pi-lens 3.7.1 → 3.8.2

package/clients/architect-client.ts

@@ -12,6 +12,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { minimatch } from "minimatch";
+import { resolvePackagePath } from "./package-root.js";
 
 // --- Types ---
 
@@ -91,6 +92,8 @@ export class ArchitectClient {
 			// Try multiple possible locations for the default config
 			const possibleDefaultPaths = [
 				path.join(projectRoot, "default-architect.yaml"),
+				path.join(projectRoot, ".pi-lens", "default-architect.yaml"),
+				resolvePackagePath(import.meta.url, "default-architect.yaml"),
 				path.join(projectRoot, "..", "default-architect.yaml"),
 				path.join(process.cwd(), "default-architect.yaml"),
 			];
@@ -170,7 +173,7 @@ export class ArchitectClient {
 
 			for (const check of rule.must_not) {
 				// We use 'g' to find all occurrences and correctly report line numbers
-				const regex = new RegExp(check.pattern, "gi");
+				const regex = new RegExp(check.pattern, "gim");
 				let match: RegExpExecArray | null;
 
 				// biome-ignore lint/suspicious/noAssignInExpressions: RegExp.exec iteration
@@ -286,7 +289,9 @@ export class ArchitectClient {
 				) {
 					// Extract everything after "pattern:" and unquote
 					const raw = trimmed.replace(/^-?\s*pattern:\s*/, "").trim();
-					const unquoted = raw.replace(/^["']|["']$/g, "");
+					let unquoted = raw.replace(/^["']|["']$/g, "");
+					// Single-quoted YAML: '' is an escaped single-quote
+					if (raw.startsWith("'")) unquoted = unquoted.split("''").join("'");
 					if (unquoted) {
 						violation = { pattern: unquoted, message: "" };
 					}

package/clients/ast-grep-client.ts

@@ -19,6 +19,7 @@ import type {
 	RuleDescription,
 	SgMatch,
 } from "./ast-grep-types.js";
+import { resolvePackagePath } from "./package-root.js";
 import { SgRunner } from "./sg-runner.js";
 
 const _getExtensionDir = () => {
@@ -38,7 +39,12 @@ export class AstGrepClient {
 	private runner: SgRunner;
 
 	constructor(ruleDir?: string, verbose = false) {
-		this.ruleDir = ruleDir || path.join(process.cwd(), "rules");
+		const projectRuleDir = path.join(process.cwd(), "rules");
+		this.ruleDir =
+			ruleDir ||
+			(fs.existsSync(projectRuleDir)
+				? projectRuleDir
+				: resolvePackagePath(import.meta.url, "rules"));
 		this.log = verbose
 			? (msg: string) => console.error(`[ast-grep] ${msg}`)
 			: () => {};

package/clients/dispatch/plan.ts

@@ -43,9 +43,11 @@ export const TOOL_PLANS: Record<string, ToolPlan> = {
 			{ mode: "fallback", runnerIds: ["similarity"], filterKinds: ["jsts"] },
 			// ESLint: only fires when project has eslint config (skips Biome/OxLint projects)
 			{ mode: "fallback", runnerIds: ["eslint"], filterKinds: ["jsts"] },
+			// Architectural rules: warning-only, fast (pure regex). Needed per-write so the
+			// all-clear signal can report "N warnings -> /lens-booboo" accurately.
+			{ mode: "fallback", runnerIds: ["architect"], filterKinds: ["jsts"] },
 			// Note: ast-grep CLI kept for ast_grep_search/ast_grep_replace tools only
 			// Note: biome, oxlint handled by direct auto-fix calls in index.ts (not in dispatch)
-			// Architectural rules (guidance only, not blocking) - runs via /lens-booboo only
 		],
 	},
 
@@ -60,8 +62,8 @@ export const TOOL_PLANS: Record<string, ToolPlan> = {
 			{ mode: "all", runnerIds: ["pyright"], filterKinds: ["python"] },
 			// LSP type checking (unified) - when --lens-lsp enabled
 			{ mode: "all", runnerIds: ["lsp"], filterKinds: ["python"] },
+			{ mode: "fallback", runnerIds: ["architect"], filterKinds: ["python"] },
 			// Note: ruff handled by direct auto-fix calls in index.ts (not in dispatch)
-			// Architectural rules (guidance only, not blocking) - runs via /lens-booboo only
 		],
 	},
 
@@ -77,7 +79,8 @@ export const TOOL_PLANS: Record<string, ToolPlan> = {
 			{ mode: "fallback", runnerIds: ["go-vet"], filterKinds: ["go"] },
 			// golangci-lint: only fires when project has .golangci.yml config
 			{ mode: "fallback", runnerIds: ["golangci-lint"], filterKinds: ["go"] },
-			// Architectural rules (guidance only, not blocking) - runs via /lens-booboo only
+			// Structural analysis
+			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["go"] },
 		],
 	},
 
@@ -91,7 +94,8 @@ export const TOOL_PLANS: Record<string, ToolPlan> = {
 			{ mode: "all", runnerIds: ["lsp"], filterKinds: ["rust"] },
 			// Cargo clippy for additional checks
 			{ mode: "fallback", runnerIds: ["rust-clippy"], filterKinds: ["rust"] },
-			// Architectural rules (guidance only, not blocking) - runs via /lens-booboo only
+			// Structural analysis
+			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["rust"] },
 		],
 	},
 
@@ -102,6 +106,8 @@ export const TOOL_PLANS: Record<string, ToolPlan> = {
 		name: "Ruby Linting",
 		groups: [
 			{ mode: "fallback", runnerIds: ["rubocop"], filterKinds: ["ruby"] },
+			// Structural analysis
+			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["ruby"] },
 		],
 	},
 

package/clients/dispatch/runners/architect.ts

@@ -18,6 +18,18 @@ import type {
 } from "../types.js";
 import { readFileContent } from "./utils.js";
 
+// Module-level singleton — loadConfig once per cwd, not on every file write
+let _client: ArchitectClient | null = null;
+let _loadedCwd: string | null = null;
+
+function getClient(cwd: string): ArchitectClient {
+	if (_client && _loadedCwd === cwd) return _client;
+	_client = new ArchitectClient();
+	_client.loadConfig(cwd);
+	_loadedCwd = cwd;
+	return _client;
+}
+
 const architectRunner: RunnerDefinition = {
 	id: "architect",
 	appliesTo: ["jsts", "python", "go", "rust", "cxx", "shell", "cmake"],
@@ -33,8 +45,7 @@ const architectRunner: RunnerDefinition = {
 			return { status: "skipped", diagnostics: [], semantic: "none" };
 		}
 
-		const architectClient = new ArchitectClient();
-		architectClient.loadConfig(ctx.cwd);
+		const architectClient = getClient(ctx.cwd);
 
 		if (!architectClient.hasConfig()) {
 			return { status: "skipped", diagnostics: [], semantic: "none" };
@@ -47,16 +58,18 @@ const architectRunner: RunnerDefinition = {
 		for (const v of violations) {
 			// Build message with inline fix guidance
 			let message = v.message;
-			let fixSuggestion: string | undefined = v.fix;
-			
+			const fixSuggestion: string | undefined = v.fix;
+
 			if (v.fix) {
-				const fixPreview = v.fix.length > 60 ? `${v.fix.substring(0, 60)}...` : v.fix;
+				const fixPreview =
+					v.fix.length > 60 ? `${v.fix.substring(0, 60)}...` : v.fix;
 				message += `\n💡 Suggested fix: ${fixPreview}`;
 			} else if (v.note) {
-				const notePreview = v.note.length > 80 ? `${v.note.substring(0, 80)}...` : v.note;
+				const notePreview =
+					v.note.length > 80 ? `${v.note.substring(0, 80)}...` : v.note;
 				message += `\n📝 ${notePreview}`;
 			}
-			
+
 			diagnostics.push({
 				id: `architect-${v.line || 0}-${v.pattern}`,
 				message,

package/clients/dispatch/runners/ast-grep-napi.ts

@@ -9,6 +9,7 @@
 
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { resolvePackagePath } from "../../package-root.js";
 import type {
 	Diagnostic,
 	DispatchContext,
@@ -356,8 +357,10 @@ const astGrepNapiRunner: RunnerDefinition = {
 		const diagnostics: Diagnostic[] = [];
 
 		const ruleDirs = [
-			path.join(process.cwd(), "rules/ast-grep-rules/rules"),
-			path.join(process.cwd(), "rules/ast-grep-rules"),
+			path.join(process.cwd(), "rules", "ast-grep-rules", "rules"),
+			path.join(process.cwd(), "rules", "ast-grep-rules"),
+			resolvePackagePath(import.meta.url, "rules", "ast-grep-rules", "rules"),
+			resolvePackagePath(import.meta.url, "rules", "ast-grep-rules"),
 		];
 
 		for (const ruleDir of ruleDirs) {

package/clients/dispatch/runners/ast-grep.ts

@@ -9,6 +9,7 @@
 
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { resolvePackagePath } from "../../package-root.js";
 import { safeSpawnAsync } from "../../safe-spawn.js";
 import type {
 	Diagnostic,
@@ -16,6 +17,7 @@ import type {
 	RunnerDefinition,
 	RunnerResult,
 } from "../types.js";
+import { getSgCommand, isSgAvailable } from "./utils/runner-helpers.js";
 
 // Simple YAML fix: field extractor
 function extractFixFromRule(
@@ -49,12 +51,8 @@ const astGrepRunner: RunnerDefinition = {
 	skipTestFiles: true, // Many rules are noisy in tests
 
 	async run(ctx: DispatchContext): Promise<RunnerResult> {
-		// Check if ast-grep is available (use npx for local installs)
-		const check = await safeSpawnAsync("npx", ["sg", "--version"], {
-			timeout: 5000,
-		});
-
-		if (check.error || check.status !== 0) {
+		// Check if ast-grep is available (local bin preferred over npx)
+		if (!isSgAvailable()) {
 			return { status: "skipped", diagnostics: [], semantic: "none" };
 		}
 
@@ -64,10 +62,18 @@ const astGrepRunner: RunnerDefinition = {
 			return { status: "skipped", diagnostics: [], semantic: "none" };
 		}
 
-		// Run ast-grep scan on the file (use npx for local installs)
-		const args = ["sg", "scan", "--config", configPath, "--json", ctx.filePath];
-
-		const result = await safeSpawnAsync("npx", args, {
+		const { cmd: sgCmd, args: sgPre } = getSgCommand();
+		const args = [
+			...sgPre,
+			"sg",
+			"scan",
+			"--config",
+			configPath,
+			"--json",
+			ctx.filePath,
+		];
+
+		const result = await safeSpawnAsync(sgCmd, args, {
 			timeout: 30000,
 		});
 
@@ -94,15 +100,20 @@ const astGrepRunner: RunnerDefinition = {
 
 function findAstGrepConfig(cwd: string): string | undefined {
 	const candidates = [
-		"rules/ast-grep-rules/.sgconfig.yml",
-		".sgconfig.yml",
-		"sgconfig.yml",
+		path.join(cwd, "rules", "ast-grep-rules", ".sgconfig.yml"),
+		path.join(cwd, ".sgconfig.yml"),
+		path.join(cwd, "sgconfig.yml"),
+		resolvePackagePath(
+			import.meta.url,
+			"rules",
+			"ast-grep-rules",
+			".sgconfig.yml",
+		),
 	];
 
 	for (const candidate of candidates) {
-		const fullPath = `${cwd}/${candidate}`;
-		if (fs.existsSync(fullPath)) {
-			return fullPath;
+		if (fs.existsSync(candidate)) {
+			return candidate;
 		}
 	}
 
@@ -119,8 +130,8 @@ function parseAstGrepOutput(
 	// Try to parse as JSON
 	// Determine rule directory for fix: extraction
 	const ruleDir = _configPath
-		? path.dirname(_configPath).replace("/.sgconfig.yml", "/rules")
-		: path.join(process.cwd(), "rules", "ast-grep-rules", "rules");
+		? path.join(path.dirname(_configPath), "rules")
+		: resolvePackagePath(import.meta.url, "rules", "ast-grep-rules", "rules");
 
 	try {
 		const parsed = JSON.parse(raw);

package/clients/dispatch/runners/biome.ts

@@ -37,10 +37,10 @@ const biomeRunner: RunnerDefinition = {
 			}
 		}
 
-		// IMPORTANT: Never use --write in dispatch runner to prevent infinite loops.
-		// Writing to the file would trigger another tool_result event, which would
-		// call dispatchLint again, creating a feedback loop.
-		// Auto-format handles formatting on write; this runner only checks.
+		// No --write here: dispatch runners report issues for agent understanding,
+		// not silent correction. Auto-format (biome --write) already runs in the
+		// format phase before dispatch, handling all safe style transforms.
+		// Silently rewriting here would leave the agent's context window stale.
 		const args = useNpx
 			? ["biome", "check", ctx.filePath]
 			: ["check", ctx.filePath];

package/clients/dispatch/runners/python-slop.ts

@@ -12,16 +12,17 @@
 
 import { spawnSync } from "node:child_process";
 import { safeSpawn } from "../../safe-spawn.js";
-import {
-	createConfigFinder,
-	isSgAvailable,
-} from "./utils/runner-helpers.js";
 import type {
 	Diagnostic,
 	DispatchContext,
 	RunnerDefinition,
 	RunnerResult,
 } from "../types.js";
+import {
+	createConfigFinder,
+	getSgCommand,
+	isSgAvailable,
+} from "./utils/runner-helpers.js";
 
 const findSlopConfig = createConfigFinder("python-slop-rules");
 
@@ -45,9 +46,18 @@ const pythonSlopRunner: RunnerDefinition = {
 		}
 
 		// Run ast-grep scan
-		const args = ["sg", "scan", "--config", configPath, "--json", ctx.filePath];
-
-		const result = safeSpawn("npx", args, {
+		const { cmd: sgCmd, args: sgPre } = getSgCommand();
+		const args = [
+			...sgPre,
+			"sg",
+			"scan",
+			"--config",
+			configPath,
+			"--json",
+			ctx.filePath,
+		];
+
+		const result = safeSpawn(sgCmd, args, {
 			timeout: 30000,
 		});
 

package/clients/dispatch/runners/ruff.ts

@@ -35,10 +35,10 @@ const ruffRunner: RunnerDefinition = {
 			}
 		}
 
-		// IMPORTANT: Never use --fix in dispatch runner to prevent infinite loops.
-		// Writing to the file would trigger another tool_result event, which would
-		// call dispatchLint again, creating a feedback loop.
-		// Fixes should be applied through explicit commands or user edits.
+		// No --fix here: dispatch runners report issues for agent understanding,
+		// not silent correction. Auto-fix (ruff --fix) already runs in the
+		// format phase before dispatch, handling all safe style transforms.
+		// Silently rewriting here would leave the agent's context window stale.
 		const args = ["check", ctx.filePath];
 
 		const result = await safeSpawnAsync(ruff.getCommand()!, args, {

package/clients/dispatch/runners/tree-sitter.ts

@@ -26,6 +26,7 @@ import type {
 // Creating a new TreeSitterClient() on every write resets TRANSFER_BUFFER (a module-level
 // WASM pointer) — concurrent writes race on _ts_init() and corrupt shared WASM state → crash.
 let _sharedClient: TreeSitterClient | null = null;
+
 function getSharedClient(): TreeSitterClient {
 	if (!_sharedClient) {
 		_sharedClient = new TreeSitterClient();
@@ -117,7 +118,7 @@ function matchesSecretPattern(varName: string): boolean {
 
 const treeSitterRunner: RunnerDefinition = {
 	id: "tree-sitter",
-	appliesTo: ["jsts", "python"],
+	appliesTo: ["jsts", "python", "go", "rust", "ruby"],
 	priority: 14, // Between oxlint (12) and ast-grep-napi (15)
 	enabledByDefault: true,
 	skipTestFiles: false, // Run on test files too (structural issues matter there)
@@ -136,21 +137,23 @@ const treeSitterRunner: RunnerDefinition = {
 
 		// Determine language from file extension
 		const filePath = ctx.filePath;
-		const isPython = filePath.endsWith(".py");
-		const isTypeScript = filePath.endsWith(".ts");
-		const isTSX = filePath.endsWith(".tsx");
-		const isJavaScript = filePath.endsWith(".js") || filePath.endsWith(".jsx");
-
-		let languageId: string;
-		if (isPython) {
-			languageId = "python";
-		} else if (isTSX) {
-			languageId = "tsx";
-		} else if (isTypeScript) {
-			languageId = "typescript";
-		} else if (isJavaScript) {
-			languageId = "javascript";
-		} else {
+		const ext = filePath.slice(filePath.lastIndexOf("."));
+		const EXT_TO_LANG: Record<string, string> = {
+			".ts": "typescript",
+			".mts": "typescript",
+			".cts": "typescript",
+			".tsx": "tsx",
+			".js": "javascript",
+			".mjs": "javascript",
+			".cjs": "javascript",
+			".jsx": "javascript",
+			".py": "python",
+			".go": "go",
+			".rs": "rust",
+			".rb": "ruby",
+		};
+		const languageId = EXT_TO_LANG[ext];
+		if (!languageId) {
 			return { status: "skipped", diagnostics: [], semantic: "none" };
 		}
 
@@ -197,7 +200,7 @@ const treeSitterRunner: RunnerDefinition = {
 			languageQueries = allQueries.filter(
 				(q) =>
 					q.language === languageId ||
-					(isJavaScript && q.language === "typescript"),
+					(languageId === "javascript" && q.language === "typescript"),
 			);
 
 			// Save to cache
@@ -245,8 +248,9 @@ const treeSitterRunner: RunnerDefinition = {
 						continue; // Skip this match - filter didn't pass
 					}
 
-					// For hardcoded-secrets, also check variable name pattern
-					if (query.id === "hardcoded-secrets") {
+					// check_secret_pattern post-filter is handled in tree-sitter-client.ts
+					// Legacy: hardcoded-secrets id check (kept for backward compat)
+					if (query.id === "hardcoded-secrets" && !query.post_filter) {
 						// Extract variable name from captures
 						const varName = match.captures?.VARNAME || "";
 						if (!varName || !matchesSecretPattern(varName)) {
@@ -276,6 +280,13 @@ const treeSitterRunner: RunnerDefinition = {
 						semantic,
 						tool: "tree-sitter",
 						rule: query.id,
+						// Surface fix intent to agent — tree-sitter never auto-applies;
+						// linters (biome/ruff/eslint) own the autofix phase.
+						fixable: query.has_fix,
+						fixSuggestion:
+							query.has_fix && query.fix_action
+								? `${query.fix_action} this statement`
+								: undefined,
 					});
 				}
 			} catch (err) {

package/clients/dispatch/runners/ts-slop.ts

@@ -12,16 +12,17 @@
 
 import { spawnSync } from "node:child_process";
 import { safeSpawn } from "../../safe-spawn.js";
-import {
-	createConfigFinder,
-	isSgAvailable,
-} from "./utils/runner-helpers.js";
 import type {
 	Diagnostic,
 	DispatchContext,
 	RunnerDefinition,
 	RunnerResult,
 } from "../types.js";
+import {
+	createConfigFinder,
+	getSgCommand,
+	isSgAvailable,
+} from "./utils/runner-helpers.js";
 
 const findSlopConfig = createConfigFinder("ts-slop-rules");
 
@@ -47,9 +48,18 @@ const tsSlopRunner: RunnerDefinition = {
 		}
 
 		// Run ast-grep scan
-		const args = ["sg", "scan", "--config", configPath, "--json", ctx.filePath];
-
-		const result = safeSpawn("npx", args, {
+		const { cmd: sgCmd, args: sgPre } = getSgCommand();
+		const args = [
+			...sgPre,
+			"sg",
+			"scan",
+			"--config",
+			configPath,
+			"--json",
+			ctx.filePath,
+		];
+
+		const result = safeSpawn(sgCmd, args, {
 			timeout: 30000,
 		});
 

package/clients/dispatch/runners/utils/runner-helpers.ts

@@ -41,9 +41,7 @@ export function createVenvFinder(
 		for (const venvPath of venvPaths) {
 			const fullPath = path.join(cwd, venvPath);
 			if (fs.existsSync(fullPath)) {
-				return quoteWindows && windowsExt
-					? `"${fullPath}"`
-					: fullPath;
+				return quoteWindows && windowsExt ? `"${fullPath}"` : fullPath;
 			}
 		}
 
@@ -142,21 +140,91 @@ export function createConfigFinder(
 
 // Shared sg availability cache across all slop runners
 let sgAvailable: boolean | null = null;
+let sgCmd: string | null = null;
+let sgCmdArgs: string[] = [];
 
 /**
- * Check if ast-grep CLI is available (shared cache)
+ * Check if ast-grep CLI (sg) is available.
+ * Prefers local node_modules/.bin/sg, then global sg, then npx --no sg (cache-only).
  */
 export function isSgAvailable(): boolean {
 	if (sgAvailable !== null) return sgAvailable;
 
-	const check = safeSpawn("npx", ["sg", "--version"], {
+	// 1. Local node_modules/.bin/sg
+	const isWin = process.platform === "win32";
+	const localSg = path.join(
+		process.cwd(),
+		"node_modules",
+		".bin",
+		isWin ? "sg.cmd" : "sg",
+	);
+	if (fs.existsSync(localSg)) {
+		const check = safeSpawn(localSg, ["--version"], { timeout: 5000 });
+		if (!check.error && check.status === 0) {
+			sgCmd = localSg;
+			sgCmdArgs = [];
+			sgAvailable = true;
+			return true;
+		}
+	}
+
+	// 2. Global sg
+	const globalCheck = safeSpawn("sg", ["--version"], { timeout: 5000 });
+	if (!globalCheck.error && globalCheck.status === 0) {
+		sgCmd = "sg";
+		sgCmdArgs = [];
+		sgAvailable = true;
+		return true;
+	}
+
+	// 3. npx --no (cache-only, no silent download)
+	const npxCheck = safeSpawn("npx", ["--no", "sg", "--version"], {
 		timeout: 5000,
 	});
-
-	sgAvailable = !check.error && check.status === 0;
+	sgAvailable = !npxCheck.error && npxCheck.status === 0;
+	if (sgAvailable) {
+		sgCmd = "npx";
+		sgCmdArgs = ["--no"];
+	}
 	return sgAvailable;
 }
 
+export function getSgCommand(): { cmd: string; args: string[] } {
+	return { cmd: sgCmd ?? "npx", args: sgCmdArgs.length ? sgCmdArgs : ["--no"] };
+}
+
+// =============================================================================
+// LOCAL-FIRST BINARY RESOLUTION
+// =============================================================================
+
+/**
+ * Find a tool binary preferring local node_modules/.bin over global PATH.
+ * Only falls back to npx as a last resort (avoids silent network downloads).
+ *
+ * Returns: { cmd, args } where args may include ["npx", toolName] preamble.
+ */
+export function resolveLocalFirst(
+	toolName: string,
+	cwd: string,
+	windowsExt = ".cmd",
+): { cmd: string; args: string[] } {
+	const isWin = process.platform === "win32";
+	const binName = isWin ? `${toolName}${windowsExt}` : toolName;
+
+	// 1. Local node_modules/.bin (project-installed)
+	const local = path.join(cwd, "node_modules", ".bin", binName);
+	if (fs.existsSync(local)) return { cmd: local, args: [] };
+
+	// 2. Global PATH (already installed system-wide)
+	const globalCheck = safeSpawn(toolName, ["--version"], { timeout: 3000 });
+	if (!globalCheck.error && globalCheck.status === 0) {
+		return { cmd: toolName, args: [] };
+	}
+
+	// 3. npx fallback — only for already-cached packages (no silent download)
+	return { cmd: "npx", args: ["--no", toolName] };
+}
+
 // =============================================================================
 // PRE-BUILT CHECKERS FOR COMMON TOOLS
 // =============================================================================
@@ -164,4 +232,4 @@ export function isSgAvailable(): boolean {
 export const pyright = createAvailabilityChecker("pyright", ".exe");
 export const ruff = createAvailabilityChecker("ruff", ".exe");
 export const biome = createAvailabilityChecker("biome");
-export const sg = { isAvailable: isSgAvailable, getCommand: () => "npx" };
+export const sg = { isAvailable: isSgAvailable, getCommand: getSgCommand };

package/clients/dispatch/utils/format-utils.ts

@@ -19,7 +19,8 @@ export const EMOJI: Record<string, string> = {
 export function formatDiagnostic(d: Diagnostic): string {
 	const line = d.line ? `L${d.line}: ` : "";
 	const indented = d.message.split("\n").join("\n  ");
-	return `  ${line}${indented}`;
+	const fix = d.fixSuggestion ? `\n    💡 Fix: ${d.fixSuggestion}` : "";
+	return `  ${line}${indented}${fix}`;
 }
 
 /**

package/clients/fix-scanners.ts

@@ -14,6 +14,10 @@ import * as nodeFs from "node:fs";
 import * as path from "node:path";
 import type { BiomeClient } from "./biome-client.js";
 import type { ComplexityClient } from "./complexity-client.js";
+import {
+	getSgCommand,
+	isSgAvailable,
+} from "./dispatch/runners/utils/runner-helpers.js";
 import { EXCLUDED_DIRS } from "./file-utils.js";
 import type { JscpdClient } from "./jscpd-client.js";
 import type { KnipClient } from "./knip-client.js";
@@ -119,17 +123,13 @@ export function scanAstGrep(
 	isTsProject: boolean,
 	configPath: string,
 ): AstIssue[] {
-	const hasSg =
-		nodeFs.existsSync(path.join(targetPath, "node_modules", ".bin", "sg")) ||
-		safeSpawn("npx", ["sg", "--version"], {
-			timeout: 5000,
-		}).status === 0;
-
-	if (!hasSg) return [];
+	if (!isSgAvailable()) return [];
 
+	const { cmd: sgCmd, args: sgPre } = getSgCommand();
 	const result = safeSpawn(
-		"npx",
+		sgCmd,
 		[
+			...sgPre,
 			"sg",
 			"scan",
 			"--config",