chore(deps): re-pin @opena2a/credential-patterns to 0.1.1 (Wave 1 follow-up) — 0.22.1

[thebenignhacker]

Summary

Final Wave 1 step: re-pin @opena2a/credential-patterns from 0.1.0 to 0.1.1 in hackmyagent.

Catalog 0.1.1 (shipped 2026-04-30 via Trusted Publishing, SLSA v1) brings three false-positive suppressions surfaced by secretless-ai status dogfooding inside this repo:

• Block-comment marker recognition in isKnownExample: /*, <!--, -->, ''', """, JSDoc-continuation lines (^\s*\*) join // and #.
• Localhost+demo-password DB connection allowlist with anchored localhost / 127.0.0.1 / [::1] host check (Phase 4.5 case-insensitive password match — Password123 no longer slips, IPv6 loopback recognized).
• Bare 'fake' in PLACEHOLDER_INDICATORS (replaces 'fake_' / 'fake-' — catches sk-proj-fake1234567890abc... shape values).

Why this is zero-behavior-change for hackmyagent

CredVaultPlugin at src/plugins/credvault.ts continues to use its local 10-pattern catalog as the synchronous CJS-friendly detection source. The 0.1.1 isKnownExample additions live in the package and apply only when consumers call the package helpers directly — secretless-ai 0.16.4 does this; hackmyagent's runtime detection path is byte-identical.

Lockstep test __tests__/plugins/credvault/lockstep.test.ts re-runs against 0.1.1 and stays green: every local pattern's regex.source + regex.flags continues to match exactly one entry in the package (the 0.1.1 diff was additive on the catalog side; it did not narrow any of the 56 regexes).

Bundled commits riding along

This release also includes three patches that landed on main after 0.22.0 cut and are first published to npm in 0.22.1:

• fix(credential-analyzer): gate AST-CRED-001 on credential-format substring (fix(credential-analyzer): gate AST-CRED-001 on credential-format substring (#164) #167)
• feat(scan-soul): add --explain to print 9-domain governance model (feat(scan-soul): add --explain option for 9-domain governance model (#163) #166)
• fix(soul): emit HIGH SOUL-PROFILE-MISMATCH on profile-filter scope bypass (fix(soul): emit HIGH SOUL-PROFILE-MISMATCH on profile-filter scope bypass (#162) #168)

Test plan

• Build clean (npm run build)
• Lockstep test 6/6 green against catalog 0.1.1
• Full suite 2054/2080 passing
• Self-scan 98/100 (1 LOW pre-existing, no CRITICAL/HIGH/MEDIUM)
• No detection logic / scanner / scoring code modified — Phase 4.5 N/A
• Tag v0.22.1 triggers Trusted Publishing release workflow
• npm view hackmyagent@0.22.1 dist.attestations --json returns SLSA v1 attestations
• Homebrew formula refreshed
• Arch site product page bumped 0.22.0 → 0.22.1

[github-actions]

Claude Code Review

VERDICT: APPROVE

SUMMARY: This PR re-pins @opena2a/credential-patterns from 0.1.0 to 0.1.1, a patch dependency update that brings false-positive suppressions in the package's isKnownExample helper. The changes are confined to version strings in package.json, package-lock.json, and CHANGELOG documentation. No source code changes exist in this PR. Hackmyagent's runtime detection path is explicitly documented as zero-behavior-change because the local CredVaultPlugin catalog at src/plugins/credvault.ts remains the synchronous detection source; the 0.1.1 package additions only apply when consumers call package helpers directly (secretless-ai does this, hackmyagent does not). The lockstep test at __tests__/plugins/credvault/lockstep.test.ts (introduced in PR #165, bundled in 0.22.1) verifies the local catalog remains aligned with the package. Version bump to 0.22.1 follows semantic versioning (patch increment). No security or correctness issues introduced.

---

Reviewed 3 files changed (9366 bytes)

[github-actions]

ML-DSA-44 benchmark (ubuntu-latest, c6i.xlarge-class)

env: linux/x64 AMD EPYC 9V74 80-Core Processor (4 CPU) node=v20.20.2 noble=0.2.1
load avg: 0.64, 0.17, 0.06
ml-dsa-44-sign     p50=4.325ms p95=4.671ms p99=6.024ms max=7.350ms
ml-dsa-44-verify   p50=1.822ms p95=2.055ms p99=2.507ms max=3.158ms
budget: sign p99 OVER 2.5ms, verify p99 OVER 1.5ms
__BENCH_JSON__{"env":{"platform":"linux/x64","cpu":"AMD EPYC 9V74 80-Core Processor","cpuCount":4,"node":"v20.20.2","totalMemGB":16,"nobleVersion":"0.2.1","loadAvg":[0.64,0.17,0.06]},"budget":{"sign":2.5,"verify":1.5},"sign":{"op":"ml-dsa-44-sign","p50":4.324567999999999,"p95":4.670936999999867,"p99":6.023515999999745,"max":7.349505000000136,"iters":1000},"verify":{"op":"ml-dsa-44-verify","p50":1.822294000000511,"p95":2.0552230000002965,"p99":2.506609999999455,"max":3.157597000000351,"iters":1000},"signOver":true,"verifyOver":true}

Budget (AIComply D17): sign p99 < 2.5ms, verify p99 < 1.5ms.
Runner is shared; a single over-budget run is noisy. Check for consistent regression across PR commits.