DevSync provides:
- a CLI in
packages/cli - a VS Code extension in
extensions/vscode - a dashboard/service surface under
apps/
This README is the current end-to-end validation and production-readiness audit baseline.
Changes completed during this session:
- Added CLI
logincommand wiring inpackages/cli/src/index.ts. - Added CLI
migratecommand wiring inpackages/cli/src/index.tsto restore extension compatibility. - Extended
scanto include detailed project + database inventory:- inferred project databases (for example Supabase migrations without live URL)
- connection masking and provider detection
- per-database reachability/detail reporting
- project summary block
- Fixed summary mismatch so
Databases detectedreflects actual detected databases. - Fixed CLI test syntax error in
packages/cli/tests/retry-timeout.test.js. - Added missing shared helper module for tests:
packages/cli/src/commands/projects/shared.ts. - Fixed VS Code extension
pretestscript separator inextensions/vscode/package.json. - Fixed extension enhanced runner CLI path guard bug in
extensions/vscode/src/cli/enhancedRunner.ts. - Added VS Code test-host cache cleanup in
extensions/vscode/src/test/runTest.tsto reduce stale host failures. - Added
formatLastScan()export inpackages/cli/src/commands/scan.tsfor test compatibility.
Executed successfully in local/dev environment:
devsync --versiondevsync helpdevsync init --path <project>devsync scan --path <project>devsync status --path <project>devsync fix --path <project>(expected safe-block without DB URL)devsync apply(expected safe-block)devsync login --helpdevsync migrate --help(after command registration + reinstall)
Observed expected behavior:
- scan is read-only by default
- apply is blocked by default
- fix requires DB context for full operation
- project database inference works even without live DB URL
Status: passing (npm test runs build + 54 tests)
- Tests aligned with dashboard-based auth messaging and device-flow behavior
npm testnow builds TypeScript before running the suite
Completed:
npm run compilepassesnpm run compile-testspasses
Blocked:
npm run teststill fails due VS Code test host startup message:Code is currently being updated. Please wait for the update to complete before launching.
- Added mitigation (cache cleanup + retry scaffolding), but environment still reproduces this host-level issue.
Integration issues found and fixed:
- Extension expected CLI
migrate; CLI did not expose it. Fixed by wiringmigratecommand in CLI entrypoint. - Enhanced extension runner had a workspace-folder guard bug that could incorrectly return
CLI not found. Fixed.
Audit commands run:
packages/cli:npm audit --omit=dev-> 0 vulnerabilitiesextensions/vscode:npm audit --omit=dev-> 0 vulnerabilities (upgradedsqlite3@6,dompurify@3.3.4)- Dev-only advisories may remain in extension test tooling (
mocha); production deps are clean
Current posture:
- CLI stores auth config under user config path (
~/.config/devsync/config.json), with best-effort restrictive permissions on non-Windows. - Extension auth tokens are stored via VS Code secrets storage.
- Scan output masks credentials when printing connection strings.
Gaps to close:
- Add a secret-scanning step in CI.
- Standardize env var names and docs across CLI/extension/dashboard.
- Add stricter validation for required env vars at startup across packages.
- Node.js 20+ recommended
- npm 10+
cd packages/cli
npm install
npm run build
npm install -g .Run:
devsync help
devsync scan --path /path/to/project
devsync status --path /path/to/project
devsync fix --path /path/to/project --db postgresql://...
devsync migrate --path /path/to/project --db postgresql://...Test:
cd packages/cli
npm testcd extensions/vscode
npm install
npm run compileRun locally:
- Open
extensions/vscodein VS Code - Press
F5to launch Extension Development Host
Test:
cd extensions/vscode
npm run compile-tests
npm run testRemaining work to reach production-grade confidence:
- Stabilize test suites
- Align legacy CLI tests with current auth/network messages and lifecycle behavior.
- Add deterministic integration tests for scan/login with mocked services.
- Fix VS Code test-host update lock issue in CI/local runners (pin stable test host strategy).
- CI/CD hardening
- Unified workflow added:
.github/workflows/ci.yml(CLI, extension, dashboard, security) - Enforce branch protection with required checks on
ciworkflow jobs.
- Security hardening
- Extension production dependency vulnerabilities resolved.
- CI includes: Gitleaks secret scanning, CodeQL SAST (
.github/workflows/codeql.yml), SBOM generation,npm audit. - Remaining: expand SBOM coverage to extension/dashboard packages.
- Release engineering
- Release Please config added for semver + changelog automation (
.github/workflows/release-please.yml). - Add reproducible release flow for CLI (
npm publish) and extension packaging (vsce package/publish).
- Observability and operations
- Structured logging conventions across CLI/extension/dashboard.
- Error reporting and telemetry policy with explicit user opt-in.
- Health checks and service diagnostics for auth/device-flow endpoints.
- Documentation completeness
- Add architecture diagram for CLI-extension-dashboard handshake.
- Add troubleshooting for auth/device-flow and DB connectivity edge cases.
- Add contributor test matrix (Windows/macOS/Linux).