pi-lens 3.7.0 → 3.8.1

package/CHANGELOG.md

@@ -2,6 +2,235 @@
 
 All notable changes to pi-lens will be documented in this file.
 
+## [3.8.1] - 2026-04-05
+
+### Fixed
+- **`console-statement` hijacking `no-console-in-tests`** — The keyword match for
+  `console-statement` (`pattern.includes("console")`) was catching `no-console-in-tests`
+  because both contain "console". The simpler rule always won, so both fired on every
+  console call. Fixed by excluding test-related patterns: `!pattern.includes("test")`.
+- **`hardcoded-secrets` malformed tree-sitter query** — Had two top-level S-expression
+  patterns instead of a single union pattern `[...]`. Replaced with valid union syntax
+  and added `post_filter: check_secret_pattern` so variable names are actually filtered
+  against credential patterns. Reduced false positives from 58 → 0 on the codebase.
+
+## [3.8.0] - 2026-04-05
+
+### Added — Tree-sitter Expansion
+
+- **Go, Rust, Ruby grammar support** — WASM grammars for 3 new languages downloaded at
+  install time via `scripts/download-grammars.ts`. Grammar download script added with
+  npm `download-grammars` script and postinstall hook. Tree-sitter structural analysis
+  now covers all 7 dispatch languages: TypeScript, TSX, JavaScript, Python, Go, Rust, Ruby.
+
+- **Tree-sitter dispatch for Go/Rust/Ruby** — Dispatch runner `appliesTo` extended;
+  extension→language map replaces the brittle `endsWith` chain. Tree-sitter runner
+  added to Go, Rust, and Ruby dispatch plans.
+
+- **Incremental parse cache (`TreeCache`)** — AST trees are cached by SHA-256 content
+  hash and mtime. Subsequent queries on the same file (same turn) skip re-parsing.
+  Cache stores up to 50 files with LRU eviction. `calculateEdit()` + `incrementalUpdate()`
+  infrastructure ready for full incremental parsing when old content is tracked.
+
+- **AST navigator (`TreeSitterNavigator`)** — Scope-aware traversal utilities: `findParent()`,
+  `isInTryCatch()`, `isInTestBlock()`, `isInLoop()`, `getScopeChain()`, `isShadowed()`,
+  `getSiblings()`. Used by post-filters for context-aware rule evaluation.
+
+- **Native predicate support in queries** — Query YAML files now support a `predicates:`
+  array field. Rules with inline `#eq?` / `#match?` / `#not-eq?` predicates run filtering
+  inside WASM rather than in JavaScript post-filters.
+
+- **Inline fix hints** — Tree-sitter diagnostics now carry `fixable: true` and
+  `fixSuggestion: "remove this statement"` when `has_fix: true` in the rule. Displayed
+  as `💡 Fix: remove this statement` inline in the diagnostic output. Tree-sitter runner
+  is read-only — linters (Biome/Ruff/ESLint) own the autofix phase.
+
+- **New post-filters** — `not_in_try_catch`, `in_try_catch`, `not_in_test_block`,
+  `not_in_function`, `check_secret_pattern`, `python_empty_except`, `ruby_empty_rescue`,
+  `name_matches_param`.
+
+### Added — New Rules (50+)
+
+**Structural safety (ast-grep, TypeScript + JavaScript):**
+- `unchecked-sync-fs` — `fs.statSync/readFileSync/writeFileSync/...` outside try/catch (error)
+- `unchecked-throwing-call` — `JSON.parse`, `new URL()`, `execSync` outside try/catch (error)
+- `no-nan-comparison` — `x === NaN` always false, use `Number.isNaN()` (error)
+- `no-discarded-error` — `new Error()` as standalone statement without throw (error)
+
+**Structural safety (ast-grep, Python):**
+- `unchecked-throwing-call-python` — `open()`, `json.loads()`, `os.stat()` etc. outside
+  try/except (error)
+
+**Structural safety (ast-grep, Ruby):**
+- `unchecked-throwing-call-ruby` — `File.read`, `JSON.parse`, `Integer()` etc. outside
+  begin/rescue (error)
+
+**Tree-sitter Python rules (new):**
+- `python-mutable-class-attr` — class-level `list`/`dict`/`set` shared across all instances (error)
+- `python-debugger` — `breakpoint()`, `pdb.set_trace()` left in code (error)
+- `python-print-statement` — `print()` debug output in production code (warning)
+- `python-hardcoded-secrets` — hardcoded credential assignments (error)
+- `python-empty-except` — except block that only does `pass` (error)
+- `python-unsafe-regex` — `re.compile(variable)` ReDoS risk (error)
+- `python-raise-string` — `raise "string"` is TypeError in Python 3 (error)
+
+**Tree-sitter Ruby rules (new):**
+- `ruby-rescue-exception` — `rescue Exception` catches SystemExit and signals (error)
+- `ruby-empty-rescue` — rescue with no body silently swallows errors (error)
+- `ruby-debugger` — `binding.pry` / `binding.irb` left in code (error)
+- `ruby-puts-statement` — `puts`/`p`/`pp` debug output in production (warning)
+- `ruby-hardcoded-secrets` — hardcoded credential assignments (error)
+- `ruby-unsafe-regex` — `Regexp.new(variable)` ReDoS risk (error)
+
+**Tree-sitter Go rules (new):**
+- `go-hardcoded-secrets` — hardcoded credentials in short/var/const declarations (error)
+
+**JavaScript coverage (38 new rules):**
+  All runtime-applicable TypeScript ast-grep rules now have JavaScript equivalents:
+  `strict-equality`, `empty-catch`, `no-throw-string`, `no-cond-assign`,
+  `no-async-promise-executor`, `toctou`, `no-hardcoded-secrets`, `no-inner-html`,
+  `no-insecure-randomness`, `no-sql-in-code`, `jwt-no-verify`, `weak-rsa-key`, and 26 more.
+
+### Changed — Severity Upgrades
+
+**17 ast-grep rules upgraded from `warning` to `error`** (will crash / produce wrong output):
+`empty-catch`, `array-callback-return`, `getter-return`, `jsx-boolean-short-circuit`,
+`no-async-promise-executor`, `no-await-in-promise-all`, `no-bare-except`,
+`no-compare-neg-zero`, `no-cond-assign`, `no-constant-condition`,
+`no-constructor-return`, `no-insecure-randomness`, `no-prototype-builtins`,
+`no-sql-in-code`, `no-throw-string`, `toctou`, `no-comparison-to-none`.
+
+**4 tree-sitter rules upgraded from `warning` to `error`**:
+`go-defer-in-loop`, `is-vs-equals`, `rust-unwrap`, `unsafe-regex`.
+
+### Fixed
+
+- **`console-statement` duplicating `no-console-in-tests`** — `console-statement` now
+  uses `post_filter: not_in_test_block` so production and test console detection are
+  mutually exclusive.
+
+- **`variable-shadowing` never detecting actual shadowing** — Rule now captures both
+  `@PARAM` and `@NAME`; `name_matches_param` post-filter only flags when names are
+  identical. Previously the rule fired on any variable in a nested function.
+
+- **`isInLoop()` false positives** — `call_expression` removed from loop node type list.
+  Previously `isInLoop()` returned `true` inside any function call.
+
+- **`injectPredicates()` inserting at wrong AST position** — Broken predicate injection
+  machinery removed. Predicates already work inline in query S-expressions.
+
+- **`sql-injection` rule not matching `db.query()`** — Query now uses union
+  `[identifier | member_expression]` to catch both bare `query()` and `db.query()`.
+
+- **`contains_sql_keywords` post-filter inverted logic** — Rule was skipping `sql`
+  tagged templates (the primary SQL injection vector). Post-filter removed entirely;
+  rule relies on inline `#match?` predicate.
+
+- **`no-discarded-error` ast-grep `not: inside:` not traversing ancestors** — Required
+  `stopBy: end` in ast-grep's `inside` predicate to check all ancestors, not just the
+  direct parent. Applied to all `not: inside:` rules.
+
+- **Go/Rust/Ruby rules silently skipped** — Runner `appliesTo` was `["jsts", "python"]`
+  only. Extended to include `go`, `rust`, `ruby`.
+
+### Fixed (from PR #1 — alexx-ftw)
+
+- **`process.cwd()` wrong for global npm installs** — All asset resolution (WASM grammars,
+  tree-sitter query YAMLs, ast-grep rule directories, `default-architect.yaml`) now uses
+  `resolvePackagePath(import.meta.url, ...)` which walks up from the module file to the
+  package root. Previously, running pi-lens as a globally installed extension would fail
+  to find built-in rules and grammars.
+
+- **Session start scanning `$HOME` or generic directories** — `resolveStartupScanContext()`
+  gates all heavy startup scans (knip, jscpd, exports index, project index) behind project
+  root detection (`.git`, `package.json`, `go.mod`, etc.) and a 2000-source-file budget.
+  Pi-lens stays responsive when opened outside a real project.
+
+- **`cachedExports` not cleared on session reset** — Export cache from the previous
+  session persisted into new sessions, causing false duplicate-export warnings.
+
+- **`biomeClient.ensureAvailable()` at session start** — Changed to `isAvailable()` so
+  session start no longer blocks on a Biome auto-install. Installs happen lazily on
+  first file write.
+
+- **Project index not persisted across sessions** — Index now saved to disk after build
+  via `saveIndex()`, and `isIndexFresh()` check skips rebuild when the saved index is
+  still current.
+
+- **`tree-sitter-query-loader` only loading from `process.cwd()`** — Now loads from
+  both the user's project rules directory AND the package's built-in rules, merging
+  both sets. Project-specific rules coexist with built-in rules.
+
+---
+
+## [3.7.2] - 2026-04-05
+
+### Added
+- **All-clear signal** — When the pipeline runs clean (no blockers, no test failures),
+  the agent now receives a confirmation one-liner instead of silence:
+  `✓ TypeScript clean · 12/12 tests · 847ms`
+  When non-blocking warnings exist: `✓ no blockers · 3 warning(s) -> /lens-booboo · 847ms`
+  Agents can now distinguish "checks ran clean" from "checks didn't run".
+
+### Fixed
+- **Auto-fix message now names the tool** — `✅ Auto-fixed 3 issue(s) (eslint:2, biome:1)`
+  instead of the vague `Auto-fixed 3 issue(s)`. Agents know exactly what was corrected.
+
+### Security
+- **Remove `effect` dependency** — Used for 5 trivial `tryPromise` wrappers in one file,
+  never consumed via Effect's runtime. Dead dependency removed.
+- **`--ignore-scripts` in auto-installer** — `npm install` for auto-installed tools now
+  passes `--ignore-scripts` by default. Only packages that legitimately need postinstall
+  scripts to download native binaries (`@biomejs/biome`, `@ast-grep/napi`, `esbuild`) are
+  allowlisted.
+- **`npx -y` replaced with `npx --no`** — LSP server launch via npx no longer silently
+  downloads uncached packages. `--no` fails fast if the package isn't cached; the
+  interactive-install flow is the correct path for first-time installs.
+- **Local-first `sg` (ast-grep) resolution** — All `sg` callers now check
+  `node_modules/.bin/sg` → global `sg` → `npx --no sg` (cache-only). No silent
+  network downloads of the ast-grep CLI.
+
+---
+
+## [3.7.2] - 2026-04-05 (previous)
+
+### Added
+- **ESLint `--fix` in autofix phase** — Projects with an ESLint config now have fixable
+  issues auto-corrected (import ordering, jsx style, etc.) before dispatch runs, using
+  `--fix-dry-run` to get the accurate fixed count then `--fix` to apply. Availability
+  is cached per session. Only fires on JS/TS files with an ESLint config present.
+
+### Fixed
+- **Misleading infinite-loop comment in biome/ruff runners** — The comment incorrectly
+  stated that writing files from runners would trigger infinite loops (formatters already
+  prove this isn't true). Updated to explain the real reason: dispatch runners report
+  issues for agent understanding; silently rewriting would leave the agent's context
+  window stale.
+
+---
+
+## [3.7.1] - 2026-04-05
+
+### Added
+- **ESLint dispatch runner** — Projects with `.eslintrc` / `eslint.config.js` (any variant)
+  now run ESLint automatically on every JS/TS file write. Prefers local
+  `node_modules/.bin/eslint` over global. Skips silently on projects using Biome/OxLint
+  (no ESLint config). ESLint errors (severity 2) are blocking; warnings are non-blocking.
+
+- **golangci-lint dispatch runner** — Go projects with `.golangci.yml` / `.golangci.yaml`
+  now run golangci-lint on every `.go` file write (in addition to `go-vet`). Parses JSON
+  output. Skips when no config is present (avoids default-rule noise on non-opted-in
+  projects). 60s timeout.
+
+- **RuboCop dispatch runner** — Ruby files (`.rb`, `.rake`, `.gemspec`, `.ru`) now run
+  RuboCop in lint-only mode on every write. Prefers `bundle exec rubocop` when a Gemfile
+  references rubocop. Fatal/error offenses are blocking; convention/refactor are warnings.
+
+- **`ruby` file kind** — `.rb`, `.rake`, `.gemspec`, `.ru` files are now recognised as
+  `ruby` kind, enabling file-kind-gated runners and formatter detection.
+
+---
+
 ## [3.7.0] - 2026-04-05
 
 ### Added

package/README.md

@@ -1,21 +1,26 @@
 # pi-lens
 
-**pi extension for real-time code quality.** 31 LSP servers, tree-sitter structural analysis, AST pattern matching, auto-install for TypeScript/Python tooling, duplicate detection, complexity metrics, and inline blockers with comprehensive `/lens-booboo` reports.
+**pi extension for real-time code quality.** 31 LSP servers, tree-sitter structural analysis (7 languages), 112 AST pattern matching rules, auto-install for TypeScript/Python/Go/Rust/Ruby tooling, duplicate detection, complexity metrics, and inline blockers with comprehensive `/lens-booboo` reports.
 
 ## What pi-lens Does
 
 **For every file you edit:**
 1. **Auto-formats** — Detects and runs formatters (Biome, Prettier, Ruff, gofmt, rustfmt, etc.)
-2. **Type-checks** — TypeScript, Python, Go, Rust (31 languages with `--lens-lsp`)
+2. **Type-checks** — TypeScript, Python, Go, Rust, Ruby (31 languages with `--lens-lsp`)
 3. **Scans for secrets** — Blocks on hardcoded API keys, tokens, passwords
-4. **Runs linters** — Biome (TS/JS), Ruff (Python), plus structural analysis
-5. **Tree-sitter analysis** — Deep structural patterns (empty catch, eval, deep nesting, mixed async styles)
-6. **Auto-installs** — TypeScript, Python, Biome, Ruff, and analysis tools auto-install on first use
-7. **Only shows NEW issues** — Delta-mode tracks baselines and filters pre-existing problems
-
-**Blockers** (type errors, secrets, empty catches) appear inline and stop the agent until fixed.  
+4. **Runs linters** — Biome (TS/JS), Ruff (Python), ESLint (opt-in), plus structural analysis
+5. **Auto-fixes** — Biome, Ruff, and ESLint safe fixes applied automatically (named per tool)
+6. **Tree-sitter analysis** — Deep structural patterns across 7 languages (45+ patterns)
+7. **Pre-write duplicate detection** — Blocks export redefinitions and structural similarity clones
+8. **Auto-installs** — TypeScript, Python, Biome, Ruff, Go, Rust, Ruby tools auto-install on first use
+9. **Only shows NEW issues** — Delta-mode tracks baselines and filters pre-existing problems
+10. **Build artifact filtering** — Skips compiled `.js` when `.ts` sibling exists (no duplicate findings)
+
+**Blockers** (type errors, secrets, empty catches, duplicate exports) appear inline and stop the agent until fixed.
 **Warnings** (complexity, code smells) go to `/lens-booboo` — run it to see them all.
 
+**All-clear signals:** When checks pass, pi-lens confirms with `✓ TypeScript clean · 12/12 tests · 847ms` so you know checks ran (not just skipped).
+
 ## Quick Start
 
 ```bash
@@ -92,26 +97,28 @@ pi-lens **automatically lints** every file you write or edit. Linters are auto-d
 |--------|-----------|--------------|------|----------|
 | **Biome** | TS/JS/JSON/CSS | Automatic | **Default** | 10 |
 | **Ruff** | Python | Automatic | **Default** | 10 |
+| **ESLint** | TS/JS/Vue/Svelte | Automatic (with config) | Project-configured | 11 |
 | **oxlint** | TS/JS | Manual (`npm i -g oxlint`) | Fast alternative | 12 |
-| **ESLint** | JS/Vue/Svelte | `npx` via `--lens-lsp` | LSP only | - |
+| **golangci-lint** | Go | Manual (with config) | Go meta-linter | 13 |
+| **RuboCop** | Ruby | Manual / Bundler | Ruby standard | 15 |
 | **shellcheck** | Bash/sh/zsh/fish | Manual (`apt install shellcheck`) | Shell scripts | 20 |
 
 (*) = Auto-installed (no manual setup required)
 
-**Priority:** Lower numbers = run earlier. Biome/Ruff run first, followed by specialized linters.
-
 **How it works:**
 1. Agent writes a file
 2. pi-lens detects linters based on config files and file type
-3. Biome takes priority for TS/JS; Ruff takes priority for Python
-4. Multiple linters can run on the same file (e.g., Biome + oxlint)
+3. Biome takes priority for TS/JS; Ruff takes priority for Python; ESLint only runs when `.eslintrc` or `eslint.config.js` is present
+4. Multiple linters can run on the same file (e.g., Biome + oxlint + ESLint)
 5. Issues are delta-tracked (only new issues shown after first write)
+6. **Named autofix**: Auto-fix messages show tool breakdown: `✅ Auto-fixed 3 issue(s) (eslint:2, biome:1)`
 
 **Notes:**
-- Biome and Ruff are **dual-purpose** (lint + format)
+- Biome and Ruff are **dual-purpose** (lint + format + auto-fix)
+- ESLint requires a config file (project opts in); skipped on Biome/OxLint projects
+- golangci-lint requires `.golangci.yml` (project opts in)
 - oxlint is a faster Rust-based alternative to ESLint
-- ESLint only runs when `--lens-lsp` is enabled
-- shellcheck requires manual installation on most systems
+- ESLint LSP only runs when `--lens-lsp` is enabled; dispatch runner runs in standard mode too
 
 ---
 
@@ -137,15 +144,16 @@ pi --lens-lsp                    # Enable LSP
 
 ### `pi` vs `pi --lens-lsp`
 
-| Feature | `pi` (Default) | `pi --lens-lsp` |
+| `pi` (Default) | `pi --lens-lsp` |
 |---------|----------------|-----------------|
-| **Type Checking** | Built-in TypeScriptClient | Full LSP (31 language servers) |
-| **Auto-format** | Biome, Prettier, Ruff, etc. | Same |
-| **Auto-fix** | Enabled by default | Same |
+| **Type Checking** | Built-in TypeScriptClient, Pyright, go-vet, rust-clippy | Full LSP (31 language servers) |
+| **Auto-format** | Biome, Prettier, Ruff, gofmt, rustfmt, etc. | Same |
+| **Auto-fix** | Biome, Ruff, ESLint (named per tool) | Same |
 | **Secrets scan** | Blocks on hardcoded secrets | Same |
-| **Languages** | TypeScript, Python (built-in) | 31 languages via LSP |
+| **Languages** | TypeScript, Python, Go, Rust, Ruby (built-in) | 31 languages via LSP |
 | **Python** | Ruff/pyright (built-in) | Pyright LSP |
-| **Go, Rust, etc.** | Basic linting | Full LSP support |
+| **Go** | go-vet, golangci-lint | Full gopls |
+| **Rust** | rust-clippy | Full rust-analyzer |
 
 **Recommendation:** Use `pi` for TypeScript/Python projects. Use `pi --lens-lsp` for multi-language projects or when you need full language server features.
 
@@ -160,9 +168,10 @@ Every file write/edit triggers multiple analysis phases:
 **Execution flow:**
 1. **Secrets scan** (pre-flight) — Hardcoded secrets block immediately (non-runner check)
 2. **LSP integration** (Phase 3, with `--lens-lsp`) — Real-time type errors from language servers
-3. **Dispatch system** — Routes file to appropriate runners by `FileKind`
+3. **Dispatch system** — Routes file to appropriate runners by `FileKind` (TS, Python, Go, Rust, Ruby, etc.)
 4. **Runners execute** by priority (lower = earlier). See [Runners](#runners) section for full list.
 5. **Test runner detection** (post-write) — Detects Jest/Vitest/Pytest and runs relevant tests
+6. **Cascade deferral** — Errors in OTHER files (caused by this edit) are tracked but not shown inline; surfaced at `turn_end` once all edits complete
 
 **Delta mode behavior:**
 - **First write:** All issues tracked and stored in baseline
@@ -175,7 +184,17 @@ STOP — 1 issue(s) must be fixed:
   L23: var total = sum(items); — use 'let' or 'const'
 ```
 
-> **Note:** Only **blocking** issues (`ts-lsp`, `pyright` errors, `type-safety` switch errors, secrets) appear inline. Warnings are tracked but not shown inline (noise reduction) — run `/lens-booboo` to see all warnings.
+Or when clean:
+```
+✓ TypeScript clean · 12/12 tests · 847ms
+```
+
+Or with warnings:
+```
+✓ no blockers · 3 warning(s) -> /lens-booboo · 623ms
+```
+
+> **Note:** Only **blocking** issues (`ts-lsp`, `pyright` errors, `type-safety` switch errors, secrets, duplicate exports) appear inline. Warnings are tracked but not shown inline (noise reduction) — run `/lens-booboo` to see all warnings.
 
 ---
 
@@ -187,19 +206,22 @@ pi-lens uses a **dispatcher-runner architecture** for extensible multi-language
 |--------|----------|----------|--------|-------------|
 | **ts-lsp** | TypeScript | 5 | Blocking | TypeScript errors (hard stops) |
 | **pyright** | Python | 5 | Blocking | Python type errors (hard stops) |
-| **biome** | TS/JS | 10 | Warning | Linting issues (delta-tracked) |
-| **ruff** | Python | 10 | Warning | Python linting (delta-tracked) |
+| **biome** | TS/JS/JSON/CSS | 10 | Warning | Linting + auto-fix (delta-tracked) |
+| **ruff** | Python | 10 | Warning | Python linting + auto-fix (delta-tracked) |
+| **eslint** | TS/JS | 11 | Warning | ESLint with auto-fix (project must have config) |
 | **oxlint** | TS/JS | 12 | Warning | Fast Rust-based JS/TS linter |
-| **tree-sitter** | TS/JS, Python | 14 | Mixed | AST-based structural analysis (21 patterns) — **singleton WASM client** |
-| **ast-grep-napi** | TS/JS | 15 | Blocking | Security rules inline (no-eval, jwt-no-verify, no-hardcoded-secrets, etc.) |
+| **tree-sitter** | TS/JS, Python, Go, Rust, Ruby | 14 | Mixed | AST-based structural analysis (45+ patterns, 7 languages) — **singleton WASM client** |
+| **ast-grep-napi** | TS/JS/Python/Go/Rust | 15 | Blocking | Security rules inline (112 patterns, no-eval, jwt-no-verify, no-hardcoded-secrets, etc.) |
 | **type-safety** | TS | 20 | Mixed | Switch exhaustiveness (blocking), other (warning) |
 | **shellcheck** | Shell | 20 | Warning | Bash/sh/zsh/fish linting |
 | **python-slop** | Python | 25 | Warning | AI slop detection (~40 patterns) |
 | **spellcheck** | Markdown | 30 | Warning | Typo detection in docs |
-| **similarity** | TS | 35 | Warning | Semantic duplicate detection (≥90% structural similarity, Rust-accelerated when available) |
+| **similarity** | TS | 35 | Warning | Semantic duplicate detection (≥90% structural similarity, pre-write check) |
 | **architect** | All | 40 | Warning | Architectural rule violations |
 | **go-vet** | Go | 50 | Warning | Go static analysis |
+| **golangci-lint** | Go | 51 | Warning | Go meta-linter (needs .golangci.yml) |
 | **rust-clippy** | Rust | 50 | Warning | Rust linting |
+| **rubocop** | Ruby | 52 | Warning | Ruby linting (supports bundle exec) |
 
 **Priority legend:**
 - **5** — Type checkers (blocking errors)
@@ -215,25 +237,37 @@ pi-lens uses a **dispatcher-runner architecture** for extensible multi-language
 
 **Consolidated runners:** `ts-slop` merged into `ast-grep-napi` — CLI ast-grep used for full linter via `/lens-booboo`
 
-**Tree-sitter runner patterns** (priority 14, AST-based structural analysis):
+**Tree-sitter runner patterns** (priority 14, AST-based structural analysis, 7 languages, 45+ patterns):
 
-TypeScript/JavaScript (13 patterns):
-- **Error**: empty-catch, hardcoded-secrets, eval
-- **Warning**: debugger, await-in-loop, console-statement, long-parameter-list, nested-ternary, deep-promise-chain, mixed-async-styles, deep-nesting, constructor-super, no-dupe-class-members
+**TypeScript/JavaScript (17 patterns):**
+- **Error**: empty-catch, hardcoded-secrets, eval, sql-injection, unsafe-regex
+- **Warning**: debugger, await-in-loop, console-statement (not in tests), long-parameter-list, nested-ternary, deep-promise-chain, mixed-async-styles, deep-nesting, constructor-super, no-dupe-class-members, variable-shadowing
 
-TSX (2 patterns):
+**TSX (2 patterns):**
 - **Error**: dangerously-set-inner-html
 - **Warning**: no-nested-links
 
-Python (6 patterns):
-- **Error**: bare-except, mutable-default-arg, eval-exec, unreachable-except  
-- **Warning**: wildcard-import, is-vs-equals
+**Python (11 patterns):**
+- **Error**: bare-except, mutable-default-arg, eval-exec, unreachable-except, python-empty-except, python-hardcoded-secrets, python-mutable-class-attr, python-unsafe-regex, python-raise-string
+- **Warning**: wildcard-import, is-vs-equals, python-debugger, python-print-statement
+
+**Go (3 patterns):**
+- **Error**: go-hardcoded-secrets, go-defer-in-loop
+- **Warning**: go-bare-error
+
+**Rust (2 patterns):**
+- **Error**: rust-unwrap
+- **Warning**: rust-clone-in-loop
 
-**Custom tree-sitter queries:** Add `.yml` files to `.pi-lens/rules/tree-sitter-queries/{typescript,python}/`
+**Ruby (8 patterns):**
+- **Error**: ruby-rescue-exception, ruby-empty-rescue, ruby-hardcoded-secrets, ruby-unsafe-regex, ruby-debugger
+- **Warning**: ruby-puts-statement, ruby-eval, ruby-open-struct
 
-**AI Slop Detection:** 
+**Custom tree-sitter queries:** Add `.yml` files to `.pi-lens/rules/tree-sitter-queries/{typescript,python,go,rust,ruby}/`
+
+**AI Slop Detection:**
 - `python-slop` runner (priority 25): ~40 patterns for Python code quality
-- `ast-grep-napi` runner (priority 15): Security rules fire inline (blocking); slop/architecture warnings via `/lens-booboo` only. Skips 5 rules already covered by tree-sitter.
+- `ast-grep-napi` runner (priority 15): Security rules fire inline (blocking); slop/architecture warnings via `/lens-booboo` only. Skips rules already covered by tree-sitter.
 
 ---
 
@@ -241,6 +275,27 @@ Python (6 patterns):
 
 Safeguards that run **before** the dispatch system:
 
+#### Pre-Write Duplicate Detection
+
+Blocks the agent **before** the write/edit is applied if the new content would create problems:
+
+**Export Duplicate Detection**
+- **Triggers:** New `export function/class/const/type/interface` matches an existing export in another file
+- **Blocks:** `🔴 STOP — Redefining existing export(s). Import instead`
+- **Why:** Prevents accidental redefinitions when agent creates "helper" functions that already exist
+
+**Structural Similarity Detection**
+- **Triggers:** New function body is ≥90% similar to an existing utility function
+- **Warns:** `Function 'parseData' has 94% similarity to existing utility 'parseJSON()'. Consider reusing the existing utility.`
+- **How:** 57×72 state matrix comparison (Amain algorithm), runs via Rust core when available (~50ms)
+- **Why:** Prevents proliferation of nearly-identical helper functions
+
+**Build Artifact Filtering**
+- **Problem:** Scanning both `.ts` source and `.js` output produces duplicate findings
+- **Solution:** Source-filter module detects higher-precedence siblings (`.ts` shadows `.js`, `.vue` shadows `.js`)
+- **Applies to:** TypeScript→JavaScript, Vue/Svelte→JavaScript, CoffeeScript→JavaScript
+- **Result:** No duplicate diagnostics from compiled outputs
+
 #### Secrets Scanning (Pre-flight)
 
 Runs on every file write/edit **before** any other checks. Scans for:
@@ -292,20 +347,23 @@ See [AST_GREP_RULES.md](AST_GREP_RULES.md) for full guide.
 When pi starts a new session, pi-lens performs initialization scans to establish baselines and surface existing technical debt:
 
 **Initialization sequence:**
-1. **Reset session state** — Clear metrics and complexity baselines
-2. **Initialize LSP** (with `--lens-lsp`) — Detect and auto-install language servers
-3. **Pre-install TypeScript LSP** (with `--lens-lsp`) — Warm up cache for instant response
-4. **Detect available tools** — Biome, ast-grep, Ruff, Knip, jscpd, Madge, type-coverage, Go, Rust
-5. **Load architect rules** — If `architect.yml` or `.architect.yml` present
-6. **Detect test runner** — Jest, Vitest, Pytest, etc.
-
-**Cached scans** (with 5-min TTL):
+1. **Reset session state** — Clear metrics, complexity baselines, and cached exports
+2. **Startup scan safety** — Detect project root (`.git`, `package.json`, `go.mod`, etc.) and skip heavy scans if not in a real project (prevents scanning `$HOME`)
+3. **Initialize LSP** (with `--lens-lsp`) — Detect and auto-install language servers
+4. **Pre-install TypeScript LSP** (with `--lens-lsp`) — Warm up cache for instant response
+5. **Detect available tools** — Biome, ast-grep, Ruff, ESLint, Knip, jscpd, Madge, type-coverage, Go, Rust, Ruby
+6. **Load architect rules** — If `architect.yml` or `.architect.yml` present
+7. **Detect test runner** — Jest, Vitest, Pytest, etc.
+
+**Cached scans** (with TTL):
 | Scan | Tool | Cached | Purpose |
 |------|------|--------|---------|
-| **TODOs** | Internal | No | Tech debt markers |
-| **Dead code** | Knip | Yes | Unused exports/files/deps |
-| **Duplicates** | jscpd | Yes | Copy-paste detection |
-| **Exports** | ast-grep | No | Function index for similarity |
+| **TODOs** | Internal | Baseline stored | Tech debt markers (delta reported at turn_end) |
+| **Dead code** | Knip | 5-min TTL | Unused exports/files/deps |
+| **Duplicates** | jscpd | 5-min TTL | Copy-paste detection |
+| **Circular deps** | Madge | Turn-end | Import cycle detection (runs async) |
+| **Exports** | ast-grep | Session | Function index for duplicate detection |
+| **Project index** | Amain | Persisted to disk | Structural similarity for pre-write checks |
 
 **Error debt tracking** (with `--error-debt` flag):
 - If tests passed at end of previous session but fail now → **regression detected**
@@ -325,17 +383,19 @@ Full codebase analysis with **10 tracked runners** producing a comprehensive rep
 
 | # | Runner | What it finds |
 |---|--------|---------------|
-| 1 | **ast-grep (design smells)** | Structural issues (empty catch, no-debugger, etc.) |
+| 1 | **ast-grep (design smells)** | Structural issues (empty catch, no-debugger, unchecked throws, etc.) |
 | 2 | **ast-grep (similar functions)** | Duplicate function patterns across files |
 | 3 | **semantic similarity (Amain)** | 57×72 matrix semantic clones (≥90% similarity) |
 | 4 | **complexity metrics** | Low MI, high cognitive complexity, AI slop indicators |
-| 5 | **TODO scanner** | TODO/FIXME annotations and tech debt markers |
+| 5 | **TODO scanner** | TODO/FIXME annotations and tech debt markers (delta mode) |
 | 6 | **dead code (Knip)** | Unused exports, files, dependencies |
 | 7 | **duplicate code (jscpd)** | Copy-paste blocks with line/token counts |
 | 8 | **type coverage** | Percentage typed vs `any`, low-coverage files |
-| 9 | **circular deps (Madge)** | Import cycles and dependency chains |
+| 9 | **circular deps (Madge)** | Import cycles and dependency chains (turn-end async) |
 | 10 | **architectural rules** | Layer violations, file size limits, path rules |
 
+**Turn-end findings** — Some expensive analysis (jscpd, Madge, TODO-delta) runs asynchronously at the end of each turn and surfaces findings via context injection. Results are cached and merged into the next context event.
+
 **Output:**
 - **Terminal:** Progress `[1/10] runner...` with timing, summary with findings per runner
 - **JSON:** `.pi-lens/reviews/booboo-{timestamp}.json` (structured data for AI processing)
@@ -407,12 +467,13 @@ pi-lens works out of the box for TypeScript/JavaScript. For full language suppor
 
 | Tool | Install | What it does |
 |------|---------|--------------|
-| `@biomejs/biome` | `npm i -D @biomejs/biome` | Linting + formatting |
+| `@biomejs/biome` | `npm i -D @biomejs/biome` | Linting + formatting + auto-fix |
+| `eslint` | `npm i -D eslint` | Linting with project-specific rules (requires config file) |
 | `oxlint` | `npm i -D oxlint` | Fast Rust-based JS/TS linting |
 | `knip` | `npm i -D knip` | Dead code / unused exports |
 | `jscpd` | `npm i -D jscpd` | Copy-paste detection |
 | `type-coverage` | `npm i -D type-coverage` | TypeScript `any` coverage % |
-| `@ast-grep/napi` | `npm i -D @ast-grep/napi` | Fast structural analysis (TS/JS) — security rules inline, slop in booboo |
+| `@ast-grep/napi` | `npm i -D @ast-grep/napi` | Fast structural analysis — 112 patterns (TS/JS/Python/Go/Rust security rules, slop detection) |
 | `@ast-grep/cli` | `npm i -D @ast-grep/cli` | Structural pattern matching (all languages) |
 | `typos-cli` | `cargo install typos-cli` | Spellcheck for Markdown |
 
@@ -428,6 +489,7 @@ pi-lens works out of the box for TypeScript/JavaScript. For full language suppor
 | Tool | Install | What it does |
 |------|---------|--------------|
 | `go` | [golang.org](https://golang.org) | Built-in `go vet` for static analysis |
+| `golangci-lint` | [golangci-lint.run](https://golangci-lint.run) | Meta-linter (staticcheck, errcheck, gosimple, etc.) |
 
 ### Rust
 
@@ -435,6 +497,12 @@ pi-lens works out of the box for TypeScript/JavaScript. For full language suppor
 |------|---------|--------------|
 | `rust` + `clippy` | [rustup.rs](https://rustup.rs) | Linting via `cargo clippy` |
 
+### Ruby
+
+| Tool | Install | What it does |
+|------|---------|--------------|
+| `rubocop` | `gem install rubocop` / Bundler | Ruby linting + formatting |
+
 ### Shell
 
 | Tool | Install | What it does |
@@ -443,6 +511,19 @@ pi-lens works out of the box for TypeScript/JavaScript. For full language suppor
 
 ---
 
+## Security Hardening
+
+pi-lens follows npm security best practices for tool installation:
+
+| Measure | Implementation |
+|---------|---------------|
+| **Post-install scripts** | `--ignore-scripts` by default; only allowlisted packages (`@biomejs/biome`, `@ast-grep/napi`, `esbuild`) can run scripts for native binary downloads |
+| **npx behavior** | `--no` flag prevents silent downloads; fails fast if package not cached |
+| **Tool resolution** | Local `node_modules/.bin/` preferred over global over npx |
+| **Global install safety** | `resolvePackagePath()` uses `import.meta.url` instead of `process.cwd()` to locate built-in rules/grammars when installed globally |
+
+---
+
 ## Commands
 
 | Command | Description |
@@ -467,22 +548,28 @@ pi-lens works out of the box for TypeScript/JavaScript. For full language suppor
 | `--lens-lsp` | Use real Language Server Protocol servers instead of built-in type-checking |
 | `--lens-verbose` | Enable detailed console logging |
 | `--no-autoformat` | Disable automatic formatting (formatting is **enabled by default**) |
-| `--no-autofix` | Disable all auto-fixing (Biome safe fixes + Ruff autofix **enabled by default**). Unsafe fixes (e.g. removing unused vars) are never applied automatically — use `/lens-booboo` with explicit confirmation. |
+| `--no-autofix` | Disable all auto-fixing (Biome safe fixes + Ruff + ESLint autofix **enabled by default**). Unsafe fixes are never applied automatically. |
 | `--no-autofix-biome` | Disable Biome auto-fix only |
 | `--no-autofix-ruff` | Disable Ruff auto-fix only |
+| `--no-autofix-eslint` | Disable ESLint auto-fix only |
+| `--no-eslint` | Skip ESLint linting |
 | `--no-oxlint` | Skip Oxlint linting |
 | `--no-shellcheck` | Skip shellcheck for shell scripts |
 | `--no-tests` | Disable automatic test running on file write |
 | `--no-madge` | Skip circular dependency checks |
 | `--no-ast-grep` | Skip ast-grep structural analysis |
+| `--no-tree-sitter` | Skip tree-sitter structural analysis |
 | `--no-biome` | Skip Biome linting |
+| `--no-ruff` | Skip Ruff linting |
 | `--no-lsp` | Skip TypeScript/Python type checking |
+| `--no-similarity` | Skip pre-write structural similarity detection |
 | `--error-debt` | Track test regressions across sessions |
 
 **Recommended combinations:**
 ```bash
 pi                               # Default: auto-format, auto-fix, built-in type-checking
 pi --lens-lsp                    # LSP type-checking (31 languages)
+pi --no-eslint                   # Skip ESLint on a Biome/OxLint project
 ```
 
 ---

package/clients/architect-client.ts

@@ -12,6 +12,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { minimatch } from "minimatch";
+import { resolvePackagePath } from "./package-root.js";
 
 // --- Types ---
 
@@ -91,6 +92,8 @@ export class ArchitectClient {
 			// Try multiple possible locations for the default config
 			const possibleDefaultPaths = [
 				path.join(projectRoot, "default-architect.yaml"),
+				path.join(projectRoot, ".pi-lens", "default-architect.yaml"),
+				resolvePackagePath(import.meta.url, "default-architect.yaml"),
 				path.join(projectRoot, "..", "default-architect.yaml"),
 				path.join(process.cwd(), "default-architect.yaml"),
 			];
@@ -170,7 +173,7 @@ export class ArchitectClient {
 
 			for (const check of rule.must_not) {
 				// We use 'g' to find all occurrences and correctly report line numbers
-				const regex = new RegExp(check.pattern, "gi");
+				const regex = new RegExp(check.pattern, "gim");
 				let match: RegExpExecArray | null;
 
 				// biome-ignore lint/suspicious/noAssignInExpressions: RegExp.exec iteration
@@ -286,7 +289,9 @@ export class ArchitectClient {
 				) {
 					// Extract everything after "pattern:" and unquote
 					const raw = trimmed.replace(/^-?\s*pattern:\s*/, "").trim();
-					const unquoted = raw.replace(/^["']|["']$/g, "");
+					let unquoted = raw.replace(/^["']|["']$/g, "");
+					// Single-quoted YAML: '' is an escaped single-quote
+					if (raw.startsWith("'")) unquoted = unquoted.split("''").join("'");
 					if (unquoted) {
 						violation = { pattern: unquoted, message: "" };
 					}