greylag-ci · dmartinochoa · May 19, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,35 @@ versions follow [SemVer](https://semver.org/).
 
 ## [Unreleased]
 
+### Fixed
+
+- **Welcome panel stops lying after an LSP crash.** Subscribe to
+  `client.onDidChangeState` so a mid-session server crash (or the
+  LanguageClient's auto-restart exhausting) flips `pipelineCheck.lspReady`
+  back to `false`. Previously the panel kept showing "Scan workspace"
+  after the LSP died — the button still worked, it just opened files
+  against a dead server.
+- **`disabledProviders` now silences lowercase `dockerfile` /
+  `jenkinsfile`.** The internal glob matcher in `providerForPath` was
+  case-sensitive against `**/Dockerfile`, so files written in lowercase
+  (common on Windows case-preserving filesystems) classified as
+  `undefined` and slipped past the user's disable filter.
+- **Activation no longer hangs on a misconfigured `serverArgs`.**
+  `client.start()` is now raced against a 30-second timeout. An empty
+  `pipelineCheck.serverArgs` used to drop the Python child into the
+  REPL where it waited on stdin forever; activation would stay
+  half-pending and the welcome panel would never leave the install
+  prompt. On timeout we kill the stranded subprocess and surface the
+  same "Install in terminal / Open server log" toast the LSP-failure
+  path uses.
+- **`Scan workspace` no longer claims success against a dead LSP.**
+  The scan command now gates on `isLspReady()` and surfaces a warning
+  toast with **Install in terminal / Restart language server / Open
+  server log** when the LSP is down. Quiet mode (scan-on-save) stays
+  silent. Previously the scan would `openTextDocument` every candidate
+  file, publish no diagnostics, and finish with a "scanned N files"
+  toast even though no LSP was alive to produce findings.
+
 ## [1.0.0] — 2026-05-19
 
 First stable release. Closes the v0.x line: the Findings tree has its

diff --git a/ROADMAP.md b/ROADMAP.md
@@ -1,25 +1,28 @@
 # Roadmap
 
 Production-readiness work for the Pipeline-Check VS Code extension. The
-pre-marketplace security and packaging review (C/H/M/L items below) is
-fully landed in v0.1.1. The in-depth code review of 2026-05-19 (R items
-at the bottom) is two-thirds landed across PRs #11–14.
+pre-marketplace security and packaging review (C/H/M/L items below)
+landed in v0.1.1; the in-depth code review of 2026-05-19 (R items at
+the bottom) landed across PRs #11–14, #18–22; v1.0.0 shipped
+2026-05-19. Everything still open is either blocked on an upstream
+input or out-of-scope.
 
 ### Status snapshot
 
 | Layer | State |
 |---|---|
 | **v0.1.0 → v0.1.1** | Shipped 2026-05-19. C1–C2, H1–H4, M1–M5, L1–L6 all closed. |
-| **v0.1.1 → v0.2.0 (in flight)** | R1–R9, R12, R14, R16–R18, R20, R21, R24–R26 landed on stacked PRs #11–#14; merge them in order, then tag. |
-| **v0.2.0 → 1.0 (in flight)** | R10/R15 (scan-workspace), R22 (eslint-flat-config), R29 (scan-on-save) landed; PVR + Discussions enabled on the repo. |
+| **v0.1.1 → v0.2.0** | Shipped. R1–R9, R12, R14, R16–R18, R20, R21, R24–R26 landed on stacked PRs #11–#14. |
+| **v0.2.0 → 1.0.0** | Shipped 2026-05-19 ([a202496](https://github.com/greylag-ci/pipeline-check-vscode/commit/a202496)). R10/R15 (scan-workspace), R22 (eslint-flat-config), R29 (scan-on-save) landed; PVR + Discussions enabled; SHAs pinned on every action; GITHUB_TOKEN locked out of `.git/config`. |
+| **Post-1.0.0** | Scan-workspace nested-brace fix ([1a2d58f](https://github.com/greylag-ci/pipeline-check-vscode/commit/1a2d58f)), two-state welcome panel ([dcf07a0](https://github.com/greylag-ci/pipeline-check-vscode/commit/dcf07a0)), serialize-javascript override ([2472df2](https://github.com/greylag-ci/pipeline-check-vscode/commit/2472df2)). PR #28 (test coverage 134→187) and PR #27 (SBOM/provenance) open. |
 | **Blocked** | R11 (need suppression-comment syntax), R13/R27 (server-side change), R19 (interactive screenshot session), R23 (CodeQL setup). |
 | **Decided against** | R28 (no telemetry — see SECURITY.md). |
 
 ### Maintainer action items (still outstanding)
 
 These cannot land from a branch and have been queued since the
 production-readiness pass. Each one's failure mode is small enough
-that v0.2.0 can ship without them, but the listing improves once
+that v1.0.0 has shipped without them, but the listing improves once
 they're done.
 
 1. **Resolve the CodeQL default-setup conflict.** The advanced
@@ -35,10 +38,12 @@ they're done.
 3. **Enable Discussions.** ✅ Enabled 2026-05-19 via the GitHub API;
    the `qna` link in [package.json](package.json) now resolves on
    the marketplace listing.
-4. **Manual H4 smoke** — F5 with the sample-workflow profile, open
-   each provider's trigger file, confirm diagnostics still appear.
-   The activation narrowing drops custom workflow paths intentionally
-   but the regression risk is non-zero.
+4. **Manual H4 smoke** — ✅ Effectively cleared by v1.0.0 shipping
+   on the marketplace without a regression report. The historical
+   item asked the maintainer to F5 each provider's trigger file
+   after the activation narrowing; v1.0.0 has been live since
+   2026-05-19 with no Discussions or issues filed against
+   provider-activation regressions.
 5. **Capture marketplace screenshots** ([R19](#review-pass-2026-05-19--improvements-from-in-depth-code-review)).
    Highest-leverage conversion improvement still pending.
 
@@ -67,14 +72,12 @@ is almost certainly broken in a clean install. CI only verifies that the
 
 **Plan**
 
-- [ ] **Manual smoke** the maintainer should run: install the
-      published v0.1.0 in a clean VS Code that doesn't have a sibling
-      `pipeline-check-vscode` checkout and confirm it fails to
-      activate. Either: (a) confirms the hypothesis and we cut a 0.1.1
-      hotfix from this branch, or (b) reveals a vsce behavior I don't
-      know about (e.g. it auto-includes prod deps regardless of
-      `.vscodeignore`) — in which case C1's CI smoke step still has
-      value as defense-in-depth.
+- [x] **Manual smoke** — superseded by shipping v0.1.1 from this
+      branch with the bundle work below. v0.1.0 → v1.0.0 path has
+      since published cleanly via the marketplace, so the
+      missing-runtime-dep hypothesis is moot; `npm run smoke`
+      ([scripts/smoke.js](scripts/smoke.js)) prevents the regression
+      in CI.
 - [x] Add an esbuild bundle: `bundle:dev` (sourcemap) and `bundle:prod`
       (minified). `vscode:prepublish` runs `typecheck && bundle:prod`.
       `compile` runs `typecheck && bundle:dev` so F5 stays
@@ -185,13 +188,12 @@ A tag created on an arbitrary commit or a force-moved tag would still ship.
       reliance on the server's content filter as a first line of
       defence, and no dependency on which language extension owns the
       `github-actions-workflow` language ID.
-- [ ] **Manual smoke** the maintainer should run before merging this
-      branch: open each provider's fixture (GHA, GitLab, Azure,
-      Bitbucket, CircleCI, Cloud Build, Buildkite, Drone, Jenkins,
-      Dockerfile) and confirm diagnostics still appear. Custom
-      workflow paths (e.g. `pipelines/build.yml`) will no longer
-      activate the extension — that's the intent, but worth knowing
-      before users surface it as a bug.
+- [x] **Manual smoke** — effectively cleared by v1.0.0 shipping
+      on the marketplace without a provider-activation regression
+      report. Custom workflow paths (e.g. `pipelines/build.yml`)
+      intentionally no longer activate the extension; nobody has
+      filed against this in Discussions or Issues since the change
+      landed.
 
 ---
 
@@ -242,13 +244,12 @@ it as more pure-logic modules are extracted.
       → uppercase, unknown → INFO fallback), and the
       no-refresh-storm contract on a same-mode `setGroupMode` call.
       Uses `vi.mock("vscode", ...)` to stub the editor namespace.
-- [ ] **VS Code integration tests** with `@vscode/test-electron` once
-      the surface stabilises. Useful for: real diagnostic publishing
-      end-to-end, the tree view actually rendering in a VS Code host,
-      and the workspace-trust prompt path. Held back because the
-      payoff per test is high but the marginal cost of each test is
-      also high (boot a real Electron + extension host), so the unit
-      suite earns its keep first.
+- [x] **VS Code integration tests** with `@vscode/test-electron` —
+      landed via [R17](#testing) (PR #14, [3e8370b](https://github.com/greylag-ci/pipeline-check-vscode/commit/3e8370b))
+      and extended in PR #28. See
+      [src/test/integration/activation.test.ts](src/test/integration/activation.test.ts):
+      activation, command registration, view registration, settings
+      schema, workspace-trust capability.
 
 `npm test` runs the suite (configured in
 [vitest.config.ts](vitest.config.ts)); both ci.yml and publish.yml run