
security: harden detection — 9-3900-3 IoC variant + 1000-char line gate #8

Open
skhaitan wants to merge 1 commit into main from security/step4-bundle1-detection-hardening

Conversation

@skhaitan
Collaborator

Summary

Step 4 Bundle 1 — detection-hardening. Two changes, both auto-pass the gates landed in Step 3 yesterday.

1. .gitleaks.toml — broaden the bb-malware-blockchain-loader-marker regex

The 2026-05-09 wave-3 reinfection (precheckin-backend logger.js, tenant_api ecosystem.config.example.js) used global['!']='9-3900-3' — different bracket key than wave 1/2 ('_V') and a -N campaign-suffix the old rule did not match. The rule fired on wave 3 anyway via the other alternatives (_$_1e42, Tgw(2509), etc.) but the campaign-tag arm was effectively dead.

New regex accepts any bracket key and any -<digit> suffix:

global\[['"][^'"]+['"]\]\s*=\s*['"][A-Z]?9-\d{4}(?:-\d+)?

2. .github/workflows/security-precommit.yml — 1000-char single-line gate

New scan-pr step that rejects any single added line >1000 chars. Shai-Hulud payloads are always one minified line >5000 chars; legitimate source rarely exceeds 200. Pathspec exempts lockfiles, minified bundles, dist/build dirs, detection-rule files, and incident docs.

Driven by: rival-review consensus from Gemini-3.1-pro + GPT-5.4 on the 2026-05-13 secret-architecture review.

Test plan

  • CI: Gitleaks pass, scan-pr pass, Review new dependencies pass
  • Confirm rule still catches a synthetic wave-1/wave-2/wave-3 IoC line
  • Confirm a synthetic 5000-char single line in a non-exempt file is rejected

🤖 Generated with Claude Code

@skhaitan skhaitan requested a review from nitinwepro May 14, 2026 13:46
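As an added example that is not part of this PR or the repository's code: a small Python harness that applies the broadened campaign-tag regex from the description and a 1000-char added-line gate to a unified diff, the way the test plan's synthetic checks would. The regex is copied verbatim from the PR text; the exemption patterns, the hunk parser and the sample diff are assumptions constructed here, since the workflow's actual pathspec and the Gitleaks rule file are not shown on the page.

```python
import re

# Regex taken verbatim from the PR description (the broadened campaign-tag arm
# of the bb-malware-blockchain-loader-marker rule).
CAMPAIGN_TAG_RE = re.compile(
    r"""global\[['"][^'"]+['"]\]\s*=\s*['"][A-Z]?9-\d{4}(?:-\d+)?"""
)

# Threshold from the PR: any single added line longer than this is rejected.
MAX_LINE_LEN = 1000

# Assumed approximation of the PR's pathspec exemptions (lockfiles, minified
# bundles, dist/build dirs, detection-rule files, incident docs). The real
# patterns live in the workflow file and are not reproduced on the PR page.
EXEMPT_PATTERNS = [re.compile(p) for p in (
    r"(^|/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$",
    r"\.min\.(js|css)$",
    r"(^|/)(dist|build)/",
    r"(^|/)\.gitleaks\.toml$",
    r"(^|/)docs/incidents/",
)]

# Unified-diff hunk header; group 1 is the first line number on the new side.
HUNK_HEADER_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def matches_campaign_tag(line: str) -> bool:
    """True if the line carries a global['<key>']='<X>9-NNNN[-N]' marker."""
    return CAMPAIGN_TAG_RE.search(line) is not None


def is_exempt(path: str) -> bool:
    """True if the path is excluded from the line-length gate."""
    return any(p.search(path) for p in EXEMPT_PATTERNS)


def scan_diff(diff_text: str, max_len: int = MAX_LINE_LEN) -> dict:
    """Walk a unified diff and report, for added lines only:
    - 'ioc': (path, new_lineno) for lines matching the campaign-tag regex,
      checked in every file (a repo-wide rule, like the Gitleaks one);
    - 'oversized': (path, new_lineno, length) for lines longer than max_len
      in non-exempt files (the 1000-char gate)."""
    findings = {"ioc": [], "oversized": []}
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else target
            continue
        if raw.startswith("@@"):
            m = HUNK_HEADER_RE.match(raw)
            new_lineno = int(m.group(1)) if m else 0
            continue
        if raw.startswith(("diff --git", "--- ", "index ")):
            continue
        if raw.startswith("-"):
            continue  # removed line: does not occupy a new-file line
        if raw.startswith("+") and path is not None:
            content = raw[1:]
            if matches_campaign_tag(content):
                findings["ioc"].append((path, new_lineno))
            if not is_exempt(path) and len(content) > max_len:
                findings["oversized"].append((path, new_lineno, len(content)))
            new_lineno += 1
        elif raw == "" or raw.startswith(" "):
            new_lineno += 1  # context line also occupies a new-file line
        # anything else (mode lines, "\ No newline at end of file") is ignored
    return findings


# Constructed sample diff: a non-exempt source file receiving a synthetic
# wave-3 style marker and a 5000-char minified-style line, plus an exempt
# minified bundle that also gets a 5000-char line.
SAMPLE_DIFF = "\n".join([
    "diff --git a/src/logger.js b/src/logger.js",
    "--- a/src/logger.js",
    "+++ b/src/logger.js",
    "@@ -1,1 +1,3 @@",
    " const fs = require('fs');",
    "+global['!']='9-3900-3'",
    "+" + "x" * 5000,
    "diff --git a/dist/app.min.js b/dist/app.min.js",
    "--- a/dist/app.min.js",
    "+++ b/dist/app.min.js",
    "@@ -0,0 +1 @@",
    "+" + "y" * 5000,
])

if __name__ == "__main__":
    result = scan_diff(SAMPLE_DIFF)
    for path, ln in result["ioc"]:
        print(f"IOC   {path}:{ln}")
    for path, ln, n in result["oversized"]:
        print(f"LONG  {path}:{ln} ({n} chars > {MAX_LINE_LEN})")
```

Run against the constructed diff, the IoC check flags `src/logger.js` line 2 and the length gate flags line 3 of the same file, while the 5000-char line in `dist/app.min.js` is skipped because the path is exempt. Note that the exemption applies only to the length gate: a marker line in an exempt path is still reported, which mirrors the PR's split between a repo-wide Gitleaks rule and a pathspec-limited line gate.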