Changelog

[Unreleased]

Added

  • Docs: No Manual Migrations — media/docs: built-in checks and Quality overview, CLI tools page (install notes), configuration reference (devManager.realtime, noManualMigrations settings), changelog; English and Ukrainian.
  • Migration safety: full coverage pass — closes the remaining gaps for Prisma + Drizzle in one go:
    • Drizzle: regen-and-diff — wraps drizzle.config.* into a tmp ESM wrapper with out: swapped to a tmp dir, runs drizzle-kit generate, then diffs against on-disk migrations. Catches hand edits to existing .sql files (the previous journal-only check missed these). Falls back to the journal + drizzle-kit check path when regen tooling is unavailable.
    • Drizzle: robust out: resolution — replaces the regex parser with a node --input-type=module (or npx tsx) ESM probe, cached by config mtime. Falls back to the regex when the probe fails.
    • Prisma: multi-file schema (prismaSchemaFolder) — noManualMigrations, prismaValidate and prismaMigrateStatus now detect prisma/schema/*.prisma directories and pass them to --schema correctly.
    • Removed/renamed migrations — new detectRemovedMigrations() helper scans recent git history (configurable lookback) and flags any deleted or renamed migration file across all adapters (Prisma, Drizzle, Atlas) with code: 'migration-removed-or-renamed'. Settings: noManualMigrations.checkRemoved, noManualMigrations.gitLookback.
    • Squawk: data-risk + down-pair scanners — pure-Node post-pass that flags UPDATE/DELETE without LIMIT or batched WHERE id IN (...) (unbatched-data-migration), BEGIN/COMMIT blocks without SET LOCAL lock_timeout / statement_timeout (missing-lock-timeout), and missing *.down.sql / down() siblings for non-Prisma/Drizzle migrations (missing-down-migration). Settings: squawk.dataRisk (off|warn|error), squawk.requireDownMigration.
    • Prisma Migrate Status: realtime watch — re-runs prisma migrate status on changes to prisma/migrations/** and .env*, debounced to 2s and cached for 30s. Setting: prismaMigrateStatus.realtime.
    • Migrations CI Gate — new built-in provider that fails Quality Hub when an ORM project has no GitHub Actions workflow running migration safety commands (prisma migrate diff, drizzle-kit check, atlas migrate validate), or when realtime / noManualMigrations is disabled locally. Setting: migrationsCiGate.enabled.
    • Pre-commit: migrations strict mode — new realtime.precommit.migrationsMode (off|warn|block-strict) blocks commits where staged migration files have ANY SnakeFlow finding (warnings included). Also surfaces a one-time warning when core.hooksPath is overridden to a non-default path (a common silent --no-verify vector).

Changed

  • Default keybindings — moved from the Ctrl+M chord to Ctrl+Alt+<letter> (Ctrl+Alt+M main menu, Ctrl+Alt+S/Q/R servers, Ctrl+Alt+F / Ctrl+Alt+I full vs incremental Quality Hub, Ctrl+Alt+G GitHub issue, Ctrl+Alt+N scripts, Ctrl+Alt+P filter providers, Ctrl+Alt+H / Ctrl+Alt+Shift+H voice dictation). Docs and README updated to match.

[0.5.10] - 2026-04-22

Added

  • Enhanced Schema Linting and RLS Checks — New configuration options in package.json allow users to specify fields to ignore during schema linting and exclude specific SQL paths from checks. The RLS check provider now supports excluding tables from validation. These enhancements provide greater flexibility and control over schema validation processes.
  • Improved Workspace Data Handling — The getMemberships function has been updated to ensure workspace properties like repo_patterns and app_patterns are properly validated, preventing potential errors caused by invalid data structures. Membership refresh is now forced before editing patterns to guarantee the use of the latest data.
  • Custom Workflow Management — Introduced commands for creating, editing, deleting, and running custom workflows within the workflow manager. Commands are now dynamically registered to handle custom workflows as they are added or removed.
  • Advanced Migration Safety — Comprehensive migration safety checks for Prisma and Drizzle have been added, including the detection of removed or renamed migrations from Git history. New configuration options allow customization of lookback periods and enable/disable checks. A pre-commit gate is introduced for stricter migration checks, preventing commits with detected issues in staged migration files.
  • Documentation Enhancements — Updated documentation includes details on new migration safety checks, their configuration options, and the Migrations CI Gate. The Quality Hub documentation has been improved to clarify migration checks and their integration with CI workflows.
  • Schema Cleanup — Obsolete migration files, legacy columns, and tables related to push permissions and workspace management have been removed to streamline the migration process and reflect current application architecture.
  • Quality Checks and Configuration — Added new quality checks and enhanced existing ones. Configuration options have been expanded for wake lock management, real-time diagnostics, and custom workflows. TypeScript configuration enforces stricter type checking, and GitHub Actions workflows are updated for security by pinning third-party actions.
  • Command Execution Safety — New ESLint rules restrict the use of shell-injection-prone child_process APIs outside the quality-provider layer, promoting safer command execution. Commands now utilize utility functions to prevent potential security vulnerabilities.
  • Real-time Diagnostics and Quality Providers — New quality providers for dead exports and Knip enable real-time diagnostics. The status bar is enhanced to track new provider IDs. Wake lock management ensures better process handling, and promptfoo dependency is added for improved prompt management.
  • Rate-Limiting for Active Minutes — An hourly rate-limit for active minutes tracking has been implemented using a new KV namespace. The active-minutes API now utilizes this store, replacing the previous database approach. Documentation reflects the new rate-limit implementation.
  • Team Tracker Documentation — Updated documentation includes details on the per-workspace app allowlist feature, allowing admins to configure regex patterns for ActivityWatch app and title. Internal vs. external minute classification rules are clarified.
  • External App Tracking — Introduced a new APP_LABEL regex to validate synthetic labels for time spent in apps outside the workspace allowlist. The active-minutes API accommodates both repository and app labels.
  • Pre-commit Gate Functionality — Added a pre-commit gate command to block commits based on real-time errors, enhancing code quality before submission.
  • Hourly Cap for Active Minutes — Implemented a new table active_minutes_hourly to enforce a per-hour cap of 60 minutes. The active-minutes API incorporates this cap, and the TeamCollector tracks gated minutes.
  • Team Tracker Commands and Configuration — Introduced new commands for Team Tracker, including login, logout, status, and workspace management, along with configuration settings for activity tracking and ActivityWatch integration.
  • Streamlined Team Features — Removed the tools menu command and associated UI elements. Introduced new commands for team activity tracking and updated configuration options for team tracking.
  • Enhanced Cloud Dashboard and Team Management — Added new commands for managing teams, including editing repository patterns, generating invitations, syncing commit data, setting member roles, and managing workspace membership. The cloud dashboard supports these commands with new action buttons. Workspace member management has been improved by removing deprecated fields.
  • Simplified Cloud Dashboard UI — Removed redundant text and logout buttons from the team section in the cloud dashboard to streamline the user interface and focus on key metrics and actions.

Changed

  • Default Keybindings — Moved from the Ctrl+M chord to Ctrl+Alt+<letter> for various commands, including the main menu, servers, Quality Hub, GitHub issue, scripts, filter providers, and voice dictation. Documentation and README have been updated accordingly.

[0.5.9] - 2026-04-21

Added

  • Team Management Commands — Added new commands for managing teams within workspaces, including:
    • Editing repository patterns.
    • Generating invitations for new members.
    • Syncing commit data.
    • Setting member roles.
    • Kicking members from workspaces.
    • Leaving workspaces.
    • Deleting workspaces.
  • Enhanced Cloud Dashboard — The cloud dashboard now supports the new team management commands, providing a more comprehensive interface for workspace administration. New action buttons have been integrated for workspace and member management.

Changed

  • Simplified Team Section Display — Redundant explanatory text has been removed from the team section in the cloud dashboard to streamline the user interface and improve focus on key metrics and actions.
  • Removed Logout Buttons — “Sign out” buttons have been removed from the team section and header authentication in the cloud dashboard to simplify the user interface and focus on core workspace management actions.

Fixed

  • Workspace Member Fields — The is_primary and share_external_repo_names fields have been removed from the workspace_members table and related API endpoints. This simplifies workspace member management by eliminating deprecated fields.
  • Team Dashboard Metrics — Enhanced team dashboard metrics to include classification of commits as internal or external based on repository patterns. This provides more granular insights into team activity.

[0.5.8] - 2026-04-20

Security

  • Quality Hub — shell injection hardening — new _safeShell.ts with isSafeGitRef, isSafeRelPath, isSafeIdentifier, quoteShellArg, and UnsafeShellInputError. All settings-driven inputs in oasdiff, commitlint, graphqlInspector, bufBreaking, eslint, act, bearer, and prismaMigrateStatus are now strictly validated and shell-quoted before reaching git show / CLI invocations.
  • Quality Hub — secret scrubbing — scrubSecrets is now applied to HTTP error bodies in qualityProviderBase.httpRequest, CLI stdout/stderr in _thinCli, and bearer errors so tokens accidentally embedded in responses no longer leak into the sidebar.
  • Quality Hub — secretLeaks — wraps user-provided skipPatterns in try/catch to survive invalid regex; auto-gates when a stronger secret scanner (Gitleaks/TruffleHog) is enabled.
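
The validate-then-quote approach from the shell injection hardening entry, as an added TypeScript sketch (not SnakeFlow's _safeShell.ts). The function names are taken from the entry; the allow-list rules, the POSIX-only quoting, and the buildGitShowCommand / planBaselineRead helpers are assumptions made for illustration.

```typescript
// Added sketch: names mirror the changelog entry, the rules are assumptions.
class UnsafeShellInputError extends Error {
  constructor(kind: string, value: string) {
    super("unsafe " + kind + ": " + JSON.stringify(value));
    this.name = "UnsafeShellInputError";
  }
}

// Allow-list for git refs: the first character must be alphanumeric, so a
// settings value can never be parsed as a command-line option, and the rest
// is limited to [A-Za-z0-9._/-]. Revision syntax such as HEAD~1 is rejected.
function isSafeGitRef(ref: string): boolean {
  if (ref.length === 0 || ref.length > 255) return false;
  if (!/^[A-Za-z0-9][A-Za-z0-9._\/-]*$/.test(ref)) return false;
  if (ref.indexOf("..") !== -1 || ref.indexOf("//") !== -1) return false;
  return !/(\/|\.|\.lock)$/.test(ref);
}

// Relative paths only: not absolute, not drive-qualified, not option-like,
// no NUL byte and no parent-directory segment.
function isSafeRelPath(p: string): boolean {
  if (p.length === 0 || p.indexOf("\0") !== -1) return false;
  if (/^([\\/]|[A-Za-z]:|-)/.test(p)) return false;
  return p.split(/[\\/]/).indexOf("..") === -1;
}

// Identifiers such as rule or config names.
function isSafeIdentifier(id: string): boolean {
  return /^[A-Za-z_][A-Za-z0-9_-]{0,127}$/.test(id);
}

// POSIX sh quoting: wrap in single quotes, an embedded ' becomes '\''.
// cmd.exe and PowerShell have different rules and are not covered here.
function quoteShellArg(value: string): string {
  if (value.indexOf("\0") !== -1) throw new UnsafeShellInputError("argument", value);
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Validation runs first, quoting second: quoting alone does not stop a value
// that starts with '-' from being read as an option by the target CLI.
function buildGitShowCommand(baseRef: string, relPath: string): string {
  if (!isSafeGitRef(baseRef)) throw new UnsafeShellInputError("git ref", baseRef);
  if (!isSafeRelPath(relPath)) throw new UnsafeShellInputError("relative path", relPath);
  const gitPath = relPath.replace(/\\/g, "/"); // git object paths use forward slashes
  return "git show " + quoteShellArg(baseRef + ":" + gitPath);
}

type CheckOutcome =
  | { status: "ready"; command: string }
  | { status: "skip"; reason: string };

// A rejected setting becomes a skipped check rather than a crash or a shell call.
function planBaselineRead(settings: { baseRef: string; specPath: string }): CheckOutcome {
  try {
    return { status: "ready", command: buildGitShowCommand(settings.baseRef, settings.specPath) };
  } catch (err) {
    if (err instanceof Error && err.name === "UnsafeShellInputError") {
      return { status: "skip", reason: err.message };
    }
    throw err;
  }
}
```

Where the CLI can be started with an argument array (child_process.execFile or spawn without shell: true), no shell parses the values and quoting is unnecessary; the allow-list checks still apply because option-like values are interpreted by the target program, not the shell.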

Fixed

  • Quality Hub — auto-gate accuracy — gates now consult a BINARY_CACHE primed at the start of every run (primeBinaryCache()), so a heuristic only stands down when the stronger CLI is actually installed, not merely toggled on in settings.
  • Quality Hub — componentInventory — detects forwardRef(...), memo(...), and class components; accumulates prop counts across multiple parameters; resolves interface- and type-alias-based props within the same file.
  • Quality Hub — rlsCheck — narrows file targeting to migrations/ directories (Prisma, Drizzle, Atlas, sqlx, Rails, Supabase) and replaces naïve split(';') with a SQL splitter that respects single-quoted literals, dollar-quoted PL/pgSQL bodies ($$ … $$, $tag$ … $tag$), and -- / /* */ comments.
  • Quality Hub — complexity — default: clauses now contribute +1 to McCabe cyclomatic score alongside case clauses.
  • Quality Hub — magicNumbers — hoisted getFullText().split(/\r?\n/) out of the AST visitor, eliminating the per-literal O(N²) scan on large files.
  • Quality Hub — _thinCli — npxCliTool.isInstalled now resolves the npm package and probes node_modules/.bin (incl. .cmd on Windows) instead of trusting npx’s presence; child processes are killed when the caller’s AbortSignal fires; UnsafeShellInputError thrown from buildCommand is caught and reported as skip.
  • Quality Hub — cloud opt-in — profileEnableOverride no longer auto-enables cloud providers under any profile; tokens-and-billing providers stay strictly opt-in.
  • Quality Hub — noFocusedTests — .todo test cases are now counted and surfaced in the summary.
  • Quality Hub — pgtapPresence — verifies file contents call into the pgTAP API (plan, ok, is, throws_ok, has_table, …) before counting them as test files; mere placement under tests/ is no longer sufficient.
  • Quality Hub — _shared.collectSourceFiles — symlinks that escape the project root are now skipped, preventing infinite recursion and out-of-tree disclosure.
  • Quality Hub — _shared.readLines — strips trailing \r, fixing regex anchors on CRLF-terminated files.
  • Quality Hub — agentContext — recommendedSections now also targets .cursor/rules/** (largest file used as representative); GEMINI.md line cap reads dedicated geminiMd.failLines (default 300) instead of warnLines * 2. recommendedSections also recognises CLAUDE.md / GEMINI.md as pointer files when they merely link to AGENTS.md (≤10 non-heading lines, each referencing agents.md) — pointers inherit the grade from AGENTS.md instead of being penalised for missing sections, matching the agents.md convention.
  • Quality Hub — Doctor — header reports both the active profile and isStrictModeActive() instead of the raw strictMode flag.
  • Quality Hub — Setup Wizard — Socket.dev added to PROVIDER_SETUP; tagline catalogue updated for anyCoverage, componentInventory, socket, and deadExports.
  • Quality Hub — vibe profile — strong-provider set now includes golangciLint, act, schemaLint, trojanSource, vale, alex, lychee, promptfoo, dotenvLinter.
  • Subcategory — edgeCompat recategorised as quality (was security).
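
A statement splitter of the kind the rlsCheck entry describes, as an added TypeScript example (not SnakeFlow's implementation). splitSqlStatements, tablesMissingRls and the sample migration are constructed for illustration; the rule shown (every CREATE TABLE needs a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY in the same file) is an assumption about what such a check looks for.

```typescript
// Added illustration: split a PostgreSQL migration on real statement
// terminators only, ignoring ';' inside literals, dollar quotes and comments.
function splitSqlStatements(sql: string): string[] {
  const statements: string[] = [];
  let current = "";
  let i = 0;
  const flush = (): void => {
    const trimmed = current.trim();
    if (trimmed.length > 0) statements.push(trimmed);
    current = "";
  };

  while (i < sql.length) {
    const two = sql.slice(i, i + 2);
    const ch = sql.charAt(i);

    if (two === "--") {                      // line comment: drop up to end of line
      const eol = sql.indexOf("\n", i);
      i = eol === -1 ? sql.length : eol;
      continue;
    }
    if (two === "/*") {                      // block comment; PostgreSQL allows nesting
      let depth = 1;
      i += 2;
      while (i < sql.length && depth > 0) {
        const pair = sql.slice(i, i + 2);
        if (pair === "/*") { depth++; i += 2; }
        else if (pair === "*/") { depth--; i += 2; }
        else { i++; }
      }
      current += " ";
      continue;
    }
    if (ch === "'") {                        // string literal; '' is an escaped quote
      let j = i + 1;
      while (j < sql.length) {
        if (sql.charAt(j) === "'") {
          if (sql.charAt(j + 1) === "'") { j += 2; continue; }
          break;
        }
        j++;
      }
      current += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (ch === "$") {                        // $$ ... $$ or $tag$ ... $tag$
      // Tags are identifiers (at most 63 bytes); $1-style parameters do not match.
      const openTag = /^\$([A-Za-z_][A-Za-z0-9_]*)?\$/.exec(sql.slice(i, i + 66));
      if (openTag !== null) {
        const tag = openTag[0];
        const close = sql.indexOf(tag, i + tag.length);
        const end = close === -1 ? sql.length : close + tag.length;
        current += sql.slice(i, end);        // keep the whole body as one unit
        i = end;
        continue;
      }
    }
    if (ch === ";") { flush(); i++; continue; }
    current += ch;
    i++;
  }
  flush();
  return statements;
}

// Tables created in a migration that never get ENABLE ROW LEVEL SECURITY.
function tablesMissingRls(sql: string): string[] {
  const tableName = (raw: string | undefined): string =>
    (raw || "").replace(/"/g, "").toLowerCase();
  const created: string[] = [];
  const enabled: { [table: string]: boolean } = {};
  for (const stmt of splitSqlStatements(sql)) {
    const create = /^create\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/i.exec(stmt);
    if (create !== null) { created.push(tableName(create[1])); continue; }
    const alter = /^alter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?([\w."]+)\s+enable\s+row\s+level\s+security/i.exec(stmt);
    if (alter !== null) enabled[tableName(alter[1])] = true;
  }
  return created.filter((t) => enabled[t] !== true);
}

// Constructed sample migration; every awkward ';' below is deliberate.
const SAMPLE_MIGRATION = [
  "-- constructed sample; this ';' must not split anything",
  "CREATE TABLE public.accounts (id uuid PRIMARY KEY, note text DEFAULT 'a;b');",
  "ALTER TABLE public.accounts ENABLE ROW LEVEL SECURITY;",
  "CREATE TABLE public.audit_log (id bigint, msg text); /* no RLS; flagged */",
  "CREATE FUNCTION touch() RETURNS trigger AS $fn$",
  "BEGIN",
  "  NEW.note := 'it''s; fine';",
  "  RETURN NEW;",
  "END;",
  "$fn$ LANGUAGE plpgsql;",
  "INSERT INTO public.audit_log (msg) VALUES ('CREATE TABLE ghost (id int);');",
].join("\n");
```

On the sample, a plain split(';') cuts the function body and the string literals apart; the splitter yields five statements, and only public.audit_log is reported as lacking RLS (the CREATE TABLE text inside the INSERT literal is not mistaken for a statement).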

Docs

  • AGENTS.md clarifies provider categories (builtin / cli / cloud / custom) and surfaces isQualityProviderEnabled as the canonical gate.
  • README.md corrects the cloud-provider count from 16 to 10 and lists each provider explicitly.
  • reference/configuration.md notes that the table is representative and the canonical list lives in the package.json contributes.configuration section.

[0.5.7] - 2026-04-20

Added

  • Quality Hub — profiles — devManager.quality.profile (strict, balanced, vibe, default strict). Strict mode turns on every check by default, promotes missing tooling to failures when combined with strict behaviour, and supports optional devManager.quality.warnAsFail to treat warnings as failures. Balanced keeps the same default enablement but leaves warnings as warnings. Vibe enables only strong cloud + external-CLI checks by default; heuristic built-ins are opt-in via per-provider enabled.
  • Quality Hub — 26 new built-in checks — supply chain (attw, publint, lockfileLint, npmProvenance, syncpack, manypkg, scorecard), quality (typeCoverage, commitlint, noFocusedTests, stylelint, prettierCheck), performance (sizeLimit, lighthouseCi), API contracts (oasdiff, graphqlInspector, bufBreaking), security and supply extras (dockle, grype, dive, hardenRunnerAudit, sbom, sentrySourcemaps, trojanSource), database (rlsCheck, pgtapPresence, sqruff), and docs/prose (vale, alex, lychee, promptfoo, dotenvLinter). Each maps to devManager.quality.builtin.<id>.* settings in the extension manifest.
  • Quality Hub — Socket.dev — cloud provider socket for npm supply-chain signals (malicious packages, install scripts, telemetry, typosquatting). Configure devManager.quality.socket.{enabled, token, thresholdCritical, thresholdHigh}.
  • Quality Hub — auto-gate — additional pairs so weaker heuristics stand down when Stylelint, Commitlint, Lighthouse CI, Size Limit, or attw-style tooling is configured in the repo.

Removed

  • Quality Hub (BREAKING) — removed built-in providers eslintSecurity and migrationsExist. Use the main ESLint provider with eslint-plugin-security, and migration/schema checks (prismaMigrateStatus, drizzleCheck, atlas, squawk, etc.) instead.
  • Database Tools menu — removed SnakeFlow: Database Tools, the database.ts command module, ORM auto-detection used only by that menu, and related settings/commands. Run database CLIs directly or via your agent workflow.

Changed

  • Quality Hub — stronger heuristics — rewritten on the TypeScript compiler API where applicable: structural fingerprints for duplicate UI components, per-function McCabe complexity, AST-based any and magic-number detection, stronger secret scanning (entropy + updated patterns, always-on alongside other scanners), neutral README section checks, and broader agent-context file detection with a consistent recommended section layout for agent docs.
  • Wake Lock — the status bar toggle is the single source of truth; the lock is held only while there is real editor activity (edits, saves, terminal, tasks, debug, Quality Hub). After devManager.wakeLock.idleThresholdSeconds (default 120) of idle time the lock releases. Removed devManager.wakeLock.keepAwakeDuringSession; added devManager.wakeLock.idleThresholdSeconds (30–1800).

[0.5.6] - 2026-04-18

Added

  • Quality Hub — auto-gate duplicate built-ins — new setting devManager.quality.autoGateDuplicates.enabled (default true). When a stronger alternative is active in the project, the overlapping regex/heuristic built-in silently stands down (its isConfigured() returns false). Pairs auto-gated: Type Safety / Broad Types / Return Types / Non-Null Assertions / Enum Usage → ESLint @typescript-eslint; Parameter Count → any JS/TS linter (ESLint / Biome / Oxlint); Long Lines / Mixed Indent → Prettier / Biome / EditorConfig; React Hook Rules → eslint-plugin-react-hooks; Accessibility → eslint-plugin-jsx-a11y; Secret Leaks → Trivy / Bearer / Semgrep (when enabled); ESLint Security → eslint-plugin-security already in main config; LCOV Coverage → Codecov / Coveralls (when configured); Copy-Paste (jscpd) → SonarCloud (reports duplicated_lines_density); Cross-Layer Imports → dependency-cruiser or arch-DSL; Coupling Metrics / Import Depth / Barrel Files → dependency-cruiser. Set to false to run every enabled provider regardless of overlap.
  • Quality Hub — filter / search — new title-bar button (magnifier) and command SnakeFlow: Filter Quality Providers... (shortcut Ctrl+Alt+P). Enter a term to filter the tree by provider id, label, summary, details, or tagline across Cloud / Built-in / Custom groups and all subcategories. While a filter is active a header row shows Filter: "term" — click to clear; the title-bar magnifier switches to a clear-filter icon. Empty groups collapse, so you can quickly narrow to one provider among 40+.
  • Wake Lock — full coverage for AI chat sessions — two new settings make the wake lock work while the AI agent generates in Cursor / VS Code / Antigravity (those IDEs do not expose a public “assistant is generating” event). devManager.wakeLock.keepAwakeDuringSession (default true) holds the lock for the entire editor session, so the PC never sleeps while the window is open. devManager.wakeLock.keepDisplayAwake (default true) adds ES_DISPLAY_REQUIRED on Windows and uses caffeinate -di on macOS, so the monitor also stays on (previously the extension only prevented system sleep — the display still blanked after the OS idle timer).
  • Project Structure — Tags (Nx-style) — orthogonal axis on top of layers. New settings devManager.quality.builtin.projectStructure.tagDefs (assign tags to files by path glob) and tagRules (restrict which tag sets may import each other). Covers scope:* and type:* cross-cutting concerns that strict layering can’t express. The auto-synced AGENTS.md managed block now surfaces a Tags table alongside the Layer table.
  • Scorecard export — new command SnakeFlow: Export Quality Scorecard (Backstage) runs the full Quality Hub and writes a Backstage-compatible SystemScorecard JSON (apiVersion, kind, metadata, spec.checks[]) to devManager.quality.scorecard.outputPath (default scorecard.json). Zero new dependencies — plugs SnakeFlow straight into Backstage / Cortex / Port dashboards.
  • Layer graph export — new command SnakeFlow: Export Layer Graph (DOT) emits a Graphviz .dot of the inter-layer import graph derived from projectStructure.layers. Violations are drawn as dashed red edges. Render with dot -Tsvg layer-graph.dot -o layer-graph.svg. Single source of truth: same layers config that enforces the rules also generates the picture.
  • CodeQL (SARIF) built-in — new provider builtin-codeql reads findings from a pre-generated SARIF file (fast, offline, default) or optionally runs the codeql CLI live with per-git-SHA caching. Parses rule IDs, levels, file:line, and messages into Quality Hub results. Cross-function dataflow SAST used by GitHub Advanced Security; free for OSS. Settings: codeql.{enabled, sarifPath, runCli, cliPath, suites, cacheDir}.
  • Dead Exports — new provider builtin-deadExports flags named TS/JS exports no other file imports. Reuses the import graph SnakeFlow already builds for projectStructure.layers; follows re-exports and barrels explicitly. Complements Knip (faster, no subprocess, catches barrel false-negatives). Ignore list via deadExports.ignore.
  • Architecture DSL — new provider builtin-archDsl loads an opt-in .snakeflow/architecture.ts file containing ArchUnit-style fitness functions (rule(name).from(layer('domain')).shouldNot().dependOn(layer('ui'))) and evaluates them against the import graph. Transpiled via esbuild, executed in a Node vm sandbox that blocks all require() except a virtual snakeflow module — no network or fs escapes. Supports both layer() and tag() selectors.
  • Stale Feature Flags — new provider builtin-staleFlags scans for references to retired flag keys (staleFlags.retiredKeys). Matches flags.X, flags['X'], flags.get('X'), isEnabled('X'), featureFlag('X'). Piranha-inspired — reports every call site with file:line so the AI agent can rewrite dead branches.
  • Bundle Size Budget — new provider builtin-bundleBudget parses an esbuild --metafile=meta.json and fails when any output exceeds its budget. Budgets declared as [{ pattern: "dist/extension.js", maxKB: 2048 }]; patterns are path globs matched against metafile output keys. Reports actual KB + percent over budget.
  • Project Structure — Layer Visibility (Bazel-style) — new setting devManager.quality.builtin.projectStructure.layers declares architectural layers (name, path glob, canImport allow-list). Built-in TypeScript/JavaScript import parser validates every relative import against the declared layer graph; external/package imports are ignored. Supports per-file exceptions: [{file, canImport}] for friend-module patterns and upfront graph validation — duplicate names, unknown layer references, and cyclic canImport edges produce a single fail with the exact cycle path instead of noisy per-import warnings.
  • AGENTS.md Structure Sync — new command SnakeFlow: Sync AGENTS.md Structure Block regenerates a managed region inside AGENTS.md (between <!-- SNAKEFLOW:STRUCTURE:BEGIN --> / :END --> markers) from projectStructure.fileRules / folderRules and quality.skipFiles / skipDirs. Auto-syncs on settings change when devManager.agentContext.structureSync.autoSync is true (default). Only non-inferable architectural hints (layer rules, file placement, required exports, don’t-touch zones) are injected — numeric limits are deliberately excluded per Anthropic context-engineering guidance and ETH Zurich (Feb 2026) research showing auto-generated context files reduce agent success by 0.5–3%.
  • Agent Context — Structure Block Drift sub-check — warns when the managed block in AGENTS.md drifted from projectStructure settings; run the sync command (or change any watched setting) to regenerate.
  • dependency-cruiser inline rules — new setting devManager.quality.builtin.dependencyCruiser.rules accepts a full depcruise configuration object directly in settings.json. When non-empty, it is materialised to a temp .dependency-cruiser.json and passed via --config on each run; the temp file is cleaned up afterwards. Precedence: settings rules → local .dependency-cruiser.* file → --no-config. This lets JS/TS projects keep all Quality Hub configuration in VS Code settings without committing a separate JS config file, and works seamlessly with Cloud Settings Sync.

Fixed

  • Heavy Imports check — no longer flags example import statements that live inside JSDoc / block comments (false positive on its own source file). Line and block comments are now skipped before the import regex runs.
  • Directory Depth check — stops recursing into nested sub-packages (directories that carry their own package.json / Cargo.toml / go.mod / pyproject.toml / composer.json / pom.xml). Embedded docs sites (e.g. media/docs/** Astro Starlight) and monorepo members are no longer reported against the outer project’s depth budget.
  • Coupling Metrics check — strips comments before counting imports (prevents inflated fan-out from JSDoc examples) and adds a new devManager.quality.builtin.couplingMetrics.ignoreFiles setting to exclude legitimate composition roots / provider registries from the high-fan-out report.

Changed

  • Cloud registration flow — made silent registration resilient: retries on every activation until it succeeds (tracked via snakeflow.cloud.registeredAt) instead of running exactly once. Previously, the one-shot flag was set before the attempt, so users who had no GitHub session at first activation never registered, even after later signing in.
  • Cloud onboarding CTA — users without an active GitHub session now see a one-time, non-intrusive prompt (Sign in / Not now / Don't show again) instead of silently skipping. Controlled by snakeflow.cloud.onboardingShownAt.
  • Cloud HTTP layer — added a 10s request timeout, explicit UTF-8 decoding, and server-error propagation (non-2xx responses now throw with the server’s error message instead of being parsed as “no token”).
  • Cloud diagnostics — silent registration now logs outcomes (skip reason, HTTP errors, network/timeout) to the SnakeFlow output channel instead of swallowing every failure.

[0.3.16] - 2026-04-16

Fixed

  • Git API typing — GitRepository in the shared helper now declares checkout, matching the built-in Git extension API used for branch checkout.
  • Build scripts — npm run compile / watch / vscode:prepublish now call media/docs/sync-changelog.cjs (the script lives next to the docs site, not under a top-level docs/ folder).

Changed

  • Documentation — refreshed the docs site: Quality Hub overview and cloud provider list aligned with the extension, command palette reference (including incremental quality runs and internal commands), built-in checks catalog, and Quick Start keybinding reference (later releases use Ctrl+Alt+<letter> defaults with separate chords for incremental runs vs GitHub issue creation).

[0.3.15] - 2026-04-14

Fixed

  • Squawk encoding — stderr from Squawk (and Windows system errors) is now sanitized before display. Non-ASCII bytes caused by the cp1251 / UTF-8 mismatch on Windows are now replaced with ?, so the error hint in Quality Hub is always readable ASCII instead of mojibake.

[0.3.14] - 2026-04-14

Fixed

  • Marketplace installation — removed JavaScript obfuscation from the build. The javascript-obfuscator output (hex identifiers + base64 string arrays) was triggering Windows Defender false positives, causing the VSIX to be quarantined mid-download and resulting in a truncated ZIP error on installation.

[0.3.13] - 2026-04-14

Added

  • Bearer on Windows — Bearer SAST scanner now probes Scoop/WinGet shims and, if no native binary is found, transparently runs Bearer inside WSL (wsl -e bearer) with the project dir remapped to /mnt/<drive>/… — falling back to Docker only as a last resort. Install options: native bearer.exe on PATH, curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh inside WSL, or docker pull bearer/bearer.
  • Squawk: auto-detect .squawk.toml — Squawk provider now automatically locates .squawk.toml in the project root or any direct subdirectory (e.g. application/.squawk.toml) and passes --config to the CLI.
  • Squawk: excludeRules setting — new devManager.quality.builtin.squawk.excludeRules (string array) maps to --exclude-rule CLI flags.
  • Squawk: assumeInTransaction setting — new devManager.quality.builtin.squawk.assumeInTransaction boolean passes --assume-in-transaction to suppress warnings about statements safe only inside transactions.
  • Bearer: enabled and path settings — new devManager.quality.builtin.bearer.enabled and devManager.quality.builtin.bearer.path for explicit provider control.

Fixed

  • Semgrep — binary blocked by Device Guard or antivirus (UNKNOWN, ENOENT, EPERM) now returns skip with a helpful message instead of an opaque error.
  • Semgrep: relative --config — relative paths in devManager.quality.semgrep.config (e.g. application/.semgrep/) are now resolved against the project root for both local and Docker runs. Previously they resolved against the VS Code host process cwd and produced unable to find a config errors. Missing config paths now surface a clear config not found error up front instead of Semgrep’s generic warning.
  • Squawk — binary blocked by Device Guard or antivirus now returns a clear error message with install instructions.

[0.4.0] - 2024-05-15

Added

  • Squawk 2.x Support — enhanced handling for Squawk 2.x flat violations output.
  • Git Progress Notifications — new progress notifications provide better user experience during Git operations.
  • Changelog Generation Command — a new command to generate a changelog from Git commits, improving project documentation.
  • Breaking Change Support — changelog generation now supports breaking changes and conventional commit types.
  • New Project Management Commands — multiple new commands added, including ‘Copy Result’, ‘Add Steps to Pipeline’, and ‘Send Issue to Chat’.
  • Quality Check Configurations — introduced new quality check configurations.
  • CI/CD, Cloud Sync, and Voice Dictation Commands — new commands enhance features in these areas.
  • Automatic Changelog Updates — changelog automatically updates with new commit entries under ## [Unreleased].
  • Auto Changelog Setting — a new setting in package.json for auto changelog functionality.
  • Dynamic Versioning — the extension now reads the version from package.json for dynamic versioning in the changelog.
  • Semantic Version Suggestion — logic implemented to suggest the next semantic version based on commit types.
  • Development Prompts Customization — added default milestone and customized prompts for issue and PR analysis in the devManager settings.

Changed

  • API Keys Tab and Cloud API Removed — the API Keys tab in the SnakeFlow Cloud Dashboard and associated API endpoints (for generating and managing personal API keys) have been removed.
  • Native Git Operations — Git operations (fetching, pulling, and pushing branches) now use native VS Code Git API calls for better integration and status updates, replacing terminal command executions.
  • Changelog Entry Structure — changelog entries are now organized by conventional commit types and include breaking flags for a refined structure.
  • Changelog Version Sections — changelog entry insertion now supports version-specific sections for better organization and clarity.
  • Existing Commands Refactored — existing commands have been refactored for better integration and usability.
  • Changelog Display Mode — changelog entries are now prepended to the file (instead of appended) for better visibility of recent changes.

Improved

  • Squawk Output Processing — Squawk output parsing now supports multiple formats (flat array, array of file reports, object keyed by filename) with enhanced error handling.
  • Quality Command Installation Feedback — progress notifications added for quality command installation.
  • Changelog Command Integration — seamless integration of the changelog command within the extension.
  • Changelog Readability — noise filtering, sorting, and formatting of commits in the changelog have been enhanced for better readability.
  • Documentation and User Experience — overall documentation and user experience have been improved, including command descriptions.
  • Changelog Generation Process — the overall changelog generation process has been enhanced for better usability and integration.
  • Code Review and CI Analysis Guidance — improved guidance for code review and CI analysis, ensuring a structured approach to handling PRs and issues.

[0.3.12] - 2026-04-14

Fixed

  • Changelog sync — docs changelog is now always kept in sync with the root CHANGELOG.md on every build, package, and watch start.

[0.3.11] - 2026-04-13

Added

  • Silent cloud registration — on first activation, SnakeFlow silently registers the user in SnakeFlow Cloud if a GitHub session is already present in the IDE (no prompts or dialogs). A one-time notification confirms the connection with an “Open Dashboard” shortcut.

Changed

  • Cloud auth scope reduced — the GitHub OAuth scope for SnakeFlow Cloud login is now read:user only (previously repo, read:user, read:org). GitHub Features such as Issues and Pull Requests still use the full scope set; only the cloud JWT exchange was narrowed.

[0.3.10] - 2026-04-13

Changed

  • Support contact — extension metadata, license, and documentation now list vaulttec-dev@proton.me as the primary contact address.

[0.3.9] - 2026-04-13

Changed

  • Marketplace discovery — package.json now uses only VS Code–allowed Marketplace categories (invalid Databases removed) and fills the keyword tag list to the documented limit for better search visibility.

[0.3.8] - 2026-04-12

Added

  • API Keys tab — new tab in the SnakeFlow Cloud Dashboard to generate and manage personal API keys for programmatic access to the SnakeFlow Cloud API. Supports creating keys (with a custom name), copying the key on first reveal, and revoking existing keys. Keys authenticate via the X-API-Key header.
  • SnakeFlow Cloud API — new REST endpoints: GET /api/keys, POST /api/keys, DELETE /api/keys/:id. API keys use the snfk_ prefix format (industry-standard). Raw keys are never stored — only a SHA-256 hash is persisted.
  • API Reference — interactive Scalar API Reference page added to the documentation site at snakeflow.pages.dev/api-reference. Covers all Cloud API endpoints with request/response schemas and try-it-out support.
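
The key-handling scheme in the 0.3.8 entries (snfk_ prefix, raw key shown once, only a SHA-256 hash persisted, lookup by the X-API-Key header value) can be sketched as follows. This is an added example, not SnakeFlow Cloud code; the function names, the in-memory Map store and the 32-byte key length are assumptions.

```javascript
// Added illustration; not SnakeFlow Cloud source. Names are hypothetical.
const crypto = require('node:crypto');

const KEY_PREFIX = 'snfk_'; // prefix format named in the changelog entry

// Hex SHA-256 of the raw key: the only form that is persisted. A fast hash
// is acceptable here because the key is 256 bits of randomness, not a
// human-chosen password.
function hashKey(rawKey) {
  return crypto.createHash('sha256').update(rawKey, 'utf8').digest('hex');
}

// Create a key. The raw value is returned once (first reveal) and not stored.
function createKey(store, name) {
  const rawKey = KEY_PREFIX + crypto.randomBytes(32).toString('base64url');
  const id = crypto.randomUUID();
  store.set(id, { name, keyHash: hashKey(rawKey), createdAt: Date.now() });
  return { id, rawKey };
}

// Check the value of an X-API-Key header. Returns the key id, or null.
function authenticate(store, headerValue) {
  if (typeof headerValue !== 'string' || !headerValue.startsWith(KEY_PREFIX)) {
    return null;
  }
  const candidate = Buffer.from(hashKey(headerValue), 'hex');
  let match = null;
  for (const [id, record] of store) {
    // Equal-length digests compared in constant time; scan continues after a hit.
    if (crypto.timingSafeEqual(candidate, Buffer.from(record.keyHash, 'hex'))) {
      match = id;
    }
  }
  return match;
}

// Revocation deletes the stored hash, so the raw key stops authenticating.
function revokeKey(store, id) {
  return store.delete(id);
}
```

A leaked copy of the store contains only digests, so it cannot be replayed as an X-API-Key value.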

[0.3.7] - 2026-04-12

Changed

  • Voice Dictation (status bar) — after transcription, the IDE chat panel is focused and text is pasted automatically into the current conversation without creating a new chat.

[0.3.6] - 2026-04-12

Changed

  • Voice Dictation (status bar) — transcribed text is now copied to clipboard instead of opening a new chat. A notification with an “Open Chat” button lets you paste into the current conversation with Ctrl+V.

Added

  • Voice Dictation for comments — microphone button added to the “Add comment” field in Edit Issue form. Dictate comments the same way as descriptions.

[0.3.5] - 2026-04-12

Added

  • Voice Dictation — new microphone button $(mic) in the status bar (Windows only). Click once to start recording, click again to stop — Gemini AI transcribes the audio and sends the result directly to the IDE chat (Cursor Chat / Copilot Chat). Requires devManager.gemini.apiKey.
  • Voice Dictation in Issue forms — microphone button added to the Description field in both New Issue and Edit Issue forms. Records audio via system microphone and inserts the transcribed text into the description.
  • devManager.gemini.dictationLanguage — new setting to specify the spoken language for voice dictation transcription (auto, uk, en, de, fr, es, pl, and more). Defaults to auto (Gemini detects language automatically).

[0.3.4] - 2026-04-12

Added

  • Cloud Dashboard — Push Access control — repository settings owners can now manage who is allowed to push configuration to the cloud. Other team members see a read-only list and their own push access status.

Fixed

  • Cloud Dashboard buttons — navigation tabs (Overview, Projects, Account) and all action buttons (Push to Cloud, Pull from Cloud, Logout, Delete) are now fully interactive.

Changed

  • Cloud Dashboard — Refresh button consolidated to the footer; removed the duplicate from the Overview card.

[0.3.3] - 2026-04-12

Added

  • devManager.quality.skipFiles — new workspace setting to exclude specific files and path patterns from Quality Hub checks. Supports relative paths, *.vsix, and **/suffix glob patterns. Applied to line count, TODO count, import depth, test ratio, file size, and Semgrep result aggregation.
  • devManager.quality.builtin.pkgAudit.failOnHigh — controls severity threshold for the Package Audit check: when false, HIGH-severity npm vulnerabilities report as warn instead of fail (only CRITICAL triggers a failure). Useful for gradually tightening supply-chain hygiene.
  • Documented settings thresholds — Coupling Metrics, Magic Numbers, and Parameter Count built-in checks now expose their warning/failure thresholds in the Settings UI for easy customization.

Changed

  • Semgrep built-in: suppressed the path-join-resolve-traversal rule for workspace paths to reduce noise on trusted codebases.
  • Import Depth built-in: comment lines are no longer counted — regex examples in source code no longer inflate import-depth scores.
  • Long Lines built-in: skipFiles exclusion list is now applied during file iteration for consistency with other checks.
  • Debug Leaks built-in: build-tooling scripts are correctly identified and excluded when the “skip script files” option is enabled.
  • File Size built-in: packaged extension artifacts are excluded from the largest-files report.

[0.3.2] - 2026-04-12

[0.3.1] - 2026-04-12


[0.3.0] - 2026-04-11

Changed

  • Build / distribution — extension ships as a single bundled file for a smaller .vsix and simpler deployment. Developer workflow: compile / build / vscode:prepublish for release; watch for fast rebuilds during extension development; bundle for a non-minified debug build.
  • Removed legacy build pipeline — the old sequential project runner is gone. Ctrl+Alt+F runs Quality Hub only. For lint, typecheck, tests, and build, use custom checks in settings or built-in / CLI providers.

[0.2.9] - 2026-04-11

Changed

  • License — switched from MIT to a proprietary license: free to install and use for personal or internal business use; redistribution, modification, forking, and commercial resale are not allowed. See the LICENSE file in the package for full terms.

[0.2.8] - 2026-04-11

Added

  • Documentation link in main menu — new “Open Documentation” item in the Tools submenu (Ctrl+Alt+M → Tools → Open Documentation) opens snakeflow.pages.dev in the browser.
  • Email icon in docs header — contact email icon added to the documentation site navigation bar.

Fixed

  • VS Code Marketplace metadata — updated homepage, support contact, categories (including Debuggers and Linters), and keywords for clearer discovery.

[0.2.7] - 2026-04-11

Changed

  • Marketplace metadata — homepage now points to the documentation site; support contact updated; added Debuggers and Linters categories; expanded keywords.

[0.2.6] - 2026-04-11

Added

  • Documentation site — launched snakeflow.pages.dev built with Astro Starlight; covers all features, quality checks, configuration reference, CLI tool installation, cloud provider setup, FAQ, and Changelog. Available in English and Ukrainian.
  • Green snake icon — extension icon and documentation logo updated to green (#22c55e) variant.
  • Contact — support email added to README and documentation FAQ.

Fixed

  • Package size — reduced from 83 MB to 325 KB by excluding docs/ and .github/ from the package via .vscodeignore.
  • tsconfig — added docs to exclude list to prevent Astro source files from being compiled by the root TypeScript compiler.

[0.2.5] - 2026-04-11

Fixed

  • Cross-platform binary detection — CLI tools are checked for presence on PATH before running, so missing tools return skip instead of a confusing error (notably on Windows with non-English locales). Applies to Hadolint, ShellCheck, golangci-lint, Trivy, and Bandit.
  • README rewritten — now covers every feature, all 60+ quality checks, Docker Desktop installation, Docker image pull instructions, CLI tool installation for every supported platform, cloud provider setup, and full configuration reference.

[0.2.4] - 2026-04-11

Added

  • Stryker — mutation testing provider for JS/TS projects; reports mutation score with killed/survived/no-coverage breakdown (npm i -D @stryker-mutator/core)
  • Bearer — SAST security scanning provider that detects sensitive data flows and vulnerabilities (bearer scan)
  • Component Inventory — pure Node.js check that scans exported React/Vue/Svelte components and hooks, groups them by UI pattern (Button, Modal, Input, etc.) and flags consolidation opportunities
  • Any Coverage — reads generic coverage-summary.json (Istanbul/NYC/Jest) and reports line/branch/function coverage percentages
  • LCOV Coverage — parses lcov.info files; works with any language that generates LCOV (Jest, Go, Python coverage, Ruby, etc.)
  • JSDoc Coverage — estimates JSDoc documentation coverage for JS/TS exported functions and classes (pure Node.js)
  • golangci-lint — runs golangci-lint run --out-format json for Go projects; reports linter violations by severity
  • GitHub Actions Audit — pure Node.js check that scans .github/workflows/ YAML files for security issues: pinned actions, pull_request_target, actions/github-script, dangerous ${{ }} expressions
  • Empty Tests — detects test files with no assertions (it/test/expect/assert blocks), multi-language (JS/TS/Python/Go/Java/Rust)
  • Heavy Imports — flags JS/TS files importing known large libraries (lodash, moment, rxjs, antd, etc.) without tree-shaking-friendly subpath imports
  • Coupling Metrics — measures afferent/efferent coupling and instability index per file; flags highly unstable or overly depended-upon modules
  • Magic Numbers — detects hardcoded numeric literals that should be named constants, multi-language
  • Parameter Count — flags functions/methods with too many parameters (default: warn ≥4, fail ≥7)
  • Barrel Files — detects oversized index.ts/js re-export barrels that hurt tree-shaking and build performance
  • Cross-Layer Imports — detects forbidden import direction violations between architectural layers (e.g. utils importing from components)

Fixed

  • Bearer — JSON output was never parsed correctly: bearer scan --format json outputs findings grouped by severity ({ critical, high, medium, low }), but the parser expected a flat findings[] array, so every scan reported “No findings”

[0.2.3] - 2026-04-11

Added

  • Git branch status bar item now auto-fetches from remote every 60 seconds and on window focus — ahead/behind counts stay in sync with the remote without manual refresh

Changed

  • Git branch status bar item repositioned immediately to the right of VS Code’s built-in sync button for a more natural grouping
  • Git branch status bar item no longer shows the branch name (VS Code already shows it) — displays icon + ahead/behind indicators only
  • GitHub auth status bar item no longer shows the account name — displays icon only (account name visible in tooltip)
  • Clicking a branch in the Git Branches sidebar now opens it on GitHub (compare view) instead of checking it out locally
  • Removed “Delete Multiple Branches” and “Delete Gone Branches” buttons from the Git Branches panel title bar

Fixed

  • skill-template/SKILL.md was excluded from the packaged .vsix by .vscodeignore — caused “Error creating skill: ENOENT” when running the Create Skill command

[0.2.2] - 2026-04-08

Changed

  • Changelog translated to English

[0.2.1] - 2026-04-08

Fixed

  • Fixed Marketplace metadata links (repository, bugs, homepage)
  • Windows PowerShell commands now use spawn with an array of arguments instead of exec with a string — fixes nested-quote issues when passing PowerShell scripts through cmd.exe
  • killByPort on Windows: rewritten with spawn, timeout, and double-resolve guard
  • getPortPids on Windows: rewritten with spawn — more reliable delivery of multi-line PS scripts
  • getProcessDescription on Windows: rewritten with spawnSync and argument array
  • lsof on macOS/Linux: now correctly handles ENOENT (lsof not installed) — resolves silently instead of throwing
  • getOrCreateTerminal: added env parameter for passing environment variables; when env is provided a fresh terminal is always created so the env takes effect
  • runInTerminal: forwards env to getOrCreateTerminal
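
The spawn-with-argument-array pattern from the 0.2.1 fixes, including the timeout and the silent ENOENT handling, looks like this in Node.js. This is an added example, not SnakeFlow source: the helper names and the sample script are constructed, and a child Node process stands in for PowerShell so the round trip can be checked on any platform.

```javascript
// Added illustration; not SnakeFlow source. Helper names are hypothetical.
const { spawnSync } = require('node:child_process');

// Constructed sample: a multi-line PowerShell script with nested quotes,
// the kind of text that breaks when spliced into one cmd.exe command string.
const SAMPLE_SCRIPT = [
  '$c = Get-NetTCPConnection -LocalPort 3000 -ErrorAction SilentlyContinue',
  `$c | ForEach-Object { "pid=$($_.OwningProcess) state='$($_.State)'" }`,
].join('\n');

// argv for powershell.exe: the whole script is ONE array element, so no
// shell re-parses its quotes, pipes or newlines.
function powershellArgv(script) {
  return ['-NoProfile', '-NonInteractive', '-Command', script];
}

// Run a program without a shell. Returns stdout, or null when the binary is
// not installed (ENOENT) or the timeout expires, instead of throwing.
function runNoShell(command, args, timeoutMs = 5000) {
  const r = spawnSync(command, args, {
    shell: false, encoding: 'utf8', timeout: timeoutMs, windowsHide: true,
  });
  if (r.error) {
    if (r.error.code === 'ENOENT' || r.error.code === 'ETIMEDOUT') return null;
    throw r.error;
  }
  return r.stdout;
}

// Stand-in for PowerShell so the demo runs anywhere: a child Node process
// that writes back the single argument it received.
function echoThroughChild(value) {
  const code = 'process.stdout.write(process.argv[1])';
  return runNoShell(process.execPath, ['-e', code, value]);
}
```

On Windows the real call would be runNoShell('powershell.exe', powershellArgv(script)); with exec and a single string, the same script would first have to survive cmd.exe quoting.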

Changed

  • IDE detection now distinguishes three IDE types: Cursor, Antigravity, VS Code (previously Antigravity fell into the VS Code category without its own %APPDATA%\Antigravity path)
  • Linux: user config path now respects XDG_CONFIG_HOME (instead of a hardcoded ~/.config)
  • Marketplace extension categories updated for better discoverability

[0.2.0] - 2026-04-08

Changed

  • Renamed extension to SnakeFlow
  • Servers are now a fully dynamic array — any number of servers, any language or runtime (Next.js, Vite, Django, Rails, Go, etc.)
  • Package manager auto-detected from lockfile: pnpm-lock.yaml, yarn.lock, bun.lockb, package-lock.json
  • Database actions auto-detected from project dependencies (Prisma, Drizzle, TypeORM, Knex) — no manual config needed
  • Status bar completely revamped: git branch with ahead/behind indicators, GitHub auth status, per-server live monitoring

Added

  • Git Branches sidebar panel — view, checkout, and delete branches without leaving the IDE
  • Pull Requests sidebar panel — view open PRs, send PR context to Cursor Chat for AI review
  • GitHub Issues — search, filter by milestone / assignee / date, create branch from issue, send to Cursor Chat
  • GitHub Actions — run workflows locally via act
  • Semgrep security scan with auto / security-audit / CI dry-run profiles
  • Git commands — pull from origin, sync from upstream, push to origin
  • Gemini AI title generation for GitHub Issues (optional, requires API key)
  • Custom database actions — fully configurable via settings UI with variable substitution
  • Custom container actions — configurable Docker Compose or any infra command
  • Status bar: git branch indicator shows current branch name, commits ahead/behind, click to pull
  • Status bar: GitHub auth indicator — shows signed-in account or prompts to sign in
  • devManager.git.defaultBranch setting — fallback when remote HEAD cannot be detected
  • devManager.git.protectedBranches setting — branches requiring extra confirmation before delete
  • devManager.prToChat.prompt — custom prompt prepended when sending PR to Cursor Chat
  • devManager.issueToChat.prompt — custom prompt prepended when sending issue to Cursor Chat
  • devManager.github.defaultMilestone — default milestone for new issues
  • devManager.gemini.apiKey / devManager.gemini.model — Gemini AI integration settings
  • devManager.database.actions — fully custom database action menu

Fixed

  • Cross-platform terminal disposal errors (try-catch in sendCtrlC/disposeTerminal)
  • Server status now uses combined check: port + terminal presence (avoids false positives from external processes)

[0.1.0] - 2026-02-14

Added

  • Project auto-detection from workspace folder
  • Server control: start/stop/restart dev servers
  • Quality Hub: built-in + CLI checks, custom project scripts, live sidebar results
  • Database / Prisma: Studio, generate, migrate, db push, seed, reset
  • GitHub PR AI Feedback reports (requires gh CLI)
  • Docker Compose management
  • Project tree view in sidebar
  • Status bar with current project and server status
  • Cross-platform support (Windows, macOS, Linux)