
pk-doctor: sensitive-data.url-credential false-positives on ${VAR}@ bash interpolation #76

@projectious


Summary

pk-doctor's sensitive_data check fires ERROR sensitive-data.url-credential on bash deploy scripts that use environment-variable interpolation for GitHub token injection — a standard, secure pattern — rather than literal embedded credentials.

Repro

In a derived project, a shell script contains the canonical pattern:

```bash
GH_TOKEN_VAL="$(gh auth token 2>/dev/null || true)"
AUTH_URL="https://x-access-token:${GH_TOKEN_VAL}@github.com/${OWNER}/${REPO}.git"
git push "$AUTH_URL" main
```

`uv run context/skills/processkit/pk-doctor/scripts/doctor.py --json` reports:

```
ERROR sensitive-data.url-credential
  src/scripts/deploy.sh:144: URL embedded credential
  message ends with: https:...AL}@
```

Two hits in our ai-market-research repo (deploy.sh:144 + phase8-cut.sh:55), both `${VAR}@` patterns.

Expected

The check should distinguish:

Suggested fix

Skip matches where the credential segment contains only `${...}` or `$VAR` shell expansion. Optionally surface them as INFO with a different finding id (`sensitive-data.url-credential-interpolated`) so a maintainer can still scan.

Impact

False positives that block `pk-doctor` from going clean and conflate real leaks with intentional env-var token injection. Found via `pk-resume` on a derived project; 2 of 23 errors in our health report.
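The distinction the report asks for, as an added example that is not pk-doctor's own code: a scanner that still matches `scheme://user:secret@` but downgrades a secret segment made only of shell expansions (`${VAR}`, `$VAR`, `${VAR:-default}`) to an INFO finding with the suggested `sensitive-data.url-credential-interpolated` id, while a literal or mixed secret (`${PREFIX}ghp_...`) stays an ERROR. The finding ids come from the report; the regexes, `Finding` dataclass and sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample script lines (not taken from the reporter's repo).
SAMPLE_LINES = [
    'AUTH_URL="https://x-access-token:${GH_TOKEN_VAL}@github.com/${OWNER}/${REPO}.git"',
    'git clone https://deploy:$DEPLOY_TOKEN@github.com/acme/app.git',
    'git clone https://deploy:ghp_EXAMPLE_not_a_real_token@github.com/acme/app.git',
    'git clone https://deploy:${PREFIX}ghp_EXAMPLE@github.com/acme/app.git',
    'echo "no credential here: https://github.com/acme/app.git"',
]

# scheme://user:secret@ ; the secret may not contain '@', whitespace or '/'.
URL_CRED_RE = re.compile(r'https?://([^/\s:@]+):([^@\s/]+)@')

# One or more shell expansions and nothing else: ${VAR}, ${VAR:-x}, $VAR.
SHELL_EXPANSION_RE = re.compile(
    r'(?:\$\{[A-Za-z_][A-Za-z0-9_]*(?::?[-=+?][^}]*)?\}|\$[A-Za-z_][A-Za-z0-9_]*)+'
)


@dataclass
class Finding:
    line_no: int
    finding_id: str
    severity: str
    excerpt: str  # literal secrets are redacted before they reach a report


def classify_secret(secret):
    """Return (severity, finding_id) for the credential segment of a URL."""
    if SHELL_EXPANSION_RE.fullmatch(secret):
        return "INFO", "sensitive-data.url-credential-interpolated"
    return "ERROR", "sensitive-data.url-credential"


def scan(lines):
    """Scan script lines for URL-embedded credentials, 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in URL_CRED_RE.finditer(line):
            secret = m.group(2)
            severity, finding_id = classify_secret(secret)
            excerpt = m.group(0)
            if severity == "ERROR":
                excerpt = excerpt.replace(secret, "***")  # never echo a real secret
            findings.append(Finding(line_no, finding_id, severity, excerpt))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.severity} {f.finding_id}  line {f.line_no}: {f.excerpt}")
```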
