vaspera 2.7.0 → 2.9.0

package/dist/action/diff-mode.d.ts

@@ -1,20 +1,107 @@
 /**
- * Diff Mode - Changed Files Detection
+ * Differential PR Mode
  *
- * Detects which files have changed in a PR or push event
- * to enable incremental scanning.
+ * Enhanced diff mode for incremental scanning with:
+ * - Git-based change detection (git diff --name-only)
+ * - Integration with scanner cache
+ * - Support for PR base SHA comparison
+ * - Incremental certification support
  *
  * @module action/diff-mode
  */
 import type { ChangedFile, GitHubContext } from "./types.js";
 /**
- * Get changed files from GitHub API
+ * Result of git diff operation
+ */
+export interface GitDiffResult {
+    /** Files that changed */
+    changedFiles: string[];
+    /** Base commit SHA */
+    baseSha: string;
+    /** Head commit SHA */
+    headSha: string;
+    /** Whether diff detection was successful */
+    success: boolean;
+    /** Error message if unsuccessful */
+    error?: string;
+    /** Total additions */
+    additions: number;
+    /** Total deletions */
+    deletions: number;
+}
+/**
+ * File info with hash for caching
+ */
+export interface FileInfo {
+    /** Relative file path */
+    path: string;
+    /** SHA-256 hash of file contents */
+    hash: string;
+    /** File size in bytes */
+    size: number;
+    /** Last modified time */
+    mtime: Date;
+}
+/**
+ * Incremental scan configuration
+ */
+export interface IncrementalScanConfig {
+    /** Project path */
+    projectPath: string;
+    /** Base SHA for comparison (e.g., PR base branch) */
+    baseSha?: string;
+    /** Head SHA (default: HEAD) */
+    headSha?: string;
+    /** Previous certification ID to build upon */
+    previousCertificationId?: string;
+    /** Files to force include even if unchanged */
+    forceInclude?: string[];
+    /** Files to exclude from scanning */
+    exclude?: string[];
+    /** Whether to scan security-critical files regardless of changes */
+    alwaysScanSecurityFiles?: boolean;
+}
+/**
+ * Incremental scan result
+ */
+export interface IncrementalScanResult {
+    /** Files that need scanning */
+    filesToScan: FileInfo[];
+    /** Files that are unchanged (cached) */
+    unchangedFiles: string[];
+    /** Files that were removed */
+    removedFiles: string[];
+    /** Git diff information */
+    diff: GitDiffResult;
+    /** Configuration used */
+    config: IncrementalScanConfig;
+    /** Whether incremental mode was used */
+    isIncremental: boolean;
+    /** Estimated time savings from cache */
+    estimatedSavingsPercent: number;
+}
+/**
+ * Get changed files using git diff
  *
- * @param octokit - GitHub API client
- * @param context - GitHub context
- * @returns Array of changed files
+ * Uses `git diff --name-only $BASE_SHA...HEAD` for accurate change detection.
+ *
+ * @param projectPath - Path to git repository
+ * @param baseSha - Base commit SHA (e.g., PR base branch)
+ * @param headSha - Head commit SHA (default: HEAD)
  */
-export declare function getChangedFiles(octokit: any, context: GitHubContext): Promise<ChangedFile[]>;
+export declare function getGitDiff(projectPath: string, baseSha?: string, headSha?: string): Promise<GitDiffResult>;
+/**
+ * Get file info with content hash
+ */
+export declare function getFileInfo(projectPath: string, filePath: string): Promise<FileInfo | null>;
+/**
+ * Get file info for multiple files in parallel
+ */
+export declare function getFilesInfo(projectPath: string, filePaths: string[]): Promise<FileInfo[]>;
+/**
+ * Check if a file should be scanned
+ */
+export declare function isScannableFile(filename: string): boolean;
 /**
  * Filter changed files to only scannable ones
  */
@@ -23,12 +110,41 @@ export declare function filterScannableFiles(files: ChangedFile[]): ChangedFile[
  * Get the list of file paths to scan
  */
 export declare function getFilesToScan(changedFiles: ChangedFile[]): string[];
+/**
+ * Configure incremental scanning
+ *
+ * Determines which files need scanning based on:
+ * 1. Git diff against base SHA
+ * 2. File content hashes (for cache validation)
+ * 3. Security-critical file detection
+ */
+export declare function configureIncrementalScan(config: IncrementalScanConfig): Promise<IncrementalScanResult>;
+/**
+ * Get changed files from GitHub API
+ *
+ * @param octokit - GitHub API client
+ * @param context - GitHub context
+ * @returns Array of changed files
+ */
+export declare function getChangedFiles(octokit: any, context: GitHubContext): Promise<ChangedFile[]>;
 /**
  * Check if any security-relevant files changed
  */
 export declare function hasSecurityRelevantChanges(changedFiles: ChangedFile[]): boolean;
+/**
+ * Get scan scope recommendation based on changes
+ */
+export declare function getScanScopeRecommendation(changedFiles: ChangedFile[]): "full" | "incremental" | "security-only";
 /**
  * Generate summary of changed files
  */
 export declare function generateChangeSummary(changedFiles: ChangedFile[]): string;
+/**
+ * Group files by directory for parallel processing
+ */
+export declare function groupFilesByDirectory(files: FileInfo[]): Map<string, FileInfo[]>;
+/**
+ * Prioritize files for scanning (security-critical first)
+ */
+export declare function prioritizeFiles(files: FileInfo[]): FileInfo[];
 //# sourceMappingURL=diff-mode.d.ts.map

package/dist/action/diff-mode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diff-mode.d.ts","sourceRoot":"","sources":["../../src/action/diff-mode.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AA6B7D;;;;;;GAMG;AACH,wBAAsB,eAAe,CAEnC,OAAO,EAAE,GAAG,EACZ,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,WAAW,EAAE,CAAC,CAmExB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,WAAW,EAAE,CAoBxE;AAWD;;GAEG;AACH,wBAAgB,cAAc,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,EAAE,CAEpE;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,OAAO,CAsB/E;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,CA8BzE"}
+{"version":3,"file":"diff-mode.d.ts","sourceRoot":"","sources":["../../src/action/diff-mode.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAoD7D;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,KAAK,EAAE,IAAI,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,+CAA+C;IAC/C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,qCAAqC;IACrC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,oEAAoE;IACpE,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,+BAA+B;IAC/B,WAAW,EAAE,QAAQ,EAAE,CAAC;IACxB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,8BAA8B;IAC9B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,2BAA2B;IAC3B,IAAI,EAAE,aAAa,CAAC;IACpB,yBAAyB;IACzB,MAAM,EAAE,qBAAqB,CAAC;IAC9B,wCAAwC;IACxC,aAAa,EAAE,OAAO,CAAC;IACvB,wCAAwC;IACxC,uBAAuB,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAC9B,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,GAAE,MAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CA+ExB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAkB1B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EAAE,GAClB,OAAO,CAAC,QAAQ,EAAE,CAAC,CAKrB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAsBzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,WAAW,EAAE,CAMxE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,EAAE,CAEpE;AAED;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,qBAAqB,CAAC,CAmEhC;AAkED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAEnC,OAAO,EAAE,GAAG,EACZ,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,WAAW,EAAE,CAAC,CAkExB;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,OAAO,CA0B/E;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,YAAY,EAAE,WAAW,EAAE,GAC1B,MAAM,GAAG,aAAa,GAAG,eAAe,CAkB1C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,CA4CzE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,QAAQ,EAAE,GAChB,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAWzB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,QAAQ,EAAE,CAsB7D"}

package/dist/action/diff-mode.js

@@ -1,11 +1,21 @@
 /**
- * Diff Mode - Changed Files Detection
+ * Differential PR Mode
  *
- * Detects which files have changed in a PR or push event
- * to enable incremental scanning.
+ * Enhanced diff mode for incremental scanning with:
+ * - Git-based change detection (git diff --name-only)
+ * - Integration with scanner cache
+ * - Support for PR base SHA comparison
+ * - Incremental certification support
  *
  * @module action/diff-mode
  */
+import { exec } from "child_process";
+import { promisify } from "util";
+import { join, extname } from "path";
+import { stat, readFile } from "fs/promises";
+import { createHash } from "crypto";
+import { logger } from "../logger.js";
+const execAsync = promisify(exec);
 /**
  * File extensions to include in scans
  */
@@ -31,7 +41,285 @@ const SCANNABLE_EXTENSIONS = new Set([
     ".cs",
     ".vue",
     ".svelte",
+    ".tf", // Terraform
+    ".dockerfile", // Docker
 ]);
+/**
+ * Paths to exclude from scanning
+ */
+const EXCLUDED_PATHS = [
+    "node_modules/",
+    "dist/",
+    "build/",
+    "coverage/",
+    ".git/",
+    ".vaspera/",
+    ".next/",
+    ".turbo/",
+    "__pycache__/",
+    "vendor/",
+    "venv/",
+    ".venv/",
+];
+/**
+ * Get changed files using git diff
+ *
+ * Uses `git diff --name-only $BASE_SHA...HEAD` for accurate change detection.
+ *
+ * @param projectPath - Path to git repository
+ * @param baseSha - Base commit SHA (e.g., PR base branch)
+ * @param headSha - Head commit SHA (default: HEAD)
+ */
+export async function getGitDiff(projectPath, baseSha, headSha = "HEAD") {
+    const result = {
+        changedFiles: [],
+        baseSha: baseSha || "",
+        headSha,
+        success: false,
+        additions: 0,
+        deletions: 0,
+    };
+    try {
+        // Get base SHA if not provided (use default branch)
+        if (!baseSha) {
+            try {
+                const { stdout: defaultBranch } = await execAsync('git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed "s@^refs/remotes/origin/@@" || echo "main"', { cwd: projectPath, timeout: 10000 });
+                baseSha = `origin/${defaultBranch.trim()}`;
+                result.baseSha = baseSha;
+            }
+            catch {
+                baseSha = "HEAD^";
+                result.baseSha = baseSha;
+            }
+        }
+        // Get list of changed files
+        const { stdout: diffOutput } = await execAsync(`git diff --name-only ${baseSha}...${headSha} 2>/dev/null || git diff --name-only ${baseSha} ${headSha}`, { cwd: projectPath, timeout: 30000 });
+        result.changedFiles = diffOutput
+            .trim()
+            .split("\n")
+            .filter((f) => f.length > 0);
+        // Get stats (additions/deletions)
+        try {
+            const { stdout: statsOutput } = await execAsync(`git diff --shortstat ${baseSha}...${headSha} 2>/dev/null || git diff --shortstat ${baseSha} ${headSha}`, { cwd: projectPath, timeout: 10000 });
+            const addMatch = statsOutput.match(/(\d+) insertions?/);
+            const delMatch = statsOutput.match(/(\d+) deletions?/);
+            result.additions = addMatch ? parseInt(addMatch[1], 10) : 0;
+            result.deletions = delMatch ? parseInt(delMatch[1], 10) : 0;
+        }
+        catch {
+            // Stats are optional
+        }
+        // Get actual head SHA
+        try {
+            const { stdout: actualHead } = await execAsync(`git rev-parse ${headSha}`, { cwd: projectPath, timeout: 5000 });
+            result.headSha = actualHead.trim();
+        }
+        catch {
+            // Keep original headSha
+        }
+        result.success = true;
+        logger.info("diff_mode.git_diff", {
+            baseSha: result.baseSha,
+            headSha: result.headSha,
+            changedFiles: result.changedFiles.length,
+            additions: result.additions,
+            deletions: result.deletions,
+        });
+        return result;
+    }
+    catch (error) {
+        result.error = String(error);
+        logger.warn("diff_mode.git_diff_failed", { error: result.error });
+        return result;
+    }
+}
+/**
+ * Get file info with content hash
+ */
+export async function getFileInfo(projectPath, filePath) {
+    const fullPath = join(projectPath, filePath);
+    try {
+        const [fileStats, content] = await Promise.all([
+            stat(fullPath),
+            readFile(fullPath),
+        ]);
+        return {
+            path: filePath,
+            hash: createHash("sha256").update(content).digest("hex"),
+            size: fileStats.size,
+            mtime: fileStats.mtime,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get file info for multiple files in parallel
+ */
+export async function getFilesInfo(projectPath, filePaths) {
+    const results = await Promise.all(filePaths.map((path) => getFileInfo(projectPath, path)));
+    return results.filter((f) => f !== null);
+}
+/**
+ * Check if a file should be scanned
+ */
+export function isScannableFile(filename) {
+    // Check excluded paths
+    for (const excluded of EXCLUDED_PATHS) {
+        if (filename.includes(excluded)) {
+            return false;
+        }
+    }
+    // Check extension
+    const ext = extname(filename).toLowerCase();
+    if (!SCANNABLE_EXTENSIONS.has(ext)) {
+        // Special cases
+        if (filename.endsWith("Dockerfile"))
+            return true;
+        if (filename === "docker-compose.yml" || filename === "docker-compose.yaml")
+            return true;
+        return false;
+    }
+    // Exclude minified/bundled files
+    if (filename.endsWith(".min.js") || filename.endsWith(".min.css"))
+        return false;
+    if (filename.endsWith(".bundle.js"))
+        return false;
+    return true;
+}
+/**
+ * Filter changed files to only scannable ones
+ */
+export function filterScannableFiles(files) {
+    return files.filter((file) => {
+        // Exclude deleted files
+        if (file.status === "removed")
+            return false;
+        return isScannableFile(file.filename);
+    });
+}
+/**
+ * Get the list of file paths to scan
+ */
+export function getFilesToScan(changedFiles) {
+    return filterScannableFiles(changedFiles).map((f) => f.filename);
+}
+/**
+ * Configure incremental scanning
+ *
+ * Determines which files need scanning based on:
+ * 1. Git diff against base SHA
+ * 2. File content hashes (for cache validation)
+ * 3. Security-critical file detection
+ */
+export async function configureIncrementalScan(config) {
+    const { projectPath, baseSha, headSha, forceInclude, exclude, alwaysScanSecurityFiles } = config;
+    // Get git diff
+    const diff = await getGitDiff(projectPath, baseSha, headSha);
+    // Filter to scannable files
+    const scannableChanged = diff.changedFiles.filter(isScannableFile);
+    // Apply exclusions
+    let filesToProcess = scannableChanged;
+    if (exclude && exclude.length > 0) {
+        const excludePatterns = exclude.map((p) => new RegExp(p));
+        filesToProcess = filesToProcess.filter((f) => !excludePatterns.some((pattern) => pattern.test(f)));
+    }
+    // Add force-included files
+    if (forceInclude && forceInclude.length > 0) {
+        const additional = forceInclude.filter((f) => !filesToProcess.includes(f) && isScannableFile(f));
+        filesToProcess = [...filesToProcess, ...additional];
+    }
+    // Add security-critical files if requested
+    if (alwaysScanSecurityFiles) {
+        const securityFiles = await findSecurityCriticalFiles(projectPath);
+        const additional = securityFiles.filter((f) => !filesToProcess.includes(f));
+        filesToProcess = [...filesToProcess, ...additional];
+    }
+    // Get file info (with hashes)
+    const fileInfos = await getFilesInfo(projectPath, filesToProcess);
+    // Calculate removed files
+    const removedFiles = diff.changedFiles.filter((f) => {
+        // Try to stat the file - if it fails, it's removed
+        return !fileInfos.some((fi) => fi.path === f);
+    });
+    // Estimate savings
+    const totalProjectFiles = await estimateTotalFiles(projectPath);
+    const estimatedSavingsPercent = totalProjectFiles > 0
+        ? Math.round(((totalProjectFiles - fileInfos.length) / totalProjectFiles) * 100)
+        : 0;
+    const result = {
+        filesToScan: fileInfos,
+        unchangedFiles: [], // Will be populated by cache lookup
+        removedFiles,
+        diff,
+        config,
+        isIncremental: diff.success && fileInfos.length < totalProjectFiles,
+        estimatedSavingsPercent,
+    };
+    logger.info("diff_mode.incremental_config", {
+        filesToScan: fileInfos.length,
+        removedFiles: removedFiles.length,
+        isIncremental: result.isIncremental,
+        estimatedSavingsPercent,
+    });
+    return result;
+}
+/**
+ * Find security-critical files that should always be scanned
+ */
+async function findSecurityCriticalFiles(projectPath) {
+    const patterns = [
+        "**/auth/**/*.{ts,tsx,js,jsx}",
+        "**/security/**/*.{ts,tsx,js,jsx}",
+        "**/middleware/**/*.{ts,tsx,js,jsx}",
+        "**/api/**/*.{ts,tsx,js,jsx}",
+        "**/*auth*.{ts,tsx,js,jsx}",
+        "**/*login*.{ts,tsx,js,jsx}",
+        "**/*session*.{ts,tsx,js,jsx}",
+        "**/*token*.{ts,tsx,js,jsx}",
+        "**/*password*.{ts,tsx,js,jsx}",
+        ".env.example",
+        "package.json",
+        "package-lock.json",
+        "yarn.lock",
+        "pnpm-lock.yaml",
+    ];
+    const files = [];
+    try {
+        // Use git ls-files to get tracked files matching patterns
+        for (const pattern of patterns) {
+            try {
+                const { stdout } = await execAsync(`git ls-files "${pattern}" 2>/dev/null || true`, { cwd: projectPath, timeout: 5000 });
+                const matches = stdout.trim().split("\n").filter((f) => f.length > 0);
+                files.push(...matches);
+            }
+            catch {
+                // Ignore pattern matching errors
+            }
+        }
+    }
+    catch {
+        // Git ls-files failed, return empty
+    }
+    // Deduplicate
+    return [...new Set(files)];
+}
+/**
+ * Estimate total number of scannable files in project
+ */
+async function estimateTotalFiles(projectPath) {
+    try {
+        const { stdout } = await execAsync('git ls-files | grep -E "\\.(ts|tsx|js|jsx|py|rb|go|java|rs|sql|json|yaml|yml)$" | wc -l', { cwd: projectPath, timeout: 10000 });
+        return parseInt(stdout.trim(), 10) || 0;
+    }
+    catch {
+        return 0;
+    }
+}
+// ============================================================================
+// GitHub API Integration (preserved from original)
+// ============================================================================
 /**
  * Get changed files from GitHub API
  *
@@ -72,7 +360,6 @@ octokit, context) {
     }
     else {
         // Push event - compare with previous commit
-        // For push events, compare HEAD^ with HEAD
         const base = `${context.sha}^`;
         const head = context.sha;
         try {
@@ -105,70 +392,51 @@ octokit, context) {
     }
     return changedFiles;
 }
-/**
- * Filter changed files to only scannable ones
- */
-export function filterScannableFiles(files) {
-    return files.filter((file) => {
-        // Exclude deleted files
-        if (file.status === "removed")
-            return false;
-        // Check extension
-        const ext = getExtension(file.filename);
-        if (!SCANNABLE_EXTENSIONS.has(ext))
-            return false;
-        // Exclude common non-source paths
-        if (file.filename.includes("node_modules/"))
-            return false;
-        if (file.filename.includes("dist/"))
-            return false;
-        if (file.filename.includes("build/"))
-            return false;
-        if (file.filename.includes("coverage/"))
-            return false;
-        if (file.filename.includes(".git/"))
-            return false;
-        if (file.filename.endsWith(".min.js"))
-            return false;
-        if (file.filename.endsWith(".bundle.js"))
-            return false;
-        return true;
-    });
-}
-/**
- * Get file extension (including dot)
- */
-function getExtension(filename) {
-    const lastDot = filename.lastIndexOf(".");
-    if (lastDot === -1)
-        return "";
-    return filename.slice(lastDot).toLowerCase();
-}
-/**
- * Get the list of file paths to scan
- */
-export function getFilesToScan(changedFiles) {
-    return filterScannableFiles(changedFiles).map((f) => f.filename);
-}
 /**
  * Check if any security-relevant files changed
  */
 export function hasSecurityRelevantChanges(changedFiles) {
-    const securityFiles = [
-        "package.json",
-        "package-lock.json",
-        "yarn.lock",
-        "pnpm-lock.yaml",
-        ".env",
-        ".env.example",
-        "auth",
-        "security",
-        "middleware",
-        "api/",
-        "routes/",
+    const securityPatterns = [
+        /package\.json$/,
+        /package-lock\.json$/,
+        /yarn\.lock$/,
+        /pnpm-lock\.yaml$/,
+        /\.env/,
+        /auth/i,
+        /security/i,
+        /middleware/i,
+        /api\//i,
+        /routes?\//i,
+        /session/i,
+        /token/i,
+        /password/i,
+        /crypt/i,
+        /jwt/i,
+        /oauth/i,
+        /supabase/i,
+        /prisma/i,
+        /schema\.prisma$/,
     ];
-    return changedFiles.some((file) => securityFiles.some((pattern) => file.filename.includes(pattern) ||
-        file.filename.toLowerCase().includes(pattern)));
+    return changedFiles.some((file) => securityPatterns.some((pattern) => pattern.test(file.filename)));
+}
+/**
+ * Get scan scope recommendation based on changes
+ */
+export function getScanScopeRecommendation(changedFiles) {
+    // If no changes detected, suggest full scan
+    if (changedFiles.length === 0) {
+        return "full";
+    }
+    // If many files changed (>50), suggest full scan
+    if (changedFiles.length > 50) {
+        return "full";
+    }
+    // If security-relevant changes, suggest security-focused scan
+    if (hasSecurityRelevantChanges(changedFiles)) {
+        return "security-only";
+    }
+    // Otherwise, incremental scan
+    return "incremental";
 }
 /**
  * Generate summary of changed files
@@ -176,19 +444,25 @@ export function hasSecurityRelevantChanges(changedFiles) {
 export function generateChangeSummary(changedFiles) {
     const byStatus = new Map();
     const byExtension = new Map();
+    let totalAdditions = 0;
+    let totalDeletions = 0;
     for (const file of changedFiles) {
         byStatus.set(file.status, (byStatus.get(file.status) || 0) + 1);
-        const ext = getExtension(file.filename) || "(no extension)";
+        const ext = extname(file.filename) || "(no extension)";
         byExtension.set(ext, (byExtension.get(ext) || 0) + 1);
+        totalAdditions += file.additions;
+        totalDeletions += file.deletions;
     }
     const lines = [
         `**Changed Files**: ${changedFiles.length}`,
+        `**Lines Changed**: +${totalAdditions} / -${totalDeletions}`,
         "",
         "| Status | Count |",
         "|--------|-------|",
     ];
     for (const [status, count] of byStatus) {
-        lines.push(`| ${status} | ${count} |`);
+        const emoji = status === "added" ? "🆕" : status === "removed" ? "🗑️" : "📝";
+        lines.push(`| ${emoji} ${status} | ${count} |`);
     }
     lines.push("", "| Extension | Count |", "|-----------|-------|");
     // Sort by count descending
@@ -196,6 +470,51 @@ export function generateChangeSummary(changedFiles) {
     for (const [ext, count] of sortedExtensions.slice(0, 10)) {
         lines.push(`| ${ext} | ${count} |`);
     }
+    // Add scope recommendation
+    const scope = getScanScopeRecommendation(changedFiles);
+    lines.push("", `**Recommended Scope**: ${scope}`);
+    if (hasSecurityRelevantChanges(changedFiles)) {
+        lines.push("", "⚠️ **Security-relevant files detected** - recommend full security scan");
+    }
     return lines.join("\n");
 }
+/**
+ * Group files by directory for parallel processing
+ */
+export function groupFilesByDirectory(files) {
+    const groups = new Map();
+    for (const file of files) {
+        const dir = file.path.split("/").slice(0, -1).join("/") || ".";
+        const existing = groups.get(dir) || [];
+        existing.push(file);
+        groups.set(dir, existing);
+    }
+    return groups;
+}
+/**
+ * Prioritize files for scanning (security-critical first)
+ */
+export function prioritizeFiles(files) {
+    const securityPatterns = [
+        /auth/i,
+        /security/i,
+        /middleware/i,
+        /api\//i,
+        /routes?\//i,
+        /session/i,
+        /token/i,
+        /password/i,
+        /\.env/,
+        /package\.json$/,
+    ];
+    return [...files].sort((a, b) => {
+        const aIsSecurity = securityPatterns.some((p) => p.test(a.path));
+        const bIsSecurity = securityPatterns.some((p) => p.test(b.path));
+        if (aIsSecurity && !bIsSecurity)
+            return -1;
+        if (!aIsSecurity && bIsSecurity)
+            return 1;
+        return 0;
+    });
+}
 //# sourceMappingURL=diff-mode.js.map