---
# Secret-scanning rule kingfisher.gitea.1: finds candidate Gitea access tokens
# and checks each one with a single authenticated GET against gitea.com.
rules:
  - name: Gitea Access Token
    id: kingfisher.gitea.1
    # Verbose, case-insensitive regex. It needs the word "gitea", then a
    # credential keyword within 16 characters, then a 40-character hex value
    # within 32 more characters. Only the hex value is captured.
    # A SHA-1 digest (for example a git commit id) has the same shape, so a
    # match is only a candidate until validation confirms it.
    pattern: |
      (?xi)
      \b
      (?:gitea)
      (?:.|[\n\r]){0,16}?
      (?:token|key|secret|pat|access[_-]?token|api[_-]?key)\b
      (?:.|[\n\r]){0,32}?
      \b
      (
        [a-f0-9]{40}
      )
      \b
    # Post-match filters on the captured value.
    pattern_requirements:
      min_digits: 4
      min_entropy: 3.0
    confidence: medium
    # Sample strings the pattern is expected to match.
    examples:
      - GITEA_TOKEN=5aab40e433037523cc70af7d3894a0fa8b4338b0
      - "gitea_access_token: 4c1cc89e363477a554b0eb629d3bc50bc810dfa2"
      - GITEA_KEY=def2fac70d12fd8ec8046ce554577298dbd99414
      - |
        [gitea]
        token = 8b40bcd90946073dfa9df0f0cb999b21da6a372d
    references:
      - https://docs.gitea.com/development/api-usage
    # NOTE: Gitea's token management API (/api/v1/user/tokens) requires
    # Basic Auth (username/password). Self-revocation using only the token
    # is not supported by the Gitea API.
    #
    # NOTE(review): the request below always goes to gitea.com. Gitea is
    # commonly self-hosted, which has two consequences for triage:
    #   - a token issued by another instance is rejected here (401) and will
    #     not validate, even if it is still live on its own server;
    #   - every candidate is sent to gitea.com, whichever instance issued it.
    # Treat a finding that fails validation as unverified, not as revoked,
    # and rotate it on the issuing instance.
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://gitea.com/api/v1/user
          headers:
            Authorization: 'token {{ TOKEN }}'
            Accept: application/json
          response_matcher:
            - report_response: true
            # 200 = token has read:user scope; 403 = valid token with limited
            # scopes (Gitea returns 401 for truly invalid/expired tokens).
            - type: StatusMatch
              status:
                - 200
                - 403
            # Body markers for those two cases: '"login"' is presumably the
            # user object returned with 200, and 'token does not have' the
            # insufficient-scope message returned with 403.
            - type: WordMatch
              words:
                - '"login"'
                - 'token does not have'