feat(secureflow): Add OpenRouter Support and Svelte UI with Production Optimizations (#441)

* feat: add OpenRouter support and Svelte-based UI with profile scanning

- Add OpenRouter client with support for 300+ models
- Implement model config generator for dynamic model support
- Add Svelte-based webview UI replacing old vanilla JS implementation
- Implement profile-based scanning with CLI integration
- Add ProfileScanService for running full security scans
- Support passing config directly to CLI scanner (no env vars needed)
- Add comprehensive logging for LLM responses and iteration tracking
- Link scans to profiles via profileId
- Add empty states and improved UX for profile details
- Fix maxIterations to be configurable via constructor options
- Update settings manager to support OpenRouter models

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add Settings page with proper navigation and input handling

- Add Settings component that replicates Onboarding functionality
- Add navigation between Settings and Profiles views via backToProfiles message
- Fix Settings to load current configuration on mount
- Add skipScan flag to prevent Settings save from triggering workspace scan
- Fix Input component to support proper two-way binding with bind:value
- Add type prop to Button component to support submit/button types
- Remove star emoji from recommended model in Select dropdown
- Refactor ProfilesList to remove embedded settings form
- Add getCurrentConfig message handler in explorer
- Add onboardingStatus update after config save for proper view transition

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: optimize bundle size and production builds

- Remove redundant posthog-node dependency (already in CLI package)
  - Reduces package-lock.json by 253 lines and 20 packages
- Disable source maps in production builds
  - Saves ~950KB in dist folder
  - Converts webpack configs to function form to access argv.mode
  - Sets devtool to false when mode is production
- Configure Svelte compiler for production
  - Disables dev mode and hot reload in production builds
- Update package script to remove --devtool flag

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: remove webview dead code and deduplicate CSS

Remove unused code:
- Remove unused selectedVulnerability variable from ProfileDetails

Deduplicate CSS:
- Extract .severity-* classes to global styles in App.svelte
- Remove 51 lines of duplicate CSS from ProfileDetails and VulnerabilityDetails
- Fix inconsistent .severity-low colors (now consistently green)

Impact:
- ProfileDetails: 1,397 → 1,370 lines (-27)
- VulnerabilityDetails: 278 → 254 lines (-24)
- Net savings: 26 lines of code
- Improved maintainability with single source of truth for severity styling

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: remove debug logging from production builds

Remove extensive debug logging infrastructure:
- Remove file logging system (logFile, logStream, initLogFile, closeLogFile)
- Remove all console.log/error/warn calls from scan services
- Remove console output capture during CLI scanner execution
- Remove fs import (no longer needed)

Changes:
- profile-scan-service.ts: Removed 150+ lines of logging code
- profile-storage-service.ts: Removed console.error calls, re-throw errors instead
- Deleted scan.json (temporary scan output file)
- Added scan.json to .gitignore

Impact:
- Cleaner production output (no debug noise)
- Faster scan execution (no I/O overhead from file logging)
- Reduced memory footprint (no log stream buffers)
- Production-ready error handling

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: add silent mode for CLI scanner to suppress console output

Add silent mode for programmatic usage (VSCode extension):
- CLIFullScanCommand: Add silent option and log() method wrapper
- AISecurityAnalyzer: Add silent option, remove debug console.log statements
- FileRequestHandler: Add silent mode support
- ProfileScanService: Enable silent=true when invoking scanner from extension

Changes:
- Replace all console.log calls with this.log() in scanner classes
- this.log() only outputs when silent=false (CLI usage)
- When silent=true (extension usage), all console output is suppressed
- Removed LLM response printing (3 console.log calls)
- Removed iteration analysis logging (5 console.log calls)

Impact:
- Clean extension output (no scanner debug noise in VSCode console)
- CLI tool still shows full output for terminal users
- Cleaner separation between programmatic and CLI usage
- ~200+ console.log calls now conditionally suppressed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: remove temporary scan.json file

This file should not be tracked as it's a temporary scan output.
Already added to .gitignore in previous commit.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* test: add comprehensive unit test suite for VSCode extension

Created 45 unit tests covering all major features added in OpenRouter PR:
- SettingsManager: API key, model config, provider selection (7 tests)
- ScanStorageService: scan CRUD, severity tracking, profile linkage (14 tests)
- ProfileStorageService: profile management, activation, workspace (12 tests)
- ProfileScanService: scan validation, provider detection (12 tests)

Test infrastructure:
- Mocha + @vscode/test-electron framework
- TDD-style test organization
- Mock VSCode APIs for isolated unit testing
- Test isolation with setup/teardown hooks

All tests passing with proper type safety and API alignment.

* chore: remove TESTING.md file

* test: add code coverage reporting with 46% coverage

- Add c8 dependency for coverage collection
- Configure vscode-test with coverage options
- Add test:coverage npm script
- Coverage results: 46% statements, 95% branches
- Exclude coverage/ directory from git
- HTML coverage report generated in coverage/index.html

* chore: bump version to 0.0.18 and update documentation

Version Changes:
- VSCode Extension: 0.0.17 → 0.0.18
- SecureFlow CLI: 0.0.7 → 0.0.8

Documentation Updates:
- Updated README with OpenRouter support and comprehensive Getting Started guide
- Added v0.0.18 changelog entry highlighting new features
- CLI README updated with OpenRouter model access

Package Optimizations:
- Added coverage/** to .vscodeignore (reduced package from 2.54MB to 818KB)
- Added *.js.map to CLI .gitignore

Features in v0.0.18:
- OpenRouter integration for 200+ AI models
- Modern Svelte-based webview UI
- Enhanced provider selection and configuration
- Profile-based security scanning workflow
- Comprehensive scan history tracking

* feat: add Claude Opus 4.5 model support

- Add Claude Opus 4.5 to models.json configuration
- Update model-context-limits.json with Opus 4.5 context window
- Regenerate TypeScript model types and configurations
- Premium model with 200K context window and 64K max output

* refactor: simplify Claude model selection to 4.5 series only

- Keep only Claude 4.5 models: Sonnet, Opus, Haiku
- Remove deprecated Claude 4.1, 4, 3.7, and 3.5 models
- Remove OpenRouter Claude 3.5 Sonnet
- Reorder models: Sonnet (17), Opus (18), Haiku (19)
- Update model-context-limits.json recommendations
- Regenerate TypeScript types (33 → 27 models)

* feat: streamline model catalog with latest AI models

OpenRouter Models:
- Remove all 7 existing OpenRouter models (GPT-4o, Gemini 2.0, DeepSeek, Llama, Mistral, Grok-2, Qwen 2.5)
- Add qwen/qwen3-coder - specialized coding model
- Add z-ai/glm-4.7 - high-performance AI model

Google Models:
- Add Gemini 3 Pro (gemini-3-pro-preview) - most advanced multimodal AI
- Add Gemini 3 Flash (gemini-3-flash-preview) - fast multimodal AI
- Both support 1M context window, 65K output, thinking capabilities
- Multimodal support: text, image, video, audio, PDF inputs

OpenAI Models:
- Remove GPT-4.1, GPT-4.1 Mini, GPT-4o, GPT-4o Mini
- Remove O1 reasoning model
- Keep only GPT-5 family (5.1, 5 Pro, 5, 5 Mini, 5 Nano)
- Keep O3 series (O3, O3 Pro, O3 Mini) and O4 Mini

Model Count: 27 → 19 models
Total Changes:
- Removed 14 models (6 OpenAI v4, 1 O1, 7 OpenRouter)
- Added 4 models (2 Gemini 3, 2 OpenRouter)
- Reordered all models sequentially (orders 1-19)
- Updated model-context-limits.json recommendations
- Regenerated TypeScript types

Updated metadata:
- Last updated: December 27, 2025
- Added Gemini 3 multimodal capabilities note
- Removed deprecated model shutdown notices

* feat: reorder models, remove O-series, add Grok 4.1, and improve UX

Model Ordering:
- Move Gemini 3 models above Gemini 2.5 (orders 6-9)
- Gemini 3 Pro (6), Gemini 3 Flash (7), Gemini 2.5 Pro (8), Gemini 2.5 Flash (9)

OpenAI Changes:
- Remove all O-series reasoning models (O3, O3 Pro, O3 Mini, O4 Mini)
- Keep only GPT-5 family: 5.1, 5 Pro, 5, 5 Mini, 5 Nano (orders 1-5)
- Updated recommendations in model-context-limits.json

xAI Addition:
- Add Grok 4.1 Fast (grok-4-1-fast-reasoning) - order 13
- "Frontier multimodal model optimized for high-performance agentic tool calling"
- 2M context window, 65K max output
- Positioned before Grok 4 Fast Reasoning

UI Improvements:
- Add "Missing a model? Request to include it here" link in Settings
- Add "Missing a model? Request to include it here" link in Onboarding
- Links point to GitHub issues: https://github.com/shivasurya/code-pathfinder/issues
- Helps users request missing AI models easily

Model Count: 15 → 16 models
Final Order: GPT-5 family (1-5), Gemini 3 (6-7), Gemini 2.5 (8-9),
Claude 4.5 (10-12), Grok (13-14), OpenRouter (15-16)

Regenerated TypeScript types and compiled successfully

* refactor: remove 'View Logs' button from scan completion notification

- Remove 'View Logs' action button from scan completion message
- Show simple notification instead of opening logs directory
- Cleaner UX without unnecessary directory access

* feat: add GPT-5.2 as flagship OpenAI model at top position

New Models:
- Add GPT-5.2 (order 1) - Best model for coding and agentic tasks
  - 400K context window, 128K max output
  - Description: "Best model for coding and agentic tasks across industries"
  - Positioned at the very top of OpenAI models

Model Reordering:
- GPT-5.2 (order 1) - NEW
- GPT-5.1 (order 2, was 1)
- GPT-5 Pro (order 3, was 2)
- GPT-5 (order 4, was 3)
- GPT-5 Mini (order 5, was 4)
- GPT-5 Nano (order 6, was 5)
- All other models incremented by 1

Configuration Updates:
- Added gpt-5.2 to model-context-limits.json
- Updated recommendations to prioritize GPT-5.2:
  - balanced: gpt-5.2 at top
  - reasoning: gpt-5.2 with thinking at top
  - highOutput: gpt-5.2 (128K output) at top
  - coding: gpt-5.2 at top
  - largeContext: gpt-5.2 (400K tokens)

CHANGELOG Updates:
- Added "Latest AI Models" section documenting:
  - GPT-5.2 (OpenAI's best model)
  - Gemini 3 Pro & Flash (Google's newest)
  - Grok 4.1 Fast (xAI's frontier model)
- Highlighted model availability in Settings and Onboarding

Model Count: 16 → 17 models
Final Order: GPT-5.2 (1), GPT-5 family (2-6), Gemini 3 (7-8),
Gemini 2.5 (9-10), Claude 4.5 (11-13), Grok (14-15), OpenRouter (16-17)

Regenerated TypeScript types and compiled successfully

* feat: add MiniMax M2 and DeepSeek V3.2 to OpenRouter models

- Added minimax/minimax-m2: Compact high-efficiency model optimized for coding and agentic workflows (196K context, 65K output)
- Added deepseek/deepseek-v3.2: High computational efficiency with strong reasoning and agentic tool-use (163K context, 32K output)
- Updated model-context-limits.json with OpenRouter section
- Added MiniMax M2 to coding recommendations
- Added DeepSeek V3.2 to reasoning recommendations

Model Count: 17 → 19 models
Final Order: GPT-5.2 (1), GPT-5 family (2-6), Gemini 3 (7-8),
Gemini 2.5 (9-10), Claude 4.5 (11-13), Grok (14-15), OpenRouter (16-19)

All tests passing: 45/45 ✓

* docs: update CHANGELOG with MiniMax M2 and DeepSeek V3.2 models

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: shivasurya

.gitignore

@@ -34,3 +34,4 @@ docs/public/rules/*.json
 node_modules
 __pycache__/
 compiled_rules.json
+scan.json

extension/secureflow/.gitignore

@@ -1,4 +1,8 @@
 dist/
 build/
 node_modules/
-*.vsix
+*.vsix
+# VSCode test cache
+.vscode-test/
+out/
+coverage/

extension/secureflow/.vscode-test.mjs

@@ -2,4 +2,9 @@ import { defineConfig } from '@vscode/test-cli';
 
 export default defineConfig({
 	files: 'out/test/**/*.test.js',
+	coverage: {
+		includeAll: true,
+		exclude: ['**/test/**', '**/node_modules/**', '**/out/**'],
+		reporter: ['text', 'html', 'lcov']
+	}
 });

extension/secureflow/.vscodeignore

@@ -3,6 +3,7 @@
 out/**
 node_modules/**
 src/**
+coverage/**
 .gitignore
 .yarnrc
 webpack.config.js
@@ -14,6 +15,6 @@ vsc-extension-quickstart.md
 **/.vscode-test.*
 
 
-# ignore hidden directories and files 
+# ignore hidden directories and files
 .windsurf/**
 packages/secureflow-cli/**

extension/secureflow/CHANGELOG.md

@@ -1,5 +1,44 @@
 # SecureFlow Changelog
 
+## Version 0.0.18 - December 27, 2025
+
+### What's New
+
+- **Latest AI Models**: Support for cutting-edge AI models from OpenAI, Google, xAI, and OpenRouter
+  - **GPT-5.2**: OpenAI's best model for coding and agentic tasks across industries (400K context, 128K output)
+  - **Gemini 3 Pro & Flash**: Google's newest multimodal AI with thinking capabilities (1M context)
+  - **Grok 4.1 Fast**: xAI's frontier model optimized for high-performance agentic tool calling (2M context)
+  - **MiniMax M2**: Compact high-efficiency model optimized for coding and agentic workflows via OpenRouter (196K context)
+  - **DeepSeek V3.2**: High computational efficiency with strong reasoning and agentic tool-use performance via OpenRouter (163K context)
+  - All models available at the top of Settings and Onboarding for easy selection
+- **OpenRouter Support**: Access 200+ AI models from multiple providers through a single API key
+  - Use models from Anthropic, OpenAI, Google, Meta, Mistral, and many more
+  - Switch between models without changing API keys
+  - Perfect for comparing different AI models for security analysis
+- **Modern User Interface**: Completely redesigned interface with better navigation
+  - New Profile management page to organize your scans
+  - Dedicated Results page with full scan history
+  - Easy-to-use Settings page for configuration
+  - Cleaner, more intuitive layout
+- **Enhanced Provider Selection**: Choose your preferred AI provider
+  - New Provider setting in configuration
+  - Auto-detection or manual selection
+  - Supported providers: Anthropic Claude, OpenAI, Google Gemini, OpenRouter
+- **Improved Workspace Profiling**: Better project detection and scanning
+  - Automatically identifies your project's technology stack
+  - One-click security scanning for detected profiles
+  - Faster, more accurate analysis
+- **Scan History**: Keep track of all your security scans
+  - View complete history of all scans
+  - See which profile each scan belongs to
+  - Review severity breakdowns and trends over time
+
+### Improvements
+
+- **Cleaner Output**: Removed unnecessary logging and debug messages
+- **Faster Performance**: Optimized for smaller bundle size and faster loading
+- **Better Settings Experience**: Improved input validation and helpful guidance
+
 ## Version 0.0.17 - November 15, 2025
 
 ### 🔧 Improvements

extension/secureflow/README.md

@@ -12,23 +12,58 @@
 [SecureFlow AI](https://codepathfinder.dev/secureflow-ai) is your AI security copilot for smarter, safer code, right in your editor. This VS Code extension helps you identify potential security vulnerabilities in your code directly within your development workflow.
 
 ## Features
- 
-- **Quick Security Analysis**: Run security analysis on your code and changes
-- **Real-time Feedback**: Get immediate feedback on potential security issues
-- **Detailed Reports**: View comprehensive reports with severity ratings, descriptions, and recommendations
-- **In-Editor Experience**: All analysis happens right in your VS Code editor with no need to switch contexts
 
-### Configuration
+- **Profile-Based Scanning**: Automatically detect your project stack and run targeted security analysis
+- **Multi-Provider Support**: Choose from Anthropic Claude, OpenAI, Google Gemini, or OpenRouter for 200+ models
+- **Modern UI**: Beautiful Svelte-based interface with intuitive navigation and real-time updates
+- **Comprehensive Reports**: View detailed vulnerability reports with severity ratings, file locations, and actionable recommendations
+- **Quick Analysis**: Run security analysis on git changes or full workspace scans
+- **Scan History**: Track all security scans with auto-incrementing scan numbers and profile linkage
+- **In-Editor Experience**: All analysis happens right in your VS Code editor with no context switching
 
-Set the following settings in your VS Code settings:
+## Getting Started
 
-- `secureflow.AIModel`: Select the AI Model to use for security analysis
-- `secureflow.APIKey`: API Key for the selected AI provider
+### 1. Installation
 
-### Usage
+Install from the [VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow) or search for "SecureFlow" in VS Code Extensions.
 
-- Profile your workspace by running `SecureFlow: Profile Workspace for Security Analysis`
-- Analyze Code changes by running `SecureFlow: Review Git Changes for Security Issues`
+### 2. Configuration
+
+Configure your AI provider in VS Code settings:
+
+**Required Settings:**
+- `secureflow.Provider`: Choose your AI provider (auto/anthropic/openai/google/openrouter)
+- `secureflow.AIModel`: Select the AI model for security analysis
+- `secureflow.APIKey`: Your API key for the selected provider
+
+**Supported Providers:**
+- **Anthropic Claude**: Industry-leading security analysis with Claude Sonnet 4.5 (recommended)
+- **OpenAI**: Access GPT-4o, o1, and other OpenAI models
+- **Google Gemini**: Use Gemini 2.5 Pro or Flash models
+- **OpenRouter**: Access 200+ models from multiple providers through a single API
+
+**Getting API Keys:**
+- Anthropic: [console.anthropic.com/settings/keys](https://console.anthropic.com/settings/keys)
+- OpenAI: [platform.openai.com/api-keys](https://platform.openai.com/api-keys)
+- Google: [aistudio.google.com/apikey](https://aistudio.google.com/apikey)
+- OpenRouter: [openrouter.ai/settings/keys](https://openrouter.ai/settings/keys)
+
+### 3. Usage
+
+**Profile Your Workspace:**
+1. Open the SecureFlow view in the Activity Bar
+2. Click "Profile Workspace" or run command: `SecureFlow: Profile Workspace for Security Analysis`
+3. Review detected application profiles and select one to scan
+
+**Run Security Analysis:**
+- **Full Profile Scan**: Click "Scan" button on any detected profile
+- **Git Changes**: Run `SecureFlow: Review Git Changes for Security Issues`
+- **Quick Scan**: Use the "Scan Profile" action from the profiles list
+
+**View Results:**
+- Navigate to the Results tab to see all scan history
+- Click on any scan to view detailed vulnerability findings
+- Review severity levels: Critical 🔴, High 🟠, Medium 🟡, Low 🔵, Info ℹ️
 
 ## License Notice