# DISABLED (#206): relies on a metavariable `constraints` regex (VAR) to flag
# only secret-named assignments; the runner's interpreter ignores constraints, so
# the bare `const $VAR = "..."` pattern matches every string literal (noise).
id: no-hardcoded-secrets-js
language: JavaScript
message: "Hardcoded secret detected — use process.env instead"
severity: error
note: |
  Hardcoded secrets in source code can be exposed through version control.
  Use environment variables or a secrets manager instead.
  
  BAD:  const apiKey = "sk-live-1234567890"
  GOOD: const apiKey = process.env.API_KEY
rule:
  any:
    - pattern: const $VAR = "$_"
    - pattern: const $VAR = '$_'
constraints:
  VAR:
    regex: "(password|passwd|pwd|secret|token|apiKey|api_key|apikey|apiSecret|accessKey|access_key|auth|privateKey|private_key|clientSecret|client_secret|credentials|bearer)"
