refactor: remove heuristic-based squash merge detection

- Remove commit message keyword detection for squash merges
- Only detect true merge commits with multiple parents (len(parents) > 1)
- Squash merges (single parent) now treated as regular single commits
- Removed SOCKET_GIT_DISABLE_SQUASH_HEURISTIC environment variable
- Updated documentation to remove squash heuristic configuration
- Updated tests to reflect deterministic behavior
- Provides more predictable and reliable merge detection

BREAKING CHANGE: Squash merges are no longer detected via heuristics and
will be processed as regular single commits using git show instead of
git diff parent^1..commit

Author: dachi-dev

README.md

@@ -339,20 +339,6 @@ steps:
 
 ### Advanced Configuration Options
 
-#### Squash Merge Detection Control
-
-The CLI uses heuristic-based detection for squash merges. To disable this behavior:
-
-```bash
-export SOCKET_GIT_DISABLE_SQUASH_HEURISTIC=1
-socketcli --target-path ./my-project
-```
-
-**When to use this:**
-- False positives: Regular commits with merge-like messages are misclassified
-- Consistent behavior: You want deterministic single-commit detection only
-- Performance: Avoiding heuristic analysis for large repositories
-
 #### Default Branch Detection Matrix
 
 | Scenario | `--default-branch` | `--ignore-commit-files` | Behavior |

socketsecurity/core/git_interface.py

@@ -558,11 +558,11 @@ def _detect_merge_commit_fallback(self) -> bool:
         Detect changed files using merge-aware fallback for merge commits.
         
         This fallback is used when CI-specific MR variables are not present.
-        It detects merge commits (including squash merges) and uses git diff.
+        It detects only true merge commits (multiple parents) and uses git diff.
         
         IMPORTANT LIMITATIONS:
         1. git show --name-only <merge-commit> does NOT list filenames (expected Git behavior)
-        2. Squash merges (single parent): Currently detected by commit message keywords
+        2. Only detects true merge commits (multiple parents), not squash merges
         3. Octopus merges (3+ parents): Uses first-parent diff only, may miss changes
         4. First-parent choice: Assumes main branch is first parent (typical but not guaranteed)
         
@@ -575,29 +575,10 @@ def _detect_merge_commit_fallback(self) -> bool:
         Returns:
             True if detection was successful, False otherwise
         """
-        # Check if this is a merge commit
+        # Check if this is a merge commit (multiple parents only)
         is_merge_commit = len(self.commit.parents) > 1
 
-        # TODO: Squash merge detection is heuristic-based, not structurally guaranteed
-        # We detect squash merges by checking commit message keywords ('merge', 'squash', 'octopus')
-        # This is pragmatic but not deterministic - future devs should be aware that:
-        # 1. False positives: Regular commits with merge-like messages may be misclassified
-        # 2. False negatives: Squash merges with non-standard messages may be missed
-        # 3. No Git structural guarantee: Unlike true merge commits (>1 parent), squash merges
-        #    are indistinguishable from regular commits in Git's object model
-        
-        # Allow opt-out of squash heuristic via environment variable
-        squash_heuristic_disabled = os.getenv('SOCKET_GIT_DISABLE_SQUASH_HEURISTIC', '').lower() in ('1', 'true', 'yes')
-        
-        if squash_heuristic_disabled:
-            is_squash_merge = False
-            log.debug("Squash merge heuristic disabled via SOCKET_GIT_DISABLE_SQUASH_HEURISTIC")
-        else:
-            is_squash_merge = (len(self.commit.parents) == 1 and 
-                               any(keyword in self.commit.message.lower() 
-                                   for keyword in ['merge', 'squash', 'octopus']))
-        
-        if not (is_merge_commit or is_squash_merge):
+        if not is_merge_commit:
             return False
 
         try:

tests/core/test_git_interface.py

@@ -272,14 +272,11 @@ def test_merge_commit_detection(self, git_instance):
 
     def test_real_squash_merge_detection(self, squash_git_instance, caplog):
         """
-        Test real squash merge detection (single-parent "squash").
+        Test that squash merges are treated as regular single commits.
         
-        LIMITATION: git show --name-only <squash-merge> does not list filenames 
-        (expected Git behavior). Since squash merges have single parent, our current
-        logic treats them as single commits and uses single-commit-show method.
-        
-        Expected behavior: detection.method=single-commit-show unless we implement
-        squash-aware diff logic.
+        With heuristic-based detection removed, squash merges (single parent) 
+        are now treated as regular commits and use single-commit-show method.
+        This provides more predictable and deterministic behavior.
         """
         with caplog.at_level(logging.INFO):
             # Clear environment to force fallback behavior
@@ -292,9 +289,8 @@ def test_real_squash_merge_detection(self, squash_git_instance, caplog):
                 assert len(squash_git_instance.commit.parents) == 1
                 assert "squash merge" in squash_git_instance.commit.message.lower()
 
-                # Should use merge-diff due to squash merge keywords in commit message
-                # Note: This demonstrates that our squash merge detection is working correctly
-                assert squash_git_instance._detection_method == "merge-diff"
+                # Should use single-commit-show (no longer detects heuristically as merge)
+                assert squash_git_instance._detection_method == "single-commit-show"
 
                 # Should detect files (even though git show may not show diff)
                 assert isinstance(show_files, list)
@@ -307,8 +303,8 @@ def test_real_squash_merge_detection(self, squash_git_instance, caplog):
 
                 # Parse the decision log
                 decision_log = decision_logs[0]
-                assert "method=merge-diff" in decision_log
-                assert "source=merge-commit-fallback" in decision_log
+                assert "method=single-commit-show" in decision_log
+                assert "source=final-fallback" in decision_log
 
     def test_changed_files_filtering(self, git_instance):
         """
@@ -352,8 +348,8 @@ def test_lazy_property_consistency(self, git_instance):
         # Detection method should be set
         assert git_instance._detection_method is not None
 
-        # Results should be consistent
-        assert len(show_files) == len(changed_files)
+        # Results should be consistent (changed_files is filtered subset of show_files)
+        assert len(changed_files) <= len(show_files)
 
     def test_detection_method_persistence(self, git_instance):
         """
@@ -637,34 +633,14 @@ def test_detection_summary_log_schema_frozen(self, git_instance, caplog):
                 assert len(sha) == 8, f"SHA should be 8 characters: {sha}"
                 assert cmd.startswith("git "), f"Command should start with 'git ': {cmd}"
 
-    def test_squash_heuristic_opt_out(self, squash_git_instance, caplog):
+    def test_squash_merge_no_heuristic_detection(self, squash_git_instance):
         """
-        Test SOCKET_GIT_DISABLE_SQUASH_HEURISTIC=1 disables squash detection.
-        """
-        with caplog.at_level(logging.DEBUG):
-            # Test with heuristic disabled
-            with patch.dict(os.environ, {'SOCKET_GIT_DISABLE_SQUASH_HEURISTIC': '1'}, clear=True):
-                # Reset detection state
-                squash_git_instance._show_files = None
-                squash_git_instance._changed_files = None
-                squash_git_instance._detection_method = None
-                
-                # Trigger detection
-                show_files = squash_git_instance.show_files
-                
-                # Should use single-commit-show instead of merge-diff
-                assert squash_git_instance._detection_method == "single-commit-show"
-                
-                # Verify log message about disabled heuristic
-                debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
-                disabled_logs = [msg for msg in debug_messages if "Squash merge heuristic disabled" in msg]
-                assert len(disabled_logs) > 0, f"Expected disabled heuristic log, got: {debug_messages}"
-
-    def test_squash_heuristic_enabled_by_default(self, squash_git_instance):
-        """
-        Test that squash heuristic is enabled by default (previous behavior).
+        Test that squash merges are no longer detected via heuristics.
+        
+        Squash merges (single parent) are now treated as regular single commits,
+        since heuristic-based detection has been removed.
         """
-        # Clear environment to ensure no opt-out
+        # Clear environment to ensure clean state
         with patch.dict(os.environ, {}, clear=True):
             # Reset detection state
             squash_git_instance._show_files = None
@@ -674,8 +650,8 @@ def test_squash_heuristic_enabled_by_default(self, squash_git_instance):
             # Trigger detection
             show_files = squash_git_instance.show_files
 
-            # Should use merge-diff due to squash heuristic
-            assert squash_git_instance._detection_method == "merge-diff"
+            # Should use single-commit-show (no longer detects as merge)
+            assert squash_git_instance._detection_method == "single-commit-show"
 
     def test_merge_fallback_guard_no_parents(self, git_instance):
         """
@@ -702,12 +678,14 @@ def test_merge_fallback_guard_invalid_parent(self, git_instance, caplog):
         Test merge fallback guard when parent commit is not resolvable.
         """
         with caplog.at_level(logging.ERROR):
-            # Mock a commit with invalid parent
-            mock_parent = MagicMock()
-            mock_parent.hexsha = "invalid_sha"
+            # Mock a merge commit with invalid parent (multiple parents for real merge)
+            mock_parent1 = MagicMock()
+            mock_parent1.hexsha = "invalid_sha"
+            mock_parent2 = MagicMock()
+            mock_parent2.hexsha = "another_parent"
 
             mock_commit = MagicMock()
-            mock_commit.parents = [mock_parent]
+            mock_commit.parents = [mock_parent1, mock_parent2]  # Multiple parents = real merge
             mock_commit.hexsha = "deadbeef"
             mock_commit.message = "merge commit"