pi-lens 3.8.39 → 3.8.41

package/index.ts

@@ -7,6 +7,11 @@ import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
 import { AstGrepClient } from "./clients/ast-grep-client.js";
 import { loadBootstrapClients } from "./clients/bootstrap.js";
 import { CacheManager } from "./clients/cache-manager.js";
+import {
+	clearWidgetState,
+	renderWidget,
+	setRenderCallback,
+} from "./clients/widget-state.js";
 import { getDiagnosticTracker } from "./clients/diagnostic-tracker.js";
 import {
 	getCascadeSessionStats,
@@ -46,8 +51,21 @@ import {
 } from "./clients/runtime-context.js";
 import { RuntimeCoordinator } from "./clients/runtime-coordinator.js";
 import { handleSessionStart } from "./clients/runtime-session.js";
-import { handleToolResult } from "./clients/runtime-tool-result.js";
+import {
+	clearLastAnalyzedStateCache,
+	handleToolResult,
+} from "./clients/runtime-tool-result.js";
 import { cancelLSPIdleReset, handleTurnEnd } from "./clients/runtime-turn.js";
+import { isExternalOrVendorFile } from "./clients/path-utils.js";
+import { safeSpawnAsync } from "./clients/safe-spawn.js";
+import {
+	createStarterSemgrepConfig,
+	findLocalSemgrepConfig,
+	loadPiLensSemgrepConfig,
+	removePiLensSemgrepConfig,
+	resolveSemgrepConfig,
+	savePiLensSemgrepConfig,
+} from "./clients/semgrep-config.js";
 import { TreeSitterClient } from "./clients/tree-sitter-client.js";
 import { handleBooboo } from "./commands/booboo.js";
 import { initI18n, t } from "./i18n.js";
@@ -201,12 +219,16 @@ function isLspCapableFile(filePath: string): boolean {
 	return LANGUAGE_POLICY[kind]?.lspCapable !== false;
 }
 
-function shouldSkipLspAutoTouch(filePath: string): boolean {
+function shouldSkipLspAutoTouch(
+	filePath: string,
+	projectRoot: string,
+): boolean {
 	const normalized = path.resolve(filePath).replace(/\\/g, "/").toLowerCase();
 	const base = path.basename(filePath).toLowerCase();
 
 	if (normalized.includes("/.pi-lens/")) return true;
 	if (normalized.includes("/.harness/")) return true;
+	if (isExternalOrVendorFile(filePath, projectRoot)) return true;
 	if (
 		base === "stdout.jsonl" ||
 		base === "stderr.txt" ||
@@ -295,6 +317,13 @@ export default function (pi: ExtensionAPI) {
 
 	// --- Flags ---
 
+	pi.registerFlag("no-lens", {
+		description:
+			"Start pi-lens disabled for this session. Re-enable with /lens-toggle.",
+		type: "boolean",
+		default: false,
+	});
+
 	pi.registerFlag("no-lsp", {
 		description:
 			"Disable unified LSP diagnostics and use language-specific fallbacks (for example ts-lsp, pyright)",
@@ -341,14 +370,148 @@ export default function (pi: ExtensionAPI) {
 		default: false,
 	});
 
+	pi.registerFlag("lens-semgrep", {
+		description:
+			"Enable Semgrep dispatch when a Semgrep config is available (or with --lens-semgrep-config)",
+		type: "boolean",
+		default: false,
+	});
+
+	pi.registerFlag("lens-semgrep-config", {
+		description:
+			"Semgrep config for dispatch: local path, auto, p/<pack>, or r/<rule>. Requires --lens-semgrep.",
+		type: "string",
+		default: "",
+	});
+
 	pi.registerFlag("no-read-guard", {
 		description: "Disable read-before-edit behavior monitor",
 		type: "boolean",
 		default: false,
 	});
 
+	let lensEnabled = !pi.getFlag("no-lens");
+
 	// --- Commands ---
 
+	pi.registerCommand("lens-toggle", {
+		description:
+			"Toggle pi-lens on/off for the current session. Usage: /lens-toggle",
+		handler: async (_args, ctx) => {
+			lensEnabled = !lensEnabled;
+			ctx.ui.notify(
+				lensEnabled
+					? "pi-lens enabled for this session."
+					: "pi-lens disabled for this session. Run /lens-toggle again to resume.",
+				lensEnabled ? "info" : "warning",
+			);
+		},
+	});
+
+	pi.registerCommand("lens-semgrep", {
+		description:
+			"Manage Semgrep dispatch. Usage: /lens-semgrep status | enable [--config <auto|p/pack|path>] | disable | init",
+		handler: async (args, ctx) => {
+			const parts = normalizeCommandArgs(args);
+			const action = parts[0] ?? "status";
+			const cwd = ctx.cwd ?? runtime.projectRoot;
+
+			function readConfigArg(): string | undefined {
+				const flagIndex = parts.findIndex(
+					(part) => part === "--config" || part === "-c",
+				);
+				if (flagIndex >= 0) return parts[flagIndex + 1];
+				return parts[1] && !parts[1].startsWith("-") ? parts[1] : undefined;
+			}
+
+			if (action === "enable") {
+				const config = readConfigArg();
+				const localConfig = findLocalSemgrepConfig(cwd);
+				if (!config && !localConfig) {
+					ctx.ui.notify(
+						[
+							"Semgrep dispatch not enabled yet: no local .semgrep.yml was found.",
+							"Use `/lens-semgrep init` to create a starter local config, or `/lens-semgrep enable --config auto` / `p/<pack>` if you want Semgrep registry/platform configuration.",
+							"pi-lens will not auto-install Semgrep; install it with pipx/uv/brew first and login only if your chosen Semgrep config requires it.",
+						].join("\n"),
+						"warning",
+					);
+					return;
+				}
+
+				const savedPath = savePiLensSemgrepConfig(cwd, {
+					enabled: true,
+					...(config ? { config } : {}),
+				});
+				ctx.ui.notify(
+					`Semgrep dispatch enabled (${config ? `config: ${config}` : `local config: ${localConfig}`}). Saved ${savedPath}`,
+					"info",
+				);
+				return;
+			}
+
+			if (action === "disable") {
+				const savedPath = savePiLensSemgrepConfig(cwd, { enabled: false });
+				ctx.ui.notify(`Semgrep dispatch disabled. Saved ${savedPath}`, "info");
+				return;
+			}
+
+			if (action === "clear") {
+				const removed = removePiLensSemgrepConfig(cwd);
+				ctx.ui.notify(
+					removed
+						? "Removed .pi-lens/semgrep.json; Semgrep now auto-enables only when local .semgrep.yml exists."
+						: "No .pi-lens/semgrep.json found.",
+					"info",
+				);
+				return;
+			}
+
+			if (action === "init") {
+				const configPath = createStarterSemgrepConfig(cwd);
+				const savedPath = savePiLensSemgrepConfig(cwd, { enabled: true });
+				ctx.ui.notify(
+					`Created starter Semgrep config at ${configPath} and enabled Semgrep dispatch (${savedPath}).`,
+					"info",
+				);
+				return;
+			}
+
+			if (action !== "status") {
+				ctx.ui.notify(
+					"Usage: /lens-semgrep status | enable [--config <auto|p/pack|path>] | disable | clear | init",
+					"warning",
+				);
+				return;
+			}
+
+			const localConfig = findLocalSemgrepConfig(cwd);
+			const piLensConfig = loadPiLensSemgrepConfig(cwd);
+			const resolved = resolveSemgrepConfig(cwd, {
+				enabled: Boolean(pi.getFlag("lens-semgrep")),
+				config: pi.getFlag("lens-semgrep-config"),
+			});
+			const version = await safeSpawnAsync("semgrep", ["--version"], {
+				cwd,
+				timeout: 5000,
+			});
+			const lines = [
+				"🔎 SEMGREP DISPATCH",
+				`CLI: ${!version.error && version.status === 0 ? `installed (${(version.stdout || version.stderr).trim()})` : "not found on PATH"}`,
+				`Local config: ${localConfig ?? "none"}`,
+				`pi-lens config: ${piLensConfig ? JSON.stringify(piLensConfig) : "none"}`,
+				`Effective: ${resolved.enabled ? "enabled" : "disabled"}`,
+				`Config arg: ${resolved.configArg ?? "none"}`,
+			];
+			if (resolved.reason) lines.push(`Reason: ${resolved.reason}`);
+			lines.push(
+				"",
+				"No auto-install. Token/login is only needed for Semgrep AppSec/Pro/managed configs; local .semgrep.yml scans do not require a token.",
+			);
+			ctx.ui.notify(lines.join("\n"), resolved.enabled ? "info" : "warning");
+		},
+	});
+
 	pi.registerCommand("lens-booboo", {
 		description:
 			"Full codebase review: design smells, complexity, AI slop detection, TODOs, dead code, duplicates, type coverage. Results saved to .pi-lens/reviews/. Usage: /lens-booboo [path]",
@@ -762,6 +925,20 @@ export default function (pi: ExtensionAPI) {
 				resetLSPService,
 			});
 			ctx.ui && updateLspStatus(ctx.ui.setStatus, ctx.ui.theme);
+			clearWidgetState();
+			if (ctx.ui?.setWidget) {
+				ctx.ui.setWidget(
+					"pi-lens",
+					(tui: any, theme: any) => {
+						setRenderCallback(() => tui.requestRender());
+						return {
+							render: (width: number) => renderWidget(width, theme),
+							invalidate: () => setRenderCallback(() => {}),
+						};
+					},
+					{ placement: "belowEditor" },
+				);
+			}
 		} catch (sessionErr) {
 			dbg(`session_start crashed: ${sessionErr}`);
 			dbg(`session_start crash stack: ${(sessionErr as Error).stack}`);
@@ -770,6 +947,7 @@ export default function (pi: ExtensionAPI) {
 
 	pi.on("tool_call", async (event, ctx) => {
 		const toolName = (event as { toolName?: string }).toolName ?? "";
+		if (!lensEnabled) return;
 		if (
 			pi.getFlag("lens-guard") &&
 			isGitCommitOrPushAttempt(toolName, event.input)
@@ -812,8 +990,16 @@ export default function (pi: ExtensionAPI) {
 		);
 		if (!nodeFs.existsSync(filePath)) return;
 
+		const isExternalOrVendor = isExternalOrVendorFile(
+			filePath,
+			runtime.projectRoot,
+		);
+
 		const lspCapableFile = isLspCapableFile(filePath);
-		const lspAutoTouchSkipped = shouldSkipLspAutoTouch(filePath);
+		const lspAutoTouchSkipped = shouldSkipLspAutoTouch(
+			filePath,
+			runtime.projectRoot,
+		);
 		const lspAutoTouchEligible = lspCapableFile && !lspAutoTouchSkipped;
 		const shouldWarmReadLsp =
 			toolName === "read" &&
@@ -907,6 +1093,7 @@ export default function (pi: ExtensionAPI) {
 		if (
 			toolName === "read" &&
 			!pi.getFlag("no-lsp") &&
+			!isExternalOrVendor &&
 			filePath &&
 			readInput &&
 			requestedReadLimit != null &&
@@ -961,7 +1148,7 @@ export default function (pi: ExtensionAPI) {
 		}
 
 		// --- Read-Before-Edit Guard: record reads ---
-		if (toolName === "read" && filePath) {
+		if (toolName === "read" && filePath && !isExternalOrVendor) {
 			const totalLines = countFileLines(filePath);
 			const deliveredLimit = effectiveReadLimit ?? 1;
 			logReadGuardEvent({
@@ -1002,6 +1189,7 @@ export default function (pi: ExtensionAPI) {
 		// Record complexity baseline for historical tracking (booboo/tdi).
 		// Not shown inline - just captured for delta analysis.
 		if (
+			!isExternalOrVendor &&
 			complexityClient.isSupportedFile(filePath) &&
 			!runtime.complexityBaselines.has(filePath)
 		) {
@@ -1073,14 +1261,18 @@ export default function (pi: ExtensionAPI) {
 					.map(({ label, value, corrected }) => {
 						const preview = value.trimStart().slice(0, 60).replace(/\n/g, "↵");
 						return (
-							`${label} ("${preview}…") uses different indentation than the file. ` +
-							`Corrected value (use this exactly):\n\n${corrected}`
+							`${label} ("${preview}…") has mismatched indentation (tabs vs spaces).\n` +
+							`Replace ${label} with this verbatim (do not shorten, do not change newText):\n\n${corrected}`
 						);
 					})
 					.join("\n\n");
 				return {
 					block: true,
-					reason: `🔄 RETRYABLE — Indentation mismatch in oldText\n\n${details}`,
+					reason:
+						`🔄 RETRYABLE — Indentation mismatch detected\n\n` +
+						`The file uses a different indentation style than your oldText. ` +
+						`Retry the same edit call immediately with the corrected oldText shown below — copy it exactly as-is.\n\n` +
+						details,
 				};
 			}
 		}
@@ -1090,11 +1282,8 @@ export default function (pi: ExtensionAPI) {
 				typeof readGuard?.isNewFile !== "function" ||
 				!readGuard.isNewFile(filePath);
 			if (readGuard && isExistingFile) {
-				const { touchedLines, preflightError } = getTouchedLinesForGuard(
-					event,
-					filePath,
-					runtime.telemetrySessionId,
-				);
+				const { touchedLines, editRanges, preflightError } =
+					getTouchedLinesForGuard(event, filePath, runtime.telemetrySessionId);
 				if (preflightError) {
 					return { block: true, reason: preflightError };
 				}
@@ -1110,7 +1299,7 @@ export default function (pi: ExtensionAPI) {
 				});
 				const verdict =
 					typeof readGuard.checkEdit === "function"
-						? readGuard.checkEdit(filePath, touchedLines)
+						? readGuard.checkEdit(filePath, touchedLines, editRanges)
 						: { action: "allow" as const };
 				if (verdict.action === "block") {
 					return {
@@ -1133,12 +1322,30 @@ export default function (pi: ExtensionAPI) {
 				const dupeWarnings: string[] = [];
 				const exportRe =
 					/export\s+(?:async\s+)?(?:function|class|const|let|type|interface)\s+(\w+)/g;
+				// Read current on-disk content once so we can check whether the file
+				// being written already owns a given export (e.g. it IS the source and
+				// another file merely re-exports from it). cachedExports only tracks one
+				// file per name — whichever was scanned first — so a re-exporter can
+				// win the slot and incorrectly shadow the original definition.
+				let currentFileExports: Set<string> | undefined;
+				if (filePath && nodeFs.existsSync(filePath)) {
+					try {
+						const currentContent = nodeFs.readFileSync(filePath, "utf-8");
+						currentFileExports = new Set<string>();
+						for (const m of currentContent.matchAll(exportRe)) {
+							currentFileExports.add(m[1]);
+						}
+					} catch {
+						// non-fatal — fall back to no current-export knowledge
+					}
+				}
 				for (const match of newContent.matchAll(exportRe)) {
 					const name = match[1];
 					const existingFile = runtime.cachedExports.get(name);
 					if (
 						existingFile &&
-						path.resolve(existingFile) !== path.resolve(filePath)
+						path.resolve(existingFile) !== path.resolve(filePath) &&
+						!currentFileExports?.has(name)
 					) {
 						dupeWarnings.push(
 							`\`${name}\` already exists in ${path.relative(runtime.projectRoot, existingFile)}`,
@@ -1148,7 +1355,9 @@ export default function (pi: ExtensionAPI) {
 				if (dupeWarnings.length > 0) {
 					return {
 						block: true,
-						reason: "🔴 STOP - Redefining existing export(s). Import instead:\n" + dupeWarnings.map((w) => "  • " + w).join("\n"),
+						reason:
+							"🔴 STOP - Redefining existing export(s). Import instead:\n" +
+							dupeWarnings.map((w) => "  • " + w).join("\n"),
 					};
 				}
 
@@ -1241,6 +1450,7 @@ export default function (pi: ExtensionAPI) {
 	// Real-time feedback on file writes/edits
 	// biome-ignore lint/suspicious/noExplicitAny: pi.on overload mismatch for tool_result event type
 	(pi as any).on("tool_result", async (event: any) => {
+		if (!lensEnabled) return;
 		updateRuntimeIdentityFromEvent(event);
 		const { biomeClient, ruffClient, metricsClient, agentBehaviorClient } =
 			await loadBootstrapClients();
@@ -1263,11 +1473,13 @@ export default function (pi: ExtensionAPI) {
 
 	// --- Turn end: batch jscpd/madge on collected files, then clear state ---
 	// Clear cascade snapshot at start of each new turn so stale data never leaks
-	pi.on("turn_start", () => {
+	pi.on("turn_start", (_event: any) => {
 		runtime.beginTurn();
+		clearLastAnalyzedStateCache();
 	});
 
 	pi.on("agent_end", async (_event, ctx) => {
+		if (!lensEnabled) return;
 		try {
 			await handleAgentEnd({
 				ctxCwd: ctx.cwd,
@@ -1286,7 +1498,8 @@ export default function (pi: ExtensionAPI) {
 		}
 	});
 
-	pi.on("turn_end", async (_event, ctx) => {
+	pi.on("turn_end", async (_event: any, ctx) => {
+		if (!lensEnabled) return;
 		try {
 			const { jscpdClient, knipClient, depChecker, testRunnerClient } =
 				await loadBootstrapClients();
@@ -1331,6 +1544,7 @@ export default function (pi: ExtensionAPI) {
 			event: { messages?: Array<{ role: string; content: unknown }> } | unknown,
 			ctx: { cwd?: string },
 		) => {
+			if (!lensEnabled) return;
 			try {
 				const cwd = ctx.cwd ?? process.cwd();
 				const turnEndFindings = consumeTurnEndFindings(cacheManager, cwd);

package/package.json

@@ -1,8 +1,8 @@
 {
 	"name": "pi-lens",
-	"version": "3.8.39",
+	"version": "3.8.41",
 	"type": "module",
-	"description": "Real-time code feedback for pi \u2014 LSP, linters, formatters, type-checking, structural analysis & booboo",
+	"description": "Real-time code feedback for pi — LSP, linters, formatters, type-checking, structural analysis & booboo",
 	"repository": {
 		"type": "git",
 		"url": "git+https://github.com/apmantza/pi-lens.git"
@@ -63,6 +63,7 @@
 	},
 	"dependencies": {
 		"@ast-grep/napi": "^0.42.1",
+		"@mariozechner/pi-tui": "^0.72.1",
 		"minimatch": "^10.2.5",
 		"typebox": "^1.0.0",
 		"typescript": "^6.0.3",

package/rules/rule-catalog.json

@@ -110,6 +110,30 @@
     { "rule_id": "raise-application-error-codes", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "invalid-error-code", "severity_default": "error", "confidence": "high", "status": "active" },
     { "rule_id": "no-synchronize", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "synchronize-usage", "severity_default": "error", "confidence": "high", "status": "active" },
     { "rule_id": "send-file-mimetype", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "send-file-missing-mimetype", "severity_default": "error", "confidence": "high", "status": "active" },
-    { "rule_id": "noexcept-functions", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "function", "canonical_concept": "missing-noexcept", "severity_default": "error", "confidence": "medium", "status": "active" }
+    { "rule_id": "noexcept-functions", "engine": "tree-sitter", "language": "cpp", "family": "reliability", "scope": "function", "canonical_concept": "missing-noexcept", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-octal-values", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "file", "canonical_concept": "octal-literal-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "short-circuit-logic", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "non-short-circuit-operator", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "infinite-loop", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "infinite-loop", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "infinite-recursion", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "infinite-recursion", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "name-capitalization-conflict", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "class", "canonical_concept": "name-capitalization-conflict", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "no-super-torchscript", "engine": "tree-sitter", "language": "python", "family": "reliability", "scope": "function", "canonical_concept": "torchscript-super-call", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "unnecessary-bit-ops", "engine": "tree-sitter", "language": "cpp", "family": "maintainability", "scope": "function", "canonical_concept": "unnecessary-bit-operation", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "unnecessary-bit-ops-java", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "unnecessary-bit-operation", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "switch-case-termination-js", "engine": "tree-sitter", "language": "javascript", "family": "reliability", "scope": "function", "canonical_concept": "switch-case-no-termination", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "nchar-nvarchar2-bytes", "engine": "tree-sitter", "language": "plsql", "family": "reliability", "scope": "function", "canonical_concept": "nchar-size-in-bytes", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "tests-include-assertions", "engine": "tree-sitter", "language": "java", "family": "maintainability", "scope": "function", "canonical_concept": "test-without-assertion", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "mockito-initialized", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "class", "canonical_concept": "mockito-not-initialized", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "resources-closed", "engine": "tree-sitter", "language": "java", "family": "reliability", "scope": "function", "canonical_concept": "resource-leak", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "lock-table", "engine": "tree-sitter", "language": "plsql", "family": "maintainability", "scope": "function", "canonical_concept": "lock-table-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "lock-table-cobol", "engine": "tree-sitter", "language": "cobol", "family": "maintainability", "scope": "file", "canonical_concept": "lock-table-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "await-in-loop", "engine": "tree-sitter", "language": "typescript", "family": "performance", "scope": "function", "canonical_concept": "await-inside-loop", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "switch-case-termination", "engine": "tree-sitter", "language": "typescript", "family": "reliability", "scope": "function", "canonical_concept": "switch-case-no-termination", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "no-octal-values", "engine": "tree-sitter", "language": "typescript", "family": "maintainability", "scope": "file", "canonical_concept": "octal-literal-usage", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "short-circuit-logic", "engine": "tree-sitter", "language": "typescript", "family": "maintainability", "scope": "function", "canonical_concept": "non-short-circuit-operator", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "infinite-loop", "engine": "tree-sitter", "language": "typescript", "family": "reliability", "scope": "function", "canonical_concept": "infinite-loop", "severity_default": "error", "confidence": "medium", "status": "active" },
+    { "rule_id": "self-assignment", "engine": "tree-sitter", "language": "typescript", "family": "reliability", "scope": "function", "canonical_concept": "self-assignment", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "duplicate-function-arg", "engine": "tree-sitter", "language": "typescript", "family": "reliability", "scope": "function", "canonical_concept": "duplicate-parameter-name", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "empty-switch-case", "engine": "tree-sitter", "language": "typescript", "family": "reliability", "scope": "function", "canonical_concept": "empty-switch-case", "severity_default": "error", "confidence": "high", "status": "active" },
+    { "rule_id": "default-not-last", "engine": "tree-sitter", "language": "typescript", "family": "maintainability", "scope": "function", "canonical_concept": "default-clause-not-last", "severity_default": "error", "confidence": "high", "status": "active" }
   ]
 }

package/rules/tree-sitter-queries/cobol/lock-table-cobol.yml

@@ -0,0 +1,35 @@
+# COBOL LOCK TABLE
+# Detects LOCK TABLE in COBOL
+id: lock-table-cobol
+name: LOCK TABLE Should Not Be Used
+severity: error
+category: maintainability
+defect_class: correctness
+inline_tier: blocking
+language: cobol
+
+message: "LOCK TABLE should not be used"
+
+description: |
+  LOCK TABLE causes concurrency issues. Use row-level locking.
+
+query: |
+  (lock_table_statement
+    (LOCK) @LOCK)
+
+metavars:
+  - LOCK
+
+tags:
+  - maintainability
+  - cobol
+  - bad-practice
+
+examples:
+  bad: |
+    EXEC SQL LOCK TABLE employees IN EXCLUSIVE MODE END-EXEC  -- BAD
+
+  good: |
+    EXEC SQL SELECT * FROM employees FOR UPDATE END-EXEC  -- GOOD
+
+has_fix: false

package/rules/tree-sitter-queries/cpp/unnecessary-bit-ops.yml

@@ -0,0 +1,58 @@
+# Unnecessary Bit Operations
+# Detects bit operations that have no effect
+id: unnecessary-bit-ops
+name: Unnecessary Bit Operations Should Not Be Performed
+severity: error
+category: maintainability
+defect_class: correctness
+inline_tier: blocking
+language: cpp
+
+message: "Unnecessary bit operation - has no effect"
+
+description: |
+  Operations like (x | 0), (x & -1), (x ^ 0) have no effect.
+  They indicate confusion or incomplete refactoring. Remove them.
+
+  ✅ FIX: Remove unnecessary operation
+
+  ```cpp
+  int y = x;  // GOOD - simplified
+  ```
+
+query: |
+  (binary_expression
+    (identifier) @VAR
+    "|" @OP
+    (number_literal) @ZERO (#eq? @ZERO "0"))
+  (binary_expression
+    (identifier) @VAR
+    "&" @OP
+    (number_literal) @VAL (#match? @VAL "^-?1+$"))
+  (binary_expression
+    (identifier) @VAR
+    "^" @OP
+    (number_literal) @ZERO (#eq? @ZERO "0"))
+
+metavars:
+  - VAR
+  - OP
+  - ZERO
+  - VAL
+
+tags:
+  - maintainability
+  - cpp
+  - suspicious
+
+examples:
+  bad: |
+    int y = x | 0;   // BAD - no effect
+    int z = x & -1;  // BAD - no effect
+    int w = x ^ 0;   // BAD - no effect
+
+  good: |
+    int y = x;       // GOOD - simplified
+
+has_fix: true
+fix_action: remove_bit_operation

package/rules/tree-sitter-queries/java/infinite-loop.yml

@@ -0,0 +1,58 @@
+# Infinite Loop
+# Detects potentially infinite while(true) loops without break
+id: infinite-loop
+name: Loops Should Not Be Infinite
+severity: error
+category: reliability
+defect_class: correctness
+inline_tier: blocking
+language: java
+
+message: "Loop appears to be infinite with no break condition"
+
+description: |
+  while(true) or for(;;) without a break condition creates an
+  infinite loop. Ensure there's an exit condition with break,
+  return, or System.exit().
+
+  ✅ FIX: Add break condition or use scheduled executor
+
+  ```java
+  while (running) {  // GOOD - control flag
+      if (shouldStop()) break;
+  }
+  ```
+
+query: |
+  (while_statement
+    condition: (true) @COND
+    body: (block) @BODY)
+  (for_statement
+    condition: (null)
+    body: (block) @BODY)
+
+metavars:
+  - COND
+  - BODY
+
+post_filter: no_break_or_return
+
+tags:
+  - reliability
+  - java
+  - cert
+  - bugs
+
+examples:
+  bad: |
+    while (true) {  // BAD - infinite
+        doWork();
+    }
+
+  good: |
+    while (true) {  // GOOD - has exit
+        if (shouldStop()) break;
+        doWork();
+    }
+
+has_fix: false