Merge pull request #217 from syncable-dev/develop

Develop

Author: Alex793x

.gitignore

@@ -34,3 +34,6 @@ docs/phase2/
 syncable-ide-companion/*.vsix
 syncable-ide-companion/node_modules/
 syncable-ide-companion/dist/
+
+syncable-cli.tape
+syncable-cli-demo.gif

src/agent/session.rs

@@ -406,6 +406,37 @@ impl ChatSession {
         input.trim().starts_with('/')
     }
 
+    /// Strip @ prefix from file/folder references for AI consumption
+    /// Keeps the path but removes the leading @ that was used for autocomplete
+    /// e.g., "check @src/main.rs for issues" -> "check src/main.rs for issues"
+    fn strip_file_references(input: &str) -> String {
+        let mut result = String::with_capacity(input.len());
+        let chars: Vec<char> = input.chars().collect();
+        let mut i = 0;
+
+        while i < chars.len() {
+            if chars[i] == '@' {
+                // Check if this @ is at start or after whitespace (valid file reference trigger)
+                let is_valid_trigger = i == 0 || chars[i - 1].is_whitespace();
+
+                if is_valid_trigger {
+                    // Check if there's a path after @ (not just @ followed by space/end)
+                    let has_path = i + 1 < chars.len() && !chars[i + 1].is_whitespace();
+
+                    if has_path {
+                        // Skip the @ but keep the path
+                        i += 1;
+                        continue;
+                    }
+                }
+            }
+            result.push(chars[i]);
+            i += 1;
+        }
+
+        result
+    }
+
     /// Read user input with prompt - with interactive file picker support
     /// Uses custom terminal handling for @ file references and / commands
     pub fn read_input(&self) -> io::Result<String> {
@@ -422,7 +453,9 @@ impl ChatSession {
                         return Ok(cmd.to_string());
                     }
                 }
-                Ok(trimmed.to_string())
+                // Strip @ prefix from file references before sending to AI
+                // The @ is for UI autocomplete, but the AI should see just the path
+                Ok(Self::strip_file_references(trimmed))
             }
             InputResult::Cancel => Ok("exit".to_string()),  // Ctrl+C exits
             InputResult::Exit => Ok("exit".to_string()),

src/analyzer/security/turbo/file_discovery.rs

@@ -131,7 +131,7 @@ impl FileDiscovery {
         Ok(paths)
     }
 
-    /// Get untracked files that might contain secrets
+    /// Get untracked files that might contain secrets (including gitignored files)
     fn get_untracked_secret_files(&self, project_root: &Path) -> Result<Vec<PathBuf>, SecurityError> {
         // Common secret file patterns that might not be tracked
         let secret_patterns = vec![
@@ -144,26 +144,46 @@ impl FileDiscovery {
             "config/*.json",
             "config/*.yml",
         ];
-        
+
         let mut untracked_files = Vec::new();
-        
+
         for pattern in secret_patterns {
+            // First, get untracked files that are NOT gitignored (potential accidental exposure)
             let output = Command::new("git")
                 .args(&["ls-files", "--others", "--exclude-standard", pattern])
                 .current_dir(project_root)
                 .output();
-            
+
+            if let Ok(output) = output {
+                if output.status.success() {
+                    let paths: Vec<PathBuf> = String::from_utf8_lossy(&output.stdout)
+                        .lines()
+                        .filter(|line| !line.is_empty())
+                        .map(|line| project_root.join(line))
+                        .collect();
+                    untracked_files.extend(paths);
+                }
+            }
+
+            // Also get gitignored files - these should be scanned to verify they exist
+            // and contain real secrets (important for security audit completeness)
+            let output = Command::new("git")
+                .args(&["ls-files", "--others", "--ignored", "--exclude-standard", pattern])
+                .current_dir(project_root)
+                .output();
+
             if let Ok(output) = output {
                 if output.status.success() {
                     let paths: Vec<PathBuf> = String::from_utf8_lossy(&output.stdout)
                         .lines()
+                        .filter(|line| !line.is_empty())
                         .map(|line| project_root.join(line))
                         .collect();
                     untracked_files.extend(paths);
                 }
             }
         }
-        
+
         Ok(untracked_files)
     }
 

src/analyzer/security/turbo/mod.rs

@@ -164,12 +164,12 @@ impl TurboSecurityAnalyzer {
 
         // Phase 3: Parallel scanning with work-stealing
         let scan_start = Instant::now();
-        let findings = self.parallel_scan(filtered_files)?;
-        info!("🔍 Scanned files in {:?}, found {} findings", 
+        let (findings, files_scanned) = self.parallel_scan(filtered_files)?;
+        info!("🔍 Scanned files in {:?}, found {} findings",
               scan_start.elapsed(), findings.len());
-        
+
         // Phase 4: Result aggregation and report generation
-        let report = ResultAggregator::aggregate(findings, start.elapsed());
+        let report = ResultAggregator::aggregate(findings, start.elapsed(), files_scanned);
 
         info!("✅ Turbo analysis completed in {:?}", start.elapsed());
         Ok(report)
@@ -226,7 +226,7 @@ impl TurboSecurityAnalyzer {
     }
 
     /// Parallel scan with work-stealing and early termination
-    fn parallel_scan(&self, files: Vec<FileMetadata>) -> Result<Vec<SecurityFinding>, SecurityError> {
+    fn parallel_scan(&self, files: Vec<FileMetadata>) -> Result<(Vec<SecurityFinding>, usize), SecurityError> {
         let thread_count = if self.config.worker_threads == 0 {
             num_cpus::get()
         } else {
@@ -333,10 +333,10 @@ impl TurboSecurityAnalyzer {
             handle.join().unwrap();
         }
 
-        info!("Scan complete: {} files scanned, {} skipped, {} findings", 
+        info!("Scan complete: {} files scanned, {} skipped, {} findings",
               files_scanned, files_skipped, all_findings.len());
-        
-        Ok(all_findings)
+
+        Ok((all_findings, files_scanned))
     }
 }
 

src/analyzer/security/turbo/results.rs

@@ -44,7 +44,7 @@ pub struct ResultAggregator;
 
 impl ResultAggregator {
     /// Aggregate findings into a comprehensive report
-    pub fn aggregate(mut findings: Vec<SecurityFinding>, scan_duration: Duration) -> SecurityReport {
+    pub fn aggregate(mut findings: Vec<SecurityFinding>, scan_duration: Duration, files_scanned: usize) -> SecurityReport {
         // Deduplicate findings
         findings = Self::deduplicate_findings(findings);
 
@@ -77,7 +77,7 @@ impl ResultAggregator {
             overall_score,
             risk_level,
             total_findings,
-            files_scanned: 0, // TODO: Track actual count
+            files_scanned,
             findings_by_severity,
             findings_by_category,
             findings,
@@ -329,7 +329,7 @@ mod tests {
             },
         ];
 
-        let report = ResultAggregator::aggregate(findings, Duration::from_secs(5));
+        let report = ResultAggregator::aggregate(findings, Duration::from_secs(5), 10);
 
         assert_eq!(report.total_findings, 2);
         assert_eq!(report.risk_level, SecuritySeverity::Critical);

src/handlers/security.rs

@@ -153,7 +153,7 @@ fn format_security_table(
         output.push_str(&format_security_findings_box(security_report, path));
         output.push_str(&format_gitignore_legend());
     } else {
-        output.push_str(&format_no_findings_box());
+        output.push_str(&format_no_findings_box(security_report.files_scanned));
     }
 
     // Recommendations
@@ -176,13 +176,7 @@ fn format_security_summary_box(
         TurboSecuritySeverity::Info => "blue",
     }), true);
     score_box.add_line("Total Findings:", &security_report.total_findings.to_string().cyan(), true);
-    
-    // Analysis scope
-    let config_files = security_report.findings.iter()
-        .filter_map(|f| f.file_path.as_ref())
-        .collect::<std::collections::HashSet<_>>()
-        .len();
-    score_box.add_line("Files Analyzed:", &config_files.max(1).to_string().green(), true);
+    score_box.add_line("Files Scanned:", &security_report.files_scanned.to_string().green(), true);
     score_box.add_line("Scan Mode:", &format!("{:?}", scan_mode).green(), true);
 
     format!("\n{}\n", score_box.draw())
@@ -402,10 +396,16 @@ fn format_gitignore_legend() -> String {
     format!("\n{}\n", legend_box.draw())
 }
 
-fn format_no_findings_box() -> String {
+fn format_no_findings_box(files_scanned: usize) -> String {
     let mut no_findings_box = BoxDrawer::new("Security Status");
-    no_findings_box.add_value_only(&"✅ No security issues detected".green());
-    no_findings_box.add_value_only("💡 Regular security scanning recommended");
+    if files_scanned == 0 {
+        no_findings_box.add_value_only(&"⚠️  No files were scanned".yellow());
+        no_findings_box.add_value_only("This may indicate that all files were filtered out or the scan failed.");
+        no_findings_box.add_value_only("💡 Try running with --mode thorough or --mode paranoid for a deeper scan");
+    } else {
+        no_findings_box.add_value_only(&"✅ No security issues detected".green());
+        no_findings_box.add_value_only("💡 Regular security scanning recommended");
+    }
     format!("\n{}\n", no_findings_box.draw())
 }