release: v1.0.1

[dmartinochoa]

Summary

Stability batch on top of v1.0.0 — three rounds of edge-case hardening (251 tests, was 194 at v1.0.0) plus the supply-chain hardening from #27 (CycloneDX SBOM + signed SLSA provenance attached to each release, publish-side npm audit gate). Folds the accumulated [Unreleased] entries into ## [1.0.1] so the publish.yml awk extractor lifts the right block into the GitHub release notes.

What ships

Editor / extension

• python -m pip install switch so the Windows ExecutionPolicy + official-installer-without-pip combo stops blocking first-run install
• Welcome panel no longer lies after an LSP crash — subscribes to client.onDidChangeState
• Scan Workspace against a dead LSP surfaces a real error instead of false-success
• Activation no longer hangs on a misconfigured serverArgs — client.start() raced against a 30s timeout
• disabledProviders silences lowercase dockerfile / jenkinsfile — case-insensitive glob match
• Medium batch (round 2): scan-workspace in-flight guard, install-terminal reuse, scan-on-save disabled-provider short-circuit, semver-aware rc → ga "What's new" toast
• Low batch (round 3): status-bar latch releases on workspace-folder removal
• Polish: extension.ts header comment migrated to python -m pip install to match every other surface

Supply chain (from #27)

• CycloneDX SBOM attached to each GitHub release
• Signed SLSA build provenance via OIDC + Sigstore keyless — verifiable with gh attestation verify <vsix> --owner greylag-ci
• npm audit --omit=dev --audit-level=high gate on the publish workflow

Cut sequence

After this PR merges to main:

git tag v1.0.1 && git push --tags

Publish workflow waits at production env gate; on approval, runs the new SBOM/provenance steps, publishes to VS Code Marketplace + Open VSX, and creates a GitHub release with the .vsix, the SBOM, and notes lifted from the ## [1.0.1] section.

Verification

• Rebased onto main (now includes b88b22f from ci: add SBOM, signed provenance, and publish-side npm audit #27)
• 251/251 vitest pass
• typecheck / lint / smoke clean
• awk '/^## \[/{n++} n==2{exit} n==1{print}' CHANGELOG.md dry-runs the release-notes extraction and produces the ## [1.0.1] block with the new Security section

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@dmartinochoa has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 40 minutes and 9 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9ba7c093-6ff8-4459-9acf-6dd9934afae0

📥 Commits

Reviewing files that changed from the base of the PR and between b88b22f and 25d43e7.

📒 Files selected for processing (3)

• CHANGELOG.md
• package.json
• src/extension.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch release/1.0.1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}