Merge pull request #1 from greylag-ci/prod-ready-hardening

Production-readiness pass: security hardening, esbuild bundle, narrowed activation

Author: dmartinochoa

.github/dependabot.yml

@@ -0,0 +1,27 @@
+version: 2
+
+# Weekly dep bumps. npm covers the extension itself; github-actions
+# keeps the workflow action versions current so we don't drift onto
+# deprecated runners.
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    groups:
+      typescript-eslint:
+        patterns:
+          - '@typescript-eslint/*'
+      types:
+        patterns:
+          - '@types/*'
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 3

.github/workflows/ci.yml

@@ -34,9 +34,24 @@ jobs:
       - name: TypeScript compile
         run: npm run compile
 
+      - name: Unit tests
+        run: npm test
+
+      - name: Bundle smoke
+        # Catches the "vsix packages but won't load" failure mode — a
+        # successful vsce package doesn't prove the bundle has all its
+        # runtime deps. Loads dist/extension.js with a vscode stub and
+        # asserts activate/deactivate are exported.
+        run: npm run smoke
+
+      - name: npm audit (prod deps, high+)
+        run: npm audit --omit=dev --audit-level=high
+
       - name: Verify vsix packs cleanly
+        # vsce is a pinned devDependency (see package.json) — Dependabot
+        # bumps it via the npm config. `npm ci` has already installed it.
         run: |
-          npx --yes @vscode/vsce@latest package --out pipeline-check.vsix
+          npx vsce package --out pipeline-check.vsix
           ls -lh pipeline-check.vsix
 
       - uses: actions/upload-artifact@v4

.github/workflows/dependency-review.yml

@@ -0,0 +1,24 @@
+name: Dependency Review
+
+# Fails any PR that adds a dependency with a known CVE or an
+# incompatible license. Cheap, PR-only, no secrets required.
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure
+          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense

.github/workflows/publish.yml

@@ -25,16 +25,29 @@ on:
         required: true
         type: string
 
+# Workflow default is read-only; the publish job widens to
+# `contents: write` for the GitHub release step. GitHub Actions doesn't
+# support step-level permissions, so this is the tightest scope
+# available without splitting into two jobs.
 permissions:
-  contents: write   # creating the GitHub release
+  contents: read
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    # Gate the job on the `production` GitHub Environment so VSCE_PAT
+    # and OVSX_PAT are only readable from a run that has cleared
+    # whatever reviewers/branch rules the environment imposes. Anyone
+    # with push access can still fire workflow_dispatch, but the
+    # publish steps will block on the environment gate.
+    environment: production
+    permissions:
+      contents: write   # needed by the "Create GitHub release" step
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.tag || github.ref }}
+          fetch-depth: 0   # needed for the merge-base check below
 
       - uses: actions/setup-node@v4
         with:
@@ -44,43 +57,82 @@ jobs:
       - run: npm ci
 
       - name: Verify tag matches package.json version
+        env:
+          # On tag push GITHUB_REF_NAME is the tag; on workflow_dispatch
+          # it's the dispatching branch, so prefer the explicit input.
+          REF_NAME: ${{ inputs.tag || github.ref_name }}
         run: |
           set -euo pipefail
-          tag="${GITHUB_REF_NAME#v}"
+          tag="${REF_NAME#v}"
           pkg=$(node -p "require('./package.json').version")
           if [ "$tag" != "$pkg" ]; then
             echo "::error::Tag v$tag does not match package.json version $pkg"
             exit 1
           fi
           echo "Tag and package.json agree on version $pkg"
 
+      - name: Verify tag is reachable from main
+        env:
+          REF_NAME: ${{ inputs.tag || github.ref_name }}
+        run: |
+          set -euo pipefail
+          git fetch origin main
+          if ! git merge-base --is-ancestor "$REF_NAME" origin/main; then
+            echo "::error::Tag $REF_NAME is not reachable from origin/main — refusing to publish"
+            exit 1
+          fi
+          echo "Tag $REF_NAME is on main"
+
+      - name: Verify CHANGELOG has a section for this version
+        # publish.yml already enforces tag/version parity. This step
+        # closes the matching changelog-fold gap: if the "Unreleased"
+        # entries haven't been moved into a "## [X.Y.Z]" section, the
+        # release-notes extraction below would ship the wrong content.
+        run: |
+          set -euo pipefail
+          version=$(node -p "require('./package.json').version")
+          if ! grep -E "^## \[${version}\]" CHANGELOG.md > /dev/null; then
+            echo "::error::CHANGELOG.md is missing a '## [${version}]' section — fold the Unreleased entries before tagging"
+            exit 1
+          fi
+          echo "CHANGELOG section found for ${version}"
+
       - name: Lint
         run: npm run lint
 
       - name: TypeScript compile
         run: npm run compile
 
+      - name: Unit tests
+        run: npm test
+
+      - name: Bundle smoke
+        run: npm run smoke
+
       - name: Package vsix
+        # vsce and ovsx are pinned devDependencies in package.json, so
+        # `npm ci` above installed the exact versions and Dependabot
+        # bumps them via the standard npm config. `npx` here resolves
+        # the local binary — no fresh fetch with PATs in env.
         run: |
           version=$(node -p "require('./package.json').version")
-          npx --yes @vscode/vsce@latest package \
-            --out "pipeline-check-${version}.vsix"
+          npx vsce package --out "pipeline-check-${version}.vsix"
           ls -lh "pipeline-check-${version}.vsix"
           echo "VSIX_PATH=pipeline-check-${version}.vsix" >> $GITHUB_ENV
 
       - name: Publish to VS Code Marketplace
         env:
           VSCE_PAT: ${{ secrets.VSCE_PAT }}
         run: |
-          npx --yes @vscode/vsce@latest publish \
+          npx vsce publish \
             --packagePath "$VSIX_PATH" \
             --pat "$VSCE_PAT"
 
       - name: Publish to Open VSX
         env:
           OVSX_PAT: ${{ secrets.OVSX_PAT }}
         run: |
-          npx --yes ovsx@latest publish "$VSIX_PATH" \
+          npx ovsx publish "$VSIX_PATH" \
             --pat "$OVSX_PAT"
 
       - name: Create GitHub release

.vscode/launch.json

@@ -9,7 +9,7 @@
         "--extensionDevelopmentPath=${workspaceFolder}"
       ],
       "outFiles": [
-        "${workspaceFolder}/out/**/*.js"
+        "${workspaceFolder}/dist/**/*.js"
       ],
       "preLaunchTask": "npm: compile"
     },
@@ -22,7 +22,7 @@
         "${workspaceFolder}/test-fixtures/sample-workflow"
       ],
       "outFiles": [
-        "${workspaceFolder}/out/**/*.js"
+        "${workspaceFolder}/dist/**/*.js"
       ],
       "preLaunchTask": "npm: compile"
     }

.vscodeignore

@@ -5,6 +5,8 @@ src/**
 test-fixtures/**
 scripts/**
 docs/**
+out/**
+ROADMAP.md
 .gitignore
 .eslintrc.json
 tsconfig.json

CHANGELOG.md

@@ -11,6 +11,29 @@ commit collapses this section into `## [X.Y.Z] — <date>`.
 
 ### Added
 
+- **Findings panel.** A dedicated activity-bar slot
+  ("Pipeline-Check" — custom inverted-Y pipeline glyph at
+  `media/pipeline-check.svg`) carries a `Findings` tree that
+  re-groups the diagnostics the LSP server has already published.
+  Strictly a re-presentation: never triggers its own scan, so the
+  thin-transport-adapter promise in `extension.ts` stays intact.
+  The activity-bar icon carries a live count badge so "how many
+  findings does this workspace have right now?" is answerable
+  without expanding the panel. Three group modes — severity
+  (default), file, rule — are switched via a `Change Grouping`
+  Quick Pick that marks the active mode with `$(check)`. Each leaf
+  renders as the rule title plus a `RULE · file:LINE` description
+  that drops whichever component is already implied by the parent
+  group; clicking opens the file at the diagnostic range.
+  CRITICAL is rendered as `flame` and HIGH as `error` so the two
+  distinguish in the severity-grouped tree without breaking parity
+  with the editor gutter (which has no "more red than red" state);
+  INFO uses `circle-outline` themed to `descriptionForeground` so
+  it is visibly the quietest row instead of inheriting the default
+  foreground. The welcome state leads with what the extension does
+  rather than what is missing; the diagnostic recovery links sit
+  on a secondary "Not seeing findings?" line.
+
 - **`pipelineCheck.severityThreshold` setting.** A new enum knob
   (`low` / `medium` / `high` / `critical`, default `low`) that mirrors
   the CLI's `--severity-threshold`. Drives a client-side
@@ -24,8 +47,70 @@ commit collapses this section into `## [X.Y.Z] — <date>`.
   unconditionally, so an older server (or a non-pipeline-check
   publish) is never hidden.
 
+### Security
+
+- **`pipelineCheck.serverCommand` and `pipelineCheck.serverArgs` are now
+  `machine-overridable`.** Workspace overrides require an explicit
+  prompt, so a malicious `.vscode/settings.json` can't silently swap
+  the interpreter or inject `-c "<code>"` once the user trusts the
+  workspace.
+- **Declared `capabilities.untrustedWorkspaces: "limited"`** and
+  `virtualWorkspaces: false`. The extension stays inactive in
+  untrusted workspaces until the user trusts them, so the LSP child
+  process never spawns from a freshly-cloned, untrusted repo.
+- **Hardened the publish workflow.** Pinned `@vscode/vsce` and `ovsx`
+  to specific versions (no more `@latest` with PATs in env), added a
+  `git merge-base` check that refuses to publish a tag that isn't on
+  `main`, added a CHANGELOG-fold check, and narrowed workflow-level
+  permissions to `contents: read` with the publish job opting up to
+  `contents: write`. The publish job is gated on the `production`
+  GitHub Environment so `VSCE_PAT` / `OVSX_PAT` are only readable from
+  a run that has cleared required reviewers.
+- **Added [SECURITY.md](SECURITY.md)** with GitHub Private Vulnerability
+  Reporting as the disclosure channel, response SLAs, and a published
+  threat model.
+
+### Tests
+
+- **Vitest unit suite added.** 25 tests covering the severity threshold
+  filter (extracted into [src/severityFilter.ts](src/severityFilter.ts))
+  and the Findings tree's pure logic (collection from
+  diagnostics, group-by-severity / file / rule, severity normalisation,
+  no-refresh-storm contract). `npm test` runs the suite; both ci.yml
+  and publish.yml gate on it. Test files live next to the code they
+  cover and are stripped from the .vsix.
+
+### Fixed
+
+- **The published `.vsix` was missing its runtime dependency.** The
+  previous build emitted `out/extension.js` via `tsc` but excluded
+  `node_modules/` from the package, so `require("vscode-languageclient/node")`
+  threw on activation in a clean install. Now bundled with esbuild into
+  a single `dist/extension.js` (the only JS in the `.vsix`); a CI
+  smoke step ([scripts/smoke.js](scripts/smoke.js)) stubs the `vscode`
+  module, loads the bundle, and asserts `activate` / `deactivate` are
+  exported so this regression class fails the build instead of the user.
+
 ### Changed
 
+- **`npm audit --omit=dev --audit-level=high` now runs on every push to
+  `main`** so advisories filed after a PR has merged still surface.
+- **Activation tightened.** The extension used to activate on every YAML
+  / JSON / Dockerfile / Terraform / Groovy file in any workspace, then
+  rely on the server's content filter to drop unrelated documents.
+  `activationEvents` is now a `workspaceContains:` list of the trigger
+  files we actually scan (`.github/workflows/*`, `.gitlab-ci.yml`,
+  `azure-pipelines.yml`, etc.). The LSP's `documentSelector` is
+  switched from language IDs to matching file-path globs, so the
+  server only sees candidate documents — no more spurious activations
+  on `package.json`, `mkdocs.yml`, or a Helm `values.yaml`.
+- **`@vscode/vsce` and `ovsx` are pinned devDependencies.** Workflows
+  invoke them via the locally-installed binaries (`npx vsce`,
+  `npx ovsx`) after `npm ci`. Versions live in `package-lock.json`
+  and Dependabot's existing npm config keeps them current.
+- **Marketplace metadata polish.** Added `Other` to `categories`,
+  pointed `qna` at the repo Discussions page.
+
 - **Marketplace polish pass.** The `package.json` `description` is
   rewritten so the numbers that differentiate this extension (22
   providers, 14 compliance frameworks beyond OWASP Top 10 CI/CD,