security: add leading \b to v1 token rule (round 3 Gemini)

Without a leading word boundary, the v1 token regex would partial-match
the substring 'Token' inside identifiers like PowerShell's
`$CancellationToken` or .NET's `CancellationToken`, producing false
positives on any 40-hex value assigned to such a variable.

Verified empirically:

    $CancellationToken = '<40-hex>'

Before: flagged by netbox-v1-token rule (FP)
After:  flagged only by generic-api-key entropy rule (correct default
        gitleaks behavior; my custom rule now correctly abstains)

`$Token = '<40-hex>'` still flagged by netbox-v1-token (intended).

Baseline unchanged at 9 entries — all historic findings use `Token =` or
equivalent identifiers that already start at a word boundary.

Author: ctrl-alt-automate

.gitleaks-baseline.json

@@ -152,16 +152,16 @@
  {
   "RuleID": "netbox-v1-token",
   "Description": "NetBox v1 API token (40-char hex key)",
-  "StartLine": 12,
-  "EndLine": 12,
+  "StartLine": 21,
+  "EndLine": 21,
   "StartColumn": 2,
   "EndColumn": 49,
   "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
   "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
-  "File": ".claude/commands/implement.md",
+  "File": ".claude/commands/netbox-api.md",
   "SymlinkFile": "",
   "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
-  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/implement.md?plain=1#L12",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/netbox-api.md?plain=1#L21",
   "Entropy": 3.7659574,
   "Author": "ctrl-alt-automate",
   "Email": "elvis@deployment-team.nl",
@@ -172,21 +172,21 @@
    "token",
    "v1"
   ],
-  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/implement.md:netbox-v1-token:12"
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/netbox-api.md:netbox-v1-token:21"
  },
  {
   "RuleID": "netbox-v1-token",
   "Description": "NetBox v1 API token (40-char hex key)",
-  "StartLine": 21,
-  "EndLine": 21,
+  "StartLine": 8,
+  "EndLine": 8,
   "StartColumn": 2,
   "EndColumn": 49,
   "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
   "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
-  "File": ".claude/commands/netbox-api.md",
+  "File": ".claude/commands/test-endpoint.md",
   "SymlinkFile": "",
   "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
-  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/netbox-api.md?plain=1#L21",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/test-endpoint.md?plain=1#L8",
   "Entropy": 3.7659574,
   "Author": "ctrl-alt-automate",
   "Email": "elvis@deployment-team.nl",
@@ -197,21 +197,21 @@
    "token",
    "v1"
   ],
-  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/netbox-api.md:netbox-v1-token:21"
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/test-endpoint.md:netbox-v1-token:8"
  },
  {
   "RuleID": "netbox-v1-token",
   "Description": "NetBox v1 API token (40-char hex key)",
-  "StartLine": 8,
-  "EndLine": 8,
+  "StartLine": 12,
+  "EndLine": 12,
   "StartColumn": 2,
   "EndColumn": 49,
   "Match": "TOKEN=\"a9717b9520d54d19383649066ef3b25e313bf219\"",
   "Secret": "a9717b9520d54d19383649066ef3b25e313bf219",
-  "File": ".claude/commands/test-endpoint.md",
+  "File": ".claude/commands/implement.md",
   "SymlinkFile": "",
   "Commit": "ef1726d42f622dedf4579016dd6a4fa13df26f17",
-  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/test-endpoint.md?plain=1#L8",
+  "Link": "https://github.com/ctrl-alt-automate/PowerNetbox/blob/ef1726d42f622dedf4579016dd6a4fa13df26f17/.claude/commands/implement.md?plain=1#L12",
   "Entropy": 3.7659574,
   "Author": "ctrl-alt-automate",
   "Email": "elvis@deployment-team.nl",
@@ -222,6 +222,6 @@
    "token",
    "v1"
   ],
-  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/test-endpoint.md:netbox-v1-token:8"
+  "Fingerprint": "ef1726d42f622dedf4579016dd6a4fa13df26f17:.claude/commands/implement.md:netbox-v1-token:12"
  }
 ]

.gitleaks.toml

@@ -29,7 +29,7 @@ tags = ["netbox", "token", "v2"]
 [[rules]]
 id = "netbox-v1-token"
 description = "NetBox v1 API token (40-char hex key)"
-regex = '''(?i)(?:token|netbox[_-]?token|nb[_-]?token|api[_-]?token|api[_-]?key)\s*[:=]\s*["']?\b([a-f0-9]{40})\b["']?'''
+regex = '''(?i)\b(?:token|netbox[_-]?token|nb[_-]?token|api[_-]?token|api[_-]?key)\s*[:=]\s*["']?\b([a-f0-9]{40})\b["']?'''
 keywords = ["token", "apikey", "api_key", "api-key"]
 secretGroup = 1
 tags = ["netbox", "token", "v1"]