pi-lens 2.2.9 → 3.0.0

package/commands/rate.js

@@ -4,9 +4,10 @@
  * Provides a visual scoring breakdown of code quality across multiple dimensions.
  * Uses existing scan data to calculate scores.
  */
-import * as childProcess from "node:child_process";
 import * as nodeFs from "node:fs";
 import * as path from "node:path";
+import { safeSpawn } from "../clients/safe-spawn.js";
+import { EXCLUDED_DIRS, isTestFile } from "../clients/file-utils.js";
 import { getSourceFiles } from "../clients/scan-utils.js";
 /**
  * Run all scans and calculate scores
@@ -69,7 +70,7 @@ export async function gatherScores(targetPath, clients) {
     let securityScore = 100;
     const securityIssues = [];
     let secretsFound = 0;
-    // Check for secrets in source files
+    // Check for secrets in source files (skip test files)
     const secretPatterns = [
         { name: "API Key (sk-)", pattern: /sk-[a-zA-Z0-9]{20,}/ },
         { name: "GitHub Token", pattern: /ghp_[a-zA-Z0-9]{36}/ },
@@ -82,6 +83,9 @@ export async function gatherScores(targetPath, clients) {
         },
     ];
     for (const file of files.slice(0, 100)) {
+        // Skip test files
+        if (isTestFile(file))
+            continue;
         try {
             const content = nodeFs.readFileSync(file, "utf-8");
             for (const line of content.split("\n")) {
@@ -97,8 +101,9 @@ export async function gatherScores(targetPath, clients) {
                 }
             }
         }
-        catch {
+        catch (err) {
             // Skip unreadable files
+            void err;
         }
     }
     securityScore = Math.max(0, 100 - secretsFound * 15);
@@ -118,14 +123,7 @@ export async function gatherScores(targetPath, clients) {
             for (const entry of nodeFs.readdirSync(dir, { withFileTypes: true })) {
                 const full = path.join(dir, entry.name);
                 if (entry.isDirectory()) {
-                    if ([
-                        "node_modules",
-                        ".git",
-                        "dist",
-                        "build",
-                        ".next",
-                        ".pi-lens",
-                    ].includes(entry.name))
+                    if (EXCLUDED_DIRS.includes(entry.name))
                         continue;
                     scanDir(full);
                 }
@@ -181,10 +179,8 @@ export async function gatherScores(targetPath, clients) {
     const testIssues = [];
     // Quick test run
     try {
-        const testResult = childProcess.spawnSync("npx", ["vitest", "run", "--reporter=basic"], {
-            encoding: "utf-8",
+        const testResult = safeSpawn("npx", ["vitest", "run", "--reporter=basic"], {
             timeout: 60000,
-            shell: true,
             cwd: targetPath,
         });
         if (testResult.status !== 0) {

package/commands/rate.ts

@@ -8,10 +8,12 @@
 import * as childProcess from "node:child_process";
 import * as nodeFs from "node:fs";
 import * as path from "node:path";
+import { safeSpawn } from "../clients/safe-spawn.js";
 import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
 import type { ArchitectClient } from "../clients/architect-client.js";
 import type { ComplexityClient } from "../clients/complexity-client.js";
 import type { KnipClient } from "../clients/knip-client.js";
+import { EXCLUDED_DIRS, isTestFile } from "../clients/file-utils.js";
 import { getSourceFiles } from "../clients/scan-utils.js";
 import type { TypeCoverageClient } from "../clients/type-coverage-client.js";
 
@@ -105,7 +107,7 @@ export async function gatherScores(
 	const securityIssues: string[] = [];
 	let secretsFound = 0;
 
-	// Check for secrets in source files
+	// Check for secrets in source files (skip test files)
 	const secretPatterns = [
 		{ name: "API Key (sk-)", pattern: /sk-[a-zA-Z0-9]{20,}/ },
 		{ name: "GitHub Token", pattern: /ghp_[a-zA-Z0-9]{36}/ },
@@ -119,6 +121,8 @@ export async function gatherScores(
 	];
 
 	for (const file of files.slice(0, 100)) {
+		// Skip test files
+		if (isTestFile(file)) continue;
 		try {
 			const content = nodeFs.readFileSync(file, "utf-8");
 			for (const line of content.split("\n")) {
@@ -133,8 +137,9 @@ export async function gatherScores(
 					}
 				}
 			}
-		} catch {
+		} catch (err) {
 			// Skip unreadable files
+			void err;
 		}
 	}
 	securityScore = Math.max(0, 100 - secretsFound * 15);
@@ -156,17 +161,7 @@ export async function gatherScores(
 			for (const entry of nodeFs.readdirSync(dir, { withFileTypes: true })) {
 				const full = path.join(dir, entry.name);
 				if (entry.isDirectory()) {
-					if (
-						[
-							"node_modules",
-							".git",
-							"dist",
-							"build",
-							".next",
-							".pi-lens",
-						].includes(entry.name)
-					)
-						continue;
+					if (EXCLUDED_DIRS.includes(entry.name)) continue;
 					scanDir(full);
 				} else if (/\.(ts|tsx|js|jsx|py|go|rs)$/.test(entry.name)) {
 					const relPath = path.relative(targetPath, full).replace(/\\/g, "/");
@@ -226,13 +221,11 @@ export async function gatherScores(
 
 	// Quick test run
 	try {
-		const testResult = childProcess.spawnSync(
+		const testResult = safeSpawn(
 			"npx",
 			["vitest", "run", "--reporter=basic"],
 			{
-				encoding: "utf-8",
 				timeout: 60000,
-				shell: true,
 				cwd: targetPath,
 			},
 		);

package/default-architect.yaml

@@ -7,7 +7,39 @@
 # IMPORTANT: Patterns are JavaScript regex syntax. Use single quotes for patterns
 # containing double quotes, and escape backslashes appropriately.
 
-version: "1.1"
+version: "1.2"
+
+# =============================================================================
+# FILE SIZE LIMITS (per file type)
+# =============================================================================
+
+  # Services: focused, single-purpose modules
+  - pattern: "**/services/**/*.ts"
+    max_lines: 500
+    must_not:
+      # TUNED: Was (8+ spaces, 5 lines), now (12+ spaces, 10 lines)
+      - pattern: '(?:\s{12,}.*\n){10,}'
+        message: "Extreme nesting detected (6+ levels). Refactor into smaller functions."
+
+  # Clients: can be larger but still bounded
+  - pattern: "**/clients/**/*.ts|**/commands/**/*.ts"
+    max_lines: 1000
+    must_not:
+      # TUNED: Was (8+ spaces, 5 lines), now (12+ spaces, 10 lines)
+      - pattern: '(?:\s{12,}.*\n){10,}'
+        message: "Extreme nesting detected (6+ levels). Refactor into smaller functions."
+
+  # General limit for other files (higher than before)
+  - pattern: "**/*.{ts,tsx,js,jsx,py,go,rs}"
+    max_lines: 3000
+    must_not:
+      # TUNED: Was (8+ spaces, 5 lines), now (12+ spaces, 10 lines) for extreme nesting only
+      - pattern: '(?:\s{12,}.*\n){10,}'
+        message: "Extreme nesting detected (6+ levels). Refactor into smaller functions."
+
+  # Test files: more relaxed (structure is different)
+  - pattern: "**/*.test.ts|**/*.test.js|**/*.spec.ts|**/*.spec.js"
+    max_lines: 5000
 
 # =============================================================================
 # LANGUAGE-AGNOSTIC RULES (The "Universal Truths")
@@ -19,27 +51,33 @@ rules:
     must_not:
       - pattern: '[a-zA-Z]:\\(?:Users|Program Files|Windows|Temp)\\[^\\]*'
         message: "No absolute Windows paths — breaks CI and cross-platform builds."
+        fix: "Use path.join(__dirname, 'relative/path') or process.cwd()"
       - pattern: '/(?:home|Users|usr|etc|var)/[a-zA-Z0-9_-]+/'
         message: "Potential absolute Unix path detected — use relative paths or path.join()."
+        fix: "Use path.join(process.cwd(), 'relative/path') or path.resolve()"
       - pattern: 'https?://localhost:[0-9]+'
         message: "No hardcoded localhost URLs — use environment variables or a config service."
+        fix: "Use process.env.API_URL || 'http://localhost:3000'"
 
   # --- Complexity & Technical Debt ---
   - pattern: "**/*.{ts,tsx,js,jsx,py,go,rs}"
-    max_lines: 3000
     must_not:
-      - pattern: '(?:\s{8,}.*\n){5,}'
-        message: "Deep nesting detected (4+ levels). Refactor into smaller functions to reduce cognitive load."
       - pattern: '(?:(?://|#).*\n){10,}'
         message: "Large block of commented-out code detected. This is dead code — delete it and rely on Git history."
+        fix: "Delete the commented code. Git history preserves it if needed later."
 
   # --- Reliability & Fragility ---
   - pattern: "**/*.{ts,tsx,js,jsx,py,go,rs}"
     must_not:
       - pattern: '(?:catch|except)\s*\(?.*?\)?\s*\{\s*\}'
         message: "No empty catch/except blocks. Swallowing errors makes debugging impossible — at least log the error."
+        fix: |
+          console.error(`[context] Operation failed:`, err);
+          // or: throw err;
+          // or: return null;
       - pattern: '\b(?:password|secret|api_?key|token|private_?key)\b\s*[:=]\s*(?:"|'')[^''"]{8,}(?:"|'')'
         message: "No hardcoded secrets — use environment variables or a secrets manager."
+        fix: "Use process.env.SECRET_NAME and add to .env.example (not .env!)"
 
 # =============================================================================
 # JS/TS-SPECIFIC RULES (Node.js & Frontend)
@@ -50,28 +88,34 @@ rules:
     must_not:
       - pattern: ':\s*any\b|as\s+any\b'
         message: "No 'any' types — use 'unknown' or define a proper interface to maintain type safety."
+        fix: |
+          // Instead of: x as any
+          x as unknown as SpecificType
+          // Or define proper interface and use it
     must:
       - "Use strict TypeScript mode"
 
   # --- Configuration & IO ---
-  - pattern: "**/services/**/*.ts|**/domain/**/*.ts"
-    must_not:
-      - pattern: 'process\.env'
-        message: "Domain/Service logic must not read env vars directly — inject config via constructor or a config service."
-      - pattern: 'console\.(log|warn|error)'
-        message: "Core logic should use a structured logger, not console.log."
+  # REMOVED: no process.env rule - extensions and CLI tools need env access
+  # If you want this rule for your project, add it to your .pi-lens/architect.yaml:
+  # - pattern: "**/services/**/*.ts|**/domain/**/*.ts"
+  #   must_not:
+  #     - pattern: 'process\.env'
+  #       message: "Domain/Service logic must not read env vars directly — inject config."
 
   # --- Async Patterns ---
-  - pattern: "**/*.{ts,tsx,js,jsx}"
-    must_not:
-      - pattern: '\.then\('
-        message: "Prefer async/await over .then() chains for better readability and error handling."
+  # DISABLED: .then() rule was too aggressive - flagged all promise usage
+  # Only flag in specific contexts (3+ level chains) via tree-sitter instead
+  # - pattern: "**/*.{ts,tsx,js,jsx}"
+  #   must_not:
+  #     - pattern: '\.then\('
+  #       message: "Prefer async/await over .then() chains for better readability."
 
   # --- Grep-ability & Agent Search ---
   # Note: 'export default' is acceptable for entry points (index.ts)
   - pattern: "**/*.{ts,tsx}"
     must_not:
-      - pattern: "from\s+['\"]\.\./\.\./\.\./"
+      - pattern: "from\\s+['\"]\.\./\.\./\.\./"
         message: "Avoid deep relative imports (3+ levels) — use absolute imports (@app/...) for agent reasoning."
 
 # =============================================================================