feat: add batch workspace analysis command and UI

[ruromero]

Summary

• Add rhda.stackAnalysisBatch command for workspace-level batch analysis
• Add VS Code settings for batch concurrency, continue-on-error, and metadata
• Propagate existing exclude patterns as workspaceDiscoveryIgnore
• Update JS client to v0.3.0 for batch API support
• Add comprehensive tests for batch analysis orchestration and config

Implements TC-3864

Test plan

• Config tests verify batch settings default values
• ExhortServices tests verify batch service wrapper
• BatchAnalysis tests verify orchestration, error handling, and config propagation
• All existing tests pass (20 pre-existing license test failures are unrelated)
• Manual testing: open a JS/Cargo workspace and run "Red Hat Dependency Analytics Batch Report" from command palette

🤖 Generated with Claude Code

[qodo-code-review]

Review Summary by Qodo

Add batch workspace analysis command with configuration and UI

✨ Enhancement

Walkthroughs

Description

• Add workspace-level batch stack analysis command for analyzing all packages
• Implement batch configuration settings (concurrency, error handling, metadata)
• Create batch analysis orchestration with progress UI and error handling
• Propagate exclude patterns and all analysis settings to batch service
• Add comprehensive tests and telemetry for batch analysis workflow

Diagram

flowchart LR
  A["User Command"] -->|"rhda.stackAnalysisBatch"| B["executeBatchStackAnalysis"]
  B -->|"Collects config"| C["BatchOptions"]
  C -->|"Includes settings"| D["batchConcurrency<br/>continueOnError<br/>batchMetadata"]
  C -->|"Propagates patterns"| E["workspaceDiscoveryIgnore"]
  B -->|"Calls service"| F["batchStackAnalysisService"]
  F -->|"Invokes JS client"| G["stackAnalysisBatch"]
  G -->|"Returns HTML"| H["WebviewPanel"]
  B -->|"Tracks events"| I["Telemetry"]

Loading

File Changes

1. src/batchAnalysis.ts ✨ Enhancement +80/-0

New batch analysis execution with progress UI

src/batchAnalysis.ts

---

2. src/commands.ts ✨ Enhancement +2/-1

Register new batch analysis command constant

src/commands.ts

---

3. src/config.ts ⚙️ Configuration changes +6/-0

Add batch configuration properties with defaults

src/config.ts

---

View more (7)

4. src/exhortServices.ts ✨ Enhancement +26/-1

Add batch service wrapper and BatchOptions interface

src/exhortServices.ts

---

5. src/extension.ts ✨ Enhancement +23/-0

Register batch command with error handling and telemetry

src/extension.ts

---

6. src/redhatTelemetry.ts ✨ Enhancement +3/-1

Add batch analysis telemetry action events

src/redhatTelemetry.ts

---

7. test/batchAnalysis.test.ts 🧪 Tests +86/-0

Comprehensive tests for batch analysis orchestration

test/batchAnalysis.test.ts

---

8. test/config.test.ts 🧪 Tests +3/-0

Verify batch configuration default values

test/config.test.ts

---

9. test/exhortServices.test.ts 🧪 Tests +32/-0

Test batch service wrapper and error handling

test/exhortServices.test.ts

---

10. package.json ⚙️ Configuration changes +24/-1

Add batch command UI and configuration settings

package.json

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Wrong batch auth token ☑ 🐞 Bug ≡ Correctness

Description

executeBatchStackAnalysis sets TRUSTIFY_DA_TOKEN to globalConfig.telemetryId instead of the
authenticated OIDC access token, so batch workspace analysis requests will be unauthenticated and
can fail against secured backends.

Code

src/batchAnalysis.ts[R24-28]

+    const options: BatchOptions = {
+      'TRUSTIFY_DA_BACKEND_URL': globalConfig.backendUrl,
+      'TRUSTIFY_DA_TELEMETRY_ID': globalConfig.telemetryId,
+      'TRUSTIFY_DA_TOKEN': globalConfig.telemetryId,
+      'TRUSTIFY_DA_SOURCE': globalConfig.utmSource,

Evidence

Batch analysis sends TRUSTIFY_DA_TOKEN as telemetryId rather than an access token. The repo already
implements OIDC and stores the access token in secret storage, and other analysis flows pass the
tokenProvider token into TRUSTIFY_DA_TOKEN, demonstrating the intended auth mechanism.

src/batchAnalysis.ts[24-28]
src/oidcAuthentication.ts[173-193]
src/dependencyAnalysis/diagnostics.ts[101-107]
src/imageAnalysis.ts[178-183]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`executeBatchStackAnalysis()` passes `globalConfig.telemetryId` as `TRUSTIFY_DA_TOKEN`, which is not an auth token. Batch analysis should pass the OIDC access token (as done in component/image analysis via `tokenProvider.getToken()` / secret storage).
### Issue Context
- OIDC access token is stored under `rhda-oidc-access-token` and retrieved by `getValidAccessToken()`.
- Component/image analysis already uses `tokenProvider.getToken()` to populate `TRUSTIFY_DA_TOKEN`.
### Fix Focus Areas
- src/batchAnalysis.ts[18-52]
- src/extension.ts[318-337]
- src/oidcAuthentication.ts[173-193]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Batch report panel missing ☑ 🐞 Bug ≡ Correctness

Description

The batch command runs executeBatchStackAnalysis without creating/showing DependencyReportPanel
first, so updateCurrentWebviewPanel() is a no-op and the user won’t see the batch HTML report.

Code

src/extension.ts[R318-335]

+  const disposableBatchAnalysisCommand = vscode.commands.registerCommand(
+    commands.STACK_ANALYSIS_BATCH_COMMAND,
+    async () => {
+      const workspaceFolders = vscode.workspace.workspaceFolders;
+      if (!workspaceFolders || workspaceFolders.length === 0) {
+        vscode.window.showErrorMessage('No workspace folder is open. Open a workspace to run batch analysis.');
+        return;
+      }
+      const workspaceRoot = workspaceFolders[0].uri.fsPath;
+      try {
+        await executeBatchStackAnalysis(workspaceRoot, outputChannelDep);
+        record(context, TelemetryActions.batchAnalysisDone, { workspace: workspaceRoot });
+      } catch (error) {
+        const message = applySettingNameMappings((error as Error).message);
+        vscode.window.showErrorMessage(`RHDA batch analysis error: ${message}`);
+        outputChannelDep.error(buildLogErrorMessage((error as Error)));
+        record(context, TelemetryActions.batchAnalysisFailed, { workspace: workspaceRoot, error: message });
+      }

Evidence

The command handler only calls executeBatchStackAnalysis; it never creates the webview panel.
updateCurrentWebviewPanel updates the UI only when DependencyReportPanel.currentPanel exists, so
results are dropped if no panel was opened.

src/extension.ts[318-337]
src/batchAnalysis.ts[61-64]
src/rhda.ts[77-82]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The batch command doesn’t open/create the report webview. Because `updateCurrentWebviewPanel()` only updates an existing panel, batch analysis completes but the UI doesn’t show results.
### Issue Context
Other report flows call `DependencyReportPanel.createOrShowWebviewPanel()` (via `triggerWebviewPanel()`) before attempting to update the webview.
### Fix Focus Areas
- src/extension.ts[318-337]
- src/rhda.ts[68-71]
- src/batchAnalysis.ts[61-64]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Command lacks activation event ☑ 🐞 Bug ≡ Correctness

Description

package.json does not include an onCommand activation event for rhda.stackAnalysisBatch, so in
workspaces that don’t match the existing workspaceContains triggers the extension won’t activate and
the command will not run.

Code

package.json[R79-84]

+      },
+      {
+        "command": "rhda.stackAnalysisBatch",
+        "title": "Red Hat Dependency Analytics Batch Report (Workspace)...",
+        "category": "Red Hat Dependency Analytics"
}

Evidence

The extension currently activates only on specific workspaceContains patterns. The new command is
contributed but there is no corresponding activation event, so invoking it from command palette
won’t activate/register the handler in workspaces missing those files (e.g., the PR test plan
mentions Cargo).

package.json[42-50]
package.json[80-84]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The batch command is contributed but may not be executable because the extension won’t activate unless workspaceContains matches. Add `onCommand:rhda.stackAnalysisBatch` so running the command activates the extension.
### Fix Focus Areas
- package.json[42-50]
- package.json[80-84]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Telemetry includes workspace path 🐞 Bug ⛨ Security

Description

Telemetry for batchAnalysisDone/batchAnalysisFailed records the absolute workspaceRoot path, which
can expose sensitive local directory names and user info.

Code

src/extension.ts[R326-335]

+      const workspaceRoot = workspaceFolders[0].uri.fsPath;
+      try {
+        await executeBatchStackAnalysis(workspaceRoot, outputChannelDep);
+        record(context, TelemetryActions.batchAnalysisDone, { workspace: workspaceRoot });
+      } catch (error) {
+        const message = applySettingNameMappings((error as Error).message);
+        vscode.window.showErrorMessage(`RHDA batch analysis error: ${message}`);
+        outputChannelDep.error(buildLogErrorMessage((error as Error)));
+        record(context, TelemetryActions.batchAnalysisFailed, { workspace: workspaceRoot, error: message });
+      }

Evidence

workspaceRoot is taken from workspaceFolders[0].uri.fsPath (absolute path) and sent in telemetry.
Other telemetry events in this repo generally record only path.basename(...) rather than full
paths.

src/extension.ts[326-335]
src/extension.ts[523-546]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Telemetry should not include absolute local filesystem paths.
### Issue Context
Batch telemetry currently sends `{ workspace: workspaceRoot }` where `workspaceRoot` is `uri.fsPath`.
### Fix Focus Areas
- src/extension.ts[326-335]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[ruromero]

Verification Report for TC-3864

Check	Result	Details
Scope Containment	WARN	6 out-of-scope files (README.md, package-lock.json, src/commands.ts, src/redhatTelemetry.ts, test/config.test.ts, test/exhortServices.test.ts) — all justified. src/dependencyReportPanel.ts listed in task but not modified (panel already handles HTML; no changes needed).
Diff Size	PASS	494 additions, 2111 deletions (bulk from package-lock.json), 12 files — proportionate to scope.
Commit Traceability	PASS	Both commits reference TC-3864.
Sensitive Patterns	PASS	Only matches are secrets: in test mock stubs — no real credentials.
CI Status	PASS	All checks pass.
Acceptance Criteria	PASS	7/7 criteria met (see details below).
Verification Commands	WARN	npm run test-compile succeeds. npm test: 188 passing, 20 failing — but main has 181 passing, 25 failing. All batch tests pass; failures are pre-existing.

Acceptance Criteria Details

#	Criterion	Result
1	New VS Code command rhda.stackAnalysisBatch is registered and appears in command palette	PASS — registered in package.json:83 and src/extension.ts:318
2	Command detects workspace root from vscode.workspace.workspaceFolders	PASS — src/extension.ts:321-326
3	Existing redHatDependencyAnalytics.exclude patterns propagated as workspaceDiscoveryIgnore	PASS — src/batchAnalysis.ts:25,54
4	New batch settings (concurrency, continueOnError, batchMetadata) configurable via VS Code settings	PASS — package.json:391-408, src/config.ts:52
5	Batch analysis report displayed in DependencyReportPanel	PASS — DependencyReportPanel.createOrShowWebviewPanel() + updateCurrentWebviewPanel(resp) in src/batchAnalysis.ts:60,68
6	Progress indicator shown during batch analysis	PASS — vscode.window.withProgress() in src/batchAnalysis.ts:22
7	Errors reported to user via VS Code notifications	PASS — error path updates panel with error template and logs error in src/batchAnalysis.ts:76-82

Overall: WARN

Minor warnings only — no failures. Out-of-scope files are all justified (docs, auto-generated lockfile, supporting modules for commands/telemetry/tests). The omission of src/dependencyReportPanel.ts is correct since the panel already handles HTML strings. Test failures are pre-existing (fewer on PR branch than main). All acceptance criteria are satisfied.

---

This comment was AI-generated by sdlc-workflow/verify-pr v0.4.3.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 73.46939% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.54%. Comparing base (343ec3b) to head (3b0a28c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/extension.ts	7.14%	13 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #880      +/-   ##
==========================================
+ Coverage   57.20%   57.54%   +0.33%     
==========================================
  Files          35       36       +1     
  Lines        1797     1842      +45     
  Branches      344      347       +3     
==========================================
+ Hits         1028     1060      +32     
- Misses        746      759      +13     
  Partials       23       23              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.