The blast radius of an API key is not "did it leak." It's "if the agent holding it does the wrong thing, how much of your stack goes with it." A secret scanner answers the first question. Nothing in your toolchain answers the second one before an incident. So I wrote 40 lines that do, offline, from the permission metadata you already have. In short: the blast radius of an API key is set by its permissions, not by whether it leaked: scope width × environment isolation × lifetime × revocability. b
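The four-factor product above can be computed from a key inventory without touching the network. The sketch below is an added example, not the author's 40 lines: the `KeyMeta` fields, the weights and the thresholds are all assumptions chosen for illustration, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Field names, weights and thresholds are assumptions chosen for illustration.
WRITE_VERBS = {"write", "delete", "admin"}

@dataclass
class KeyMeta:
    name: str
    scopes: list                     # "resource:verb" strings, or "*" for everything
    environments: list               # environments where the key is accepted
    expires_at: Optional[datetime]   # None means the key never expires
    owner_can_revoke: bool           # False if revocation needs a vendor ticket

def scope_width(scopes):
    if "*" in scopes:
        return 10.0
    # Mutating verbs count double; cap so one factor cannot dominate.
    return min(10.0, sum(2.0 if s.rsplit(":", 1)[-1] in WRITE_VERBS else 1.0 for s in scopes))

def env_isolation(envs):
    # Each extra environment widens the radius; touching prod doubles it.
    return float(len(envs) * (2 if "prod" in envs else 1))

def lifetime(expires_at, now):
    if expires_at is None:
        return 4.0
    days = (expires_at - now).total_seconds() / 86400
    if days <= 0:
        return 0.0                   # already expired: nothing left to abuse
    return 1.0 if days <= 1 else 2.0 if days <= 90 else 3.0

def blast_radius(key, now):
    revocability = 1.0 if key.owner_can_revoke else 2.0
    return scope_width(key.scopes) * env_isolation(key.environments) * lifetime(key.expires_at, now) * revocability

def rank(keys, now):
    return sorted(((blast_radius(k, now), k.name) for k in keys), reverse=True)

# Constructed inventory, not real keys.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
KEYS = [
    KeyMeta("ci-deploy", ["*"], ["dev", "staging", "prod"], None, False),
    KeyMeta("billing-bot", ["billing:write", "invoices:read"], ["prod"], NOW + timedelta(days=30), True),
    KeyMeta("agent-readonly", ["repo:read"], ["dev"], NOW + timedelta(hours=12), True),
    KeyMeta("old-token", ["repo:admin"], ["prod"], NOW - timedelta(days=3), True),
]

if __name__ == "__main__":
    for score, name in rank(KEYS, NOW):
        print(f"{score:7.1f}  {name}")
```

Because the factors multiply, narrowing any single one (a shorter lifetime, a single environment) shrinks the whole score, which makes the ranking useful for deciding which key to re-scope first.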