# gitleaks vs leakproof — verified receipt for the launch claim
# Generated by worker-opus-3. Reproducible; gitleaks v8.30.1, default ruleset.
# Files = the post-diff source from worker-3's tests/adversarial/demo_planted_secret.diff:
#   services/billing/config.py  (AWS key id, AWS secret, base64-wrapped AWS key)
#   tests/fixtures/conftest.py  (prod Postgres DSN)

## gitleaks detect --no-git --source scan/
1:50PM INF scanned ~434 bytes (434 bytes) in 238ms
1:50PM INF no leaks found

## WHY 0: gitleaks' generic-api-key rule only fires when a credential keyword (key/api/token/secret/password/auth/access/...)
## sits in the identifier right before the assignment AND the value clears its entropy threshold. The planted names are
## _aws / _aws_secret / _fallback / DB, so three of the four never trip the keyword half → 0 findings. (_aws_secret does contain
## "secret", so that line's miss is not explained by the name alone.) Caveat: gitleaks also ships value-based rules, e.g.
## aws-access-token keyed to the AKIA/ASIA prefix; if the planted key id is one of the AKIA...EXAMPLE documentation keys, that
## rule's allowlist suppresses it regardless of the variable name.
## Proof that the NAMES drive the generic rule: rename to aws_secret_access_key= / database_password_url= and gitleaks DOES catch them:

## gitleaks detect --no-git --source struct/  (same secrets, blatant var names)
RuleID:      generic-api-key
RuleID:      generic-api-key
1:50PM WRN leaks found: 2

## => Differentiator is VALUE-awareness vs variable-name matching (renaming-proof).
## leakproof half of the side-by-side: was pending the scanner merge (opus-5 integration branch) when this entry was written; the verified run follows.

## ────────────────────────────────────────────────────────────
## leakproof half (VERIFIED) — worker-2 scanner lane/semantic @ 28854f4
## Same fixture, rules-only (LEAKPROOF_SEMANTIC=0, deterministic, no model):
##   services/billing/config.py
##     [high]   aws_access_key_id         AWS access key ID
##     [medium] high_entropy_string       the base64-wrapped key, flagged on entropy
##   tests/fixtures/conftest.py
##     [high]   db_url_with_credentials   prod Postgres DSN with embedded creds
##   => leakproof: 3 of the 4 planted secrets caught (rules-only; the plain AWS secret access key is the one miss, see the semantic note below).  gitleaks: 0.
## Repro: LEAKPROOF_SEMANTIC=0 leakproof scan <fixture files>  (installed console script; rules-only by default)
## (optional semantic pass via ollama qwen2.5:1.5b also catches the "EXAMPLE"-masked AWS secret,
##  but it's non-deterministic on a 1.5B model — rules-only is the clean demo number.)
##
## THE SIDE-BY-SIDE (identical input):  gitleaks 0  →  leakproof 3 (of 4, rules-only, deterministic).
## Why gitleaks misses: its generic keyword+entropy rule keys off variable NAMES (_aws/_fallback/DB don't trigger), and no
## value-based gitleaks rule matched this fixture. leakproof evaluates the VALUE → renaming-proof. THIS is the demo.
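
## Added worked example (editor's addition; not the receipt's tooling and not gitleaks' or leakproof's actual code): a Python
## model of the two detection styles, run over a constructed four-line fixture in both naming variants. The values are AWS's
## published documentation example credentials plus a made-up Postgres DSN; the rule ids mirror the receipt's labels, but the
## regexes, the entropy thresholds and the base64-unwrap step are this example's own assumptions. The name-keyed scan goes
## 0 → 4 across the rename; the value-keyed scan reports the same four findings either way.

```python
"""Name-keyed vs value-keyed secret detection over the same fixture.

Constructed example: the regexes and thresholds are this file's own
simplifications, not gitleaks' or leakproof's actual rules.
"""
import base64
import binascii
import math
import re

# Constructed fixture values: AWS's published documentation example
# credentials (never live) plus a made-up Postgres DSN.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
WRAPPED_KEY = base64.b64encode(ACCESS_KEY_ID.encode()).decode()
DSN = "postgres://billing:s3cr3t-pw@db.internal:5432/prod"

# Same four secrets, two sets of variable names.
OBSCURE_NAMES = (
    f'_aws = "{ACCESS_KEY_ID}"\n'
    f'_aws2 = "{SECRET_KEY}"\n'
    f'_fallback = "{WRAPPED_KEY}"\n'
    f'DB = "{DSN}"\n'
)
BLATANT_NAMES = (
    f'aws_access_key_id = "{ACCESS_KEY_ID}"\n'
    f'aws_secret_access_key = "{SECRET_KEY}"\n'
    f'fallback_api_key = "{WRAPPED_KEY}"\n'
    f'database_password_url = "{DSN}"\n'
)

ASSIGNMENT = re.compile(r'^\s*(?P<name>[\w.-]+)\s*[:=]\s*[\'"]?(?P<value>[^\s\'"]{10,150})')
KEYWORDS = re.compile(r'key|api|token|secret|passw|auth|access|credential', re.I)
AWS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')
DSN_WITH_CREDS = re.compile(r'\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@/\'"]+:[^\s@\'"]+@[^\s\'"]+')
BASE64_TOKEN = re.compile(r'\b[A-Za-z0-9+/]{16,}={0,2}')


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def name_keyed_scan(text: str, min_entropy: float = 3.5) -> list[tuple[int, str]]:
    """Model of a generic keyword+entropy rule: the variable NAME must carry a
    credential keyword and the value must clear the entropy floor."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if m and KEYWORDS.search(m["name"]) and shannon_entropy(m["value"]) >= min_entropy:
            hits.append((lineno, "generic-api-key"))
    return hits


def value_rules(s: str) -> list[str]:
    """Rules that look only at the shape of the VALUE, never at the name."""
    rules = []
    if AWS_KEY_ID.search(s):
        rules.append("aws_access_key_id")
    if DSN_WITH_CREDS.search(s):
        rules.append("db_url_with_credentials")
    return rules


def value_keyed_scan(text: str, min_entropy: float = 4.0) -> list[tuple[int, str]]:
    """Value-aware scan: shape rules on the raw line, the same rules on any
    base64 token once decoded, and an entropy fallback for lines no shape
    rule explained."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rules = value_rules(line)
        for tok in BASE64_TOKEN.findall(line):
            try:
                decoded = base64.b64decode(tok, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not a base64 wrapper around printable text
            rules += [r + ":base64" for r in value_rules(decoded)]
        if not rules:
            m = ASSIGNMENT.match(line)
            if m and shannon_entropy(m["value"]) >= min_entropy:
                rules.append("high_entropy_string")
        hits.extend((lineno, r) for r in rules)
    return hits


def side_by_side() -> dict[str, dict[str, int]]:
    """Finding counts for both scanners on both naming variants."""
    return {
        "name_keyed": {"obscure": len(name_keyed_scan(OBSCURE_NAMES)),
                       "blatant": len(name_keyed_scan(BLATANT_NAMES))},
        "value_keyed": {"obscure": len(value_keyed_scan(OBSCURE_NAMES)),
                        "blatant": len(value_keyed_scan(BLATANT_NAMES))},
    }


if __name__ == "__main__":
    for label, text in (("obscure", OBSCURE_NAMES), ("blatant", BLATANT_NAMES)):
        print(f"[{label}] name-keyed : {name_keyed_scan(text)}")
        print(f"[{label}] value-keyed: {value_keyed_scan(text)}")
```

## The base64 unwrap is the part worth copying: a wrapper changes the value's shape, so a shape rule has to be re-run on the
## decoded bytes or it degrades to entropy-only (which is what fires on the plain 40-char secret here, since that value has no
## distinctive prefix to key on).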
