trailofbits
diff --git a/‎AGENTS.md‎
Lines changed: 2 additions & 1 deletion b/‎AGENTS.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎CLAUDE.md‎
Lines changed: 1 addition & 0 deletions b/‎CLAUDE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 29 additions & 0 deletions b/‎README.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎esbuild.js‎
Lines changed: 14 additions & 0 deletions b/‎esbuild.js‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎media/style.css‎
Lines changed: 4 additions & 0 deletions b/‎media/style.css‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 50 additions & 1 deletion b/‎package.json‎
Lines changed: 50 additions & 1 deletion
diff --git a/‎src/codeMarker.ts‎
Lines changed: 65 additions & 3 deletions b/‎src/codeMarker.ts‎
Lines changed: 65 additions & 3 deletions
diff --git a/‎src/extension.ts‎
Lines changed: 5 additions & 0 deletions b/‎src/extension.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/panels/findingDetails.html‎
Lines changed: 4 additions & 0 deletions b/‎src/panels/findingDetails.html‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/panels/findingDetailsPanel.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/panels/findingDetailsPanel.ts‎
Lines changed: 1 addition & 0 deletions
@@ -15,7 +15,8 @@ Guidelines for autonomous contributors working on this repository.
    - Whether it’s TypeScript, shell scripts, or build helpers, any newly introduced function or class must include a concise docstring explaining its role. Update existing docstrings when behavior changes.
 
 5. **Tests and validation**
-   - Run any available automated checks relevant to your change (unit tests, linting, packaging). If something can’t be run in the current environment, clearly state what remains unverified.
+   - Always run the test suite and linter before considering a coding task complete. If something can’t be run in the current environment, clearly state what remains unverified.
+   - Run any other available automated checks relevant to your change (e.g., packaging). If something can’t be run in the current environment, clearly state what remains unverified.
 
 6. **Commit messaging**
    - When suggesting or creating commit titles, always follow the [Conventional Commits](https://www.conventionalcommits.org/) format (e.g., `feat: add highlight toggle command`). Include scope when it adds clarity.
 
@@ -0,0 +1 @@
+AGENTS.md
@@ -36,6 +36,7 @@ See the [Build and install](#build-and-install) section below for how to build a
 -   [**View Mode**](#view-mode) - View findings in a list, or grouped by filename.
 -   [**Multiple Users**](#multiple-users) - Findings can be viewed from multiple different users.
 -   [**Hide Findings**](#hide-findings) - Hide all findings associated with a specific user.
+-   [**Auto Sync (Git)**](#auto-sync-git) - Automatically sync .weaudit files across auditors via a dedicated branch.
 -   [**Search & Filter Findings**](#search--filter-findings) - Search and filter the findings in the _List of Findings_ panel.
 -   [**Export Findings**](#export-findings) - Export findings to a markdown file.
 -   [**Drag & drop Findings and Locations**](#drag--drop-findings-and-locations) - Drag and drop findings and locations in the _List of Findings_ panel.
@@ -87,6 +88,7 @@ You can quickly navigate through all partially audited regions in your workspace
 ### Detailed Findings
 
 You can fill detailed information about a finding by clicking on it in the _List of Findings_ view in the sidebar. The respective _Finding Details_ panel will open, where you can fill the information.
+The panel also shows a read-only provenance field (defaulting to "human") to indicate who created the finding.
 
 ![Finding Details](media/readme/finding_details.png)
 
@@ -140,6 +142,7 @@ You can share the weAudit file with you co-auditors to share findings. This file
 
 In the `weAudit Files` panel, you can toggle to show or hide the findings from each user by clicking on the entries.
 There are color settings for other user's findings and notes, and for your own findings and notes.
+Findings and notes show the author's username after the filename/line number in the _List of Findings_ panel.
 
 ![Multiple Users](media/readme/multi_user.png)
 
@@ -148,6 +151,22 @@ You can hide all findings associated with a specific user by clicking on that us
 
 ![Hide Findings associated to a user](media/readme/gifs/hide_findings.gif)
 
+### Auto Sync (Git)
+weAudit can automatically sync `.weaudit` files across auditors using a dedicated git branch.
+
+To enable, set `weAudit.sync.enabled` to `true` in your settings. By default, weAudit:
+- uses the `weaudit-sync` branch on the `origin` remote;
+- pulls the latest sync branch before committing local `.weaudit` changes;
+- polls every minute for remote updates (configurable);
+- syncs only `.vscode/*.weaudit` files.
+
+Sync runs from a dedicated git worktree stored in VS Code's global storage, so your current branch and working tree stay untouched.
+
+You can also configure these settings in the **Sync Configuration** panel in the weAudit sidebar.
+The panel shows the timestamp of the last successful sync.
+
+You can trigger a manual sync at any time with the `weAudit: Sync Findings Now` command.
+
 ### Toggle Highlights
 Hide every findings/notes highlight in the editor by running the `weAudit: Toggle Findings Highlighting` command from the Command Palette. Run the command again to bring the highlights back whenever you need to review them.
 
@@ -177,6 +196,16 @@ You can drag and drop findings and locations in the _List of Findings_ panel to:
 -   `weAudit.general.username`: Username to use as finding's author (defaults to system username if empty)
 -   `weAudit.general.permalinkSeparator`: Separator to use in permalinks (\\n is interpreted as newline)
 
+#### Sync settings
+
+-   `weAudit.sync.enabled`: Enable git-based auto sync (opt-in)
+-   `weAudit.sync.remoteName`: Git remote to use (default: "origin")
+-   `weAudit.sync.branchName`: Sync branch name (default: "weaudit-sync")
+-   `weAudit.sync.pollMinutes`: Remote polling interval in minutes (default: 1)
+-   `weAudit.sync.debounceMs`: Debounce delay for local changes in milliseconds
+
+Sync settings are stored per-workspace (user-level settings are ignored).
+
 #### Background colors
 
 Each background color is customizable via the VSCode settings page. Write as #RGB, #RGBA, #RRGGBB or #RRGGBBAA:
 
@@ -33,6 +33,14 @@ const gitConfigWebviewConfig = {
     outfile: "./out/gitConfigWebview.js",
 };
 
+const syncConfigWebviewConfig = {
+    ...baseConfig,
+    target: "es2020",
+    format: "esm",
+    entryPoints: ["./src/webview/syncConfigMain.ts"],
+    outfile: "./out/syncConfigWebview.js",
+};
+
 const watchPlugin = {
     name: "watch-plugin",
     setup(build) {
@@ -65,15 +73,21 @@ const watchPlugin = {
                 ...gitConfigWebviewConfig,
                 plugins: [watchPlugin],
             });
+            const syncConfigWebviewContext = await context({
+                ...syncConfigWebviewConfig,
+                plugins: [watchPlugin],
+            });
 
             await extensionContext.watch();
             await webviewContext.watch();
             await gitConfigWebviewContext.watch();
+            await syncConfigWebviewContext.watch();
         } else {
             // Build extension and webview code
             await build(extensionConfig);
             await build(webviewConfig);
             await build(gitConfigWebviewConfig);
+            await build(syncConfigWebviewConfig);
             console.log("build complete");
         }
     } catch (err) {
 
@@ -8,6 +8,10 @@
     padding-right: 0.5em;
 }
 
+.detailValue {
+    flex: 1;
+}
+
 vscode-dropdown,
 vscode-text-area,
 vscode-text-field {
 
@@ -22,7 +22,7 @@
     },
     "icon": "media/icon.png",
     "engines": {
-        "vscode": "^1.107.0"
+        "vscode": "^1.108.0"
     },
     "activationEvents": [
         "onStartupFinished",
@@ -64,6 +64,13 @@
                     "visibility": "collapsed",
                     "contextualTitle": "weAudit"
                 },
+                {
+                    "type": "webview",
+                    "id": "syncConfig",
+                    "name": "Sync Configuration",
+                    "visibility": "collapsed",
+                    "contextualTitle": "weAudit"
+                },
                 {
                     "id": "savedFindings",
                     "name": "weAudit Files",
@@ -240,6 +247,10 @@
             {
                 "command": "weAudit.toggleFindingsHighlighting",
                 "title": "weAudit: Toggle Findings Highlighting"
+            },
+            {
+                "command": "weAudit.syncNow",
+                "title": "weAudit: Sync Findings Now"
             }
         ],
         "keybindings": [
@@ -387,6 +398,11 @@
                     "when": "view == gitConfig",
                     "group": "navigation@0"
                 },
+                {
+                    "command": "weAudit.syncNow",
+                    "when": "view == syncConfig",
+                    "group": "navigation@0"
+                },
                 {
                     "command": "weAudit.openGithubIssueFromDetails",
                     "when": "view == findingDetails && weAudit.findingDetailsHasEntry",
@@ -530,6 +546,39 @@
                         "description": "Background color for other user's notes (write as #RGB, #RGBA, #RRGGBB or #RRGGBBAA)."
                     }
                 }
+            },
+            {
+                "title": "Sync",
+                "order": 3,
+                "properties": {
+                    "weAudit.sync.enabled": {
+                        "type": "boolean",
+                        "default": false,
+                        "description": "Enable git-based auto sync for .weaudit files."
+                    },
+                    "weAudit.sync.remoteName": {
+                        "type": "string",
+                        "default": "origin",
+                        "description": "The git remote to use for auto sync."
+                    },
+                    "weAudit.sync.branchName": {
+                        "type": "string",
+                        "default": "weaudit-sync",
+                        "description": "The branch name used for auto sync."
+                    },
+                    "weAudit.sync.pollMinutes": {
+                        "type": "number",
+                        "default": 1,
+                        "minimum": 1,
+                        "description": "Polling interval (in minutes) for pulling remote .weaudit changes."
+                    },
+                    "weAudit.sync.debounceMs": {
+                        "type": "number",
+                        "default": 1000,
+                        "minimum": 0,
+                        "description": "Debounce delay (in milliseconds) before syncing local .weaudit changes."
+                    }
+                }
             }
         ]
     },
 
@@ -2035,6 +2035,11 @@ export class CodeMarker implements vscode.TreeDataProvider<TreeEntry> {
             void this.exportFindingsInMarkdown();
         });
 
+        // Reload selected configs from disk to pick up external sync updates.
+        vscode.commands.registerCommand("weAudit.reloadSavedFindingsFromDisk", () => {
+            this.reloadSavedFindingsFromDisk();
+        });
+
         // Gets the filtered entries from the current tree that correspond to a specific username and workspace root
         vscode.commands.registerCommand("weAudit.getFilteredEntriesForSaving", (username: string, root: WARoot) => {
             return this.getFilteredEntriesForSaving(username, root);
@@ -3378,6 +3383,9 @@ export class CodeMarker implements vscode.TreeDataProvider<TreeEntry> {
             partiallyAuditedFile.path = normalizePathForOS(rootPath, partiallyAuditedFile.path);
         });
 
+        this.ensureEntryDetailsProvenance(fullParsedEntries.treeEntries);
+        this.ensureEntryDetailsProvenance(fullParsedEntries.resolvedEntries);
+
         if (update) {
             if (add) {
                 // Remove potential entries of username which appear on the tree.
@@ -3439,6 +3447,61 @@ export class CodeMarker implements vscode.TreeDataProvider<TreeEntry> {
         return fullParsedEntries;
     }
 
+    /**
+     * Reload all selected configurations from disk to keep the tree in sync with external changes.
+     */
+    reloadSavedFindingsFromDisk(): void {
+        const selectedConfigs = this.workspaces.getSelectedConfigurations();
+        for (const config of selectedConfigs) {
+            if (!fs.existsSync(config.path)) {
+                // If a synced file disappeared, clear the in-memory entries for that user/root.
+                this.removeEntriesForConfig(config);
+                continue;
+            }
+            this.loadSavedDataFromConfig(config, true, false);
+            this.loadSavedDataFromConfig(config, true, true);
+        }
+
+        vscode.commands.executeCommand("weAudit.refreshSavedFindings", selectedConfigs);
+        this.resolvedEntriesTree.setResolvedEntries(this.resolvedEntries);
+        this.refreshTree();
+        this.decorate();
+    }
+
+    /**
+     * Ensure all entry details include a provenance value.
+     */
+    private ensureEntryDetailsProvenance(entries: FullEntry[]): void {
+        for (const entry of entries) {
+            if (entry.details.provenance === undefined) {
+                entry.details.provenance = "human";
+            }
+        }
+    }
+
+    /**
+     * Remove entries for a config's username within its workspace root from in-memory state.
+     */
+    private removeEntriesForConfig(config: ConfigurationEntry): void {
+        const [wsRoot, _relativePath] = this.workspaces.getCorrespondingRootAndPath(config.path);
+        if (wsRoot === undefined) {
+            return;
+        }
+        this.treeEntries = this.treeEntries.filter(
+            (entry) =>
+                entry.author !== config.username ||
+                entry.locations.findIndex((loc) => this.workspaces.getUniqueLabel(loc.rootPath) !== config.root.label) !== -1,
+        );
+        wsRoot.filterAudited(config.username);
+        wsRoot.filterPartiallyAudited(config.username);
+        this.resolvedEntries = this.resolvedEntries.filter(
+            (entry) =>
+                entry.author !== config.username ||
+                entry.locations.findIndex((loc) => this.workspaces.getUniqueLabel(loc.rootPath) !== config.root.label) !== -1,
+        );
+        this.markPathMapDirty();
+    }
+
     /**
      * Implicitly called in this._onDidChangeFileDecorationsEmitter.fire(uri);
      * which is called on this.refresh(uri)
@@ -3738,6 +3801,7 @@ export class CodeMarker implements vscode.TreeDataProvider<TreeEntry> {
             if (entry.location.endLine !== entry.location.startLine) {
                 description += "-" + (entry.location.endLine + 1).toString();
             }
+            description += " (" + entry.parentEntry.author + ")";
             let mainLabel: string;
             if (this.treeViewMode === TreeViewMode.List) {
                 mainLabel = entry.location.label;
@@ -3782,9 +3846,7 @@ export class CodeMarker implements vscode.TreeDataProvider<TreeEntry> {
         const basePath = path.basename(mainLocation.path);
         treeItem.description = basePath + ":" + (mainLocation.startLine + 1).toString();
 
-        if (entry.author !== this.username) {
-            treeItem.description += " (" + entry.author + ")";
-        }
+        treeItem.description += " (" + entry.author + ")";
 
         treeItem.command = {
             command: "weAudit.openFileLines",
 
@@ -6,6 +6,8 @@ import { AuditMarker } from "./codeMarker";
 import { MultipleSavedFindings } from "./multiConfigs";
 import { activateFindingDetailsWebview } from "./panels/findingDetailsPanel";
 import { activateGitConfigWebview } from "./panels/gitConfigPanel";
+import { activateSyncConfigWebview } from "./panels/syncConfigPanel";
+import { GitAutoSyncManager } from "./sync/gitAutoSync";
 
 export function activate(context: vscode.ExtensionContext): void {
     // if there are no open folders, return
@@ -23,6 +25,9 @@ export function activate(context: vscode.ExtensionContext): void {
     new MultipleSavedFindings(context);
     activateFindingDetailsWebview(context);
     activateGitConfigWebview(context);
+    activateSyncConfigWebview(context);
+    const gitAutoSyncManager = new GitAutoSyncManager(context);
+    context.subscriptions.push(gitAutoSyncManager);
 }
 
 async function openResource(resource: vscode.Uri, startLine: number, endLine: number): Promise<void> {
 
@@ -3,6 +3,10 @@
         <span class="detailSpan">Title:</span>
         <vscode-text-field id="label-area"></vscode-text-field>
     </div>
+    <div class="detailsDiv">
+        <span class="detailSpan">Provenance:</span>
+        <span id="provenance-value" class="detailValue"></span>
+    </div>
 
     <div class="detailsDiv">
         <span class="detailSpan">Severity:</span>
 
@@ -68,6 +68,7 @@ class FindingDetailsProvider implements vscode.WebviewViewProvider {
                 description: entry.description,
                 exploit: entry.exploit,
                 recommendation: entry.recommendation,
+                provenance: entry.provenance ?? "human",
                 title: title,
             });