Two credential patterns were missing from the PiiDetector, confirmed
by a live audit log entry showing `was_pii_redacted: false` with plaintext creds:
1. Abbreviated key form (`pass: abc123!!`): the pattern only matched
   `password|passwd|pwd`. Added `pass`, `passphrase`, `secret` with a word
   boundary to prevent substring false positives (`bypass:`, `compass:`).
2. Natural language form ("Is the password password123 good"): added a
   second Password sub-pattern for keyword-adjacent values without a
   key separator. The value must contain a digit or special char to avoid
   flagging plain words ("password strength", "password policy").
5 new regression tests added. 233/233 Rust tests pass.

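
The two patterns described in that commit, as an added example that is not the project's code. It is written in Go because Go's `regexp` is RE2-based and, like Rust's `regex` crate, has no lookaround, so every construct below is one both engines accept. The keyword lists, the `Redact` helper, the `[REDACTED]` placeholder and the sample lines are assumptions for this example; it also covers one case the commit does not mention, a separator with spaces on both sides (`password : x`), which must be claimed by the key/value pattern and not by the adjacent-token one.

```go
package main

import (
	"fmt"
	"regexp"
)

// Both patterns use only syntax that RE2 (Go) and Rust's regex crate share:
// no lookahead/lookbehind, no backreferences.

// Digits plus ASCII punctuation, minus the ':' and '=' key separators, so a
// stray separator after a keyword is never taken as the value itself.
var special = "0-9!\"#$%&'()*+,\\-./;<>?@\\[\\\\\\]^_`{|}~"

var (
	// Key/value form: <keyword> [spaces] ':' or '=' [spaces] <value>.
	// The \b on both sides of the keyword keeps "bypass:" and "compass:"
	// from matching through the "pass" alternative.
	keyValue = regexp.MustCompile(
		`(?i)\b(?:password|passwd|pwd|passphrase|pass|secret)\b\s*[:=]\s*(\S+)`)

	// Natural-language form: keyword followed by whitespace and a token with
	// no separator. The token must contain a digit or special character, so
	// "password strength" and "password policy" are left alone.
	adjacent = regexp.MustCompile(
		`(?i)\b(?:password|passphrase|secret)\s+([^\s:=]*[` + special + `]\S*)`)
)

const placeholder = "[REDACTED]"

// redactGroup replaces capture group 1 of every match of re in s and
// returns the new string together with the number of replacements made.
func redactGroup(re *regexp.Regexp, s string) (string, int) {
	matches := re.FindAllStringSubmatchIndex(s, -1)
	if len(matches) == 0 {
		return s, 0
	}
	var out []byte
	last := 0
	for _, m := range matches {
		start, end := m[2], m[3] // byte offsets of group 1
		out = append(out, s[last:start]...)
		out = append(out, placeholder...)
		last = end
	}
	out = append(out, s[last:]...)
	return string(out), len(matches)
}

// Redact masks credential values in s and reports whether anything was
// redacted, the boolean an audit field such as was_pii_redacted records.
// The key/value pattern runs first so that "password : x" is consumed by
// it before the adjacent-token pattern sees the line.
func Redact(s string) (string, bool) {
	s, n1 := redactGroup(keyValue, s)
	s, n2 := redactGroup(adjacent, s)
	return s, n1+n2 > 0
}

func main() {
	// Constructed sample lines (assumed for this example), not from any real audit log.
	for _, line := range []string{
		"pass: abc123!!",
		"bypass: enabled",
		"compass: north",
		"Is the password password123 good",
		"password strength must be high",
		"password policy updated",
		"db secret = hunter2",
		"password : Tr0ub4dor&3",
	} {
		out, hit := Redact(line)
		fmt.Printf("%-36q redacted=%-5v %q\n", line, hit, out)
	}
}
```

The adjacent-token class deliberately excludes `:` and `=`: with the full punctuation class, the residue of a key/value redaction such as `password : [REDACTED]` would be matched a second time with the bare `:` as the "value". Values containing whitespace (`passphrase=correct horse`) are still only partially masked by either pattern; that is the same trade-off the single-token `\S+` capture makes.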
Rust's `regex` crate does not support lookaround assertions. The hostname
pattern `(?=.{1,253}\b)` caused a panic on every `PiiDetector::new()` call,
failing all four PII detector tests in CI (rust-fmt-check, rust-clippy,
rust-tests). Removed the lookahead; the remaining pattern correctly matches
valid FQDNs without the RFC 1035 length pre-check.
Also reformatted `analysis.rs:253` to satisfy `rustfmt` (line break after `=`).
All 127 Rust tests pass, and `cargo fmt --check` and `cargo clippy -- -D
warnings` are clean.

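
Added example, not the project's code: Go's `regexp` is also RE2-based, so it is a convenient stand-in for showing the same failure and the fix. The commit quotes only the `(?=.{1,253}\b)` prefix, so the hostname body, the `LookaroundSupported` and `FindHostnames` helpers and the sample text are assumptions for this example. Where the commit drops the length pre-check, the example keeps the RFC 1035 limit but applies it as ordinary code after the match, which is the form an engine without lookahead supports.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hostname body assumed for this example: one or more labels of 1-63
// alphanumeric/hyphen characters that neither start nor end with a hyphen,
// followed by an alphabetic top-level label.
const hostnameBody = `(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}`

// The pattern with the lookahead prefix quoted in the commit. RE2 engines
// reject it: Go returns a compile error, the Rust regex crate surfaced it
// as the panic in PiiDetector::new().
const lookaheadPattern = `(?=.{1,253}\b)` + hostnameBody

// The pattern with the lookahead removed, which both engines accept.
var hostnameRe = regexp.MustCompile(`(?i)\b` + hostnameBody + `\b`)

// LookaroundSupported reports whether this engine accepts the lookahead form.
func LookaroundSupported() bool {
	_, err := regexp.Compile(lookaheadPattern)
	return err == nil
}

// FindHostnames returns the FQDN-shaped tokens in s whose total length does
// not exceed the 253-octet limit of RFC 1035. The limit is enforced as plain
// code after the match instead of inside the pattern.
func FindHostnames(s string) []string {
	var out []string
	for _, m := range hostnameRe.FindAllString(s, -1) {
		if len(m) <= 253 {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	fmt.Println("lookaround supported:", LookaroundSupported())
	// Constructed sample text (assumed for this example).
	fmt.Println(FindHostnames("ssh to bastion.example.com or mail.example.co.uk; x.y is not a name"))
}
```

One caveat worth knowing before reaching for a lookahead elsewhere: `(?=.{1,253}\b)` would not have enforced the 253-character limit even in an engine that supports it, because `.{1,253}\b` is satisfied by the first word boundary after the match start, which for any dotted name is the end of its first label. A post-match `len(m) <= 253` check is both portable and actually correct.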
Remove high-risk defaults and tighten data handling across auth, storage, IPC, provider calls, and capabilities so sensitive data is better protected by default. Also update README/wiki security guidance and add targeted tests for the new hardening behaviors.
Made-with: Cursor