feat: add repository mesh reconciliation round

src/mais_humana/redaction.py

@@ -11,6 +11,7 @@ from .models import as_plain_data
 
 
 SECRET_PATTERNS: tuple[tuple[str, re.Pattern[str]], ...] = (
+    ("cloudflare_cfat_token", re.compile(r"\bcfat_[A-Za-z0-9_\-]{20,}\b")),
     ("generic_token_assignment", re.compile(r"(?i)\b(token|secret|password|api[_-]?key)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}")),
     ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9_\-\.]{20,}")),
     (
@@ -21,13 +22,21 @@ SECRET_PATTERNS: tuple[tuple[str, re.Pattern[str]], ...] = (
     ("connection_string", re.compile(r"(?i)\b(postgres|mysql|mongodb|redis)://[^\\s]+")),
 )
 
-ALLOWLIST_TERMS = {
-    "credentialRef",
-    "secretRef",
-    "tokenRef",
+OPAQUE_REFERENCE_RE = re.compile(
+    r"""(?ix)
+    ^\s*
+    ["']?(credentialRef|secretRef|tokenRef|sourcePayloadHash|sourceRecordsHash|traceId|auditId)["']?
+    \s*[:=]\s*
+    ["']?[A-Za-z0-9][A-Za-z0-9._:/\-]{2,160}["']?
+    [,;]?\s*$
+    """
+)
+
+SAFE_TEXT_TERMS = {
     "redaction",
     "sem segredo",
     "nao vazar",
+    "referencia opaca",
 }
 
 
@@ -56,7 +65,11 @@ class RedactionReport:
 
 def is_allowlisted(line: str) -> bool:
     lowered = line.lower()
-    return any(term.lower() in lowered for term in ALLOWLIST_TERMS)
+    if "cfat_" in lowered or "bearer " in lowered:
+        return False
+    if OPAQUE_REFERENCE_RE.match(line):
+        return True
+    return any(term.lower() in lowered for term in SAFE_TEXT_TERMS) and not any(pattern.search(line) for _, pattern in SECRET_PATTERNS)
 
 
 def scan_text_for_secrets(path: str, text: str) -> tuple[RedactionFinding, ...]: