# Known historical findings, reviewed 2026-07-06 — all benign, baselined so CI stays strict # on anything NEW. Format: :::. # # 1-3) scratchpad QA probe scripts embed the Firebase WEB API key (AIzaSyDAD7…). That key is # a project identifier, not a bearer secret (access control = Auth + rules + App Check), # and it ships inside every APK anyway. Owner hardening (optional): add application # restrictions to the key in GCP Console → Credentials. 62696a69ea2de499b3b28204bdb4e0ffa9fdfe25:scratchpad/rules_arrays.js:gcp-api-key:8 62696a69ea2de499b3b28204bdb4e0ffa9fdfe25:scratchpad/rules_pos.js:gcp-api-key:3 38ff166598d6d85145bbeea53e651f7ef0cbc9f6:scratchpad/d3_negative.js:gcp-api-key:6 # # 4-6) iOS crypto unit-test fixtures — fixed base64 test vectors (e.g. "test-keybox- # ciphertext-blob"), not credentials. ade4667db723986c2d0185cfa71aa7808d559a8b:iphone/CloserTests/CryptoTests/KeyboxCallableTests.swift:generic-api-key:44 ade4667db723986c2d0185cfa71aa7808d559a8b:iphone/CloserTests/CryptoTests/KeyboxCallableTests.swift:generic-api-key:73 60c0003114fe0677858b0b2de7331a2a3699f901:iphone/CloserTests/CryptoTests/AES_GCM_KnownVectorTests.swift:generic-api-key:37