firevault 0.2.0-beta.2 → 0.2.0-beta.4

package/CHANGELOG.md

@@ -1,6 +1,18 @@
 # Changelog
 
-## 0.2.0-beta.1 - Unreleased
+## Unreleased
+
+- Added optional VS Code settings support during `firevault init` to hide the nested `.firevault` Git repository from the parent workspace Source Control panel.
+
+## 0.2.0-beta.3
+
+- Changed `firevault doctor` to treat service account paths outside `.firevault` as informational rather than a failure.
+
+## 0.2.0-beta.2
+
+- Fixed CLI version reporting to read from `package.json` instead of a hardcoded version.
+
+## 0.2.0-beta.1
 
 - Added `firevault status` for compact local recovery health checks.
 - Added `firevault doctor` for actionable local setup validation.

package/README.md

@@ -52,6 +52,8 @@ firevault init
 
 `firevault init` asks for your Firebase project ID, service account path, output directory, and collections. It creates `.firevault/`, writes `.firevault/config.json`, writes `.firevault/.gitignore`, can initialize Git inside `.firevault/`, and adds `.firevault/` to the parent app repo `.gitignore` when the parent is a Git repo.
 
+If VS Code settings are detected, init can also hide `.firevault` from the parent workspace Source Control panel by adding `.firevault` to `git.ignoredRepositories`. This only affects the parent VS Code UI; `.firevault` remains a normal Git repository and works normally when opened directly.
+
 During setup, Firevault looks for likely Firebase project IDs in local files such as `.env.local`, `.env.development`, `firebase.json`, and common Firebase config files. Detection is best-effort and transparent: if Firevault finds candidates, it shows where they came from and lets you accept one or enter a value manually.
 
 Firevault also looks for likely local service account files such as `serviceAccountKey.json`, `service-account.json`, `firebase-service-account.json`, and `credentials/firebase.json`. It never prints private key contents. If you select a service account path, Firevault adds that path to `.gitignore`.

package/dist/commands/doctor.js

@@ -133,7 +133,7 @@ export function runDoctor() {
     }
     const serviceAccountDisplayPath = displayPathFromApp(config.workspaceRoot, config.serviceAccountPathAbsolute);
     if (!isInside(config.workspaceRoot, config.serviceAccountPathAbsolute)) {
-        addCheck(checks, "FAIL", "Service account path is outside .firevault", "Set serviceAccountPath to a path inside .firevault, such as ./serviceAccountKey.json");
+        addCheck(checks, "INFO", "Service account path is outside .firevault", "External credential paths are supported. Ensure the file is securely managed and excluded from Git.");
     }
     else if (existsSync(config.serviceAccountPathAbsolute)) {
         addCheck(checks, "OK", "Service account file present");
@@ -164,10 +164,14 @@ export function runDoctor() {
         addCheck(checks, "WARN", "No Git remote origin configured", "git -C .firevault remote add origin <private-repo-url>");
     }
     workflowChecks(checks, config.workspaceRoot);
-    const serviceAccountIgnored = workspaceIsGitRepo
+    const serviceAccountIsInsideWorkspace = isInside(config.workspaceRoot, config.serviceAccountPathAbsolute);
+    const serviceAccountIgnored = workspaceIsGitRepo && serviceAccountIsInsideWorkspace
         ? isPathIgnored(config.serviceAccountPath, config.workspaceRoot)
         : undefined;
-    if (serviceAccountIgnored === true || gitignoreContains(config.workspaceRoot, config.serviceAccountPath)) {
+    if (!serviceAccountIsInsideWorkspace) {
+        addCheck(checks, "INFO", "Service account ignore check skipped for external path");
+    }
+    else if (serviceAccountIgnored === true || gitignoreContains(config.workspaceRoot, config.serviceAccountPath)) {
         addCheck(checks, "OK", "Service account file ignored");
     }
     else {

package/dist/commands/init.js

@@ -236,6 +236,53 @@ function ensureGitignoreEntries(gitignorePath, entries) {
     const prefix = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
     appendFileSync(gitignorePath, `${prefix}${missingEntries.join("\n")}\n`);
 }
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function hasVsCodeConfig(appRoot) {
+    return existsSync(path.join(appRoot, ".vscode"));
+}
+async function shouldHideWorkspaceFromVsCode(options, appRoot, rl) {
+    if (!hasVsCodeConfig(appRoot)) {
+        return false;
+    }
+    if (options.yes) {
+        return true;
+    }
+    if (!rl) {
+        throw new Error("Prompt interface is required for interactive init.");
+    }
+    console.log("VS Code detected.");
+    const answer = (await rl.question("Hide .firevault repository from the parent VS Code workspace? (Y/n): "))
+        .trim()
+        .toLowerCase();
+    return answer === "" || answer === "y" || answer === "yes";
+}
+function updateVsCodeSettings(appRoot) {
+    const vscodeDir = path.join(appRoot, ".vscode");
+    const settingsPath = path.join(vscodeDir, "settings.json");
+    const settings = existsSync(settingsPath)
+        ? JSON.parse(readFileSync(settingsPath, "utf-8"))
+        : {};
+    if (!isRecord(settings)) {
+        throw new Error(".vscode/settings.json must contain a JSON object.");
+    }
+    const existingIgnoredRepositories = settings["git.ignoredRepositories"];
+    if (existingIgnoredRepositories !== undefined &&
+        !Array.isArray(existingIgnoredRepositories)) {
+        throw new Error(".vscode/settings.json field git.ignoredRepositories must be an array.");
+    }
+    const ignoredRepositories = existingIgnoredRepositories
+        ? [...existingIgnoredRepositories]
+        : [];
+    if (ignoredRepositories.includes(".firevault")) {
+        return false;
+    }
+    mkdirSync(vscodeDir, { recursive: true });
+    settings["git.ignoredRepositories"] = [...ignoredRepositories, ".firevault"];
+    writeFileSync(settingsPath, `${JSON.stringify(settings, null, 2)}\n`);
+    return true;
+}
 export async function runInit(options) {
     console.log("Firevault");
     console.log("Undo button for Firestore.");
@@ -256,6 +303,7 @@ export async function runInit(options) {
         const shouldInitGit = workspaceIsGitRepository
             ? false
             : await promptForGitInit(options, rl);
+        const shouldHideVsCodeWorkspace = await shouldHideWorkspaceFromVsCode(options, appRoot, rl);
         const config = await promptForConfig(options, workspaceRoot, rl);
         config.collections = config.collections.map((collection) => collection.trim());
         validateConfig(config);
@@ -290,6 +338,15 @@ export async function runInit(options) {
             ensureGitignoreEntries(path.join(appRoot, ".gitignore"), parentIgnoreEntries);
             console.log("Updated parent .gitignore safety entries.");
         }
+        if (shouldHideVsCodeWorkspace) {
+            const updatedVsCodeSettings = updateVsCodeSettings(appRoot);
+            if (updatedVsCodeSettings) {
+                console.log("Updated VS Code settings to hide .firevault from the parent workspace.");
+            }
+            else {
+                console.log("VS Code settings already hide .firevault from the parent workspace.");
+            }
+        }
         console.log("Created .firevault/config.json.");
         console.log("Updated .firevault/.gitignore safety entries.");
         console.log("");

package/docs/architecture.md

@@ -107,6 +107,7 @@ Behavior:
 - refuses to overwrite `.firevault/config.json` unless `--force` is provided,
 - adds `.firevault/` to the parent app repo `.gitignore` when the parent is a Git repo,
 - appends `.firevault/.gitignore` safety entries, including the selected service account path, without duplicating existing lines,
+- optionally adds `.firevault` to VS Code `git.ignoredRepositories` for the parent workspace when `.vscode/` is detected and the user accepts,
 - never creates service accounts, opens browsers, runs `gcloud`, commits, pushes, creates GitHub repositories, contacts Firebase, or writes secrets.
 
 ## Firebase Access
@@ -134,6 +135,8 @@ Operational commands work from the app root or from inside `.firevault/` by disc
 
 `firestore-backups/` is not ignored inside `.firevault/` by default. The `.firevault` repository exists to commit backup data.
 
+VS Code may show nested Git repositories in the parent app Source Control panel. Firevault can optionally update `.vscode/settings.json` in the parent app to hide `.firevault` from that parent workspace UI using `git.ignoredRepositories`. This does not change Git behavior and does not prevent opening `.firevault` directly in VS Code.
+
 ## GitHub Actions Automation
 
 `firevault setup-github-action` is a local workflow-file generator for scheduled offsite snapshots. It writes `.firevault/.github/workflows/firevault-snapshot.yml` and stops there.

package/docs/doctor-design.md

@@ -45,6 +45,7 @@ Next fixes:
 Use clear severity:
 
 - `OK`: check passed.
+- `INFO`: supported setup choice or useful context.
 - `WARN`: setup can work locally but recovery posture is weaker.
 - `FAIL`: setup is incomplete or unsafe enough that normal recovery workflows may fail.
 
@@ -54,6 +55,8 @@ Exit codes:
 - `1` if warnings are present and no checks fail.
 - `2` if any `FAIL`.
 
+`INFO` checks do not affect the exit code.
+
 ## Checks
 
 ### Workspace
@@ -103,16 +106,25 @@ Edit .firevault/config.json or rerun `firevault init --force`
 
 Checks:
 
-- configured `serviceAccountPath` resolves inside `.firevault`,
-- file exists.
+- configured `serviceAccountPath` may resolve inside or outside `.firevault`,
+- file exists when the path is inside `.firevault`.
+
+External credential paths are supported. A service account file outside `.firevault` is not inherently unsafe because users may keep credentials in secure locations such as `~/.config`, password-manager mounted paths, or shared secret directories.
 
 Do not parse the service account JSON in the first version. Parsing is local, but it starts pulling doctor toward credential validation. Save that for a later `--verify` mode.
 
 Result:
 
+- `INFO Service account path is outside .firevault`
 - `OK Service account file present`
 - `FAIL Service account file missing`
 
+Message for external paths:
+
+```txt
+External credential paths are supported. Ensure the file is securely managed and excluded from Git.
+```
+
 Fix:
 
 ```txt
@@ -216,7 +228,9 @@ Review .firevault/.github/workflows/firevault-snapshot.yml or rerun `firevault s
 Checks:
 
 - `.firevault/.gitignore` exists,
-- configured service account path is ignored by Git.
+- configured service account path is ignored by Git when the path is inside `.firevault`.
+
+If the configured service account path is outside `.firevault`, skip `.firevault/.gitignore` enforcement and report an informational check instead. External credential paths should be managed by the external location's security and Git ignore policy.
 
 Best check:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "firevault",
-  "version": "0.2.0-beta.2",
+  "version": "0.2.0-beta.4",
   "description": "Undo button for Firestore. Git-style history, rollback, and recovery for Firestore projects.",
   "keywords": [
     "firebase",