pi-lens 2.1.0 → 2.1.1

package/CHANGELOG.md

@@ -2,6 +2,23 @@
 
 All notable changes to pi-lens will be documented in this file.
 
+## [2.1.1] - 2026-03-29
+
+### Added
+- **Content-level secret scanning**: Catches secrets in ANY file type on write/edit (`.env`, `.yaml`, `.json`, not just TypeScript). Blocks before save with patterns for `sk-*`, `ghp_*`, `AKIA*`, private keys, hardcoded passwords.
+- **Project rules integration**: Scans for `.claude/rules/`, `.agents/rules/`, `CLAUDE.md`, `AGENTS.md` at session start and surfaces in system prompt.
+- **Grep-ability rules**: New ast-grep rules for `no-default-export` and `no-relative-cross-package-import` to improve agent searchability.
+
+### Changed
+- **Inline feedback stripped to blocking only**: Warnings no longer shown inline (noise). Only blocking violations and test failures interrupt the agent.
+- **booboo-fix output compacted**: Summary in terminal, full plan in `.pi-lens/reports/fix-plan.tsv`.
+- **booboo-refactor output compacted**: Top 5 worst offenders in terminal, full ranked list in `.pi-lens/reports/refactor-ranked.tsv`.
+- **`ast_grep_search` new params**: Added `selector` (extract specific AST node) and `context` (show surrounding lines).
+- **`ast_grep_replace` mode indicator**: Shows `[DRY-RUN]` or `[APPLIED]` prefix.
+- **no-hardcoded-secrets**: Fixed to only flag actual hardcoded strings (not `process.env` assignments).
+- **no-process-env**: Now only flags secret-related env vars (not PORT, NODE_ENV, etc.).
+- **Removed Factory AI article reference** from architect.yaml.
+
 ## [2.0.40] - 2026-03-27
 
 ### Changed

package/README.md

@@ -16,6 +16,37 @@ pi install git:github.com/apmantza/pi-lens
 
 ---
 
+## What's New (v2.1)
+
+### Content-Level Secret Scanning
+
+Secrets are now blocked **before** they're saved, on **all file types**:
+
+```
+🔴 STOP — 1 potential secret(s) in src/config.ts:
+  L12: Possible Stripe or OpenAI API key (sk-*)
+  → Remove before continuing. Use env vars instead.
+```
+
+Works on `.env`, `.yaml`, `.json`, `.md` — not just TypeScript. Catches `sk-*`, `ghp_*`, `AKIA*`, private keys, hardcoded passwords.
+
+### Compact Output
+
+Inline feedback stripped to **blocking only** — no more warning noise:
+
+```
+🔴 STOP — 2 issue(s) must fixed:
+  L23: var total = sum(items); — use 'let' or 'const'
+```
+
+Warnings are tracked and surfaced via `/lens-booboo`. booboo-fix and booboo-refactor output compacted to summaries with TSV files for full details.
+
+### Project Rules Integration
+
+Scans for `.claude/rules/`, `.agents/rules/`, `CLAUDE.md`, `AGENTS.md` at session start. Project-specific rules are surfaced in the system prompt — the agent knows to read them when relevant. Works alongside pi-lens architect rules.
+
+---
+
 ## What's New (v2.0)
 
 ### Declarative Dispatch System
@@ -184,7 +215,7 @@ These files provide **general project guidance** (coding conventions, workflow r
 
 | Tool | Description |
 |---|---|
-| **`ast_grep_search`** | Search code patterns using AST-aware matching. Supports meta-variables: `$VAR` (single node), `$$$` (multiple). Example: `console.log($MSG)` |
+| **`ast_grep_search`** | Search code patterns using AST-aware matching. Supports meta-variables: `$VAR` (single node), `$$$` (multiple). Optional: `selector` (extract specific AST node), `context` (show surrounding lines). Example: `console.log($MSG)` |
 | **`ast_grep_replace`** | Replace code patterns with AST-aware rewriting. Dry-run by default, use `apply=true` to apply changes. Example: `pattern='console.log($MSG)' rewrite='logger.info($MSG)'` |
 
 Supported languages: c, cpp, csharp, css, dart, elixir, go, haskell, html, java, javascript, json, kotlin, lua, php, python, ruby, rust, scala, sql, swift, tsx, typescript, yaml

package/clients/ast-grep-client.js

@@ -45,16 +45,16 @@ export class AstGrepClient {
     /**
      * Search for AST patterns in files
      */
-    async search(pattern, lang, paths) {
-        return this.runner.exec([
-            "run",
-            "-p",
-            pattern,
-            "--lang",
-            lang,
-            "--json=compact",
-            ...paths,
-        ]);
+    async search(pattern, lang, paths, options) {
+        const args = ["run", "-p", pattern, "--lang", lang, "--json=compact"];
+        if (options?.selector) {
+            args.push("--selector", options.selector);
+        }
+        if (options?.context !== undefined) {
+            args.push("--context", String(options.context));
+        }
+        args.push(...paths);
+        return this.runner.exec(args);
     }
     /**
      * Search and replace AST patterns
@@ -165,8 +165,8 @@ message: found
         }
         return exports;
     }
-    formatMatches(matches, isDryRun = false) {
-        return this.runner.formatMatches(matches, isDryRun);
+    formatMatches(matches, isDryRun = false, showModeIndicator = false) {
+        return this.runner.formatMatches(matches, isDryRun, 50, showModeIndicator);
     }
     /**
      * Scan a file against all rules

package/clients/ast-grep-client.ts

@@ -92,16 +92,17 @@ export class AstGrepClient {
 		pattern: string,
 		lang: string,
 		paths: string[],
+		options?: { selector?: string; context?: number },
 	): Promise<{ matches: AstGrepMatch[]; error?: string }> {
-		return this.runner.exec([
-			"run",
-			"-p",
-			pattern,
-			"--lang",
-			lang,
-			"--json=compact",
-			...paths,
-		]);
+		const args = ["run", "-p", pattern, "--lang", lang, "--json=compact"];
+		if (options?.selector) {
+			args.push("--selector", options.selector);
+		}
+		if (options?.context !== undefined) {
+			args.push("--context", String(options.context));
+		}
+		args.push(...paths);
+		return this.runner.exec(args);
 	}
 
 	/**
@@ -257,8 +258,17 @@ message: found
 		return exports;
 	}
 
-	formatMatches(matches: AstGrepMatch[], isDryRun = false): string {
-		return this.runner.formatMatches(matches as SgMatch[], isDryRun);
+	formatMatches(
+		matches: AstGrepMatch[],
+		isDryRun = false,
+		showModeIndicator = false,
+	): string {
+		return this.runner.formatMatches(
+			matches as SgMatch[],
+			isDryRun,
+			50,
+			showModeIndicator,
+		);
 	}
 
 	/**

package/clients/dispatch/dispatcher.js

@@ -191,9 +191,9 @@ export async function dispatchForFile(ctx, groups) {
     const blockers = allDiagnostics.filter((d) => d.semantic === "blocking");
     const warnings = allDiagnostics.filter((d) => d.semantic === "warning" || d.semantic === "none");
     const fixedItems = allDiagnostics.filter((d) => d.semantic === "fixed");
-    // Format output
+    // Format output — only blocking issues shown inline
+    // Warnings tracked but not shown (noise) — surfaced via /lens-booboo
     let output = formatDiagnostics(blockers, "blocking");
-    output += formatDiagnostics(warnings, "warning");
     output += formatDiagnostics(fixedItems, "fixed");
     return {
         diagnostics: allDiagnostics,

package/clients/dispatch/dispatcher.ts

@@ -266,9 +266,9 @@ export async function dispatchForFile(
 	);
 	const fixedItems = allDiagnostics.filter((d) => d.semantic === "fixed");
 
-	// Format output
+	// Format output — only blocking issues shown inline
+	// Warnings tracked but not shown (noise) — surfaced via /lens-booboo
 	let output = formatDiagnostics(blockers, "blocking");
-	output += formatDiagnostics(warnings, "warning");
 	output += formatDiagnostics(fixedItems, "fixed");
 
 	return {

package/clients/dispatch/runners/secrets.js

@@ -0,0 +1,109 @@
+/**
+ * Secrets scanner runner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Patterns detected:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key patterns
+ */
+const SECRET_PATTERNS = [
+    {
+        pattern: /sk-[a-zA-Z0-9]{20,}/g,
+        name: "stripe-openai-key",
+        message: "Possible Stripe or OpenAI API key (sk-*)",
+    },
+    {
+        pattern: /ghp_[a-zA-Z0-9]{36}/g,
+        name: "github-personal-token",
+        message: "GitHub personal access token (ghp_*)",
+    },
+    {
+        pattern: /gho_[a-zA-Z0-9]{36}/g,
+        name: "github-oauth-token",
+        message: "GitHub OAuth token (gho_*)",
+    },
+    {
+        pattern: /github_pat_[a-zA-Z_]{82}/g,
+        name: "github-fine-grained-pat",
+        message: "GitHub fine-grained PAT (github_pat_*)",
+    },
+    {
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        name: "aws-access-key",
+        message: "AWS access key ID (AKIA*)",
+    },
+    {
+        pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+        name: "slack-token",
+        message: "Slack token (xoxb-*/xoxp-*)",
+    },
+    {
+        pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+        name: "private-key",
+        message: "Private key material detected",
+    },
+    {
+        pattern: /password\s*[:=]\s*["'][^"']{8,}["']/gi,
+        name: "hardcoded-password",
+        message: "Possible hardcoded password",
+    },
+    {
+        pattern: /(?:secret|api_?key|token)\s*[:=]\s*["'][a-zA-Z0-9]{20,}["']/gi,
+        name: "generic-api-secret",
+        message: "Possible hardcoded secret, API key, or token",
+    },
+];
+function scanContent(content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const secret of SECRET_PATTERNS) {
+            secret.pattern.lastIndex = 0; // Reset regex state
+            const match = secret.pattern.exec(line);
+            if (match) {
+                findings.push({
+                    line: i + 1,
+                    pattern: secret,
+                    match: match[0].slice(0, 20) + "...",
+                });
+            }
+        }
+    }
+    return findings;
+}
+async function run(ctx) {
+    const diagnostics = [];
+    // Get the content being written - check both full content and the diff
+    const content = ctx.content;
+    if (!content)
+        return { diagnostics };
+    const findings = scanContent(content);
+    for (const finding of findings) {
+        diagnostics.push({
+            id: `secrets-${finding.pattern.name}-${finding.line}`,
+            message: `${finding.pattern.message} at line ${finding.line}. Remove before committing.`,
+            filePath: ctx.filePath,
+            line: finding.line,
+            severity: "error",
+            semantic: "blocking", // Always blocking - secrets should never be committed
+            tool: "secrets",
+            rule: finding.pattern.name,
+            fixable: false,
+        });
+    }
+    return { diagnostics };
+}
+const runner = {
+    id: "secrets",
+    appliesTo: ["*"], // All file types
+    priority: 0, // Run first - block before other checks
+    run,
+};
+export default runner;

package/clients/secrets-scanner.js

@@ -0,0 +1,113 @@
+/**
+ * Content-level secrets scanner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Detected patterns:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key/password patterns
+ */
+// Patterns ordered by specificity - first match wins per line
+const SECRET_PATTERNS = [
+    // High-confidence: specific key prefixes
+    {
+        pattern: /sk-[a-zA-Z0-9-]{20,}/g,
+        name: "stripe-openai-key",
+        message: "Possible Stripe or OpenAI API key (sk-*)",
+    },
+    {
+        pattern: /ghp_[a-zA-Z0-9]{36}/g,
+        name: "github-personal-token",
+        message: "GitHub personal access token (ghp_*)",
+    },
+    {
+        pattern: /gho_[a-zA-Z0-9]{36}/g,
+        name: "github-oauth-token",
+        message: "GitHub OAuth token (gho_*)",
+    },
+    {
+        pattern: /github_pat_[a-zA-Z_]{82}/g,
+        name: "github-fine-grained-pat",
+        message: "GitHub fine-grained PAT (github_pat_*)",
+    },
+    {
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        name: "aws-access-key",
+        message: "AWS access key ID (AKIA*)",
+    },
+    {
+        pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+        name: "slack-token",
+        message: "Slack token (xoxb-*/xoxp-*)",
+    },
+    {
+        pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+        name: "private-key",
+        message: "Private key material detected",
+    },
+    // Medium-confidence: quoted credentials
+    {
+        pattern: /password\s*[:=]\s*["'][^"']{4,}["']/gi,
+        name: "hardcoded-password",
+        message: "Possible hardcoded password",
+    },
+    {
+        pattern: /(?:secret|api_?key|token|access_?key)\s*[:=]\s*["'][a-zA-Z0-9_\-/.]{8,}["']/gi,
+        name: "hardcoded-secret",
+        message: "Possible hardcoded secret or API key",
+    },
+    // .env format: KEY=VALUE (no quotes)
+    {
+        pattern: /^(?:API_?KEY|SECRET|TOKEN|PASSWORD|AWS_?ACCESS_?KEY)\s*=\s*\S{8,}/gim,
+        name: "env-file-secret",
+        message: "Possible secret in .env format",
+    },
+];
+/**
+ * Scan content for potential secrets
+ * Returns findings with line numbers
+ */
+export function scanForSecrets(content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        let matched = false;
+        for (const pattern of SECRET_PATTERNS) {
+            // Reset lastIndex before each test (important for global regex)
+            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+            if (regex.test(line)) {
+                findings.push({
+                    line: i + 1,
+                    message: pattern.message,
+                });
+                matched = true;
+                break; // One finding per line
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Format secrets findings for terminal output
+ */
+export function formatSecrets(findings, filePath) {
+    if (findings.length === 0)
+        return "";
+    const lines = [
+        `🔴 STOP — ${findings.length} potential secret(s) in ${filePath}:`,
+    ];
+    for (const f of findings.slice(0, 5)) {
+        lines.push(`  L${f.line}: ${f.message}`);
+    }
+    if (findings.length > 5) {
+        lines.push(`  ... and ${findings.length - 5} more`);
+    }
+    lines.push("  → Remove before continuing. Use env vars instead.");
+    return lines.join("\n");
+}

package/clients/secrets-scanner.test.js

@@ -0,0 +1,100 @@
+import { describe, expect, it } from "vitest";
+import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
+describe("scanForSecrets", () => {
+    it("should detect Stripe/OpenAI keys (sk-*)", () => {
+        const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("Stripe or OpenAI");
+    });
+    it("should detect GitHub personal tokens (ghp_*)", () => {
+        const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("GitHub personal");
+    });
+    it("should detect AWS access keys (AKIA*)", () => {
+        const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("AWS access key");
+    });
+    it("should detect private key material", () => {
+        const content = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("Private key");
+    });
+    it("should detect hardcoded passwords", () => {
+        const content = `const config = { password: "hunter2" };`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("password");
+    });
+    it("should detect secrets in .env format", () => {
+        const content = `API_KEY=sk-live-1234567890abcdefghij
+DATABASE_URL=postgres://localhost`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        // sk-* pattern catches this first (more specific)
+        expect(findings[0].message).toContain("Stripe or OpenAI");
+    });
+    it("should NOT flag safe content", () => {
+        const content = `
+const name = "test";
+const url = "https://example.com";
+const port = 3000;
+const message = "Hello world";
+`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(0);
+    });
+    it("should NOT flag env var references", () => {
+        const content = `const key = process.env.API_KEY;`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(0);
+    });
+    it("should detect multiple secrets", () => {
+        const content = `
+const sk = "sk-live-1234567890abcdefghij";
+const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
+`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(2);
+    });
+    it("should report correct line numbers", () => {
+        const content = `line 1
+line 2
+const secret = "sk-live-1234567890abcdefghij";
+line 4`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].line).toBe(3);
+    });
+});
+describe("formatSecrets", () => {
+    it("should format findings for terminal output", () => {
+        const findings = [
+            { line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
+        ];
+        const output = formatSecrets(findings, "src/config.ts");
+        expect(output).toContain("STOP");
+        expect(output).toContain("1 potential secret(s)");
+        expect(output).toContain("L5");
+        expect(output).toContain("src/config.ts");
+    });
+    it("should return empty string for no findings", () => {
+        const output = formatSecrets([], "src/config.ts");
+        expect(output).toBe("");
+    });
+    it("should truncate at 5 findings", () => {
+        const findings = Array.from({ length: 10 }, (_, i) => ({
+            line: i + 1,
+            message: "Test secret",
+        }));
+        const output = formatSecrets(findings, "src/config.ts");
+        expect(output).toContain("10 potential secret(s)");
+        expect(output).toContain("... and 5 more");
+    });
+});

package/clients/secrets-scanner.test.ts

@@ -0,0 +1,113 @@
+import { describe, expect, it } from "vitest";
+import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
+
+describe("scanForSecrets", () => {
+	it("should detect Stripe/OpenAI keys (sk-*)", () => {
+		const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("Stripe or OpenAI");
+	});
+
+	it("should detect GitHub personal tokens (ghp_*)", () => {
+		const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("GitHub personal");
+	});
+
+	it("should detect AWS access keys (AKIA*)", () => {
+		const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("AWS access key");
+	});
+
+	it("should detect private key material", () => {
+		const content = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("Private key");
+	});
+
+	it("should detect hardcoded passwords", () => {
+		const content = `const config = { password: "hunter2" };`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("password");
+	});
+
+	it("should detect secrets in .env format", () => {
+		const content = `API_KEY=sk-live-1234567890abcdefghij
+DATABASE_URL=postgres://localhost`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		// sk-* pattern catches this first (more specific)
+		expect(findings[0].message).toContain("Stripe or OpenAI");
+	});
+
+	it("should NOT flag safe content", () => {
+		const content = `
+const name = "test";
+const url = "https://example.com";
+const port = 3000;
+const message = "Hello world";
+`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(0);
+	});
+
+	it("should NOT flag env var references", () => {
+		const content = `const key = process.env.API_KEY;`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(0);
+	});
+
+	it("should detect multiple secrets", () => {
+		const content = `
+const sk = "sk-live-1234567890abcdefghij";
+const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
+`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(2);
+	});
+
+	it("should report correct line numbers", () => {
+		const content = `line 1
+line 2
+const secret = "sk-live-1234567890abcdefghij";
+line 4`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].line).toBe(3);
+	});
+});
+
+describe("formatSecrets", () => {
+	it("should format findings for terminal output", () => {
+		const findings = [
+			{ line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
+		];
+		const output = formatSecrets(findings, "src/config.ts");
+		expect(output).toContain("STOP");
+		expect(output).toContain("1 potential secret(s)");
+		expect(output).toContain("L5");
+		expect(output).toContain("src/config.ts");
+	});
+
+	it("should return empty string for no findings", () => {
+		const output = formatSecrets([], "src/config.ts");
+		expect(output).toBe("");
+	});
+
+	it("should truncate at 5 findings", () => {
+		const findings = Array.from({ length: 10 }, (_, i) => ({
+			line: i + 1,
+			message: "Test secret",
+		}));
+		const output = formatSecrets(findings, "src/config.ts");
+		expect(output).toContain("10 potential secret(s)");
+		expect(output).toContain("... and 5 more");
+	});
+});