fix(safety): fix OpenAI pattern to not match Anthropic keys, enhance Python queries

Sephyi · Sephyi · commit 2ff5e8285769 · 2026-03-22T04:38:40.000+01:00
- OpenAI pattern now requires sk-proj- or sk-svcacct- prefix for new
  keys, or exact sk-[48 chars] for legacy — no longer matches sk-ant-
- Python tree-sitter query now captures decorated functions and classes
diff --git a/src/queries/python.scm b/src/queries/python.scm
@@ -4,3 +4,5 @@
 
 (function_definition name: (identifier) @name) @definition
 (class_definition name: (identifier) @name) @definition
+(decorated_definition definition: (function_definition name: (identifier) @name)) @definition
+(decorated_definition definition: (class_definition name: (identifier) @name)) @definition
diff --git a/src/services/safety.rs b/src/services/safety.rs
@@ -84,7 +84,8 @@ fn builtin_patterns() -> Vec<SecretPattern> {
         // ── AI/ML Provider Keys ──
         SecretPattern {
             name: Cow::Borrowed("OpenAI Key"),
-            regex: Regex::new(r"sk-(?:proj-|svcacct-)?[a-zA-Z0-9\-_]{20,}").unwrap(),
+            regex: Regex::new(r"sk-(?:proj-|svcacct-)[a-zA-Z0-9\-_]{20,}|sk-[a-zA-Z0-9]{48}")
+                .unwrap(),
             description: Cow::Borrowed(
                 "OpenAI API key (legacy, project-scoped, or service account)",
             ),
