commitbee 0.6.0

AI-powered commit message generator using tree-sitter semantic analysis and local LLMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366

// SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
//
// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Commercial

use std::borrow::Cow;
use std::sync::LazyLock;

use regex::Regex;

use crate::domain::StagedChanges;

pub struct SecretMatch {
    pub pattern_name: String,
    pub file: String,
    pub line: Option<usize>,
}

/// A named secret detection pattern with description.
#[allow(dead_code)]
pub struct SecretPattern {
    pub name: Cow<'static, str>,
    pub regex: Regex,
    pub description: Cow<'static, str>,
}

/// Build the full set of secret patterns, applying custom additions and disabled names.
///
/// Custom patterns are compiled from user-provided regex strings. Invalid regexes
/// are silently skipped (logged at warn level in the caller).
pub fn build_patterns(custom: &[String], disabled: &[String]) -> Vec<SecretPattern> {
    let mut patterns = builtin_patterns();

    // Remove disabled patterns by name (case-insensitive match)
    if !disabled.is_empty() {
        let disabled_lower: Vec<String> = disabled.iter().map(|s| s.to_lowercase()).collect();
        patterns.retain(|p| !disabled_lower.contains(&p.name.to_lowercase()));
    }

    // Add custom patterns
    for (i, raw) in custom.iter().enumerate() {
        if let Ok(regex) = Regex::new(raw) {
            patterns.push(SecretPattern {
                name: Cow::Owned(format!("Custom Pattern {}", i + 1)),
                regex,
                description: Cow::Owned(format!("User-defined: {}", raw)),
            });
        }
    }

    patterns
}

fn builtin_patterns() -> Vec<SecretPattern> {
    vec![
        // ── Cloud Provider API Keys ──
        SecretPattern {
            name: Cow::Borrowed("AWS Access Key"),
            regex: Regex::new(r"AKIA[0-9A-Z]{16}").unwrap(),
            description: Cow::Borrowed("AWS IAM access key ID"),
        },
        SecretPattern {
            name: Cow::Borrowed("AWS Secret Key"),
            regex: Regex::new(
                r#"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}"#,
            )
            .unwrap(),
            description: Cow::Borrowed("AWS secret access key"),
        },
        SecretPattern {
            name: Cow::Borrowed("GCP Service Account"),
            regex: Regex::new(r#""type"\s*:\s*"service_account""#).unwrap(),
            description: Cow::Borrowed("Google Cloud service account JSON key"),
        },
        SecretPattern {
            name: Cow::Borrowed("GCP API Key"),
            regex: Regex::new(r"AIza[0-9A-Za-z_-]{35}").unwrap(),
            description: Cow::Borrowed("Google API key"),
        },
        SecretPattern {
            name: Cow::Borrowed("Azure Storage Key"),
            regex: Regex::new(r#"(?i)AccountKey\s*=\s*[A-Za-z0-9+/=]{44,}"#).unwrap(),
            description: Cow::Borrowed("Azure storage account key"),
        },
        // ── AI/ML Provider Keys ──
        SecretPattern {
            name: Cow::Borrowed("OpenAI Key"),
            regex: Regex::new(r"sk-(?:proj-|svcacct-)[a-zA-Z0-9\-_]{20,}|sk-[a-zA-Z0-9]{48}")
                .unwrap(),
            description: Cow::Borrowed(
                "OpenAI API key (legacy, project-scoped, or service account)",
            ),
        },
        SecretPattern {
            name: Cow::Borrowed("Anthropic Key"),
            regex: Regex::new(r"sk-ant-[a-zA-Z0-9-]{80,}").unwrap(),
            description: Cow::Borrowed("Anthropic API key"),
        },
        SecretPattern {
            name: Cow::Borrowed("HuggingFace Token"),
            regex: Regex::new(r"hf_[a-zA-Z0-9]{34,}").unwrap(),
            description: Cow::Borrowed("HuggingFace access token"),
        },
        // ── Source Control & CI ──
        SecretPattern {
            name: Cow::Borrowed("GitHub Token"),
            regex: Regex::new(r"gh[ps]_[a-zA-Z0-9]{36,}").unwrap(),
            description: Cow::Borrowed("GitHub personal access or OAuth token"),
        },
        SecretPattern {
            name: Cow::Borrowed("GitHub Fine-Grained Token"),
            regex: Regex::new(r"github_pat_[a-zA-Z0-9_]{22,}").unwrap(),
            description: Cow::Borrowed("GitHub fine-grained personal access token"),
        },
        SecretPattern {
            name: Cow::Borrowed("GitLab Token"),
            regex: Regex::new(r"glpat-[a-zA-Z0-9_-]{20,}").unwrap(),
            description: Cow::Borrowed("GitLab personal access token"),
        },
        // ── Communication Platforms ──
        SecretPattern {
            name: Cow::Borrowed("Slack Token"),
            regex: Regex::new(r"xox[bpras]-[0-9]{10,}-[a-zA-Z0-9-]+").unwrap(),
            description: Cow::Borrowed("Slack bot, user, or app token"),
        },
        SecretPattern {
            name: Cow::Borrowed("Slack Webhook"),
            regex: Regex::new(
                r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[a-zA-Z0-9]+",
            )
            .unwrap(),
            description: Cow::Borrowed("Slack incoming webhook URL"),
        },
        SecretPattern {
            name: Cow::Borrowed("Discord Webhook"),
            regex: Regex::new(r"https://discord(?:app)?\.com/api/webhooks/\d+/[a-zA-Z0-9_-]+")
                .unwrap(),
            description: Cow::Borrowed("Discord webhook URL"),
        },
        // ── Payment & SaaS ──
        SecretPattern {
            name: Cow::Borrowed("Stripe Key"),
            regex: Regex::new(r"[sr]k_(live|test)_[a-zA-Z0-9]{24,}").unwrap(),
            description: Cow::Borrowed("Stripe secret or restricted API key"),
        },
        SecretPattern {
            name: Cow::Borrowed("Twilio Key"),
            regex: Regex::new(r"SK[a-f0-9]{32}").unwrap(),
            description: Cow::Borrowed("Twilio API key SID"),
        },
        SecretPattern {
            name: Cow::Borrowed("SendGrid Key"),
            regex: Regex::new(r"SG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{43,}").unwrap(),
            description: Cow::Borrowed("SendGrid API key"),
        },
        SecretPattern {
            name: Cow::Borrowed("Mailgun Key"),
            regex: Regex::new(r"key-[a-f0-9]{32}").unwrap(),
            description: Cow::Borrowed("Mailgun API key"),
        },
        // ── Database & Infrastructure ──
        SecretPattern {
            name: Cow::Borrowed("Connection String"),
            regex: Regex::new(r"(?i)(mongodb(\+srv)?|postgres(ql)?|mysql|redis|amqp)://[^\s]+")
                .unwrap(),
            description: Cow::Borrowed("Database or message broker connection URI"),
        },
        // ── Cryptographic Material ──
        SecretPattern {
            name: Cow::Borrowed("Private Key"),
            regex: Regex::new(r"-----BEGIN .* PRIVATE KEY-----").unwrap(),
            description: Cow::Borrowed("PEM-encoded private key (RSA, EC, etc.)"),
        },
        SecretPattern {
            name: Cow::Borrowed("JWT Token"),
            regex: Regex::new(r"eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]+")
                .unwrap(),
            description: Cow::Borrowed("JSON Web Token (three-part Base64)"),
        },
        // ── Generic Patterns ──
        SecretPattern {
            name: Cow::Borrowed("Generic API Key"),
            regex: Regex::new(r#"(?i)(api[_-]?key|apikey)\s*[:=]\s*["']?[a-zA-Z0-9_-]{20,}"#)
                .unwrap(),
            description: Cow::Borrowed("Generic API key assignment"),
        },
        SecretPattern {
            name: Cow::Borrowed("Generic Secret"),
            regex: Regex::new(r#"(?i)(password|secret|token)\s*[:=]\s*["'][^"']{8,}["']"#).unwrap(),
            description: Cow::Borrowed("Quoted password, secret, or token assignment"),
        },
        SecretPattern {
            name: Cow::Borrowed("Generic Secret (unquoted)"),
            regex: Regex::new(r#"(?i)(password|secret|token)\s*[:=]\s*[^\s'"]{16,}"#).unwrap(),
            description: Cow::Borrowed("Unquoted password, secret, or token assignment"),
        },
    ]
}

/// Default patterns (no custom, no disabled) for use by the legacy API.
static DEFAULT_PATTERNS: LazyLock<Vec<SecretPattern>> = LazyLock::new(builtin_patterns);

/// Scan per-file truncated diffs for secrets using default patterns.
///
/// Prefer `scan_full_diff_for_secrets` in the main binary — it catches
/// secrets beyond `max_file_lines` truncation. This function is retained
/// for library consumers who only have `StagedChanges`.
#[allow(dead_code)]
pub fn scan_for_secrets(changes: &StagedChanges) -> Vec<SecretMatch> {
    scan_for_secrets_with_patterns(changes, &DEFAULT_PATTERNS)
}

/// Scan per-file truncated diffs for secrets using the given pattern set.
pub fn scan_for_secrets_with_patterns(
    changes: &StagedChanges,
    patterns: &[SecretPattern],
) -> Vec<SecretMatch> {
    let mut found = Vec::new();

    for file in &changes.files {
        if file.is_binary {
            continue;
        }

        let mut line_num = 0;
        for line in file.diff.lines() {
            line_num += 1;

            // Only check added lines
            if !line.starts_with('+') || line.starts_with("+++") {
                continue;
            }

            for pat in patterns {
                if pat.regex.is_match(line) {
                    found.push(SecretMatch {
                        pattern_name: pat.name.to_string(),
                        file: file.path.display().to_string(),
                        line: Some(line_num),
                    });
                    break; // One match per line is enough
                }
            }
        }
    }

    found
}

/// Scan the full unified diff for secrets using default patterns.
#[allow(dead_code)]
pub fn scan_full_diff_for_secrets(full_diff: &str) -> Vec<SecretMatch> {
    scan_full_diff_with_patterns(full_diff, &DEFAULT_PATTERNS)
}

static HUNK_HEADER: LazyLock<Regex> =
    LazyLock::new(|| Regex::new(r"^@@ -\d+,?\d* \+(\d+),?\d* @@").unwrap());

/// Scan the full unified diff for secrets using the given pattern set.
///
/// This catches secrets that would be missed by `scan_for_secrets` when
/// file diffs are truncated to `max_file_lines`. Parses the raw `git diff`
/// output directly, tracking file paths from diff headers and calculating
/// accurate source line numbers from hunk headers (`@@ -L,l +R,r @@`).
pub fn scan_full_diff_with_patterns(
    full_diff: &str,
    patterns: &[SecretPattern],
) -> Vec<SecretMatch> {
    let mut found = Vec::new();
    let mut current_file = String::new();
    let mut current_line: Option<usize> = None;

    for line in full_diff.lines() {
        // Track current file from diff headers
        if line.starts_with("diff --git ") {
            current_file.clear();
            current_line = None;
            continue;
        }

        if let Some(path) = line.strip_prefix("+++ b/") {
            current_file = path.to_string();
            continue;
        }

        if line == "+++ /dev/null" {
            // Deleted file — keep current_file from --- header if we have one
            continue;
        }

        if let Some(path) = line.strip_prefix("--- a/") {
            // For deleted files, this is the only file path we get
            if current_file.is_empty() {
                current_file = path.to_string();
            }
            continue;
        }

        // Parse hunk header: @@ -1,5 +1,6 @@
        if let Some(caps) = HUNK_HEADER.captures(line)
            && let Ok(start) = caps[1].parse::<usize>()
        {
            current_line = Some(start);
            continue;
        }

        let Some(ref mut line_num) = current_line else {
            continue; // Not inside a hunk
        };

        // Skip diff headers like "index ...", "old mode ...", "--- ...", etc.
        // Also skip "No newline at end of file"
        if line.starts_with('\\') || line.starts_with("index") || line.starts_with("old mode") {
            continue;
        }

        // Only check added lines
        if line.starts_with('+') && !line.starts_with("+++") {
            let content = &line[1..];
            for pat in patterns {
                if pat.regex.is_match(content) {
                    found.push(SecretMatch {
                        pattern_name: pat.name.to_string(),
                        file: current_file.clone(),
                        line: Some(*line_num),
                    });
                    break;
                }
            }
            *line_num += 1;
        } else if line.starts_with(' ') {
            // Context line
            *line_num += 1;
        }
    }

    found
}

/// Check for merge conflict markers
/// Note: This can false-positive in docs/test fixtures, so treat as warning
pub fn check_for_conflicts(changes: &StagedChanges) -> bool {
    for file in &changes.files {
        // Skip docs/test files where conflict markers might be intentional examples
        // Use path components to avoid matching "testing_utils" or "documentation" substrings
        if file.path.components().any(|c| {
            let s = c.as_os_str().to_string_lossy();
            s == "tests" || s == "docs" || s == "examples" || s.contains("test")
        }) {
            continue;
        }

        // Only check added lines for conflict markers
        for line in file.diff.lines() {
            if line.starts_with('+') && !line.starts_with("+++") {
                // Split strings to prevent self-detection in this file's own diff
                const CONFLICT_START: &str = concat!("<", "<<<<<<");
                const CONFLICT_END: &str = concat!(">", ">>>>>>");

                if line.contains(CONFLICT_START) || line.contains(CONFLICT_END) {
                    return true;
                }
            }
        }
    }
    false
}