
fix(scanner): reduce HTTP client false positives #73

Open
cybercraftsolutionsllc wants to merge 1 commit into counterspec:main from cybercraftsolutionsllc:codex/http-client-false-positives

Conversation

@cybercraftsolutionsllc

Summary

Reduces scanner false positives for common HTTP client and environment-configuration patterns while keeping suspicious exfiltration behavior flagged.

What Changed

  • Adds context-aware allowlisting for benign fetch(url), fetch(endpoint), fetch(apiUrl), and related wrapper parameters when the line does not include secrets, cookies, storage, credentials, or encoded payload hints.
  • Suppresses benign environment config reads such as API_URL, BASE_ENDPOINT, NEXT_PUBLIC_*, VITE_*, PORT, NODE_ENV, and similar non-secret settings.
  • Preserves detections for token-like variables such as GITHUB_TOKEN, NPM_TOKEN, SECRET, PASSWORD, private keys, cookies, and storage exfiltration contexts.

Tests

Added scanner/src/http-client-allowlist.test.ts with six cases:

  • benign dynamic fetch wrapper parameter
  • benign API URL env configuration
  • benign public frontend env configuration
  • malicious dynamic fetch with process.env.NPM_TOKEN
  • malicious dynamic fetch with document.cookie
  • token-like env variable access

Validation

cd scanner
npm test

Result: 6 tests passing.

Closes #2.
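The allowlisting rule the description above lays out, written out as an added example (not the counterspec scanner's own code): a dynamic fetch target such as fetch(url) or fetch(endpoint) is treated as benign only when no secret, cookie, storage, credential or encoding hint appears on the same line, and process.env reads are split into token-like names that stay flagged and public-config names that are suppressed. The regex lists, the names classifyLine and envVerdict, and the choice to keep unrecognised env names flagged are assumptions of this example, not the PR's implementation.

```typescript
// Added example, not the scanner's own code. Hint lists and function
// names below are assumptions that mirror the PR description.
const SECRET_HINTS = /secret|token|password|cookie|credential|private[_-]?key|localstorage|sessionstorage|btoa|base64/i;
const TOKEN_LIKE_ENV = /TOKEN|SECRET|PASSWORD|PRIVATE_?KEY|API_?KEY/;
const BENIGN_ENV_PREFIX = /^(NEXT_PUBLIC_|VITE_)/;
const BENIGN_ENV_NAMES = new Set(["PORT", "NODE_ENV", "API_URL", "BASE_URL", "BASE_ENDPOINT"]);
// fetch(<identifier>) or fetch(<identifier>, ...): a dynamic, non-literal target
const DYNAMIC_FETCH = /\bfetch\(\s*([A-Za-z_$][\w$]*)\s*[,)]/;

type Verdict = "benign" | "suspicious";

// Env-name classification: token-like names win even under a public prefix.
function envVerdict(name: string): Verdict {
  if (TOKEN_LIKE_ENV.test(name)) return "suspicious";
  if (BENIGN_ENV_PREFIX.test(name) || BENIGN_ENV_NAMES.has(name)) return "benign";
  // Assumption: names outside the allowlist keep the pre-existing flag.
  return "suspicious";
}

function classifyLine(line: string): Verdict {
  // Any token-like env read on the line is flagged regardless of fetch context.
  const envRe = /process\.env\.([A-Z0-9_]+)/g;
  let m: RegExpExecArray | null;
  while ((m = envRe.exec(line)) !== null) {
    if (envVerdict(m[1]) === "suspicious") return "suspicious";
  }
  // A dynamic fetch target is benign only when no exfiltration hint shares the line.
  if (DYNAMIC_FETCH.test(line)) {
    return SECRET_HINTS.test(line) ? "suspicious" : "benign";
  }
  return "benign";
}
```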

@vercel

vercel Bot commented May 14, 2026

@patchledgerops-agent is attempting to deploy a commit to the Rapi's projects Team on Vercel.

A member of the Team first needs to authorize it.


Development

Successfully merging this pull request may close these issues.

Reduce false positives on legitimate HTTP clients