id: ruby-hardcoded-secrets
name: Hardcoded Secret
severity: warning
category: security
defect_class: secrets
inline_tier: blocking
language: ruby

message: "Hardcoded {{VARNAME}} — use environment variables or a secrets manager"

description: |
  Hardcoding credentials in source code exposes them in version control.
  
  ✅ FIX:
    token = ENV.fetch("API_TOKEN")
    api_key = Rails.application.credentials.api_key

query: |
  (assignment
    left: (identifier) @VARNAME
    right: (string) @VALUE)

metavars:
  - VARNAME
  - VALUE

post_filter: check_secret_pattern

has_fix: false

tags:
  - security
  - credentials

examples:
  bad: |
    token = "<redacted>"    # hardcoded — BUG
    api_key = "<redacted>"  # hardcoded — BUG
  
  good: |
    token = ENV.fetch("API_TOKEN")
    api_key = Rails.application.credentials.api_key
