pi-lens 3.8.21 → 3.8.23

package/clients/tree-sitter-query-loader.ts

@@ -32,6 +32,9 @@ export interface TreeSitterQuery {
 		value: string | string[];
 	}>;
 	tags?: string[];
+	cwe?: string[];
+	owasp?: string[];
+	confidence?: "low" | "medium" | "high";
 	defect_class?: string;
 	inline_tier?: "blocking" | "warning" | "review";
 	has_fix: boolean;
@@ -172,6 +175,13 @@ export class TreeSitterQueryLoader {
 						}))
 					: undefined,
 				tags: Array.isArray(parsed.tags) ? parsed.tags.map(String) : undefined,
+				cwe: Array.isArray(parsed.cwe) ? parsed.cwe.map(String) : undefined,
+				owasp: Array.isArray(parsed.owasp)
+					? parsed.owasp.map(String)
+					: undefined,
+				confidence: parsed.confidence
+					? (String(parsed.confidence) as "low" | "medium" | "high")
+					: undefined,
 				has_fix: parsed.has_fix === true || parsed.has_fix === "true",
 				fix_action: parsed.fix_action ? String(parsed.fix_action) : undefined,
 				filePath,
@@ -298,8 +308,9 @@ export class TreeSitterQueryLoader {
 				break;
 			}
 
-			// Skip comment lines (they're not part of the value)
-			if (trimmed.startsWith("#")) continue;
+			// Skip YAML comment lines for most keys, but preserve native
+			// tree-sitter predicate lines in query blocks (#eq?, #match?, ...).
+			if (trimmed.startsWith("#") && key !== "query") continue;
 
 			// This is part of the multiline value
 			valueLines.push(line.slice(startIndent));

package/index.ts

@@ -13,6 +13,7 @@ import { ComplexityClient } from "./clients/complexity-client.js";
 import { DependencyChecker } from "./clients/dependency-checker.js";
 import { getDiagnosticTracker } from "./clients/diagnostic-tracker.js";
 import {
+	getDispatchSlopScoreLine,
 	getLatencyReports,
 	resetDispatchBaselines,
 } from "./clients/dispatch/integration.js";
@@ -378,6 +379,7 @@ export default function (pi: ExtensionAPI) {
 				`Pipeline crashes (session): ${totalCrashes}`,
 				`Files affected: ${crashEntries.length}`,
 			];
+			const slopScoreLine = getDispatchSlopScoreLine();
 
 			if (crashEntries.length > 0) {
 				lines.push("", "Top crash files:");
@@ -432,6 +434,10 @@ export default function (pi: ExtensionAPI) {
 				}
 			}
 
+			if (slopScoreLine) {
+				lines.push("", slopScoreLine);
+			}
+
 			ctx.ui.notify(lines.join("\n"), "info");
 		},
 	});
@@ -525,10 +531,20 @@ pi.on("tool_call", async (event, ctx) => {
 		}
 	}
 
-	const filePath =
+	const inputObj = (event.input ?? {}) as Record<string, unknown>;
+	const rawFilePath =
 		isToolCallEventType("write", event) || isToolCallEventType("edit", event)
 			? (event.input as { path: string }).path
-			: undefined;
+			: toolName === "read" || toolName === "lsp_navigation"
+				? typeof inputObj.filePath === "string"
+					? inputObj.filePath
+					: undefined
+				: undefined;
+	const filePath = rawFilePath
+		? path.isAbsolute(rawFilePath)
+			? rawFilePath
+			: path.resolve(ctx.cwd ?? runtime.projectRoot, rawFilePath)
+		: undefined;
 
 	if (!filePath) return;
 
@@ -537,6 +553,24 @@ pi.on("tool_call", async (event, ctx) => {
 	);
 	if (!nodeFs.existsSync(filePath)) return;
 
+	const shouldAutoTouch =
+		(toolName === "read" ||
+			toolName === "write" ||
+			toolName === "edit" ||
+			toolName === "lsp_navigation") &&
+		!!pi.getFlag("lens-lsp") &&
+		!pi.getFlag("no-lsp");
+	if (shouldAutoTouch) {
+		try {
+			const fileContent = nodeFs.readFileSync(filePath, "utf-8");
+			void getLSPService()
+				.touchFile(filePath, fileContent, false, `tool_call:${toolName}`)
+				.catch((err) => dbg(`lsp auto-touch failed for ${filePath}: ${err}`));
+		} catch {
+			// Best effort only; never block tool calls.
+		}
+	}
+
 	// Record complexity baseline for historical tracking (booboo/tdi).
 	// Not shown inline — just captured for delta analysis.
 	if (
@@ -734,20 +768,36 @@ pi.on("turn_end", async (_event, ctx) => {
 // --- Inject turn-end findings into next agent turn ---
 // jscpd, madge, and turn-end delta results are cached at turn_end and consumed here
 // via the context event, which fires before each provider request.
+// Important: context handlers must APPEND to the existing message list, not replace it.
+// Replacing `event.messages` can drop the user's first prompt entirely, which causes
+// OpenAI Responses requests to fail with: "One of input/previous_response_id/prompt/conversation_id must be provided."
 // biome-ignore lint/suspicious/noExplicitAny: pi.on("context") overload has TS resolution bug
-(pi as any).on("context", async (_event: unknown, ctx: { cwd?: string }) => {
-	try {
-		const cwd = ctx.cwd ?? process.cwd();
-		const turnEndFindings = consumeTurnEndFindings(cacheManager, cwd);
-		const sessionGuidance = consumeSessionStartGuidance(cacheManager, cwd);
-		const messages = [
-			...(sessionGuidance?.messages ?? []),
-			...(turnEndFindings?.messages ?? []),
-		];
-		if (messages.length === 0) return;
-		return { messages };
-	} catch (err) {
-		dbg(`context event error: ${err}`);
-	}
-});
+(pi as any).on(
+	"context",
+	async (
+		event: { messages?: Array<{ role: string; content: unknown }> } | unknown,
+		ctx: { cwd?: string },
+	) => {
+		try {
+			const cwd = ctx.cwd ?? process.cwd();
+			const turnEndFindings = consumeTurnEndFindings(cacheManager, cwd);
+			const sessionGuidance = consumeSessionStartGuidance(cacheManager, cwd);
+			const injectedMessages = [
+				...(sessionGuidance?.messages ?? []),
+				...(turnEndFindings?.messages ?? []),
+			];
+			if (injectedMessages.length === 0) return;
+
+			const existingMessages =
+				(event as { messages?: Array<{ role: string; content: unknown }> })
+					?.messages ?? [];
+
+			return {
+				messages: [...existingMessages, ...injectedMessages],
+			};
+		} catch (err) {
+			dbg(`context event error: ${err}`);
+		}
+	},
+);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pi-lens",
-	"version": "3.8.21",
+	"version": "3.8.23",
 	"type": "module",
 	"description": "Real-time code feedback for pi — LSP, linters, formatters, type-checking, structural analysis & booboo",
 	"repository": {
@@ -22,6 +22,7 @@
 		"rust:build:debug": "cargo build --manifest-path rust/Cargo.toml",
 		"check": "node scripts/check-extensions.mjs",
 		"audit:tree-sitter": "node scripts/audit-tree-sitter-rules.mjs",
+		"audit:rule-catalog": "node scripts/validate-rule-catalog.mjs",
 		"download-grammars": "node scripts/download-grammars.js",
 		"postinstall": "node scripts/download-grammars.js"
 	},
@@ -53,6 +54,7 @@
 		"scripts/download-grammars.js",
 		"scripts/check-extensions.mjs",
 		"scripts/audit-tree-sitter-rules.mjs",
+		"scripts/validate-rule-catalog.mjs",
 		"rust/src/",
 		"rust/Cargo.toml",
 		"default-architect.yaml",

package/rules/rule-catalog.json

@@ -0,0 +1,64 @@
+{
+  "version": 1,
+  "entries": [
+    { "rule_id": "go-command-injection", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-hardcoded-secrets", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "go-insecure-random", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-path-traversal", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "path-traversal-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-sql-injection", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "go-weak-hash", "engine": "tree-sitter", "language": "go", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "python-command-injection", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-hardcoded-secrets", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "eval-exec", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "python-insecure-deserialization", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "insecure-deserialization-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-insecure-random", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-path-traversal", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "path-traversal-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-sql-injection", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-ssrf", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "ssrf-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-unsafe-regex", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "python-weak-hash", "engine": "tree-sitter", "language": "python", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "ruby-command-injection", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "ruby-eval", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-hardcoded-secrets", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-insecure-deserialization", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "insecure-deserialization-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ruby-insecure-random", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ruby-unsafe-regex", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "ruby-weak-hash", "engine": "tree-sitter", "language": "ruby", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "dangerously-set-inner-html", "engine": "tree-sitter", "language": "tsx", "family": "security", "scope": "file", "canonical_concept": "dom-xss-dangerous-inner-html", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-eval", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "hardcoded-secrets", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "sql-injection", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "sql-injection-sink", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "ts-command-injection", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "command-injection-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-insecure-random", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-ssrf", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "ssrf-sink", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "ts-weak-hash", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "weak-hash-primitive", "severity_default": "warning", "confidence": "high", "status": "experimental" },
+    { "rule_id": "unsafe-regex", "engine": "tree-sitter", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "unsafe-regex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "go-goroutine-loop-capture", "engine": "tree-sitter", "language": "go", "family": "concurrency", "scope": "file", "canonical_concept": "goroutine-loop-capture", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "go-shared-map-write-goroutine", "engine": "tree-sitter", "language": "go", "family": "concurrency", "scope": "file", "canonical_concept": "shared-map-write-in-goroutine", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "python-thread-global-write", "engine": "tree-sitter", "language": "python", "family": "concurrency", "scope": "file", "canonical_concept": "threaded-shared-state-write", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+    { "rule_id": "rust-lock-held-across-await", "engine": "tree-sitter", "language": "rust", "family": "concurrency", "scope": "file", "canonical_concept": "lock-held-across-await", "severity_default": "warning", "confidence": "low", "status": "experimental" },
+    { "rule_id": "ts-detached-async-call", "engine": "tree-sitter", "language": "typescript", "family": "concurrency", "scope": "file", "canonical_concept": "detached-async-call", "severity_default": "warning", "confidence": "medium", "status": "experimental" },
+
+    { "rule_id": "no-sql-in-code", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "sql-in-code-literal", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-sql-in-code-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "sql-in-code-literal", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-open-redirect", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "open-redirect", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-open-redirect-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "open-redirect", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-javascript-url", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "javascript-url-scheme", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-javascript-url-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "javascript-url-scheme", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-insecure-randomness", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-insecure-randomness-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "insecure-randomness", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-implied-eval", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "no-implied-eval-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-hardcoded-secrets", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "no-hardcoded-secrets-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "hardcoded-secrets", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-global-eval-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "dynamic-code-execution", "severity_default": "error", "confidence": "high", "status": "active", "allow_overlap": true },
+    { "rule_id": "jwt-no-verify", "engine": "ast-grep", "language": "typescript", "family": "security", "scope": "file", "canonical_concept": "jwt-signature-bypass", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "jwt-no-verify-js", "engine": "ast-grep", "language": "javascript", "family": "security", "scope": "file", "canonical_concept": "jwt-signature-bypass", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "toctou", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "file", "canonical_concept": "toctou-file-race", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "toctou-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "file", "canonical_concept": "toctou-file-race", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "missed-concurrency", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "missed-concurrency-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-await-in-loop", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-await-in-loop-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" }
+  ]
+}

package/rules/tree-sitter-queries/go/go-bare-error.yml

@@ -16,17 +16,29 @@ description: |
   ✅ FIX: Handle the error before returning, or document why it's safe.
 
 query: |
-  (function_declaration
-    body: (block
-      (return_statement
-        (expression_list
-          (call_expression) @CALL))))
+  [
+    (function_declaration
+      result: (type_identifier) @RET
+      body: (block
+        (return_statement
+          (expression_list
+            (call_expression) @CALL)))
+      (#eq? @RET "error"))
+    (function_declaration
+      result: (parameter_list
+        (parameter_declaration
+          type: (type_identifier) @RET))
+      body: (block
+        (return_statement
+          (expression_list
+            (call_expression) @CALL)))
+      (#eq? @RET "error"))
+  ]
 
 metavars:
+  - RET
   - CALL
 
-post_filter: returns_error
-
 has_fix: false
 
 tags:

package/rules/tree-sitter-queries/go/go-command-injection.yml

@@ -0,0 +1,55 @@
+# Go Security
+# Detects shell command execution via exec.Command(..., "-c"|"/c", ...).
+id: go-command-injection
+name: Command Injection Sink
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Potential command injection sink — avoid shell command composition with user input"
+
+description: |
+  Using exec.Command with a shell (`sh -c`, `bash -c`, `cmd /c`) executes command strings.
+
+  ✅ FIX: invoke binaries directly with explicit argument arrays and strict allowlists.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @FN)
+    arguments: (argument_list
+      (interpreted_string_literal) @SHELL
+      (interpreted_string_literal) @FLAG
+      (_) @CMD))
+  (#eq? @PKG "exec")
+  (#match? @FN "^(Command|CommandContext)$")
+  (#match? @SHELL "^\"(sh|bash|zsh|cmd|powershell|pwsh)\"$")
+  (#match? @FLAG "^\"(-c|/c)\"$")
+
+metavars:
+  - PKG
+  - FN
+  - SHELL
+  - FLAG
+  - CMD
+
+post_filter: go_command_injection_sink
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - command-injection
+  - cwe-78
+  - owasp-a03
+
+examples:
+  bad: |
+    exec.Command("sh", "-c", userInput)
+
+  good: |
+    exec.Command("git", "status")

package/rules/tree-sitter-queries/go/go-direct-panic.yml

@@ -0,0 +1,45 @@
+# Go Reliability
+# Detects direct panic calls in application/library code.
+id: go-direct-panic
+name: Direct panic() Call
+severity: error
+category: reliability
+defect_class: safety
+inline_tier: blocking
+language: go
+
+message: "Direct panic() call can crash the process — return or propagate an error instead"
+
+description: |
+  Calling `panic(...)` for ordinary error paths can terminate the process and bypass
+  normal recovery/cleanup flow.
+
+  ✅ FIX: return an error, wrap it, or handle it at the boundary layer.
+
+query: |
+  (call_expression
+    function: (identifier) @FN
+    arguments: (argument_list) @ARGS)
+  (#eq? @FN "panic")
+
+metavars:
+  - FN
+  - ARGS
+
+has_fix: false
+
+tags:
+  - go
+  - reliability
+  - safety
+
+examples:
+  bad: |
+    if err != nil {
+        panic(err)
+    }
+
+  good: |
+    if err != nil {
+        return fmt.Errorf("failed: %w", err)
+    }

package/rules/tree-sitter-queries/go/go-empty-if-err.yml

@@ -0,0 +1,47 @@
+# Go Error Handling
+# Detects empty `if err != nil` handlers
+id: go-empty-if-err
+name: Empty Error Handler
+severity: error
+category: error-handling
+defect_class: silent-error
+inline_tier: blocking
+language: go
+
+message: "Empty error handler — handle err or return it"
+
+description: |
+  An `if err != nil {}` block silently ignores failures.
+
+  ✅ FIX: return, wrap, or log the error with context.
+
+query: |
+  (if_statement
+    condition: (binary_expression
+      left: (identifier) @ERR
+      right: (nil))
+    consequence: (block) @BODY)
+  (#eq? @ERR "err")
+
+metavars:
+  - ERR
+  - BODY
+
+post_filter: empty_body
+
+has_fix: false
+
+tags:
+  - go
+  - error-handling
+  - reliability
+
+examples:
+  bad: |
+    if err != nil {
+    }
+
+  good: |
+    if err != nil {
+        return fmt.Errorf("load config: %w", err)
+    }

package/rules/tree-sitter-queries/go/go-goroutine-loop-capture.yml

@@ -0,0 +1,49 @@
+# Go Concurrency
+# Detects goroutines started inside loops with parameterless func literals.
+id: go-goroutine-loop-capture
+name: Goroutine Loop Capture Risk
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: go
+
+message: "Goroutine launched in loop with captured variables — pass loop values as parameters"
+
+description: |
+  Launching `go func(){...}()` inside loops can capture changing loop variables.
+
+  ✅ FIX: pass loop variables as explicit function parameters.
+
+query: |
+  (for_statement
+    body: (block
+      (go_statement) @GO)
+
+metavars:
+  - GO
+
+cwe:
+  - CWE-362
+owasp:
+  - A09
+confidence: medium
+
+has_fix: false
+
+tags:
+  - go
+  - concurrency
+  - goroutine
+  - loop-capture
+
+examples:
+  bad: |
+    for _, item := range items {
+        go func() { use(item) }()
+    }
+
+  good: |
+    for _, item := range items {
+        go func(v string) { use(v) }(item)
+    }

package/rules/tree-sitter-queries/go/go-ignored-call-result.yml

@@ -0,0 +1,51 @@
+# Go Reliability
+# Detects discarded call results using blank identifier assignment.
+id: go-ignored-call-result
+name: Ignored Call Result
+severity: warning
+category: error-handling
+defect_class: silent-error
+inline_tier: warning
+language: go
+
+message: "Call result assigned to '_' — verify this discard is intentional"
+
+description: |
+  Assigning a call result to `_` can hide failures or important return values.
+
+  ✅ FIX: handle the returned value/error or document intentional discard.
+
+query: |
+  [
+    (short_var_declaration
+      left: (expression_list
+        (identifier) @VAR)
+      right: (expression_list
+        (call_expression) @CALL))
+    (assignment_statement
+      left: (expression_list
+        (identifier) @VAR)
+      right: (expression_list
+        (call_expression) @CALL))
+  ]
+  (#eq? @VAR "_")
+
+metavars:
+  - VAR
+  - CALL
+
+has_fix: false
+
+tags:
+  - go
+  - reliability
+  - code-smell
+
+examples:
+  bad: |
+    _ = doWork()
+
+  good: |
+    if err := doWork(); err != nil {
+        return err
+    }

package/rules/tree-sitter-queries/go/go-insecure-random.yml

@@ -0,0 +1,51 @@
+# Go Security
+# Detects use of math/rand in potentially security-sensitive contexts.
+id: go-insecure-random
+name: Insecure Randomness
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Insecure randomness source detected — use crypto/rand for security-sensitive values"
+
+description: |
+  math/rand is deterministic and not suitable for security-sensitive randomness.
+
+  ✅ FIX: use crypto/rand for tokens, keys, nonces, and secrets.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#eq? @PKG "rand")
+  (#match? @FN "^(Int|Intn|Int63|Uint32|Uint64|Read|Float64)$")
+
+metavars:
+  - PKG
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-330
+owasp:
+  - A02
+confidence: medium
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - randomness
+  - weak-prng
+
+examples:
+  bad: |
+    code := rand.Intn(1000000)
+
+  good: |
+    _, _ = rand.Read(buf) // from crypto/rand