refactor(safety): track accurate line numbers in full diff scanning

Replace simple line counter with hunk header parsing to accurately
calculate source line numbers from unified diff format. This ensures
secrets detected in full diffs report the correct file line numbers even
when processing truncated diffs.

Author: Sephyi

src/services/safety.rs

@@ -252,23 +252,28 @@ pub fn scan_full_diff_for_secrets(full_diff: &str) -> Vec<SecretMatch> {
     scan_full_diff_with_patterns(full_diff, &DEFAULT_PATTERNS)
 }
 
+static HUNK_HEADER: LazyLock<Regex> =
+    LazyLock::new(|| Regex::new(r"^@@ -\d+,?\d* \+(\d+),?\d* @@").unwrap());
+
 /// Scan the full unified diff for secrets using the given pattern set.
 ///
 /// This catches secrets that would be missed by `scan_for_secrets` when
 /// file diffs are truncated to `max_file_lines`. Parses the raw `git diff`
-/// output directly, tracking file paths from diff headers.
+/// output directly, tracking file paths from diff headers and calculating
+/// accurate source line numbers from hunk headers (`@@ -L,l +R,r @@`).
 pub fn scan_full_diff_with_patterns(
     full_diff: &str,
     patterns: &[SecretPattern],
 ) -> Vec<SecretMatch> {
     let mut found = Vec::new();
     let mut current_file = String::new();
-    let mut line_num: usize = 0;
+    let mut current_line: Option<usize> = None;
 
     for line in full_diff.lines() {
         // Track current file from diff headers
         if line.starts_with("diff --git ") {
-            line_num = 0;
+            current_file.clear();
+            current_line = None;
             continue;
         }
 
@@ -278,7 +283,7 @@ pub fn scan_full_diff_with_patterns(
         }
 
         if line == "+++ /dev/null" {
-            // Deleted file — keep current_file from --- header
+            // Deleted file — keep current_file from --- header if we have one
             continue;
         }
 
@@ -290,22 +295,41 @@ pub fn scan_full_diff_with_patterns(
             continue;
         }
 
-        line_num += 1;
+        // Parse hunk header: @@ -1,5 +1,6 @@
+        if let Some(caps) = HUNK_HEADER.captures(line) {
+            if let Ok(start) = caps[1].parse::<usize>() {
+                current_line = Some(start);
+                continue;
+            }
+        }
+
+        let Some(ref mut line_num) = current_line else {
+            continue; // Not inside a hunk
+        };
 
-        // Only check added lines
-        if !line.starts_with('+') || line.starts_with("+++") {
+        // Skip diff headers like "index ...", "old mode ...", "--- ...", etc.
+        // Also skip "No newline at end of file"
+        if line.starts_with('\\') || line.starts_with("index") || line.starts_with("old mode") {
             continue;
         }
 
-        for pat in patterns {
-            if pat.regex.is_match(line) {
-                found.push(SecretMatch {
-                    pattern_name: pat.name.to_string(),
-                    file: current_file.clone(),
-                    line: Some(line_num),
-                });
-                break;
+        // Only check added lines
+        if line.starts_with('+') && !line.starts_with("+++") {
+            let content = &line[1..];
+            for pat in patterns {
+                if pat.regex.is_match(content) {
+                    found.push(SecretMatch {
+                        pattern_name: pat.name.to_string(),
+                        file: current_file.clone(),
+                        line: Some(*line_num),
+                    });
+                    break;
+                }
             }
+            *line_num += 1;
+        } else if line.starts_with(' ') {
+            // Context line
+            *line_num += 1;
         }
     }
 

tests/safety.rs

@@ -424,6 +424,32 @@ diff --git a/src/b.rs b/src/b.rs
     assert_eq!(matches[0].pattern_name, "OpenAI Key");
 }
 
+#[test]
+fn full_diff_accurate_line_numbers() {
+    let full_diff = "\
+diff --git a/src/main.rs b/src/main.rs
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -10,5 +10,6 @@
+ fn old() {}
+  context line
+-removed line
++API_KEY=abcdefghijklmnopqrstuvwxyz1234567890abcdef
++another line
+ fn new() {}
+";
+    let matches = scan_full_diff_for_secrets(full_diff);
+    assert_eq!(matches.len(), 1);
+    // Hunk starts at +10
+    // Line 10:  fn old() {} (this should be the 10th line of the file, starting the hunk)
+    // Actually, in a diff, context lines also count towards the line number in the new file.
+    // Line 10:  fn old() {}
+    // Line 11:   context line
+    // (removed line is skipped)
+    // Line 12: +API_KEY=...
+    assert_eq!(matches[0].line, Some(12));
+}
+
 // ─── New pattern detection tests ──────────────────────────────────────────────
 
 #[test]