refactor: restructure project - move server files to root, merge package.json, rewrite .gitignore

.env.example

@@ -1,2 +1,4 @@
 N8N_WEBHOOK_URL=https://your-n8n-instance/webhook/scan
 N8N_TIMEOUT_SECONDS=20
+PORT=5000
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:5173

.gitignore

@@ -1,208 +1,32 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[codz]
-*$py.class
+# ─── Dependencies ────────────────────────────────────────────────────────────
+node_modules/
 
-# C extensions
-*.so
+# ─── Build output ─────────────────────────────────────────────────────────────
+out/
+*.js.map
 
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
+# ─── VS Code Extension package ────────────────────────────────────────────────
+*.vsix
 
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py.cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# UV
-#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#uv.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-#poetry.toml
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
-#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
-#pdm.lock
-#pdm.toml
-.pdm-python
-.pdm-build/
-
-# pixi
-#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
-#pixi.lock
-#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
-#   in the .venv directory. It is recommended not to include this directory in version control.
-.pixi
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
+# ─── Environment / Secrets ────────────────────────────────────────────────────
 .env
 .envrc
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
 
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
-
-# Abstra
-# Abstra is an AI-powered process automation framework.
-# Ignore directories containing user credentials, local state, and settings.
-# Learn more at https://abstra.io/docs
-.abstra/
-
-# Visual Studio Code
-#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
-#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
-#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
-#  you could uncomment the following to ignore the entire vscode folder
-# .vscode/
-
-# Ruff stuff:
-.ruff_cache/
-
-# PyPI configuration file
-.pypirc
+# ─── Logs ─────────────────────────────────────────────────────────────────────
+*.log
+npm-debug.log*
 
-# Cursor
-#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
-#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
-#  refer to https://docs.cursor.com/context/ignore-files
-.cursorignore
-.cursorindexingignore
+# ─── Test coverage ────────────────────────────────────────────────────────────
+coverage/
+.nyc_output/
 
-# Marimo
-marimo/_static/
-marimo/_lsp/
-__marimo__/
+# ─── macOS ────────────────────────────────────────────────────────────────────
 .DS_Store
+
+# ─── Editor / IDE ─────────────────────────────────────────────────────────────
+.idea/
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Change Log
+
+All notable changes to the "cerberus" extension will be documented in this file.
+
+Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how to structure this file.
+
+## [Unreleased]
+
+- Initial release

TESTING.md

@@ -0,0 +1,125 @@
+# Testing the Cerberus VS Code Extension
+
+## Prerequisites
+1. Node.js installed
+2. VS Code installed
+3. Backend server dependencies installed
+
+## Setup
+
+### 1. Install Extension Dependencies
+```bash
+npm install
+```
+
+### 2. Install and Start Backend Server
+```bash
+cd server
+npm install
+npm start
+```
+
+The server will run on http://localhost:5000
+
+### 3. Compile Extension
+```bash
+npm run compile
+```
+
+Or watch for changes:
+```bash
+npm run watch
+```
+
+## Running the Extension
+
+### Option 1: Press F5 (Debug Mode)
+1. Open the project in VS Code
+2. Press `F5` to launch the Extension Development Host
+3. A new VS Code window will open with the extension loaded
+
+### Option 2: Install Locally
+```bash
+vsce package
+```
+Then install the `.vsix` file in VS Code.
+
+## Testing
+
+### Create a Test File
+Create a file called `test_vulnerable.py` with this content:
+
+```python
+def get_user(user_id):
+    import sqlite3
+    conn = sqlite3.connect('users.db')
+    cursor = conn.cursor()
+    # SQL Injection vulnerability - unsafe string concatenation
+    query = 'SELECT * FROM users WHERE id = ' + user_id
+    cursor.execute(query)
+    return cursor.fetchone()
+
+def login(username, password):
+    import sqlite3
+    conn = sqlite3.connect('users.db')
+    cursor = conn.cursor()
+    # Another SQL injection
+    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
+    cursor.execute(query)
+    return cursor.fetchone()
+```
+
+### Using the Extension
+
+1. **Open the Cerberus Panel**
+   - Click the shield icon (🛡️) in the Activity Bar on the left
+   - Or run command: `Cerberus: View Results`
+
+2. **Run a Scan**
+   - Click the shield icon in the panel title bar
+   - Or run command: `Cerberus: Scan for Vulnerabilities`
+   - Or press `Ctrl+Shift+P` → type "Cerberus: Scan"
+
+3. **View Results**
+   - Vulnerabilities will appear in the tree view
+   - Expand files to see individual vulnerabilities
+   - Click a vulnerability to see the fix preview
+
+4. **Apply Fixes**
+   - Right-click a vulnerability → "Apply Fix"
+   - Or right-click a file → "Fix All in File"
+   - The file will be automatically updated and saved
+
+## Features
+
+- 🔍 **Scan Workspace**: Scans all code files for vulnerabilities
+- 🛠️ **Apply Fix**: Automatically applies AI-suggested fixes
+- 📁 **File Tree**: Hierarchical view of vulnerabilities by file
+- ⚡ **Real-time**: Instant feedback on scan progress
+- 🎯 **Context Menu**: Right-click actions for quick fixes
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `Cerberus: Scan for Vulnerabilities` | Scan current workspace |
+| `Cerberus: Apply Fix` | Apply fix to selected vulnerability |
+| `Cerberus: Fix All in File` | Apply all fixes in a file |
+| `Cerberus: View Results` | Focus the Cerberus panel |
+
+## Troubleshooting
+
+### "Failed to connect to backend server"
+- Make sure the server is running: `cd server && npm start`
+- Check if port 5000 is available
+- Verify the server is accessible: `curl http://localhost:5000/api/health`
+
+### Extension not loading
+- Run `npm run compile` to build the extension
+- Check the Debug Console for errors
+- Make sure `out/extension.js` exists
+
+### Scan hangs or times out
+- Large projects may take several minutes
+- The timeout is set to 5 minutes
+- Try scanning a smaller folder first

app.py

@@ -1,10 +0,0 @@
-from dotenv import load_dotenv
-
-from cerberus_api import create_app
-
-load_dotenv()
-app = create_app()
-
-
-if __name__ == "__main__":
-    app.run(host="0.0.0.0", port=5000, debug=True)

cerberus_api/__init__.py

@@ -1,35 +0,0 @@
-import logging
-
-from flask import Flask, request
-from flask_cors import CORS
-
-from .config import Config
-from .routes import api_bp
-
-
-def create_app() -> Flask:
-    app = Flask(__name__)
-    app.config.from_object(Config)
-
-    _configure_logging(app)
-    CORS(app, resources={r"/api/*": {"origins": "*"}})
-    app.register_blueprint(api_bp)
-
-    @app.before_request
-    def log_incoming_request() -> None:
-        app.logger.info(
-            "Incoming request method=%s path=%s remote=%s",
-            request.method,
-            request.path,
-            request.remote_addr,
-        )
-
-    return app
-
-
-def _configure_logging(app: Flask) -> None:
-    logging.basicConfig(
-        level=logging.INFO,
-        format="%(asctime)s | %(levelname)s | %(name)s | %(message)s",
-    )
-    app.logger.setLevel(logging.INFO)

cerberus_api/config.py

@@ -1,9 +0,0 @@
-import os
-
-
-class Config:
-    N8N_WEBHOOK_URL = os.getenv(
-        "N8N_WEBHOOK_URL",
-        "https://n8n.shravanpandala.me/webhook/scan",
-    )
-    N8N_TIMEOUT_SECONDS = float(os.getenv("N8N_TIMEOUT_SECONDS", "20"))

cerberus_api/n8n_client.py

@@ -1,55 +0,0 @@
-from __future__ import annotations
-
-import requests
-from requests.exceptions import RequestException, Timeout
-
-
-class N8NWebhookError(Exception):
-    pass
-
-
-class N8NWebhookTimeoutError(N8NWebhookError):
-    pass
-
-
-class N8NWebhookUpstreamError(N8NWebhookError):
-    pass
-
-
-class N8NWebhookResponseError(N8NWebhookError):
-    pass
-
-
-def patch_code_via_n8n(*, code: str, webhook_url: str, timeout_seconds: float) -> str:
-    try:
-        response = requests.post(
-            webhook_url,
-            json={"code": code},
-            timeout=timeout_seconds,
-        )
-    except Timeout as exc:
-        raise N8NWebhookTimeoutError("n8n webhook request timed out") from exc
-    except RequestException as exc:
-        raise N8NWebhookUpstreamError("Failed to call n8n webhook") from exc
-
-    if response.status_code >= 500:
-        raise N8NWebhookUpstreamError(
-            f"n8n webhook returned server error {response.status_code}"
-        )
-    if response.status_code >= 400:
-        raise N8NWebhookUpstreamError(
-            f"n8n webhook returned unexpected status {response.status_code}"
-        )
-
-    try:
-        payload = response.json()
-    except ValueError as exc:
-        raise N8NWebhookResponseError("n8n webhook response was not valid JSON") from exc
-
-    corrected_code = payload.get("corrected_code")
-    if not isinstance(corrected_code, str):
-        raise N8NWebhookResponseError(
-            "n8n webhook response missing 'corrected_code' string"
-        )
-
-    return corrected_code

cerberus_api/routes.py

@@ -1,67 +0,0 @@
-from __future__ import annotations
-
-from flask import Blueprint, current_app, jsonify, request
-
-from .n8n_client import (
-    N8NWebhookResponseError,
-    N8NWebhookTimeoutError,
-    N8NWebhookUpstreamError,
-    patch_code_via_n8n,
-)
-
-api_bp = Blueprint("api", __name__)
-
-
-@api_bp.get("/api/health")
-def health():
-    return jsonify({"status": "ok"}), 200
-
-
-@api_bp.post("/api/patch-code")
-def patch_code():
-    if not request.is_json:
-        return (
-            jsonify(
-                {
-                    "error": "Invalid payload",
-                    "message": "Request must be JSON: {'code': 'raw python string'}",
-                }
-            ),
-            400,
-        )
-
-    payload = request.get_json(silent=True) or {}
-    code = payload.get("code")
-
-    if not isinstance(code, str):
-        return (
-            jsonify(
-                {
-                    "error": "Invalid payload",
-                    "message": "Field 'code' is required and must be a string.",
-                }
-            ),
-            400,
-        )
-
-    current_app.logger.info("Processing patch request code_length=%s", len(code))
-
-    try:
-        corrected_code = patch_code_via_n8n(
-            code=code,
-            webhook_url=current_app.config["N8N_WEBHOOK_URL"],
-            timeout_seconds=current_app.config["N8N_TIMEOUT_SECONDS"],
-        )
-    except (N8NWebhookTimeoutError, N8NWebhookUpstreamError, N8NWebhookResponseError):
-        current_app.logger.exception("n8n webhook call failed")
-        return (
-            jsonify(
-                {
-                    "error": "Bad Gateway",
-                    "message": "Unable to retrieve corrected code from n8n webhook.",
-                }
-            ),
-            502,
-        )
-
-    return jsonify({"corrected_code": corrected_code}), 200

eslint.config.mjs

@@ -0,0 +1,27 @@
+import typescriptEslint from "typescript-eslint";
+
+export default [{
+    files: ["**/*.ts"],
+}, {
+    plugins: {
+        "@typescript-eslint": typescriptEslint.plugin,
+    },
+
+    languageOptions: {
+        parser: typescriptEslint.parser,
+        ecmaVersion: 2022,
+        sourceType: "module",
+    },
+
+    rules: {
+        "@typescript-eslint/naming-convention": ["warn", {
+            selector: "import",
+            format: ["camelCase", "PascalCase"],
+        }],
+
+        curly: "warn",
+        eqeqeq: "warn",
+        "no-throw-literal": "warn",
+        semi: "warn",
+    },
+}];

n8nClient.js

@@ -0,0 +1,103 @@
+/**
+ * n8n Webhook Client
+ * Handles communication with the n8n workflow for code analysis and patching
+ */
+
+const axios = require('axios');
+
+class N8NWebhookError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'N8NWebhookError';
+  }
+}
+
+class N8NWebhookTimeoutError extends N8NWebhookError {
+  constructor(message) {
+    super(message);
+    this.name = 'N8NWebhookTimeoutError';
+  }
+}
+
+class N8NWebhookUpstreamError extends N8NWebhookError {
+  constructor(message) {
+    super(message);
+    this.name = 'N8NWebhookUpstreamError';
+  }
+}
+
+class N8NWebhookResponseError extends N8NWebhookError {
+  constructor(message) {
+    super(message);
+    this.name = 'N8NWebhookResponseError';
+  }
+}
+
+/**
+ * Send code to n8n webhook for vulnerability analysis and correction
+ * @param {Object} params
+ * @param {string} params.code - The code to analyze
+ * @param {string} params.webhookUrl - The n8n webhook URL
+ * @param {number} params.timeoutSeconds - Request timeout in seconds
+ * @returns {Promise<string>} - The corrected code
+ */
+async function patchCodeViaN8n({ code, webhookUrl, timeoutSeconds }) {
+  try {
+    console.log(`[DEBUG] Sending code to n8n (length: ${code.length} chars)`);
+    console.log(`[DEBUG] First 100 chars: ${code.substring(0, 100).replace(/\n/g, '\\n')}...`);
+    
+    const response = await axios.post(
+      webhookUrl,
+      { code },
+      {
+        timeout: timeoutSeconds * 1000,
+        headers: {
+          'Content-Type': 'application/json'
+        }
+      }
+    );
+    
+    console.log(`[DEBUG] n8n response status: ${response.status}`);
+    console.log(`[DEBUG] Response preview: ${JSON.stringify(response.data).substring(0, 100)}...`);
+
+    if (response.status >= 500) {
+      throw new N8NWebhookUpstreamError(`n8n webhook returned server error ${response.status}`);
+    }
+    if (response.status >= 400) {
+      throw new N8NWebhookUpstreamError(`n8n webhook returned unexpected status ${response.status}`);
+    }
+
+    const payload = response.data;
+    const correctedCode = payload.corrected_code;
+
+    if (typeof correctedCode !== 'string') {
+      throw new N8NWebhookResponseError("n8n webhook response missing 'corrected_code' string");
+    }
+
+    return correctedCode;
+  } catch (error) {
+    if (error.code === 'ECONNABORTED' || error.code === 'ETIMEDOUT') {
+      throw new N8NWebhookTimeoutError('n8n webhook request timed out');
+    }
+    if (error.response) {
+      if (error.response.status >= 500) {
+        throw new N8NWebhookUpstreamError(`n8n webhook returned server error ${error.response.status}`);
+      }
+      if (error.response.status >= 400) {
+        throw new N8NWebhookUpstreamError(`n8n webhook returned unexpected status ${error.response.status}`);
+      }
+    }
+    if (error instanceof N8NWebhookError) {
+      throw error;
+    }
+    throw new N8NWebhookUpstreamError(`Failed to call n8n webhook: ${error.message}`);
+  }
+}
+
+module.exports = {
+  N8NWebhookError,
+  N8NWebhookTimeoutError,
+  N8NWebhookUpstreamError,
+  N8NWebhookResponseError,
+  patchCodeViaN8n
+};

package.json

@@ -0,0 +1,115 @@
+{
+  "name": "cerberus",
+  "displayName": "cerberus",
+  "description": "Your AI-powered security co-pilot that does not just find vulnerabilities, it fixes them.",
+  "version": "0.0.1",
+  "engines": {
+    "vscode": "^1.109.0"
+  },
+  "categories": [
+    "Other"
+  ],
+  "activationEvents": [
+    "onStartupFinished"
+  ],
+  "main": "./out/extension.js",
+  "contributes": {
+    "commands": [
+      {
+        "command": "cerberus.scan",
+        "title": "Scan for Vulnerabilities",
+        "category": "Cerberus",
+        "icon": "$(shield)"
+      },
+      {
+        "command": "cerberus.fixVulnerability",
+        "title": "Apply Fix",
+        "category": "Cerberus",
+        "icon": "$(wrench)"
+      },
+      {
+        "command": "cerberus.fixFile",
+        "title": "Fix All in File",
+        "category": "Cerberus",
+        "icon": "$(replace-all)"
+      },
+      {
+        "command": "cerberus.viewResults",
+        "title": "View Results",
+        "category": "Cerberus"
+      }
+    ],
+    "menus": {
+      "view/title": [
+        {
+          "command": "cerberus.scan",
+          "when": "view == cerberus.vulnerabilityView",
+          "group": "navigation"
+        }
+      ],
+      "view/item/context": [
+        {
+          "command": "cerberus.fixVulnerability",
+          "when": "view == cerberus.vulnerabilityView && viewItem == vulnerability",
+          "group": "inline"
+        },
+        {
+          "command": "cerberus.fixFile",
+          "when": "view == cerberus.vulnerabilityView && viewItem == file",
+          "group": "inline"
+        }
+      ]
+    },
+    "views": {
+      "cerberus-explorer": [
+        {
+          "id": "cerberus.vulnerabilityView",
+          "name": "Vulnerabilities"
+        }
+      ]
+    },
+    "viewsContainers": {
+      "activitybar": [
+        {
+          "id": "cerberus-explorer",
+          "title": "Cerberus",
+          "icon": "$(shield)"
+        }
+      ]
+    }
+  },
+  "scripts": {
+    "vscode:prepublish": "npm run compile",
+    "compile": "tsc -p ./",
+    "watch": "tsc -watch -p ./",
+    "pretest": "npm run compile && npm run lint",
+    "lint": "eslint src",
+    "test": "vscode-test",
+    "server:start": "node server.js",
+    "server:dev": "nodemon server.js"
+  },
+  "devDependencies": {
+    "@types/mocha": "^10.0.10",
+    "@types/node": "22.x",
+    "@types/vscode": "^1.109.0",
+    "@vscode/test-cli": "^0.0.12",
+    "@vscode/test-electron": "^2.5.2",
+    "eslint": "^9.39.2",
+    "jest": "^29.7.0",
+    "nodemon": "^3.0.2",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.54.0"
+  },
+  "dependencies": {
+    "axios": "^1.13.5",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "express-rate-limit": "^7.1.5",
+    "glob": "^10.3.0"
+  },
+  "overrides": {
+    "diff": "^8.0.3",
+    "serialize-javascript": "^7.0.3"
+  }
+}

requirements.txt

@@ -1,4 +0,0 @@
-Flask>=3.0.0,<4.0.0
-flask-cors>=4.0.0,<5.0.0
-requests>=2.31.0,<3.0.0
-python-dotenv>=1.0.0,<2.0.0

routes.js

@@ -0,0 +1,293 @@
+/**
+ * API Routes
+ * Express routes for the Cerberus security scanner API
+ */
+
+const express = require('express');
+const fs = require('fs').promises;
+const path = require('path');
+const { glob } = require('glob');
+const rateLimit = require('express-rate-limit');
+const {
+  patchCodeViaN8n,
+  N8NWebhookTimeoutError,
+  N8NWebhookUpstreamError,
+  N8NWebhookResponseError
+} = require('./n8nClient');
+
+const router = express.Router();
+
+// Rate limiting for scan endpoint (10 requests per 15 minutes per IP)
+const scanLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10, // limit each IP to 10 requests per windowMs
+  message: {
+    error: 'Too many requests',
+    message: 'Too many scan requests from this IP, please try again after 15 minutes'
+  },
+  standardHeaders: true,
+  legacyHeaders: false
+});
+
+/**
+ * Validate and sanitize folder path to prevent directory traversal
+ * @param {string} inputPath - The user-provided path
+ * @returns {Object} - { isValid: boolean, resolvedPath?: string, error?: string }
+ */
+function validateScanPath(inputPath) {
+  // Check for null bytes and path traversal attempts
+  if (inputPath.includes('\0')) {
+    return { isValid: false, error: 'Path contains null bytes' };
+  }
+  
+  // Resolve the absolute path
+  const resolvedPath = path.resolve(inputPath);
+  
+  // Define allowed base directory (default to current working directory)
+  const allowedBase = path.resolve(process.env.SCAN_BASE_PATH || process.cwd());
+  
+  // Ensure the resolved path is within the allowed base directory
+  if (!resolvedPath.startsWith(allowedBase)) {
+    return { isValid: false, error: 'Path is outside allowed directory' };
+  }
+  
+  return { isValid: true, resolvedPath };
+}
+
+/**
+ * GET /api/health
+ * Health check endpoint
+ */
+router.get('/api/health', (req, res) => {
+  res.json({ status: 'ok' });
+});
+
+/**
+ * POST /api/patch-code
+ * Send code to n8n for vulnerability analysis and correction
+ */
+router.post('/api/patch-code', async (req, res) => {
+  // Validate request is JSON
+  if (!req.is('application/json')) {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Request must be JSON: {'code': 'raw python string'}"
+    });
+  }
+
+  const { code } = req.body;
+
+  // Validate code field
+  if (typeof code !== 'string') {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Field 'code' is required and must be a string."
+    });
+  }
+
+  console.log(`Processing patch request code_length=${code.length}`);
+
+  try {
+    const correctedCode = await patchCodeViaN8n({
+      code,
+      webhookUrl: process.env.N8N_WEBHOOK_URL,
+      timeoutSeconds: parseFloat(process.env.N8N_TIMEOUT_SECONDS || '20')
+    });
+
+    return res.json({ corrected_code: correctedCode });
+  } catch (error) {
+    console.error('n8n webhook call failed:', error);
+
+    if (error instanceof N8NWebhookTimeoutError ||
+        error instanceof N8NWebhookUpstreamError ||
+        error instanceof N8NWebhookResponseError) {
+      return res.status(502).json({
+        error: 'Bad Gateway',
+        message: 'Unable to retrieve corrected code from n8n webhook.'
+      });
+    }
+
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'An unexpected error occurred.'
+    });
+  }
+});
+
+/**
+ * POST /api/scan
+ * Scan a folder for vulnerabilities
+ */
+router.post('/api/scan', scanLimiter, async (req, res) => {
+  // Validate request is JSON
+  if (!req.is('application/json')) {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Request must be JSON: {'path': 'folder path'}"
+    });
+  }
+
+  const { path: folderPath } = req.body;
+
+  // Validate path field
+  if (typeof folderPath !== 'string') {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Field 'path' is required and must be a string."
+    });
+  }
+
+  // Resolve the path (allow any directory for local testing)
+  const sanitizedPath = path.resolve(folderPath);
+
+  // Check if path exists and is a directory
+  try {
+    const stats = await fs.stat(sanitizedPath);
+    if (!stats.isDirectory()) {
+      return res.status(400).json({
+        error: 'Invalid path',
+        message: `Path is not a directory: ${folderPath}`
+      });
+    }
+  } catch (error) {
+    return res.status(400).json({
+      error: 'Invalid path',
+      message: `Path does not exist or is not a directory: ${folderPath}`
+    });
+  }
+
+  console.log(`Scanning folder: ${sanitizedPath}`);
+
+  // Collect all code files
+  const extensions = ['*.py', '*.js', '*.ts', '*.tsx', '*.jsx', '*.java', '*.go', '*.rb', '*.php'];
+  const codeFiles = [];
+
+  for (const ext of extensions) {
+    const pattern = path.join(sanitizedPath, '**', ext).replace(/\\/g, '/');
+    const files = await glob(pattern, { nodir: true });
+    codeFiles.push(...files);
+  }
+
+  const vulnerabilities = [];
+
+  // Scan each file
+  for (const filePath of codeFiles) {
+    try {
+      const code = await fs.readFile(filePath, 'utf-8');
+      console.log(`Analyzing file: ${filePath}`);
+
+      try {
+        const result = await patchCodeViaN8n({
+          code,
+          webhookUrl: process.env.N8N_WEBHOOK_URL,
+          timeoutSeconds: parseFloat(process.env.N8N_TIMEOUT_SECONDS || '20')
+        });
+
+        vulnerabilities.push({
+          file: filePath,
+          status: 'analyzed',
+          result
+        });
+      } catch (error) {
+        if (error instanceof N8NWebhookTimeoutError ||
+            error instanceof N8NWebhookUpstreamError ||
+            error instanceof N8NWebhookResponseError) {
+          vulnerabilities.push({
+            file: filePath,
+            status: 'error',
+            error: error.message
+          });
+        } else {
+          throw error;
+        }
+      }
+    } catch (error) {
+      console.error(`Error reading file ${filePath}:`, error.message);
+      vulnerabilities.push({
+        file: filePath,
+        status: 'error',
+        error: error.message
+      });
+    }
+  }
+
+  return res.json({
+    scan_complete: true,
+    files_scanned: codeFiles.length,
+    vulnerabilities
+  });
+});
+
+/**
+ * POST /api/scan-file
+ * Scan a single file for vulnerabilities
+ */
+router.post('/api/scan-file', async (req, res) => {
+  // Validate request is JSON
+  if (!req.is('application/json')) {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Request must be JSON: {'path': 'file path', 'code': 'file content'}"
+    });
+  }
+
+  const { path: filePath, code } = req.body;
+
+  // Validate required fields
+  if (typeof filePath !== 'string' || typeof code !== 'string') {
+    return res.status(400).json({
+      error: 'Invalid payload',
+      message: "Fields 'path' and 'code' are required and must be strings."
+    });
+  }
+
+  console.log(`Scanning single file: ${filePath} (${code.length} chars)`);
+
+  const vulnerabilities = [];
+
+  try {
+    const result = await patchCodeViaN8n({
+      code,
+      webhookUrl: process.env.N8N_WEBHOOK_URL,
+      timeoutSeconds: parseFloat(process.env.N8N_TIMEOUT_SECONDS || '20')
+    });
+
+    vulnerabilities.push({
+      file: filePath,
+      status: 'analyzed',
+      result
+    });
+
+    console.log(`✅ File analyzed successfully: ${filePath}`);
+  } catch (error) {
+    console.error(`❌ Error analyzing file ${filePath}:`, error.message);
+
+    if (error instanceof N8NWebhookTimeoutError) {
+      vulnerabilities.push({
+        file: filePath,
+        status: 'error',
+        error: 'Analysis timed out'
+      });
+    } else if (error instanceof N8NWebhookUpstreamError ||
+               error instanceof N8NWebhookResponseError) {
+      vulnerabilities.push({
+        file: filePath,
+        status: 'error',
+        error: error.message
+      });
+    } else {
+      vulnerabilities.push({
+        file: filePath,
+        status: 'error',
+        error: 'Unexpected error during analysis'
+      });
+    }
+  }
+
+  res.json({
+    files_scanned: 1,
+    vulnerabilities
+  });
+});
+
+module.exports = router;

server.js

@@ -0,0 +1,64 @@
+/**
+ * Cerberus Security Scanner Server
+ * Express.js backend that handles vulnerability scanning via n8n webhook
+ */
+
+require('dotenv').config();
+const express = require('express');
+const cors = require('cors');
+const routes = require('./routes');
+
+const app = express();
+const PORT = process.env.PORT || 5000;
+
+// Middleware
+const allowedOrigins = process.env.ALLOWED_ORIGINS 
+  ? process.env.ALLOWED_ORIGINS.split(',') 
+  : ['http://localhost:3000', 'http://localhost:5173'];
+
+app.use(cors({
+  origin: (origin, callback) => {
+    // Allow requests with no origin (like mobile apps, curl, VS Code extensions, etc.)
+    if (!origin) return callback(null, true);
+    // Allow VS Code extension hosts
+    if (origin.startsWith('vscode-webview://') || origin.startsWith('vscode-file://')) {
+      return callback(null, true);
+    }
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
+    }
+    // Log blocked origins for debugging
+    console.log(`CORS blocked origin: ${origin}`);
+    callback(new Error('Not allowed by CORS'));
+  },
+  methods: ['GET', 'POST'],
+  allowedHeaders: ['Content-Type']
+}));
+app.use(express.json());
+
+// Request logging middleware
+app.use((req, res, next) => {
+  console.log(`[${new Date().toISOString()}] ${req.method} ${req.path} - ${req.ip}`);
+  next();
+});
+
+// Register routes
+app.use(routes);
+
+// Error handling middleware
+app.use((err, req, res, next) => {
+  console.error('Unhandled error:', err);
+  res.status(500).json({
+    error: 'Internal Server Error',
+    message: 'An unexpected error occurred'
+  });
+});
+
+// Start server
+app.listen(PORT, '0.0.0.0', () => {
+  console.log(`🚀 Cerberus server running on http://0.0.0.0:${PORT}`);
+  console.log(`📡 n8n webhook: ${process.env.N8N_WEBHOOK_URL || 'https://n8n.shravanpandala.me/webhook/scan'}`);
+  console.log(`⏱️  timeout: ${process.env.N8N_TIMEOUT_SECONDS || '20'}s`);
+});
+
+module.exports = app;

src/extension.ts

@@ -0,0 +1,181 @@
+import * as vscode from 'vscode';
+import * as fs from 'fs';
+import * as path from 'path';
+import axios from 'axios';
+import { VulnerabilityTreeDataProvider, Vulnerability, VulnerabilityItem } from './vulnerabilityTree';
+
+const BACKEND_URL = 'http://localhost:5000';
+
+// Global reference to the tree provider
+let vulnerabilityProvider: VulnerabilityTreeDataProvider;
+
+// This method is called when your extension is activated
+export function activate(context: vscode.ExtensionContext) {
+	console.log('Cerberus security extension is now active!');
+
+	// Create and register the tree data provider
+	vulnerabilityProvider = new VulnerabilityTreeDataProvider();
+	vscode.window.createTreeView('cerberus.vulnerabilityView', {
+		treeDataProvider: vulnerabilityProvider,
+		showCollapseAll: true,
+	});
+
+	// Register the scan command - scans the currently active file
+	const scanDisposable = vscode.commands.registerCommand('cerberus.scan', async () => {
+		// Get the active text editor
+		const activeEditor = vscode.window.activeTextEditor;
+		if (!activeEditor) {
+			vscode.window.showErrorMessage('Please open a file to scan.');
+			return;
+		}
+
+		const filePath = activeEditor.document.uri.fsPath;
+		const fileName = path.basename(filePath);
+
+		vscode.window.showInformationMessage(`🔍 Cerberus: Scanning ${fileName}...`);
+
+		try {
+			// Read the file content
+			const code = activeEditor.document.getText();
+
+			// Call the backend server to scan this specific file
+			const response = await axios.post(`${BACKEND_URL}/api/scan-file`, {
+				path: filePath,
+				code: code
+			}, {
+				timeout: 60000 // 1 minute timeout for single file
+			});
+
+			// Extract vulnerabilities from response
+			const data = response.data;
+			const vulnerabilities: Vulnerability[] = data.vulnerabilities || [];
+
+			// Update the tree view with results
+			vulnerabilityProvider.setVulnerabilities(vulnerabilities);
+
+			const analyzedCount = vulnerabilities.filter((v: Vulnerability) => v.status === 'analyzed').length;
+			const errorCount = vulnerabilities.filter((v: Vulnerability) => v.status === 'error').length;
+
+			if (analyzedCount > 0) {
+				vscode.window.showInformationMessage(
+					`✅ Cerberus: Found ${analyzedCount} issues in ${fileName}.`
+				);
+			} else if (errorCount > 0) {
+				vscode.window.showWarningMessage(
+					`⚠️ Cerberus: ${errorCount} errors while scanning ${fileName}.`
+				);
+			} else {
+				vscode.window.showInformationMessage(
+					`✅ Cerberus: No vulnerabilities found in ${fileName}.`
+				);
+			}
+		} catch (error: any) {
+			let errorMessage = `❌ Cerberus: Failed to connect to backend server at ${BACKEND_URL}.`;
+
+			if (error.code === 'ECONNREFUSED') {
+				errorMessage += ' Is the server running? (npm run server:start)';
+			} else if (error.code === 'ETIMEDOUT' || error.code === 'ECONNABORTED') {
+				errorMessage += ' Request timed out. The scan may be taking too long.';
+			} else if (error.response) {
+				// Server responded with error status
+				errorMessage += ` Server error: ${error.response.status} - ${JSON.stringify(error.response.data)}`;
+			} else if (error.request) {
+				// Request was made but no response
+				errorMessage += ' No response from server.';
+			} else {
+				errorMessage += ` ${error.message}`;
+			}
+
+			vscode.window.showErrorMessage(errorMessage);
+			console.error('Scan error details:', error);
+		}
+	});
+
+	// Register the fix command - applies fix to currently active file
+	const fixDisposable = vscode.commands.registerCommand('cerberus.fixVulnerability', async (item?: VulnerabilityItem) => {
+		if (!item || !item.vulnerability) {
+			vscode.window.showWarningMessage('Please select a vulnerability from the Cerberus panel to fix.');
+			return;
+		}
+
+		const vulnerability = item.vulnerability;
+
+		if (vulnerability.status !== 'analyzed' || !vulnerability.result) {
+			vscode.window.showErrorMessage('No fix available for this vulnerability.');
+			return;
+		}
+
+		await applyFix(vulnerability.file, vulnerability.result);
+	});
+
+	// Register command to fix all vulnerabilities in a file
+	const fixFileDisposable = vscode.commands.registerCommand('cerberus.fixFile', async (item?: VulnerabilityItem) => {
+		if (!item) {
+			vscode.window.showWarningMessage('Please select a file from the Cerberus panel.');
+			return;
+		}
+
+		// Get all vulnerabilities for this file
+		const fileVulns = vulnerabilityProvider.getVulnerabilitiesForFile(item.label);
+
+		if (fileVulns.length === 0) {
+			vscode.window.showWarningMessage('No vulnerabilities found for this file.');
+			return;
+		}
+
+		// Apply the first available fix (or we could merge multiple fixes)
+		const fixableVuln = fileVulns.find(v => v.status === 'analyzed' && v.result);
+		if (!fixableVuln) {
+			vscode.window.showErrorMessage('No fixes available for this file.');
+			return;
+		}
+
+		await applyFix(fixableVuln.file, fixableVuln.result!);
+	});
+
+	// Register the view results command
+	const viewDisposable = vscode.commands.registerCommand('cerberus.viewResults', () => {
+		vscode.commands.executeCommand('cerberus.vulnerabilityView.focus');
+	});
+
+	context.subscriptions.push(scanDisposable, fixDisposable, fixFileDisposable, viewDisposable);
+}
+
+async function applyFix(filePath: string, correctedCode: string) {
+	try {
+		// Check if file exists
+		if (!fs.existsSync(filePath)) {
+			vscode.window.showErrorMessage(`File not found: ${filePath}`);
+			return;
+		}
+
+		// Open the document
+		const document = await vscode.workspace.openTextDocument(filePath);
+		const editor = await vscode.window.showTextDocument(document);
+
+		// Create a workspace edit to replace the entire file content
+		const edit = new vscode.WorkspaceEdit();
+		const fullRange = new vscode.Range(
+			document.positionAt(0),
+			document.positionAt(document.getText().length)
+		);
+
+		edit.replace(document.uri, fullRange, correctedCode);
+
+		// Apply the edit
+		const success = await vscode.workspace.applyEdit(edit);
+
+		if (success) {
+			// Save the document
+			await document.save();
+			vscode.window.showInformationMessage(`✅ Fixed applied and saved: ${path.basename(filePath)}`);
+		} else {
+			vscode.window.showErrorMessage('Failed to apply fix.');
+		}
+	} catch (error) {
+		vscode.window.showErrorMessage(`Error applying fix: ${error}`);
+		console.error('Fix error:', error);
+	}
+}
+
+export function deactivate() { }

src/test/extension.test.ts

@@ -0,0 +1,15 @@
+import * as assert from 'assert';
+
+// You can import and use all API from the 'vscode' module
+// as well as import your extension to test it
+import * as vscode from 'vscode';
+// import * as myExtension from '../../extension';
+
+suite('Extension Test Suite', () => {
+	vscode.window.showInformationMessage('Start all tests.');
+
+	test('Sample test', () => {
+		assert.strictEqual(-1, [1, 2, 3].indexOf(5));
+		assert.strictEqual(-1, [1, 2, 3].indexOf(0));
+	});
+});

src/vulnerabilityTree.ts

@@ -0,0 +1,155 @@
+import * as vscode from 'vscode';
+
+export interface Vulnerability {
+	file: string;
+	status: string;
+	error?: string;
+	result?: string;
+	line?: number;
+	severity?: string;
+}
+
+export class VulnerabilityItem extends vscode.TreeItem {
+	constructor(
+		public readonly label: string,
+		public readonly collapsibleState: vscode.TreeItemCollapsibleState,
+		public readonly vulnerability?: Vulnerability,
+		public readonly command?: vscode.Command,
+		contextValue?: string
+	) {
+		super(label, collapsibleState);
+
+		if (contextValue) {
+			this.contextValue = contextValue;
+		}
+
+		if (vulnerability?.status === 'analyzed' && vulnerability?.result) {
+			this.description = 'Click to apply fix';
+			this.iconPath = new vscode.ThemeIcon('error', new vscode.ThemeColor('errorForeground'));
+			this.tooltip = vulnerability.result.substring(0, 500);
+		} else if (vulnerability?.status === 'error') {
+			this.description = 'Analysis error';
+			this.iconPath = new vscode.ThemeIcon('warning', new vscode.ThemeColor('warningForeground'));
+			this.tooltip = vulnerability.error || 'Unknown error';
+		} else {
+			this.iconPath = new vscode.ThemeIcon('file-code');
+			this.tooltip = 'Click to open file';
+		}
+	}
+}
+
+export class VulnerabilityTreeDataProvider implements vscode.TreeDataProvider<VulnerabilityItem> {
+	private _onDidChangeTreeData: vscode.EventEmitter<VulnerabilityItem | undefined | null | void> =
+		new vscode.EventEmitter<VulnerabilityItem | undefined | null | void>();
+	readonly onDidChangeTreeData: vscode.Event<VulnerabilityItem | undefined | null | void> =
+		this._onDidChangeTreeData.event;
+
+	private vulnerabilities: Vulnerability[] = [];
+
+	setVulnerabilities(vulnerabilities: Vulnerability[]): void {
+		this.vulnerabilities = vulnerabilities;
+		this._onDidChangeTreeData.fire(null);
+	}
+
+	getVulnerabilitiesForFile(fileName: string): Vulnerability[] {
+		return this.vulnerabilities.filter((v: Vulnerability) => {
+			const vulnFileName = v.file.split('\\').pop()?.split('/').pop() || v.file;
+			return vulnFileName === fileName;
+		});
+	}
+
+	getTreeItem(element: VulnerabilityItem): vscode.TreeItem {
+		return element;
+	}
+
+	getChildren(element?: VulnerabilityItem): Thenable<VulnerabilityItem[]> {
+		if (!element) {
+			// Root level - show list of files with vulnerabilities
+			const fileMap = new Map<string, Vulnerability[]>();
+
+			this.vulnerabilities.forEach((vuln: Vulnerability) => {
+				if (!fileMap.has(vuln.file)) {
+					fileMap.set(vuln.file, []);
+				}
+				fileMap.get(vuln.file)!.push(vuln);
+			});
+
+			const items = Array.from(fileMap.entries()).map(
+				([file, vulns]) =>
+					new VulnerabilityItem(
+						this.getFileName(file),
+						vscode.TreeItemCollapsibleState.Collapsed,
+						undefined,
+						{
+							command: 'vscode.open',
+							title: 'Open file',
+							arguments: [vscode.Uri.file(file)],
+						},
+						'file'
+					)
+			);
+
+			return Promise.resolve(items);
+		} else if (element.vulnerability === undefined) {
+			// File level - show vulnerabilities in this file
+			const fileName = element.label;
+			const fileVulns = this.vulnerabilities.filter((v: Vulnerability) =>
+				this.getFileName(v.file) === fileName
+			);
+
+			const items = fileVulns.map(
+				(vuln, index) =>
+					new VulnerabilityItem(
+						`Issue ${index + 1}${vuln.status === 'error' ? ' (Error)' : ''}`,
+						vscode.TreeItemCollapsibleState.Collapsed,
+						vuln,
+						undefined,
+						vuln.status === 'analyzed' ? 'vulnerability' : undefined
+					)
+			);
+
+			return Promise.resolve(items);
+		} else {
+			// Vulnerability level - show details
+			const vuln = element.vulnerability;
+			const items: VulnerabilityItem[] = [];
+
+			if (vuln.status === 'analyzed' && vuln.result) {
+				// Show a preview of the fix
+				const lines = vuln.result.split('\n');
+				const previewLines = lines.slice(0, 10);
+				const preview = previewLines.join('\n') + (lines.length > 10 ? '\n...' : '');
+
+				items.push(
+					new VulnerabilityItem(
+						'Fixed Code Preview:',
+						vscode.TreeItemCollapsibleState.None,
+						undefined
+					)
+				);
+
+				items.push(
+					new VulnerabilityItem(
+						preview,
+						vscode.TreeItemCollapsibleState.None,
+						undefined
+					)
+				);
+			} else if (vuln.error) {
+				items.push(
+					new VulnerabilityItem(
+						`Error: ${vuln.error}`,
+						vscode.TreeItemCollapsibleState.None,
+						undefined
+					)
+				);
+			}
+
+			return Promise.resolve(items);
+		}
+	}
+
+	private getFileName(filePath: string): string {
+		return filePath.split('\\').pop()?.split('/').pop() || filePath;
+	}
+}

test_endpoints.py

@@ -1,101 +0,0 @@
-"""
-Tests for Cerberus API endpoints.
-
-Uses Flask's built-in test client — no running server needed.
-n8n webhook calls are mocked with unittest.mock.
-"""
-
-import unittest
-from unittest.mock import patch, MagicMock
-
-from app import app
-
-
-class TestHealthEndpoint(unittest.TestCase):
-    """Tests for GET /api/health."""
-
-    def setUp(self):
-        self.client = app.test_client()
-
-    def test_health_returns_ok(self):
-        resp = self.client.get("/api/health")
-        self.assertEqual(resp.status_code, 200)
-        self.assertEqual(resp.get_json(), {"status": "ok"})
-
-
-class TestPatchCodeEndpoint(unittest.TestCase):
-    """Tests for POST /api/patch-code."""
-
-    def setUp(self):
-        self.client = app.test_client()
-
-    # ── Validation tests (no mocking needed) ──────────────────────
-
-    def test_rejects_non_json_request(self):
-        resp = self.client.post("/api/patch-code", data="not json")
-        self.assertEqual(resp.status_code, 400)
-        self.assertIn("Invalid payload", resp.get_json()["error"])
-
-    def test_rejects_missing_code_field(self):
-        resp = self.client.post("/api/patch-code", json={"foo": "bar"})
-        self.assertEqual(resp.status_code, 400)
-        self.assertIn("code", resp.get_json()["message"])
-
-    def test_rejects_non_string_code(self):
-        resp = self.client.post("/api/patch-code", json={"code": 123})
-        self.assertEqual(resp.status_code, 400)
-
-    # ── Success test (mock the n8n webhook) ───────────────────────
-
-    @patch("cerberus_api.n8n_client.requests.post")
-    def test_success_returns_corrected_code(self, mock_post):
-        # Simulate a successful n8n webhook response
-        mock_response = MagicMock()
-        mock_response.status_code = 200
-        mock_response.json.return_value = {
-            "corrected_code": "import os\nprint(os.getenv('SECRET'))"
-        }
-        mock_post.return_value = mock_response
-
-        resp = self.client.post(
-            "/api/patch-code",
-            json={"code": "print('hello')"},
-        )
-
-        self.assertEqual(resp.status_code, 200)
-        data = resp.get_json()
-        self.assertIn("corrected_code", data)
-        self.assertIsInstance(data["corrected_code"], str)
-
-    # ── Error tests (mock failures) ───────────────────────────────
-
-    @patch("cerberus_api.n8n_client.requests.post")
-    def test_webhook_timeout_returns_502(self, mock_post):
-        from requests.exceptions import Timeout
-
-        mock_post.side_effect = Timeout("timed out")
-
-        resp = self.client.post(
-            "/api/patch-code",
-            json={"code": "x = 1"},
-        )
-
-        self.assertEqual(resp.status_code, 502)
-        self.assertIn("Bad Gateway", resp.get_json()["error"])
-
-    @patch("cerberus_api.n8n_client.requests.post")
-    def test_webhook_server_error_returns_502(self, mock_post):
-        mock_response = MagicMock()
-        mock_response.status_code = 500
-        mock_post.return_value = mock_response
-
-        resp = self.client.post(
-            "/api/patch-code",
-            json={"code": "x = 1"},
-        )
-
-        self.assertEqual(resp.status_code, 502)
-
-
-if __name__ == "__main__":
-    unittest.main()

tsconfig.json

@@ -0,0 +1,17 @@
+{
+	"compilerOptions": {
+		"module": "Node16",
+		"target": "ES2022",
+		"outDir": "out",
+		"lib": [
+			"ES2022"
+		],
+		"sourceMap": true,
+		"rootDir": "src",
+		"strict": true,   /* enable all strict type-checking options */
+		/* Additional Checks */
+		// "noImplicitReturns": true, /* Report error when not all code paths in function return a value. */
+		// "noFallthroughCasesInSwitch": true, /* Report errors for fallthrough cases in switch statement. */
+		// "noUnusedParameters": true,  /* Report errors on unused parameters. */
+	}
+}

vsc-extension-quickstart.md

@@ -0,0 +1,44 @@
+# Welcome to your VS Code Extension
+
+## What's in the folder
+
+* This folder contains all of the files necessary for your extension.
+* `package.json` - this is the manifest file in which you declare your extension and command.
+  * The sample plugin registers a command and defines its title and command name. With this information VS Code can show the command in the command palette. It doesn’t yet need to load the plugin.
+* `src/extension.ts` - this is the main file where you will provide the implementation of your command.
+  * The file exports one function, `activate`, which is called the very first time your extension is activated (in this case by executing the command). Inside the `activate` function we call `registerCommand`.
+  * We pass the function containing the implementation of the command as the second parameter to `registerCommand`.
+
+## Get up and running straight away
+
+* Press `F5` to open a new window with your extension loaded.
+* Run your command from the command palette by pressing (`Ctrl+Shift+P` or `Cmd+Shift+P` on Mac) and typing `Hello World`.
+* Set breakpoints in your code inside `src/extension.ts` to debug your extension.
+* Find output from your extension in the debug console.
+
+## Make changes
+
+* You can relaunch the extension from the debug toolbar after changing code in `src/extension.ts`.
+* You can also reload (`Ctrl+R` or `Cmd+R` on Mac) the VS Code window with your extension to load your changes.
+
+## Explore the API
+
+* You can open the full set of our API when you open the file `node_modules/@types/vscode/index.d.ts`.
+
+## Run tests
+
+* Install the [Extension Test Runner](https://marketplace.visualstudio.com/items?itemName=ms-vscode.extension-test-runner)
+* Run the "watch" task via the **Tasks: Run Task** command. Make sure this is running, or tests might not be discovered.
+* Open the Testing view from the activity bar and click the Run Test" button, or use the hotkey `Ctrl/Cmd + ; A`
+* See the output of the test result in the Test Results view.
+* Make changes to `src/test/extension.test.ts` or create new test files inside the `test` folder.
+  * The provided test runner will only consider files matching the name pattern `**.test.ts`.
+  * You can create folders inside the `test` folder to structure your tests any way you want.
+
+## Go further
+
+* [Follow UX guidelines](https://code.visualstudio.com/api/ux-guidelines/overview) to create extensions that seamlessly integrate with VS Code's native interface and patterns.
+* Reduce the extension size and improve the startup time by [bundling your extension](https://code.visualstudio.com/api/working-with-extensions/bundling-extension).
+* [Publish your extension](https://code.visualstudio.com/api/working-with-extensions/publishing-extension) on the VS Code extension marketplace.
+* Automate builds by setting up [Continuous Integration](https://code.visualstudio.com/api/working-with-extensions/continuous-integration).
+* Integrate to the [report issue](https://code.visualstudio.com/api/get-started/wrapping-up#issue-reporting) flow to get issue and feature requests reported by users.