ux: status bar severity color + what's-new notification

[dmartinochoa]

Summary

Two UX improvements from the post-v0.2.0 review. Stacked on #19 (scan-workspace-v2) — base is scan-workspace-v2, so the diff shows only this PR's work.

1. Status bar severity color 🔴 🟡

A workspace with CRITICAL findings now tints the status bar to statusBarItem.errorBackground (red); HIGH-without-CRITICAL tints to statusBarItem.warningBackground (yellow); MEDIUM / LOW / INFO keep the default fg colour so a "1 medium" workspace doesn't shout. Same ThemeColor tokens ESLint and Error Lens use — the visual language reads correctly across themes.

```
$(shield) 3C 1H ← red background (CRITICAL present)
$(shield) 4H 2M ← yellow background (HIGH, no CRITICAL)
$(shield) 5 ← default colour (medium/low only)
$(shield) clean ← default colour (zero findings)
```

2. What's-new notification on upgrade

First activation after a version bump shows a one-time toast — "Pipeline-Check 0.X.Y is here. The Findings panel, status bar item, inline CodeLens, and Alt+F8 navigation are new — see what changed?" — with a See release notes button that opens the matching GitHub release URL.

Persistence is write-before-show: the seen-version saves before the toast fires, so a missed dismissal (VS Code closes, user clicks elsewhere) doesn't loop next launch. A v0.1.x → v0.2.0 upgrade fires it once; subsequent launches stay silent.

Pre-release strip: `v0.2.0-rc.1` → `v0.2.0` won't re-trigger.

What user-edits ride along

Three intentional edits the user committed to the working tree are folded in:

• package.json dropped `onStartupFinished` from activationEvents — the activity-bar slot only appears in CI-relevant workspaces now, matching the status bar's already-quieter visibility policy.
• package.json expanded `untrustedWorkspaces.description` to explain the `machine-overridable` scope on `serverCommand` / `serverArgs`. Better copy for the trust prompt VS Code surfaces on first open.
• README.md added a Socket supply-chain badge.

Test plan

• `npm run lint` clean
• `npm run compile` clean
• `npm test` — 129 tests pass (was 107 on feat: pipelineCheck.scanWorkspace + refresh-as-scan (R10, R15) #19; +5 statusBar, +17 whatsNew)
• `npm run smoke` clean
• Manual smoke under F5: open a fixture with CRITICAL findings → status bar reads red; clear the diagnostics → status bar returns to default colour.
• Manual upgrade test: install v0.2.0 cleanly, then dev-load this build, confirm the "what's new" toast fires once; restart VS Code, confirm it's silent.

Notes for v0.3.0 release

When you cut v0.3.0 (or whatever the next release is), the what's-new notification will fire once on first activation for every existing user — that's the whole point. The Findings-panel / status bar / CodeLens / Alt+F8 mentions in the message are deliberate: those land/landed in the v0.2.x line.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c4a8b677-18d1-4bfe-857d-050f008fb3db

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ux-polish-2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}