[INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat flag, update verification logic and add custom ep configuration#5007

Open
MuneebUllahKhan222 wants to merge 12 commits into main from user-detector

Conversation

@MuneebUllahKhan222

@MuneebUllahKhan222 MuneebUllahKhan222 commented Jun 2, 2026

Contributor

Description:

This PR adds the User detector to defaults.go and gates it behind the appropriate feature flag.

It also updates the detector verification logic to align with the latest API behavior and validation requirements, including support for configuring a custom User.com endpoint since API keys must be verified against the workspace-specific domain rather than a single global endpoint.

Additionally, the PR tightens the detector regex by removing support for the +, -, _, ., and = characters.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

Note

Medium Risk
Adds a new default-gated detector and changes detection semantics (keys alone no longer match); verification performs outbound HTTP to customer User.com hosts when both parts are present.

Overview
Enables the User.com detector in the default engine behind UserDetectorEnabled (on by default in OSS), matching other gated detectors.

The User scanner is reworked for workspace-specific credentials: it only reports findings when both a 64-character alphanumeric API key and a *.user.com subdomain appear in the same chunk, pairs them in SecretParts/RawV2, and verifies via GET {endpoint}/api/public/users/ with Token auth instead of a single hardcoded host. Key matching is tightened (no +, -, _, ., = in the token pattern). Verification uses the shared deduplicated HTTP client and explicit status handling.

Unit and integration tests are updated for the two-part model and endpoint-aware verification.

Reviewed by Cursor Bugbot for commit 27e7654. Bugbot is set up for automated code reviews on this repo.
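The two-part matching and endpoint-aware verification described in this PR, as an added Go example that is not the project's detector code: the 64-character alphanumeric key pattern, the *.user.com subdomain pattern, the Token header and the /api/public/users/ path are taken from the description above, while the concrete regexes and the sample chunk are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Patterns constructed for this example (assumed, not the project's own regexes).
var (
	keyPat    = regexp.MustCompile(`\b[a-zA-Z0-9]{64}\b`)               // 64-char key, no + - _ . =
	domainPat = regexp.MustCompile(`\b[a-z0-9][a-z0-9-]*\.user\.com\b`) // workspace subdomain
)

// Finding pairs an API key with the workspace host it must be verified against.
type Finding struct{ Key, Host string }

// FindPairs emits one finding per key/host combination seen in the same chunk;
// a key with no host (or a host with no key) yields nothing, so keys alone never match.
func FindPairs(chunk string) []Finding {
	var out []Finding
	for _, k := range keyPat.FindAllString(chunk, -1) {
		for _, h := range domainPat.FindAllString(chunk, -1) {
			out = append(out, Finding{Key: k, Host: h})
		}
	}
	return out
}

// Verify sends GET {base}/api/public/users/ with "Authorization: Token <key>"; base is normally
// "https://"+f.Host, parameterised so a test can use a local server. 200 verified, 401/403 not, else error.
func Verify(client *http.Client, base string, f Finding) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, base+"/api/public/users/", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Token "+f.Key)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}
```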

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team June 2, 2026 10:42
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners June 2, 2026 10:42
@github-actions

github-actions Bot commented Jun 2, 2026


Corpora Test Results

Scans a corpus of real-world public code against only the detectors changed in this PR, then compares unique match counts between the PR build and the main baseline to catch regex regressions. Verification is disabled — each detector's regex is measured independently.

1 new · 0 clean  |  Scoped to: user

Status Detector Unique matches (main) Unique matches (PR) New Removed
🆕 User 13
  • 🔴 regression: >5 new, >20% increase over main, or any removed
  • ⚠️ warning: 1–5 new and ≤20% increase over main
  • ✅ clean
  • 🆕 new detector (no baseline)

@unsmith

unsmith commented Jun 5, 2026


I feel like this is similar to #5006 (TLy) but doesn't include some of the same improvements, like fixing the resource leak in the defer() calls or the refactored verify function. Those might be good to include here as well.

@MuneebUllahKhan222

Contributor Author

> I feel like this is similar to #5006 (TLy) but doesn't include some of the same improvements, like fixing the resource leak in the defer() calls or the refactored verify function. Those might be good to include here as well.

Yeah, this was the first detector I worked on for adding to the defaults.go list. Initially, the intent was only to add it there, but later I thought that since I was already touching the detector, it would make sense to refactor it as well to align with our modern detector patterns.

I forgot to include that refactor in this PR, but I have updated it.

@MuneebUllahKhan222 MuneebUllahKhan222 changed the title [INS-472] Add user detector to defaults.go, gate it behind feat flag and update verification logic [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat flag and update verification logic Jun 11, 2026
@MuneebUllahKhan222 MuneebUllahKhan222 changed the title [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat flag and update verification logic [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat flag, update verification logic and add custom ep configuration Jun 11, 2026

@cursor cursor Bot left a comment

Contributor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 779948d.
