pi-lens 2.1.0 → 2.2.0

package/CHANGELOG.md

@@ -2,6 +2,23 @@
 
 All notable changes to pi-lens will be documented in this file.
 
+## [2.1.1] - 2026-03-29
+
+### Added
+- **Content-level secret scanning**: Catches secrets in ANY file type on write/edit (`.env`, `.yaml`, `.json`, not just TypeScript). Blocks before save with patterns for `sk-*`, `ghp_*`, `AKIA*`, private keys, hardcoded passwords.
+- **Project rules integration**: Scans for `.claude/rules/`, `.agents/rules/`, `CLAUDE.md`, `AGENTS.md` at session start and surfaces in system prompt.
+- **Grep-ability rules**: New ast-grep rules for `no-default-export` and `no-relative-cross-package-import` to improve agent searchability.
+
+### Changed
+- **Inline feedback stripped to blocking only**: Warnings no longer shown inline (noise). Only blocking violations and test failures interrupt the agent.
+- **booboo-fix output compacted**: Summary in terminal, full plan in `.pi-lens/reports/fix-plan.tsv`.
+- **booboo-refactor output compacted**: Top 5 worst offenders in terminal, full ranked list in `.pi-lens/reports/refactor-ranked.tsv`.
+- **`ast_grep_search` new params**: Added `selector` (extract specific AST node) and `context` (show surrounding lines).
+- **`ast_grep_replace` mode indicator**: Shows `[DRY-RUN]` or `[APPLIED]` prefix.
+- **no-hardcoded-secrets**: Fixed to only flag actual hardcoded strings (not `process.env` assignments).
+- **no-process-env**: Now only flags secret-related env vars (not PORT, NODE_ENV, etc.).
+- **Removed Factory AI article reference** from architect.yaml.
+
 ## [2.0.40] - 2026-03-27
 
 ### Changed
@@ -281,6 +298,16 @@ All notable changes to pi-lens will be documented in this file.
 ### Changed
 - **Improved ast-grep tool descriptions**: Better pattern guidance to prevent overly broad searches.
 
+## [2.2.0] - 2026-03-29
+
+### Added
+- **`/lens-rate` command**: Visual code quality scoring across 6 dimensions (Type Safety, Complexity, Security, Architecture, Dead Code, Tests). Shows grade A-F and colored progress bars.
+- **Pyright runner**: Real Python type-checking via pyright. Catches type errors like `result: str = add(1, 2)` that ruff misses. Runs alongside ruff (pyright for types, ruff for linting).
+- **Vitest config**: Increased test timeout to 15s for CLI spawn tests. Fixes flaky test failures when npx downloads packages.
+
+### Fixed
+- **Test flakiness**: Availability tests (biome, knip, jscpd) no longer timeout when npx is downloading packages.
+
 ## [1.3.0] - 2026-03-23
 
 ### Changed

package/README.md

@@ -16,6 +16,74 @@ pi install git:github.com/apmantza/pi-lens
 
 ---
 
+## What's New (v2.2)
+
+### `/lens-rate` — Code Quality Scoring
+
+Visual scoring breakdown across 6 dimensions with grade A-F:
+
+```
+┌─────────────────────────────────────────────────────────┐
+│  📊 CODE QUALITY SCORE: 85/100 (B)                      │
+├─────────────────────────────────────────────────────────┤
+│  🔷 Type Safety  🟩🟩🟩🟩🟩🟩🟩🟩⬜⬜  85 │
+│  🧩 Complexity   🟩🟩🟩🟩🟩🟩🟩🟩⬜⬜  82 │
+│  🔒 Security     🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩 100 │
+│  🏗️ Architecture  🟩🟩🟩🟩🟩🟩🟩🟩⬜⬜  80 │
+│  🗑️ Dead Code    🟩🟩🟩🟩🟩🟩🟩🟩🟩⬜  90 │
+│  ✅ Tests        🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩 100 │
+└─────────────────────────────────────────────────────────┘
+```
+
+Scores are calculated from real scan data: type-coverage, complexity metrics, secret detection, architect rules, knip, and test results.
+
+### Python Type-Checking (Pyright)
+
+Python files now get **real type-checking** via pyright, not just linting:
+
+```python
+# ruff won't catch this, but pyright will:
+def add(x: int, y: int) -> int:
+    return x + y
+
+result: str = add(1, 2)  # ❌ pyright: Type "int" not assignable to "str"
+```
+
+Pyright runs alongside ruff — pyright catches type errors, ruff catches style issues.
+
+---
+
+## What's New (v2.1)
+
+### Content-Level Secret Scanning
+
+Secrets are now blocked **before** they're saved, on **all file types**:
+
+```
+🔴 STOP — 1 potential secret(s) in src/config.ts:
+  L12: Possible Stripe or OpenAI API key (sk-*)
+  → Remove before continuing. Use env vars instead.
+```
+
+Works on `.env`, `.yaml`, `.json`, `.md` — not just TypeScript. Catches `sk-*`, `ghp_*`, `AKIA*`, private keys, hardcoded passwords.
+
+### Compact Output
+
+Inline feedback stripped to **blocking only** — no more warning noise:
+
+```
+🔴 STOP — 2 issue(s) must fixed:
+  L23: var total = sum(items); — use 'let' or 'const'
+```
+
+Warnings are tracked and surfaced via `/lens-booboo`. booboo-fix and booboo-refactor output compacted to summaries with TSV files for full details.
+
+### Project Rules Integration
+
+Scans for `.claude/rules/`, `.agents/rules/`, `CLAUDE.md`, `AGENTS.md` at session start. Project-specific rules are surfaced in the system prompt — the agent knows to read them when relevant. Works alongside pi-lens architect rules.
+
+---
+
 ## What's New (v2.0)
 
 ### Declarative Dispatch System
@@ -184,7 +252,7 @@ These files provide **general project guidance** (coding conventions, workflow r
 
 | Tool | Description |
 |---|---|
-| **`ast_grep_search`** | Search code patterns using AST-aware matching. Supports meta-variables: `$VAR` (single node), `$$$` (multiple). Example: `console.log($MSG)` |
+| **`ast_grep_search`** | Search code patterns using AST-aware matching. Supports meta-variables: `$VAR` (single node), `$$$` (multiple). Optional: `selector` (extract specific AST node), `context` (show surrounding lines). Example: `console.log($MSG)` |
 | **`ast_grep_replace`** | Replace code patterns with AST-aware rewriting. Dry-run by default, use `apply=true` to apply changes. Example: `pattern='console.log($MSG)' rewrite='logger.info($MSG)'` |
 
 Supported languages: c, cpp, csharp, css, dart, elixir, go, haskell, html, java, javascript, json, kotlin, lua, php, python, ruby, rust, scala, sql, swift, tsx, typescript, yaml
@@ -327,6 +395,7 @@ Each rule includes a `message` and `note` that are shown in diagnostics, so the
 | `type-coverage` | `npm i -D type-coverage` | TypeScript `any` coverage percentage |
 | `madge` | `npm i -D madge` | Circular dependency detection |
 | `ruff` | `pip install ruff` | Python lint + format + autofix |
+| `pyright` | `npx pyright` (auto-installed) | Python type-checking |
 
 ---
 

package/clients/ast-grep-client.js

@@ -45,16 +45,16 @@ export class AstGrepClient {
     /**
      * Search for AST patterns in files
      */
-    async search(pattern, lang, paths) {
-        return this.runner.exec([
-            "run",
-            "-p",
-            pattern,
-            "--lang",
-            lang,
-            "--json=compact",
-            ...paths,
-        ]);
+    async search(pattern, lang, paths, options) {
+        const args = ["run", "-p", pattern, "--lang", lang, "--json=compact"];
+        if (options?.selector) {
+            args.push("--selector", options.selector);
+        }
+        if (options?.context !== undefined) {
+            args.push("--context", String(options.context));
+        }
+        args.push(...paths);
+        return this.runner.exec(args);
     }
     /**
      * Search and replace AST patterns
@@ -165,8 +165,8 @@ message: found
         }
         return exports;
     }
-    formatMatches(matches, isDryRun = false) {
-        return this.runner.formatMatches(matches, isDryRun);
+    formatMatches(matches, isDryRun = false, showModeIndicator = false) {
+        return this.runner.formatMatches(matches, isDryRun, 50, showModeIndicator);
     }
     /**
      * Scan a file against all rules

package/clients/ast-grep-client.ts

@@ -92,16 +92,17 @@ export class AstGrepClient {
 		pattern: string,
 		lang: string,
 		paths: string[],
+		options?: { selector?: string; context?: number },
 	): Promise<{ matches: AstGrepMatch[]; error?: string }> {
-		return this.runner.exec([
-			"run",
-			"-p",
-			pattern,
-			"--lang",
-			lang,
-			"--json=compact",
-			...paths,
-		]);
+		const args = ["run", "-p", pattern, "--lang", lang, "--json=compact"];
+		if (options?.selector) {
+			args.push("--selector", options.selector);
+		}
+		if (options?.context !== undefined) {
+			args.push("--context", String(options.context));
+		}
+		args.push(...paths);
+		return this.runner.exec(args);
 	}
 
 	/**
@@ -257,8 +258,17 @@ message: found
 		return exports;
 	}
 
-	formatMatches(matches: AstGrepMatch[], isDryRun = false): string {
-		return this.runner.formatMatches(matches as SgMatch[], isDryRun);
+	formatMatches(
+		matches: AstGrepMatch[],
+		isDryRun = false,
+		showModeIndicator = false,
+	): string {
+		return this.runner.formatMatches(
+			matches as SgMatch[],
+			isDryRun,
+			50,
+			showModeIndicator,
+		);
 	}
 
 	/**

package/clients/dispatch/dispatcher.js

@@ -191,9 +191,9 @@ export async function dispatchForFile(ctx, groups) {
     const blockers = allDiagnostics.filter((d) => d.semantic === "blocking");
     const warnings = allDiagnostics.filter((d) => d.semantic === "warning" || d.semantic === "none");
     const fixedItems = allDiagnostics.filter((d) => d.semantic === "fixed");
-    // Format output
+    // Format output — only blocking issues shown inline
+    // Warnings tracked but not shown (noise) — surfaced via /lens-booboo
     let output = formatDiagnostics(blockers, "blocking");
-    output += formatDiagnostics(warnings, "warning");
     output += formatDiagnostics(fixedItems, "fixed");
     return {
         diagnostics: allDiagnostics,

package/clients/dispatch/dispatcher.ts

@@ -266,9 +266,9 @@ export async function dispatchForFile(
 	);
 	const fixedItems = allDiagnostics.filter((d) => d.semantic === "fixed");
 
-	// Format output
+	// Format output — only blocking issues shown inline
+	// Warnings tracked but not shown (noise) — surfaced via /lens-booboo
 	let output = formatDiagnostics(blockers, "blocking");
-	output += formatDiagnostics(warnings, "warning");
 	output += formatDiagnostics(fixedItems, "fixed");
 
 	return {

package/clients/dispatch/runners/index.js

@@ -7,12 +7,14 @@ import architectRunner from "./architect.js";
 import astGrepRunner from "./ast-grep.js";
 import biomeRunner from "./biome.js";
 import goVetRunner from "./go-vet.js";
+import pyrightRunner from "./pyright.js";
 import ruffRunner from "./ruff.js";
 import rustClippyRunner from "./rust-clippy.js";
 import tsLspRunner from "./ts-lsp.js";
 import typeSafetyRunner from "./type-safety.js";
 // Register all runners (ordered by priority)
-registerRunner(tsLspRunner);
+registerRunner(tsLspRunner); // TypeScript type-checking
+registerRunner(pyrightRunner); // Python type-checking
 registerRunner(biomeRunner);
 registerRunner(ruffRunner);
 registerRunner(typeSafetyRunner);

package/clients/dispatch/runners/index.ts

@@ -8,13 +8,15 @@ import architectRunner from "./architect.js";
 import astGrepRunner from "./ast-grep.js";
 import biomeRunner from "./biome.js";
 import goVetRunner from "./go-vet.js";
+import pyrightRunner from "./pyright.js";
 import ruffRunner from "./ruff.js";
 import rustClippyRunner from "./rust-clippy.js";
 import tsLspRunner from "./ts-lsp.js";
 import typeSafetyRunner from "./type-safety.js";
 
 // Register all runners (ordered by priority)
-registerRunner(tsLspRunner);
+registerRunner(tsLspRunner); // TypeScript type-checking
+registerRunner(pyrightRunner); // Python type-checking
 registerRunner(biomeRunner);
 registerRunner(ruffRunner);
 registerRunner(typeSafetyRunner);

package/clients/dispatch/runners/pyright.js

@@ -0,0 +1,68 @@
+/**
+ * Pyright runner for dispatch system
+ *
+ * Provides real Python type-checking (not just linting).
+ * Catches type errors like: result: str = add(1, 2)  # Type "int" not assignable to "str"
+ */
+import { spawnSync } from "node:child_process";
+const pyrightRunner = {
+    id: "pyright",
+    appliesTo: ["python"],
+    priority: 5, // Higher priority than ruff (10) - type errors are more important
+    enabledByDefault: true,
+    async run(ctx) {
+        // Run pyright with JSON output
+        const result = spawnSync("npx", ["pyright", "--outputjson", ctx.filePath], {
+            encoding: "utf-8",
+            timeout: 60000, // Pyright can be slower on first run
+            shell: true,
+        });
+        // Pyright returns non-zero when errors found, that's OK
+        if (result.error) {
+            return { status: "skipped", diagnostics: [], semantic: "none" };
+        }
+        const output = (result.stdout || "").trim();
+        if (!output) {
+            return { status: "succeeded", diagnostics: [], semantic: "none" };
+        }
+        try {
+            const data = JSON.parse(output);
+            const diagnostics = parsePyrightOutput(data, ctx.filePath);
+            if (diagnostics.length === 0) {
+                return { status: "succeeded", diagnostics: [], semantic: "none" };
+            }
+            const hasErrors = diagnostics.some((d) => d.severity === "error");
+            return {
+                status: hasErrors ? "failed" : "succeeded",
+                diagnostics,
+                semantic: "warning",
+            };
+        }
+        catch {
+            // JSON parse failed, skip
+            return { status: "skipped", diagnostics: [], semantic: "none" };
+        }
+    },
+};
+function parsePyrightOutput(data, filePath) {
+    if (!data.generalDiagnostics)
+        return [];
+    return data.generalDiagnostics
+        .filter((d) => {
+        // Only include errors and warnings, skip informational
+        return d.severity === "error" || d.severity === "warning";
+    })
+        .map((d) => ({
+        id: `pyright-${d.range.start.line}-${d.rule}`,
+        message: d.message.split("\n")[0], // First line only (pyright has multi-line messages)
+        filePath,
+        line: d.range.start.line + 1, // Pyright is 0-indexed, we're 1-indexed
+        column: d.range.start.character + 1,
+        severity: d.severity === "error" ? "error" : "warning",
+        semantic: d.severity === "error" ? "blocking" : "warning",
+        tool: "pyright",
+        rule: d.rule,
+        fixable: false, // Pyright can't auto-fix, only suggest
+    }));
+}
+export default pyrightRunner;

package/clients/dispatch/runners/pyright.test.js

@@ -0,0 +1,84 @@
+import * as fs from "node:fs";
+import { createRequire } from "node:module";
+import * as path from "node:path";
+import { describe, expect, it } from "vitest";
+function createMockContext(filePath) {
+    return {
+        filePath,
+        cwd: process.cwd(),
+        kind: "python",
+        autofix: false,
+        deltaMode: false,
+        baselines: { get: () => [], add: () => { }, save: () => { } },
+        pi: {},
+        hasTool: async () => false,
+        log: () => { },
+    };
+}
+describe("pyright runner", () => {
+    const require = createRequire(import.meta.url);
+    it("should have correct runner definition", async () => {
+        const pyrightModule = await import("./pyright.js");
+        const runner = pyrightModule.default;
+        expect(runner.id).toBe("pyright");
+        expect(runner.appliesTo).toEqual(["python"]);
+        expect(runner.priority).toBe(5); // Higher priority than ruff
+        expect(runner.enabledByDefault).toBe(true);
+    });
+    it("should detect pyright availability", () => {
+        const { spawnSync } = require("node:child_process");
+        const result = spawnSync("npx", ["pyright", "--version"], {
+            encoding: "utf-8",
+            timeout: 10000,
+            shell: true,
+        });
+        expect(result.error || result.status !== 0 ? "not available" : "available").toBe("available");
+    });
+    it("should type-check Python files and find errors", async () => {
+        const tmpFile = path.join(process.env.TEMP || "/tmp", `pyright_test_${Date.now()}.py`);
+        fs.writeFileSync(tmpFile, `def add(x: int, y: int) -> int:
+    return x + y
+
+result: str = add(1, 2)
+
+def greet(name: str) -> str:
+    return "Hello " + name
+
+greet(123)
+`);
+        try {
+            const pyrightModule = await import("./pyright.js");
+            const runner = pyrightModule.default;
+            const result = await runner.run(createMockContext(tmpFile));
+            expect(result.diagnostics.length).toBeGreaterThanOrEqual(2);
+            expect(result.diagnostics.some((d) => d.tool === "pyright")).toBe(true);
+            expect(result.diagnostics.some((d) => d.severity === "error")).toBe(true);
+        }
+        finally {
+            fs.unlinkSync(tmpFile);
+        }
+    });
+    it("should pass valid Python files", async () => {
+        const tmpFile = path.join(process.env.TEMP || "/tmp", `pyright_test_ok_${Date.now()}.py`);
+        fs.writeFileSync(tmpFile, `def add(x: int, y: int) -> int:
+    return x + y
+
+result: str = str(add(1, 2))
+
+def greet(name: str) -> str:
+    return "Hello " + name
+
+greet("world")
+`);
+        try {
+            const pyrightModule = await import("./pyright.js");
+            const runner = pyrightModule.default;
+            const result = await runner.run(createMockContext(tmpFile));
+            expect(result.status).toBe("succeeded");
+            expect(result.diagnostics.length).toBe(0);
+        }
+        finally {
+            fs.unlinkSync(tmpFile);
+        }
+    });
+});

package/clients/dispatch/runners/pyright.test.ts

@@ -0,0 +1,109 @@
+import * as fs from "node:fs";
+import { createRequire } from "node:module";
+import * as path from "node:path";
+import { describe, expect, it } from "vitest";
+import type { DispatchContext } from "../types.js";
+
+function createMockContext(filePath: string): DispatchContext {
+	return {
+		filePath,
+		cwd: process.cwd(),
+		kind: "python" as any,
+		autofix: false,
+		deltaMode: false,
+		baselines: { get: () => [], add: () => {}, save: () => {} } as any,
+		pi: {} as any,
+		hasTool: async () => false,
+		log: () => {},
+	};
+}
+
+describe("pyright runner", () => {
+	const require = createRequire(import.meta.url);
+
+	it("should have correct runner definition", async () => {
+		const pyrightModule = await import("./pyright.js");
+		const runner = pyrightModule.default;
+
+		expect(runner.id).toBe("pyright");
+		expect(runner.appliesTo).toEqual(["python"]);
+		expect(runner.priority).toBe(5); // Higher priority than ruff
+		expect(runner.enabledByDefault).toBe(true);
+	});
+
+	it("should detect pyright availability", () => {
+		const { spawnSync } =
+			require("node:child_process") as typeof import("node:child_process");
+		const result = spawnSync("npx", ["pyright", "--version"], {
+			encoding: "utf-8",
+			timeout: 10000,
+			shell: true,
+		});
+		expect(
+			result.error || result.status !== 0 ? "not available" : "available",
+		).toBe("available");
+	});
+
+	it("should type-check Python files and find errors", async () => {
+		const tmpFile = path.join(
+			process.env.TEMP || "/tmp",
+			`pyright_test_${Date.now()}.py`,
+		);
+		fs.writeFileSync(
+			tmpFile,
+			`def add(x: int, y: int) -> int:
+    return x + y
+
+result: str = add(1, 2)
+
+def greet(name: str) -> str:
+    return "Hello " + name
+
+greet(123)
+`,
+		);
+
+		try {
+			const pyrightModule = await import("./pyright.js");
+			const runner = pyrightModule.default;
+			const result = await runner.run(createMockContext(tmpFile));
+
+			expect(result.diagnostics.length).toBeGreaterThanOrEqual(2);
+			expect(result.diagnostics.some((d) => d.tool === "pyright")).toBe(true);
+			expect(result.diagnostics.some((d) => d.severity === "error")).toBe(true);
+		} finally {
+			fs.unlinkSync(tmpFile);
+		}
+	});
+
+	it("should pass valid Python files", async () => {
+		const tmpFile = path.join(
+			process.env.TEMP || "/tmp",
+			`pyright_test_ok_${Date.now()}.py`,
+		);
+		fs.writeFileSync(
+			tmpFile,
+			`def add(x: int, y: int) -> int:
+    return x + y
+
+result: str = str(add(1, 2))
+
+def greet(name: str) -> str:
+    return "Hello " + name
+
+greet("world")
+`,
+		);
+
+		try {
+			const pyrightModule = await import("./pyright.js");
+			const runner = pyrightModule.default;
+			const result = await runner.run(createMockContext(tmpFile));
+
+			expect(result.status).toBe("succeeded");
+			expect(result.diagnostics.length).toBe(0);
+		} finally {
+			fs.unlinkSync(tmpFile);
+		}
+	});
+});

package/clients/dispatch/runners/pyright.ts

@@ -0,0 +1,102 @@
+/**
+ * Pyright runner for dispatch system
+ *
+ * Provides real Python type-checking (not just linting).
+ * Catches type errors like: result: str = add(1, 2)  # Type "int" not assignable to "str"
+ */
+
+import { spawnSync } from "node:child_process";
+import type {
+	Diagnostic,
+	DispatchContext,
+	RunnerDefinition,
+	RunnerResult,
+} from "../types.js";
+
+const pyrightRunner: RunnerDefinition = {
+	id: "pyright",
+	appliesTo: ["python"],
+	priority: 5, // Higher priority than ruff (10) - type errors are more important
+	enabledByDefault: true,
+
+	async run(ctx: DispatchContext): Promise<RunnerResult> {
+		// Run pyright with JSON output
+		const result = spawnSync("npx", ["pyright", "--outputjson", ctx.filePath], {
+			encoding: "utf-8",
+			timeout: 60000, // Pyright can be slower on first run
+			shell: true,
+		});
+
+		// Pyright returns non-zero when errors found, that's OK
+		if (result.error) {
+			return { status: "skipped", diagnostics: [], semantic: "none" };
+		}
+
+		const output = (result.stdout || "").trim();
+		if (!output) {
+			return { status: "succeeded", diagnostics: [], semantic: "none" };
+		}
+
+		try {
+			const data = JSON.parse(output);
+			const diagnostics = parsePyrightOutput(data, ctx.filePath);
+
+			if (diagnostics.length === 0) {
+				return { status: "succeeded", diagnostics: [], semantic: "none" };
+			}
+
+			const hasErrors = diagnostics.some((d) => d.severity === "error");
+
+			return {
+				status: hasErrors ? "failed" : "succeeded",
+				diagnostics,
+				semantic: "warning",
+			};
+		} catch {
+			// JSON parse failed, skip
+			return { status: "skipped", diagnostics: [], semantic: "none" };
+		}
+	},
+};
+
+interface PyrightDiagnostic {
+	file: string;
+	severity: "error" | "warning" | "information";
+	message: string;
+	range: {
+		start: { line: number; character: number };
+		end: { line: number; character: number };
+	};
+	rule: string;
+}
+
+interface PyrightResult {
+	generalDiagnostics: PyrightDiagnostic[];
+}
+
+function parsePyrightOutput(
+	data: PyrightResult,
+	filePath: string,
+): Diagnostic[] {
+	if (!data.generalDiagnostics) return [];
+
+	return data.generalDiagnostics
+		.filter((d) => {
+			// Only include errors and warnings, skip informational
+			return d.severity === "error" || d.severity === "warning";
+		})
+		.map((d) => ({
+			id: `pyright-${d.range.start.line}-${d.rule}`,
+			message: d.message.split("\n")[0], // First line only (pyright has multi-line messages)
+			filePath,
+			line: d.range.start.line + 1, // Pyright is 0-indexed, we're 1-indexed
+			column: d.range.start.character + 1,
+			severity: d.severity === "error" ? "error" : "warning",
+			semantic: d.severity === "error" ? "blocking" : "warning",
+			tool: "pyright",
+			rule: d.rule,
+			fixable: false, // Pyright can't auto-fix, only suggest
+		}));
+}
+
+export default pyrightRunner;