v1.27.0 (Stable) - security fixes

1.27.0 — Stable minor (security): private-key scan FN + DB placeholder FP + retro --json

🛡️ Stable release. An early minor to ship the 1.26.1 security fixes (found in the 13th external clean-room review). A security FN/FP — a false "secure OK" over a committed private key, and a placeholder false-positive that breaks CI — warrants publishing now rather than waiting to accumulate patches.

Highlights

• 🔒 Private-key file scan FN closed — scan secrets skipped private-key/cert files (.pem/.key/.crt/.p8/.pfx…) via the extension allow-list, so a committed private key passed clean AND handoff falsely reported security OK. Fixed with a basename override so the private-key detector actually runs on those files. (Gitignored keys stay info-downgraded.)
• 🔒 DB-URI placeholder FP closed — textbook placeholders in .env.example (user:password@, root:root, yourpassword) were flagged as committed secrets, breaking gate/CI. Fixed by checking only the password component + known placeholder markers. Real high-entropy DB passwords are still caught (no false negative).
• 🔧 retro --json contract — retro --days <non-numeric> --json previously leaked a plain-text error to a JSON consumer; now returns a structured error with a numeric guard.

Verification (zero regression)

• selftest 246/246 · E2E 367/367 (behavioral regression guard: private-key caught, placeholder skipped, real password caught, retro JSON structured) · post-publish clean-room re-verification.

Notes

• 0 runtime deps · 0 install scripts · Node ≥ 18 · MIT.