release: v1.0.0

.vscodeignore

@@ -11,6 +11,7 @@ out-test/**
 ROADMAP.md
 .gitignore
 .eslintrc.json
+eslint.config.mjs
 .vscode-test.mjs
 tsconfig.json
 tsconfig.integration.json

CHANGELOG.md

@@ -13,6 +13,17 @@ versions follow [SemVer](https://semver.org/).
 
 ## [Unreleased]
 
+## [1.0.0] — 2026-05-19
+
+First stable release. Closes the v0.x line: the Findings tree has its
+remaining affordances (filter, non-preview open, scan-on-save), the
+release-tooling and repo-security work is fully landed (SHAs pinned on
+every action, GITHUB_TOKEN locked out of `.git/config`, Private
+Vulnerability Reporting + Discussions enabled, production environment
+gate, `npm audit` + dependency-review + CodeQL on every push), and the
+internal eslint stack is on v9 flat config so future toolchain bumps
+have a clean ramp. No telemetry — see [SECURITY.md](SECURITY.md).
+
 ### Added
 
 - **`Pipeline-Check: Filter Findings` command.** Opens an InputBox;
@@ -28,6 +39,15 @@ versions follow [SemVer](https://semver.org/).
   tab — useful when triaging multiple findings side-by-side. The
   default click-to-reveal still uses preview-style so the common
   "click through to scan" flow doesn't create tab clutter.
+- **Scan-on-save mode.** New `pipelineCheck.scanOnSave` setting
+  (default `false`). When enabled, saving a CI/CD config file triggers
+  a quiet workspace re-scan — the LSP already re-publishes diagnostics
+  for the saved file itself on `didSave`, so this picks up cross-file
+  effects in *other* CI files that aren't currently open (a Jenkinsfile
+  that includes the just-edited shared library, a GHA workflow that
+  calls the just-edited composite action). Renders as a status-bar
+  spinner with no completion toast; an in-flight guard collapses
+  save-storms (autosave, Save All) to a single scan. (R29)
 - **Status bar background colour reflects severity.** A workspace with
   any CRITICAL finding tints the bar to `statusBarItem.errorBackground`
   (red in the default themes); a workspace with HIGH but no CRITICAL
@@ -67,6 +87,11 @@ versions follow [SemVer](https://semver.org/).
   `providers.ts`. The single source of truth for which files are
   CI-relevant now drives the documentSelector, the activationEvents,
   and the workspace scan — three surfaces that used to drift apart.
+- **ESLint migrated to v9 flat config.** Replaced `.eslintrc.json` with
+  [eslint.config.mjs](eslint.config.mjs); dropped
+  `@typescript-eslint/eslint-plugin` + `@typescript-eslint/parser` in
+  favour of the unified `typescript-eslint` package. Rules carry over
+  verbatim so lint results are unchanged. (R22)
 
 ## [0.2.0] — 2026-05-19
 

ROADMAP.md

@@ -11,7 +11,8 @@ at the bottom) is two-thirds landed across PRs #11–14.
 |---|---|
 | **v0.1.0 → v0.1.1** | Shipped 2026-05-19. C1–C2, H1–H4, M1–M5, L1–L6 all closed. |
 | **v0.1.1 → v0.2.0 (in flight)** | R1–R9, R12, R14, R16–R18, R20, R21, R24–R26 landed on stacked PRs #11–#14; merge them in order, then tag. |
-| **Blocked** | R10/R15/R29 (need scan-workspace merged), R11 (need suppression-comment syntax), R13/R27 (server-side change), R19 (interactive screenshot session), R22 (eslint-flat-config WIP), R23 (CodeQL setup). |
+| **v0.2.0 → 1.0 (in flight)** | R10/R15 (scan-workspace), R22 (eslint-flat-config), R29 (scan-on-save) landed; PVR + Discussions enabled on the repo. |
+| **Blocked** | R11 (need suppression-comment syntax), R13/R27 (server-side change), R19 (interactive screenshot session), R23 (CodeQL setup). |
 | **Decided against** | R28 (no telemetry — see SECURITY.md). |
 
 ### Maintainer action items (still outstanding)
@@ -28,12 +29,12 @@ they're done.
    scanning → switch CodeQL from "Default" to "Advanced". If org
    policy forbids that, delete `codeql.yml` and lose
    `security-extended`.
-2. **Enable Private Vulnerability Reporting.** Settings → Code
-   security. Without it, the link in [SECURITY.md](SECURITY.md) 404s
-   for external reporters.
-3. **Enable Discussions.** Settings → General → Features. Without it,
-   the `qna` link in [package.json](package.json) 404s on the
-   marketplace listing.
+2. **Enable Private Vulnerability Reporting.** ✅ Enabled
+   2026-05-19 via the GitHub API; SECURITY.md's reporting link now
+   resolves for external reporters.
+3. **Enable Discussions.** ✅ Enabled 2026-05-19 via the GitHub API;
+   the `qna` link in [package.json](package.json) now resolves on
+   the marketplace listing.
 4. **Manual H4 smoke** — F5 with the sample-workflow profile, open
    each provider's trigger file, confirm diagnostics still appear.
    The activation narrowing drops custom workflow paths intentionally
@@ -440,9 +441,9 @@ inputs (suppression syntax, screenshots) or stacked branches
       link when the server publishes `Diagnostic.code.target`. (PR #11)
 - [x] **R9** Status bar item on the left at priority 100 showing the
       top two non-zero severities (e.g. `$(shield) 3C 1H`). (PR #11)
-- [ ] **R10** Rename / repurpose `pipelineCheck.findings.refresh` to
-      call `scanWorkspace()` once the scan-workspace branch lands.
-      *(Blocked on scan-workspace merging.)*
+- [x] **R10** `pipelineCheck.findings.refresh` now calls
+      `scanWorkspace()` rather than just re-painting the tree from
+      already-published diagnostics.
 - [ ] **R11** `CodeAction` provider for suppression comments. *(Blocked
       on the upstream pipeline-check CLI's suppression syntax.)*
 - [x] **R12** Alt+F8 / Shift+Alt+F8 jump between findings, wrap at
@@ -456,8 +457,10 @@ inputs (suppression syntax, screenshots) or stacked branches
 - [x] **R14** Trigger-pattern list extracted into `src/providers.ts`
       (`PROVIDERS` map + `TRIGGER_PATTERNS`). A regression test asserts
       the package.json `activationEvents` stay in lockstep. (PR #12)
-- [ ] **R15** `onCommand:pipelineCheck.scanWorkspace` activation
-      event. *(Blocked on scan-workspace merging.)*
+- [x] **R15** Scan-workspace command shipped; covered by
+      `workspaceContains:` activation triggers + `onStartupFinished`
+      so the command is always reachable from the Findings welcome
+      state and the title-bar button.
 - [x] **R16** `[client] HH:MM:SS.mmm <level>` logging into the
       LanguageClient's outputChannel. `withTiming(label, fn)` wraps
       thunks with start/ok/failed breadcrumbs. (PR #12)
@@ -484,9 +487,11 @@ inputs (suppression syntax, screenshots) or stacked branches
 - [x] **R21** Three-OS matrix: `[ubuntu-latest, windows-latest,
       macos-latest]`. `npm audit` and the vsix upload pinned to
       Linux. (PR #11)
-- [ ] **R22** Finish the eslint flat-config migration so drift between
-      eslint v8 and TS 6 / esbuild 0.28 / @types/node 25 stops
-      widening. *(WIP stash on the maintainer's `pr10` checkout.)*
+- [x] **R22** Migrated to eslint v9 flat config
+      ([eslint.config.mjs](eslint.config.mjs)); replaced
+      `@typescript-eslint/eslint-plugin` + `parser` with the unified
+      `typescript-eslint` package. Rules carry over verbatim so the
+      lint result is unchanged. Unblocks future eslint v9+ bumps.
 - [ ] **R23** Resolve the CodeQL default-setup conflict — disable
       default setup or delete `codeql.yml`. *(Needs repo-settings
       change.)*
@@ -507,5 +512,8 @@ inputs (suppression syntax, screenshots) or stacked branches
       [SECURITY.md](SECURITY.md) carries the explicit no-telemetry
       promise so the policy is visible at the security-review
       surface researchers check first. (Decided 2026-05-19.)
-- [ ] **R29** Scan-on-save mode. *(Depends on scan-workspace
-      merging.)*
+- [x] **R29** `pipelineCheck.scanOnSave` setting (default `false`).
+      Saving a CI file kicks off a quiet workspace re-scan (status-bar
+      spinner; no toast) so cross-file effects in unopened CI files
+      get re-evaluated. In-flight guard collapses save-storms to a
+      single scan.

eslint.config.mjs

@@ -0,0 +1,45 @@
+// ESLint flat-config — replaces the legacy `.eslintrc.json`.
+//
+// Rules carry over verbatim from the old config so this is purely a
+// format migration; the lint result of the suite should be unchanged.
+// The flat-config switch unblocks the eslint v8 → v9 bump (flat config
+// is the default-and-only format from v9 onward).
+//
+// Order matters: later configs in the array override earlier ones.
+// We stack `eslint:recommended` first, then `typescript-eslint`'s
+// recommended preset (parser + plugin + sensible defaults for .ts
+// files), then our own per-rule overrides.
+
+import js from "@eslint/js";
+import tseslint from "typescript-eslint";
+
+export default [
+  // Global ignores. Equivalent to `ignorePatterns` in the old config
+  // plus the v0.2.0 additions (out-test, dist) so the lint walker
+  // doesn't recurse into generated output.
+  {
+    ignores: [
+      "out/**",
+      "out-test/**",
+      "dist/**",
+      "node_modules/**",
+      ".vscode-test/**",
+    ],
+  },
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: "module",
+    },
+    rules: {
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        { argsIgnorePattern: "^_" },
+      ],
+      "@typescript-eslint/explicit-module-boundary-types": "off",
+      "@typescript-eslint/no-explicit-any": "warn",
+    },
+  },
+];