Skip to content

Automatic Sync: Merge changes from stable/mi to main#2398

Open
choreo-cicd wants to merge 151 commits into
mainfrom
sync/main-stable/mi-1782808868
Open

Automatic Sync: Merge changes from stable/mi to main#2398
choreo-cicd wants to merge 151 commits into
mainfrom
sync/main-stable/mi-1782808868

Conversation

@choreo-cicd

@choreo-cicd choreo-cicd commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR syncs changes from stable/mi to the main branch.

Automated PR created by GitHub Actions.

Summary by CodeRabbit

  • New Features

    • Added MCP server support, including new forms, commands, and project explorer entries.
    • Added tool-suggestion and tool-management workflows for APIs and sequences.
    • Added support for bindsTo on APIs/resources and startOnLoad for tasks.
  • Bug Fixes

    • Improved AI chat context handling with clearer warnings and better error messages.
    • Fixed file attachment, XML validation, and tryout behavior in several diagram views.
    • Refined connector import, download, and validation flows.
  • Chores

    • Updated multiple bundled dependencies across the project.

IsuruMaduranga and others added 30 commits May 27, 2026 00:25
Replace VALID_FILE_EXTENSIONS / VALID_SPECIAL_FILE_NAMES with
BLOCKED_BINARY_EXTENSIONS so the agent can read/write any text file
(including extensionless ones like Dockerfile, Makefile, .gitignore)
while still blocking archives, executables, office docs, images, etc.
Shell sandbox now enforces the same deny-list on mutation paths. The
@-mention picker keeps its own short UX allow-list, decoupled from
the security gate. Also enable XML validation for .dbs data services.
Trim filePath in getReadFileKind() to keep classification consistent with
validateReadableFilePath(), and update shell sandbox error message to
accurately describe all mutation types (write/edit/delete/rename).
Loads a root-level AGENTS.md (CLAUDE.md / Cursor convention) as a tracked
context block. Re-injected only on content drift via the existing
session-context hash system, so it does not waste tokens every turn.

Files over 30 KB are truncated before being shipped to the model. The
block carries an explicit truncation banner so the agent knows context is
missing (and can file_read the tail on demand), and a persistent in-chat
warning segment tells the user. Truncation warnings fire only when the
block is actually being injected, so an unchanged large file does not
re-warn each turn.
- agent.ts: make `saveAgentsMdWarning` failure non-fatal. The live event
  still fires so the user sees the warning this turn; only the JSONL
  replay across reconnects is sacrificed on persistence failure.
- prompt.ts: neutralize embedded `<system-reminder>` / `<user_query>`
  tags in user-authored AGENTS.md so they can't break out of the
  surrounding envelope. Replaces the angle brackets with U+27E8 / U+27E9.
- prompt.ts: fix the `SessionContextBlockHashes.agentsMd` doc comment to
  describe what the code actually hashes (surfaced bytes + truncation
  metadata) instead of the old "full untruncated raw bytes" claim.
- AIChatFooter.tsx: splice the warning before the optimistic streaming
  placeholder. Appending at the end displaced the placeholder, causing
  subsequent content_block / thinking_* events to land in the warning
  bubble instead of the assistant message.
- eventToMessageConverter.ts: drop `(event as any)` cast now that
  `warningMessage` is a typed field on AgentEvent / ChatHistoryEvent.
Fix trivy detected vulnerabilities
Support the startOnLoad attribute for tasks in MI 4.1.0
Instruct agent-mode to flip pom.xml <packaging> to jar and declare
synapse-core when creating a class mediator, otherwise the CApp ships
without the compiled jar and deployment silently fails.

Fixes wso2/product-integrator#1631
file_write and file_edit now append a <system-reminder> to the tool
result whenever the touched file is a class mediator java source
(src/main/java/**/*.java), telling the agent to verify root pom.xml
packaging is "jar" and synapse-core is declared. The prompt-level
guideline alone can be missed; a per-tool reminder makes it harder
to skip.

Related to wso2/product-integrator#1631
Read the project root pom.xml and skip the class mediator reminder
when <packaging>jar</packaging> is already set, so the agent is not
prompted to fix something that is already correct. When packaging is
something else (typically the default "pom"), the reminder reports
the current value to make the required change unambiguous.
…ging

Fix copilot-created class mediators not packed in CApp
- Clarify file_read offset/limit are line-based in AGENTS.md guidance
- Use Math.ceil for KB rounding and improve truncation warning copy
- Add aria-hidden to decorative warning icon
- Dedup context_warning on panel reconnect/event replay
Mirror the POSIX shell sandbox check so the agent cannot mutate
foo.jar, foo.dll, etc. via PowerShell on Windows.
Switch agent file tools to a binary deny-list
Fix trivy detected vulnerabilities
Sync latest changes from release/mi-4.0.2
Merge "micro-integrator-4.0.2" into "stable/mi"
ChinthakaJ98 and others added 25 commits June 19, 2026 00:28
Fix trivy detected vulnerabilities
…tors, variables)

Mirror of wso2/mi-vscode#1504 for the release/mi-4.1.1 line of this repo.
Fixes the four classes of incorrect code reported in
wso2/product-integrator#1640, all via the always-loaded agent-mode
prompt/context guides, plus the Opus 4.7 -> 4.8 main-agent model swap.

- Operator precedence: Synapse's grammar makes and/or bind tighter than
  comparison operators, so `a <= 0 or b > 10` mis-parses. Add a mandatory
  "parenthesize every comparison joined by and/or" rule to the expression
  guide, fix the contradictory "Key implication" narrative in
  synapse_expression_spec.ts, and correct all anti-pattern examples in the
  expression guide and edge-cases doc.
- Platform limitations: add a scope rule to the main system prompt telling
  the agent to state what MI cannot do rather than fabricate invalid code.
- Connector syntax: add a hard rule to never write a connector operation's
  XML without first calling get_connector_info mode='details', reinforced in
  connectors_guide.ts.
- Uninitialized variables: add a declare-before-use rule to the variable
  mediator section and a WRONG/CORRECT example in synapse_edge_cases.ts.
- Defer cross-file reference checks out of per-file auto-validation: add an
  opt-in skipCrossFileValidation flag to synapse/codeDiagnostic (XmlCode +
  validateXmlFile); file_write/file_edit set it so their per-file pass omits
  cross-file reference checks, validate_code leaves it off. Optional and
  ignored by language servers that don't support it.
- Model: swap claude-opus-4-7 -> claude-opus-4-8 for the 'opus' main-agent
  preset (direct + Bedrock inference profile), with UI label and comment
  updates.

Refs: wso2/product-integrator#1640
Mirrors: wso2/mi-vscode#1504
…ails-1640

Fix agent-mode codegen guardrails (operator precedence, scope, connectors, variables)
Mirror of wso2/mi-vscode#1515 for the release/mi-4.1.1 line of this repo.

The MI Copilot proxy blocks Opus models and returns a 400 with an
explanatory body, but the chat error card only showed the SDK's generic
status text, and WSO2 users could still select Opus in Settings.

Settings (WSO2/MI_INTEL login only):
- Disable both the Main Agent and Sub-Agent model switches (greyed out)
  with a note: "Sign in with your own Anthropic API key or AWS Bedrock to
  change models." BYOK (Anthropic key / Bedrock) is unaffected.
- The Main switch always shows the non-Opus default; the high-intelligence
  warning is suppressed on the plan.

Backend:
- Clamp the main agent to Sonnet for MI_INTEL when an 'opus' preset carried
  over from a prior BYOK session, so it can't 400 every turn. Custom model
  IDs are left untouched.

Error surfacing:
- Add getDisplayErrorMessage() which extracts the upstream provider/proxy
  message from APICallError responseBody/data (walking the cause chain)
  instead of the bare HTTP status text, and wire it into the agent's stream
  'error' path, execution catch, and the rpc-manager fallback catch.

Mirrors: wso2/mi-vscode#1515
Add support to the binds-to attribute in APIs
Fix back button functionality issue
Mirror the review fixes applied to the mi-vscode PR so both repos carry an
identical change set:

stream_guard.ts:
- Extract shared extractProviderErrorMessageFromBody() that handles
  APICallError.data as a raw string, surfaces JSON-quoted string bodies,
  and guards JSON.parse against oversized bodies (MAX_PARSEABLE_BODY_LENGTH)
  on the already-failing path.

agent.ts:
- Prefer abortReason over the caught error when building the user-facing
  message, so watchdog-wrapped errors keep the upstream provider detail.

SettingsPanel.tsx / AICodeGenerator.tsx:
- Add a byokResolved flag; gate model-switch locking on it and keep the
  controls neutral (disabled, no lock note, no warning) while resolution
  is pending. Reset byokResolved before each lookup and settle it on the
  failure path so the UI can't leak stale state or hang pending.
- Make Reset to defaults respect the locked plan: on MI Copilot it no
  longer rewrites the (locked) model presets, closing the hidden
  model-switch path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
AICodeGenerator.tsx:
- Clear isByok/isAwsBedrock (not just byokResolved) and run the re-gate
  before the rpcClient guard, so a failed or rpcClient-less lookup can't
  settle with a prior session's stale auth flags and wrongly unlock the
  model controls.

SettingsPanel.tsx:
- Use modelControlsDisabled (locked plan OR pending resolution) instead of
  isMiCopilotPlan for both handleResetDefaults and isDefault, so Reset to
  defaults can't rewrite presets before the plan is known.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…y-errors

Lock model switching on WSO2 plan and surface proxy error messages
Merge "micro-integrator-4.1.1" into "stable/mi"
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
3 out of 4 committers have signed the CLA.

✅ arunans23
✅ ChinthakaJ98
✅ IsuruMaduranga
❌ choreo-cicd
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds MCP Server artifact support to the MI extension (utilities, RPC methods, UI forms, project explorer integration), injects project AGENTS.md as a tracked agent session context block with truncation warnings, updates the AI model to Claude Opus 4.8, adds API bindsTo binding support for inbound endpoints, threads a disableTryout prop through diagram side-panel components, improves debugger abort-on-disconnect, and bumps dependency versions across all workspaces.

Changes

Dependency Version Bumps

Layer / File(s) Summary
Rush config and workspace package.json bumps
common/autoinstallers/rush-plugins/package.json, common/config/rush/.pnpmfile.cjs, common/config/rush/pnpm-config.json, package.json, workspaces/api-designer/..., workspaces/ballerina/..., workspaces/choreo/..., workspaces/mi/mi-diagram/package.json, workspaces/mi/mi-visualizer/package.json, workspaces/wso2-platform/...
Updates pinned overrides in rush pnpmfile/pnpm-config and bumps axios, js-yaml, @babel/core, webpack-dev-server, undici, hono, protobufjs, tmp, and others across all workspace package.json files.

MI Extension Features and Fixes

Layer / File(s) Summary
Core RPC type contracts and state machine views
workspaces/mi/mi-core/src/rpc-types/agent-mode/types.ts, workspaces/mi/mi-core/src/rpc-types/mi-diagram/..., workspaces/mi/mi-core/src/rpc-types/mi-visualizer/..., workspaces/mi/mi-core/src/state-machine-types.ts
Extends AgentEventType/AgentEvent/ChatHistoryEvent with context_warning, adds SessionContextBlocksState.agentsMd, introduces MCP server request/response interfaces, adds getMcpToolSuggestion to MIVisualizerAPI, and adds MCPServerForm/MCPServerFromAPIsForm/ImportInboundConnectorForm to MACHINE_VIEW.
MCP server utilities and backend RPC
workspaces/mi/mi-extension/src/util/mcp-server-utils.ts, workspaces/mi/mi-extension/src/util/fileOperations.ts, workspaces/mi/mi-extension/src/lang-client/ExtendedLanguageClient.ts, workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-manager.ts, workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-handler.ts, workspaces/mi/mi-extension/src/rpc-managers/ai-features/rpc-manager.ts, workspaces/mi/mi-extension/src/rpc-managers/ai-features/rpc-handler.ts, workspaces/mi/mi-extension/src/rpc-managers/mi-visualizer/rpc-manager.ts, workspaces/mi/mi-rpc-client/src/rpc-clients/mi-diagram/rpc-client.ts, workspaces/mi/mi-rpc-client/src/rpc-clients/mi-visualizer/rpc-client.ts, workspaces/mi/mi-extension/src/RPCLayer.ts, workspaces/mi/mi-visualizer/src/constants/index.ts
Adds mcp-server-utils.ts with XML/JSON schema/OpenAPI parsing and tools XML generation. Implements all 9 MCP RPC methods in MiDiagramRpcManager, getMcpToolSuggestion via Anthropic in MIAIPanelRpcManager, wires handlers and clients, adds updateInboundConnectors() to ExtendedLanguageClient, and excludes MCP config files from showGoToSource.
MCP server UI forms, project explorer, and InboundEP connector hook
workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/*, workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/..., workspaces/mi/mi-visualizer/src/Hooks.tsx, workspaces/mi/mi-visualizer/src/MainPanel.tsx, workspaces/mi/mi-visualizer/src/PopupPanel.tsx, workspaces/mi/mi-extension/src/project-explorer/..., workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx, workspaces/mi/mi-visualizer/src/views/AddArtifact/index.tsx, workspaces/mi/mi-visualizer/src/components/NavigationBar/HierachicalPath.tsx, workspaces/mi/mi-extension/src/constants/index.ts, workspaces/mi/mi-extension/package.json
Adds MCPServerWizard, MCPServerToolsForm, AddAPIToolDialog, AddSequenceToolDialog, CreateScratchToolDialog, ToolTypeSelector, ToolsList, ImportInboundConnectorForm components. Introduces useConnectorDependency hook. Wires MCP server commands into project explorer, Overview, navigation bar, and AddArtifact (gated on runtime 4.6.0+).
AGENTS.md context injection and context_warning events
workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/agent.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/chat-history-manager.ts, workspaces/mi/mi-extension/src/rpc-managers/agent-mode/rpc-manager.ts, workspaces/mi/mi-visualizer/src/views/AIPanel/component/ContextWarningSegment.tsx, workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatFooter.tsx, workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatMessage.tsx, workspaces/mi/mi-visualizer/src/views/AIPanel/utils.ts, workspaces/mi/mi-visualizer/src/views/AIPanel/utils/eventToMessageConverter.ts
Reads project-root AGENTS.md (30KB cap), hashes and injects it as a tracked session context block per turn. Emits context_warning events when truncated, persists them to the JSONL journal via saveAgentsMdWarning, includes them in getMessages and convertToEventFormat, and renders a styled ContextWarningSegment in the AI chat UI.
Claude Opus 4.8, error display, attachment normalization, file deny-list, and synapse guides
workspaces/mi/mi-extension/src/ai-features/connection.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/stream_guard.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/attachment-utils.ts, workspaces/mi/mi-extension/src/ai-features/copilot/message-utils.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/file_tools.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/validation-utils.ts, workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse*/..., workspaces/mi/mi-visualizer/src/views/AIPanel/component/SettingsPanel.tsx, workspaces/mi/mi-visualizer/src/views/AIPanel/component/AICodeGenerator.tsx, workspaces/mi/mi-visualizer/src/views/AIPanel/utils.ts, workspaces/mi/mi-visualizer/src/views/AIPanel/constants.ts
Updates to claude-opus-4-8, adds getDisplayErrorMessage for provider-aware error extraction, normalizes data:*;base64, URI prefixes in PDF/image attachments, replaces file extension allowlist with BLOCKED_BINARY_EXTENSIONS deny-list, blocks binary path mutations in shell sandboxes, extends XML validation to .dbs, adds byokResolved gating in SettingsPanel, increases file upload limit to 10MB, and corrects Synapse operator-precedence examples.
API resource bindsTo binding support
workspaces/mi/syntax-tree/src/syntax-tree-interfaces.ts, workspaces/mi/mi-visualizer/src/utils/form.ts, workspaces/mi/mi-visualizer/src/utils/template-engine/mustache-templates/core/api.ts, workspaces/mi/mi-visualizer/src/views/Forms/ResourceForm.tsx, workspaces/mi/mi-visualizer/src/views/Forms/APIform/index.tsx, workspaces/mi/mi-visualizer/src/views/ServiceDesigner/index.tsx, workspaces/mi/mi-visualizer/src/views/Diagram/Resource.tsx, workspaces/mi/mi-diagram/src/components/Form/Keylookup/Keylookup.tsx
Adds bindsTo to API/APIResource syntax tree interfaces. Extends ResourceForm and APIform with a ParamManager-based bindings UI. Wires binds-to attribute into API edit/resource add/edit mustache templates. Adds getApiBindsToOptions helper and bindToInbound FilterType to Keylookup.
disableTryout prop threading and diagram side-panel fixes
workspaces/mi/mi-diagram/src/components/Diagram.tsx, workspaces/mi/mi-diagram/src/components/sidePanel/..., workspaces/mi/mi-diagram/src/components/nodes/BaseNodeModel.ts, workspaces/mi/mi-visualizer/src/views/Diagram/InboundEndpoint.tsx, workspaces/mi/mi-visualizer/src/views/Diagram/Task.tsx, workspaces/mi/mi-diagram/src/components/sidePanel/tryout/SetPayloads.tsx, workspaces/mi/mi-diagram/src/components/sidePanel/dataServices/query.tsx
Adds optional disableTryout prop to DiagramProps and threads it through SidePanelList, MediatorPage, ConnectorPage, HomePage, and Mediators. Fixes BaseNodeModel.onClicked tag derivation for MCP tool nodes, SetPayloads default payload fallback, and replaces TextArea with AutoResizeTextArea in data service query.
Debugger project-list resolution and abort-on-disconnect
workspaces/mi/mi-extension/src/debugger/activate.ts, workspaces/mi/mi-extension/src/debugger/debugAdapter.ts, workspaces/mi/mi-extension/src/debugger/debugHelper.ts
Makes resolveDebugConfiguration async with project-selection logic (single-folder, consolidated, or quick-pick). Moves project-list validation into launchRequest. Adds _isDisconnecting flag and abortBuildAndRun() to SIGKILL the active build subprocess on disconnect. Tracks activeBuildProcess in debugHelper.
DataService uniqueness, ConnectionForm refactor, TaskForm startOnLoad, and misc fixes
workspaces/mi/mi-visualizer/src/views/Forms/DataServiceForm/..., workspaces/mi/mi-visualizer/src/views/Forms/ConnectionForm/index.tsx, workspaces/mi/mi-visualizer/src/views/Forms/TaskForm.tsx, workspaces/mi/mi-extension/src/util/template-engine/mustach-templates/tasks.ts, workspaces/mi/mi-visualizer/src/views/Forms/ProxyServiceForm.tsx, workspaces/mi/mi-visualizer/src/views/Forms/RegistryResourceForm.tsx, workspaces/mi/mi-visualizer/src/views/Forms/Tests/TestSuiteForm.tsx, workspaces/mi/mi-visualizer/src/components/View/ViewContent.tsx, workspaces/mi/mi-visualizer/src/views/Overview/ProjectInformation/index.tsx
Adds Yup uniqueness validation for DataService operation names and resource path+method pairs; requires at least one datasource. Refactors connector cards with truncation tooltip and normalized version matching. Adds runtime-gated startOnLoad checkbox to TaskForm. Fixes ProxyServiceForm post-create double-navigate, RegistryResourceForm cross-platform path separators, and minor layout/padding changes.
State machine viewStacking and view remounting
workspaces/mi/mi-extension/src/stateMachine.ts
Adds viewStacking intermediate state between viewFinding and viewReady. Introduces viewKey state in MainPanel and PopupPanel to trigger React remounts when view/customProps change. Fixes ResourceView diagnostics normalization and replace-view back-stack behavior in updateStack.
Extension metadata, CHANGELOG, and e2e test updates
workspaces/mi/mi-extension/CHANGELOG.md, workspaces/mi/mi-extension/package.json, workspaces/mi/mi-extension/src/test/e2e-playwright-tests/...
Bumps extension version to 4.1.1, updates description, renames "Add unit test" to "Add MI unit test", adds CHANGELOG entries for versions 4.0.1–4.1.1, and updates Playwright e2e test helpers with new UI labels, stronger synchronization, and skips the multi-workspace suite.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

  • wso2/vscode-extensions#2325: Implements the same MCP Server RPC/API surface additions in MiDiagramAPI and corresponding rpc-type/types files.
  • wso2/vscode-extensions#2396: Shares the same MI_INTEL model clamping logic, getDisplayErrorMessage usage, and byokResolved UI wiring in SettingsPanel/AICodeGenerator.
  • wso2/vscode-extensions#2391: Implements the same bindsTo/bindsToOptions support in ResourceForm, APIform, API mustache templates, and the Service Designer.

Suggested labels

Extension/MI

Suggested reviewers

  • hevayo
  • gigara
  • arunans23

Poem

🐇 Hops into the code with a flourish and flair,
MCP servers blooming like clover everywhere!
AGENTS.md whispers its wisdom per turn,
Opus 4.8 ready, with lessons to learn.
bindsTo the inbound, the tryout's disabled—
This rabbit ships features and never feels jaded! 🌟

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is far too brief and misses the required template sections like Purpose, Goals, Approach, tests, and release notes. Fill out the repository template sections, or explain why each non-applicable section is N/A for this sync PR.
Docstring Coverage ⚠️ Warning Docstring coverage is 48.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly identifies this as an automated sync merge from stable/mi to main.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sync/main-stable/mi-1782808868

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Biome (2.5.1)
common/config/rush/pnpm-config.json

File contains syntax errors that prevent linting: Line 1: JSON standard does not allow comments.; Line 5: End of file expected; Line 8: JSON standard does not allow comments.; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 22: JSON standard does not allow comments.; Line 36: JSON standard does not allow comments.; Line 46: JSON standard does not allow comments.; Line 61: JSON standard does not allow comments.; Line 79: JSON standard does not allow comments.; Line 91: End of file expected; Line 91: End of file expected; Line 91: End of file expected; Line 94: End of file expected; Line 96: JSON standard does not allow comments.; Line 108: End of file expected; Line 108: End of file expected; Line 109: Expected a property but instead found '// "ignoreMissing": ["@eslint/*"],'.; Line 108: End of file expected; Line 109: End of file expected; Line 114: JSON standard does not allow comments.; Line 127: End of

... [truncated 344 characters] ...

an object, or a literal but instead found '// "fsevents"'.; Line 154: End of file expected; Line 155: End of file expected; Line 158: JSON standard does not allow comments.; Line 170: End of file expected; Line 170: End of file expected; Line 171: Expected a property but instead found '// "request": "*"'.; Line 170: End of file expected; Line 171: End of file expected; Line 175: JSON standard does not allow comments.; Line 182: End of file expected; Line 182: End of file expected; Line 182: End of file expected; Line 182: End of file expected; Line 184: JSON standard does not allow comments.; Line 196: End of file expected; Line 196: End of file expected; Line 197: Expected a property but instead found '// "dependencies": {'.; Line 196: End of file expected; Line 197: End of file expected


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 20

🧹 Nitpick comments (4)
workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-manager.ts (1)

6898-6914: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Reuse the shared YAML/candidate-resolution logic.

This block re-implements the candidate-filename derivation already present in buildInputSchemasForAPITools (mcp-server-utils.ts) and calls require("yaml") inside the loop. Consider extracting a shared helper (e.g. readApiSpecForOperation) in mcp-server-utils.ts and hoisting the parse import to module scope to avoid duplication and repeated require calls.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-manager.ts` around
lines 6898 - 6914, This block duplicates the YAML candidate resolution and
parsing logic already used in buildInputSchemasForAPITools, so refactor it to
reuse a shared helper such as readApiSpecForOperation from mcp-server-utils.ts.
Move the candidate-name derivation and file loading/parsing into that helper,
and hoist the yaml parse import to module scope instead of calling
require("yaml") inside the loop. Update the description-building path here to
call the shared helper and use its returned spec before
extractOperationDescription.
workspaces/mi/mi-core/src/rpc-types/mi-visualizer/types.ts (1)

549-574: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Inconsistent inputSchema optionality across the union.

APITool.inputSchema is optional (Line 563) while SequenceTool.inputSchema is required (Line 573). Consumers of UnifiedTool (e.g. ToolsList.saveEdit) treat the field uniformly via inputSchema ?? '', so the divergence is purely cosmetic at runtime but makes the contract ambiguous. Consider aligning both to the same optionality.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-core/src/rpc-types/mi-visualizer/types.ts` around lines 549
- 574, The UnifiedTool contract has inconsistent inputSchema optionality between
APITool and SequenceTool, which makes the shape ambiguous for consumers like
ToolsList.saveEdit that treat it the same way. Update the APITool and
SequenceTool definitions in the mi-visualizer types so inputSchema has the same
optionality on both variants, and keep the union consistent wherever UnifiedTool
is defined or consumed.
workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx (1)

391-413: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Missing key on the mapped wrapper <div>.

The outer .map(([key, value]) => ...) returns a <div> without a key, producing a React reconciliation warning. Use the iteration key (artifact type) as the element key.

♻️ Proposed change
-                            return (!hasOnlyUndefinedItems || hasConnections) && (
-                                <div>
+                            return (!hasOnlyUndefinedItems || hasConnections) && (
+                                <div key={key}>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx`
around lines 391 - 413, The outer element returned from the artifact-type
`.map(([key, value]) => ...)` is missing a React `key`, which causes
reconciliation warnings. Add the iteration `key` from this map to the wrapping
`<div>` in `ProjectStructureView` so each artifact section is uniquely
identified, and keep the inner `Entry` rendering unchanged.
workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/ImportInboundConnector.tsx (1)

43-47: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

onImportSuccess prop is declared but never called.

Success is signaled via CLOSE_VIEW with recentIdentifier: "success" (which InboundEPWizard.importInboundConnector listens for through onParentPopupSubmitted), so onImportSuccess is unused dead surface. Either remove it from ImportInboundConnectorFormProps or invoke it in the success branch to avoid confusing future callers.

Also applies to: 60-81

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/ImportInboundConnector.tsx`
around lines 43 - 47, The success callback in ImportInboundConnectorFormProps is
currently dead surface because the success path already reports via CLOSE_VIEW
with recentIdentifier: "success" and is handled by
InboundEPWizard.importInboundConnector through onParentPopupSubmitted. Update
ImportInboundConnector and its success branch to either remove onImportSuccess
from ImportInboundConnectorFormProps if it is not needed, or call it explicitly
where the import succeeds so the prop matches actual behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common/autoinstallers/rush-plugins/package.json`:
- Line 11: The rush-plugins autoinstaller is pinned to undici 7.x even though
the repo still supports Node >=20.6.0, which can break supported installs below
20.18.1. Update the dependency in package.json for the rush-plugins
autoinstaller by either downgrading undici back to a 6.x release or raising the
repository’s Node engine floor to match undici 7.x, and make sure the chosen
option is reflected consistently where the Node support range is defined.

In `@common/config/rush/.pnpmfile.cjs`:
- Line 30: The lodash override is pinned to the wrong version, leaving the
security fix unapplied. Update the lodash version override in the .pnpmfile.cjs
dependency rewrite and the matching pnpm.overrides entry in package.json so both
use 4.18.1 instead of 4.18.0.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`:
- Around line 583-606: The AGENTS.md loader in readAgentsMd currently follows
symlinks because it relies on statSync/readFileSync, which can let a workspace
inject arbitrary local file content into prompt context. Update readAgentsMd to
reject symlinked AGENTS.md entries by checking the file type with lstatSync (or
equivalent) before any read, and only proceed when the path is a regular file;
if you use realpath containment instead, ensure the resolved target stays within
the expected workspace. Keep the existing truncation logic intact after the
symlink check.

In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`:
- Around line 906-918: The binary deny-list check in the mutation handling for
shell sandboxing misses destructive git operations because `git rm` and `git mv`
are currently treated as plain `git` commands, so their path arguments never
become `mutationPathTokens`. Update `extractPathTokens()` or the mutation
classification path in `shell_sandbox_powershell.ts` to recognize the git
subcommand and mark `git rm`/`git mv` arguments as mutations, then ensure the
existing `blockedBinaryMutationPaths` logic and `hasBlockedBinaryExtension()`
check apply to those paths too.

In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts`:
- Around line 1266-1268: The binary-path deny list in shell_sandbox.ts only
checks writePathTokens, so Git working-tree mutations like git rm and git mv can
slip through because the Git extractor currently only captures clone/init paths.
Update the Git argument extraction and blockedBinaryMutationPaths logic so
mutation commands also contribute their target paths to the same binary
extension check, using the existing shell parsing helpers and git-related
extraction code paths to locate the affected tokens.

In `@workspaces/mi/mi-extension/src/debugger/debugAdapter.ts`:
- Around line 554-574: Guard the async continuations in the debugger startup
flow so they do nothing after a disconnect. In `DebugAdapter` around the
`checkServerReadiness()` and `initializeDebugger()` promise chains, add the
existing `_isDisconnecting` check to both the success path and the catch path
before calling `openRuntimeServicesWebview`, setting
`extension.isServerStarted`, sending `miServerRunStateChanged`, showing errors,
or terminating. This keeps the post-start callbacks from running after
`disconnectRequest()` has already marked the session stopped.

In `@workspaces/mi/mi-extension/src/debugger/debugHelper.ts`:
- Line 242: The module-level activeBuildProcess is being cleared
unconditionally, which lets an older process exit wipe out a newer build handle.
Update the ownership check in debugHelper.ts so the exit/cleanup path only sets
activeBuildProcess to undefined when the exiting process is still the one
currently stored. Use the existing activeBuildProcess tracking in the
build-start and process-exit flow to compare identity (or a stable token/pid)
before clearing it.
- Around line 225-231: The build completion toast in debugHelper.ts should
ignore intentionally aborted builds instead of treating every nonzero close code
as a failure. Update abortBuildAndRun() and the buildProcess.on('close') handler
in DebugHelper to track when a build was killed during disconnect, then skip
both success/failure notifications for that aborted process. Use the existing
build process state in DebugHelper to distinguish normal exits from
abort-triggered SIGKILL closes before calling vscode.window.showErrorMessage.

In `@workspaces/mi/mi-extension/src/project-explorer/activate.ts`:
- Around line 486-490: The delete flow in the `activate` handler is passing the
raw `fileUri` into `deleteApiMetadata`, but that helper expects an `apiPath`
string and will fail when given a `Uri`. Update the call site in the
`item.contextValue === 'api'` branch to pass a path string instead, using
`fileUri.fsPath ?? fileUri`, so `deleteApiMetadata` can safely use
`path.basename` and `path.extname` without throwing.

In `@workspaces/mi/mi-extension/src/stateMachine.ts`:
- Around line 626-634: Do not remove the existing back target when handling
in-place view replacements. In `stateMachine.ts`, update the `event.data.type
=== EVENT_TYPE.REPLACE_VIEW` path so `history.pop()` is not called for
`REPLACE_VIEW`, and keep the existing `OPEN_VIEW`/`previousContext` logic intact
so `history` still preserves the prior navigation target for both form and
non-form views.

In `@workspaces/mi/mi-extension/src/util/mcp-server-utils.ts`:
- Around line 352-359: The sequence-tool XML generation in mcp-server-utils.ts
should not interpolate UnifiedTool.inputSchema directly into CDATA when it may
be undefined. Update the else branch that builds the <tool> block so
<inputSchema> uses the same safe fallback behavior as the API branch (for
example, an empty object/schema default or equivalent), ensuring tool.name,
tool.sequenceName, and tool.description remain unchanged while preventing
literal undefined from being emitted.

In `@workspaces/mi/mi-visualizer/src/Hooks.tsx`:
- Around line 54-56: The download-progress listener is being registered directly
in the Hooks.tsx hook body, so each render adds another
RpcClient.onDownloadProgress subscription and can duplicate setDownloadProgress
updates. Move the subscription setup into a useEffect in the same hook, and
update RpcClient.onDownloadProgress to return an unsubscribe/disposable handle
so the effect can clean it up on unmount or dependency changes.

In `@workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatMessage.tsx`:
- Around line 344-345: `hasAnswerContent` in `AIChatMessage` is missing
`isContextWarning` from the system-only segment checks, so a warning-only
assistant message can incorrectly trigger the `FeedbackBar`. Update the segment
classification logic in `hasAnswerContent` to treat `segment.isContextWarning`
the same way as other system segments (like `isCompactSummary`), and keep the
rendering branch in `ContextWarningSegment` aligned with that behavior.

In `@workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/index.tsx`:
- Around line 226-232: The `handleAcceptDownload` flow is too fragile because
`localConnectors.find(...).id` can throw before `acceptDownload` runs if
`inboundOnconfirmation` is missing or no connector matches. Update
`handleAcceptDownload` to safely resolve the connector id with optional
chaining, check for a missing result, and return early or otherwise bail out
gracefully before calling `acceptDownload`; use the existing
`handleAcceptDownload`, `inboundOnconfirmation`, and `localConnectors` symbols
to keep the fix aligned with the current logic.
- Around line 175-184: The store connector lookup in selectStoreConnector
assumes localConnectors.find(...) always returns a match, so accessing .id can
throw before the requiresDownload fallback runs. Update selectStoreConnector to
safely handle a missing local connector by checking the find result before
reading id, and when no match exists, skip the RPC call and route directly to
requiresDownload(connector). Keep the existing happy path intact for matched
connectors.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/CreateScratchToolDialog.tsx`:
- Around line 60-64: The `sanitizeToolName` helper in `CreateScratchToolDialog`
is only trimming underscores from one end because the final `replace(/^_+|_+$/,
'')` pattern is missing the global flag. Update that sanitization step so both
leading and trailing underscores are removed after normalization, ensuring
inputs like `!weather!` don’t produce a derived name with a trailing underscore
before `tool` is appended.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/MCPServerToolsForm.tsx`:
- Around line 340-343: The sequenceName sanitization in MCPServerToolsForm
should trim both leading and trailing underscores correctly, since the current
replace call uses /^_+|_+$/ without a global flag and may leave a trailing
underscore when both ends match. Update the regex in the sequenceName
construction to remove all matched edge underscores in one pass, and keep the
logic around data.name, the chained replace calls, and the final '_tool' suffix
intact.

In `@workspaces/mi/mi-visualizer/src/views/Forms/RegistryResourceForm.tsx`:
- Around line 279-285: Normalize any backslashes to forward slashes in
handleRegistryPathPrefix() before doing startsWith/endsWith checks or building
the final resPath, so the duplicate lookup and recentIdentifier generation use
the same canonical path form as the later submission step. Update the path
assembly logic around createOptionValue, filePath, and resourceName/templateType
handling to compare and concatenate against a `/`-normalized value rather than
the raw Windows-style input, including the related block in the later section
noted by the comment.

In `@workspaces/mi/mi-visualizer/src/views/Forms/TaskForm.tsx`:
- Around line 267-269: The startOnLoad gate in TaskForm.tsx is using an exact
version match, which incorrectly disables the field on newer supported runtimes.
Update the logic around getProjectDetails, runtimeVersion, and
setIsStartOnLoadSupported to use a minimum-version comparison instead of
compareVersions(...) === 0, so 4.1.0 and later keep the field enabled and
existing startOnLoad values continue to be preserved when saving tasks.

In `@workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx`:
- Around line 310-325: Replace the native confirmation in deleteMCPServer with a
VS Code modal confirmation flow, since window.confirm may not render in
webviews. Update deleteMCPServer to await an extension-host-backed
showWarningMessage call with { modal: true } before invoking
rpcClient.getMiDiagramRpcClient().deleteArtifact for inboundEndpoint.path and
localEntry.path, and keep the delete logic behind the modal result.

---

Nitpick comments:
In `@workspaces/mi/mi-core/src/rpc-types/mi-visualizer/types.ts`:
- Around line 549-574: The UnifiedTool contract has inconsistent inputSchema
optionality between APITool and SequenceTool, which makes the shape ambiguous
for consumers like ToolsList.saveEdit that treat it the same way. Update the
APITool and SequenceTool definitions in the mi-visualizer types so inputSchema
has the same optionality on both variants, and keep the union consistent
wherever UnifiedTool is defined or consumed.

In `@workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-manager.ts`:
- Around line 6898-6914: This block duplicates the YAML candidate resolution and
parsing logic already used in buildInputSchemasForAPITools, so refactor it to
reuse a shared helper such as readApiSpecForOperation from mcp-server-utils.ts.
Move the candidate-name derivation and file loading/parsing into that helper,
and hoist the yaml parse import to module scope instead of calling
require("yaml") inside the loop. Update the description-building path here to
call the shared helper and use its returned spec before
extractOperationDescription.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/ImportInboundConnector.tsx`:
- Around line 43-47: The success callback in ImportInboundConnectorFormProps is
currently dead surface because the success path already reports via CLOSE_VIEW
with recentIdentifier: "success" and is handled by
InboundEPWizard.importInboundConnector through onParentPopupSubmitted. Update
ImportInboundConnector and its success branch to either remove onImportSuccess
from ImportInboundConnectorFormProps if it is not needed, or call it explicitly
where the import succeeds so the prop matches actual behavior.

In `@workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx`:
- Around line 391-413: The outer element returned from the artifact-type
`.map(([key, value]) => ...)` is missing a React `key`, which causes
reconciliation warnings. Add the iteration `key` from this map to the wrapping
`<div>` in `ProjectStructureView` so each artifact section is uniquely
identified, and keep the inner `Entry` rendering unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6d3470f-c23f-4953-8f19-85eb45897d2c

📥 Commits

Reviewing files that changed from the base of the PR and between 654f18a and d223431.

⛔ Files ignored due to path filters (2)
  • common/autoinstallers/rush-plugins/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (144)
  • common/autoinstallers/rush-plugins/package.json
  • common/config/rush/.pnpmfile.cjs
  • common/config/rush/pnpm-config.json
  • package.json
  • workspaces/api-designer/api-designer-extension/package.json
  • workspaces/api-designer/api-designer-visualizer/package.json
  • workspaces/ballerina/ballerina-extension/package.json
  • workspaces/ballerina/ballerina-low-code-diagram/package.json
  • workspaces/ballerina/ballerina-side-panel/package.json
  • workspaces/ballerina/ballerina-visualizer/package.json
  • workspaces/ballerina/bi-diagram/package.json
  • workspaces/ballerina/component-diagram/package.json
  • workspaces/ballerina/graphql/package.json
  • workspaces/ballerina/persist-layer-diagram/package.json
  • workspaces/ballerina/sequence-diagram/package.json
  • workspaces/ballerina/trace-visualizer/package.json
  • workspaces/ballerina/type-diagram/package.json
  • workspaces/choreo/choreo-extension/package.json
  • workspaces/choreo/choreo-webviews/package.json
  • workspaces/mi/mi-core/src/rpc-types/agent-mode/types.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-diagram/index.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-diagram/rpc-type.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-diagram/types.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-visualizer/index.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-visualizer/rpc-type.ts
  • workspaces/mi/mi-core/src/rpc-types/mi-visualizer/types.ts
  • workspaces/mi/mi-core/src/state-machine-types.ts
  • workspaces/mi/mi-diagram/package.json
  • workspaces/mi/mi-diagram/src/components/Diagram.tsx
  • workspaces/mi/mi-diagram/src/components/Form/Keylookup/Keylookup.tsx
  • workspaces/mi/mi-diagram/src/components/nodes/BaseNodeModel.ts
  • workspaces/mi/mi-diagram/src/components/sidePanel/connections/index.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/dataServices/query.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/index.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/mediators/List.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/mediators/Mediator.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/mediators/index.tsx
  • workspaces/mi/mi-diagram/src/components/sidePanel/tryout/SetPayloads.tsx
  • workspaces/mi/mi-extension/CHANGELOG.md
  • workspaces/mi/mi-extension/package.json
  • workspaces/mi/mi-extension/src/RPCLayer.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/agent.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/attachment-utils.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/chat-history-manager.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/connectors_guide.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse-core/synapse_edge_cases.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse-core/synapse_expression_spec.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_expression_guide.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide_old.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/stream_guard.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/file_tools.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/lsp_tools.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/validation-utils.ts
  • workspaces/mi/mi-extension/src/ai-features/auth.ts
  • workspaces/mi/mi-extension/src/ai-features/connection.ts
  • workspaces/mi/mi-extension/src/ai-features/copilot/message-utils.ts
  • workspaces/mi/mi-extension/src/constants/index.ts
  • workspaces/mi/mi-extension/src/debugger/activate.ts
  • workspaces/mi/mi-extension/src/debugger/debugAdapter.ts
  • workspaces/mi/mi-extension/src/debugger/debugHelper.ts
  • workspaces/mi/mi-extension/src/lang-client/ExtendedLanguageClient.ts
  • workspaces/mi/mi-extension/src/project-explorer/activate.ts
  • workspaces/mi/mi-extension/src/project-explorer/project-explorer-provider.ts
  • workspaces/mi/mi-extension/src/rpc-managers/agent-mode/rpc-manager.ts
  • workspaces/mi/mi-extension/src/rpc-managers/ai-features/rpc-handler.ts
  • workspaces/mi/mi-extension/src/rpc-managers/ai-features/rpc-manager.ts
  • workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-handler.ts
  • workspaces/mi/mi-extension/src/rpc-managers/mi-diagram/rpc-manager.ts
  • workspaces/mi/mi-extension/src/rpc-managers/mi-visualizer/rpc-manager.ts
  • workspaces/mi/mi-extension/src/stateMachine.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/components/ArtifactTest/Automation.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/components/ArtifactTest/ClassMediator.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/components/ProjectExplorer.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/components/UnitTest.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/connectorTests/connector.spec.ts
  • workspaces/mi/mi-extension/src/test/e2e-playwright-tests/test.list.ts
  • workspaces/mi/mi-extension/src/util/fileOperations.ts
  • workspaces/mi/mi-extension/src/util/mcp-server-utils.ts
  • workspaces/mi/mi-extension/src/util/template-engine/mustach-templates/tasks.ts
  • workspaces/mi/mi-extension/src/visualizer/activate.ts
  • workspaces/mi/mi-rpc-client/src/rpc-clients/mi-diagram/rpc-client.ts
  • workspaces/mi/mi-rpc-client/src/rpc-clients/mi-visualizer/rpc-client.ts
  • workspaces/mi/mi-visualizer/package.json
  • workspaces/mi/mi-visualizer/src/Hooks.tsx
  • workspaces/mi/mi-visualizer/src/MainPanel.tsx
  • workspaces/mi/mi-visualizer/src/PopupPanel.tsx
  • workspaces/mi/mi-visualizer/src/components/AuthenticationDialog/AuthenticationDialog.tsx
  • workspaces/mi/mi-visualizer/src/components/AuthenticationDialog/useAuthentication.ts
  • workspaces/mi/mi-visualizer/src/components/NavigationBar/HierachicalPath.tsx
  • workspaces/mi/mi-visualizer/src/components/View/ViewContent.tsx
  • workspaces/mi/mi-visualizer/src/constants/index.ts
  • workspaces/mi/mi-visualizer/src/utils/form.ts
  • workspaces/mi/mi-visualizer/src/utils/template-engine/mustache-templates/core/api.ts
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatFooter.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatMessage.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/AICodeGenerator.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/ContextWarningSegment.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/MICopilotContext.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/SettingsPanel.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/constants.ts
  • workspaces/mi/mi-visualizer/src/views/AIPanel/utils.ts
  • workspaces/mi/mi-visualizer/src/views/AIPanel/utils/eventToMessageConverter.ts
  • workspaces/mi/mi-visualizer/src/views/AddArtifact/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Diagram/InboundEndpoint.tsx
  • workspaces/mi/mi-visualizer/src/views/Diagram/Resource.tsx
  • workspaces/mi/mi-visualizer/src/views/Diagram/Task.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/APIform/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/Commons/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/ConnectionForm/ImportConnector.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/ConnectionForm/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/DataServiceForm/MainPanelForms/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/DataServiceForm/ResourceServiceDesigner.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/DataServiceForm/SidePanelForms/OperationForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/DataServiceForm/SidePanelForms/ResourceForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/IDPConnectorForm/IdpConnectorSchemaGenerateForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/ImportInboundConnector.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/inboundConnectorForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/InboundEPform/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/AddAPIToolDialog.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/AddSequenceToolDialog.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/CreateScratchToolDialog.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/MCPServerToolsForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/ToolTypeSelector.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/ToolsList.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/styles.ts
  • workspaces/mi/mi-visualizer/src/views/Forms/ProxyServiceForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/RegistryResourceForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/ResourceForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/TaskForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Forms/Tests/TestSuiteForm.tsx
  • workspaces/mi/mi-visualizer/src/views/Overview/ProjectInformation/index.tsx
  • workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx
  • workspaces/mi/mi-visualizer/src/views/Overview/index.tsx
  • workspaces/mi/mi-visualizer/src/views/ServiceDesigner/index.tsx
  • workspaces/mi/syntax-tree/src/syntax-tree-interfaces.ts
  • workspaces/wso2-platform/wso2-platform-extension/package.json
  • workspaces/wso2-platform/wso2-platform-webviews/package.json
💤 Files with no reviewable changes (1)
  • workspaces/mi/mi-visualizer/src/views/Forms/ProxyServiceForm.tsx

"minimatch": "3.1.5",
"brace-expansion": "1.1.13",
"undici": "6.24.0"
"undici": "7.28.0"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

undici 7 minimum supported Node.js version

💡 Result:

The minimum supported Node.js version for the Undici 7.x release line is Node.js 20.18.1 [1][2][3]. The Undici project maintains an LTS-aligned support schedule for its major versions, and the 7.x branch explicitly requires Node.js ≥20.18.1 [1][2][3]. This requirement is documented in the project's official README and is enforced via the engines field in the package's configuration, which may cause installation warnings or errors in environments using older Node.js versions [2][4]. As of June 30, 2026, the 7.x series remains a supported maintenance line [5]. It is tested against Node.js versions 20, 22, and 24 [1][2][3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== package.json ==\n'
sed -n '1,120p' common/autoinstallers/rush-plugins/package.json

printf '\n== node/runtime constraints ==\n'
rg -n --hidden --glob '!**/node_modules/**' '"engines"|nodeVersion|Node\.js|node ' \
  package.json common rush.json rush-*.json .npmrc .nvmrc .node-version .tool-versions 2>/dev/null || true

printf '\n== files mentioning undici ==\n'
rg -n --hidden --glob '!**/node_modules/**' '"undici"|undici@|undici ' common package.json rush.json 2>/dev/null || true

Repository: wso2/vscode-extensions

Length of output: 3253


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== root package.json (engines/volta/packageManager) ==\n'
python3 - <<'PY'
from pathlib import Path
import json
p = Path('package.json')
data = json.loads(p.read_text())
for k in ['engines', 'volta', 'packageManager', 'os', 'cpu']:
    if k in data:
        print(f'{k}: {data[k]}')
PY

printf '\n== rush.json node settings ==\n'
python3 - <<'PY'
from pathlib import Path
import json
p = Path('rush.json')
data = json.loads(p.read_text())
for k in ['nodeSupportedVersionRange', 'nodeSupportedVersionInstructions', 'pnpmVersion', 'rushVersion']:
    if k in data:
        print(f'{k}: {data[k]}')
PY

printf '\n== rush.json excerpt around node-related settings ==\n'
sed -n '1,120p' rush.json

Repository: wso2/vscode-extensions

Length of output: 846


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== rush.json lines 1-120 ==\n'
cat -n rush.json | sed -n '1,120p'

printf '\n== root package.json ==\n'
cat -n package.json | sed -n '1,140p'

printf '\n== CI / workflow node version references ==\n'
rg -n --hidden --glob '!**/node_modules/**' 'node-version|Node\.js|setup-node|actions/setup-node|20\.18|20\.19|22\.|24\.' .github common package.json rush.json 2>/dev/null || true

Repository: wso2/vscode-extensions

Length of output: 13786


Keep undici 6.x or raise the Node floor
undici 7.x requires Node >=20.18.1, but this repo still supports >=20.6.0 <23.0.0, so the autoinstaller can break on supported 20.6–20.18 installs. Either bump the repo’s Node range or stay on 6.x.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@common/autoinstallers/rush-plugins/package.json` at line 11, The rush-plugins
autoinstaller is pinned to undici 7.x even though the repo still supports Node
>=20.6.0, which can break supported installs below 20.18.1. Update the
dependency in package.json for the rush-plugins autoinstaller by either
downgrading undici back to a 6.x release or raising the repository’s Node engine
floor to match undici 7.x, and make sure the chosen option is reflected
consistently where the Node support range is defined.

if (deps['eslint']) deps['eslint'] = '^9.27.0';
if (deps['fast-xml-parser']) deps['fast-xml-parser'] = '5.7.0';
if (deps['esbuild']) deps['esbuild'] = '0.25.12';
if (deps['lodash']) deps['lodash'] = '4.18.0';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin lodash to 4.18.1, not 4.18.0.

lodash 4.18.1 ships a prototype-pollution fix for _.unset/_.omit (constructor/prototype path traversal, GHSA-f23m-r3pf-42rh). Pinning the override to exactly 4.18.0 leaves that hole unpatched, which defeats the security intent of this override block. The same 4.18.0 pin is present in the root package.json pnpm.overrides (line 21); update both.

🛡️ Proposed fix
-        if (deps['lodash']) deps['lodash'] = '4.18.0';
+        if (deps['lodash']) deps['lodash'] = '4.18.1'; // security fix: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (deps['lodash']) deps['lodash'] = '4.18.0';
if (deps['lodash']) deps['lodash'] = '4.18.1'; // security fix: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@common/config/rush/.pnpmfile.cjs` at line 30, The lodash override is pinned
to the wrong version, leaving the security fix unapplied. Update the lodash
version override in the .pnpmfile.cjs dependency rewrite and the matching
pnpm.overrides entry in package.json so both use 4.18.1 instead of 4.18.0.

Comment on lines +583 to +606
function readAgentsMd(projectPath: string): { content: string; truncated: boolean; originalSize: number } | undefined {
const agentsMdPath = path.join(projectPath, 'AGENTS.md');
if (!fs.existsSync(agentsMdPath)) {
return undefined;
}
try {
const stat = fs.statSync(agentsMdPath);
if (!stat.isFile()) {
return undefined;
}
const originalSize = stat.size;
if (originalSize <= AGENTS_MD_MAX_BYTES) {
const content = fs.readFileSync(agentsMdPath, 'utf8');
return { content, truncated: false, originalSize };
}
// Oversized — read only the first AGENTS_MD_MAX_BYTES bytes. Open as
// a file descriptor so we don't pull the whole file into memory just
// to slice it.
const fd = fs.openSync(agentsMdPath, 'r');
try {
const buffer = Buffer.allocUnsafe(AGENTS_MD_MAX_BYTES);
const bytesRead = fs.readSync(fd, buffer, 0, AGENTS_MD_MAX_BYTES, 0);
const content = buffer.subarray(0, bytesRead).toString('utf8');
return { content, truncated: true, originalSize };

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmp_dir="$(mktemp -d)"
secret_file="$(mktemp)"
echo "SECRET_DO_NOT_SEND" > "$secret_file"
ln -s "$secret_file" "$tmp_dir/AGENTS.md"

node - "$tmp_dir" <<'NODE'
const fs = require('fs');
const path = require('path');
const root = process.argv[2];
const file = path.join(root, 'AGENTS.md');
console.log({
  statIsFile: fs.statSync(file).isFile(),
  lstatIsFile: fs.lstatSync(file).isFile(),
  isSymlink: fs.lstatSync(file).isSymbolicLink(),
  contentRead: fs.readFileSync(file, 'utf8').trim(),
});
NODE

Repository: wso2/vscode-extensions

Length of output: 261


Do not follow symlinks when loading AGENTS.md.
statSync/readFileSync will traverse a symlinked AGENTS.md, so an untrusted workspace can point it at any readable local file and inject that content into prompt context. Skip symlinks or enforce realpath containment before reading.

🧰 Tools
🪛 ast-grep (0.44.0)

[warning] 594-594: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.readFileSync(agentsMdPath, 'utf8')
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(detect-non-literal-fs-filename-typescript)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`
around lines 583 - 606, The AGENTS.md loader in readAgentsMd currently follows
symlinks because it relies on statSync/readFileSync, which can let a workspace
inject arbitrary local file content into prompt context. Update readAgentsMd to
reject symlinked AGENTS.md entries by checking the file type with lstatSync (or
equivalent) before any read, and only proceed when the path is a regular file;
if you use realpath containment instead, ensure the resolved target stays within
the expected workspace. Keep the existing truncation logic intact after the
symlink check.

Comment on lines +906 to +918
const blockedBinaryMutationPaths = dedupe(
extractedPathTokens.mutationPathTokens.filter(
(token) => hasBlockedBinaryExtension(path.win32.basename(stripWrappingQuotes(token)))
)
);
if (blockedBinaryMutationPaths.length > 0) {
blocked = true;
reasons.push(
`Mutating binary file paths is blocked (write/edit/delete/rename; matches the file-tool deny-list). ` +
`Blocked path(s): ${blockedBinaryMutationPaths.join(', ')}. ` +
`Use directory-level operations (e.g. \`Remove-Item -Recurse dist\`) instead of targeting binary files by name.`
);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify PowerShell analyzer coverage for external mutation commands and path extraction.
rg -n -C 4 'POWERSHELL_MUTATION_COMMANDS|mutationFromCommands|isMutationCommand|git|npm|pnpm|yarn|pip|mutationPathTokens' workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts

Repository: wso2/vscode-extensions

Length of output: 6723


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts

# Map the relevant symbols first.
ast-grep outline "$FILE" --view expanded >/tmp/ps_outline.txt || true
sed -n '1,220p' /tmp/ps_outline.txt

# Read the command-name and path-extraction related sections.
sed -n '430,640p' "$FILE"
echo '---'
sed -n '820,930p' "$FILE"

Repository: wso2/vscode-extensions

Length of output: 16268


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts

# Inspect the analyzer flow that builds commandNames and segments.
sed -n '700,860p' "$FILE"
echo '---'
sed -n '860,1020p' "$FILE"

Repository: wso2/vscode-extensions

Length of output: 12803


Track destructive git subcommands as mutations. git rm foo.jar / git mv foo.jar bar.jar are parsed as git, so their path arguments never reach mutationPathTokens and the binary deny-list check here won’t fire. Special-case git rm / git mv in extractPathTokens() or propagate the git subcommand into mutation classification.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`
around lines 906 - 918, The binary deny-list check in the mutation handling for
shell sandboxing misses destructive git operations because `git rm` and `git mv`
are currently treated as plain `git` commands, so their path arguments never
become `mutationPathTokens`. Update `extractPathTokens()` or the mutation
classification path in `shell_sandbox_powershell.ts` to recognize the git
subcommand and mark `git rm`/`git mv` arguments as mutations, then ensure the
existing `blockedBinaryMutationPaths` logic and `hasBlockedBinaryExtension()`
check apply to those paths too.

Comment on lines +1266 to +1268
const blockedBinaryMutationPaths = writePathTokens.filter(
(token) => !hasDynamicShellExpansion(token) && hasBlockedBinaryExtension(path.basename(token))
);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Cover Git working-tree mutations in the binary-path block.

blockedBinaryMutationPaths only inspects writePathTokens, but the Git extractor above only records paths for clone/init. Commands like git rm lib/foo.jar or git mv foo.jar bar.jar are mutations, but their binary targets never reach this deny-list and can proceed via approval instead of being blocked.

🛡️ Proposed extraction coverage
         if (subcommand === 'clone' && positionalArgs.length >= 2) {
             writePaths.push(positionalArgs[positionalArgs.length - 1]);
         } else if (subcommand === 'init' && positionalArgs.length >= 1) {
             writePaths.push(positionalArgs[positionalArgs.length - 1]);
+        } else if (['rm', 'mv', 'restore', 'checkout'].includes(subcommand)) {
+            writePaths.push(
+                ...positionalArgs
+                    .map((token) => stripWrappingQuotes(token))
+                    .filter((token) => looksLikePathToken(token))
+            );
         }

Also applies to: 1295-1301

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts`
around lines 1266 - 1268, The binary-path deny list in shell_sandbox.ts only
checks writePathTokens, so Git working-tree mutations like git rm and git mv can
slip through because the Git extractor currently only captures clone/init paths.
Update the Git argument extraction and blockedBinaryMutationPaths logic so
mutation commands also contribute their target paths to the same binary
extension check, using the existing shell parsing helpers and git-related
extraction code paths to locate the affected tokens.

Comment on lines +60 to +64
const sanitizeToolName = (raw: string): string =>
raw.trim().toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/_{2,}/g, '_')
.replace(/^_+|_+$/, '');

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Trailing underscores not stripped when both ends have underscores.

/^_+|_+$/ lacks the global flag, so replace only removes the first matching alternation. For a value that ends up with leading and trailing underscores after sanitization (e.g. "!weather!""_weather_"), only the leading underscores are removed, yielding "weather_" and ultimately a derived sequence name like weather__tool. Add the g flag so both ends are trimmed.

🐛 Proposed fix
-        .replace(/^_+|_+$/, '');
+        .replace(/^_+|_+$/g, '');
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const sanitizeToolName = (raw: string): string =>
raw.trim().toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/_{2,}/g, '_')
.replace(/^_+|_+$/, '');
const sanitizeToolName = (raw: string): string =>
raw.trim().toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/_{2,}/g, '_')
.replace(/^_+|_+$/g, '');
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/CreateScratchToolDialog.tsx`
around lines 60 - 64, The `sanitizeToolName` helper in `CreateScratchToolDialog`
is only trimming underscores from one end because the final `replace(/^_+|_+$/,
'')` pattern is missing the global flag. Update that sanitization step so both
leading and trailing underscores are removed after normalization, ensuring
inputs like `!weather!` don’t produce a derived name with a trailing underscore
before `tool` is appended.

Comment on lines +340 to +343
const sequenceName = data.name.toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/_{2,}/g, '_')
.replace(/^_+|_+$/, '') + '_tool';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Missing global flag in trim regex.

/^_+|_+$/ without the g flag replaces only the first matched alternative. For a name that produces both leading and trailing underscores (e.g. _foo_), only the leading underscores are stripped, yielding foo__tool instead of foo_tool.

🐛 Proposed fix
-                .replace(/^_+|_+$/, '') + '_tool';
+                .replace(/^_+|_+$/g, '') + '_tool';
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const sequenceName = data.name.toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/_{2,}/g, '_')
.replace(/^_+|_+$/, '') + '_tool';
const sequenceName = data.name.toLowerCase()
.replace(/[^a-z0-9]/g, '_')
.replace(/^_+|_+$/g, '') + '_tool';
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@workspaces/mi/mi-visualizer/src/views/Forms/MCPServerForm/MCPServerToolsForm.tsx`
around lines 340 - 343, The sequenceName sanitization in MCPServerToolsForm
should trim both leading and trailing underscores correctly, since the current
replace call uses /^_+|_+$/ without a global flag and may leave a trailing
underscore when both ends match. Update the regex in the sequenceName
construction to remove all matched edge underscores in one pass, and keep the
logic around data.name, the chained replace calls, and the final '_tool' suffix
intact.

Comment on lines +279 to +285
resPath = PATH_SEPARATORS.some(sep => resourceDirPath.startsWith(sep)) ? resPath + resourceDirPath.substring(1) : resPath + resourceDirPath;
if (createOptionValue) {
resPath.endsWith('/') ? resPath = resPath + getValues("resourceName") + getFileExtension(getValues('templateType'))
PATH_SEPARATORS.some(sep => resPath.endsWith(sep)) ? resPath = resPath + getValues("resourceName") + getFileExtension(getValues('templateType'))
: resPath = resPath + '/' + getValues("resourceName") + getFileExtension(getValues('templateType'));
} else {
const filename = getValues("filePath").split('/').pop();
resPath.endsWith('/') ? resPath = resPath + filename : resPath = resPath + '/' + filename;
const filename = getValues("filePath").split(/[/\\]/).pop();
PATH_SEPARATORS.some(sep => resPath.endsWith(sep)) ? resPath = resPath + filename : resPath = resPath + '/' + filename;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Normalize \ to / before path comparisons.

These helpers now keep internal backslashes, but handleRegistryPathPrefix() later canonicalizes the submitted path to /. On Windows that can make the duplicate check miss an existing resource/registry entry and produce a mismatched recentIdentifier.

Suggested fix
     const formatResourcePath = (resourceDirPath: string) => {
+        const normalizedResourceDirPath = resourceDirPath.replace(/[\\]/g, '/');
         let resPath = 'resources:';
-        resPath = PATH_SEPARATORS.some(sep => resourceDirPath.startsWith(sep)) ? resPath + resourceDirPath.substring(1) : resPath + resourceDirPath;
+        resPath = normalizedResourceDirPath.startsWith('/') ? resPath + normalizedResourceDirPath.substring(1) : resPath + normalizedResourceDirPath;
         if (createOptionValue) {
-            PATH_SEPARATORS.some(sep => resPath.endsWith(sep)) ? resPath = resPath + getValues("resourceName") + getFileExtension(getValues('templateType'))
+            PATH_SEPARATORS.some(sep => resPath.endsWith(sep)) ? resPath = resPath + getValues("resourceName") + getFileExtension(getValues('templateType'))
                 : resPath = resPath + '/' + getValues("resourceName") + getFileExtension(getValues('templateType'));
         } else {
-            const filename = getValues("filePath").split(/[/\\]/).pop();
+            const filename = getValues("filePath").split(/[/\\]/).pop();
             PATH_SEPARATORS.some(sep => resPath.endsWith(sep)) ? resPath = resPath + filename : resPath = resPath + '/' + filename;
         }
         return resPath;
     }

     const formatRegistryPath = (path: string) => {
+        const normalizedPath = path.replace(/[\\]/g, '/');
         let regPath = '';
         if (getValues("registryType") === 'gov') {
             regPath = 'gov:';
         } else {
             regPath = 'conf:';
         }
-        PATH_SEPARATORS.some(sep => path.startsWith(sep)) ? regPath = regPath + path.substring(1) : regPath = regPath + path;
+        normalizedPath.startsWith('/') ? regPath = regPath + normalizedPath.substring(1) : regPath = regPath + normalizedPath;

Also applies to: 297-303

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-visualizer/src/views/Forms/RegistryResourceForm.tsx` around
lines 279 - 285, Normalize any backslashes to forward slashes in
handleRegistryPathPrefix() before doing startsWith/endsWith checks or building
the final resPath, so the duplicate lookup and recentIdentifier generation use
the same canonical path form as the later submission step. Update the path
assembly logic around createOptionValue, filePath, and resourceName/templateType
handling to compare and concatenate against a `/`-normalized value rather than
the raw Windows-style input, including the related block in the later section
noted by the comment.

Comment on lines +267 to +269
const projectDetails = await rpcClient.getMiVisualizerRpcClient().getProjectDetails();
const runtimeVersion = projectDetails.primaryDetails.runtimeVersion.value;
setIsStartOnLoadSupported(compareVersions(runtimeVersion, RUNTIME_VERSION_410) === 0);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Use a minimum-version check for startOnLoad.

This gate only enables the feature on exactly 4.1.0. On 4.1.1+, the form hides the field, Line 308 stops sending startOnLoad, and updating an existing task can drop the XML attribute even though the backend already parses and templates it.

Suggested fix
-            setIsStartOnLoadSupported(compareVersions(runtimeVersion, RUNTIME_VERSION_410) === 0);
+            setIsStartOnLoadSupported(compareVersions(runtimeVersion, RUNTIME_VERSION_410) >= 0);
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const projectDetails = await rpcClient.getMiVisualizerRpcClient().getProjectDetails();
const runtimeVersion = projectDetails.primaryDetails.runtimeVersion.value;
setIsStartOnLoadSupported(compareVersions(runtimeVersion, RUNTIME_VERSION_410) === 0);
const projectDetails = await rpcClient.getMiVisualizerRpcClient().getProjectDetails();
const runtimeVersion = projectDetails.primaryDetails.runtimeVersion.value;
setIsStartOnLoadSupported(compareVersions(runtimeVersion, RUNTIME_VERSION_410) >= 0);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-visualizer/src/views/Forms/TaskForm.tsx` around lines 267 -
269, The startOnLoad gate in TaskForm.tsx is using an exact version match, which
incorrectly disables the field on newer supported runtimes. Update the logic
around getProjectDetails, runtimeVersion, and setIsStartOnLoadSupported to use a
minimum-version comparison instead of compareVersions(...) === 0, so 4.1.0 and
later keep the field enabled and existing startOnLoad values continue to be
preserved when saving tasks.

Comment on lines +310 to +325
const deleteMCPServer = (entry: any) => {
const inboundPath = entry.inboundEndpoint?.path;
const localEntryPath = entry.localEntry?.path;

const confirmed = window.confirm(`Are you sure you want to delete MCP Server "${entry.name}"? This action cannot be undone.`);
if (!confirmed) {
return;
}

if (inboundPath) {
rpcClient.getMiDiagramRpcClient().deleteArtifact({ path: inboundPath, enableUndo: false });
}
if (localEntryPath) {
rpcClient.getMiDiagramRpcClient().deleteArtifact({ path: localEntryPath, enableUndo: false });
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does window.confirm work inside a VS Code webview iframe?

💡 Result:

No, window.confirm does not work inside a VS Code webview [1][2][3]. VS Code intentionally blocks the use of window.confirm, window.alert, and window.prompt within webviews [2][3]. Because webviews operate within a sandboxed iframe environment, these browser-native modal dialogs are disabled by design to maintain a consistent UI experience and prevent untrusted or third-party content from disrupting the editor [2][3]. If your application requires user confirmation or input, the recommended approach is to use VS Code's native extension APIs, which are designed to handle these interactions within the editor's UI [1][2]: 1. Use postMessage: Send a message from your webview to your extension host using the acquireVsCodeApi instance [4]. 2. Invoke Native APIs: Inside your extension, receive the message and use VS Code's native UI methods, such as vscode.window.showInformationMessage or vscode.window.showQuickPick [1][2]. These methods support a modal option (e.g., {modal: true}) to provide a similar user experience to a standard confirmation dialog [1][2]. If you are using third-party libraries that rely on window.confirm or window.alert, you must override these global functions in your webview code to intercept the calls and redirect them to the extension host via postMessage [1][2].

Citations:


Replace window.confirm with a VS Code modal. Native confirm dialogs are disabled in webviews, so this guard may not render; use an extension-host-backed showWarningMessage(..., { modal: true }) flow before calling deleteArtifact.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-visualizer/src/views/Overview/ProjectStructureView.tsx`
around lines 310 - 325, Replace the native confirmation in deleteMCPServer with
a VS Code modal confirmation flow, since window.confirm may not render in
webviews. Update deleteMCPServer to await an extension-host-backed
showWarningMessage call with { modal: true } before invoking
rpcClient.getMiDiagramRpcClient().deleteArtifact for inboundEndpoint.path and
localEntry.path, and keep the delete logic behind the modal result.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants