Merge branch 'main' into fix/ci-skip-docs-md-changes

Author: SebTardif

.github/workflows/auto-approve.yml

@@ -34,15 +34,53 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh pr review --approve "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}"
 
+      # Check for workflow file changes early (to decide whether we can safely use App token for auto-merge).
+      # This step is made robust so a transient gh failure does not fail the job (approve step already ran).
+      - name: Check for workflow file changes (use GITHUB_TOKEN fallback to avoid needing workflows:write on App)
+        id: wf-changes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pr="${{ github.event.pull_request.number }}"
+          files=$(gh pr view "$pr" --json files --jq '.files[].path' || echo "")
+          if echo "$files" | grep -q '^\.github/workflows/'; then
+            echo "changes=true" >> "$GITHUB_OUTPUT"
+            echo "PR touches .github/workflows/; will use GITHUB_TOKEN for auto-merge (no workflows:write needed on App)"
+          else
+            echo "changes=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event.pull_request.user.login != 'patchloom-release[bot]'
+        if: github.event.pull_request.user.login != 'patchloom-release[bot]' && steps.wf-changes.outputs.changes != 'true'
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
-      - name: Enable auto-merge
-        if: github.event.pull_request.user.login != 'patchloom-release[bot]'
+      # Strong guard against accidental/automated release PR merges is also
+      # implemented here (label check below) and via scripts/guard-no-release-merge.sh.
+      # See AGENTS.md "Release PRs - Strong Guard" section.
+
+      - name: Strong guard - detect release-please PRs (autorelease: pending label)
+        id: release-guard
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pr="${{ github.event.pull_request.number }}"
+          labels=$(gh pr view "$pr" --json labels --jq '.labels[].name' || true)
+          if echo "$labels" | grep -q 'autorelease: pending'; then
+            echo "is_release_pr=true" >> "$GITHUB_OUTPUT"
+            echo "Release PR detected by label 'autorelease: pending' - will skip auto-merge (user must explicitly approve merges of release PRs)"
+          else
+            echo "is_release_pr=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Enable auto-merge (App token when no wf changes; GITHUB_TOKEN fallback otherwise)
+        if: >-
+          github.event.pull_request.user.login != 'patchloom-release[bot]' &&
+          steps.release-guard.outputs.is_release_pr != 'true'
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}"
+          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" \
+            || echo "Could not enable auto-merge (common when PR modifies .github/workflows/* using GITHUB_TOKEN fallback, or release guard, or other). Approval from prior step still applies; use manual merge if needed."

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.0.4"
+  ".": "0.0.5"
 }

AGENTS.md

@@ -126,3 +126,54 @@ All I/O-dependent functions accept an `inputs` object with injectable callbacks
 - All relative imports must use `.js` extensions (`from "./foo.js"`, not `from "./foo"`). Required by `moduleResolution: "node16"`.
 - All commits require a `Signed-off-by` line (DCO). Use `git commit -s`.
 - When adding commands to `package.json`, update the expected count in `test/suite/index.ts`.
+- **Branch & PR workflow (never push a branch and stop):** For any trackable work,
+  after the first `git push` immediately create a draft PR (`gh pr create --draft`).
+  Continue development with normal `git push` (updates the draft PR + CI).
+  Only run `gh pr ready <number>` (and enable auto-merge if needed) when the
+  changes are ready for review/merge. This ensures every pushed branch is
+  backed by an open (draft) PR from the start. See `~/.grok/skills/owned-repo-gate/SKILL.md`.
+
+- **Auto-approve self-modification:** PRs that change `.github/workflows/auto-approve.yml`
+  cause GitHub to emit only "push" validation runs (0 jobs, failure) using the PR's workflow content
+  (the pull_request runs use the definition from main). The approve step runs early using
+  GITHUB_TOKEN (before wf-changes detection or merge logic) so reviews are added when the
+  pull_request workflow runs from main. The Enable auto-merge step uses `|| echo` so the
+  workflow reports success even when merge enable falls back or is restricted. In rare cases
+  where no review appears, use the emergency bypass in ci-branch-protection skill + #159
+  (add bypass actor, `gh pr merge --admin`, remove bypass immediately). See also patchloom's
+  auto-approve.yml for the reference pattern.
+
+## Release PRs - Strong Guard
+
+Release PRs (created by release-please, titled "chore: release ..." or "chore(main): release ...", or labeled `autorelease: pending`) MUST NEVER be merged (with `gh pr merge`, `--auto`, or otherwise) without the user's explicit approval.
+
+Merging a release PR:
+- Publishes a new version of the VSIX
+- Creates git tags
+- Triggers the full release pipeline (Marketplace, Open VSX, attestation bundles)
+- The user controls release cadence, not the agent.
+
+### Required procedure (strong guard)
+
+When you encounter a release PR (during triage, gate check, `gh pr list`, or status):
+
+1. Report it clearly: "Release PR #N (vX.Y.Z) is ready to merge."
+2. Use the `ask_user_question` tool (or direct question) to ask: "Should I merge it?"
+3. **Only after receiving an explicit "yes" (or equivalent affirmative) from the user in this session**, proceed.
+4. Before executing any merge command, run the guard:
+   ```
+   bash scripts/guard-no-release-merge.sh <number>
+   ```
+   The script will abort with guidance unless `ALLOW_RELEASE_MERGE=yes` is set (only after user yes).
+5. If checks pass and user said yes: `gh pr merge <number> --squash` (or let auto if user directed).
+
+This rule was strengthened after an incident where `gh pr merge 144 --auto` (under a broad "merge everything" instruction) resulted in v0.0.5 being published without explicit per-release "yes".
+
+### Defense in depth
+
+- Workflow: `.github/workflows/auto-approve.yml` uses author + label check + wf-changes to never enable `--auto` for release PRs.
+- Script: `scripts/guard-no-release-merge.sh` provides a hard runtime guard for shell commands.
+- Documentation: This section + global AGENTS.md rule.
+- Branch protection + ruleset: still enforces checks, but does not replace user approval for releases.
+
+Never bypass the guard "just this once" or rationalize. Ask every time.

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [0.0.5](https://github.com/patchloom/patchloom-vscode/compare/patchloom-v0.0.4...patchloom-v0.0.5) (2026-06-22)
+
+
+### Features
+
+* align extension with patchloom CLI v0.4.0 ([0629af9](https://github.com/patchloom/patchloom-vscode/commit/0629af926a7a9eee8d6c634eee10bc6148d4d6ad))
+* align with patchloom CLI v0.4.0 ([#145](https://github.com/patchloom/patchloom-vscode/issues/145)) ([0629af9](https://github.com/patchloom/patchloom-vscode/commit/0629af926a7a9eee8d6c634eee10bc6148d4d6ad))
+
+
+### Bug Fixes
+
+* **ci:** prevent spurious Dependabot PR failures from auto-approve and @types/vscode bumps ([#143](https://github.com/patchloom/patchloom-vscode/issues/143)) ([3b50515](https://github.com/patchloom/patchloom-vscode/commit/3b505152f40ed37ac1120b5fccf4f8345d0b4cbb))
+
 ## [0.0.4](https://github.com/patchloom/patchloom-vscode/compare/patchloom-v0.0.3...patchloom-v0.0.4) (2026-06-18)
 
 

package-lock.json

@@ -2,7 +2,7 @@
   "name": "patchloom",
   "displayName": "Patchloom",
   "description": "VS Code extension for Patchloom. Installs, configures, and integrates the Patchloom CLI for editor-first workflows.",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "publisher": "patchloom",
   "license": "MIT",
   "repository": {

package.json

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Strong guard against merging release-please PRs without explicit user approval.
+#
+# Usage:
+#   bash scripts/guard-no-release-merge.sh [PR_NUMBER]
+#   # or with current branch context (will try to detect open PR)
+#
+# Exits 0 if safe to merge (non-release PR).
+# Exits 1 and prints guidance if release PR detected, unless ALLOW_RELEASE_MERGE=yes.
+#
+# This is a defense-in-depth guard for agents and humans.
+# See AGENTS.md for the full "Release PRs - Strong Guard" policy.
+# Per global rules: report the PR, ask user "Should I merge it?", only proceed after explicit "yes".
+
+set -euo pipefail
+
+pr="${1:-}"
+
+if [[ -z "$pr" ]]; then
+  # Try to detect PR from current context (works if gh pr view succeeds for head)
+  if pr=$(gh pr view --json number --jq '.number' 2>/dev/null); then
+    :
+  else
+    echo "ERROR: No PR number provided and could not auto-detect current PR."
+    echo "Usage: $0 <pr-number>"
+    exit 2
+  fi
+fi
+
+echo "Guard: inspecting PR #$pr for release-please markers..."
+
+title=$(gh pr view "$pr" --json title --jq '.title' 2>/dev/null || echo "")
+labels=$(gh pr view "$pr" --json labels --jq '.labels[].name' 2>/dev/null || true)
+body=$(gh pr view "$pr" --json body --jq '.body' 2>/dev/null | head -c 500 || true)
+
+is_release=false
+reason=""
+
+if echo "$labels" | grep -q 'autorelease: pending'; then
+  is_release=true
+  reason="has label 'autorelease: pending'"
+elif echo "$title" | grep -qiE '^(chore|release).*release |release v?[0-9]+\.[0-9]+'; then
+  is_release=true
+  reason="title looks like release: '$title'"
+elif echo "$body" | grep -qi 'release-please'; then
+  is_release=true
+  reason="body mentions release-please"
+fi
+
+if [[ "$is_release" == "true" ]]; then
+  echo ""
+  echo "================================================================"
+  echo "STRONG GUARD TRIGGERED"
+  echo "================================================================"
+  echo "PR #$pr is a release PR ($reason)."
+  echo "Title: $title"
+  echo ""
+  echo "Release PRs (release-please etc) MUST NEVER be merged without the"
+  echo "user's explicit approval in this chat session."
+  echo ""
+  echo "  1. Report: \"Release PR #$pr ($title) is ready to merge.\""
+  echo "  2. Ask the user using ask_user_question or directly: \"Should I merge it?\""
+  echo "  3. ONLY proceed after an explicit \"yes\" (or equivalent)."
+  echo ""
+  echo "Merging publishes a new version, creates tags, and triggers releases."
+  echo "The user (not the agent) controls release cadence."
+  echo ""
+  echo "To bypass (ONLY after receiving explicit user yes):"
+  echo "  ALLOW_RELEASE_MERGE=yes $0 $pr"
+  echo "================================================================"
+  echo ""
+
+  if [[ "${ALLOW_RELEASE_MERGE:-}" != "yes" ]]; then
+    exit 1
+  else
+    echo "BYPASS: ALLOW_RELEASE_MERGE=yes detected. Proceeding (user approved)."
+  fi
+fi
+
+echo "Guard OK: PR #$pr does not appear to be a release PR. Safe to consider merge."
+exit 0

scripts/guard-no-release-merge.sh

@@ -160,11 +160,16 @@ export function patchloomNeedsUpgrade(status: PatchloomStatus): boolean {
  *
  * This removes duplicated ready-check + notify logic across commands.
  */
-export async function ensurePatchloomReadyOrNotify(contextSuffix = ""): Promise<string | null> {
-  const status = await resolvePatchloomStatus();
-  const vscode = await import("vscode");
+export async function ensurePatchloomReadyOrNotify(
+  contextSuffix = "",
+  testInputs?: PatchloomStatusInputs
+): Promise<string | null> {
+  const status = testInputs
+    ? await resolvePatchloomStatusWithInputs(testInputs)
+    : await resolvePatchloomStatus();
 
   if (!status.ready || !status.binaryPath) {
+    const vscode = await import("vscode");
     const choice = await vscode.window.showWarningMessage(
       `${status.message}${contextSuffix ? `\n\n${contextSuffix}` : ""}`,
       "Open Settings"
@@ -176,6 +181,7 @@ export async function ensurePatchloomReadyOrNotify(contextSuffix = ""): Promise<
   }
 
   if (patchloomNeedsUpgrade(status)) {
+    const vscode = await import("vscode");
     const choice = await vscode.window.showWarningMessage(
       `${status.compatibilityMessage}${contextSuffix ? `\n\n${contextSuffix}` : ""}`,
       "Open Releases"

src/binary/patchloom.ts

@@ -1,32 +1,14 @@
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import * as vscode from "vscode";
-import { patchloomNeedsUpgrade, resolvePatchloomStatus } from "../binary/patchloom.js";
+import { ensurePatchloomReadyOrNotify } from "../binary/patchloom.js";
 import { configureMcpTargets, inspectMcpTargets } from "../mcp/config.js";
 import { activeWorkspaceFolder, describeWorkspaceEnvironment } from "../workspace/readiness.js";
 import { refreshStatusBar } from "../status/statusBar.js";
 
 export async function configureMcp(): Promise<void> {
-  const status = await resolvePatchloomStatus();
-  if (!status.ready) {
-    const choice = await vscode.window.showWarningMessage(
-      `${status.message}\n\nPatchloom needs a working binary before MCP setup can continue.`,
-      "Open Settings"
-    );
-    if (choice === "Open Settings") {
-      await vscode.commands.executeCommand("patchloom.openPatchloomSettings");
-    }
-    return;
-  }
-
-  if (patchloomNeedsUpgrade(status)) {
-    const choice = await vscode.window.showWarningMessage(
-      `${status.compatibilityMessage}\n\nUpgrade Patchloom before MCP setup can continue.`,
-      "Open Releases"
-    );
-    if (choice === "Open Releases") {
-      await vscode.commands.executeCommand("patchloom.openPatchloomReleases");
-    }
+  const binaryPath = await ensurePatchloomReadyOrNotify("Patchloom needs a working binary before MCP setup can continue.");
+  if (!binaryPath) {
     return;
   }
 
@@ -66,7 +48,7 @@ export async function configureMcp(): Promise<void> {
     workspaceFolderPath,
     includeKinds: selectedKinds,
     includeUserTarget: environment.supportsUserMcpConfig,
-    patchloomPathSetting: status.binaryPath,
+    patchloomPathSetting: binaryPath,
     readFile: async (filePath) => {
       try {
         return await fs.readFile(filePath, "utf8");

src/commands/configureMcp.ts

@@ -1,34 +1,17 @@
 import * as vscode from "vscode";
-import { PATCHLOOM_DOCS_URL, PATCHLOOM_RELEASES_URL, patchloomNeedsUpgrade, resolvePatchloomStatus } from "../binary/patchloom.js";
+import { ensurePatchloomReadyOrNotify, PATCHLOOM_DOCS_URL, PATCHLOOM_RELEASES_URL } from "../binary/patchloom.js";
 import { describeWorkspaceEnvironment, inspectWorkspaceReadiness } from "../workspace/readiness.js";
 
 export async function setupWorkspace(): Promise<void> {
-  const status = await resolvePatchloomStatus();
-  if (!status.ready) {
-    const choice = await vscode.window.showWarningMessage(
-      `${status.message}\n\nPatchloom needs a working binary before workspace setup can continue.`,
-      "Open Settings"
-    );
-    if (choice === "Open Settings") {
-      await vscode.commands.executeCommand("patchloom.openPatchloomSettings");
-    }
+  const binaryPath = await ensurePatchloomReadyOrNotify("Patchloom needs a working binary before workspace setup can continue.");
+  if (!binaryPath) {
     return;
   }
 
   const readiness = await inspectWorkspaceReadiness({
     promptIfMany: true,
     placeHolder: "Select the workspace folder to inspect for Patchloom setup"
   });
-  if (patchloomNeedsUpgrade(status)) {
-    const choice = await vscode.window.showWarningMessage(
-      `${status.compatibilityMessage}\n\nUpgrade Patchloom before workspace setup can continue.`,
-      "Open Releases"
-    );
-    if (choice === "Open Releases") {
-      await vscode.commands.executeCommand("patchloom.openPatchloomReleases");
-    }
-    return;
-  }
 
   if (!readiness.hasWorkspace) {
     await vscode.window.showWarningMessage("Open a workspace folder before running Patchloom: Setup Workspace.");