(rendered.get("REQUEST_UNIX_MILLIS").unwrap().to_kstr(), "123");
+    }
+
     #[test]
     fn rejects_ipv4_loopback() {
         assert!(!is_ssrf_safe_ip(&IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))));
diff --git a/src/matcher/mod.rs b/src/matcher/mod.rs
index 9fe0fa5..5e2b03c 100644
--- a/src/matcher/mod.rs
+++ b/src/matcher/mod.rs
@@ -1215,4 +1215,47 @@ line2
         assert_eq!(found.len(), 1, "self-identifying tokens should remain raw-pass findings");
         Ok(())
     }
+
+    #[test]
+    fn self_identifying_charclass_prefix_rule_remains_hyperscan_only() -> Result<()> {
+        let token = "xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY";
+        let rule = Rule::new(RuleSyntax {
+            id: "kingfisher.slack.2".into(),
+            name: "slack token".into(),
+            pattern:
+                "(?xi)\\b(xox[pbarose][-0-9]{0,3}-[0-9a-z]{6,15}-[0-9a-z]{6,15}-[-0-9a-z]{6,66})\\b"
+                    .into(),
+            confidence: crate::rules::rule::Confidence::Medium,
+            min_entropy: 0.0,
+            visible: true,
+            examples: vec![],
+            negative_examples: vec![],
+            references: vec![],
+            validation: None::<Validation>,
+            revocation: None,
+            depends_on_rule: vec![],
+            pattern_requirements: None,
+            tls_mode: None,
+        });
+
+        let rules_db = RulesDatabase::from_rules(vec![rule])?;
+        let seen = BlobIdMap::new();
+        let scanner_pool = Arc::new(ScannerPool::new(Arc::new(rules_db.vectorscan_db().clone())));
+        let mut matcher =
+            Matcher::new(&rules_db, scanner_pool, &seen, None, false, None, &[], false, true)?;
+
+        let blob = Blob::from_bytes(format!("token={token}").into_bytes());
+        let origin = OriginSet::from(Origin::from_file(PathBuf::from("slack.txt")));
+
+        let found = match matcher.scan_blob(&blob, &origin, None, false, false, false)? {
+            ScanResult::New(matches) => matches,
+            _ => panic!("unexpected scan result"),
+        };
+        assert_eq!(
+            found.len(),
+            1,
+            "self-identifying token families should not require parser context"
+        );
+        Ok(())
+    }
 }
diff --git a/src/validation.rs b/src/validation.rs
index 5cdf823..804f7f2 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -615,6 +615,7 @@ async fn timed_validate_single_match<'a>(
             let multipart_timeout = validation_timeout;
             let max_retries: u32 = validation_retries;
             let request_globals = httpvalidation::with_request_template_globals(&globals);
+            let cache_globals = httpvalidation::with_cache_key_template_globals(&globals);
             // render URL
             let url = match render_and_parse_url(
                 parser,
@@ -661,10 +662,19 @@ async fn timed_validate_single_match<'a>(
 
             // old per-request cache (optional)
             if !is_multipart {
+                let cache_url = render_template(
+                    parser,
+                    &cache_globals,
+                    &rule_syntax.name,
+                    &http_validation.request.url,
+                )
+                .await
+                .unwrap_or_else(|_| http_validation.request.url.clone());
+
                 let rendered_headers = httpvalidation::process_headers(
                     &http_validation.request.headers,
                     parser,
-                    &request_globals,
+                    &cache_globals,
                     &url,
                 )
                 .unwrap_or_default();
@@ -682,12 +692,12 @@ async fn timed_validate_single_match<'a>(
                         parser
                             .parse(body_template)
                             .ok()
-                            .and_then(|template| template.render(&request_globals).ok())
+                            .and_then(|template| template.render(&cache_globals).ok())
                     });
 
                 cache_key = httpvalidation::generate_http_cache_key_parts(
                     http_validation.request.method.as_str(),
-                    &url,
+                    &cache_url,
                     &header_map,
                     rendered_body.as_deref(),
                 );
diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
index 8737670..44f85c9 100644
--- a/tests/int_context_verification.rs
+++ b/tests/int_context_verification.rs
@@ -3,84 +3,6 @@ use std::{fs, process::Command};
 use anyhow::{Context, Result};
 use serde_json::{Deserializer, Value};
 
-fn macos_arm64_known_missing_findings() -> &'static [(&'static str, &'static str)] {
-    &[
-        ("kingfisher.google.7", "AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM"),
-        (
-            "kingfisher.pem.1",
-            "MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw=",
-        ),
-        (
-            "kingfisher.privkey.2",
-            "-----BEGIN RSA PRIVATE KEY-----MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShzA2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGAMeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCVUpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS/70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/XQZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62XRr1VAkEAljSLsMOk5H7XCctEk3mCu1WgCsUvb/RRCBiBT+cic14OpVtytJMAeLeqcAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/MhrcF+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/TFnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0IkdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vCi5tKaqKIc3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw=-----END RSA PRIVATE KEY-----",
-        ),
-        (
-            "kingfisher.pypi.1",
-            "pypi-AgEIcHlwaS5vcmcCAWEAAAYgNh9pJUqVF-EtMCwGaZYcStFR07RbE8hyb9h2vYxifO8",
-        ),
-        (
-            "kingfisher.pypi.1",
-            "pypi-AgEIcHlwaS5vcmcCAWIAAAYgf_d_XvJfqkOhrkqbEBo-eW9UID46ABNJIdGfaO3n3_k",
-        ),
-        (
-            "kingfisher.pypi.1",
-            "pypi-AgEIcHlwaS5vcmcCAWIAAAYgxbyLvb9egSCECeOdB3qW3h4oXEoNC6kJI0NtaFOQlUY",
-        ),
-        (
-            "kingfisher.pypi.1",
-            "pypi-AgEIcHlwaS5vcmcCAWIAAi97InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiB7InByb2plY3RzIjogW119fQAABiBWHBa1jsbY-iN-Swf3JCrxy8Q8eRCxMrc_1KkkDuB6KQ",
-        ),
-        (
-            "kingfisher.pypi.1",
-            "pypi-AgEIcHlwaS5vcmcCAWIAAiV7InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiAidXNlciJ9AAAGIBeIJGhXk8kPPref7vLuwlKbnSWusZKZivIh92GRUUX4",
-        ),
-        (
-            "kingfisher.slack.1",
-            "xapp-1-A01C259PH2A-1440755929120-7d5241948a2cc1b464add85df8a8e75f9040ae2869f6599926ed0b9dcafdb32b",
-        ),
-        (
-            "kingfisher.slack.2",
-            "xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY",
-        ),
-        (
-            "kingfisher.slack.4",
-            "https://hooks.slack.com/services/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",
-        ),
-    ]
-}
-
-fn is_known_macos_arm64_missing_finding(finding: &Value) -> bool {
-    let rule_id = finding.get("rule_id").and_then(Value::as_str).unwrap_or_default();
-    let snippet = finding.get("snippet").and_then(Value::as_str).unwrap_or_default();
-    macos_arm64_known_missing_findings().iter().any(|(known_rule_id, known_snippet)| {
-        rule_id == *known_rule_id && snippet == *known_snippet
-    })
-}
-
-fn assert_findings_match_for_platform(actual: Vec<Value>, expected: Vec<Value>) {
-    if cfg!(all(target_os = "macos", target_arch = "aarch64")) {
-        let missing = expected
-            .iter()
-            .filter(|finding| !actual.contains(finding))
-            .cloned()
-            .collect::<Vec<_>>();
-        let extras = actual
-            .iter()
-            .filter(|finding| !expected.contains(finding))
-            .cloned()
-            .collect::<Vec<_>>();
-
-        assert!(extras.is_empty(), "unexpected extra findings on macOS ARM64: {extras:#?}");
-        assert!(
-            missing.iter().all(is_known_macos_arm64_missing_finding),
-            "unexpected missing findings on macOS ARM64: {missing:#?}"
-        );
-        return;
-    }
-
-    assert_eq!(actual, expected);
-}
-
 #[test]
 fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
@@ -156,6 +78,6 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     .collect::<Vec<_>>();
     expected.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
 
-    assert_findings_match_for_platform(actual, expected);
+    assert_eq!(actual, expected);
     Ok(())
 }

From a0934737dc063feb9c2b2cd8c816b1153ea1b5ea Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 13:14:39 -0700
Subject: [PATCH 13/17] changes in response to PR review

---
 src/parser.rs                                 | 29 +++++++++-
 src/parser/html.rs                            | 54 ++++++++++++++-----
 testdata/parsers/context_verifier_golden.json |  4 --
 3 files changed, 70 insertions(+), 17 deletions(-)

diff --git a/src/parser.rs b/src/parser.rs
index ee4b20f..a04c56e 100644
--- a/src/parser.rs
+++ b/src/parser.rs
@@ -251,7 +251,7 @@ mod tests {
         .unwrap();
 
         assert!(
-            texts.iter().any(|text| text.contains("<script> = const auth0_client_secret")),
+            texts.iter().any(|text| text.contains("auth0_client_secret = secret-value")),
             "expected uppercase script tag to be handled like lowercase script"
         );
         assert!(
@@ -260,6 +260,33 @@ mod tests {
         );
     }
 
+    #[test]
+    fn html_comment_only_script_context_is_ignored() {
+        let source = br#"
+            <html>
+              <body>
+                <script>// AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM</script>
+                <div>visible text</div>
+              </body>
+            </html>
+        "#;
+        let mut texts = Vec::new();
+        stream_context_candidates(source, &Language::Html, |text| {
+            texts.push(text.to_string());
+            true
+        })
+        .unwrap();
+
+        assert!(
+            !texts.iter().any(|text| text.contains("AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM")),
+            "expected commented-out script secrets to stay ignored"
+        );
+        assert!(
+            texts.iter().any(|text| text.contains("div = visible text")),
+            "expected visible non-script HTML text to remain available for verification"
+        );
+    }
+
     #[test]
     fn comment_only_python_context_is_ignored() {
         let root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
diff --git a/src/parser/html.rs b/src/parser/html.rs
index f10840b..f0ad094 100644
--- a/src/parser/html.rs
+++ b/src/parser/html.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use tl::ParserOptions;
+use tl::{HTMLTag, Node, Parser, ParserOptions};
 
 use super::{css, lexer, Language};
 
@@ -35,25 +35,27 @@ where
             }
         }
 
-        let inner_text = tag.inner_text(parser).trim().to_string();
         match normalized_tag_name.as_str() {
             "script" => {
-                let candidate = format!("<script> = {inner_text}");
-                if !inner_text.is_empty() && !sink(&candidate) {
-                    return Ok(());
+                let script_text = tag.inner_text(parser);
+                let script_text = script_text.trim();
+                if !script_text.is_empty() {
+                    lexer::stream_context_candidates(
+                        script_text.as_bytes(),
+                        &Language::JavaScript,
+                        sink,
+                    )?;
                 }
-                lexer::stream_context_candidates(
-                    inner_text.as_bytes(),
-                    &Language::JavaScript,
-                    sink,
-                )?;
             }
             "style" => {
-                if !inner_text.is_empty() {
-                    css::stream_context_candidates(inner_text.as_bytes(), sink)?;
+                let style_text = tag.inner_text(parser);
+                let style_text = style_text.trim();
+                if !style_text.is_empty() {
+                    css::stream_context_candidates(style_text.as_bytes(), sink)?;
                 }
             }
             _ => {
+                let inner_text = text_without_embedded_code(tag, parser);
                 if !inner_text.is_empty() && !sink(&format!("{tag_name} = {inner_text}")) {
                     return Ok(());
                 }
@@ -63,3 +65,31 @@ where
 
     Ok(())
 }
+
+fn text_without_embedded_code(tag: &HTMLTag<'_>, parser: &Parser<'_>) -> String {
+    let mut text = String::new();
+    collect_visible_text(tag, parser, &mut text);
+    text.trim().to_string()
+}
+
+fn collect_visible_text(tag: &HTMLTag<'_>, parser: &Parser<'_>, out: &mut String) {
+    for handle in tag.children().top().iter() {
+        let Some(node) = handle.get(parser) else {
+            continue;
+        };
+
+        match node {
+            Node::Raw(raw) => out.push_str(raw.as_utf8_str().as_ref()),
+            Node::Comment(_) => {}
+            Node::Tag(child) => {
+                let child_name = child.name().as_utf8_str();
+                if child_name.eq_ignore_ascii_case("script")
+                    || child_name.eq_ignore_ascii_case("style")
+                {
+                    continue;
+                }
+                collect_visible_text(&child, parser, out);
+            }
+        }
+    }
+}
diff --git a/testdata/parsers/context_verifier_golden.json b/testdata/parsers/context_verifier_golden.json
index d3393f2..7ce0f53 100644
--- a/testdata/parsers/context_verifier_golden.json
+++ b/testdata/parsers/context_verifier_golden.json
@@ -135,11 +135,7 @@
     "Println = >>done<<"
   ],
   "html:testdata/html_embedded_vulnerable.html": [
-    "html = .auth0_client_secret {\n        content: \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      }\n    \n  \n  \n    \n      const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
-    "head = .auth0_client_secret {\n        content: \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      }",
     "content = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
-    "body = const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
-    "<script> = const auth0_client_secret = \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\";\n      const password = \"superSecret123\";",
     "auth0_client_secret = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
     "password = superSecret123"
   ],

From 58e9cfd585ab13dbffcd88a39309bffb30be71f9 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 16:16:31 -0700
Subject: [PATCH 14/17] changes in response to PR review

---
 README.md                                |   2 +-
 crates/kingfisher-scanner/src/scanner.rs |  37 +-
 docs-site/docs/features/parsing.md       |  12 +-
 docs-site/docs/reference/architecture.md |   3 +-
 docs-site/docs/reference/comparison.md   |   3 +-
 docs-site/docs/reference/library.md      |  14 +
 docs-site/docs/rules/builtin-rules.md    | 738 ++++++++++++++++++++++-
 docs-site/docs/rules/overview.md         |  35 +-
 src/direct_revoke.rs                     |   7 +-
 src/direct_validate.rs                   |  11 +-
 src/lib.rs                               |   1 +
 src/matcher/filter.rs                    |   9 +
 src/matcher/mod.rs                       | 172 ++++--
 src/reporter.rs                          |  40 +-
 src/template_vars.rs                     | 151 +++++
 15 files changed, 1092 insertions(+), 143 deletions(-)
 create mode 100644 src/template_vars.rs

diff --git a/README.md b/README.md
index c89ea8f..d2ddc61 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
     <img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" alt="License" style="height: 24px;" />
   </a>
   <a href="https://github.com/mongodb/kingfisher">
-    <img src="https://img.shields.io/badge/Detection%20Rules-820-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
+    <img src="https://img.shields.io/badge/Detection%20Rules-821-2ea043.svg" alt="Detection Rules" style="height: 24px;" />
   </a>
   <br>
   <a href="https://github.com/mongodb/kingfisher/pkgs/container/kingfisher">
diff --git a/crates/kingfisher-scanner/src/scanner.rs b/crates/kingfisher-scanner/src/scanner.rs
index 55dff65..cca0ecb 100644
--- a/crates/kingfisher-scanner/src/scanner.rs
+++ b/crates/kingfisher-scanner/src/scanner.rs
@@ -14,6 +14,8 @@ use crate::finding::{Finding, FindingLocation};
 use crate::primitives;
 use crate::scanner_pool::ScannerPool;
 
+const RAW_MATCH_LOOKBACK: usize = 64 * 1024;
+
 /// Configuration options for the scanner.
 #[derive(Debug, Clone)]
 pub struct ScannerConfig {
@@ -167,9 +169,14 @@ impl Scanner {
         // Process matches through regex
         let mut findings = Vec::new();
         let mut seen_matches: FxHashSet<u64> = FxHashSet::default();
-        let mut previous_spans: FxHashMap<usize, Vec<OffsetSpan>> = FxHashMap::default();
+        let mut seen_raw_match_ends: FxHashSet<(usize, usize)> = FxHashSet::default();
+        let mut previous_full_spans: FxHashMap<usize, Vec<OffsetSpan>> = FxHashMap::default();
 
         for (rule_id, start, end) in raw_matches.into_iter().rev() {
+            let _ = start; // Block-mode Vectorscan reports `from` as 0 unless SOM is enabled.
+            if !seen_raw_match_ends.insert((rule_id, end)) {
+                continue;
+            }
             let rule = match self.rules_db.get_rule(rule_id) {
                 Some(r) => r,
                 None => continue,
@@ -180,16 +187,18 @@ impl Scanner {
                 Err(_) => continue,
             };
 
-            let current_span = OffsetSpan::from_range(start..end);
-
-            // Check for overlapping spans
-            if !primitives::record_match(&mut previous_spans, rule_id, current_span) {
-                continue;
-            }
-
-            let haystack = &bytes[start..end];
+            let scan_start = end.saturating_sub(RAW_MATCH_LOOKBACK);
+            let haystack = &bytes[scan_start..end];
 
             for captures in anchored_regex.captures_iter(haystack) {
+                let full_capture = captures.get(0).unwrap();
+                let full_capture_span = OffsetSpan::from_range(
+                    (scan_start + full_capture.start())..(scan_start + full_capture.end()),
+                );
+                if !primitives::record_match(&mut previous_full_spans, rule_id, full_capture_span) {
+                    continue;
+                }
+
                 // Get the primary secret value
                 let secret_capture = primitives::find_secret_capture(&anchored_regex, &captures);
                 let secret_bytes = secret_capture.as_bytes();
@@ -203,20 +212,20 @@ impl Scanner {
                 }
 
                 // Compute match key for dedup
+                let offset_start = scan_start + secret_capture.start();
+                let offset_end = scan_start + secret_capture.end();
                 let match_key = primitives::compute_match_key(
                     secret_bytes,
                     rule.id().as_bytes(),
-                    start + secret_capture.start(),
-                    start + secret_capture.end(),
+                    offset_start,
+                    offset_end,
                 );
                 if !seen_matches.insert(match_key) {
                     continue;
                 }
 
                 // Build the finding
-                let offset_span = OffsetSpan::from_range(
-                    (start + secret_capture.start())..(start + secret_capture.end()),
-                );
+                let offset_span = OffsetSpan::from_range(offset_start..offset_end);
                 let source_span = loc_mapping.get_source_span(&offset_span);
 
                 let secret = if self.config.redact_secrets {
diff --git a/docs-site/docs/features/parsing.md b/docs-site/docs/features/parsing.md
index da71121..dc0c04c 100644
--- a/docs-site/docs/features/parsing.md
+++ b/docs-site/docs/features/parsing.md
@@ -1,6 +1,6 @@
 ---
 title: "Source Code Parsing"
-description: "Language-aware secret detection using lightweight lexers for 16 languages including Python, JavaScript, Go, Rust, and more."
+description: "Language-aware secret detection using tree-sitter parsing for 13+ languages including Python, JavaScript, Go, Rust, and more."
 ---
 
 # Kingfisher Source Code Parsing
@@ -11,7 +11,7 @@ The implementation favors lightweight extractors over full AST parsing:
 
 - **Handwritten lexers** for common programming and config languages — comment-aware stripping followed by regex-based `key = value` extraction
 - **`tl`** for HTML — attribute values, element text, and embedded `<script>` / `<style>` delegation
-- **`cssparser`** for CSS — declaration parsing via Mozilla's CSS tokenizer
+- **`cssparser`** for CSS — declaration parsing via Mozilla’s CSS tokenizer
 
 > **History:** Earlier versions used tree-sitter with 17 statically-linked
 > grammar crates. This added ~20 MB to the binary and required building a
@@ -19,9 +19,9 @@ The implementation favors lightweight extractors over full AST parsing:
 > approach achieves the same extraction quality with near-zero binary overhead
 > and no external grammar dependencies.
 
-## How It's Called
+## How It’s Called
 
-In the scanning phase (in the Matcher's implementation), Kingfisher does the following:
+In the scanning phase (in the Matcher’s implementation), Kingfisher does the following:
 
 - **Primary Regex Pass:** Kingfisher always scans the full blob with Vectorscan/Hyperscan first.
 - **Candidate Selection:** Findings from rules classified as context-dependent become parser-verification candidates.
@@ -42,8 +42,8 @@ The design supports many common source code languages. The Language enum (define
 
 Context verification is skipped in certain cases:
 
-- **No Language Identified:** If the file isn't recognized as belonging to one of the supported languages or no language hint is provided, the context verifier isn't even constructed.
-- **Non-source Files:** Binary files or files that aren't expected to contain code (or aren't extracted from archives) bypass parser-based context verification.
+- **No Language Identified:** If the file isn’t recognized as belonging to one of the supported languages or no language hint is provided, the context verifier isn’t even constructed.
+- **Non-source Files:** Binary files or files that aren’t expected to contain code (or aren’t extracted from archives) bypass parser-based context verification.
 - **Large Blobs:** Files larger than 2 MiB skip context verification to avoid spending time on generated or minified content.
 - **Verification Errors:** If extraction fails, context-dependent matches are suppressed instead of falling back to raw regex hits.
 
diff --git a/docs-site/docs/reference/architecture.md b/docs-site/docs/reference/architecture.md
index 2ea4e06..773fd7d 100644
--- a/docs-site/docs/reference/architecture.md
+++ b/docs-site/docs/reference/architecture.md
@@ -115,7 +115,7 @@ flowchart LR
 - `src/parser.rs` and `src/parser/*`: parser-based context verification for language-aware matching, with handwritten lexers plus lightweight HTML and CSS parsers.
 - `src/scanner_pool.rs`: thread-local vectorscan `BlockScanner` pool, providing safe reuse of compiled pattern databases across scan threads.
 - `src/reporter.rs` and `src/reporter/*`: report rendering for pretty, JSON, BSON, TOON, SARIF, and HTML outputs, plus the data model used by the viewer.
-- `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, AWS, Azure, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase validators, with Liquid template integration for custom validation logic.
+- `src/direct_validate.rs`: direct validation of a known secret without going through pattern matching. Supports HTTP, gRPC, plus schema-level typed validators such as AWS, AzureStorage, GCP, JDBC, MongoDB, MySQL, PostgreSQL, JWT, and Coinbase, and delegates ad-hoc `Raw` validators to `crates/kingfisher-scanner/src/validation/raw.rs`.
 - `src/direct_revoke.rs`: direct revocation of a known secret without going through the scan pipeline. Uses Liquid templates for revocation configurations and supports multi-step HTTP revocation flows.
 - `src/access_map.rs` and `src/access_map/*`: standalone blast-radius mapping with 24 provider implementations including AWS, Azure, GCP, GitHub, GitLab, Slack, Bitbucket, Gitea, Hugging Face, Buildkite, Anthropic, OpenAI, and more.
 
@@ -123,6 +123,7 @@ flowchart LR
 
 - The main CLI scan path is implemented primarily in the application modules under `src/`, not in `kingfisher-scanner`.
 - `kingfisher-scanner` is still important: it provides the embeddable scanner API plus shared validation and primitive functionality reused by the application.
+- The shared validation layer in `crates/kingfisher-scanner/src/validation/` contains both reusable typed validator families and the `Raw` exception-path validators used by rule YAML.
 - Direct `validate`, `revoke`, and standalone `access-map` are sibling command paths. They are not downstream stages of `FindingsStore`.
 - Reporting is downstream from the datastore, which lets Kingfisher emit multiple output formats and drive the local viewer from the same finding set.
 - The matching layer is intentionally hybrid: vectorscan provides high-throughput SIMD-accelerated pattern detection, while regex helpers, Base64 support, and parser-based context verification improve accuracy and reduce false positives.
diff --git a/docs-site/docs/reference/comparison.md b/docs-site/docs/reference/comparison.md
index 67e33e4..5e32283 100644
--- a/docs-site/docs/reference/comparison.md
+++ b/docs-site/docs/reference/comparison.md
@@ -7,6 +7,7 @@ description: "Benchmark results comparing Kingfisher performance against Truffle
 
 ## Runtime Comparison (seconds)
 *Lower runtimes are better.*
+
 | Repository | Kingfisher Runtime | TruffleHog Runtime | GitLeaks Runtime |
 |------------|--------------------|--------------------|------------------|
 | croc | 2.64 | 10.36 | 3.10 |
@@ -67,7 +68,7 @@ Note: For GitLeaks and detect-secrets, validated/verified counts are not availab
 *Smaller binaries are easier to distribute, deploy in CI, and embed in container images*
 
 <p align="center">
-  <img src="../assets/images/binary-size-comparison.png" alt="Binary Size Comparison" />
+  <img src="./binary-size-comparison.png" alt="Binary Size Comparison" />
 </p>
 
 ## Benchmark Environment
diff --git a/docs-site/docs/reference/library.md b/docs-site/docs/reference/library.md
index 15b5f15..0b54919 100644
--- a/docs-site/docs/reference/library.md
+++ b/docs-site/docs/reference/library.md
@@ -39,7 +39,13 @@ The `kingfisher-scanner` crate supports optional validation features:
 | ------- | ----------- |
 | `validation` | Core validation support (includes HTTP validation) |
 | `validation-http` | HTTP-based validation for API tokens |
+| `validation-raw` | Provider/protocol-specific raw validation flows for `validation: type: Raw` rules |
 | `validation-aws` | AWS credential validation via STS GetCallerIdentity |
+| `validation-azure` | Azure storage credential validation |
+| `validation-coinbase` | Coinbase credential validation |
+| `validation-gcp` | GCP credential validation |
+| `validation-jwt` | JWT validation |
+| `validation-database` | MongoDB, MySQL, PostgreSQL, and JDBC validation |
 | `validation-all` | Enable all validation features |
 
 ## Quick Start
@@ -727,9 +733,17 @@ kingfisher-scanner = { git = "https://github.com/mongodb/kingfisher", features =
 | ------- | ----------- |
 | `validation` | Core validation support with HTTP validation |
 | `validation-http` | HTTP-based validation for API tokens |
+| `validation-raw` | Provider/protocol-specific raw validation flows for `validation: type: Raw` rules |
 | `validation-aws` | AWS credential validation via STS |
+| `validation-azure` | Azure storage credential validation |
+| `validation-coinbase` | Coinbase credential validation |
+| `validation-gcp` | GCP credential validation |
+| `validation-jwt` | JWT validation |
+| `validation-database` | MongoDB, MySQL, PostgreSQL, and JDBC validation |
 | `validation-all` | Enable all validation features |
 
+`validation: type: Raw` is the ad-hoc validator path for provider-specific or protocol-specific checks that are not generic enough to become schema-level validator families. Typed validators such as `AWS`, `GCP`, `MongoDB`, and `JWT` remain separate validator kinds in the rule schema.
+
 ### HTTP Validation Example
 
 ```rust
diff --git a/docs-site/docs/rules/builtin-rules.md b/docs-site/docs/rules/builtin-rules.md
index 6951c17..812e710 100644
--- a/docs-site/docs/rules/builtin-rules.md
+++ b/docs-site/docs/rules/builtin-rules.md
@@ -1,13 +1,13 @@
 ---
 title: "Built-in Rules List"
-description: "Complete list of all 734 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support."
+description: "Complete list of all 821 built-in secret detection rules in Kingfisher. Searchable and filterable by provider, confidence level, and validation support."
 ---
 
 # Built-in Rules
 
-Kingfisher ships with **734 detection rules** across **465 providers**
-(654 detectors + 80 dependent rules).
-Of these, **462** include live validation and **43** support direct revocation.
+Kingfisher ships with **821 detection rules** across **510 providers**
+(721 detectors + 100 dependent rules).
+Of these, **513** include live validation and **45** support direct revocation.
 
 !!! tip "Search"
     Use the search box below to filter rules by provider name, rule ID, or confidence level.
@@ -80,6 +80,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Adobe OAuth Client Secret</td>
 <td><code>kingfisher.adobe.3</code></td>
 <td>Unknown</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Adobe</td>
+<td>Adobe OAuth Client ID</td>
+<td><code>kingfisher.adobe.4</code></td>
+<td>Unknown</td>
 <td></td>
 <td></td>
 </tr>
@@ -128,7 +136,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Agora App Certificate</td>
 <td><code>kingfisher.agora.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -244,6 +252,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Amazonoauth</td>
+<td>Login with Amazon OAuth Client ID</td>
+<td><code>kingfisher.amazonoauth.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Amplitude</td>
 <td>Amplitude Secret Key</td>
 <td><code>kingfisher.amplitude.1</code></td>
@@ -332,6 +348,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Asaas</td>
+<td>Asaas API Token</td>
+<td><code>kingfisher.asaas.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Asana</td>
 <td>Asana Client ID</td>
 <td><code>kingfisher.asana.1</code></td>
@@ -344,7 +368,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Asana Client Secret</td>
 <td><code>kingfisher.asana.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -496,7 +520,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Azure Personal Access Token</td>
 <td><code>kingfisher.azure.3</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -516,6 +540,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azure</td>
+<td>Azure AD Client Secret (Microsoft Entra ID)</td>
+<td><code>kingfisher.azure.6</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Azure Notification Hub</td>
 <td>Azure Notification Hub Namespace Host</td>
 <td><code>kingfisher.azure.notificationhub.1</code></td>
@@ -548,6 +580,70 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azureapim</td>
+<td>Azure API Management Subscription Key</td>
+<td><code>kingfisher.azureapim.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Azureapim</td>
+<td>Azure API Management Gateway URL</td>
+<td><code>kingfisher.azureapim.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurebatch</td>
+<td>Azure Batch Account Key</td>
+<td><code>kingfisher.azurebatch.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Azurebatch</td>
+<td>Azure Batch Account Endpoint</td>
+<td><code>kingfisher.azurebatch.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurecognitive</td>
+<td>Azure Cognitive Services / AI Services Key</td>
+<td><code>kingfisher.azurecognitive.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurecommunication</td>
+<td>Azure Communication Services Connection String</td>
+<td><code>kingfisher.azurecommunication.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurecosmosdb</td>
+<td>Azure CosmosDB Account Key</td>
+<td><code>kingfisher.azurecosmosdb.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurecosmosdb</td>
+<td>Azure CosmosDB Connection String</td>
+<td><code>kingfisher.azurecosmosdb.2</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Azuredevops</td>
 <td>Azure DevOps Organization</td>
 <td><code>kingfisher.azure.devops.1</code></td>
@@ -564,6 +660,54 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azureeventgrid</td>
+<td>Azure Event Grid Key</td>
+<td><code>kingfisher.azureeventgrid.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurefunctionkey</td>
+<td>Azure Function Key in URL</td>
+<td><code>kingfisher.azurefunctionkey.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Azurefunctionkey</td>
+<td>Azure Function Master/Host Key</td>
+<td><code>kingfisher.azurefunctionkey.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azurelogicapps</td>
+<td>Azure Logic Apps SAS URL</td>
+<td><code>kingfisher.azurelogicapps.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azuremaps</td>
+<td>Azure Maps Subscription Key</td>
+<td><code>kingfisher.azuremaps.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Azuremixedreality</td>
+<td>Azure Mixed Reality / Spatial Anchors Key</td>
+<td><code>kingfisher.azuremixedreality.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Azureopenai</td>
 <td>Azure OpenAI API Key</td>
 <td><code>kingfisher.azureopenai.1</code></td>
@@ -580,6 +724,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azuresastoken</td>
+<td>Azure SAS Token</td>
+<td><code>kingfisher.azuresastoken.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azuresastoken</td>
+<td>Azure SAS Token in URL</td>
+<td><code>kingfisher.azuresastoken.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Azuresearchquery</td>
 <td>Azure Search Query Key</td>
 <td><code>kingfisher.azuresearch.key.1</code></td>
@@ -596,6 +756,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azuresignalr</td>
+<td>Azure SignalR Connection String</td>
+<td><code>kingfisher.azuresignalr.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Azurespeech</td>
 <td>Azure Speech Region</td>
 <td><code>kingfisher.azurespeech.1</code></td>
@@ -612,6 +780,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azuresql</td>
+<td>Azure SQL Connection String</td>
+<td><code>kingfisher.azuresql.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Azuresql</td>
+<td>Azure SQL Password Assignment</td>
+<td><code>kingfisher.azuresql.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Azurestorage</td>
 <td>Azure Storage Account Name</td>
 <td><code>kingfisher.azurestorage.1</code></td>
@@ -644,6 +828,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Azurewebpubsub</td>
+<td>Azure Web PubSub Connection String</td>
+<td><code>kingfisher.azurewebpubsub.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Baremetrics</td>
 <td>Baremetrics API Key</td>
 <td><code>kingfisher.baremetrics.1</code></td>
@@ -704,7 +896,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Bitfinex API Secret</td>
 <td><code>kingfisher.bitfinex.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -716,6 +908,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Bitrise</td>
+<td>Bitrise Personal Access Token</td>
+<td><code>kingfisher.bitrise.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Blockprotocol</td>
+<td>Block Protocol API Key</td>
+<td><code>kingfisher.blockprotocol.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Blynk</td>
 <td>Blynk Device Access Token</td>
 <td><code>kingfisher.blynk.1</code></td>
@@ -784,7 +992,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Branch.io Test Key</td>
 <td><code>kingfisher.branchio.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -852,6 +1060,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Canva</td>
+<td>Canva Connect API Client Secret</td>
+<td><code>kingfisher.canva.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Carto</td>
 <td>CARTO API Access Token (JWT)</td>
 <td><code>kingfisher.carto.1</code></td>
@@ -868,6 +1084,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Cfxre</td>
+<td>Cfx.re FiveM Server Key</td>
+<td><code>kingfisher.cfxre.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Checkout</td>
 <td>Checkout.com Secret Key</td>
 <td><code>kingfisher.checkout.1</code></td>
@@ -1044,6 +1268,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Cockroachlabs</td>
+<td>CockroachDB Cloud API Key</td>
+<td><code>kingfisher.cockroachlabs.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Codacy</td>
 <td>Codacy API Key</td>
 <td><code>kingfisher.codacy.1</code></td>
@@ -1304,7 +1536,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Databricks API token</td>
 <td><code>kingfisher.databricks.1</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -1532,6 +1764,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Docker</td>
+<td>Docker Swarm Join Token</td>
+<td><code>kingfisher.docker.2</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Docker</td>
+<td>Docker Swarm Unlock Key</td>
+<td><code>kingfisher.docker.3</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Dockerhub</td>
 <td>Docker Hub Personal Access Token</td>
 <td><code>kingfisher.dockerhub.1</code></td>
@@ -1560,6 +1808,30 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>DocuSign API Secret Key</td>
 <td><code>kingfisher.docusign.1</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Docusign</td>
+<td>DocuSign Integration Key</td>
+<td><code>kingfisher.docusign.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Docusign</td>
+<td>DocuSign Auth Host</td>
+<td><code>kingfisher.docusign.3</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Docusign</td>
+<td>DocuSign Redirect URI</td>
+<td><code>kingfisher.docusign.4</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -1628,6 +1900,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Dropbox</td>
+<td>Dropbox Long-Lived API Token</td>
+<td><code>kingfisher.dropbox.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Duffel</td>
 <td>Duffel API Token</td>
 <td><code>kingfisher.duffel.1</code></td>
@@ -1672,6 +1952,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Dwolla Client Secret</td>
 <td><code>kingfisher.dwolla.2</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Dwolla</td>
+<td>Dwolla API Base URL</td>
+<td><code>kingfisher.dwolla.3</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -1692,6 +1980,46 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Ebay</td>
+<td>eBay Production Client ID</td>
+<td><code>kingfisher.ebay.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Ebay</td>
+<td>eBay Sandbox Client ID</td>
+<td><code>kingfisher.ebay.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Ebay</td>
+<td>eBay Client Secret</td>
+<td><code>kingfisher.ebay.3</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Elastic</td>
+<td>Elastic Cloud API Key</td>
+<td><code>kingfisher.elastic.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Elastic</td>
+<td>Elasticsearch API Key with Prefix</td>
+<td><code>kingfisher.elastic.2</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Elasticemail</td>
 <td>Elastic Email API Key</td>
 <td><code>kingfisher.elasticemail.1</code></td>
@@ -1944,7 +2272,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Flutterwave Secret Key</td>
 <td><code>kingfisher.flutterwave.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -2032,7 +2360,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>FTP Connection URI Credentials</td>
 <td><code>kingfisher.ftp.1</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -2261,6 +2589,54 @@ Of these, **462** include live validation and **43** support direct revocation.
 </tr>
 <tr>
 <td>Gitlab</td>
+<td>GitLab Kubernetes Agent Token</td>
+<td><code>kingfisher.gitlab.10</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab OAuth Application Secret</td>
+<td><code>kingfisher.gitlab.11</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Runner Authentication Token</td>
+<td><code>kingfisher.gitlab.12</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Runner Authentication Token - Routable Format</td>
+<td><code>kingfisher.gitlab.13</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab SCIM Token</td>
+<td><code>kingfisher.gitlab.14</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Session Cookie</td>
+<td><code>kingfisher.gitlab.15</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
 <td>GitLab Runner Registration Token</td>
 <td><code>kingfisher.gitlab.2</code></td>
 <td>Unknown</td>
@@ -2284,6 +2660,46 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Yes</td>
 </tr>
 <tr>
+<td>Gitlab</td>
+<td>GitLab CI/CD Job Token</td>
+<td><code>kingfisher.gitlab.5</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Deploy Token</td>
+<td><code>kingfisher.gitlab.6</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Feature Flag Client Token</td>
+<td><code>kingfisher.gitlab.7</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Feed Token</td>
+<td><code>kingfisher.gitlab.8</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Gitlab</td>
+<td>GitLab Incoming Mail Token</td>
+<td><code>kingfisher.gitlab.9</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Gitter</td>
 <td>Gitter Access Token</td>
 <td><code>kingfisher.gitter.1</code></td>
@@ -2320,7 +2736,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Google OAuth Client Secret</td>
 <td><code>kingfisher.google.2</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -2328,7 +2744,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Google OAuth Client Secret</td>
 <td><code>kingfisher.google.3</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -2336,8 +2752,8 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Google OAuth Access Token</td>
 <td><code>kingfisher.google.4</code></td>
 <td>Medium</td>
-<td></td>
-<td></td>
+<td>Yes</td>
+<td>Yes</td>
 </tr>
 <tr>
 <td>Google</td>
@@ -2361,7 +2777,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td><code>kingfisher.google.oauth2.1</code></td>
 <td>Medium</td>
 <td>Yes</td>
-<td></td>
+<td>Yes</td>
 </tr>
 <tr>
 <td>Gradle</td>
@@ -2540,6 +2956,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Hcaptcha</td>
+<td>hCaptcha Site Verify Secret Key</td>
+<td><code>kingfisher.hcaptcha.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Heartland</td>
 <td>Heartland Portico API Key</td>
 <td><code>kingfisher.heartland.1</code></td>
@@ -2588,6 +3012,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Yes</td>
 </tr>
 <tr>
+<td>Highnote</td>
+<td>Highnote API Key</td>
+<td><code>kingfisher.highnote.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Honeycomb</td>
 <td>Honeycomb API Key</td>
 <td><code>kingfisher.honeycomb.1</code></td>
@@ -2596,6 +3028,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Hop</td>
+<td>HOP Project Token</td>
+<td><code>kingfisher.hop.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Hop</td>
+<td>HOP Personal Access Token</td>
+<td><code>kingfisher.hop.2</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Http</td>
 <td>HTTP Basic Authentication</td>
 <td><code>kingfisher.http.1</code></td>
@@ -2756,6 +3204,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Iterative</td>
+<td>Iterative DVC Studio Access Token</td>
+<td><code>kingfisher.iterative.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Jdbc</td>
 <td>JDBC connection string with embedded credentials</td>
 <td><code>kingfisher.jdbc.1</code></td>
@@ -2928,6 +3384,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Kraken API Secret</td>
 <td><code>kingfisher.kraken.1</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Kraken</td>
+<td>Kraken API Key</td>
+<td><code>kingfisher.kraken.2</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -2968,6 +3432,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>KuCoin API Secret</td>
 <td><code>kingfisher.kucoin.2</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Kucoin</td>
+<td>KuCoin API Passphrase</td>
+<td><code>kingfisher.kucoin.3</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -3068,6 +3540,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Ldap</td>
+<td>LDAP Bind URI Credentials</td>
+<td><code>kingfisher.ldap.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Lemonsqueezy</td>
 <td>LemonSqueezy API Key</td>
 <td><code>kingfisher.lemonsqueezy.1</code></td>
@@ -3076,6 +3556,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Lichess</td>
+<td>Lichess Personal Access Token</td>
+<td><code>kingfisher.lichess.1</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Line</td>
 <td>Line Messaging API Token</td>
 <td><code>kingfisher.line.1</code></td>
@@ -3140,6 +3628,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Localstack</td>
+<td>LocalStack Simulated AWS Access Key</td>
+<td><code>kingfisher.localstack.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Lokalise</td>
 <td>Lokalise API Token</td>
 <td><code>kingfisher.lokalise.1</code></td>
@@ -3180,6 +3676,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Mailersend</td>
+<td>MailerSend API Token</td>
+<td><code>kingfisher.mailersend.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Mailgun</td>
 <td>MailGun Token</td>
 <td><code>kingfisher.mailgun.1</code></td>
@@ -3724,6 +4228,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Onfido</td>
+<td>Onfido API Token</td>
+<td><code>kingfisher.onfido.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Openai</td>
 <td>OpenAI API Key</td>
 <td><code>kingfisher.openai.1</code></td>
@@ -3772,6 +4284,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Openvsx</td>
+<td>OpenVSX Access Token</td>
+<td><code>kingfisher.openvsx.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Openweathermap</td>
 <td>OpenWeather Map API Key</td>
 <td><code>kingfisher.openweather.1</code></td>
@@ -3836,6 +4356,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Paddle</td>
+<td>Paddle API Key</td>
+<td><code>kingfisher.paddle.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Pagerdutyapikey</td>
 <td>PagerDuty API Key</td>
 <td><code>kingfisher.pagerduty.1</code></td>
@@ -3844,6 +4372,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Pangea</td>
+<td>Pangea Service Token</td>
+<td><code>kingfisher.pangea.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Particle.Io</td>
 <td>particle.io Access Token</td>
 <td><code>kingfisher.particleio.1</code></td>
@@ -3940,6 +4476,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Persona</td>
+<td>Persona API Key</td>
+<td><code>kingfisher.persona.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Phpmailer</td>
 <td>PHPMailer Credentials</td>
 <td><code>kingfisher.phpmailer.1</code></td>
@@ -3980,6 +4524,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Pinterest</td>
+<td>Pinterest Access Token</td>
+<td><code>kingfisher.pinterest.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Pinterest</td>
+<td>Pinterest Refresh Token</td>
+<td><code>kingfisher.pinterest.2</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Pipedrive</td>
 <td>Pipedrive API Token</td>
 <td><code>kingfisher.pipedrive.1</code></td>
@@ -4060,6 +4620,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Polar</td>
+<td>Polar Personal Access Token</td>
+<td><code>kingfisher.polar.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Polymarket</td>
 <td>Polymarket Builder Secret</td>
 <td><code>kingfisher.polymarket.1</code></td>
@@ -4120,7 +4688,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>PostHog OAuth Access Token</td>
 <td><code>kingfisher.posthog.4</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -4180,6 +4748,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Proof</td>
+<td>Proof API Key</td>
+<td><code>kingfisher.proof.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Psexec</td>
 <td>Credentials in PsExec</td>
 <td><code>kingfisher.psexec.1</code></td>
@@ -4248,7 +4824,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>RabbitMQ Credential</td>
 <td><code>kingfisher.rabbitmq.1</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -4276,6 +4852,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Rainforestpay</td>
+<td>Rainforest Pay API Key</td>
+<td><code>kingfisher.rainforestpay.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Rapidapi</td>
 <td>RapidAPI Key</td>
 <td><code>kingfisher.rapidapi.1</code></td>
@@ -4344,7 +4928,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Redis URI Connection String</td>
 <td><code>kingfisher.redis.1</code></td>
 <td>Medium</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -4416,6 +5000,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>RingCentral Client Secret</td>
 <td><code>kingfisher.ringcentral.2</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Ringcentral</td>
+<td>RingCentral OAuth Base URL</td>
+<td><code>kingfisher.ringcentral.3</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Ringcentral</td>
+<td>RingCentral Redirect URI</td>
+<td><code>kingfisher.ringcentral.4</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -4444,6 +5044,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Rootly</td>
+<td>Rootly API Key</td>
+<td><code>kingfisher.rootly.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Rubygems</td>
 <td>RubyGems API Key</td>
 <td><code>kingfisher.rubygems.1</code></td>
@@ -4452,6 +5060,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Runpod</td>
+<td>RunPod API Key</td>
+<td><code>kingfisher.runpod.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Runway</td>
 <td>Runway API Key</td>
 <td><code>kingfisher.runway.1</code></td>
@@ -4844,6 +5460,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Snowflake</td>
+<td>Snowflake Programmatic Access Token</td>
+<td><code>kingfisher.snowflake.2</code></td>
+<td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Snowflake</td>
+<td>Snowflake Account Host</td>
+<td><code>kingfisher.snowflake.3</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Snyk</td>
 <td>Snyk API Key</td>
 <td><code>kingfisher.snyk.1</code></td>
@@ -5152,6 +5784,22 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Tableau Personal Access Token</td>
 <td><code>kingfisher.tableau.1</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Tableau</td>
+<td>Tableau Server URL</td>
+<td><code>kingfisher.tableau.2</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>Tableau</td>
+<td>Tableau Site Content URL</td>
+<td><code>kingfisher.tableau.3</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -5196,6 +5844,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Telnyx</td>
+<td>Telnyx API V2 Key</td>
+<td><code>kingfisher.telnyx.1</code></td>
+<td>High</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
 <td>Temporal</td>
 <td>Temporal Cloud API Key</td>
 <td><code>kingfisher.temporal.1</code></td>
@@ -5276,6 +5932,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Thunderstore</td>
+<td>Thunderstore API Token</td>
+<td><code>kingfisher.thunderstore.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Thycotic</td>
 <td>Thycotic / Delinea Secret Server Credentials</td>
 <td><code>kingfisher.thycotic.1</code></td>
@@ -5320,6 +5984,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Trello API Token</td>
 <td><code>kingfisher.trello.1</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Trello</td>
+<td>Trello API Key</td>
+<td><code>kingfisher.trello.2</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
@@ -5440,7 +6112,7 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Ubidots API Key</td>
 <td><code>kingfisher.ubidots.1</code></td>
 <td>High</td>
-<td></td>
+<td>Yes</td>
 <td></td>
 </tr>
 <tr>
@@ -5500,6 +6172,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Valtown</td>
+<td>Val Town API Token</td>
+<td><code>kingfisher.valtown.1</code></td>
+<td>High</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Vapi</td>
 <td>Vapi API Key</td>
 <td><code>kingfisher.vapi.1</code></td>
@@ -5588,6 +6268,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td></td>
 </tr>
 <tr>
+<td>Volcengine</td>
+<td>VolcEngine Access Key ID</td>
+<td><code>kingfisher.volcengine.1</code></td>
+<td>Medium</td>
+<td></td>
+<td></td>
+</tr>
+<tr>
 <td>Vonage</td>
 <td>Vonage (Nexmo) API Key</td>
 <td><code>kingfisher.vonage.1</code></td>
@@ -5656,6 +6344,14 @@ Of these, **462** include live validation and **43** support direct revocation.
 <td>Webex Integration Client Secret</td>
 <td><code>kingfisher.webex.2</code></td>
 <td>Medium</td>
+<td>Yes</td>
+<td></td>
+</tr>
+<tr>
+<td>Webex</td>
+<td>Webex Redirect URI</td>
+<td><code>kingfisher.webex.3</code></td>
+<td>Medium</td>
 <td></td>
 <td></td>
 </tr>
diff --git a/docs-site/docs/rules/overview.md b/docs-site/docs/rules/overview.md
index f8780f2..43e29b7 100644
--- a/docs-site/docs/rules/overview.md
+++ b/docs-site/docs/rules/overview.md
@@ -171,9 +171,29 @@ revocation:
 | visible                 | false to hide non‑secret captures (e.g. IDs)                         |
 | depends_on_rule         | Chain rules: use captures from one rule in another's validation      |
 | pattern_requirements  | Require character types and/or exclude placeholder words from matches |
-| validation              | Configure HTTP, AWS, GCP, etc. checks to verify live validity        |
+| validation              | Configure `Http`, `Grpc`, typed validators (`AWS`, `GCP`, etc.), or `Raw` exception-path checks to verify live validity |
 | revocation              | Configure HTTP, AWS, or multi-step revocation for a detected secret  |
 
+## Validation Types
+
+Kingfisher supports three validation buckets:
+
+1. `Http` and `Grpc`: YAML-native validation flows. Prefer these first.
+2. Typed validators: schema-level validation families already modeled in the rule schema, such as `AWS`, `AzureStorage`, `Coinbase`, `GCP`, `MongoDB`, `MySQL`, `Postgres`, `Jdbc`, and `JWT`.
+3. Raw validators: provider-specific or protocol-specific exception paths dispatched through `validation: type: Raw`.
+
+Raw validation looks like this:
+
+```yaml
+validation:
+  type: Raw
+  content: kraken
+```
+
+Use `Raw` only when the provider check cannot be expressed reliably with `Http` or `Grpc` and does not justify a new reusable validator family. Raw validator implementations live in `crates/kingfisher-scanner/src/validation/raw.rs`.
+
+Typed validators are safer and more reusable because the validator kind is part of the schema. `Raw` validators are string-dispatched and fail at runtime if the `content` name is unknown. If you need a Rust-backed exception path for one provider, prefer `Raw`; reserve new typed validators for stable validation families that can be reused across rules.
+
 ## gRPC Validation (Grpc)
 
 Some services (notably CLI/SDK control planes) are **gRPC-only**. For these, `validation: type: Http`
@@ -473,6 +493,7 @@ Below is the complete list of Liquid filters available in Kingfisher, along with
 | `hmac_sha1`           | `key` (string)                               | Computes HMAC-SHA1 over the input, returns Base64-encoded result.                                              | `{{ TOKEN \| hmac_sha1: "secret-key" }}`                             |
 | `hmac_sha256`         | `key` (string)                               | Computes HMAC-SHA256 over the input, returns Base64-encoded result.                                            | `{{ TOKEN \| hmac_sha256: "secret-key" }}`                           |
 | `hmac_sha384`         | `key` (string)                               | Computes HMAC-SHA384 over the input, returns Base64-encoded result.                                            | `{{ TOKEN \| hmac_sha384: "secret-key" }}`                           |
+| `hmac_sha384_hex`     | `key` (string)                               | Computes HMAC-SHA384 over the input, returns lowercase hexadecimal output.                                     | `{{ TOKEN \| hmac_sha384_hex: "secret-key" }}`                       |
 | `hmac_sha256_b64key`  | `key` (string, base64-encoded)               | Decodes the key from Base64 to raw bytes, then computes HMAC-SHA256. Returns Base64. Use for Azure SAS and other protocols where the signing key is base64-encoded. | `{{ to_sign \| hmac_sha256_b64key: TOKEN }}`                         |
 | `random_string`       | `len` (integer, optional)                    | Generates a cryptographically-secure random alphanumeric string of the specified length (default: 32).        | `{{ "" \| random_string: 16 }}`                                      |
 | `prefix`              | `len` (integer, optional)                    | Returns the first `len` characters from the string (default: full).                                            | `{{ TOKEN \| prefix: 6 }}`                                           |
@@ -481,8 +502,10 @@ Below is the complete list of Liquid filters available in Kingfisher, along with
 | `url_encode`          | –                                            | Percent-encodes the input according to RFC 3986.                                                                | `{{ TOKEN \| url_encode }}`                                          |
 | `json_escape`         | –                                            | Escapes special characters so a string can be safely injected into JSON contexts.                              | `{{ TOKEN \| json_escape }}`                                         |
 | `unix_timestamp`      | –                                            | Returns the current Unix epoch time in seconds (UTC).                                                          | `{{ "" \| unix_timestamp }}`                                         |
+| `unix_timestamp_ms`   | –                                            | Returns the current Unix epoch time in milliseconds (UTC).                                                     | `{{ "" \| unix_timestamp_ms }}`                                      |
 | `iso_timestamp`       | –                                            | Returns the current UTC timestamp in full ISO-8601 format (may include fractional seconds).                    | `{{ "" \| iso_timestamp }}`                                          |
 | `iso_timestamp_no_frac` | –                                          | Current ISO-8601 timestamp (UTC) **without** fractional seconds.                                               | `{{ "" \| iso_timestamp_no_frac }}`                                  |
+| `rfc1123_date`        | –                                            | Returns the current RFC-1123 timestamp in GMT.                                                                 | `{{ "" \| rfc1123_date }}`                                           |
 | `uuid`                | –                                            | Generates a random UUIDv4 string.                                                                              | `{{ "" \| uuid }}`                                                   |
 | `jwt_header`          | –                                            | Builds a minimal JWT header JSON (`{"typ":"JWT","alg":…}`) and Base64URL-encodes it.                           | `{{ "HS256" \| jwt_header }}`                                        |
 | `replace`             | `from` (string), `to` (string)               | Replaces every occurrence of `from` with `to` in the input string.                                             | `{{ "hello world" \| replace: "world", "mars" }}`                    |
@@ -497,6 +520,11 @@ Authorization: Basic {{ "api:" | append: TOKEN | b64enc }}
 ```
 
 **Runtime Values:** Filters like unix_timestamp and uuid are evaluated at runtime, enabling nonces, timestamps, and unique IDs in your requests.
+
+**Stable Request Values:** HTTP and gRPC validation requests also expose stable per-request template variables. Use these when the same generated value must appear in multiple places within one request. Currently:
+- `REQUEST_RFC1123_DATE`
+- `REQUEST_UNIX_MILLIS`
+
 ### How depends_on_rule Works
 
 - **Dependency Declaration:**  
@@ -743,7 +771,7 @@ When writing custom rules, consider the following best practices:
 
 1. **Multi-line Regex:** Write your regex patterns over multiple lines for clarity. Use the `(?x)` flag to enable free-spacing mode.
 2. **Optimize for Performance:** Structure your regex to minimize backtracking. Use non-capturing groups where possible and keep the pattern as concise as possible.
-3. **Validation Integration:** Define a `validation` section if you want to verify the detected secret. You can use Liquid templating to insert dynamic values—use the unnamed capture as `TOKEN` and any named captures in uppercase.
+3. **Validation Integration:** Define a `validation` section if you want to verify the detected secret. Prefer `Http` or `Grpc`; use an existing typed validator when the rule matches a supported validator family; use `Raw` only for rare provider-specific exception paths. You can use Liquid templating to insert dynamic values where supported. Use the unnamed capture as `TOKEN` and any named captures in uppercase.
 4. **Revocation Integration:** Define a `revocation` section if you want to revoke a detected secret. It uses the same HTTP request format and template variables as `validation`.
 5. **Test with Examples:** Always include examples that should match and, optionally, negative examples to ensure your rule behaves as expected.
 
@@ -920,4 +948,5 @@ rules:
               words: ['"Arn"']
     depends_on_rule:
       - rule_id: kingfisher.alibabacloud.1
-        variable: AKID```
\ No newline at end of file
+        variable: AKID
+```
diff --git a/src/direct_revoke.rs b/src/direct_revoke.rs
index 81db0cc..646c2cb 100644
--- a/src/direct_revoke.rs
+++ b/src/direct_revoke.rs
@@ -21,6 +21,7 @@ use crate::{
     cli::{commands::revoke::RevokeArgs, global::GlobalArgs},
     liquid_filters::register_all,
     rule_loader::RuleLoader,
+    template_vars::extract_template_vars,
     validation::aws::{revoke_aws_access_key, validate_aws_credentials_input},
     validation::gcp::revoke_gcp_service_account_key,
     validation::httpvalidation::{build_request_builder, retry_request, validate_response},
@@ -88,12 +89,6 @@ fn find_rules_by_selector<'a>(
     Ok(matches)
 }
 
-/// Extract Liquid template variable names from a string.
-fn extract_template_vars(text: &str) -> BTreeSet<String> {
-    let re = Regex::new(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:\|[^}]*)?\}\}").unwrap();
-    re.captures_iter(text).filter_map(|cap| cap.get(1).map(|m| m.as_str().to_uppercase())).collect()
-}
-
 /// Extract all template variables used in a revocation configuration.
 fn extract_revocation_vars(revocation: &Revocation) -> BTreeSet<String> {
     let mut vars = BTreeSet::new();
diff --git a/src/direct_validate.rs b/src/direct_validate.rs
index 77365df..38a013a 100644
--- a/src/direct_validate.rs
+++ b/src/direct_validate.rs
@@ -14,7 +14,6 @@ use anyhow::{anyhow, bail, Context, Result};
 use crossbeam_skiplist::SkipMap;
 use liquid::Object;
 use liquid_core::{Value, ValueView};
-use regex::Regex;
 use reqwest::Client;
 use serde::Serialize;
 use tracing::debug;
@@ -24,6 +23,7 @@ use crate::{
     liquid_filters::register_all,
     rule_loader::RuleLoader,
     rules::{rule::Rule, HttpValidation, Validation},
+    template_vars::extract_template_vars,
     validation::{
         aws::validate_aws_credentials,
         azure::validate_azure_storage_credentials,
@@ -125,15 +125,6 @@ fn get_global_var(globals: &Object, name: &str) -> Option<String> {
     globals.get(name).and_then(|v| v.to_kstr().to_string().into())
 }
 
-/// Extract Liquid template variable names from a string.
-/// Matches patterns like {{ VAR }} or {{ VAR | filter }}.
-fn extract_template_vars(text: &str) -> BTreeSet<String> {
-    // Match {{ VAR }} or {{ VAR | filter }} patterns
-    // Variable names are alphanumeric with underscores
-    let re = Regex::new(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:\|[^}]*)?\}\}").unwrap();
-    re.captures_iter(text).filter_map(|cap| cap.get(1).map(|m| m.as_str().to_uppercase())).collect()
-}
-
 /// Extract all template variables used in a validation configuration.
 fn extract_validation_vars(validation: &Validation) -> BTreeSet<String> {
     let mut vars = BTreeSet::new();
diff --git a/src/lib.rs b/src/lib.rs
index fe7facd..917770a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -54,6 +54,7 @@ pub mod slack;
 pub mod snippet;
 pub mod sqlite;
 pub mod teams;
+pub(crate) mod template_vars;
 pub mod toon;
 pub mod update;
 pub mod util;
diff --git a/src/matcher/filter.rs b/src/matcher/filter.rs
index 40b5a7f..8987976 100644
--- a/src/matcher/filter.rs
+++ b/src/matcher/filter.rs
@@ -169,6 +169,7 @@ pub(crate) fn filter_match<'b>(
     start: usize,
     end: usize,
     matches: &mut Vec<BlobMatch<'b>>,
+    full_matches: Option<&mut FxHashMap<usize, Vec<OffsetSpan>>>,
     previous_matches: &mut FxHashMap<usize, Vec<OffsetSpan>>,
     rule_id: usize,
     seen_matches: &mut FxHashSet<u64>,
@@ -183,6 +184,7 @@ pub(crate) fn filter_match<'b>(
 ) {
     let mut timer =
         profiler.map(|p| RuleTimer::new(p, rule.id(), rule.name(), &rule.syntax.pattern, filename));
+    let mut full_matches = full_matches;
 
     let initial_len = matches.len();
 
@@ -192,6 +194,13 @@ pub(crate) fn filter_match<'b>(
 
     for captures in re.captures_iter(haystack) {
         let full_capture = captures.get(0).unwrap();
+        let full_capture_offset_span =
+            OffsetSpan::from_range((start + full_capture.start())..(start + full_capture.end()));
+        if let Some(full_matches) = full_matches.as_deref_mut() {
+            if !record_match(full_matches, rule_id, full_capture_offset_span) {
+                continue;
+            }
+        }
         let matching_input_for_entropy = find_secret_capture(re, &captures);
 
         let min_entropy = rule.min_entropy();
diff --git a/src/matcher/mod.rs b/src/matcher/mod.rs
index 5e2b03c..cdb0bd5 100644
--- a/src/matcher/mod.rs
+++ b/src/matcher/mod.rs
@@ -33,12 +33,11 @@ use crate::{
 };
 use kingfisher_scanner::primitives::find_secret_capture;
 
-use self::{
-    base64_decode::get_base64_strings as get_b64_strings, dedup::record_match, filter::filter_match,
-};
+use self::{base64_decode::get_base64_strings as get_b64_strings, filter::filter_match};
 
 const MAX_CHUNK_SIZE: usize = 1 << 30; // 1 GiB per scan segment
 const CHUNK_OVERLAP: usize = 64 * 1024; // 64 KiB overlap to catch boundary matches
+const RAW_MATCH_LOOKBACK: usize = 64 * 1024; // Re-scan a bounded suffix ending at the raw match.
 const BASE64_SCAN_LIMIT: usize = 64 * 1024 * 1024; // skip expensive Base64 pass on huge blobs
                                                    // The old tree-sitter limit was 128 KiB due to full-AST parsing cost.
                                                    // The lightweight regex-based lexer is O(n) line-by-line, so we can afford
@@ -243,6 +242,63 @@ impl<'a> Matcher<'a> {
         Ok(())
     }
 
+    fn process_raw_matches<'b>(
+        &self,
+        blob: &'b Blob,
+        origin: &OriginSet,
+        filename: &str,
+        redact: bool,
+        matches: &mut Vec<BlobMatch<'b>>,
+        previous_matches: &mut FxHashMap<usize, Vec<OffsetSpan>>,
+        seen_matches: &mut FxHashSet<u64>,
+        match_rule_indices: &mut Vec<usize>,
+    ) where
+        'a: 'b,
+    {
+        let rules_db = self.rules_db;
+        let mut seen_raw_match_ends: FxHashSet<(usize, usize)> = FxHashSet::default();
+        let mut previous_full_matches: FxHashMap<usize, Vec<OffsetSpan>> = FxHashMap::default();
+        for &RawMatch { rule_id, start_idx, end_idx } in
+            self.user_data.raw_matches_scratch.iter().rev()
+        {
+            let rule_id_usize: usize = rule_id as usize;
+            let rule = Arc::clone(&rules_db.rules()[rule_id_usize]);
+            let re = &rules_db.anchored_regexes()[rule_id_usize];
+            let end_idx_usize = end_idx as usize;
+            let _ = start_idx; // Vectorscan block mode does not provide a reliable start offset.
+            if !seen_raw_match_ends.insert((rule_id_usize, end_idx_usize)) {
+                continue;
+            }
+
+            // Re-scan a bounded suffix ending at the raw match and dedupe on the
+            // actual capture spans produced by the anchored regex.
+            let scan_start = end_idx_usize.saturating_sub(RAW_MATCH_LOOKBACK);
+            let before_len = matches.len();
+            filter_match(
+                blob,
+                rule,
+                re,
+                scan_start,
+                end_idx_usize,
+                matches,
+                Some(&mut previous_full_matches),
+                previous_matches,
+                rule_id_usize,
+                seen_matches,
+                origin,
+                None,
+                false,
+                redact,
+                filename,
+                self.profiler.as_ref(),
+                self.respect_ignore_if_contains,
+                &self.inline_ignore_config,
+            );
+            match_rule_indices
+                .extend(std::iter::repeat_n(rule_id_usize, matches.len() - before_len));
+        }
+    }
+
     pub fn scan_blob<'b>(
         &mut self,
         blob: &'b Blob,
@@ -289,51 +345,25 @@ impl<'a> Matcher<'a> {
             return Ok(ScanResult::New(Vec::new()));
         }
 
-        let rules_db = self.rules_db;
         let mut seen_matches = FxHashSet::default();
         let mut previous_matches: FxHashMap<usize, Vec<OffsetSpan>> = FxHashMap::default();
         let mut match_rule_indices: Vec<usize> = Vec::new();
 
         let blob_len = blob.len();
         let mut matches = Vec::new();
-        let mut previous_raw_matches: FxHashMap<usize, Vec<OffsetSpan>> = FxHashMap::default();
-        for &RawMatch { rule_id, start_idx, end_idx } in
-            self.user_data.raw_matches_scratch.iter().rev()
-        {
-            let rule_id_usize: usize = rule_id as usize;
-            let rule = Arc::clone(&rules_db.rules()[rule_id_usize]);
-            let re = &rules_db.anchored_regexes()[rule_id_usize];
-            let start_idx_usize = start_idx as usize;
-            let end_idx_usize = end_idx as usize;
-            let current_span = OffsetSpan::from_range(start_idx_usize..end_idx_usize);
-            if !record_match(&mut previous_raw_matches, rule_id_usize, current_span) {
-                continue;
-            }
-            let before_len = matches.len();
-            filter_match(
-                blob,
-                rule,
-                re,
-                start_idx_usize,
-                end_idx_usize,
-                &mut matches,
-                &mut previous_matches,
-                rule_id_usize,
-                &mut seen_matches,
-                origin,
-                None,
-                false,
-                redact,
-                &filename,
-                self.profiler.as_ref(),
-                self.respect_ignore_if_contains,
-                &self.inline_ignore_config,
-            );
-            match_rule_indices
-                .extend(std::iter::repeat_n(rule_id_usize, matches.len() - before_len));
-        }
+        self.process_raw_matches(
+            blob,
+            origin,
+            &filename,
+            redact,
+            &mut matches,
+            &mut previous_matches,
+            &mut seen_matches,
+            &mut match_rule_indices,
+        );
 
         if !no_base64 {
+            let rules_db = self.rules_db;
             // If the blob contains standalone Base64 blobs, decode and scan them as well
             const MAX_B64_DEPTH: usize = 2; // decode at most two levels deep
             let mut b64_stack: Vec<(DecodedData, usize)> =
@@ -349,6 +379,7 @@ impl<'a> Matcher<'a> {
                         item.pos_start,
                         item.pos_end,
                         &mut matches,
+                        None,
                         &mut previous_matches,
                         rule_id_usize,
                         &mut seen_matches,
@@ -379,7 +410,7 @@ impl<'a> Matcher<'a> {
             }
         }
         maybe_apply_context_verification(
-            rules_db,
+            self.rules_db,
             blob,
             lang_hint,
             blob_len,
@@ -896,6 +927,65 @@ mod test {
         Ok(())
     }
 
+    #[test]
+    fn bogus_raw_starts_do_not_hide_earlier_matches() -> Result<()> {
+        let rule = Rule::new(RuleSyntax {
+            id: "bogus.start".into(),
+            name: "bogus start".into(),
+            pattern: r#"key\s*=\s*"([A-Z]{3})""#.into(),
+            confidence: crate::rules::rule::Confidence::Low,
+            min_entropy: 0.0,
+            visible: true,
+            examples: vec![],
+            negative_examples: vec![],
+            references: vec![],
+            validation: None::<Validation>,
+            revocation: None,
+            depends_on_rule: vec![],
+            pattern_requirements: None,
+            tls_mode: None,
+        });
+
+        let rules_db = RulesDatabase::from_rules(vec![rule])?;
+        let seen = BlobIdMap::new();
+        let scanner_pool = Arc::new(ScannerPool::new(Arc::new(rules_db.vectorscan_db().clone())));
+        let matcher =
+            Matcher::new(&rules_db, scanner_pool, &seen, None, false, None, &[], false, true)?;
+
+        let mut matcher = matcher;
+        matcher.user_data.raw_matches_scratch = vec![
+            RawMatch { rule_id: 0, start_idx: 5, end_idx: 9 },
+            RawMatch { rule_id: 0, start_idx: 5, end_idx: 19 },
+        ];
+
+        let blob = Blob::from_bytes(b"key=\"ABC\"\nkey=\"DEF\"".to_vec());
+        let origin = OriginSet::from(Origin::from_file(PathBuf::from("bogus-starts.txt")));
+        let mut matches = Vec::new();
+        let mut previous_matches = FxHashMap::default();
+        let mut seen_matches = FxHashSet::default();
+        let mut match_rule_indices = Vec::new();
+
+        matcher.process_raw_matches(
+            &blob,
+            &origin,
+            "bogus-starts.txt",
+            false,
+            &mut matches,
+            &mut previous_matches,
+            &mut seen_matches,
+            &mut match_rule_indices,
+        );
+
+        let secrets = matches
+            .iter()
+            .map(|m| String::from_utf8_lossy(m.matching_input).to_string())
+            .collect::<Vec<_>>();
+
+        assert_eq!(secrets, vec!["ABC", "DEF"]);
+        assert_eq!(match_rule_indices, vec![0, 0]);
+        Ok(())
+    }
+
     #[test]
     fn inline_comment_skips_match() -> Result<()> {
         let rule = Rule::new(RuleSyntax {
diff --git a/src/reporter.rs b/src/reporter.rs
index 7999651..fde8aa4 100644
--- a/src/reporter.rs
+++ b/src/reporter.rs
@@ -25,6 +25,7 @@ use crate::{
     origin::{Origin, OriginSet},
     rules::rule::Confidence,
     rules::Revocation,
+    template_vars::extract_template_vars,
     validation_body::{self, ValidationResponseBody},
 };
 mod bson_format;
@@ -49,45 +50,6 @@ fn escape_for_shell(s: &str) -> String {
     format!("'{}'", s.replace('\'', "'\\''"))
 }
 
-static TEMPLATE_BLOCK_RE: once_cell::sync::Lazy<regex::Regex> = once_cell::sync::Lazy::new(|| {
-    regex::Regex::new(r"\{\{\s*([^}]*)\}\}").expect("template block regex should compile")
-});
-
-static TEMPLATE_IDENT_RE: once_cell::sync::Lazy<regex::Regex> = once_cell::sync::Lazy::new(|| {
-    regex::Regex::new(r"[A-Za-z_][A-Za-z0-9_]*").expect("template identifier regex should compile")
-});
-
-const TEMPLATE_FILTER_NAMES: &[&str] = &[
-    "append",
-    "b64enc",
-    "base62",
-    "crc32",
-    "crc32_hex",
-    "default",
-    "downcase",
-    "json_escape",
-    "prefix",
-    "replace",
-    "url_encode",
-];
-
-fn extract_template_vars(text: &str) -> BTreeSet<String> {
-    let mut vars = BTreeSet::new();
-
-    for block_cap in TEMPLATE_BLOCK_RE.captures_iter(text) {
-        let inner = block_cap.get(1).map(|m| m.as_str()).unwrap_or_default();
-        for ident_cap in TEMPLATE_IDENT_RE.captures_iter(inner) {
-            let ident = ident_cap.get(0).map(|m| m.as_str()).unwrap_or_default();
-            if TEMPLATE_FILTER_NAMES.iter().any(|f| f.eq_ignore_ascii_case(ident)) {
-                continue;
-            }
-            vars.insert(ident.to_uppercase());
-        }
-    }
-
-    vars
-}
-
 fn required_vars_for_validation(validation: &crate::rules::Validation) -> BTreeSet<String> {
     use crate::rules::Validation;
     let mut vars = BTreeSet::new();
diff --git a/src/template_vars.rs b/src/template_vars.rs
new file mode 100644
index 0000000..dd7a277
--- /dev/null
+++ b/src/template_vars.rs
@@ -0,0 +1,151 @@
+use std::collections::BTreeSet;
+
+static TEMPLATE_BLOCK_RE: once_cell::sync::Lazy<regex::Regex> = once_cell::sync::Lazy::new(|| {
+    regex::Regex::new(r"\{\{\s*([^}]*)\}\}").expect("template block regex should compile")
+});
+
+const LIQUID_LITERAL_NAMES: &[&str] = &["blank", "empty", "false", "nil", "null", "true"];
+
+pub(crate) fn extract_template_vars(text: &str) -> BTreeSet<String> {
+    let mut vars = BTreeSet::new();
+
+    for block_cap in TEMPLATE_BLOCK_RE.captures_iter(text) {
+        let inner = block_cap.get(1).map(|m| m.as_str()).unwrap_or_default();
+        for (segment_index, segment) in split_filter_segments(inner).into_iter().enumerate() {
+            collect_segment_vars(segment, segment_index != 0, &mut vars);
+        }
+    }
+
+    vars
+}
+
+fn split_filter_segments(inner: &str) -> Vec<&str> {
+    let mut segments = Vec::new();
+    let mut start = 0;
+    let mut in_single = false;
+    let mut in_double = false;
+    let mut escaped = false;
+
+    for (idx, ch) in inner.char_indices() {
+        if escaped {
+            escaped = false;
+            continue;
+        }
+
+        match ch {
+            '\\' if in_single || in_double => escaped = true,
+            '\'' if !in_double => in_single = !in_single,
+            '"' if !in_single => in_double = !in_double,
+            '|' if !in_single && !in_double => {
+                segments.push(&inner[start..idx]);
+                start = idx + ch.len_utf8();
+            }
+            _ => {}
+        }
+    }
+
+    segments.push(&inner[start..]);
+    segments
+}
+
+fn collect_segment_vars(segment: &str, skip_first_ident: bool, vars: &mut BTreeSet<String>) {
+    let mut chars = segment.char_indices().peekable();
+    let mut in_single = false;
+    let mut in_double = false;
+    let mut escaped = false;
+    let mut skipped_filter_name = !skip_first_ident;
+
+    while let Some((idx, ch)) = chars.next() {
+        if escaped {
+            escaped = false;
+            continue;
+        }
+
+        match ch {
+            '\\' if in_single || in_double => {
+                escaped = true;
+                continue;
+            }
+            '\'' if !in_double => {
+                in_single = !in_single;
+                continue;
+            }
+            '"' if !in_single => {
+                in_double = !in_double;
+                continue;
+            }
+            _ => {}
+        }
+
+        if in_single || in_double || !is_ident_start(ch) {
+            continue;
+        }
+
+        let mut end = idx + ch.len_utf8();
+        while let Some(&(next_idx, next_ch)) = chars.peek() {
+            if !is_ident_continue(next_ch) {
+                break;
+            }
+            chars.next();
+            end = next_idx + next_ch.len_utf8();
+        }
+
+        let ident = &segment[idx..end];
+        if !skipped_filter_name {
+            skipped_filter_name = true;
+            continue;
+        }
+
+        if LIQUID_LITERAL_NAMES.iter().any(|name| name.eq_ignore_ascii_case(ident)) {
+            continue;
+        }
+
+        vars.insert(ident.to_ascii_uppercase());
+    }
+}
+
+fn is_ident_start(ch: char) -> bool {
+    ch.is_ascii_alphabetic() || ch == '_'
+}
+
+fn is_ident_continue(ch: char) -> bool {
+    ch.is_ascii_alphanumeric() || ch == '_'
+}
+
+#[cfg(test)]
+mod tests {
+    use super::extract_template_vars;
+    use std::collections::BTreeSet;
+
+    #[test]
+    fn ignores_filter_names_but_keeps_filter_argument_vars() {
+        let vars = extract_template_vars(
+            "{{ NEXT_PUBLIC_VERCEL_APP_CLIENT_ID | default: VERCEL_APP_CLIENT_ID | append: ':' | append: VERCEL_APP_CLIENT_SECRET | b64enc }}",
+        );
+
+        assert_eq!(
+            vars,
+            BTreeSet::from([
+                "NEXT_PUBLIC_VERCEL_APP_CLIENT_ID".to_string(),
+                "VERCEL_APP_CLIENT_ID".to_string(),
+                "VERCEL_APP_CLIENT_SECRET".to_string(),
+            ])
+        );
+    }
+
+    #[test]
+    fn ignores_literal_strings_and_new_filter_names() {
+        let vars = extract_template_vars(
+            r#"{{ "" | unix_timestamp_ms }} {{ "" | rfc1123_date }} {{ TOKEN | hmac_sha384_hex: SECRET }} {{ "https://example.com/oauth/callback" | url_encode }}"#,
+        );
+
+        assert_eq!(vars, BTreeSet::from(["SECRET".to_string(), "TOKEN".to_string()]));
+    }
+
+    #[test]
+    fn ignores_liquid_literal_arguments() {
+        let vars = extract_template_vars(r#"{{ TOKEN | default: blank | append: FALLBACK }}"#);
+
+        assert_eq!(vars, BTreeSet::from(["FALLBACK".to_string(), "TOKEN".to_string()]));
+    }
+}

From a9fdf41558de3be3f6df0e6a01d5dcc940b2dd9f Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 17:38:46 -0700
Subject: [PATCH 15/17] changes in response to PR review

---
 tests/int_context_verification.rs | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
index 44f85c9..5fdb8ea 100644
--- a/tests/int_context_verification.rs
+++ b/tests/int_context_verification.rs
@@ -6,7 +6,15 @@ use serde_json::{Deserializer, Value};
 #[test]
 fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
-        .args(["scan", "testdata", "--format", "json", "--no-validate", "--no-update-check"])
+        .args([
+            "scan",
+            "testdata",
+            "--format",
+            "json",
+            "--no-validate",
+            "--no-update-check",
+            "--no-dedup",
+        ])
         .output()
         .context("run kingfisher scan against testdata")?;
 
@@ -30,6 +38,10 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
         .and_then(Value::as_array)
         .context("scan output missing findings array")?;
 
+    // `testdata/parsers/*` intentionally contains baseline fixtures that repeat real secrets from
+    // the scanned corpus. Scan ordering is parallelized, so store-level dedup can otherwise keep
+    // either the fixture copy or the real-file copy nondeterministically. Compare a stable
+    // rule+snippet set from the non-parser files instead.
     let mut actual = findings
         .iter()
         .filter(|finding| {
@@ -54,6 +66,7 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
         })
         .collect::<Vec<_>>();
     actual.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
+    actual.dedup();
 
     let mut expected = serde_json::from_str::<Vec<Value>>(
         &fs::read_to_string("testdata/parsers/scan_findings_baseline.json")
@@ -77,6 +90,7 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     })
     .collect::<Vec<_>>();
     expected.sort_by(|left, right| left.to_string().cmp(&right.to_string()));
+    expected.dedup();
 
     assert_eq!(actual, expected);
     Ok(())

From 57b2a40461c29b716d03299ab0b5795a2bd991c3 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 19:58:09 -0700
Subject: [PATCH 16/17] changes in response to PR review

---
 src/findings_store.rs             | 213 +++++++++++++++++++++++++-----
 tests/dependent_rule_dedup.rs     |  57 ++++++++
 tests/int_context_verification.rs |  13 +-
 3 files changed, 247 insertions(+), 36 deletions(-)

diff --git a/src/findings_store.rs b/src/findings_store.rs
index 57070f0..8dcd8c4 100644
--- a/src/findings_store.rs
+++ b/src/findings_store.rs
@@ -1,4 +1,5 @@
 use std::{
+    cmp::Ordering,
     hash::{Hash, Hasher},
     path::PathBuf,
     str::FromStr,
@@ -48,6 +49,7 @@ pub struct FindingsStore {
     rules: Vec<Arc<Rule>>,
     matches: Vec<Arc<FindingsStoreMessage>>,
     index_map: FxHashMap<(BlobId, OffsetSpan), usize>,
+    dedup_index_map: FxHashMap<u64, usize>,
     blobs: FxHashSet<BlobId>,
     clone_dir: PathBuf,
     seen_bloom: Bloom<u64>,
@@ -75,6 +77,7 @@ impl FindingsStore {
             matches: Vec::new(),
             blobs: FxHashSet::default(),
             index_map: FxHashMap::default(),
+            dedup_index_map: FxHashMap::default(),
             blob_meta: FxHashMap::default(),
             origin_meta: FxHashMap::default(),
             clone_dir,
@@ -114,11 +117,14 @@ impl FindingsStore {
     pub fn replace_matches(&mut self, new_matches: Vec<Arc<FindingsStoreMessage>>) {
         self.matches = new_matches;
         self.index_map.clear();
+        self.dedup_index_map.clear();
         self.blobs.clear();
         for (i, message) in self.matches.iter().enumerate() {
             let blob_id = message.1.id;
             let offset_span = message.2.location.offset_span;
             self.index_map.insert((blob_id, offset_span), i);
+            let dedup_key = self.dedup_key(message.0.as_ref(), message.1.as_ref(), &message.2);
+            self.dedup_index_map.insert(dedup_key, i);
             self.blobs.insert(blob_id);
         }
     }
@@ -153,6 +159,160 @@ impl FindingsStore {
                 self.dependent_rule_ids.insert(dependency.rule_id.to_uppercase());
             }
         }
+        if !self.matches.is_empty() {
+            self.rebuild_dedup_index_map();
+        }
+    }
+
+    fn primary_snippet<'a>(m: &'a Match) -> &'a str {
+        m.groups
+            .captures
+            .iter()
+            .find(|c| c.name.is_none() && c.match_number == 0)
+            .map(|c| c.raw_value())
+            .or_else(|| {
+                m.groups
+                    .captures
+                    .iter()
+                    .find(|c| matches!(c.name.as_deref(), Some("TOKEN")))
+                    .map(|c| c.raw_value())
+            })
+            .or_else(|| m.groups.captures.get(0).map(|c| c.raw_value()))
+            .unwrap_or("")
+    }
+
+    fn dedup_key(&self, origin: &OriginSet, blob_md: &BlobMetadata, m: &Match) -> u64 {
+        let origin_kind = match origin.first() {
+            Origin::GitRepo(_) => "git",
+            Origin::File(_) => "file",
+            Origin::Extended(_) => "ext",
+        };
+        let rule_id = m.rule.id().to_uppercase();
+        let snippet = Self::primary_snippet(m);
+        let key_string = if self.dependent_rule_ids.contains(&rule_id) {
+            format!("{}|{}|{}|{}", rule_id, origin_kind, snippet, blob_md.id.hex())
+        } else {
+            format!("{}|{}|{}", rule_id, origin_kind, snippet)
+        };
+        xxh3_64(key_string.as_bytes())
+    }
+
+    fn normalize_path_for_order(path: &str) -> String {
+        path.replace('\\', "/")
+    }
+
+    fn origin_order_key(origin: &Origin) -> (u8, String, String) {
+        match origin {
+            Origin::GitRepo(repo) => {
+                let repo_path = Self::normalize_path_for_order(&repo.repo_path.to_string_lossy());
+                let blob_path = repo
+                    .first_commit
+                    .as_ref()
+                    .map(|commit| Self::normalize_path_for_order(&commit.blob_path))
+                    .unwrap_or_default();
+                let commit_id = repo
+                    .first_commit
+                    .as_ref()
+                    .map(|commit| commit.commit_metadata.commit_id.to_string())
+                    .unwrap_or_default();
+                (0, format!("{repo_path}/{blob_path}"), commit_id)
+            }
+            Origin::File(file) => {
+                (1, Self::normalize_path_for_order(&file.path.to_string_lossy()), String::new())
+            }
+            Origin::Extended(ext) => (
+                2,
+                ext.path()
+                    .map(|path| Self::normalize_path_for_order(&path.to_string_lossy()))
+                    .unwrap_or_else(|| Self::normalize_path_for_order(&ext.0.to_string())),
+                String::new(),
+            ),
+        }
+    }
+
+    fn canonical_entry_key(
+        origin: &OriginSet,
+        blob_md: &BlobMetadata,
+        m: &Match,
+    ) -> ((u8, String, String), usize, usize, String) {
+        let primary_origin = origin
+            .iter()
+            .min_by_key(|origin| Self::origin_order_key(origin))
+            .map(Self::origin_order_key)
+            .unwrap_or((u8::MAX, String::new(), String::new()));
+        (primary_origin, m.location.offset_span.start, m.location.offset_span.end, blob_md.id.hex())
+    }
+
+    fn merge_origin_sets(existing: &OriginSet, incoming: &OriginSet) -> OriginSet {
+        let mut origins = Vec::new();
+        let mut push_unique = |origin: &Origin| {
+            if !origins.iter().any(|existing| existing == origin) {
+                origins.push(origin.clone());
+            }
+        };
+
+        for origin in existing.iter().chain(incoming.iter()) {
+            push_unique(origin);
+        }
+
+        origins.sort_by_key(Self::origin_order_key);
+        OriginSet::try_from_iter(origins).expect("merged origin set is non-empty")
+    }
+
+    fn merge_duplicate(
+        &mut self,
+        idx: usize,
+        incoming_origin: Arc<OriginSet>,
+        incoming_blob: Arc<BlobMetadata>,
+        incoming_match: Match,
+    ) {
+        let incoming_index_key = (incoming_blob.id, incoming_match.location.offset_span);
+        let (prefer_incoming, merged_origin) = {
+            let (existing_origin, existing_blob, existing_match) = &*self.matches[idx];
+            let existing_key = Self::canonical_entry_key(
+                existing_origin.as_ref(),
+                existing_blob.as_ref(),
+                existing_match,
+            );
+            let incoming_key = Self::canonical_entry_key(
+                incoming_origin.as_ref(),
+                incoming_blob.as_ref(),
+                &incoming_match,
+            );
+            (
+                incoming_key.cmp(&existing_key) == Ordering::Less,
+                Self::merge_origin_sets(existing_origin.as_ref(), incoming_origin.as_ref()),
+            )
+        };
+
+        let merged_origin_arc = {
+            let merged_origin_arc = Arc::new(merged_origin);
+            let fp = origin_fp(merged_origin_arc.as_ref());
+            self.origin_meta.entry(fp).or_insert_with(|| merged_origin_arc.clone()).clone()
+        };
+
+        self.index_map.insert(incoming_index_key, idx);
+
+        let stored = &mut self.matches[idx];
+        let (stored_origin, stored_blob, stored_match) = Arc::make_mut(stored);
+        *stored_origin = merged_origin_arc;
+        if prefer_incoming {
+            let blob_arc = self
+                .blob_meta
+                .entry(incoming_blob.id)
+                .or_insert_with(|| incoming_blob.clone())
+                .clone();
+            *stored_blob = blob_arc;
+            *stored_match = incoming_match;
+        }
+    }
+
+    fn rebuild_dedup_index_map(&mut self) {
+        self.dedup_index_map.clear();
+        for (idx, message) in self.matches.iter().enumerate() {
+            let key = self.dedup_key(message.0.as_ref(), message.1.as_ref(), &message.2);
+            self.dedup_index_map.insert(key, idx);
+        }
     }
 
     /// Insert a batch of findings.  
@@ -169,42 +329,17 @@ impl FindingsStore {
             │ 1. Optional duplicate filter (unchanged)                      │
             └───────────────────────────────────────────────────────────────*/
             if dedup {
-                // Prefer the full unnamed match (index 0). Fall back to a named TOKEN capture
-                // before using whatever capture is available.
-                let snippet = m
-                    .groups
-                    .captures
-                    .iter()
-                    .find(|c| c.name.is_none() && c.match_number == 0)
-                    .map(|c| c.raw_value())
-                    .or_else(|| {
-                        m.groups
-                            .captures
-                            .iter()
-                            .find(|c| matches!(c.name.as_deref(), Some("TOKEN")))
-                            .map(|c| c.raw_value())
-                    })
-                    .or_else(|| m.groups.captures.get(0).map(|c| c.raw_value()))
-                    .unwrap_or("");
-
-                let origin_kind = match origin.first() {
-                    Origin::GitRepo(_) => "git",
-                    Origin::File(_) => "file",
-                    Origin::Extended(_) => "ext",
-                };
-
-                let rule_id = m.rule.id().to_uppercase();
-                let key_string = if self.dependent_rule_ids.contains(&rule_id) {
-                    format!("{}|{}|{}|{}", rule_id, origin_kind, snippet, blob_md.id.hex())
-                } else {
-                    format!("{}|{}|{}", rule_id, origin_kind, snippet)
-                };
-                let key = xxh3_64(key_string.as_bytes());
-
-                if self.seen_bloom.check(&key) {
-                    continue; // very likely a duplicate
+                let dedup_key = self.dedup_key(origin.as_ref(), blob_md.as_ref(), &m);
+                if self.seen_bloom.check(&dedup_key) {
+                    if let Some(&idx) = self.dedup_index_map.get(&dedup_key) {
+                        if self.blobs.insert(blob_md.id) {
+                            added += 1;
+                        }
+                        self.merge_duplicate(idx, origin, blob_md, m);
+                        continue;
+                    }
                 }
-                self.seen_bloom.set(&key);
+                self.seen_bloom.set(&dedup_key);
                 self.bloom_items += 1;
             }
 
@@ -233,6 +368,14 @@ impl FindingsStore {
             let blob_id = self.matches[idx].1.id;
             let offset_span = self.matches[idx].2.location.offset_span;
             self.index_map.insert((blob_id, offset_span), idx);
+            if dedup {
+                let dedup_key = self.dedup_key(
+                    self.matches[idx].0.as_ref(),
+                    self.matches[idx].1.as_ref(),
+                    &self.matches[idx].2,
+                );
+                self.dedup_index_map.insert(dedup_key, idx);
+            }
         }
 
         /* ─────────────────────────────────────────────────────────────────── */
diff --git a/tests/dependent_rule_dedup.rs b/tests/dependent_rule_dedup.rs
index 273468e..003e55b 100644
--- a/tests/dependent_rule_dedup.rs
+++ b/tests/dependent_rule_dedup.rs
@@ -145,3 +145,60 @@ fn dedup_still_merges_non_dependency_rules_across_blobs() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn dedup_uses_a_stable_canonical_representative() -> Result<()> {
+    let rule = make_rule("RULE.SIMPLE", vec![]);
+
+    let make_store = |rule: &Arc<Rule>| {
+        let mut store = FindingsStore::new(PathBuf::from("/tmp"));
+        store.record_rules(&[rule.clone()]);
+        store
+    };
+
+    let origin_a = Arc::new(OriginSet::single(Origin::from_file(PathBuf::from("a.txt"))));
+    let origin_z = Arc::new(OriginSet::single(Origin::from_file(PathBuf::from("z.txt"))));
+    let blob_a = Arc::new(BlobMetadata {
+        id: BlobId::new(b"blob-a"),
+        num_bytes: 10,
+        mime_essence: None,
+        language: None,
+    });
+    let blob_z = Arc::new(BlobMetadata {
+        id: BlobId::new(b"blob-z"),
+        num_bytes: 10,
+        mime_essence: None,
+        language: None,
+    });
+
+    let forward = vec![
+        record_match(&origin_z, &blob_z, make_match(rule.clone(), blob_z.id, "shared_token")),
+        record_match(&origin_a, &blob_a, make_match(rule.clone(), blob_a.id, "shared_token")),
+    ];
+    let reverse = vec![
+        record_match(&origin_a, &blob_a, make_match(rule.clone(), blob_a.id, "shared_token")),
+        record_match(&origin_z, &blob_z, make_match(rule.clone(), blob_z.id, "shared_token")),
+    ];
+
+    let mut forward_store = make_store(&rule);
+    forward_store.record(forward, true);
+
+    let mut reverse_store = make_store(&rule);
+    reverse_store.record(reverse, true);
+
+    for store in [&forward_store, &reverse_store] {
+        assert_eq!(store.get_matches().len(), 1);
+
+        let (origin, blob, matched) = &*store.get_matches()[0];
+        assert_eq!(origin.len(), 2, "duplicate findings should merge origins");
+        assert_eq!(
+            origin.first().full_path().as_deref(),
+            Some(PathBuf::from("a.txt").as_path()),
+            "the lexicographically smallest path should be the representative",
+        );
+        assert_eq!(blob.id, blob_a.id);
+        assert_eq!(matched.blob_id, blob_a.id);
+    }
+
+    Ok(())
+}
diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
index 5fdb8ea..d4baa71 100644
--- a/tests/int_context_verification.rs
+++ b/tests/int_context_verification.rs
@@ -3,6 +3,10 @@ use std::{fs, process::Command};
 use anyhow::{Context, Result};
 use serde_json::{Deserializer, Value};
 
+fn is_parser_fixture(path: &str) -> bool {
+    path.replace('\\', "/").starts_with("testdata/parsers/")
+}
+
 #[test]
 fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
@@ -50,7 +54,7 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
                 .and_then(Value::as_object)
                 .and_then(|data| data.get("path"))
                 .and_then(Value::as_str)
-                .map(|path| !path.starts_with("testdata/parsers/"))
+                .map(|path| !is_parser_fixture(path))
                 .unwrap_or(true)
         })
         .map(|finding| {
@@ -95,3 +99,10 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
     assert_eq!(actual, expected);
     Ok(())
 }
+
+#[test]
+fn parser_fixture_filter_normalizes_windows_paths() {
+    assert!(is_parser_fixture("testdata/parsers/scan_findings_baseline.json"));
+    assert!(is_parser_fixture(r"testdata\parsers\scan_findings_baseline.json"));
+    assert!(!is_parser_fixture("testdata/generic_secrets.py"));
+}

From 1628dac0c75c518446e5b1b007989c8a64f79579 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Wed, 8 Apr 2026 20:32:46 -0700
Subject: [PATCH 17/17] changes in response to PR review

---
 tests/int_context_verification.rs | 73 ++++++++++++++++++-------------
 1 file changed, 43 insertions(+), 30 deletions(-)

diff --git a/tests/int_context_verification.rs b/tests/int_context_verification.rs
index d4baa71..b1d8c3e 100644
--- a/tests/int_context_verification.rs
+++ b/tests/int_context_verification.rs
@@ -1,26 +1,44 @@
-use std::{fs, process::Command};
+use std::{ffi::OsString, fs, path::Path, process::Command};
 
 use anyhow::{Context, Result};
 use serde_json::{Deserializer, Value};
 
-fn is_parser_fixture(path: &str) -> bool {
-    path.replace('\\', "/").starts_with("testdata/parsers/")
+fn scan_inputs_without_parser_fixtures() -> Result<Vec<OsString>> {
+    let mut inputs = fs::read_dir("testdata")
+        .context("read testdata directory")?
+        .map(|entry| {
+            let entry = entry.context("read testdata entry")?;
+            let path = entry.path();
+            Ok((entry.file_name(), path))
+        })
+        .collect::<Result<Vec<_>>>()?;
+
+    inputs.sort_by(|left, right| left.0.cmp(&right.0));
+
+    Ok(inputs
+        .into_iter()
+        .filter_map(|(name, path)| {
+            (name != OsString::from("parsers")).then_some(path.into_os_string())
+        })
+        .collect())
 }
 
 #[test]
 fn scan_findings_match_pre_removal_baseline() -> Result<()> {
+    let mut args = vec![OsString::from("scan")];
+    args.extend(scan_inputs_without_parser_fixtures()?);
+    args.extend([
+        OsString::from("--format"),
+        OsString::from("json"),
+        OsString::from("--no-validate"),
+        OsString::from("--no-update-check"),
+        OsString::from("--no-dedup"),
+    ]);
+
     let output = Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
-        .args([
-            "scan",
-            "testdata",
-            "--format",
-            "json",
-            "--no-validate",
-            "--no-update-check",
-            "--no-dedup",
-        ])
+        .args(&args)
         .output()
-        .context("run kingfisher scan against testdata")?;
+        .context("run kingfisher scan against testdata inputs without parser fixtures")?;
 
     let code = output.status.code().unwrap_or_default();
     assert!(
@@ -42,21 +60,11 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
         .and_then(Value::as_array)
         .context("scan output missing findings array")?;
 
-    // `testdata/parsers/*` intentionally contains baseline fixtures that repeat real secrets from
-    // the scanned corpus. Scan ordering is parallelized, so store-level dedup can otherwise keep
-    // either the fixture copy or the real-file copy nondeterministically. Compare a stable
-    // rule+snippet set from the non-parser files instead.
+    // This baseline is meant to verify the secret corpus, not store-level dedup behavior or the
+    // parser fixture artifacts kept under `testdata/parsers/`. Scan only the real corpus inputs
+    // and compare a stable unique rule+snippet set.
     let mut actual = findings
         .iter()
-        .filter(|finding| {
-            finding
-                .get("finding")
-                .and_then(Value::as_object)
-                .and_then(|data| data.get("path"))
-                .and_then(Value::as_str)
-                .map(|path| !is_parser_fixture(path))
-                .unwrap_or(true)
-        })
         .map(|finding| {
             let rule = finding.get("rule").and_then(Value::as_object).cloned().unwrap_or_default();
             serde_json::json!({
@@ -101,8 +109,13 @@ fn scan_findings_match_pre_removal_baseline() -> Result<()> {
 }
 
 #[test]
-fn parser_fixture_filter_normalizes_windows_paths() {
-    assert!(is_parser_fixture("testdata/parsers/scan_findings_baseline.json"));
-    assert!(is_parser_fixture(r"testdata\parsers\scan_findings_baseline.json"));
-    assert!(!is_parser_fixture("testdata/generic_secrets.py"));
+fn scan_inputs_exclude_parser_fixture_directory() -> Result<()> {
+    let inputs = scan_inputs_without_parser_fixtures()?;
+
+    assert!(inputs.iter().all(|path| Path::new(path) != Path::new("testdata/parsers")));
+    assert!(inputs
+        .iter()
+        .any(|path| Path::new(path) == Path::new("testdata/python_vulnerable.py")));
+
+    Ok(())
 }