docs(02-01): complete tier 1 high-confidence providers plan

.planning/STATE.md

@@ -3,9 +3,9 @@ gsd_state_version: 1.0
 milestone: v1.0
 milestone_name: milestone
 status: executing
-stopped_at: Completed 02-tier-1-2-providers 02-03-PLAN.md
+stopped_at: Completed 02-tier-1-2-providers 02-04-PLAN.md
-last_updated: "2026-04-05T11:12:42.470Z"
+last_updated: "2026-04-05T11:12:58.710Z"
-last_activity: 2026-04-05 -- Phase 02 execution started
+last_activity: 2026-04-05
 progress:
   total_phases: 18
   completed_phases: 1
@@ -26,9 +26,9 @@ See: .planning/PROJECT.md (updated 2026-04-04)
 ## Current Position
 
 Phase: 02 (tier-1-2-providers) — EXECUTING
-Plan: 1 of 5
+Plan: 3 of 5
-Status: Executing Phase 02
+Status: Ready to execute
-Last activity: 2026-04-05 -- Phase 02 execution started
+Last activity: 2026-04-05
 
 Progress: [██░░░░░░░░] 20%
 
@@ -57,6 +57,8 @@ Progress: [██░░░░░░░░] 20%
 | Phase 01-foundation P05 | 4min | 2 tasks | 8 files |
 | Phase 02-tier-1-2-providers P02 | 1m | 2 tasks | 12 files |
 | Phase 02-tier-1-2-providers P03 | 3min | 2 tasks | 14 files |
+| Phase 02-tier-1-2-providers P01 | 3min | 2 tasks | 12 files |
+| Phase 02-tier-1-2-providers P04 | 1min | 2 tasks tasks | 14 files files |
 
 ## Accumulated Context
 
@@ -74,6 +76,7 @@ Recent decisions affecting current work:
 - [Phase 01-foundation]: pkg/types/chunk.go breaks engine<->sources circular import; ants pool with WaitGroup+Mutex for detector coordination
 - [Phase 01-foundation]: Per-installation salt via settings table -- no hardcoded salt in production code
 - [Phase 01-foundation]: Exit code semantics: 0=clean, 1=keys-found, 2=error for CI/CD integration
+- [Phase 02-tier-1-2-providers]: AWS Bedrock verify URL left empty — SigV4 signing deferred to Phase 5 verification engine
 
 ### Pending Todos
 
@@ -88,6 +91,6 @@ None yet.
 
 ## Session Continuity
 
-Last session: 2026-04-05T11:12:42.467Z
+Last session: 2026-04-05T11:12:58.706Z
-Stopped at: Completed 02-tier-1-2-providers 02-03-PLAN.md
+Stopped at: Completed 02-tier-1-2-providers 02-04-PLAN.md
 Resume file: None

.planning/phases/02-tier-1-2-providers/02-01-SUMMARY.md

@@ -0,0 +1,87 @@
+---
+phase: 02-tier-1-2-providers
+plan: 01
+subsystem: providers
+tags: [providers, yaml, detection, tier-1]
+requires: [pkg/providers/schema.go, pkg/providers/loader.go, pkg/providers/registry.go]
+provides: [google-ai provider, vertex-ai provider, aws-bedrock provider, xai provider, upgraded openai provider, upgraded anthropic provider]
+affects: [pkg/providers/definitions (embedded)]
+tech_stack:
+  added: []
+  patterns: [dual-location provider YAML, go:embed definitions]
+key_files:
+  created:
+    - providers/google-ai.yaml
+    - providers/vertex-ai.yaml
+    - providers/aws-bedrock.yaml
+    - providers/xai.yaml
+    - pkg/providers/definitions/google-ai.yaml
+    - pkg/providers/definitions/vertex-ai.yaml
+    - pkg/providers/definitions/aws-bedrock.yaml
+    - pkg/providers/definitions/xai.yaml
+  modified:
+    - providers/openai.yaml
+    - providers/anthropic.yaml
+    - pkg/providers/definitions/openai.yaml
+    - pkg/providers/definitions/anthropic.yaml
+decisions:
+  - "AWS Bedrock uses empty verify URL — SigV4 signing deferred to Phase 5 verification engine"
+  - "Anthropic api03/admin01 patterns use exact {93}AA suffix per TruffleHog reference"
+  - "OpenAI legacy T3BlbkFJ middle-segment pattern retained for historical key detection"
+metrics:
+  duration: ~3 min
+  completed: 2026-04-05
+  tasks: 2
+  files: 12
+requirements: [PROV-01]
+---
+
+# Phase 02 Plan 01: Tier 1 High-Confidence Provider YAMLs Summary
+
+Defined 6 Tier 1 LLM provider YAML specs (2 upgraded, 4 new) with distinctive prefix regexes and verify endpoints; registry now loads 24 providers total (was 20).
+
+## What Was Built
+
+**Task 1 — Upgrade OpenAI and Anthropic YAMLs** (commit c0d3add)
+- OpenAI: added `sk-svcacct-` service-account pattern and legacy `sk-...T3BlbkFJ...` middle-segment pattern. Keywords extended with `sk-svcacct-`, `sk-none-`, `t3blbkfj`. Total 3 patterns.
+- Anthropic: added mandatory `AA` trailing suffix to api03 pattern (93-char body) and added new `sk-ant-admin01-` admin-key pattern. Total 2 patterns.
+- Synced to `pkg/providers/definitions/` for `go:embed`.
+
+**Task 2 — New Providers** (commit d74200b)
+- `google-ai.yaml`: `AIzaSy[A-Za-z0-9_\-]{33}` — Gemini API key pattern, verify via `generativelanguage.googleapis.com/v1/models?key={KEY}`.
+- `vertex-ai.yaml`: Same `AIzaSy` pattern at medium confidence, verify via aiplatform Bearer token.
+- `aws-bedrock.yaml`: `ABSK[A-Za-z0-9+/]{109,269}={0,2}` high-confidence long-token, plus `AKIA[0-9A-Z]{16}` medium fallback. Verify URL intentionally empty (SigV4 deferred).
+- `xai.yaml`: `xai-[0-9a-zA-Z_]{80}` — Grok 80-character token.
+
+## Verification Results
+
+- `go test ./pkg/providers/... -count=1 -v` → PASS (5 tests).
+- Registry runtime load reports 24 providers including: openai (3 patterns), anthropic (2), google-ai (1), vertex-ai (1), aws-bedrock (2), xai (1).
+- All regex patterns compile under Go RE2.
+- Dual-location diff check passed for all 12 files.
+
+## Deviations from Plan
+
+None — plan executed exactly as written.
+
+## Known Stubs
+
+- AWS Bedrock `verify.url` is empty and `valid_status`/`invalid_status` are empty arrays. This is intentional: Bedrock requires AWS SigV4 signing which will be implemented in Phase 5 (verification engine). Noted in decisions.
+
+## Commits
+
+- c0d3add — feat(02-01): upgrade OpenAI and Anthropic provider YAMLs
+- d74200b — feat(02-01): add Google AI, Vertex AI, AWS Bedrock, xAI providers
+
+## Self-Check: PASSED
+
+- FOUND: providers/google-ai.yaml
+- FOUND: providers/vertex-ai.yaml
+- FOUND: providers/aws-bedrock.yaml
+- FOUND: providers/xai.yaml
+- FOUND: pkg/providers/definitions/google-ai.yaml
+- FOUND: pkg/providers/definitions/vertex-ai.yaml
+- FOUND: pkg/providers/definitions/aws-bedrock.yaml
+- FOUND: pkg/providers/definitions/xai.yaml
+- FOUND commit: c0d3add
+- FOUND commit: d74200b