pi-lens 3.8.21 → 3.8.22

package/clients/tree-sitter-client.ts

@@ -892,6 +892,26 @@ export class TreeSitterClient {
 					if (!secretPatterns.some((p) => p.test(varName))) continue;
 				}
 
+				// Go: only keep bare-return-call matches when enclosing function returns error.
+				if (postFilter === "returns_error") {
+					const first = Object.values(captures)[0];
+					if (!first) continue;
+					const funcNode = this.navigator.findParent(first, [
+						"function_declaration",
+						"method_declaration",
+					]);
+					if (!funcNode) continue;
+
+					const fnText = String(funcNode.text ?? "");
+					const signature = fnText.split("{", 1)[0]?.trim() ?? "";
+					const returnPartMatch = signature.match(
+						/func\s*(?:\([^)]*\)\s*)?[A-Za-z_]\w*\s*\([^)]*\)\s*(.*)$/s,
+					);
+					const returnPart = returnPartMatch?.[1]?.trim() ?? "";
+					const returnsError = returnPart.length > 0 && /\berror\b/.test(returnPart);
+					if (!returnsError) continue;
+				}
+
 				// Python: except body that only contains pass (effectively empty)
 				if (postFilter === "python_empty_except") {
 					const bodyNode = captures.BODY;
@@ -921,6 +941,148 @@ export class TreeSitterClient {
 					}
 				}
 
+				// TS security/concurrency: strict sink filtering (query predicates are not reliable in this runtime)
+				if (postFilter === "ts_command_injection_sink") {
+					const mod = captures.MOD?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (mod !== "child_process") continue;
+					if (!/^(exec|execSync)$/.test(fn)) continue;
+				}
+
+				if (postFilter === "ts_ssrf_sink") {
+					const fn = captures.FN?.text ?? "";
+					const obj = captures.OBJ?.text ?? "";
+					const allowedFns = new Set([
+						"fetch",
+						"request",
+						"get",
+						"post",
+						"put",
+						"patch",
+						"delete",
+					]);
+					if (!allowedFns.has(fn)) continue;
+
+					if (!obj) {
+						if (fn !== "fetch") continue;
+					} else {
+						const allowedObjs = new Set([
+							"axios",
+							"http",
+							"https",
+							"got",
+							"request",
+							"superagent",
+							"undici",
+						]);
+						if (!allowedObjs.has(obj)) continue;
+					}
+				}
+
+				if (postFilter === "ts_weak_hash_algorithm") {
+					const fn = captures.FN?.text ?? "";
+					const alg = captures.ALG?.text ?? "";
+					if (fn !== "createHash") continue;
+					if (!/^(md5|sha1)$/i.test(alg)) continue;
+				}
+
+				if (postFilter === "ts_insecure_random_source") {
+					const obj = captures.OBJ?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (obj !== "Math" || fn !== "random") continue;
+				}
+
+				if (postFilter === "ts_detached_async_call") {
+					const fn = captures.FN?.text ?? "";
+					if (!/(Async$|fetch$|request$)/.test(fn)) {
+						continue;
+					}
+				}
+
+				if (postFilter === "py_command_injection_sink") {
+					const mod = captures.MOD?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					const kw = captures.KW?.text ?? "";
+					const isOs = mod === "os" && /^(system|popen)$/.test(fn);
+					const isSubprocess =
+						mod === "subprocess" &&
+						/^(run|Popen|call|check_output|check_call)$/.test(fn) &&
+						kw === "shell";
+					if (!isOs && !isSubprocess) continue;
+				}
+
+				if (postFilter === "go_command_injection_sink") {
+					const pkg = captures.PKG?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					const shell = captures.SHELL?.text ?? "";
+					const flag = captures.FLAG?.text ?? "";
+					if (pkg !== "exec") continue;
+					if (!/^(Command|CommandContext)$/.test(fn)) continue;
+					if (!/^"(sh|bash|zsh|cmd|powershell|pwsh)"$/.test(shell)) continue;
+					if (!/^"(-c|\/c)"$/.test(flag)) continue;
+				}
+
+				if (postFilter === "ruby_command_injection_sink") {
+					const fn = captures.FN?.text ?? "";
+					if (!/^(system|exec|spawn|popen|capture3|capture2|capture2e)$/.test(fn)) {
+						continue;
+					}
+				}
+
+				if (postFilter === "py_ssrf_sink") {
+					const mod = captures.MOD?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (mod !== "requests") continue;
+					if (!/^(get|post|put|patch|delete|request|head|options)$/.test(fn))
+						continue;
+				}
+
+				if (postFilter === "py_path_traversal_sink") {
+					const fn = captures.FN?.text ?? "";
+					if (
+						!/^(open|read_text|read_bytes|write_text|write_bytes|remove|unlink|rmdir)$/.test(
+							fn,
+						)
+					)
+						continue;
+				}
+
+				if (postFilter === "go_path_traversal_sink") {
+					const pkg = captures.PKG?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (!/^(os|ioutil)$/.test(pkg)) continue;
+					if (!/^(Open|OpenFile|ReadFile|WriteFile|Create|Remove|RemoveAll)$/.test(fn))
+						continue;
+				}
+
+				if (postFilter === "py_sql_injection_sink") {
+					const fn = captures.FN?.text ?? "";
+					if (!/^(execute|executemany|query|raw)$/.test(fn)) continue;
+				}
+
+				if (postFilter === "go_sql_injection_sink") {
+					const dbFn = captures.DBFN?.text ?? "";
+					const fmtPkg = captures.FMTPKG?.text ?? "";
+					const fmtFn = captures.FMTFN?.text ?? "";
+					if (!/^(Query|QueryContext|QueryRow|QueryRowContext|Exec|ExecContext)$/.test(dbFn))
+						continue;
+					if (fmtPkg !== "fmt" || fmtFn !== "Sprintf") continue;
+				}
+
+				if (postFilter === "py_insecure_deserialization_sink") {
+					const mod = captures.MOD?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (!/^(pickle|yaml)$/.test(mod)) continue;
+					if (!/^(load|loads|unsafe_load)$/.test(fn)) continue;
+				}
+
+				if (postFilter === "ruby_insecure_deserialization_sink") {
+					const mod = captures.MOD?.text ?? "";
+					const fn = captures.FN?.text ?? "";
+					if (!/^(Marshal|YAML|Psych)$/.test(mod)) continue;
+					if (!/^(load|unsafe_load)$/.test(fn)) continue;
+				}
+
 				// Use first capture for position info
 				if (match.captures.length > 0) {
 					const firstNode = match.captures[0].node;

package/clients/tree-sitter-logger.ts

@@ -0,0 +1,47 @@
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+
+const TREE_SITTER_LOG_DIR = path.join(os.homedir(), ".pi-lens");
+const TREE_SITTER_LOG_FILE = path.join(TREE_SITTER_LOG_DIR, "tree-sitter.log");
+
+try {
+	if (!fs.existsSync(TREE_SITTER_LOG_DIR)) {
+		fs.mkdirSync(TREE_SITTER_LOG_DIR, { recursive: true });
+	}
+} catch {}
+
+export interface TreeSitterLogEntry {
+	ts?: string;
+	phase:
+		| "runner_start"
+		| "runner_skip"
+		| "queries_loaded"
+		| "query_error"
+		| "runner_complete"
+		| "entity_diff"
+		| "blast_radius";
+	filePath: string;
+	languageId?: string;
+	queryId?: string;
+	status?: string;
+	diagnostics?: number;
+	blocking?: number;
+	queryCount?: number;
+	effectiveQueryCount?: number;
+	cacheHit?: boolean;
+	reason?: string;
+	error?: string;
+	metadata?: Record<string, unknown>;
+}
+
+export function logTreeSitter(entry: TreeSitterLogEntry): void {
+	const line = `${JSON.stringify({ ts: new Date().toISOString(), ...entry })}\n`;
+	try {
+		fs.appendFileSync(TREE_SITTER_LOG_FILE, line);
+	} catch {}
+}
+
+export function getTreeSitterLogPath(): string {
+	return TREE_SITTER_LOG_FILE;
+}

package/clients/tree-sitter-query-loader.ts

@@ -32,6 +32,9 @@ export interface TreeSitterQuery {
 		value: string | string[];
 	}>;
 	tags?: string[];
+	cwe?: string[];
+	owasp?: string[];
+	confidence?: "low" | "medium" | "high";
 	defect_class?: string;
 	inline_tier?: "blocking" | "warning" | "review";
 	has_fix: boolean;
@@ -172,6 +175,13 @@ export class TreeSitterQueryLoader {
 						}))
 					: undefined,
 				tags: Array.isArray(parsed.tags) ? parsed.tags.map(String) : undefined,
+				cwe: Array.isArray(parsed.cwe) ? parsed.cwe.map(String) : undefined,
+				owasp: Array.isArray(parsed.owasp)
+					? parsed.owasp.map(String)
+					: undefined,
+				confidence: parsed.confidence
+					? (String(parsed.confidence) as "low" | "medium" | "high")
+					: undefined,
 				has_fix: parsed.has_fix === true || parsed.has_fix === "true",
 				fix_action: parsed.fix_action ? String(parsed.fix_action) : undefined,
 				filePath,
@@ -298,8 +308,9 @@ export class TreeSitterQueryLoader {
 				break;
 			}
 
-			// Skip comment lines (they're not part of the value)
-			if (trimmed.startsWith("#")) continue;
+			// Skip YAML comment lines for most keys, but preserve native
+			// tree-sitter predicate lines in query blocks (#eq?, #match?, ...).
+			if (trimmed.startsWith("#") && key !== "query") continue;
 
 			// This is part of the multiline value
 			valueLines.push(line.slice(startIndent));

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pi-lens",
-	"version": "3.8.21",
+	"version": "3.8.22",
 	"type": "module",
 	"description": "Real-time code feedback for pi — LSP, linters, formatters, type-checking, structural analysis & booboo",
 	"repository": {
@@ -22,6 +22,7 @@
 		"rust:build:debug": "cargo build --manifest-path rust/Cargo.toml",
 		"check": "node scripts/check-extensions.mjs",
 		"audit:tree-sitter": "node scripts/audit-tree-sitter-rules.mjs",
+		"audit:rule-catalog": "node scripts/validate-rule-catalog.mjs",
 		"download-grammars": "node scripts/download-grammars.js",
 		"postinstall": "node scripts/download-grammars.js"
 	},
@@ -53,6 +54,7 @@
 		"scripts/download-grammars.js",
 		"scripts/check-extensions.mjs",
 		"scripts/audit-tree-sitter-rules.mjs",
+		"scripts/validate-rule-catalog.mjs",
 		"rust/src/",
 		"rust/Cargo.toml",
 		"default-architect.yaml",

package/rules/rule-catalog.json

@@ -0,0 +1,64 @@
+{
+  "version": 1,
+  "entries": [
+    { "rule_id": "go-command-injection", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-hardcoded-secrets", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "go-insecure-random", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-path-traversal", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "path-traversal-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-sql-injection", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-weak-hash", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "python-command-injection", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-hardcoded-secrets", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "eval-exec", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "python-insecure-deserialization", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "insecure-deserialization-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-insecure-random", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-path-traversal", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "path-traversal-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-sql-injection", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-ssrf", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "ssrf-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-unsafe-regex", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "python-weak-hash", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "ruby-command-injection", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "ruby-eval", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-hardcoded-secrets", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-insecure-deserialization", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "insecure-deserialization-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ruby-insecure-random", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ruby-unsafe-regex", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-weak-hash", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "dangerously-set-inner-html", "engine": "tree-sitter", "language": "tsx", "family": "security", "scope": "file", "canonical_concept": "dom-xss-dangerous-inner-html", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-eval", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "hardcoded-secrets", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "sql-injection", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "ts-command-injection", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-insecure-random", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-ssrf", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "ssrf-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-weak-hash", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "unsafe-regex", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "go-goroutine-loop-capture", "engine": "tree-sitter", "language": "go", "family": "concurrency", "scope": "file", "canonical_concept": "goroutine-loop-capture", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "go-shared-map-write-goroutine", "engine": "tree-sitter", "language": "go", "family": "concurrency", "scope": "file", "canonical_concept": "shared-map-write-in-goroutine", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-thread-global-write", "engine": "tree-sitter", "language": "python", "family": "concurrency", "scope": "file", "canonical_concept": "threaded-shared-state-write", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "rust-lock-held-across-await", "engine": "tree-sitter", "language": "rust", "family": "concurrency", "scope": "file", "canonical_concept": "lock-held-across-await", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "ts-detached-async-call", "engine": "tree-sitter", "language": "typescript", "family": "concurrency", "scope": "file", "canonical_concept": "detached-async-call", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+
+    { "rule_id": "no-sql-in-code", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "sql-in-code-literal", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-sql-in-code-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "sql-in-code-literal", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-open-redirect", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "open-redirect", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-open-redirect-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "open-redirect", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-javascript-url", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "javascript-url-scheme", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-javascript-url-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "javascript-url-scheme", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-insecure-randomness", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-insecure-randomness-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-implied-eval", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "no-implied-eval-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-hardcoded-secrets", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "no-hardcoded-secrets-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-global-eval-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "jwt-no-verify", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "jwt-signature-bypass", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "jwt-no-verify-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "jwt-signature-bypass", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "toctou", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "file", "canonical_concept": "toctou-file-race", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "toctou-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "file", "canonical_concept": "toctou-file-race", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "missed-concurrency", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "missed-concurrency-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-await-in-loop", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-await-in-loop-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" }
+  ]
+}

package/rules/tree-sitter-queries/go/go-bare-error.yml

@@ -16,17 +16,29 @@ description: |
   ✅ FIX: Handle the error before returning, or document why it's safe.
 
 query: |
-  (function_declaration
-    body: (block
-      (return_statement
-        (expression_list
-          (call_expression) @CALL))))
+  [
+    (function_declaration
+      result: (type_identifier) @RET
+      body: (block
+        (return_statement
+          (expression_list
+            (call_expression) @CALL)))
+      (#eq? @RET "error"))
+    (function_declaration
+      result: (parameter_list
+        (parameter_declaration
+          type: (type_identifier) @RET))
+      body: (block
+        (return_statement
+          (expression_list
+            (call_expression) @CALL)))
+      (#eq? @RET "error"))
+  ]
 
 metavars:
+  - RET
   - CALL
 
-post_filter: returns_error
-
 has_fix: false
 
 tags:

package/rules/tree-sitter-queries/go/go-command-injection.yml

@@ -0,0 +1,55 @@
+# Go Security
+# Detects shell command execution via exec.Command(..., "-c"|"/c", ...).
+id: go-command-injection
+name: Command Injection Sink
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Potential command injection sink — avoid shell command composition with user input"
+
+description: |
+  Using exec.Command with a shell (`sh -c`, `bash -c`, `cmd /c`) executes command strings.
+
+  ✅ FIX: invoke binaries directly with explicit argument arrays and strict allowlists.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @FN)
+    arguments: (argument_list
+      (interpreted_string_literal) @SHELL
+      (interpreted_string_literal) @FLAG
+      (_) @CMD))
+  (#eq? @PKG "exec")
+  (#match? @FN "^(Command|CommandContext)$")
+  (#match? @SHELL "^\"(sh|bash|zsh|cmd|powershell|pwsh)\"$")
+  (#match? @FLAG "^\"(-c|/c)\"$")
+
+metavars:
+  - PKG
+  - FN
+  - SHELL
+  - FLAG
+  - CMD
+
+post_filter: go_command_injection_sink
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - command-injection
+  - cwe-78
+  - owasp-a03
+
+examples:
+  bad: |
+    exec.Command("sh", "-c", userInput)
+
+  good: |
+    exec.Command("git", "status")

package/rules/tree-sitter-queries/go/go-direct-panic.yml

@@ -0,0 +1,45 @@
+# Go Reliability
+# Detects direct panic calls in application/library code.
+id: go-direct-panic
+name: Direct panic() Call
+severity: error
+category: reliability
+defect_class: safety
+inline_tier: blocking
+language: go
+
+message: "Direct panic() call can crash the process — return or propagate an error instead"
+
+description: |
+  Calling `panic(...)` for ordinary error paths can terminate the process and bypass
+  normal recovery/cleanup flow.
+
+  ✅ FIX: return an error, wrap it, or handle it at the boundary layer.
+
+query: |
+  (call_expression
+    function: (identifier) @FN
+    arguments: (argument_list) @ARGS)
+  (#eq? @FN "panic")
+
+metavars:
+  - FN
+  - ARGS
+
+has_fix: false
+
+tags:
+  - go
+  - reliability
+  - safety
+
+examples:
+  bad: |
+    if err != nil {
+        panic(err)
+    }
+
+  good: |
+    if err != nil {
+        return fmt.Errorf("failed: %w", err)
+    }

package/rules/tree-sitter-queries/go/go-empty-if-err.yml

@@ -0,0 +1,47 @@
+# Go Error Handling
+# Detects empty `if err != nil` handlers
+id: go-empty-if-err
+name: Empty Error Handler
+severity: error
+category: error-handling
+defect_class: silent-error
+inline_tier: blocking
+language: go
+
+message: "Empty error handler — handle err or return it"
+
+description: |
+  An `if err != nil {}` block silently ignores failures.
+
+  ✅ FIX: return, wrap, or log the error with context.
+
+query: |
+  (if_statement
+    condition: (binary_expression
+      left: (identifier) @ERR
+      right: (nil))
+    consequence: (block) @BODY)
+  (#eq? @ERR "err")
+
+metavars:
+  - ERR
+  - BODY
+
+post_filter: empty_body
+
+has_fix: false
+
+tags:
+  - go
+  - error-handling
+  - reliability
+
+examples:
+  bad: |
+    if err != nil {
+    }
+
+  good: |
+    if err != nil {
+        return fmt.Errorf("load config: %w", err)
+    }

package/rules/tree-sitter-queries/go/go-goroutine-loop-capture.yml

@@ -0,0 +1,49 @@
+# Go Concurrency
+# Detects goroutines started inside loops with parameterless func literals.
+id: go-goroutine-loop-capture
+name: Goroutine Loop Capture Risk
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: go
+
+message: "Goroutine launched in loop with captured variables — pass loop values as parameters"
+
+description: |
+  Launching `go func(){...}()` inside loops can capture changing loop variables.
+
+  ✅ FIX: pass loop variables as explicit function parameters.
+
+query: |
+  (for_statement
+    body: (block
+      (go_statement) @GO)
+
+metavars:
+  - GO
+
+cwe:
+  - CWE-362
+owasp:
+  - A09
+confidence: medium
+
+has_fix: false
+
+tags:
+  - go
+  - concurrency
+  - goroutine
+  - loop-capture
+
+examples:
+  bad: |
+    for _, item := range items {
+        go func() { use(item) }()
+    }
+
+  good: |
+    for _, item := range items {
+        go func(v string) { use(v) }(item)
+    }

package/rules/tree-sitter-queries/go/go-ignored-call-result.yml

@@ -0,0 +1,51 @@
+# Go Reliability
+# Detects discarded call results using blank identifier assignment.
+id: go-ignored-call-result
+name: Ignored Call Result
+severity: warning
+category: error-handling
+defect_class: silent-error
+inline_tier: warning
+language: go
+
+message: "Call result assigned to '_' — verify this discard is intentional"
+
+description: |
+  Assigning a call result to `_` can hide failures or important return values.
+
+  ✅ FIX: handle the returned value/error or document intentional discard.
+
+query: |
+  [
+    (short_var_declaration
+      left: (expression_list
+        (identifier) @VAR)
+      right: (expression_list
+        (call_expression) @CALL))
+    (assignment_statement
+      left: (expression_list
+        (identifier) @VAR)
+      right: (expression_list
+        (call_expression) @CALL))
+  ]
+  (#eq? @VAR "_")
+
+metavars:
+  - VAR
+  - CALL
+
+has_fix: false
+
+tags:
+  - go
+  - reliability
+  - code-smell
+
+examples:
+  bad: |
+    _ = doWork()
+
+  good: |
+    if err := doWork(); err != nil {
+        return err
+    }