sast-hardcodedsecretslisted
Install: claude install-skill reasonless-throne486/sast-skills
# Hardcoded Secrets in Public Code Detection
You are performing a focused security assessment to find hardcoded sensitive data that is exposed in publicly accessible code. This skill uses a three-phase approach with subagents: **recon** (find all potential secret candidates), **batched verify** (confirm each is a real secret in publicly reachable code, in parallel batches of 3), and **merge** (consolidate batch reports into one file).
**Prerequisites**: `sast/architecture.md` must exist. Run the analysis skill first if it doesn't.
---
## What Are Hardcoded Secrets in Public Code
Hardcoded secrets are sensitive credentials — API keys, access tokens, private keys, passwords, signing secrets, database connection strings — embedded directly in source code as string literals.
This skill focuses specifically on secrets that end up in **publicly accessible code**, meaning an attacker can extract them **without any server-side access**. A secret hardcoded in backend server code is still bad practice (it leaks through version control, build artifacts and any server-side file read), but an external attacker inspecting only the deployed application cannot reach it directly. A secret hardcoded in frontend JavaScript or a mobile app binary **is** directly extractable: the bundle or app package ships to every user.
The core question: *Can an external attacker obtain this secret from the deployed application without server access?*
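The recon phase described above, as an added example that is not part of the `sast-skills` skill itself: a small candidate finder that flags string literals shaped like secrets, drops obvious placeholders and low-entropy junk, and tags each hit as `PUBLIC` or `SERVER` from its path so the verify phase can concentrate on what an external attacker can actually reach. The file contents are constructed sample input, and the directory conventions (`src/client/`, `public/`, `server/`, ...) and the `AKIAIOSFODNN7EXAMPLE` access key (AWS's documented example value) are assumptions for illustration, not a real project's layout or credentials.

```python
"""Recon-phase secret candidate finder (added example, not the skill's own code).

Assumptions: files are passed as {path: content}; exposure is inferred from
directory names that are conventions, not a guarantee (verify phase must confirm).
"""
import math
import re
from collections import Counter

# Recon favours recall: patterns are loose and the verify phase prunes false hits.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:[^@\s]+@"
    ),
    # identifier containing a secret-ish word, assigned a quoted literal of 8+ chars
    "generic_assignment": re.compile(
        r"""(?i)\b(\w*(?:api[_-]?key|secret|token|password|passwd|pwd)\w*)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

# Values that look like config templating or documentation rather than a real secret.
PLACEHOLDER = re.compile(r"(?i)^(your_|xxx+|changeme|example|dummy|\$\{|\{\{|process\.env|<)")

# Assumed path conventions; SERVER hints win so "api/public/" is not misread as client code.
PUBLIC_PATH_HINTS = ("src/client/", "public/", "static/", "frontend/", "android/", "ios/")
SERVER_PATH_HINTS = ("server/", "backend/", "api/", "lambda/", "worker/")


def shannon_entropy(s):
    """Bits per character; used only to drop trivially repetitive values."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_path(path):
    """Tag a file as SERVER, PUBLIC or UNKNOWN by where it lives in the tree."""
    p = path.replace("\\", "/")
    if any(h in p for h in SERVER_PATH_HINTS):
        return "SERVER"
    if any(h in p for h in PUBLIC_PATH_HINTS) or p.endswith((".jsx", ".tsx")):
        return "PUBLIC"
    return "UNKNOWN"


def find_candidates(files):
    """Return every secret-shaped literal with its location and inferred exposure."""
    hits = []
    for path, text in files.items():
        exposure = classify_path(path)
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    value = m.group(2) if kind == "generic_assignment" else m.group(0)
                    if kind == "generic_assignment" and (
                        PLACEHOLDER.match(value) or shannon_entropy(value) < 2.5
                    ):
                        continue  # templated or junk value, not a candidate
                    hits.append({"path": path, "line": lineno, "kind": kind,
                                 "exposure": exposure, "value": value})
    return hits


def public_candidates(files):
    """The subset worth verifying first: reachable without server access."""
    return [h for h in find_candidates(files) if h["exposure"] == "PUBLIC"]


def redact(value):
    """Never echo a full candidate into a report file; keep a short prefix."""
    return value[:6] + "..." if len(value) > 6 else "***"


# Constructed sample repository (not real code or real credentials).
SAMPLE_FILES = {
    "src/client/config.ts": (
        'export const API_BASE = "https://api.example.test";\n'
        'export const ANALYTICS_TOKEN = "tok_9f3c2a7e1b4d8e6f0a5c";\n'
        'export const STRIPE_PUBLISHABLE = "pk_test_public_is_fine";\n'
    ),
    "public/app.js": (
        'const cfg = { apiKey: "${API_KEY}", password: "changeme" };\n'
        'var awsKey = "AKIAIOSFODNN7EXAMPLE";\n'
    ),
    "server/db.py": (
        'DATABASE_URL = "postgres://app:s3cretPassw0rd@db.internal:5432/app"\n'
        'JWT_SECRET = "a8f5f167f44f4964e6c998dee827110c"\n'
    ),
    "server/keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
}

if __name__ == "__main__":
    for h in find_candidates(SAMPLE_FILES):
        print(f'{h["exposure"]:7} {h["path"]}:{h["line"]} {h["kind"]} {redact(h["value"])}')
```

Everything tagged `SERVER` is still a finding for the repository's owners, but only the `PUBLIC` rows answer the skill's core question; the publishable key and the templated `${API_KEY}` are deliberately not reported, which is the kind of pruning the verify phase relies on.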
### What to Report (Publicly Accessible Code)
These code paths are accessible to attackers after deployment:
- **Frontend JavaScript/TypeScript** — any `.js`, `.ts`, `.jsx`, `.tsx` file t