pi-lens 3.8.37 → 3.8.39

package/commands/booboo.ts

@@ -1149,9 +1149,7 @@ export async function handleBooboo(
 						inner.spans?.[0];
 					if (!span) continue;
 					const absFile = span.file_name
-						? path.isAbsolute(span.file_name)
-							? span.file_name
-							: path.join(targetPath, span.file_name)
+						? (path.isAbsolute(span.file_name) ? span.file_name : path.join(targetPath, span.file_name))
 						: targetPath;
 					issues.push({
 						file: path.relative(targetPath, absFile),
@@ -1183,9 +1181,7 @@ export async function handleBooboo(
 					for (const diag of json?.generalDiagnostics ?? []) {
 						if (!["error", "warning"].includes(diag.severity)) continue;
 						const absFile = diag.file
-							? path.isAbsolute(diag.file)
-								? diag.file
-								: path.join(targetPath, diag.file)
+							? (path.isAbsolute(diag.file) ? diag.file : path.join(targetPath, diag.file))
 							: targetPath;
 						if (shouldIncludeFile(absFile)) {
 							issues.push({
@@ -1331,7 +1327,7 @@ export async function handleBooboo(
 				);
 				const output = (result.stdout || "") + (result.stderr || "");
 				const csRe =
-					/^([^\s(]+\.cs)\((\d+),(\d+)\):\s+(error|warning)\s+([A-Z]+\d+):\s+([^\[]+)/gm;
+					/^([^\s(]+\.cs)\((\d+),(\d+)\):\s+(error|warning)\s+([A-Z]+\d+):\s+([^[]+)/gm;
 				for (const m of output.matchAll(csRe)) {
 					const [, file, line, col, sev, code, msg] = m;
 					const absFile = path.isAbsolute(file)
@@ -1394,10 +1390,13 @@ export async function handleBooboo(
 					timeout: 60_000,
 				});
 				const output = (result.stdout || "") + (result.stderr || "");
-				const gleamRe =
-					/^([^:\n]+):(\d+):(\d+)\s*(?:error|warning)[^\n]*\n([^\n]+)/gm;
-				for (const m of output.matchAll(gleamRe)) {
-					const [, file, line, col, msg] = m;
+				const gleamLines = output.split("\n");
+				const gleamHeaderRe = /^([^:]+):(\d+):(\d+)[ \t]*(?:error|warning)/;
+				for (let i = 0; i < gleamLines.length; i++) {
+					const m = gleamHeaderRe.exec(gleamLines[i]);
+					if (!m) continue;
+					const [, file, line, col] = m;
+					const msg = gleamLines[i + 1]?.trim() ?? "";
 					const absFile = path.isAbsolute(file)
 						? file
 						: path.join(targetPath, file);
@@ -1408,7 +1407,7 @@ export async function handleBooboo(
 							col: parseInt(col, 10),
 							severity: "error",
 							code: "gleam",
-							message: msg.trim(),
+							message: msg,
 							compiler: "gleam check",
 						});
 					}
@@ -1426,8 +1425,10 @@ export async function handleBooboo(
 					timeout: 120_000,
 				});
 				const output = (result.stdout || "") + (result.stderr || "");
-				const zigRe = /^([^:\n]+):(\d+):(\d+):\s*(error|warning|note):\s*([^\n]+)/gm;
-				for (const m of output.matchAll(zigRe)) {
+				const zigLineRe = /^([^:]+):(\d+):(\d+):[ \t]*(error|warning|note):[ \t]*(.+)/;
+				for (const zigLine of output.split("\n")) {
+					const m = zigLineRe.exec(zigLine);
+					if (!m) continue;
 					const [, file, line, col, sev, msg] = m;
 					const absFile = path.isAbsolute(file)
 						? file

package/index.ts

@@ -1148,7 +1148,7 @@ export default function (pi: ExtensionAPI) {
 				if (dupeWarnings.length > 0) {
 					return {
 						block: true,
-						reason: `🔴 STOP - Redefining existing export(s). Import instead:\n${dupeWarnings.map((w) => `  • ${w}`).join("\n")}`,
+						reason: "🔴 STOP - Redefining existing export(s). Import instead:\n" + dupeWarnings.map((w) => "  • " + w).join("\n"),
 					};
 				}
 
@@ -1321,9 +1321,9 @@ export default function (pi: ExtensionAPI) {
 	// --- Inject turn-end findings into next agent turn ---
 	// jscpd, madge, and turn-end delta results are cached at turn_end and consumed here
 	// via the context event, which fires before each provider request.
-	// Important: context handlers must APPEND to the existing message list, not replace it.
-	// Replacing `event.messages` can drop the user's first prompt entirely, which causes
-	// OpenAI Responses requests to fail with: "One of input/previous_response_id/prompt/conversation_id must be provided."
+	// Important: keep the user's prompt as the trailing message. Some provider bridges
+	// treat the final message as the active user action, so pi-lens context must be
+	// prepended instead of appended.
 	// biome-ignore lint/suspicious/noExplicitAny: pi.on("context") overload has TS resolution bug
 	(pi as any).on(
 		"context",
@@ -1348,7 +1348,7 @@ export default function (pi: ExtensionAPI) {
 						?.messages ?? [];
 
 				return {
-					messages: [...existingMessages, ...injectedMessages],
+					messages: [...injectedMessages, ...existingMessages],
 				};
 			} catch (err) {
 				dbg(`context event error: ${err}`);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pi-lens",
-	"version": "3.8.37",
+	"version": "3.8.39",
 	"type": "module",
 	"description": "Real-time code feedback for pi \u2014 LSP, linters, formatters, type-checking, structural analysis & booboo",
 	"repository": {
@@ -55,7 +55,8 @@
 		"tsconfig.json",
 		"README.md",
 		"CHANGELOG.md",
-		"banner.svg"
+		"banner.svg",
+		"banner.png"
 	],
 	"peerDependencies": {
 		"@mariozechner/pi-coding-agent": "*"

package/rules/rule-catalog.json

@@ -59,6 +59,57 @@
     { "rule_id": "missed-concurrency", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
     { "rule_id": "missed-concurrency-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "sequential-awaits-parallelizable", "severity_default": "warning", "confidence": "medium", "status": "active" },
     { "rule_id": "no-await-in-loop", "engine": "ast-grep", "language": "typescript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" },
-    { "rule_id": "no-await-in-loop-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" }
+    { "rule_id": "no-await-in-loop-js", "engine": "ast-grep", "language": "javascript", "family": "concurrency", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "warning", "confidence": "medium", "status": "active" },
+
+    { "rule_id": "return-in-init", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "return-in-init", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "yield-return-outside-function", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "file", "canonical_concept": "invalid-statement-context", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "notimplemented-boolean-context", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "deprecated-boolean-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "exit-signature-check", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "context-manager-signature", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "return-in-generator", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "return-in-generator", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "iter-return-iterator", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "iter-protocol-violation", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "switch-non-case-labels", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "switch-label-violation", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-clone-override", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "class", "canonical_concept": "clone-override", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "main-should-not-throw", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "main-throws-exception", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-threadgroup", "engine": "tree-sitter", "language": "java", "family": "security", "scope": "file", "canonical_concept": "deprecated-api-usage", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "this-in-static-context", "engine": "tree-sitter", "language": "php", "family": "reliability", "scope": "function", "canonical_concept": "this-in-static-context", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-exit-die", "engine": "tree-sitter", "language": "php", "family": "reliability", "scope": "function", "canonical_concept": "abrupt-termination", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "case-range-multiple-values", "engine": "tree-sitter", "language": "c", "family": "maintainability", "scope": "function", "canonical_concept": "case-range-single-value", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "goto-label-order", "engine": "tree-sitter", "language": "c", "family": "maintainability", "scope": "function", "canonical_concept": "backward-goto", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "goto-into-block", "engine": "tree-sitter", "language": "c", "family": "maintainability", "scope": "function", "canonical_concept": "goto-into-block", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-auto-ptr", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "file", "canonical_concept": "deprecated-auto-ptr", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-memset-sensitive-data", "engine": "tree-sitter", "language": "cpp", "family": "security", "scope": "function", "canonical_concept": "insecure-memory-clear", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-scoped-lock-without-args", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "function", "canonical_concept": "scoped-lock-no-mutex", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-confused-move-forward", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "function", "canonical_concept": "move-forward-confusion", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "is-with-this", "engine": "tree-sitter", "language": "csharp", "family": "maintainability", "scope": "function", "canonical_concept": "is-operator-with-this", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-operator-eq-reference", "engine": "tree-sitter", "language": "csharp", "family": "maintainability", "scope": "class", "canonical_concept": "operator-eq-reference-type", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-dangerous-get-handle", "engine": "tree-sitter", "language": "csharp", "family": "reliability", "scope": "function", "canonical_concept": "unsafe-handle-access", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "no-thread-resume-suspend", "engine": "tree-sitter", "language": "csharp", "family": "reliability", "scope": "function", "canonical_concept": "deprecated-thread-api", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "async-await-identifiers", "engine": "tree-sitter", "language": "csharp", "family": "maintainability", "scope": "file", "canonical_concept": "keyword-as-identifier", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "in-operator-unsupported", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "in-operator-unsupported", "severity_default": "warning", "confidence": "medium", "status": "active" },
+    { "rule_id": "spring-session-attributes-setcomplete", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "class", "canonical_concept": "session-attributes-cleanup", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "springboot-default-package", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "file", "canonical_concept": "default-package-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "prepared-statement-valid-indices", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "jdbc-invalid-index", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "delete-update-where", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "sql-missing-where", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "fetch-bulk-collect-limit", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "fetch-no-limit", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "prepared-statement-indices", "engine": "tree-sitter", "language": "kotlin", "family": "reliability", "scope": "function", "canonical_concept": "jdbc-invalid-index", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "delete-where", "engine": "tree-sitter", "language": "abap", "family": "reliability", "scope": "function", "canonical_concept": "sql-missing-where", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "alter-statement", "engine": "tree-sitter", "language": "cobol", "family": "maintainability", "scope": "file", "canonical_concept": "alter-statement-usage", "severity_default": "warning", "confidence": "high", "status": "active" },
+    { "rule_id": "calc-spacing", "engine": "tree-sitter", "language": "css", "family": "reliability", "scope": "file", "canonical_concept": "calc-spacing-error", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "switch-non-case-labels-js", "engine": "tree-sitter", "language": "javascript", "family": "reliability", "scope": "function", "canonical_concept": "switch-label-violation", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-exit-methods", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "abrupt-termination", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-threads-in-constructors", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "constructor", "canonical_concept": "thread-in-constructor", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "switch-fall-through", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "switch-fall-through", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-wait-notify-on-thread", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "wait-on-thread-instance", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-double-checked-locking", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "double-checked-locking", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-future-keywords", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "file", "canonical_concept": "future-keyword-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-field-shadowing", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "class", "canonical_concept": "field-shadowing", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "junit-call-super", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "missing-super-call", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "forallsave-exceptions", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "forall-no-save-exceptions", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "not-null-initialization", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "not-null-uninitialized", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "end-loop-semicolon", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "missing-semicolon", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "raise-application-error-codes", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "invalid-error-code", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-synchronize", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "synchronize-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "send-file-mimetype", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "send-file-missing-mimetype", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "noexcept-functions", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "function", "canonical_concept": "missing-noexcept", "severity_default": "error", "confidence": "medium", "status": "active" }
   ]
 }

package/rules/tree-sitter-queries/abap/delete-where.yml

@@ -0,0 +1,46 @@
+# ABAP DELETE Without WHERE
+# Detects DELETE statements without WHERE in ABAP
+id: delete-where
+name: DELETE FROM Should Have WHERE Clause
+severity: error
+category: reliability
+defect_class: correctness
+inline_tier: blocking
+language: abap
+
+message: "DELETE FROM statement should have a WHERE clause"
+
+description: |
+  DELETE FROM without WHERE deletes ALL rows. Almost always a bug.
+
+  ✅ FIX: Add WHERE clause
+
+  ```abap
+  DELETE FROM employees WHERE id = lv_id.  " GOOD
+  ```
+
+query: |
+  (delete_statement
+    (delete) @DELETE
+    (from_clause)
+    (where_clause)? @WHERE)
+
+metavars:
+  - DELETE
+  - WHERE
+
+post_filter: missing_where
+
+tags:
+  - reliability
+  - abap
+  - data-loss
+
+examples:
+  bad: |
+    DELETE FROM employees.  " BAD
+
+  good: |
+    DELETE FROM employees WHERE id = 123.  " GOOD
+
+has_fix: false

package/rules/tree-sitter-queries/c/case-range-multiple-values.yml

@@ -0,0 +1,65 @@
+# Case Ranges Should Cover Multiple Values
+# Detects case statements with ranges that only cover single values
+id: case-range-multiple-values
+name: Case Ranges Should Cover Multiple Values
+severity: warning
+category: maintainability
+defect_class: correctness
+inline_tier: warning
+language: c
+
+message: "Case range should cover multiple values"
+
+description: |
+  GCC case ranges (case 1..5:) should cover multiple values.
+  Using ranges for single values is confusing and unnecessary.
+
+  ✅ FIX: Use regular case for single values, ranges for multiple
+
+  ```c
+  switch (value) {
+      case 1:           // Single value - use regular case
+          break;
+      case 10..20:      // Range - multiple values
+          break;
+  }
+  ```
+
+query: |
+  (switch_statement
+    body: (compound_statement
+      (case_statement
+        value: (range_expression
+          (number_literal) @START
+          (number_literal) @END) @RANGE)))
+
+metavars:
+  - START
+  - END
+  - RANGE
+
+post_filter: case_range_single_value
+
+tags:
+  - maintainability
+  - c
+  - gnu
+  - switch
+
+examples:
+  bad: |
+    switch (val) {
+        case 5..5:  // BAD - range with single value
+            break;
+    }
+
+  good: |
+    switch (val) {
+        case 5:  // GOOD - single value
+            break;
+        case 10..20:  // GOOD - actual range
+            break;
+    }
+
+has_fix: true
+fix_action: simplify_single_case_range

package/rules/tree-sitter-queries/c/goto-into-block.yml

@@ -0,0 +1,72 @@
+# Goto Into Block
+# Detects goto statements that jump into blocks
+id: goto-into-block
+name: Goto Should Not Jump Into Blocks
+severity: warning
+category: maintainability
+defect_class: correctness
+inline_tier: blocking
+language: c
+
+message: "goto statements should not be used to jump into blocks"
+
+description: |
+  Jumping into a block bypasses variable initialization and
+  is undefined behavior. This is a MISRA C requirement.
+
+  ✅ FIX: Jump to the block's beginning or restructure code
+
+  ```c
+  void process() {
+      if (error) {
+          goto cleanup;
+      }
+      // ... code ...
+  cleanup:
+      {  // Jump to block start
+          free_resources();
+      }
+  }
+  ```
+
+query: |
+  (function_definition
+    body: (compound_statement
+      (goto_statement
+        (statement_identifier) @TARGET) @GOTO))
+
+metavars:
+  - TARGET
+  - GOTO
+
+post_filter: goto_targets_inner_block
+
+tags:
+  - maintainability
+  - c
+  - misra
+  - undefined-behavior
+
+examples:
+  bad: |
+    void func() {
+        if (cond) {
+            goto inside;  // BAD - jumps into block
+        }
+        {
+        inside:
+            x = 1;  // Variable might not be initialized!
+        }
+    }
+
+  good: |
+    void func() {
+        if (cond) {
+            needsProcessing = true;
+        }
+        if (needsProcessing) {  // GOOD - restructure
+            x = 1;
+        }
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/c/goto-label-order.yml

@@ -0,0 +1,65 @@
+# Goto Label Order
+# Detects goto statements that jump to labels declared earlier
+id: goto-label-order
+name: Goto Should Jump to Later Labels
+severity: warning
+category: maintainability
+defect_class: correctness
+inline_tier: warning
+language: c
+
+message: "goto should jump to labels declared later in the same function"
+
+description: |
+  Goto statements should only jump forward to labels declared later.
+  Backward jumps create spaghetti code and are harder to understand.
+  This is a MISRA C requirement.
+
+  ✅ FIX: Restructure to use forward jumps only
+
+  ```c
+  void process() {
+      if (error) {
+          goto cleanup;  // Forward jump - OK
+      }
+      // ... code ...
+  cleanup:
+      free_resources();
+  }
+  ```
+
+query: |
+  (function_definition
+    body: (compound_statement
+      (goto_statement
+        (statement_identifier) @LABEL) @GOTO))
+
+metavars:
+  - LABEL
+  - GOTO
+
+post_filter: goto_jumps_backward
+
+tags:
+  - maintainability
+  - c
+  - misra
+  - control-flow
+
+examples:
+  bad: |
+    void func() {
+    loop:
+        if (done) return;
+        process();
+        goto loop;  // BAD - backward jump
+    }
+
+  good: |
+    void func() {
+        while (!done) {  // GOOD - use loop instead
+            process();
+        }
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/cobol/alter-statement.yml

@@ -0,0 +1,39 @@
+# COBOL ALTER Statement
+# Detects ALTER statement usage in COBOL
+id: alter-statement
+name: ALTER Should Not Be Used
+severity: warning
+category: maintainability
+defect_class: correctness
+inline_tier: warning
+language: cobol
+
+message: "ALTER should not be used - causes spaghetti code"
+
+description: |
+  ALTER changes paragraph/section execution flow at runtime.
+  This is deprecated and causes unmaintainable spaghetti code.
+
+  ✅ FIX: Restructure to use PERFORM or other control flow
+
+query: |
+  (alter_statement
+    (ALTER) @ALTER)
+
+metavars:
+  - ALTER
+
+tags:
+  - maintainability
+  - cobol
+  - brain-overload
+  - deprecated
+
+examples:
+  bad: |
+    ALTER PARA-1 TO PROCEED TO PARA-2.  -- BAD
+
+  good: |
+    PERFORM PARA-2.  -- GOOD - explicit control flow
+
+has_fix: false

package/rules/tree-sitter-queries/cpp/no-auto-ptr.yml

@@ -0,0 +1,49 @@
+# No std::auto_ptr
+# Detects usage of deprecated std::auto_ptr
+id: no-auto-ptr
+name: std::auto_ptr Should Not Be Used
+severity: error
+category: reliability
+defect_class: correctness
+inline_tier: blocking
+language: cpp
+
+message: "std::auto_ptr should not be used — use std::unique_ptr instead"
+
+description: |
+  std::auto_ptr is deprecated (since C++11) and removed in C++17.
+  It has dangerous copy semantics. Use std::unique_ptr instead.
+
+  ✅ FIX: Replace with std::unique_ptr
+
+  ```cpp
+  std::unique_ptr<MyClass> ptr = std::make_unique<MyClass>();  // GOOD
+  ```
+
+query: |
+  (template_type
+    name: (type_identifier) @NAME (#eq? @NAME "auto_ptr")
+    arguments: (template_argument_list) @ARGS)
+  ((type_identifier) @NAME
+    (#eq? @NAME "auto_ptr"))
+
+metavars:
+  - NAME
+  - ARGS
+
+tags:
+  - reliability
+  - cpp
+  - deprecated
+  - since-cpp11
+  - removed-cpp17
+
+examples:
+  bad: |
+    std::auto_ptr<MyClass> ptr(new MyClass());  // BAD - deprecated
+
+  good: |
+    std::unique_ptr<MyClass> ptr = std::make_unique<MyClass>();  // GOOD
+
+has_fix: true
+fix_action: replace_auto_with_unique_ptr

package/rules/tree-sitter-queries/cpp/no-confused-move-forward.yml

@@ -0,0 +1,59 @@
+# No Confused std::move/std::forward
+# Detects potential confusion between std::move and std::forward
+id: no-confused-move-forward
+name: std::move and std::forward Should Not Be Confused
+severity: error
+category: reliability
+defect_class: correctness
+inline_tier: blocking
+language: cpp
+
+message: "std::move and std::forward should not be confused"
+
+description: |
+  std::move unconditionally casts to rvalue, while std::forward
+  conditionally casts based on template parameter. Using the wrong
+  one can lead to subtle bugs and unexpected copies/moves.
+
+  ✅ FIX: Use std::move for known objects, std::forward for templates
+
+  ```cpp
+  template<typename T>
+  void process(T&& t) {
+      other(std::forward<T>(t));  // Correct - preserve value category
+  }
+  ```
+
+query: |
+  (call_expression
+    function: (qualified_identifier
+      name: (identifier) @FUNC
+      (#match? @FUNC "^(move|forward)$"))
+    arguments: (argument_list) @ARGS)
+
+post_filter: confused_move_forward
+
+metavars:
+  - FUNC
+  - ARGS
+
+tags:
+  - reliability
+  - cpp
+  - move-semantics
+  - cppcoreguidelines
+
+examples:
+  bad: |
+    template<typename T>
+    void wrapper(T&& t) {
+        return foo(std::move(t));  // BAD - breaks perfect forwarding
+    }
+
+  good: |
+    template<typename T>
+    void wrapper(T&& t) {
+        return foo(std::forward<T>(t));  // GOOD - preserves category
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/cpp/no-memset-sensitive-data.yml

@@ -0,0 +1,57 @@
+# No Memset For Sensitive Data
+# Detects memset used to clear sensitive data
+id: no-memset-sensitive-data
+name: memset Should Not Be Used to Delete Sensitive Data
+severity: error
+category: security
+defect_class: security
+inline_tier: blocking
+language: cpp
+
+message: "memset should not be used to delete sensitive data — use SecureZeroMemory or explicit_bzero"
+
+description: |
+  memset can be optimized away by compilers, leaving sensitive data
+  in memory. Use SecureZeroMemory (Windows), explicit_bzero (Linux),
+  or std::fill with volatile for clearing passwords/keys.
+
+  ✅ FIX: Use secure memory clearing functions
+
+  ```cpp
+  #ifdef _WIN32
+  SecureZeroMemory(password, sizeof(password));
+  #else
+  explicit_bzero(password, sizeof(password));
+  #endif
+  ```
+
+query: |
+  (call_expression
+    function: (identifier) @FUNC (#eq? @FUNC "memset")
+    arguments: (argument_list) @ARGS)
+
+metavars:
+  - FUNC
+  - ARGS
+
+post_filter: memset_for_sensitive_data
+
+tags:
+  - security
+  - cpp
+  - cwe
+  - cryptography
+  - memory
+
+examples:
+  bad: |
+    char password[32];
+    // ... use password ...
+    memset(password, 0, sizeof(password));  // BAD - may be optimized away!
+
+  good: |
+    char password[32];
+    // ... use password ...
+    explicit_bzero(password, sizeof(password));  // GOOD - guaranteed clear
+
+has_fix: false