
fix(discordbottoken): detect standalone tokens and modern token formats#5014

Open
lukem-ts wants to merge 1 commit into main from fix/discordbottoken-detection

Conversation


@lukem-ts lukem-ts commented Jun 3, 2026

Description:

The detector required a separate 17-digit ID co-located with the bot token (idPat), and the result loop nested the ID inside the token loop, so a bot token leaked on its own produced zero results. The bot ID is already embedded in the token's first segment, making the separate ID both redundant and the primary reason detection failed.

Changes:

  • Match the token on its own; drop the separate idPat requirement.
  • Relax keyPat segments to {23,28}.{6,7}.{27,40} (a superset of the old 24.6.27, so no legacy tokens are lost) to cover current token generations.
  • Derive the bot ID by base64url-decoding the token's first segment for Redacted.
  • Verify via GET /api/v10/users/@me (Authorization: Bot <token>), which needs no separate ID: 200 -> verified, 401 -> unverified, other -> verification error.
  • Surface bot_id and username from the verification response as ExtraData.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Low Risk
Scoped to the Discord bot token detector’s regex, result shape, and outbound verification call; improves detection without touching auth or core engine paths.

Overview
Fixes Discord bot token detection when only the token string is present (no co-located 17-digit ID). The detector now matches standalone three-segment tokens with looser segment lengths ({23,28}.{6,7}.{27,40}) so modern formats are included while legacy 24.6.27 shapes still match.

Redaction derives the bot snowflake ID by base64url-decoding the token’s first segment instead of requiring a separate id match. Results drop the old id / RawV2 pairing and dedupe tokens per chunk.

Verification moves from GET /api/v8/users/{id} to GET /api/v10/users/@me with Authorization: Bot <token>, classifies 401 as unverified, and on 200 can attach bot_id and username in ExtraData. Tests cover modern and legacy token shapes without a separate numeric ID in the input.

Reviewed by Cursor Bugbot for commit e8b1d57.
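As an added example (not code from this PR or from the project), the detection rules the description lays out, in standalone Go: the relaxed {23,28}.{6,7}.{27,40} pattern, deriving the bot ID by base64url-decoding the first segment, per-chunk dedupe, and the 200/401/other classification of the GET /api/v10/users/@me response. The pattern's boundary handling is a simplification, the digits-only check on the decoded ID is an added filter that goes beyond what the PR describes, and the sample token is constructed with a fake ID.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Relaxed shape from the PR: {23,28}.{6,7}.{27,40} base64url segments (boundary handling simplified; assumption).
var tokenPat = regexp.MustCompile(`[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,40}`)
var snowflake = regexp.MustCompile(`^[0-9]{17,20}$`)

// decodeBotID base64url-decodes the first segment, which holds the bot's snowflake ID as ASCII digits.
func decodeBotID(token string) string {
	raw, err := base64.RawURLEncoding.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err != nil || !snowflake.Match(raw) {
		return "" // not a plausible ID: either undecodable or not digits
	}
	return string(raw)
}

// findTokens dedupes per chunk (first-seen order) and keeps only candidates whose first segment decodes to an ID (added filter).
func findTokens(chunk string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range tokenPat.FindAllString(chunk, -1) {
		if decodeBotID(m) != "" && !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// classify maps the status of GET /api/v10/users/@me (sent with "Authorization: Bot <token>", so no
// separate ID is needed) as the PR describes: 200 verified, 401 unverified, anything else an error.
func classify(status int) (bool, error) {
	if status == 200 || status == 401 {
		return status == 200, nil
	}
	return false, fmt.Errorf("unexpected status %d from /api/v10/users/@me", status)
}

func main() { // constructed sample token; its fake ID decodes to 123456789012345678
	for _, t := range findTokens("DISCORD_TOKEN=MTIzNDU2Nzg5MDEyMzQ1Njc4.AbCdEf.abcdefghijklmnopqrstuvwxyz0") {
		fmt.Println("bot_id:", decodeBotID(t))
	}
}
```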

@lukem-ts lukem-ts requested a review from a team June 3, 2026 03:01
@lukem-ts lukem-ts requested a review from a team as a code owner June 3, 2026 03:01
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Raw: []byte(token),
Redacted: decodeBotID(token),
SecretParts: map[string]string{"key": token},
}

Removed RawV2 breaks existing integration test

Medium Severity

The detectors.Result no longer sets RawV2, but the existing integration test (discordbottoken_integration_test.go line 101–102) calls t.Fatalf when RawV2 is empty. This means the integration test suite will unconditionally fatal when run with the detectors build tag. Either RawV2 needs to be populated or the integration test needs to be updated to reflect the new single-credential design.



github-actions Bot commented Jun 3, 2026

Corpora Test Results

Scans a corpus of real-world public code against only the detectors changed in this PR, then compares unique match counts between the PR build and the main baseline to catch regex regressions. Verification is disabled — each detector's regex is measured independently.

0 new · 1 clean  |  Scoped to: discordbottoken

Status  Detector         Unique matches (main)  Unique matches (PR)  New  Removed
✅      discordbottoken  0                      0                    0    0
  • 🔴 regression: >5 new, >20% increase over main, or any removed
  • ⚠️ warning: 1–5 new and ≤20% increase over main
  • ✅ clean
  • 🆕 new detector (no baseline)
