greylag-ci
diff --git a/‎CHANGELOG.md‎
Lines changed: 99 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 35 additions & 23 deletions b/‎README.md‎
Lines changed: 35 additions & 23 deletions
diff --git a/‎docs/screenshots/01-inline-findings.png‎
129 KB b/‎docs/screenshots/01-inline-findings.png‎
129 KB
diff --git a/‎docs/screenshots/02-hover-detail.png‎
50.1 KB b/‎docs/screenshots/02-hover-detail.png‎
50.1 KB
diff --git a/‎docs/screenshots/03-change-grouping.png‎
14.2 KB b/‎docs/screenshots/03-change-grouping.png‎
14.2 KB
diff --git a/‎docs/screenshots/04-severity-filter.png‎
20.5 KB b/‎docs/screenshots/04-severity-filter.png‎
20.5 KB
diff --git a/‎docs/screenshots/README.md‎
Lines changed: 25 additions & 11 deletions b/‎docs/screenshots/README.md‎
Lines changed: 25 additions & 11 deletions
diff --git a/‎package.json‎
Lines changed: 24 additions & 3 deletions b/‎package.json‎
Lines changed: 24 additions & 3 deletions
@@ -11,6 +11,105 @@ versions follow [SemVer](https://semver.org/).
 > section **above** Unreleased, or remove the Unreleased block for the
 > release commit. Otherwise the GitHub release ships boilerplate.
 
+## [1.1.0] — 2026-05-25
+
+Feature batch on top of v1.0.3. Three user-visible additions plus
+infrastructure for a fourth: a Findings-panel severity quick-filter
+(mute MEDIUM while triaging CRITICAL without touching the editor-wide
+threshold setting), a quick-fix lightbulb on every diagnostic (Open
+docs / Copy rule ID / Reveal in panel), and a fast-fail engine
+preflight that surfaces the install or upgrade action in under a
+second instead of waiting out the 30-second LSP start ceiling. The
+status-bar tooltip now carries the engine version so users can
+confirm at a glance which `pipeline-check` install is talking to the
+editor. Test count: 254 → 329 (75 new) across the new and extended
+suites — severity filter, code actions, preflight, version compare,
+upgrade flow, status-bar tooltip, lspState.
+
+### Added
+
+- **Per-panel severity quick-filter.** New title-bar **Show / Hide
+  Severities** button opens a multi-select Quick Pick; unchecked
+  severities are hidden from the Findings panel only. The editor
+  surface (gutter, Problems panel, CodeLens) is unaffected — the
+  filter is for triage, not for muting the project. State persists
+  per workspace via `workspaceState`. Composes with the existing
+  substring filter; both are dropped when their condition clears.
+- **Quick-fix lightbulb on every Pipeline-Check diagnostic.**
+  Rule-agnostic actions land on every finding the lightbulb attaches
+  to: **Open `<RULE-ID>` documentation** (when the server published
+  `Diagnostic.code.target`), **Copy rule ID** (routes through the
+  same code path as the panel's context-menu entry), and **Show in
+  Pipeline-Check Findings panel** (always available). No CodeAction
+  mutates the file — they're discoverability surfaces, not
+  auto-fixes.
+- **Fast-fail engine preflight.** Before `LanguageClient.start()`
+  spawns the LSP, a 5-second probe runs
+  `import pipeline_check; print(importlib.metadata.version(...))`
+  on the configured interpreter. A missing install fires the install
+  toast in under a second instead of the 30-second LSP start
+  ceiling. An out-of-date install (engine version below
+  `MIN_ENGINE_VERSION`) routes to a dedicated **Upgrade in terminal**
+  CTA instead of the generic install path. The probe is gated to
+  the default `python -m pipeline_check.lsp` shape so custom wrapper
+  scripts skip the check (`shouldPreflight` returns `false`) and
+  fall back to the existing start-timeout behavior.
+- **Engine version in the status-bar tooltip.** The captured version
+  appears as a trailing `Engine vX.Y.Z` line on hover. Useful for
+  triaging "why isn't this rule firing?" reports across people on
+  different upstream versions. Cleared on `stopClient()` and on the
+  mid-session `State.Stopped` transition so the tooltip stops
+  claiming a server is connected after a crash.
+- **`pipelineCheck.upgradeInTerminal` command + welcome panel
+  variant.** New command runs
+  `python -m pip install --upgrade "pipeline-check[lsp]"` in a
+  dedicated `Pipeline-Check upgrade` terminal (typed but not
+  auto-executed, matching the install-command pattern). When the
+  preflight rejects with `reason="out_of_date"`, the new
+  `pipelineCheck.engineOutOfDate` context key flips, and the
+  Findings panel switches to a third welcome entry that promotes
+  **Upgrade in terminal** as its primary CTA. The toast and the
+  panel surface the same action so a user who dismisses the toast
+  can still find it.
+
+### Changed
+
+- **README: Install section rewritten** as a numbered two-step flow
+  ("install the Python engine, then install the extension") so
+  first-timers can't skip the engine. Version requirements moved
+  inline with each step; the standalone Requirements section is
+  gone. A new "Verify" step points readers at the `🛡` status-bar
+  tally and the `Pipeline-Check: Show language server output`
+  command for the case where it doesn't appear. The Commands table
+  was also extended to list the two new commands and the
+  severity-toggle entry.
+- **`What's new` toast copy is now generic.** Previously it
+  hard-coded the v1.0.0 surfaces (Findings panel, status bar,
+  CodeLens, Alt+F8); the prose was stale the moment 1.0.1 shipped.
+  The toast now says `Pipeline-Check ${version} is here. See what
+  changed?` and the **See release notes** action does the
+  version-specific work. One less thing to remember to update per
+  release.
+
+### Infrastructure
+
+- **`MIN_ENGINE_VERSION = "1.0.0"`** in
+  [src/preflight.ts](src/preflight.ts) is the new floor the preflight
+  asserts. Anyone on a 0.x install sees the **Upgrade in terminal**
+  CTA on next launch; every 1.0.x install passes through unchanged.
+  The extension's stable contract with the engine — reading
+  `Diagnostic.code.target` (rule-docs URL) and `data.severity` (panel
+  grouping) from publishes — has held across the 1.x line, so the
+  floor is the same as the 1.x major. **Maintainer note:** bump
+  patch/minor here when the extension starts depending on a newer
+  field; the change forces the upgrade prompt for users behind the
+  new floor and deserves its own CHANGELOG entry.
+- **`isAtLeast` / `parseVersion`** helpers in preflight handle the
+  PEP 440 / SemVer shapes pipeline-check ships (numeric
+  MAJOR.MINOR.PATCH plus occasional rc / dev tails). Pre-releases
+  rank BELOW the corresponding release per spec, so `1.2.3rc1` does
+  not satisfy a `MIN_ENGINE_VERSION = "1.2.3"` assertion.
+
 ## [1.0.3] — 2026-05-21
 
 Recovery republish of v1.0.2 — Open VSX returned an HTTP 405 on
 
@@ -11,30 +11,25 @@
 
 Lint CI/CD pipelines for 22 providers against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks. 810+ rules, inline in your editor: severity-graded gutter squiggles, hover descriptions with `--explain` prose, and recommended-action hints. Built on the same rule registry as the [pipeline-check](https://github.com/dmartinochoa/pipeline-check) CLI, so editor findings match `pipeline_check --output json` byte-for-byte (modulo position translation).
 
-<!--
-Once docs/screenshots/01-inline.png, 02-findings-panel.png,
-03-hover.png, and 04-status-bar.png exist, uncomment the block below.
-See docs/screenshots/README.md for the capture recipe. The marketplace
-listing renders these via GitHub's raw blob URL, so they don't need
-to ship inside the .vsix.
+![Editor window with the Findings panel grouped by severity, gutter squiggles on the open workflow file, the activity-bar badge showing six findings, and a diagnostic hover tooltip](docs/screenshots/01-inline-findings.png)
 
-![Inline findings in the editor gutter](docs/screenshots/01-inline.png)
+![Zoomed hover on a finding showing the rule title, the --explain prose, the Fix recommendation, and a link to the rule documentation](docs/screenshots/02-hover-detail.png)
 
-![Findings panel in the activity bar, grouped by severity](docs/screenshots/02-findings-panel.png)
+![Change Grouping Quick Pick offering Severity, File, and Rule modes](docs/screenshots/03-change-grouping.png)
 
-![Hover tooltip showing problem, description, and rule docs link](docs/screenshots/03-hover.png)
-
-![Status bar item showing the per-severity tally](docs/screenshots/04-status-bar.png)
--->
+![Show / Hide Severities Quick Pick with checkboxes for CRITICAL, HIGH, MEDIUM, LOW, and INFO, each labelled with a one-line description](docs/screenshots/04-severity-filter.png)
 
 ## Features
 
 - **Inline diagnostics** — gutter squiggles + the Problems panel get a row per finding, severity-graded so CRITICAL and HIGH read red, MEDIUM yellow, LOW info-blue. Hover shows the rule title, the `--explain` prose, and a link to the rule documentation.
 - **Findings panel** — dedicated slot in the activity bar with a Pipeline-Check pipeline glyph. Re-groups findings by **severity** (default), **file**, or **rule** via the title-bar **Change Grouping** button; activity-bar icon carries a live count badge.
-- **Status bar item** — bottom-left of the window, shows the top two severity counts at a glance (e.g. `🛡 3C 1H`). Click reveals the Findings panel.
+- **Per-panel severity filter** — title-bar **Show / Hide Severities** button lets you mute MEDIUM while triaging CRITICAL without changing the editor-wide `severityThreshold` setting. State persists per workspace.
+- **Quick-fix lightbulb** — every finding carries a lightbulb with **Open `<RULE-ID>` documentation**, **Copy rule ID**, and **Show in Findings panel** — useful for triage without round-tripping through the panel.
+- **Status bar item** — bottom-left of the window, shows the top two severity counts at a glance (e.g. `🛡 3C 1H`). Tooltip carries the engine version so you know which `pipeline_check` install is talking to the editor. Click reveals the Findings panel.
 - **CodeLens summary** — every scanned file carries a `Pipeline-Check: 2 critical · 1 high` lens at line 1. Click navigates to the Findings panel.
 - **Keyboard navigation** — `Alt+F8` / `Shift+Alt+F8` jump between findings, with wrap at both ends. Mirrors VS Code's `F8` for "next problem" so muscle memory carries over.
 - **Tunable signal** — `pipelineCheck.severityThreshold` quiets the editor surface (`low` / `medium` / `high` / `critical`) without restarting the server; `pipelineCheck.disabledProviders` silences whole providers in a monorepo where Pipeline-Check would otherwise lint files belonging to a sub-project.
+- **Fast-fail engine check** — when the LSP fails to import the Python engine, the extension surfaces the install / upgrade action in under a second instead of waiting out the 30-second start ceiling. Engines below the extension's minimum required version get a dedicated **Upgrade in terminal** prompt.
 
 ## What it scans
 
@@ -57,7 +52,26 @@ Multi-file and context-heavy providers (Kubernetes, Helm, Terraform plans, live
 
 ## Install
 
-Search for `Pipeline-Check` in the extensions panel, or install from the command line:
+Pipeline-Check ships as **two pieces** that talk to each other over stdio:
+
+1. **Python rule engine** — the linter itself, installed from PyPI.
+2. **VS Code extension** — a thin LSP client (this repo) that spawns the engine and surfaces its findings in the editor.
+
+You need both. The extension does no scanning on its own; if the engine isn't installed, the Findings panel shows an **Install in terminal** button that runs the command below for you.
+
+### 1. Install the Python engine
+
+Requires Python 3.11+ on `PATH`:
+
+```bash
+python -m pip install "pipeline-check[lsp]"
+```
+
+If `pipeline_check` lives in a virtualenv or under `python3` rather than `python`, point [`pipelineCheck.serverCommand`](#configuration) at an absolute interpreter path.
+
+### 2. Install the extension
+
+Requires VS Code 1.85+. Search for `Pipeline-Check` in the extensions panel, or install from the command line:
 
 ```bash
 # Microsoft VS Code Marketplace
@@ -67,16 +81,9 @@ code --install-extension greylag-ci.pipeline-check
 codium --install-extension greylag-ci.pipeline-check
 ```
 
-The extension is a thin LSP client; the rule engine itself runs in Python and must be installed separately:
-
-```bash
-python -m pip install "pipeline-check[lsp]"
-```
-
-## Requirements
+### 3. Verify
 
-- VS Code 1.85 or newer.
-- Python 3.11 or newer on `PATH`, with `pipeline-check[lsp]` installed.
+Open any supported config file (see [What it scans](#what-it-scans)) — findings appear inline within a second or two, and the status bar shows a `🛡` tally. If you see `🛡 LSP not ready` instead, run **Pipeline-Check: Show language server output** from the Command Palette; the most common cause is `serverCommand` pointing at an interpreter that doesn't have `pipeline_check` installed.
 
 ## Configuration
 
@@ -96,9 +103,14 @@ All commands appear in the Command Palette under the **Pipeline-Check** category
 |---|---|
 | **Restart language server** — kills and respawns the LSP process |  |
 | **Show language server output** — focuses the output channel (LSP server logs + `[client]` client-side breadcrumbs) |  |
+| **Install LSP Server in Terminal** — opens a terminal with the `pip install` command typed but not executed |  |
+| **Upgrade LSP Server in Terminal** — same flow with `pip install --upgrade` for an out-of-date engine |  |
 | **Go to Next Finding** | <kbd>Alt</kbd>+<kbd>F8</kbd> |
 | **Go to Previous Finding** | <kbd>Shift</kbd>+<kbd>Alt</kbd>+<kbd>F8</kbd> |
+| **Scan Workspace** — opens every candidate file so the LSP runs `didOpen` on each |  |
 | **Change Grouping** (Findings view) — Quick Pick: Severity / File / Rule |  |
+| **Show / Hide Severities** (Findings view) — multi-select Quick Pick that mutes severity levels in the panel only (editor surface unchanged) |  |
+| **Filter Findings** (Findings view) — substring filter on rule ID, message, or path |  |
 | **Refresh** (Findings view) — re-render from the current diagnostic stream |  |
 
 ## Workspace trust
 
@@ -1,24 +1,38 @@
 # Marketplace screenshots
 
-Three PNGs go in this directory; the main `README.md` already has
-references to them, commented out. Once the files exist, uncomment
-the block and the marketplace listing picks them up automatically
-(vsce rewrites relative paths to the GitHub raw blob URL).
+Four PNGs ship today; the main `README.md` references them directly.
+The marketplace listing renders relative image paths through GitHub's
+raw blob URL, so the PNGs don't need to ship inside the `.vsix` —
+[.vscodeignore](../../.vscodeignore) excludes `docs/**` for that
+reason.
+
+## Currently shipping (v1.1.0)
+
+| Filename | What it shows |
+|---|---|
+| `01-inline-findings.png` | Full editor window with the Findings panel grouped by severity, gutter squiggles on the open workflow, activity-bar badge showing the live count, and a hover tooltip on one diagnostic. The "hero" shot — proves the whole-product story in one frame. |
+| `02-hover-detail.png` | Zoomed hover on a single diagnostic — title, `--explain` prose, `Fix:` recommendation, and the `pipeline-check(GHA-XXX)` documentation link. |
+| `03-change-grouping.png` | The **Change Grouping** Quick Pick showing Severity / File / Rule. |
+| `04-severity-filter.png` | The new **Show / Hide Severities** Quick Pick — landed in v1.1.0. Multi-select with one-line descriptions per severity. |
+
+## Slots still open
+
+Two v1.1.0 surfaces aren't yet shown. Capture and drop in when
+convenient; the README block will need a matching `![alt](path)` line
+added underneath the existing four:
 
 | Filename | What it shows |
 |---|---|
-| `01-inline.png` | Editor view of `test-fixtures/sample-workflow/release.yml` with all four GHA squiggles in the gutter. |
-| `02-problems-panel.png` | The Problems panel with the four diagnostics. Each rule ID is a hyperlink now that `codeDescription.href` is wired. Capture one ID under hover state so the underline is visible. |
-| `03-hover.png` | Hover tooltip on one diagnostic showing title, description, and the `Fix:` recommendation. |
+| `05-status-bar.png` | Status-bar shield with the per-severity tally (e.g. `🛡 3C 1H`) AND the tooltip open, including the trailing `Engine v0.X.Y` line. Proves the engine-version surface. |
+| `06-quickfix-lightbulb.png` | The CodeAction lightbulb dropdown on a finding, showing **Open `<RULE-ID>` documentation / Copy rule ID / Show in Pipeline-Check Findings panel**. The triage-ergonomics shot. |
 
 ## How to capture
 
 1. From the vscode repo root: `npm run compile`.
 2. Press <kbd>F5</kbd>, pick the **Run Extension (sample workflow)** debug profile.
-3. In the extension-host window, open `release.yml` (the fixture auto-opens with that profile).
-4. Wait for the four diagnostics to publish (~half a second).
-5. Take the three screenshots described above and save them in this directory with the filenames in the table.
-6. Open the main `README.md` and uncomment the `<!-- screenshot block -->` to surface them on the listing.
+3. In the extension-host window, `release.yml` auto-opens. Wait ~1s for the diagnostics to publish.
+4. Take each screenshot per the table above and save into this directory with the matching filename.
+5. Open the main `README.md` and add an `![alt](docs/screenshots/<filename>.png)` line into the screenshot block for any new captures.
 
 ## Capture settings
 
 
@@ -2,7 +2,7 @@
   "name": "pipeline-check",
   "displayName": "Pipeline-Check",
   "description": "Lint CI/CD pipelines for 22 providers against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks. 810+ rules, inline in your editor.",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "publisher": "greylag-ci",
   "license": "MIT",
   "icon": "icon.png",
@@ -89,8 +89,13 @@
       },
       {
         "view": "pipelineCheck.findings",
-        "when": "!pipelineCheck.lspReady",
+        "when": "!pipelineCheck.lspReady && !pipelineCheck.engineOutOfDate",
         "contents": "Pipeline-Check lints CI/CD configs against OWASP Top 10 CI/CD risks and 14 compliance frameworks. 810+ rules.\n\nIt needs a Python helper — `pipeline-check[lsp]` from PyPI — running locally.\n\n[Install in terminal](command:pipelineCheck.installInTerminal)\n[Retry connection](command:pipelineCheck.restart)\n\nAlready installed but still seeing this? [Open server log](command:pipelineCheck.showLog)."
+      },
+      {
+        "view": "pipelineCheck.findings",
+        "when": "pipelineCheck.engineOutOfDate",
+        "contents": "The installed `pipeline-check` engine is older than this extension requires.\n\nUpgrade it from PyPI:\n\n[Upgrade in terminal](command:pipelineCheck.upgradeInTerminal)\n[Retry connection](command:pipelineCheck.restart)\n\n[Open server log](command:pipelineCheck.showLog) for the version probe's output."
       }
     ],
     "commands": [
@@ -114,6 +119,11 @@
         "title": "Install LSP Server in Terminal",
         "category": "Pipeline-Check"
       },
+      {
+        "command": "pipelineCheck.upgradeInTerminal",
+        "title": "Upgrade LSP Server in Terminal",
+        "category": "Pipeline-Check"
+      },
       {
         "command": "pipelineCheck.scanWorkspace",
         "title": "Scan Workspace",
@@ -153,6 +163,12 @@
         "category": "Pipeline-Check",
         "icon": "$(filter)"
       },
+      {
+        "command": "pipelineCheck.findings.toggleSeverity",
+        "title": "Show / Hide Severities",
+        "category": "Pipeline-Check",
+        "icon": "$(eye)"
+      },
       {
         "command": "pipelineCheck.goToNextFinding",
         "title": "Go to Next Finding",
@@ -189,10 +205,15 @@
           "group": "navigation@1"
         },
         {
-          "command": "pipelineCheck.findings.changeGrouping",
+          "command": "pipelineCheck.findings.toggleSeverity",
           "when": "view == pipelineCheck.findings",
           "group": "navigation@2"
         },
+        {
+          "command": "pipelineCheck.findings.changeGrouping",
+          "when": "view == pipelineCheck.findings",
+          "group": "navigation@3"
+        },
         {
           "command": "pipelineCheck.findings.refresh",
           "when": "view == pipelineCheck.findings",