AGENTS.md: vscode Architectural Context & Engagement Rules

1. Information Flow & Purpose (The Executive Summary)

You are operating within the vscode repository, the core codebase for Microsoft's Visual Studio Code editor. The architecture is overwhelmingly dominated by TypeScript (79.0%) and JSON configurations (9.0%), utilizing Electron for desktop integration and a complex web-based UI framework. * Architectural Paradigm: The system maps to a "Cluster 4" macro-species. The network topology demonstrates moderate Modularity (0.4471) but severe negative Assortativity (-0.5791). This indicates a highly centralized, fragile "hub-and-spoke" architecture where isolated features and workbench contributions rely heavily on a small set of central utility nodes and foundational service locators. * Information Flow: Execution stems from the Electron main process (src/vs/code/electron-main/app.ts), flowing into the shared process and renderer (Workbench). Features are registered dynamically via contribution points (*.contribution.ts), relying on dependency injection to access core services. * Core Rule: Maintain strict adherence to the established dependency injection (DI) container and contribution registration patterns. Do NOT tightly couple discrete workbench contributions directly to one another; always interface through abstract service definitions located in common/ or browser/ directories.

2. Notable Structures & Architecture

• Foundational Load-Bearers: Core utility modules dictate the stability of the entire repository. src/vs/base/common/assert.ts (1055 inbound connections) and src/vs/base/common/path.ts (143 inbound connections) act as critical pillars. Modifying these files carries an immense blast radius that can trigger cascading compilation and runtime failures across all editor layers.
• Fragile Orchestrators: Test service locators and feature registrars pull in massive dependency trees. workbenchTestServices.ts (189 outbound) and chat.contribution.ts (159 outbound) are highly coupled. Modifying these orchestrators requires comprehensive understanding of the injected service contracts.
• Algorithmic Complexity: Core string processing, path resolution, and specific test fixtures (dompurify.js, conway.js) operate at high recursive time complexities (O(2^N) in static analysis). Avoid introducing unbounded recursion or synchronous blocking operations within the main renderer thread or critical text buffer operations.

3. Security & Vulnerabilities

Status: SECURE PERIMETER. Structural Threat Intelligence audits have flagged 0 malicious artifacts.

CRITICAL WARNINGS: 1. Exploit Generation & Injection Surfaces: Files handling external git operations, terminal environments, and GitHub authentication (extensions/github-authentication/src/flows.ts, extensions/git/src/test/git.test.ts) exhibit high exposure for Exploit Generation. Ensure any shell execution or URL parsing strictly sanitizes external inputs to prevent command injection or path traversal. 2. Hardcoded Payload Artifacts: Numerous .npmrc files are flagged for hardcoded payloads. These are standard configuration files for package registries and are generally safe, but ensure no personal access tokens (PATs) are inadvertently committed. 3. Supply Chain: The repository imports over 4,000 unknown dependencies that bypass the Zero-Trust whitelist. Given the scale of the node ecosystem, this is expected, but adding new third-party telemetry or runtime dependencies requires strict architectural review.

4. Outliers & Extremes

• The Hotspot Matrix (High Volatility + Risk): AI and Chat integrations are currently the most volatile components. chatInputPart.ts (90.4% churn, 91.4% Cognitive Load) and runInTerminalTool.ts (86.4% churn) are massive sources of developer friction, reflecting rapid iteration on Copilot/Chat capabilities.
• Key Person Silos: Foundational external integrations contain significant bus factor risks. src/vs/base/browser/dompurify/dompurify.js (3136 Mass) is 100% isolated to Henning Dieterichs, and Rust-based CLI tunneling components (cli/src/tunnels/code_server.rs) are strictly siloed.
• Blind Bottlenecks: src/vs/base/common/path.ts is a critical "God Node" with a massive blast radius (10.15) but 100% Documentation Risk. It lacks sufficient structured metadata, meaning downstream dependents are flying blind regarding its internal constraints.
• Cumulative Risk Extremes: terminalService.ts and notebookEditorModel.ts represent the highest multi-dimensional technical debt. They combine maximum specification match exposure, logic bomb risk, and extreme cognitive load.

5. Recommended Next Steps (Refactoring for Stability)

To stabilize the architecture and reduce cognitive load for ongoing maintenance, prioritize the following pragmatic actions:

1. Decouple Chat Contribution Orchestrators: The rapid development of AI features has turned chatInputPart.ts and chat.contribution.ts into highly volatile hotspots. Extract the specific command execution and state management logic into discrete, testable controllers to reduce the 90%+ churn rate and lower cognitive load.
2. Document Foundational Blind Bottlenecks: Address the 100% documentation risk in src/vs/base/common/path.ts and extensions/typescript-language-features/src/utils/fs.ts. Adding rigorous JSDoc/TSDoc architectural contracts to these files will mitigate the "House of Cards" error risk for the hundreds of downstream dependents.
3. Refactor Test Service Locators: workbenchTestServices.ts exhibits severe design slop (130 orphaned functions) and pulls in 189 outbound dependencies. Split this monolithic test helper into domain-specific mock service providers (e.g., editorTestServices.ts, terminalTestServices.ts) to reduce testing fragility and improve test compilation times.