Palette ux aria label accept suggestion 7832725668674833841

.Jules/learnings.md

@@ -0,0 +1,5 @@
+# Performance Optimization Learnings
+
+- **RegExp Hoisting**: Hoisting `new RegExp(...)` out of loops when the pattern is constant can yield significant performance improvements (observed ~50% in micro-benchmark).
+- **TypeScript**: When updating internal helper functions, ensure all call sites are updated to match the new signature.
+- **Verification**: In environments where full test suites cannot run due to missing dependencies, creating standalone micro-benchmarks or verification scripts is a viable alternative to ensure correctness and performance gains.

.Jules/palette.md

@@ -0,0 +1,3 @@
+## 2023-10-27 - [Avoid redundant aria-labels or titles on textual buttons]
+**Learning:** Adding a title or aria-label that exactly matches the visible text of a button is redundant and can cause screen readers to announce the text twice.
+**Action:** Reserve title attributes for icon-only buttons or use them to provide *additional* contextual information (e.g., "Click to insert this suggestion into your code" instead of "Accept suggestion 1").

.github/workflows/webpack.yml

@@ -0,0 +1,28 @@
+name: NodeJS with Webpack
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [22.x]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - name: Build
+      run: |
+        npm install
+        npm run build

.jules/bolt.md

@@ -0,0 +1,7 @@
+## 2024-03-08 - Regex Optimization in TF-IDF
+**Learning:** Using `matchAll` with complex regexes containing lookarounds can be significantly slower than a manual scanning loop with simple regexes and `exec`.
+**Action:** When parsing large amounts of text (like in TF-IDF tokenization), prefer scanning loops with simple regexes. Also, be careful with global regexes (`/g`) in module scope as they are stateful (`lastIndex`).
+
+## 2024-03-08 - Fast String Truncation
+**Learning:** Checking string byte length with `new TextEncoder().encode(text).length` is extremely slow because it allocates massive memory buffers. Node.js's `Buffer.byteLength(text, 'utf8')` is >3.5x faster. Also, truncating a large string to a byte limit is faster by first slicing the string `text.slice(0, maxIndexableFileSize)` (as 1 char >= 1 byte in utf8) before doing the exact byte-wise truncation with `Buffer.from(slicedString, 'utf8')`.
+**Action:** Use `Buffer.byteLength(text, 'utf8')` and string slicing before buffer conversion to avoid memory allocation bottlenecks on large strings.

.jules/sentinel.md

@@ -0,0 +1,9 @@
+## 2025-02-27 - DOMPurify Configuration Gaps
+**Vulnerability:** Found `DOMPurify.sanitize` usage that stripped `target="_blank"` attributes from external links, leading to broken functionality and potentially confusing behavior. Also, the external links lacked `rel="noopener noreferrer"`, which `DOMPurify` would strip if `target` was stripped, but if `target` was allowed, it would be vulnerable to reverse tabnabbing.
+**Learning:** `DOMPurify` by default is very strict and strips `target` attributes. To allow them, `ADD_ATTR: ['target']` is needed. However, allowing `target` introduces tabnabbing risks, so `rel="noopener noreferrer"` MUST be added and preserved.
+**Prevention:** When using `DOMPurify` for webviews, always check if `target="_blank"` is intended. If so, configure `DOMPurify` to allow `target` and ensure `rel="noopener noreferrer"` is present. Use explicit `DOMPurify` configuration rather than relying on defaults.
+
+## 2025-02-27 - Process Environment Variable Leakage
+**Vulnerability:** The `CommandExecutor` class in `src/extension/mcp/vscode-node/util.ts` propagated the full `process.env` to child processes (e.g., via `cp.spawn`), creating a potential security risk for environment variable leakage of extension-specific secrets (e.g., IPC hooks, auth tokens) to external tools and MCP servers.
+**Learning:** Blindly passing `{ ...process.env }` to child processes can inadvertently leak sensitive context information, but over-aggressively stripping all environment variables (like `TOKEN` or `PASSWORD`) breaks underlying authorized tool functionality (like custom NuGet sources or GitHub CLI).
+**Prevention:** Rather than a blanket filter of all variables matching generic terms, specifically filter out framework/application-specific secrets (e.g., variables starting with `VSCODE_`, `GITHUB_`, or `COPILOT_`). Additionally, APIs that spawn processes should accept an explicit `env` parameter to allow intentional overrides by callers.

Caché

@@ -0,0 +1,20 @@
+            - nombre: Caché
+  usos: acciones/cache@v5.0.3
+  con:
+    # Una lista de archivos, directorios y patrones comodín para almacenar en caché y restaurar
+    camino:
+    # Una clave explícita para restaurar y guardar el caché
+    llave:
+    # Una cadena multilínea ordenada que enumera las claves con prefijo coincidente, que se utilizan para restaurar la caché obsoleta si no se produce un acierto de caché para la clave. Nota: `cache-hit` devuelve falso en este caso.
+    restaurar-claves: # opcional
+    # El tamaño del fragmento utilizado para dividir archivos grandes durante la carga, en bytes
+    tamaño del fragmento de carga: # opcional
+    # Un valor booleano opcional, cuando está habilitado, permite que los ejecutores de Windows guarden o restauren cachés que se pueden restaurar o guardar respectivamente en otras plataformas
+    enableCrossOsArchive: # opcional, el valor predeterminado es falso
+    # Falla el flujo de trabajo si no se encuentra la entrada de caché
+    fail-on-cache-miss: # opcional, el valor predeterminado es falso
+    # Verifica si existe una entrada de caché para las entradas dadas (clave, claves de restauración) sin descargar el caché
+    solo búsqueda: # opcional, el valor predeterminado es falso
+    # Ejecute el paso posterior para guardar el caché incluso si otro paso anterior falla
+    guardar siempre: # opcional, el valor predeterminado es falso
+

fix_config.js

@@ -0,0 +1,14 @@
+const fs = require('fs');
+const path = 'src/platform/configuration/common/configurationService.ts';
+let code = fs.readFileSync(path, 'utf8');
+
+// We need to remove these from the Deprecated namespace:
+// OllamaEndpoint, AzureModels, CustomOAIModels, AzureAuthType
+// Let's use string replacement or regex
+
+code = code.replace(/\s*export const OllamaEndpoint = defineSetting<string>\('chat\.byok\.ollamaEndpoint', ConfigType\.Simple, 'http:\/\/localhost:11434'\);/, '');
+code = code.replace(/\s*export const AzureModels = defineSetting<Record<string, \{ name: string; url: string; toolCalling: boolean; vision: boolean; maxInputTokens: number; maxOutputTokens: number; requiresAPIKey\?: boolean; thinking\?: boolean; streaming\?: boolean; zeroDataRetentionEnabled\?: boolean \}>\>\('chat\.azureModels', ConfigType\.Simple, \{\}\);/, '');
+code = code.replace(/\s*export const CustomOAIModels = defineSetting<Record<string, \{ name: string; url: string; toolCalling: boolean; vision: boolean; maxInputTokens: number; maxOutputTokens: number; requiresAPIKey\?: boolean; thinking\?: boolean; streaming\?: boolean; requestHeaders\?: Record<string, string>; zeroDataRetentionEnabled\?: boolean \}>\>\('chat\.customOAIModels', ConfigType\.Simple, \{\}\);/, '');
+code = code.replace(/\s*export const AzureAuthType = defineSetting<AzureAuthMode>\('chat\.azureAuthType', ConfigType\.Simple, AzureAuthMode\.EntraId\);/, '');
+
+fs.writeFileSync(path, code);