A pass over the extension surface to address review feedback:
Safety / hardening:
- `graphPanel.ts`: validate `m.path` from the webview before opening
files. Reject absolute paths and any path that escapes the workspace
root (`..`, `/foo`, `C:/...`). Validate the line number is a positive
integer before constructing a `Range`. Surface failures via the output
channel rather than letting the rejection bubble up.
- `mcpProvider.ts`: defensively check that
`vscode.lm.registerMcpServerDefinitionProvider` exists before calling
it. The `engines.vscode: ^1.99.0` field already enforces this on
install, but some VS Code-derived editors mis-report their engine
version. The extension now degrades gracefully (sidebar, commands,
status bar still work) instead of failing activation.
- `commands.ts` and `graphPanel.ts`: wrap `workbench.action.chat.open`
in try/catch. Not every VS Code-compatible editor exposes that
command; falling back to the output channel avoids unhandled
rejections after the user clicked "Open chat".
- `extension.ts`: persist the first-run walkthrough flag only after the
walkthrough command resolves successfully, so a transient failure
doesn't silently skip the onboarding forever.
CI gates:
- `extension-ci.yml` and `extension-release.yml`: run `npm test` between
typecheck and build, so manifest-level smoke regressions can't slip
through to either the PR artefact or the marketplace publishes.
Settings copy:
- `socraticode.env` description: explicitly call out that the setting
is for non-secret config only. Recommend OS environment variables /
local `.env` files for API keys, since workspace settings can sync
via Settings Sync and end up in committed `.vscode/settings.json`.
Quality of life:
- `sidebar.ts` `formatRelative`: clamp the computed seconds to zero so
a file mtime slightly ahead of the local clock doesn't render
"-5s ago".
- `walkthroughs/first-index.md`: corrected the embedding model name
(`nomic-embed-text`, not `mxbai-embed-large`) to match the engine
default in `src/constants.ts`.
Lint / docs:
- `extension/README.md`: hyphenate "Eclipse Theia-based editors".
- `DEVELOPER.md`: add `text` language hint to the directory-tree code
fence (markdownlint MD040). Updated the inline comment for
`settings.ts` to reflect its current shape.
- `README.md`: reflow the "extension vs plugin" callout into a single
blockquote (markdownlint MD028).
Lint, typecheck, manifest tests and build all clean. Engine unit tests
unaffected (706/706 still pass).
`extension-ci.yml`: triggers on push and PR to `main` whenever anything
in `extension/` changes. Runs lint, typecheck, build, and `vsce
package`, then uploads the resulting `.vsix` as an artefact for manual
smoke testing (download from the Actions run, install via "Extensions:
Install from VSIX..." in any VS Code-compatible editor).
`extension-release.yml`: triggers on `v*` tags so engine release tags
fire the extension release in lockstep, with manual dispatch as a
fallback. Builds the `.vsix`, then publishes to:
- VS Code Marketplace via `vsce publish` (using the `VSCE_PAT` repo
secret).
- Open VSX Registry via `ovsx publish` (using the `OVSX_PAT` repo
secret).
When triggered by a tag, also attaches the `.vsix` to the GitHub
release so users on Open VSX-less editors can grab it directly.
Both workflows are scoped to the `extension/` working directory so
engine-only changes don't trigger them, and they rely on the
extension's own `package-lock.json` for npm caching. Permissions
follow least-privilege: workflow-level `contents: read`, with
`contents: write` granted only to the publish job for the GitHub
release upload step.
Giancarlo Erra