CleanLibrary for VS Code
Verdict-aware package-proxy companion for npm, PyPI, Go, and crates. Inline ALLOW / DENY / WARN decisions next to your dependencies; signed cosign attestations on every verdict; rich-data intelligence hover (recommended upgrade, package risk, typo-squat signals); transitive (lockfile-resolved) dependency scanning; one-click risk-acceptance rule generation; full offline fallback when the backend is unreachable.
Available now on the VS Code Marketplace — current release v0.1.13.
What's new (v0.1.2 → v0.1.13 ship trajectory)
| Version | Theme | Highlights |
|---|---|---|
| v0.1.13 | Listing refresh | Marketplace listing + documentation brought current to the v0.1.12 feature surface (changelog, rich-data hover + transitive-scan sections, full configuration reference) |
| v0.1.12 | Rich-data intelligence hover | "📊 CleanLibrary intelligence" hover block surfacing recommended upgrade version + package-risk summary + verdict provenance + similar-package (typo-squat) signals when the backend supplies them; gap-tolerant (renders only present fields, omits cleanly when absent); 8 typed rich-data fields incl. a structured recommended-version object |
| v0.1.11 | Transitive dependency scanning | Lockfile-resolved transitive graph scanning (`package-lock.json` / `Cargo.lock` / `go.sum` / `poetry.lock`); `cleanlib.transitiveScan` (off / direct-only / full) + `cleanlib.transitiveScanMaxNodes` fan-out cap; verdicts for direct and transitive nodes |
| v0.1.10 | Marketplace readiness + ergonomics | Multi-channel notification policy controls (scan-complete / deny-verdict / fallback / error / risk-accepted); brand-essence verdict color palette; API-key persistence hardening; proprietary LICENSE + polished Marketplace metadata |
| v0.1.9 | Tier-1 customer ergonomics | Configurable HTTPS request timeout (5–60s; 30s default) + AbortController + classification-aware fallback (Timeout / 4xx / 5xx / Network / uncaught) with [Retry] [Show output] [Dismiss] toast + Bearer-masked Output channel + `CleanLibrary: Show diagnostics` Quick Pick + 4-state status bar (cyan `LIVE_CONNECTED` / amber `LIVE_WITH_FALLBACK` / red `ERROR` / gray `NOT_CONFIGURED`) |
| v0.1.8 | Marketplace branding | Logo integration (cyan → deep-blue gradient hexagonal mark; light + dark icons); polished package metadata for Marketplace listing |
| v0.1.7 | Discovery + reasoning | Welcome Quick Pick on first activation; workspace scan on open with non-modal toast; CodeLens with `suggested_actions` from Verdict response; inline reasoning preview |
| v0.1.6 | Cosign attestation rendering | Renders cosign signature + `verdict_id` + `artifact_hash` binding from App `CustomerVerdictResponse` envelope; surfaces signature provenance to the developer |
| v0.1.5 | Multi-ecosystem manifests | Parser support for `package.json` (npm) + `requirements.txt` + `pyproject.toml` (PyPI) + `go.mod` (Go) + `Cargo.toml` (crates); 16 new manifest-parser test cases |
| v0.1.4 | Polish bundle | npm package-name alias resolution (org-scoped + dist-tag forms); error-message refinement; cache-coherence pass |
| v0.1.3 | Secure credential storage | Bearer token migrated to OS keychain via VS Code SecretStorage; `cleanlib.apiKey` setting deprecated (auto-migrated on activation); `CleanLibrary: Set API Key` / `Clear API Key` Command Palette flow |
| v0.1.2 | IDE-native surface | Diagnostics provider (Problems panel entries per dependency) + Hover provider (verdict tooltip) + CodeActions (one-click "copy risk-acceptance rule" + "fetch verdict") + in-memory verdict cache |
Features (current feature surface)
Inline IDE integration
- Diagnostics — Problems panel entries for each dependency with verdict severity (`error` on DENY, `warning` on WARN, configurable severity on ALLOW)
- Hover provider — verdict tooltip on dependency names showing decision + reasoning + signature provenance, plus the rich-data intelligence block (see below)
- CodeActions — one-click "CleanLibrary: Copy risk-acceptance rule" for DENY/WARN dependencies; "CleanLibrary: Fetch verdict" for any package
- CodeLens — `suggested_actions` from the Verdict response surfaced inline above each manifest entry (v0.1.7+)
- Workspace scan — scans all workspace manifest files on activation (and via the `CleanLibrary: Scan workspace` command) with non-modal completion toast
- In-memory verdict cache — shared across Diagnostics / Hover / CodeActions to avoid redundant backend calls; configurable TTL via `cleanlib.cacheTtlSeconds`
Rich-data intelligence hover (v0.1.12)
When the backend supplies rich-data, the Hover surfaces a 📊 CleanLibrary intelligence block above the standard verdict tooltip:
- Recommended upgrade — a structured recommended-version target for the package
- Package risk — risk level + vulnerability count summary
- Verdict provenance — the verdict source + terminal state
- Similar packages — typo-squat / lookalike signals
The block is gap-tolerant: it renders only the fields the backend actually returns and omits cleanly when none are present, so older backends and absent fields never produce empty rows.
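The gap-tolerant rendering rule, as an added example (not the extension's own code): only the rows whose fields are present are emitted, and the whole block is omitted when none are. The four row kinds are the ones listed above; the field names on `RichData` are assumptions about the backend payload.

```typescript
// Added example, not the extension's code. Field names are assumed; the page
// only fixes the four row kinds (upgrade, risk, provenance, similar packages).
interface RichData {
  recommended_version?: { version: string; reason?: string };
  risk_level?: string;
  vulnerability_count?: number;
  verdict_source?: string;
  terminal_state?: string;
  similar_packages?: string[];
}

// Returns the markdown for the hover block, or "" when nothing is present so the
// caller can omit the block entirely instead of showing empty rows.
function renderIntelligence(rd: RichData | undefined): string {
  if (!rd) return "";
  const rows: string[] = [];
  if (rd.recommended_version?.version) {
    const why = rd.recommended_version.reason ? ` (${rd.recommended_version.reason})` : "";
    rows.push(`- Recommended upgrade: ${rd.recommended_version.version}${why}`);
  }
  // Compare against undefined, not truthiness: a vulnerability_count of 0 is real data
  // and must still render, while an absent field must not.
  if (rd.risk_level !== undefined || rd.vulnerability_count !== undefined) {
    const parts: string[] = [];
    if (rd.risk_level !== undefined) parts.push(`level ${rd.risk_level}`);
    if (rd.vulnerability_count !== undefined) parts.push(`${rd.vulnerability_count} known vulnerabilities`);
    rows.push(`- Package risk: ${parts.join(", ")}`);
  }
  if (rd.verdict_source !== undefined || rd.terminal_state !== undefined) {
    const prov = [rd.verdict_source, rd.terminal_state].filter((x): x is string => x !== undefined);
    rows.push(`- Verdict provenance: ${prov.join(" / ")}`);
  }
  if (rd.similar_packages && rd.similar_packages.length > 0) {
    rows.push(`- Similar packages: ${rd.similar_packages.join(", ")}`);
  }
  return rows.length === 0 ? "" : ["**📊 CleanLibrary intelligence**", ...rows].join("\n");
}
```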
Transitive dependency scanning (v0.1.11)
Resolve the full dependency graph from lockfiles and fetch verdicts for every node, not just the manifest-declared direct dependencies. Controlled by cleanlib.transitiveScan (off / direct-only / full) and bounded by cleanlib.transitiveScanMaxNodes. Supported lockfiles: package-lock.json, Cargo.lock, go.sum, poetry.lock.
Multi-ecosystem manifest support
| Ecosystem | Files parsed |
|---|---|
| npm | `package.json` (deps + devDeps + peerDeps; npm-alias resolution) |
| PyPI | `requirements.txt`, `pyproject.toml` |
| Go | `go.mod` |
| crates | `Cargo.toml` |
Backend + fallback
- Live backend — HTTPS to CleanLibrary App at `cleanapp.clnstrt.dev` (or your configured `cleanlib.endpoint`); Bearer auth via OS keychain
- Fallback to local fixtures — automatic on timeout / 4xx / 5xx / Network / uncaught error; non-modal warning toast surfaces the classification with [Retry] [Show output] [Dismiss] actions
- Cosign attestation rendering — when the App response includes a `SignedAttestation`, the extension surfaces signature provenance + `verdict_id` binding + `artifact_hash` to the developer
Status bar
4-state badge with click action:
| State | Color | Meaning |
|---|---|---|
| `LIVE_CONNECTED` | cyan | Connected to live backend; cache fresh |
| `LIVE_WITH_FALLBACK` | amber | Backend reachable but at least one recent request fell back to local fixtures |
| `ERROR` | red | Persistent backend error; full fallback mode active |
| `NOT_CONFIGURED` | gray | No API key set; running fully on local fixtures |
Click opens the Show diagnostics Quick Pick showing endpoint, key state (masked), cache stats, last error, and a [Set API Key] action.
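How the fallback classification and the 4-state badge described above fit together, as an added example (not the extension's code). The five failure classes, the four badge states and the Bearer masking come from this page; `ConnState`, the persistent-error threshold and the error-name mapping are assumptions.

```typescript
// Added example, not the extension's code. Labels come from the page; the
// ConnState shape and PERSISTENT_ERROR_THRESHOLD are assumptions.
type FailureClass = "Timeout" | "4xx" | "5xx" | "Network" | "uncaught";
type BadgeState = "LIVE_CONNECTED" | "LIVE_WITH_FALLBACK" | "ERROR" | "NOT_CONFIGURED";

interface ConnState {
  hasApiKey: boolean;          // a Bearer token is present in the OS keychain
  consecutiveFailures: number; // failed requests since the last good response
  recentFallbacks: number;     // requests that fell back to fixtures in the status window
}

// Map a failed request to one of the page's five classes. `status` is the HTTP
// status when a response arrived; `err` is whatever fetch() threw otherwise.
function classifyFailure(err: unknown, status?: number): FailureClass {
  if (status !== undefined) {
    if (status >= 500 && status <= 599) return "5xx";
    if (status >= 400 && status <= 499) return "4xx";
  }
  if (err instanceof Error) {
    if (err.name === "AbortError") return "Timeout"; // AbortController fired on cleanlib.requestTimeoutMs
    if (err.name === "TypeError") return "Network";  // fetch() rejects with TypeError on DNS/TLS/connect errors
  }
  return "uncaught";
}

const PERSISTENT_ERROR_THRESHOLD = 3; // assumption: this many failures in a row means "persistent"

// NOT_CONFIGURED wins over everything: with no key there is no live backend to be in error about.
function deriveBadge(s: ConnState): BadgeState {
  if (!s.hasApiKey) return "NOT_CONFIGURED";
  if (s.consecutiveFailures >= PERSISTENT_ERROR_THRESHOLD) return "ERROR";
  if (s.recentFallbacks > 0) return "LIVE_WITH_FALLBACK";
  return "LIVE_CONNECTED";
}

const BADGE_COLOR: Record<BadgeState, string> = {
  LIVE_CONNECTED: "cyan", LIVE_WITH_FALLBACK: "amber", ERROR: "red", NOT_CONFIGURED: "gray",
};

// Redact the token before any request line reaches the Output channel or the
// diagnostics Quick Pick; only the scheme word survives.
function maskBearer(line: string): string {
  return line.replace(/Bearer\s+[^\s"']+/gi, "Bearer ****");
}
```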
Commands
All commands available via the Command Palette (Cmd+Shift+P / Ctrl+Shift+P):
| Command | Purpose |
|---|---|
| `CleanLibrary: Fetch verdict for package` | Quick-pick ecosystem → input package + version → render verdict |
| `CleanLibrary: Show status` | Show configured endpoint + connection mode + cache state |
| `CleanLibrary: Show diagnostics` | Quick Pick of endpoint, key (masked), cache stats, last error |
| `CleanLibrary: Scan workspace for verdicts` | Re-scan all workspace manifest files for verdicts |
| `CleanLibrary: Refresh diagnostics for current package.json` | Re-run diagnostics on the active manifest only |
| `CleanLibrary: Copy risk-acceptance rule` | Copy a CDP-uploadable YAML risk-acceptance rule for the current verdict |
| `CleanLibrary: Set API Key` | Store Bearer token in OS keychain via SecretStorage |
| `CleanLibrary: Clear API Key` | Remove stored Bearer token |
Configuration
| Setting | Default | Description |
|---|---|---|
| `cleanlib.endpoint` | `https://cleanapp.clnstrt.dev` | CleanLibrary App endpoint base URL |
| `cleanlib.cacheTtlSeconds` | `300` | In-memory verdict cache TTL (seconds); shared across Diagnostics / Hover / CodeActions |
| `cleanlib.requestTimeoutMs` | `30000` | Per-request HTTPS timeout (ms); bounded 5000–60000; on timeout the extension falls back to local fixtures and surfaces a non-modal toast |
| `cleanlib.diagnosticsAllowSeverity` | `off` | Severity for ALLOW verdicts in the Problems panel; set to `information` or `hint` to surface every package |
| `cleanlib.transitiveScan` | `direct-only` | Transitive (lockfile-resolved) scanning: `off` / `direct-only` / `full`. `full` resolves the entire dependency graph and fetches verdicts for every node |
| `cleanlib.transitiveScanMaxNodes` | `250` | Cap on transitive nodes fetched when `transitiveScan` is `full` (bounded 10–2000); prevents a large lockfile from overwhelming the backend |
| `cleanlib.notifications.onScanComplete` | `critical-only` | Scan-completion toast policy: `critical-only` / `issues-only` / `always` / `never`; manual scans always toast unless `never`; re-toast spam avoided via per-result hash |
| `cleanlib.notifications.onDenyVerdict` | `statusbar-only` | Per-package DENY notification: `toast` / `statusbar-only` / `never` |
| `cleanlib.notifications.onFallback` | `once-per-session` | Backend-fallback toast policy: `once-per-session` / `every-time` / `never` |
| `cleanlib.notifications.onError` | `toast` | Persistent-backend-error notification: `toast` / `statusbar-only` / `never` |
| `cleanlib.notifications.onRiskAccepted` | `toast` | Confirmation after a risk-acceptance rule is copied to the clipboard: `toast` / `never` |
| `cleanlib.apiKey` | `""` | DEPRECATED (v0.1.3+) — Bearer token now stored in OS keychain via SecretStorage. Use `CleanLibrary: Set API Key` from the Command Palette. A non-empty value here is auto-migrated on activation and the setting is cleared. |
Quick start
- Install the extension — search "CleanLibrary" in the VS Code Extensions view (`Cmd+Shift+X` / `Ctrl+Shift+X`) → Install, or run `code --install-extension cleanstart.cleanlibrary`
- Run `CleanLibrary: Set API Key` from the Command Palette and paste your Bearer token (issued by CleanStart; see API key onboarding for the provisioning path)
- Open a project with `package.json` / `requirements.txt` / `pyproject.toml` / `go.mod` / `Cargo.toml`
- Verdicts populate the Problems panel within seconds; hover any dependency for inline detail; CodeActions on DENY/WARN entries offer one-click risk-acceptance rule copy
If no API key is set, the extension runs fully on local fixtures — useful for evaluation without backend access. Status bar shows NOT_CONFIGURED (gray) in this mode.
Architecture
The extension consumes the CleanLibrary App CustomerVerdictResponse envelope at GET /v1/customer/verdicts/{ecosystem}/{package}/{version} — a Verdict JSON object optionally extended with a SignedAttestation (cosign signature + verdict_id + artifact_hash binding). Backend interactions are wrapped by AbortController + classification-aware retry / fallback; the verdict cache + Diagnostics + Hover + CodeActions share state for a coherent IDE surface.
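The request and envelope handling described above, as an added example (not the extension's own code): building the `GET /v1/customer/verdicts/{ecosystem}/{package}/{version}` URL with each segment percent-encoded, clamping `cleanlib.requestTimeoutMs` to its documented range, and checking that a `SignedAttestation` is bound to the verdict it travels with. The route, the `verdict_id` / `artifact_hash` binding and `suggested_actions` come from the page; the exact envelope layout (an `attestation` member, a `decision` field) and the sample payload are assumptions.

```typescript
// Added example, not the extension's code. Envelope layout beyond the page's
// named fields (verdict_id, artifact_hash, suggested_actions) is assumed.
type Decision = "ALLOW" | "DENY" | "WARN";
interface SignedAttestation { signature: string; verdict_id: string; artifact_hash: string }
interface Verdict { verdict_id: string; artifact_hash: string; decision: Decision; reasoning?: string; suggested_actions?: string[] }
type CustomerVerdictResponse = Verdict & { attestation?: SignedAttestation };

// Each path segment is encoded separately so an npm scoped name ("@org/pkg")
// cannot add or split route segments on its way into the URL.
function buildVerdictUrl(endpoint: string, ecosystem: string, pkg: string, version: string): string {
  const base = endpoint.replace(/\/+$/, "");
  const seg = encodeURIComponent;
  return `${base}/v1/customer/verdicts/${seg(ecosystem)}/${seg(pkg)}/${seg(version)}`;
}

// cleanlib.requestTimeoutMs is documented as bounded 5000–60000.
function clampTimeout(ms: number): number {
  return Math.min(60000, Math.max(5000, ms));
}

// Validate the envelope before anything downstream renders it; an unknown
// decision or a missing verdict identity is an error, not a silent ALLOW.
function parseEnvelope(raw: string): CustomerVerdictResponse {
  const o = JSON.parse(raw);
  if (typeof o !== "object" || o === null) throw new Error("envelope is not an object");
  if (!["ALLOW", "DENY", "WARN"].includes(o.decision)) throw new Error(`unknown decision: ${String(o.decision)}`);
  if (typeof o.verdict_id !== "string" || typeof o.artifact_hash !== "string") throw new Error("missing verdict identity");
  return o as CustomerVerdictResponse;
}

// The attestation counts as provenance only when its verdict_id and artifact_hash
// match the verdict it accompanies. Cosign signature verification is a separate
// step, not performed here; a mismatch is surfaced rather than trusted.
function attestationBinding(r: CustomerVerdictResponse): "none" | "bound" | "mismatch" {
  if (!r.attestation) return "none";
  const ok = r.attestation.verdict_id === r.verdict_id && r.attestation.artifact_hash === r.artifact_hash;
  return ok ? "bound" : "mismatch";
}

// Constructed sample envelope for illustration; not a real backend response.
const SAMPLE_ENVELOPE = JSON.stringify({
  verdict_id: "vrd-example-0001",
  artifact_hash: "sha256:placeholder-artifact-hash",
  decision: "DENY",
  reasoning: "constructed reasoning text",
  suggested_actions: ["Pin to the recommended version", "Copy risk-acceptance rule"],
  attestation: { signature: "cosign-signature-placeholder", verdict_id: "vrd-example-0001", artifact_hash: "sha256:placeholder-artifact-hash" },
});
```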
For the full CleanLibrary product architecture see https://cleanlibrary.clnstrt.dev/Architecture/.
License
Proprietary. See LICENSE for terms. © 2026 CleanStart Inc.