fix: complete cross-pass dedup, fix (^|_) regexes, add XAI/ASSEMBLYAI/AI21/NVIDIA_NIM

- Fix cross-pass dedup gap: scanEnvKeys now accepts and populates the shared
  seenEnvNames map, so extra_env_keys entries that also match a nameRegex pattern
  produce exactly one finding (scanEnvKeys wins as highest-priority pass).
  Regression test: TestAPIKeyScanner_ExtraEnvKeys_NoDuplicateWithNameRegex.

- Fix FLY_, NEON_, PALM_ regexes: replace \bFLY_ / \bNEON_ / \bPALM_ with
  (^|_)FLY_ etc. In RE2, _ is a word character so \b does not fire between _
  and a letter, meaning MY_FLY_TOKEN, MY_NEON_KEY, MY_PALM_KEY were silently
  missed. Tests updated to assert both the positive and negative cases.

- Add name-regex patterns for XAI, ASSEMBLYAI, AI21, NVIDIA_NIM (reviewer
  suggestion). Tests added in TestAPIKeyScanner_NameRegex_NewAIProviders.

Author: Pringled

internal/scan/apikeys.go

@@ -35,12 +35,16 @@ var nameRegexPatterns = []*regexp.Regexp{
 	regexp.MustCompile(`(?i)DEEPSEEK`),
 	regexp.MustCompile(`(?i)PERPLEXITY`),
 	regexp.MustCompile(`(?i)CEREBRAS`),
+	regexp.MustCompile(`(?i)XAI`),
+	regexp.MustCompile(`(?i)ASSEMBLYAI`),
+	regexp.MustCompile(`(?i)AI21`),
+	regexp.MustCompile(`(?i)NVIDIA_NIM`),
 	// Secrets managers
 	regexp.MustCompile(`(?i)DOPPLER`),
 	// Google AI (Gemini, Vertex AI, PaLM)
 	regexp.MustCompile(`(?i)GEMINI`),
 	regexp.MustCompile(`(?i)VERTEX`),
-	regexp.MustCompile(`(?i)\bPALM_`), // word boundary + underscore avoids NAPALM_MODE, PALM_BEACH_PROPERTY
+	regexp.MustCompile(`(?i)(^|_)PALM_`), // (^|_) avoids NAPALM_MODE while matching MY_PALM_KEY
 	// AWS AI
 	regexp.MustCompile(`(?i)BEDROCK`),
 	// Azure AI
@@ -72,7 +76,7 @@ var nameRegexPatterns = []*regexp.Regexp{
 	regexp.MustCompile(`(?i)CLOUDFLARE`),
 	regexp.MustCompile(`(?i)HEROKU`),
 	regexp.MustCompile(`(?i)RAILWAY`),
-	regexp.MustCompile(`(?i)\bFLY_`), // word boundary prevents false positives (BUTTERFLY_KEY)
+	regexp.MustCompile(`(?i)(^|_)FLY_`), // (^|_) avoids BUTTERFLY_KEY, FLYWEIGHT_INDEX while matching MY_FLY_TOKEN
 	// Source control
 	regexp.MustCompile(`(?i)GITHUB`),
 	regexp.MustCompile(`(?i)GITLAB`),
@@ -83,7 +87,7 @@ var nameRegexPatterns = []*regexp.Regexp{
 	regexp.MustCompile(`(?i)AIRTABLE`),
 	// Database-as-a-service (API keys / connection tokens)
 	regexp.MustCompile(`(?i)SUPABASE`),
-	regexp.MustCompile(`(?i)\bNEON_`), // word boundary + underscore avoids ANEMONE_CONFIG, NEON_LIGHTS_COLOR
+	regexp.MustCompile(`(?i)(^|_)NEON_`), // (^|_) avoids ANEMONE_CONFIG, NEONLIGHTS_COLOR while matching MY_NEON_KEY
 	regexp.MustCompile(`(?i)PLANETSCALE`),
 	// Generic credential terms
 	regexp.MustCompile(`(?i)API_KEY`),
@@ -194,11 +198,15 @@ func (s *APIKeyScanner) Name() string { return "api_keys" }
 // Implements Scanner. Never returns skipped=true.
 func (s *APIKeyScanner) Scan() models.ScanResult {
 	var findings []models.Finding
-	// seenEnvNames is shared across the name-regex and value-pattern passes so that a
-	// variable matching both (e.g. CUSTOM_STRIPE_KEY=sk_live_...) produces exactly one
-	// finding — the name-regex pass runs first and claims it.
+	// seenEnvNames is shared across all three env-scanning passes so that any variable
+	// claimed by an earlier pass is not re-reported by a later one. Order:
+	//   1. scanEnvKeys  — exact-match built-in + user-configured extra keys
+	//   2. scanNameRegex — name-pattern heuristics (MY_OPENAI_KEY etc.)
+	//   3. scanValuePatterns — prefix+length value matching
+	// A variable in ExtraEnvKeys that also matches a nameRegex pattern therefore produces
+	// exactly one finding (from scanEnvKeys, the highest-priority pass).
 	seenEnvNames := make(map[string]bool)
-	findings = append(findings, s.scanEnvKeys()...)
+	findings = append(findings, s.scanEnvKeys(seenEnvNames)...)
 	findings = append(findings, s.scanNameRegex(seenEnvNames)...)
 	findings = append(findings, s.scanValuePatterns(seenEnvNames)...)
 	findings = append(findings, s.scanCredentialFiles()...)
@@ -210,7 +218,9 @@ func (s *APIKeyScanner) Scan() models.ScanResult {
 
 // scanEnvKeys checks built-in and extra environment variable key names for presence.
 // Key names only are reported; values are never read or stored.
-func (s *APIKeyScanner) scanEnvKeys() []models.Finding {
+// seenEnvNames is the shared cross-pass dedup set; matched names are added to it so
+// that scanNameRegex and scanValuePatterns will skip variables already claimed here.
+func (s *APIKeyScanner) scanEnvKeys(seenEnvNames map[string]bool) []models.Finding {
 	var findings []models.Finding
 
 	// KEYS-01: Built-in high-risk env vars (sorted for deterministic output).
@@ -222,6 +232,7 @@ func (s *APIKeyScanner) scanEnvKeys() []models.Finding {
 	for _, key := range keys {
 		if val := os.Getenv(key); val != "" {
 			_ = val // value is intentionally discarded; presence only
+			seenEnvNames[key] = true
 			findings = append(findings, envKeyFinding(key))
 		}
 	}
@@ -235,12 +246,13 @@ func (s *APIKeyScanner) scanEnvKeys() []models.Finding {
 		copy(extraKeys, s.ExtraEnvKeys)
 		sort.Strings(extraKeys)
 		for _, key := range extraKeys {
-			if HighRiskEnvKeys[key] || seenExtra[key] {
-				continue // already covered by built-in check or earlier extra
+			if HighRiskEnvKeys[key] || seenExtra[key] || seenEnvNames[key] {
+				continue // already covered by built-in check, earlier extra, or another pass
 			}
 			seenExtra[key] = true
 			if val := os.Getenv(key); val != "" {
 				_ = val // value is intentionally discarded; presence only
+				seenEnvNames[key] = true
 				findings = append(findings, envKeyFinding(key))
 			}
 		}

internal/scan/apikeys_test.go

@@ -551,14 +551,16 @@ func TestAPIKeyScanner_ValuePattern_Anthropic(t *testing.T) {
 func TestAPIKeyScanner_NameRegex_FLY_Anchored(t *testing.T) {
 	clearHighRiskEnv(t)
 	t.Setenv("FLY_API_TOKEN", "real-token")
+	t.Setenv("MY_FLY_TOKEN", "also-real-token")
 	t.Setenv("BUTTERFLY_KEY", "not-a-fly-token")
 	t.Setenv("FLYWEIGHT_INDEX", "not-a-token")
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()
 
-	// FLY_API_TOKEN must be flagged.
+	// FLY_API_TOKEN and MY_FLY_TOKEN must both be flagged.
 	assertResource(t, result.Findings, "FLY_API_TOKEN")
+	assertResource(t, result.Findings, "MY_FLY_TOKEN")
 
 	// BUTTERFLY_KEY and FLYWEIGHT_INDEX must NOT be flagged.
 	for _, f := range result.Findings {
@@ -754,13 +756,15 @@ func TestAPIKeyScanner_NameRegex_NEON_NarrowedPattern(t *testing.T) {
 	// These should NOT be flagged.
 	t.Setenv("ANEMONE_CONFIG", "some-value")
 	t.Setenv("NEONLIGHTS_COLOR", "blue")
-	// This SHOULD be flagged.
+	// These SHOULD be flagged.
 	t.Setenv("NEON_API_KEY", "real-neon-key")
+	t.Setenv("MY_NEON_KEY", "also-real-neon-key")
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()
 
 	assertResource(t, result.Findings, "NEON_API_KEY")
+	assertResource(t, result.Findings, "MY_NEON_KEY")
 	for _, f := range result.Findings {
 		if f.Resource == "ANEMONE_CONFIG" {
 			t.Error("ANEMONE_CONFIG should not be flagged by NEON_ pattern")
@@ -794,12 +798,15 @@ func TestAPIKeyScanner_NameRegex_LINEAR_NarrowedPattern(t *testing.T) {
 func TestAPIKeyScanner_NameRegex_PALM_NarrowedPattern(t *testing.T) {
 	clearHighRiskEnv(t)
 	t.Setenv("NAPALM_MODE", "some-value")
+	// These SHOULD be flagged.
 	t.Setenv("PALM_API_KEY", "real-palm-key")
+	t.Setenv("MY_PALM_KEY", "also-real-palm-key")
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()
 
 	assertResource(t, result.Findings, "PALM_API_KEY")
+	assertResource(t, result.Findings, "MY_PALM_KEY")
 	for _, f := range result.Findings {
 		if f.Resource == "NAPALM_MODE" {
 			t.Error("NAPALM_MODE should not be flagged by PALM_ pattern")
@@ -821,6 +828,10 @@ func TestAPIKeyScanner_NameRegex_NewAIProviders(t *testing.T) {
 		{"PERPLEXITY_API_KEY", "pplx-key-value"},
 		{"CEREBRAS_API_KEY", "cb-key-value"},
 		{"DOPPLER_TOKEN", "dp-token-value"},
+		{"XAI_API_KEY", "xai-key-value"},
+		{"ASSEMBLYAI_API_KEY", "aai-key-value"},
+		{"AI21_API_KEY", "ai21-key-value"},
+		{"NVIDIA_NIM_API_KEY", "nim-key-value"},
 	}
 	for _, tc := range cases {
 		t.Setenv(tc.envVar, tc.value)
@@ -834,6 +845,32 @@ func TestAPIKeyScanner_NameRegex_NewAIProviders(t *testing.T) {
 	}
 }
 
+// TestAPIKeyScanner_ExtraEnvKeys_NoDuplicateWithNameRegex verifies that a key listed in
+// ExtraEnvKeys whose name also matches a nameRegexPattern produces exactly ONE finding.
+// Previously scanEnvKeys and scanNameRegex were not sharing the seenEnvNames dedup map,
+// so MY_OPENAI_KEY in extra_env_keys would fire twice.
+func TestAPIKeyScanner_ExtraEnvKeys_NoDuplicateWithNameRegex(t *testing.T) {
+	const key = "MY_OPENAI_KEY" // matches OPENAI nameRegexPattern AND is in ExtraEnvKeys
+	t.Setenv(key, "sk-test-value")
+	clearHighRiskEnv(t)
+
+	s := &scan.APIKeyScanner{
+		HomeDir:      t.TempDir(),
+		ExtraEnvKeys: []string{key},
+	}
+	result := s.Scan()
+
+	count := 0
+	for _, f := range result.Findings {
+		if f.Resource == key {
+			count++
+		}
+	}
+	if count != 1 {
+		t.Errorf("expected exactly 1 finding for %q (ExtraEnvKeys + nameRegex cross-pass dedup), got %d", key, count)
+	}
+}
+
 // TestAPIKeyScanner_ValuePattern_BuiltinSkipped verifies that a key in HighRiskEnvKeys
 // whose value also matches a value pattern produces exactly ONE finding (from scanEnvKeys,
 // not from scanValuePatterns which skips it).