fix(sources/filesystem): order resume comparison by path component

[genisis0x]

Description:

Resuming a filesystem scan could silently skip an entire sibling directory when one directory name is a prefix of another (e.g. blue-team and blue-team-deprecated).

scanDir decided whether a directory was already scanned by comparing its path against the stored resume point with a raw string comparison (path < resumeAfter). Raw string order does not match the depth-first order os.ReadDir produces, because the separator / (0x2F) sorts after characters that are valid inside a path component such as - (0x2D) and . (0x2E).

So when resuming inside blue-team with resume point /root/blue-team/project-notes.txt, the check evaluated:

"/root/blue-team-deprecated" < "/root/blue-team/project-notes.txt"  // true: '-' < '/'

and skipped blue-team-deprecated entirely — every file beneath it (e.g. AWSCredentials.txt) was never enumerated or scanned. Renaming blue-team to blue-team2 made the problem disappear, matching the report.

The fix compares the two paths component by component, which matches os.ReadDir's ordering (blue-team sorts before blue-team-deprecated). The in-subtree HasPrefix checks and the per-entry loop were already correct and are unchanged.

Closes #5039

Tests:

• TestResumptionWithPrefixSiblingDirectories — integration test reproducing the report (resume inside blue-team, assert the sibling blue-team-deprecated/AWSCredentials.txt is still scanned).
• TestComparePathsForResume — unit test for the comparison helper, including the prefix-sibling case and the existing before/after/ancestor cases.
• Existing TestResumption* tests still pass.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint)?

---

Note

Medium Risk
Changes interrupted-scan resume logic in the filesystem source; a bug here could skip files and miss secrets, but the change is narrow and covered by new regression tests.

Overview
Fixes silent skipped directories when a filesystem scan resumes and sibling folder names share a prefix (e.g. blue-team vs blue-team-deprecated).

scanDir used to treat a directory as already scanned if its full path was lexicographically before the resume point (path < resumeAfter). That order disagrees with os.ReadDir depth-first traversal, because / sorts after characters like - inside a name—so …/blue-team-deprecated could look “before” …/blue-team/notes.txt and the whole sibling tree was never scanned.

The PR adds comparePathsForResume (component-by-component, then shorter path wins for ancestors) and uses it for the out-of-subtree skip decision. Integration and unit tests cover the prefix-sibling regression and existing before/after/ancestor cases.

^{Reviewed by Cursor Bugbot for commit d39582d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

All committers have signed the CLA.