rules:
  - name: Temporal Cloud API Key
    id: kingfisher.temporal.1
    pattern: |
      (?x)
      \b
      (
        eyJ[A-Za-z0-9_-]{10,}
        \.
        [A-Za-z0-9_-]*Y2NvdW50X2lk          (?# payload contains "account_id" )
        [A-Za-z0-9_-]*InRlbXBvcmFsLmlv      (?# payload contains "temporal.io" )
        [A-Za-z0-9_-]*(?:ICJrZXlfaWQiOi|a2V5X2lk|rZXlfaWQi) (?# payload contains "key_id" )
        [A-Za-z0-9_-]{20,}
        \.
        [A-Za-z0-9_-]{20,}
      )
      \b
    pattern_requirements:
      min_digits: 3
    min_entropy: 3.2
    confidence: medium
    examples:
      - 'temporal_api_key="eyJhbGciOiJFUzI1NiIsImtpZCI6IlNhbXBsZSJ9.eyJhY2NvdW50X2lkIjoic2FtcGxlIiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoic2FtcGxlLWtleSIsInN1YiI6InVzZXItMTIzIiwiZXhwIjoyMDAwMDAwMDAwfQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVyXzEyMzQ1Njc4OTA"'
      - 'temporal --profile cloud config set --prop api_key --value "eyJhbGciOiJFUzI1NiIsImtpZCI6IkFub3RoZXJLZXkifQ.eyJhY2NvdW50X2lkIjoidGVzdC1hY2N0IiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoidGVzdC1rZXktaWQiLCJzdWIiOiJ1c2VyLXRlc3QiLCJleHAiOjIwMDAwMDAwMDB9.c2lnbmF0dXJlX3Rlc3RfdmFsdWVfMDEyMzQ1Njc4OTAi'
    negative_examples:
      - 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInN1YiI6InVzZXIiLCJleHAiOjE5NzIxNzI0NjF9.WQWcwBAQFNE259f2o8ruFln_UMLTFEnEaUD7KHrs9Aw'
    references:
      - https://docs.temporal.io/cloud/api-keys
      - https://docs.temporal.io/cli/env-config
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://saas-api.tmprl.cloud/cloud/current-identity
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: WordMatch
              words:
                - '"user"'
                - '"serviceAccount"'
              match_all_words: false