pi-lens 3.8.28 → 3.8.30

package/CHANGELOG.md

@@ -2,6 +2,156 @@
 
 All notable changes to pi-lens will be documented in this file.
 
+## [Unreleased]
+
+## [3.8.30] - 2026-04-22
+
+### Fixed
+- **lsp_navigation permanently disabled** — removed stale `lens-lsp` flag check (flag was removed in 3.8.29) that caused every `lsp_navigation` call to short-circuit with `lsp_disabled`; tool now only gates on `--no-lsp`
+- **ast_grep_search / ast_grep_replace auto-install** — switched availability check from sync `isAvailable()` to async `ensureAvailable()` so the auto-installer triggers when `sg` is missing
+- **@ast-grep/cli postinstall skipped** — added `@ast-grep/cli` to `NEEDS_POSTINSTALL`; without it `--ignore-scripts` left ASCII stubs in place of `sg.exe` / `ast-grep.exe` on Windows
+- **Windows .exe binary lookup** — `getToolPath` now also probes the `.exe` extension on Windows, covering packages (like `@ast-grep/cli`) that place a `.exe` directly without a `.cmd` wrapper
+- **jscpd broken on Node 24** — pinned `jscpd` to `3.5.10`; v4 introduced a `reprism` dependency whose `lib/languages/` directory is absent from the published package
+- **TypeScript LSP using home dir as workspace root** — wrapped `TypeScriptServer` and `ESLintServer` roots with `IgnoreHomeRoot` so a `package.json` / eslint config in `~` can no longer hijacks the workspace root; fallback is the file's own directory
+- **CI npm publish runs without token** — gated `publish-npm` job and dry-run step on `NPM_TOKEN` secret being set
+- **Stale compiled .js triggered test failures** — rebuilt project; `secrets-scanner.js` and `project-index.js` were from before the env-var-name false-positive fix and line-number capture fix respectively
+- **ast_grep_search test mock** — updated test mock from `isAvailable` to `ensureAvailable` to match the new async availability check
+- **Stale LSP diagnostics in cascade** — cascade diagnostics now skip entries older than 240s, preventing false positives from earlier test injections bleeding across turns
+- **Biome check on Vue/Svelte** — biome-check-json was briefly skipped on `.vue`/`.svelte` but restored after confirming Biome 2.x has native support; the 3 blocking diagnostics were real lint findings, not parse errors
+- **Vue/Svelte TypeScript SDK** — extracted `findTsserverPath` helper and wired it into `VueServer` and `SvelteServer` `initializationOptions` so Vue/Svelte LSP servers find the correct `typescript.tsdk`
+- **Broken npm .cmd shims on Windows** — `launch.ts` now validates npm `.cmd` shims before spawning; if the target JS file doesn't exist the shim exits with code 1 after a 500ms startup window, pre-checking avoids the delay for all LSP servers on Windows
+- **Tree-sitter WASM path in hoisted installs** — `tree-sitter-client.ts` now resolves `web-tree-sitter/tree-sitter.wasm` via `createRequire` so Node walks `node_modules` ancestors correctly; fixes `ENOENT` crash in pnpm/monorepo layouts where the wasm is not nested under pi-lens's own `node_modules`
+- **Grammar directory lookups in hoisted installs** — `findGrammarsDir` uses the same `createRequire` fix to anchor `web-tree-sitter/grammars` and `tree-sitter-wasms/out` paths correctly in pnpm/monorepo layouts
+- **tree-sitter-gleam download 404** — removed `tree-sitter-gleam.wasm` from grammar downloads; the file was never published in `tree-sitter-wasms@0.1.13`
+- **Pipeline deduplication** — `handleToolResult` now deduplicates concurrent pipeline calls for the same file; the pi framework fires `tool_result` once per hunk in an Edit array, causing duplicate pipeline runs and doubled agent output
+
+### Changed
+- **Tuned false-positive thresholds across all runners** — reduced noise in `lens-booboo` and dispatch for all users:
+  - Added `FACT_SEVERITY_FILTER` (`error`/`warning` only) and `MIN_TREE_SITTER_HITS_PER_RULE = 3`
+  - Filtered entropy/AI-style warnings from complexity metrics
+  - Aligned complexity markdown headers with actual thresholds (`MI < 20`, `cognitive > 80`, `nesting > 8`)
+  - Raised `SEMANTIC_SIMILARITY_THRESHOLD` from `0.96` → `0.98` (aligned with dispatch similarity runner)
+  - Raised duplicate-string-literal `MIN_DUPLICATES` from `4` → `10`
+  - Unregistered `no-magic-numbers` and `high-entropy-string` fact rules globally
+
+### Removed
+- **Dead code across 32 files** — removed 51 sites of unused imports, locals, and parameters flagged by `tsc --noUnusedLocals --noUnusedParameters`:
+  - `clients/architect-client.ts`, `ast-grep-client.ts`, `biome-client.ts`, `complexity-client.ts`, `go-client.ts`, `rust-client.ts`, `scan-utils.ts`, `secrets-scanner.ts`, `subprocess-client.ts`, `test-runner-client.ts`, `tool-availability.ts`, `tree-sitter-cache.ts`, `tree-sitter-client.ts`, `type-coverage-client.ts`, `type-safety-client.ts`
+  - `clients/dispatch/dispatcher.ts`, `runners/ast-grep-napi.ts`, `runners/golangci-lint.ts`, `runners/index.ts`, `runners/python-slop.ts`, `runners/ts-lsp.ts`, `runners/utils/diagnostic-parsers.ts`
+  - `clients/lsp/client.ts`, `config.ts`, `interactive-install.ts`, `launch.ts`, `server.ts`
+  - `clients/pipeline.ts`, `review-graph/builder.ts`, `runner-tracker.ts`
+  - `commands/booboo.ts`, `index.ts`
+
+### Tests
+- **Pipeline regression tests** — `tests/clients/pipeline.test.ts` (11 tests): secrets blocking, format modification, LSP sync, dispatch blockers, autofix output, test runner skip, all-clear output
+- **Autofix helper tests** — `tests/clients/autofix-helpers.test.ts` (12 tests): config detection (eslint, stylelint, sqlfluff), malformed JSON handling, file change detection after command
+- **LSP lifecycle tests** — `tests/clients/lsp/lifecycle.test.ts` (4 tests): missing binary error, process spawn, immediate exit detection, process kill
+- **FormatService tests** — `tests/clients/format-service.test.ts` (11 tests): disabled/skip mode, no matching formatters, successful run with change detection, formatter failure, external modification detection, singleton behavior, state clearing, file tracking
+- **Dispatch integration tests** — `tests/clients/dispatch/integration.test.ts` (11 tests): `dispatchLintWithResult` empty results, result propagation, warnings-only; `shouldDispatch` for supported/unsupported; `getAvailableRunners` for supported/unsupported
+- **LSP client internals tests** — `tests/clients/lsp/client-internals.test.ts` (13 tests): `handleNotifyOpen` (first open, re-open, pending opens, clear diagnostics, skip when not alive), `handleNotifyChange` (didChange when open, fallback to didOpen, clear stale diagnostics, skip when not alive), `clientWaitForDiagnostics` (immediate resolve if cached, resolve via emitter, timeout, ignore other files)
+- **Runtime event flow test fix** — added missing `gatherCascadeDiagnostics` mock export to `tests/clients/runtime-event-flow.test.ts`
+- **LSP launch tests** — `tests/clients/lsp/launch.test.ts` (8 new tests): `isCmdShimValid` unit tests (target exists/missing, non-npm shim, unreadable file, `.mjs` extension), early `.cmd` shim rejection without spawning, `.ps1` bypass to `.cmd` sibling, `.ps1` fallback to direct `node <js>` execution
+- **Tree-sitter hoisted-install tests** — `tests/clients/tree-sitter-client-init.test.ts` (3 tests): wasm resolution via `require.resolve`, `locateFile` directory derivation, `findGrammarsDir` external package resolution
+
+### Refactored
+- **Extract `detectFileChangedAfterCommand`** — moved from `clients/pipeline.ts` to `clients/file-utils.ts` and exported for reuse/testing; imported back into `pipeline.ts`; `tests/clients/autofix-helpers.test.ts` now imports the real function instead of reimplementing a copy
+- **Export testable pipeline helpers** — exported `hasEslintConfig`, `hasStylelintConfig`, `hasSqlfluffConfig` from `clients/pipeline.ts` so config detection is testable
+- **Export LSP client internals** — exported `clientWaitForDiagnostics`, `handleNotifyOpen`, `handleNotifyChange`, and `LSPClientState` from `clients/lsp/client.ts` for direct testing with mocks
+- **Export `isCmdShimValid`** — exported from `clients/lsp/launch.ts` so the npm `.cmd` shim validator is unit-testable
+
+### CI
+- **Dead-code gate** — `lint-and-typecheck` job now runs `tsc --noUnusedLocals --noUnusedParameters --noEmit` alongside `--noEmit` so dead code regressions fail CI immediately
+
+## [3.8.29] - 2026-04-21
+
+### Added
+- **New diagnostic commands** — added `/lens-tools` and `/lens-health` for system visibility:
+  - `/lens-tools` — shows tool installation status: globally installed, pi-lens auto-installed, or npx fallback
+  - `/lens-health` — shows runtime health: pipeline crashes, slow runners, diagnostic stats
+  - Both provide actionable visibility into the pi-lens toolchain
+- **Streamlined ast-grep skill** — reduced skill from 7,759 bytes to 2,313 bytes (~70% reduction):
+  - Removed verbose CLI tips and YAML rule authoring sections (agent uses tools, not CLI)
+  - Removed redundant testing documentation
+  - Kept essential: Golden Rules, Quick Reference, Common Gotchas
+- **Configurable log cleanup** — automatic retention and rotation for `~/.pi-lens/*.log` files:
+  - Environment variable `PI_LENS_LOG_RETENTION_DAYS` (default: 7) — days to keep log files
+  - Environment variable `PI_LENS_MAX_LOG_SIZE_MB` (default: 10) — max size before rotation
+  - Runs automatically on session start, notifies when cleanup occurs
+  - Rotated backups (`.log.*`) cleaned after retention period
+  - Project-level logs (`{cwd}/.pi-lens/*`) intentionally excluded from cleanup
+
+### Changed
+- **`/lens-tools` output improved** — added explanatory note when GitHub-release tools are shown as missing: "GitHub-release tools auto-install when you open files of those languages"
+- **Simplified agent prompts** — removed verbose prompt sections to reduce token burn:
+  - Removed startup notes about project rules count (now just logged, not shown)
+  - Removed tooling hints for missing language tools (Go/Rust/Ruby install suggestions)
+  - Removed project rules section from system prompt (no longer injects `## Project Rules` block)
+  - Updated core guidance to clarify: automated checks run on edits/writes, blocking errors shown inline must be fixed
+- **Simplified CLI flags** — removed 16 flags to reduce surface area and cognitive load:
+  - Removed per-tool disable flags: `--no-biome`, `--no-ast-grep`, `--no-shellcheck`, `--no-madge`, `--no-oxlint`, `--no-ruff`, `--no-go`, `--no-rust`
+  - Removed per-tool autofix flags: `--no-autofix-biome`, `--no-autofix-ruff`
+  - Removed feature flags: `--lens-verbose`, `--error-debt`, `--auto-install`, `--lens-eslint-core`
+  - Removed redundant `--lens-lsp` flag (LSP is default-on; use `--no-lsp` to disable)
+  - Removed internal dead flag: `--lens-blocking-only`
+  - **Removed `--no-lsp-install` flag** — LSP servers now always auto-install when needed (no manual opt-out)
+  - New minimal flag set: `--no-lsp`, `--no-autoformat`, `--no-autofix`, `--no-tests`, `--no-delta`, `--lens-guard`
+- **Cross-platform line ending handling** — all `.split("\n")` changed to `.split(/\r?\n/)` for Windows CRLF compatibility (11 files updated)
+
+### Fixed
+- **Biome VCS/ignore file errors eliminated** — disabled VCS integration in biome config to prevent "ignore file not found" errors:
+  - Changed `vcs.enabled: true` → `vcs.enabled: false` in `config/biome/core.jsonc`
+  - Biome was searching for `.gitignore` files that don't exist when running on arbitrary projects via pi-lens
+  - Eliminates biome:parse-error spam in logs when biome runs outside its config directory
+- **LSP server thrashing eliminated** — added 240s idle timeout to prevent repeated LSP shutdown/startup cycles:
+  - New `scheduleLSPIdleReset()` in `runtime-turn.ts` defers server reset when no files modified
+  - Cancel pending reset when active editing resumes (avoids interrupting workflows)
+  - Eliminates ~1-2s cold-start penalty during active development sessions
+  - Debug logging added for scheduling and cancellation events
+- **Biome check runner JSON parsing** — fixed error where biome's stderr warnings broke JSON parsing:
+  - Changed from parsing `stdout || stderr` to parsing `stdout` only
+  - Biome outputs text warnings (e.g., "couldn't find ignore file") to stderr which broke the JSON parser
+  - Fixes biome-check-json runner failing with parse errors instead of providing lint diagnostics
+- **Auto-install verification gap** — `getToolPath()` now verifies tool binaries actually work before using them:
+  - Runs `--version` check on local npm tools (not just file existence)
+  - Detects broken/corrupted installations (e.g., wrapper exists but package missing)
+  - Triggers automatic reinstall when binary verification fails
+  - Fixes case where `@biomejs/biome` package deleted but `.cmd` wrapper remained
+- **Error swallowing in tool availability checks** — `runtime-session.ts` now logs errors when biome/ast-grep/ruff/knip/dep/jscpd availability checks fail (was silently returning `false`)
+- **Biome check runner reliability** — fixed path resolution and configuration issues causing "skipped" status and parse errors:
+  - Fixed biome flag: `--output-format=json` → `--reporter=json`
+  - Fixed `findBiome()` to check `~/.pi-lens/tools/` directory (was falling back to bare "biome" not in PATH)
+  - Fixed `findBiome()` to return `{cmd, argsPrefix}` object for proper npx fallback with `@biomejs/biome` prefix
+  - Added `vcs.root: "."` to `config/biome/core.jsonc` to respect project `.gitignore`
+- **LSP error messaging** — improved error messages for Windows .cmd shim failures to distinguish "npm .cmd shim failed (underlying binary not installed)" from "may be missing or corrupted"
+- **Windows installer improvements** — multiple fixes for Windows tool discovery and LSP stability:
+  - Prefer `.cmd` over extensionless in local TOOLS_DIR path lookup on Windows
+  - Bypass PS1 hangs in LSP initialization with hard-kill on timeout
+  - Remove `.ps1` from pyright managed candidates and ast-grep discovery on Windows
+  - Use `SYSTEMDRIVE` env var instead of hardcoded `C:` for cargo fallback path
+- **Rust LSP** — exponential backoff circuit breaker for failing LSP connections
+- **Installer reliability** — remove `console.error` verbosity, route all events to `sessionstart.log`
+- **Circular dependencies** — fixed circular dependencies identified in code review
+- **Knip race condition** — fixed race condition in knip tool discovery
+- **Non-blocking tool availability checks** — changed all `ensureAvailable()` methods to use async `safeSpawnAsync` instead of sync `safeSpawn`, completing the startup unblocking work:
+  - `ruff-client.ts`, `biome-client.ts`, `sg-runner.ts` (first batch)
+  - `knip-client.ts`, `dependency-checker.ts`, `jscpd-client.ts` (second batch)
+  - `sg-runner.ts` — added missing `safeSpawnAsync` import
+- **Secrets scanner false positives** — fixed incorrect flagging of environment variable name references (e.g., `"FIREWORKS_API_KEY"`, `"AWS_ACCESS_KEY_ID"`) as hardcoded secrets:
+  - Added word boundaries to `hardcoded-secret` regex pattern
+  - Added `looksLikeEnvVarName()` filter to skip UPPERCASE_SNAKE_CASE values
+  - Prevents false positives when env var names are used as placeholder strings
+
+### Changed
+- **Biome check performance** — reduced lint latency from ~1.4s to ~100ms per file (92% improvement):
+  - Removed redundant `--version` pre-check spawn (~200ms saved)
+  - Switched from `biome check` to `biome lint` command (skip format validation)
+  - Added binary path caching per cwd to avoid repeated fs checks
+  - Benchmark: 107ms average vs 1400ms baseline
+- **Tree-sitter performance** — reduced structural analysis latency by 30-50%:
+  - Execute queries in parallel with concurrency limit of 6 (was sequential)
+  - Skip entity snapshot extraction for changes under 5 lines (~500-800ms saved for trivial edits)
+  - Reduces tree-sitter latency from ~3s to ~1-2s for typical files
+
 ## [3.8.28] - 2026-04-19
 
 ### Fixed

package/README.md

@@ -42,6 +42,7 @@ At `turn_end`, pi-lens:
 - persists turn findings for next context injection
 - updates debt/diagnostic tracking and cleans transient state
 - renders a review-graph impact cascade showing affected files and diagnostic propagation
+- manages LSP server lifecycle with a 240s idle timeout (resets when editing resumes)
 
 ## Install
 
@@ -62,17 +63,22 @@ pi install git:github.com/apmantza/pi-lens
 pi
 
 # Optional switches
-pi --no-lsp              # Disable unified LSP, use language-specific fallbacks
+pi --no-lsp              # Disable unified LSP diagnostics
 pi --no-autoformat        # Skip auto-formatting
 pi --no-autofix           # Skip auto-fix (Biome, Ruff, ESLint, stylelint, sqlfluff, RuboCop)
 pi --no-tests             # Skip test runner
-pi --no-shellcheck        # Disable shellcheck runner
+pi --no-delta             # Disable delta mode (show all diagnostics, not just new ones)
+pi --lens-guard           # Block git commit/push when unresolved blockers exist (experimental)
 ```
 
+LSP is enabled by default. Use `--no-lsp` to use language-specific fallbacks (ts-lsp, pyright) instead of the unified LSP service.
+
 ## Key Commands
 
 - `/lens-booboo` — full quality report for current project state
 - `/lens-health` — runtime health, latency, and diagnostic telemetry
+- `/lens-tools` — tool installation status: globally installed, auto-installed, or npx fallback
+- `/lens-tdi` — Technical Debt Index (TDI) and project health trend
 
 ## Language Coverage
 
@@ -147,6 +153,8 @@ pi-lens builds a review graph (`file → symbol → dependency`) during session
 
 pi-lens includes **37 language server definitions**. LSP is **enabled by default** (`--lsp` or no flag). Servers are auto-discovered from PATH, project `node_modules`, and managed installs. When a server is not installed, pi-lens offers an interactive install prompt.
 
+**LSP Idle Management:** LSP servers shut down after 240 seconds of inactivity (no files modified) to free resources. The timer resets when you resume editing, preventing cold-start penalties during active development.
+
 LSP servers for: TypeScript, Deno, Python (pyright + pylsp), Go, Rust, Ruby (ruby-lsp + solargraph), PHP, C# (omnisharp), F#, Java, Kotlin, Swift, Dart, Lua, C/C++, Zig, Haskell, Elixir, Gleam, OCaml, Clojure, Terraform, Nix, Bash, Docker, YAML, JSON, HTML, TOML, Prisma, Vue, Svelte, ESLint, CSS.
 
 ## Runners
@@ -251,4 +259,14 @@ Additional language servers (gopls, ruby-lsp, solargraph, etc.) are auto-detecte
 
 - Not every auto-install runs in every project: gate type decides when install is attempted.
 - Rule packs are customizable via project-level rule directories.
-- Inline suppression: `// pi-lens-ignore` or `# pi-lens-ignore` comments suppress diagnostic output for that line.
+- Inline suppression: `// pi-lens-ignore` or `# pi-lens-ignore` comments suppress diagnostic output for that line.
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `PI_LENS_STARTUP_MODE` | auto | `full`, `minimal`, or `quick` — override session startup behavior |
+| `PI_LENS_LOG_RETENTION_DAYS` | 7 | Days to retain log files before automatic cleanup |
+| `PI_LENS_MAX_LOG_SIZE_MB` | 10 | Max size in MB before rotating active log files |
+
+Logs are stored in `~/.pi-lens/` and automatically cleaned up at session start based on these settings.

package/clients/architect-client.ts

@@ -53,7 +53,6 @@ export interface FileArchitectResult {
 export class ArchitectClient {
 	private config: ArchitectConfig | null = null;
 	private isUserConfig: boolean = false;
-	private configPath: string | undefined;
 	private log: (msg: string) => void;
 
 	constructor(verbose = false) {
@@ -78,7 +77,6 @@ export class ArchitectClient {
 			try {
 				const content = fs.readFileSync(configPath, "utf-8");
 				this.config = this.parseYaml(content);
-				this.configPath = configPath;
 				this.isUserConfig = true;
 				this.log(`Loaded user architect config from ${configPath}`);
 				return true;
@@ -112,7 +110,6 @@ export class ArchitectClient {
 				try {
 					const content = fs.readFileSync(defaultPath, "utf-8");
 					this.config = this.parseYaml(content);
-					this.configPath = defaultPath;
 					this.isUserConfig = false;
 					this.log(
 						"Using default architect rules (create .pi-lens/architect.yaml to customize)",
@@ -187,7 +184,7 @@ export class ArchitectClient {
 				// biome-ignore lint/suspicious/noAssignInExpressions: RegExp.exec iteration
 				while ((match = regex.exec(content)) !== null) {
 					// Convert index to line number
-					const lineNum = content.slice(0, match.index).split("\n").length;
+					const lineNum = content.slice(0, match.index).split(/\r?\n/).length;
 					violations.push({
 						pattern: rule.pattern,
 						message: check.message,
@@ -263,7 +260,7 @@ export class ArchitectClient {
 		const ruleBlocks = content.split(/(?=^ {2}- pattern:)/m);
 
 		for (const block of ruleBlocks) {
-			const lines = block.split("\n");
+			const lines = block.split(/\r?\n/);
 			let rule: ArchitectRule | null = null;
 			let section: "must_not" | "must" | null = null;
 			let violation: {
@@ -387,5 +384,3 @@ export class ArchitectClient {
 }
 
 // --- Singleton ---
-
-const _instance: ArchitectClient | null = null;

package/clients/ast-grep-client.ts

@@ -22,13 +22,6 @@ import type {
 import { resolvePackagePath } from "./package-root.js";
 import { SgRunner } from "./sg-runner.js";
 
-const _getExtensionDir = () => {
-	if (typeof __dirname !== "undefined") {
-		return __dirname;
-	}
-	return ".";
-};
-
 // --- Client ---
 
 export class AstGrepClient {
@@ -345,7 +338,7 @@ message: found
 			output += `  ${ruleInfo} (${loc})${fix}\n`;
 
 			if (d.ruleDescription?.note) {
-				const shortNote = d.ruleDescription.note.split("\n")[0];
+				const shortNote = d.ruleDescription.note.split(/\r?\n/)[0];
 				output += `    → ${shortNote}\n`;
 			}
 		}

package/clients/ast-grep-parser.ts

@@ -51,7 +51,7 @@ export class AstGrepParser {
 		}
 
 		return output
-			.split("\n")
+			.split(/\r?\n/)
 			.filter((l) => l.trim())
 			.map((line) => {
 				try {

package/clients/ast-grep-rule-manager.ts

@@ -67,7 +67,7 @@ export class AstGrepRuleManager {
 		);
 		if (noteMatch) {
 			result.note = noteMatch[1]
-				.split("\n")
+				.split(/\r?\n/)
 				.map((line) => line.trim())
 				.filter((line) => line.length > 0)
 				.join(" ");
@@ -82,7 +82,7 @@ export class AstGrepRuleManager {
 		const fixMatch = content.match(/^fix:\s*\|?([\s\S]*?)(?=^\w|^rule:|Z)/m);
 		if (fixMatch) {
 			result.fix = fixMatch[1]
-				.split("\n")
+				.split(/\r?\n/)
 				.map((line) => line.replace(/^\s*\|?\s*/, ""))
 				.filter((line) => line.length > 0)
 				.join("\n");

package/clients/biome-client.ts

@@ -28,17 +28,6 @@ export interface BiomeDiagnostic {
 	fixable: boolean;
 }
 
-interface BiomeJsonDiagnostic {
-	message: string;
-	severity: "error" | "warning" | "info" | "hint";
-	category: string;
-	span?: {
-		start: { line: number; column: number };
-		end: { line: number; column: number };
-	};
-	advice?: Array<{ message: string }>;
-}
-
 // --- Client ---
 
 export class BiomeClient {
@@ -137,7 +126,7 @@ export class BiomeClient {
 		if (this.biomeAvailable !== null) return this.biomeAvailable;
 
 		// Check if already available
-		const result = this.spawnBiome(["--version"], 10000);
+		const result = await this.spawnBiomeAsync(["--version"], 10000);
 		if (!result.error && result.status === 0) {
 			this.biomeAvailable = true;
 			return true;
@@ -568,8 +557,8 @@ export class BiomeClient {
 	}
 
 	private computeDiff(original: string, formatted: string): string {
-		const origLines = original.split("\n");
-		const formLines = formatted.split("\n");
+		const origLines = original.split(/\r?\n/);
+		const formLines = formatted.split(/\r?\n/);
 
 		let changedLines = 0;
 		const changes: string[] = [];

package/clients/complexity-client.ts

@@ -213,7 +213,7 @@ export class ComplexityClient {
 		sourceFile: ts.SourceFile;
 	}): FileComplexity {
 		const { absolutePath, content, sourceFile } = parsed;
-		const lines = content.split("\n");
+		const lines = content.split(/\r?\n/);
 
 		// Line counts and function collection
 		const { codeLines, commentLines } = this.countLines(sourceFile, lines);
@@ -363,7 +363,6 @@ export class ComplexityClient {
 	 * Calculate max parameters across all functions
 	 */
 	private calculateMaxParams(functions: FunctionMetrics[]): number {
-		const _maxParams = 0;
 		// We stored function params in the metrics during analysis
 		// For now, estimate based on function length (longer functions often have more params)
 		return Math.min(
@@ -393,7 +392,7 @@ export class ComplexityClient {
 			/\/\*\*?\s*(Overview|Summary|Description|Example|Usage)\s*\*?\//i,
 		];
 
-		const lines = sourceText.split("\n");
+		const lines = sourceText.split(/\r?\n/);
 		for (const line of lines) {
 			// Only check comment lines
 			const trimmed = line.trim();
@@ -583,9 +582,10 @@ export class ComplexityClient {
 		let match;
 		while ((match = commentRegex.exec(text)) !== null) {
 			const lineStart = text.lastIndexOf("\n", match.index) + 1;
-			const startLine = text.substring(0, lineStart).split("\n").length - 1;
+			const startLine = text.substring(0, lineStart).split(/\r?\n/).length - 1;
 			const endLine =
-				text.substring(0, match.index + match[0].length).split("\n").length - 1;
+				text.substring(0, match.index + match[0].length).split(/\r?\n/).length -
+				1;
 			for (let i = startLine; i <= endLine; i++) {
 				commentPositions.add(i);
 			}

package/clients/dependency-checker.ts

@@ -11,7 +11,7 @@
 
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { safeSpawn } from "./safe-spawn.js";
+import { safeSpawn, safeSpawnAsync } from "./safe-spawn.js";
 
 // --- Types ---
 
@@ -63,7 +63,7 @@ export class DependencyChecker {
 		if (this.available !== null) return this.available;
 
 		// Check if available in PATH
-		const result = safeSpawn("madge", ["--version"], {
+		const result = await safeSpawnAsync("madge", ["--version"], {
 			timeout: 5000,
 		});
 		this.available = !result.error && result.status === 0;

package/clients/dispatch/diagnostic-taxonomy.ts

@@ -1,14 +1,4 @@
-import type { Diagnostic } from "./types.js";
-
-export type DefectClass =
-	| "silent-error"
-	| "injection"
-	| "secrets"
-	| "async-misuse"
-	| "correctness"
-	| "safety"
-	| "style"
-	| "unknown";
+import type { DefectClass, Diagnostic } from "./types.js";
 
 const SILENT_ERROR_HINTS = [
 	"empty-catch",
@@ -20,9 +10,27 @@ const SILENT_ERROR_HINTS = [
 	"silent",
 ];
 
-const INJECTION_HINTS = ["sql-injection", "eval", "exec", "inner-html", "javascript-url"];
-const SECRET_HINTS = ["secret", "token", "password", "api-key", "hardcoded-secrets"];
-const ASYNC_HINTS = ["await-in-loop", "promise", "concurrency", "async", "then-catch"];
+const INJECTION_HINTS = [
+	"sql-injection",
+	"eval",
+	"exec",
+	"inner-html",
+	"javascript-url",
+];
+const SECRET_HINTS = [
+	"secret",
+	"token",
+	"password",
+	"api-key",
+	"hardcoded-secrets",
+];
+const ASYNC_HINTS = [
+	"await-in-loop",
+	"promise",
+	"concurrency",
+	"async",
+	"then-catch",
+];
 
 function hasAny(haystack: string, hints: string[]): boolean {
 	return hints.some((h) => haystack.includes(h));
@@ -40,7 +48,11 @@ export function classifyDefect(
 	if (hasAny(text, SECRET_HINTS)) return "secrets";
 	if (hasAny(text, ASYNC_HINTS)) return "async-misuse";
 
-	if (text.includes("no-") || text.includes("return") || text.includes("constructor")) {
+	if (
+		text.includes("no-") ||
+		text.includes("return") ||
+		text.includes("constructor")
+	) {
 		return "correctness";
 	}
 
@@ -50,6 +62,8 @@ export function classifyDefect(
 	return "unknown";
 }
 
-export function classifyDiagnostic(d: Pick<Diagnostic, "rule" | "tool" | "message">): DefectClass {
+export function classifyDiagnostic(
+	d: Pick<Diagnostic, "rule" | "tool" | "message">,
+): DefectClass {
 	return classifyDefect(d.rule, d.tool, d.message);
 }

package/clients/dispatch/dispatcher.ts

@@ -17,15 +17,15 @@
 import * as path from "node:path";
 import type { FileKind } from "../file-kinds.js";
 import { detectFileKind } from "../file-kinds.js";
+import { isTestFile } from "../file-utils.js";
 import { getPrimaryDispatchGroup } from "../language-policy.js";
 import { resolveLanguageRootForFile } from "../language-profile.js";
-import { isTestFile } from "../file-utils.js";
 import { logLatency } from "../latency-logger.js";
 import { normalizeMapKey } from "../path-utils.js";
 import { RUNTIME_CONFIG } from "../runtime-config.js";
 import { safeSpawnAsync } from "../safe-spawn.js";
 import { classifyDiagnostic } from "./diagnostic-taxonomy.js";
-import { FactStore } from "./fact-store.js";
+import type { FactStore } from "./fact-store.js";
 import { getToolPlan } from "./plan.js";
 import { resolveRunnerPath } from "./runner-context.js";
 import { getToolProfile } from "./tool-profile.js";
@@ -135,7 +135,7 @@ export function createDispatchContext(
 		cwd: normalizedCwd,
 		kind,
 		pi,
-		autofix: !!(pi.getFlag("autofix-biome") || pi.getFlag("autofix-ruff")),
+		autofix: false,
 		deltaMode: !pi.getFlag("no-delta"),
 		facts,
 		blockingOnly,
@@ -215,7 +215,10 @@ function dedupeOverlappingDiagnostics(diagnostics: Diagnostic[]): Diagnostic[] {
  * Syntax: `// pi-lens-ignore: rule-id` (JS/TS) or `# pi-lens-ignore: rule-id` (Python/Ruby/etc.)
  * Place on the same line as the diagnostic or the line immediately above it.
  */
-function applyInlineSuppressions(diagnostics: Diagnostic[], content: string): Diagnostic[] {
+function applyInlineSuppressions(
+	diagnostics: Diagnostic[],
+	content: string,
+): Diagnostic[] {
 	if (!content || !diagnostics.length) return diagnostics;
 
 	// Build a set of (line, ruleId) pairs that are suppressed.
@@ -226,9 +229,12 @@ function applyInlineSuppressions(diagnostics: Diagnostic[], content: string): Di
 	for (let i = 0; i < lines.length; i++) {
 		const m = SUPPRESS_RE.exec(lines[i]);
 		if (!m) continue;
-		const rules = m[1].split(",").map((r) => r.trim()).filter(Boolean);
+		const rules = m[1]
+			.split(",")
+			.map((r) => r.trim())
+			.filter(Boolean);
 		const suppressedLine = i + 1; // same line (1-based)
-		const nextLine = i + 2;      // next line (1-based)
+		const nextLine = i + 2; // next line (1-based)
 		for (const ruleId of rules) {
 			suppressed.add(`${suppressedLine}:${ruleId}`);
 			suppressed.add(`${nextLine}:${ruleId}`);
@@ -342,7 +348,7 @@ function buildCoverageNotice(
 	runnerLatencies: RunnerLatency[],
 ): Diagnostic | undefined {
 	if (!ctx.kind) return undefined;
-	const lspEnabled = !!ctx.pi.getFlag("lens-lsp") && !ctx.pi.getFlag("no-lsp");
+	const lspEnabled = !ctx.pi.getFlag("no-lsp");
 	const primary = getPrimaryDispatchGroup(ctx.kind, lspEnabled);
 	if (!primary || primary.runnerIds.length === 0) return undefined;
 
@@ -367,7 +373,9 @@ function buildCoverageNotice(
 		(plan?.groups ?? [])
 			.filter(
 				(group) =>
-					!group.runnerIds.every((runnerId) => primary.runnerIds.includes(runnerId)),
+					!group.runnerIds.every((runnerId) =>
+						primary.runnerIds.includes(runnerId),
+					),
 			)
 			.flatMap((group) => group.runnerIds)
 			.filter((runnerId) => !primary.runnerIds.includes(runnerId)),
@@ -376,7 +384,12 @@ function buildCoverageNotice(
 	// Structural-only runners (tree-sitter, ast-grep, similarity) are not
 	// substitutes for real linters — don't suppress the notice if only they ran.
 	const STRUCTURAL_RUNNERS = new Set([
-		"tree-sitter", "ast-grep-napi", "similarity", "spellcheck", "architect", "fact-rules",
+		"tree-sitter",
+		"ast-grep-napi",
+		"similarity",
+		"spellcheck",
+		"architect",
+		"fact-rules",
 	]);
 	const anyLinterHasCoverage = runnerLatencies.some(
 		(r) =>
@@ -499,7 +512,7 @@ async function runGroup(
 		? group.runnerIds.filter((id) => {
 				const runner = registry.get(id);
 				return runner && ctx.kind && group.filterKinds?.includes(ctx.kind);
-		  })
+			})
 		: group.runnerIds;
 
 	const semantic = group.semantic ?? "warning";
@@ -614,7 +627,6 @@ export async function dispatchForFile(
 ): Promise<DispatchResult> {
 	const _overallStart = Date.now();
 	const allDiagnostics: Diagnostic[] = [];
-	const _fixed: Diagnostic[] = [];
 	let stopped = false;
 	const runnerLatencies: RunnerLatency[] = [];
 
@@ -668,12 +680,20 @@ export async function dispatchForFile(
 	// This avoids partial-baseline corruption when processing multiple groups.
 	const dedupedDiagnostics = dedupeOverlappingDiagnostics(allDiagnostics);
 	const overlapSuppressed = suppressLintOverlapsWithLsp(dedupedDiagnostics);
-	const fileContent = ctx.facts.getFileFact<string>(ctx.filePath, "file.content") ?? "";
-	const inlineSuppressed = applyInlineSuppressions(overlapSuppressed, fileContent);
+	const fileContent =
+		ctx.facts.getFileFact<string>(ctx.filePath, "file.content") ?? "";
+	const inlineSuppressed = applyInlineSuppressions(
+		overlapSuppressed,
+		fileContent,
+	);
 	let visibleDiagnostics = inlineSuppressed;
 	let resolvedCount = 0;
 	if (ctx.deltaMode && previousBaseline) {
-		const filtered = filterDelta(visibleDiagnostics, previousBaseline, (d) => d.id);
+		const filtered = filterDelta(
+			visibleDiagnostics,
+			previousBaseline,
+			(d) => d.id,
+		);
 		visibleDiagnostics = promoteDeltaUnusedToBlockers(filtered.new);
 		resolvedCount = filtered.fixed.length;
 	}
@@ -693,15 +713,19 @@ export async function dispatchForFile(
 
 	// Append fixed and fixable diagnostics to the persistent worklog
 	if (fixedItems.length > 0) {
-		import("../fix-worklog.js").then(({ appendToWorklog }) => {
-			appendToWorklog(ctx.cwd, fixedItems, true);
-		}).catch(() => {});
+		import("../fix-worklog.js")
+			.then(({ appendToWorklog }) => {
+				appendToWorklog(ctx.cwd, fixedItems, true);
+			})
+			.catch(() => {});
 	}
 	const fixableWarnings = warnings.filter((d) => d.fixable);
 	if (fixableWarnings.length > 0) {
-		import("../fix-worklog.js").then(({ appendToWorklog }) => {
-			appendToWorklog(ctx.cwd, fixableWarnings, false);
-		}).catch(() => {});
+		import("../fix-worklog.js")
+			.then(({ appendToWorklog }) => {
+				appendToWorklog(ctx.cwd, fixableWarnings, false);
+			})
+			.catch(() => {});
 	}
 
 	const inlineBlockers = blockers.filter((d) => d.tool !== "similarity");
@@ -804,7 +828,10 @@ function looksLikeDiagnosticCodePath(value: string): boolean {
 	return false;
 }
 
-function normalizeDiagnosticFilePath(ctx: DispatchContext, rawPath?: string): string {
+function normalizeDiagnosticFilePath(
+	ctx: DispatchContext,
+	rawPath?: string,
+): string {
 	if (typeof rawPath === "string" && looksLikeDiagnosticCodePath(rawPath)) {
 		ctx.log(
 			`runner path normalization: ignored diagnostic code-like path '${rawPath}', using current file`,