pi-lens 3.8.39 → 3.8.41

package/clients/dispatch/runners/semgrep.ts

@@ -0,0 +1,269 @@
+import * as path from "node:path";
+import { classifyDefect } from "../diagnostic-taxonomy.js";
+import { PRIORITY } from "../priorities.js";
+import type {
+	DefectClass,
+	Diagnostic,
+	DispatchContext,
+	OutputSemantic,
+	RunnerDefinition,
+	RunnerResult,
+} from "../types.js";
+import { safeSpawnAsync } from "../../safe-spawn.js";
+import { resolveSemgrepConfig } from "../../semgrep-config.js";
+import { createAvailabilityChecker } from "./utils/runner-helpers.js";
+
+const semgrep = createAvailabilityChecker("semgrep", ".exe");
+const MAX_DIAGNOSTICS = 50;
+
+interface SemgrepJsonOutput {
+	results?: SemgrepResult[];
+	errors?: Array<{ message?: string; type?: string; level?: string }>;
+}
+
+interface SemgrepResult {
+	check_id?: string;
+	path?: string;
+	start?: { line?: number; col?: number };
+	extra?: {
+		message?: string;
+		severity?: string;
+		metadata?: Record<string, unknown>;
+		fix?: string;
+		fix_regex?: unknown;
+	};
+}
+
+function getPiLensMetadata(
+	metadata: Record<string, unknown>,
+): Record<string, unknown> {
+	const nested = metadata["pi-lens"] ?? metadata.pi_lens;
+	return nested && typeof nested === "object"
+		? (nested as Record<string, unknown>)
+		: {};
+}
+
+function metadataString(
+	metadata: Record<string, unknown>,
+	piLens: Record<string, unknown>,
+	key: string,
+): string | undefined {
+	const direct = piLens[key] ?? metadata[`pi_lens_${key}`];
+	return typeof direct === "string" && direct.trim()
+		? direct.trim()
+		: undefined;
+}
+
+function metadataBoolean(
+	metadata: Record<string, unknown>,
+	piLens: Record<string, unknown>,
+	key: string,
+): boolean {
+	return piLens[key] === true || metadata[`pi_lens_${key}`] === true;
+}
+
+function normalizeDefectClass(
+	value: string | undefined,
+): DefectClass | undefined {
+	if (!value) return undefined;
+	const normalized = value.toLowerCase().replace(/_/g, "-");
+	if (
+		normalized === "silent-error" ||
+		normalized === "injection" ||
+		normalized === "secrets" ||
+		normalized === "async-misuse" ||
+		normalized === "correctness" ||
+		normalized === "safety" ||
+		normalized === "style" ||
+		normalized === "unknown" ||
+		normalized === "unused-value"
+	) {
+		return normalized;
+	}
+	if (
+		normalized.includes("traversal") ||
+		normalized.includes("ssrf") ||
+		normalized.includes("xss") ||
+		normalized.includes("deserial") ||
+		normalized.includes("crypto") ||
+		normalized.includes("auth")
+	) {
+		return "safety";
+	}
+	return undefined;
+}
+
+function semgrepSemantic(
+	result: SemgrepResult,
+	defectClass: DefectClass,
+): OutputSemantic {
+	const metadata = result.extra?.metadata ?? {};
+	const piLens = getPiLensMetadata(metadata);
+	const explicitSemantic = metadataString(metadata, piLens, "semantic");
+	if (
+		explicitSemantic === "blocking" ||
+		metadataBoolean(metadata, piLens, "blocking")
+	) {
+		return "blocking";
+	}
+	if (explicitSemantic === "warning" || explicitSemantic === "silent") {
+		return explicitSemantic;
+	}
+
+	const severity = String(result.extra?.severity ?? "").toUpperCase();
+	const confidence = String(
+		metadata.confidence ??
+			metadata.semgrep_confidence ??
+			piLens.confidence ??
+			"",
+	).toLowerCase();
+	const highSignalSecurity =
+		defectClass === "injection" ||
+		defectClass === "secrets" ||
+		defectClass === "safety";
+
+	if (severity === "ERROR" && highSignalSecurity && confidence !== "low") {
+		return "blocking";
+	}
+
+	return "warning";
+}
+
+function mapSeverity(
+	semgrepSeverity: string | undefined,
+	semantic: OutputSemantic,
+): Diagnostic["severity"] {
+	if (semantic === "blocking") return "error";
+	const severity = String(semgrepSeverity ?? "").toUpperCase();
+	if (severity === "ERROR") return "error";
+	if (severity === "INFO") return "info";
+	return "warning";
+}
+
+function parseSemgrepJson(raw: string, ctx: DispatchContext): Diagnostic[] {
+	if (!raw.trim()) return [];
+	let parsed: SemgrepJsonOutput;
+	try {
+		parsed = JSON.parse(raw) as SemgrepJsonOutput;
+	} catch {
+		return [];
+	}
+
+	const results = Array.isArray(parsed.results) ? parsed.results : [];
+	const diagnostics: Diagnostic[] = [];
+
+	for (const [index, result] of results.entries()) {
+		if (diagnostics.length >= MAX_DIAGNOSTICS) break;
+		const rule = result.check_id || "semgrep";
+		const message = result.extra?.message || rule;
+		const metadata = result.extra?.metadata ?? {};
+		const piLens = getPiLensMetadata(metadata);
+		const explicitDefect = normalizeDefectClass(
+			metadataString(metadata, piLens, "defect_class"),
+		);
+		const defectClass =
+			explicitDefect ?? classifyDefect(rule, "semgrep", message);
+		const semantic = semgrepSemantic(result, defectClass);
+		const filePath = result.path || ctx.filePath;
+		const line = result.start?.line ?? 1;
+		const column = result.start?.col ?? 1;
+		const fixSuggestion =
+			metadataString(metadata, piLens, "fix") ??
+			(typeof result.extra?.fix === "string" ? result.extra.fix : undefined);
+
+		diagnostics.push({
+			id: `semgrep:${rule}:${path.basename(filePath)}:${line}:${column}:${index}`,
+			message: `[${rule}] ${message}`,
+			filePath,
+			line,
+			column,
+			severity: mapSeverity(result.extra?.severity, semantic),
+			semantic,
+			tool: "semgrep",
+			rule,
+			defectClass,
+			fixable: Boolean(fixSuggestion || result.extra?.fix_regex),
+			autoFixAvailable: false,
+			fixKind:
+				fixSuggestion || result.extra?.fix_regex ? "suggestion" : undefined,
+			fixSuggestion,
+		});
+	}
+
+	return diagnostics;
+}
+
+const semgrepRunner: RunnerDefinition = {
+	id: "semgrep",
+	appliesTo: [
+		"csharp",
+		"css",
+		"cxx",
+		"dart",
+		"docker",
+		"go",
+		"html",
+		"java",
+		"json",
+		"jsts",
+		"kotlin",
+		"lua",
+		"php",
+		"python",
+		"ruby",
+		"rust",
+		"shell",
+		"swift",
+		"terraform",
+		"yaml",
+	],
+	priority: PRIORITY.DEEP_LANGUAGE_ANALYSIS,
+	enabledByDefault: false,
+
+	async when(ctx: DispatchContext): Promise<boolean> {
+		return resolveSemgrepConfig(ctx.cwd, {
+			enabled: Boolean(ctx.pi.getFlag("lens-semgrep")),
+			config: ctx.pi.getFlag("lens-semgrep-config"),
+		}).enabled;
+	},
+
+	async run(ctx: DispatchContext): Promise<RunnerResult> {
+		const cwd = ctx.cwd || process.cwd();
+		const resolved = resolveSemgrepConfig(cwd, {
+			enabled: Boolean(ctx.pi.getFlag("lens-semgrep")),
+			config: ctx.pi.getFlag("lens-semgrep-config"),
+		});
+		if (!resolved.enabled) {
+			return { status: "skipped", diagnostics: [], semantic: "none" };
+		}
+
+		if (!semgrep.isAvailable(cwd)) {
+			return { status: "skipped", diagnostics: [], semantic: "none" };
+		}
+		const cmd = semgrep.getCommand(cwd) ?? "semgrep";
+		const args = ["scan", "--json", "--metrics=off", "--timeout", "5"];
+		if (resolved.configArg) args.push("--config", resolved.configArg);
+		args.push(ctx.filePath);
+
+		const result = await safeSpawnAsync(cmd, args, { cwd, timeout: 20000 });
+		const raw = result.stdout || "";
+		const diagnostics = parseSemgrepJson(raw, ctx);
+		if (diagnostics.length === 0) {
+			return {
+				status: result.error ? "failed" : "succeeded",
+				diagnostics: [],
+				semantic: "none",
+				rawOutput: (result.stderr || "").slice(0, 500),
+			};
+		}
+
+		const hasBlocking = diagnostics.some((d) => d.semantic === "blocking");
+		return {
+			status: hasBlocking ? "failed" : "succeeded",
+			diagnostics,
+			semantic: hasBlocking ? "blocking" : "warning",
+		};
+	},
+};
+
+export default semgrepRunner;

package/clients/dispatch/runners/shellcheck.ts

@@ -148,14 +148,8 @@ const shellcheckRunner: RunnerDefinition = {
 		}
 		if (!cmd) return { status: "skipped", diagnostics: [], semantic: "none" };
 
-		// Determine shell dialect from file extension
-		const shellDialect = ctx.filePath.endsWith(".zsh")
-			? "bash"
-			: ctx.filePath.endsWith(".fish")
-				? "bash"
-				: ctx.filePath.endsWith(".sh")
-					? "bash"
-					: "bash"; // Default to bash for generic shell files
+		// Determine shell dialect from file extension (all map to bash for shellcheck)
+		const shellDialect = "bash";
 
 		// Build args
 		// --format json: JSON output

package/clients/dispatch/runners/tree-sitter.ts

@@ -32,6 +32,11 @@ import type {
 // Creating a new TreeSitterClient() on every write resets TRANSFER_BUFFER (a module-level
 // WASM pointer) — concurrent writes race on _ts_init() and corrupt shared WASM state → crash.
 let _sharedClient: TreeSitterClient | null = null;
+// Once the wasm runtime aborts, the entire module-level wasm heap is corrupted — no
+// recovery is possible within this process. Flag it and skip all further tree-sitter work
+// rather than re-invoking the dead runtime (which prints "Aborted()" on every call and
+// leaks memory on each retry).
+let _wasmAborted = false;
 const blastCooldownByFile = new Map<string, number>();
 const BLAST_COOLDOWN_MS = 5_000;
 
@@ -244,7 +249,8 @@ function isLineInModifiedRanges(
 	return ranges.some((r) => line >= r.start && line <= r.end);
 }
 
-function getSharedClient(): TreeSitterClient {
+function getSharedClient(): TreeSitterClient | null {
+	if (_wasmAborted) return null;
 	if (!_sharedClient) {
 		_sharedClient = new TreeSitterClient();
 	}
@@ -276,11 +282,11 @@ const treeSitterRunner: RunnerDefinition = {
 		// Use singleton client — WASM must never be re-initialized after first call
 		const client = getSharedClient();
 		logTreeSitter({ phase: "runner_start", filePath: ctx.filePath });
-		if (!client.isAvailable()) {
+		if (!client || !client.isAvailable()) {
 			logTreeSitter({
 				phase: "runner_skip",
 				filePath: ctx.filePath,
-				reason: "client_unavailable",
+				reason: _wasmAborted ? "wasm_aborted" : "client_unavailable",
 				status: "skipped",
 			});
 			return { status: "skipped", diagnostics: [], semantic: "none" };
@@ -506,14 +512,29 @@ const treeSitterRunner: RunnerDefinition = {
 						}
 					} catch (err) {
 						// pi-lens-ignore: missing-error-propagation — per-query resilience loop, intentional
-						console.error(`[tree-sitter] Query ${query.id} failed:`, err);
-						logTreeSitter({
-							phase: "query_error",
-							filePath,
-							languageId,
-							queryId: query.id,
-							error: err instanceof Error ? err.message : String(err),
-						});
+						const msg = err instanceof Error ? err.message : String(err);
+						// Emscripten abort() corrupts the entire module-level wasm heap.
+						// Poison the singleton so no further queries attempt to use the dead runtime.
+						if (msg.includes("Aborted") || msg.includes("abort()")) {
+							_wasmAborted = true;
+							_sharedClient = null;
+							logTreeSitter({
+								phase: "query_error",
+								filePath,
+								languageId,
+								queryId: query.id,
+								error: "wasm_aborted_fatal",
+							});
+						} else {
+							console.error(`[tree-sitter] Query ${query.id} failed:`, err);
+							logTreeSitter({
+								phase: "query_error",
+								filePath,
+								languageId,
+								queryId: query.id,
+								error: msg,
+							});
+						}
 					}
 					return queryDiagnostics;
 				}),

package/clients/dispatch/tool-profile.ts

@@ -26,6 +26,7 @@ const TOOL_PROFILE_MAP: Record<string, ToolProfile> = {
 	"rust-clippy": { dedupPriority: 95, lintLike: true },
 	shellcheck: { dedupPriority: 95, lintLike: true },
 	"type-safety": { dedupPriority: 95, lintLike: true },
+	semgrep: { dedupPriority: 105, lintLike: false },
 };
 
 export function getToolProfile(

package/clients/format-service.ts

@@ -12,6 +12,7 @@
  */
 
 import * as path from "node:path";
+import { recordFormatter } from "./widget-state.js";
 import { FileTime } from "./file-time.js";
 import {
 	clearFormatterRuntimeState,
@@ -114,6 +115,15 @@ export class FormatService {
 		// Record new file state after formatting
 		this.fileTime.read(absolutePath);
 
+		for (const [index, result] of results.entries()) {
+			recordFormatter(
+				absolutePath,
+				formatters[index]?.name ?? "unknown",
+				result.changed,
+				result.success,
+			);
+		}
+
 		// Build summary
 		const anyChanged = results.some((r) => r.changed);
 		const allSucceeded = results.every((r) => r.success);

package/clients/formatters.ts

@@ -778,7 +778,11 @@ export const cmakeFormatFormatter: FormatterInfo = {
 
 export const psscriptanalyzerFormatFormatter: FormatterInfo = {
 	name: "psscriptanalyzer-format",
-	command: ["pwsh", "-Command", "Invoke-Formatter -ScriptDefinition (Get-Content -Raw '$FILE') | Set-Content '$FILE'"],
+	command: [
+		"pwsh",
+		"-Command",
+		"Invoke-Formatter -ScriptDefinition (Get-Content -Raw '$FILE') | Set-Content '$FILE'",
+	],
 	extensions: [".ps1", ".psm1", ".psd1"],
 	async resolveCommand(filePath, _cwd) {
 		const pwsh = (await which("pwsh")) ?? (await which("powershell"));
@@ -794,11 +798,15 @@ export const psscriptanalyzerFormatFormatter: FormatterInfo = {
 		const pwsh = (await which("pwsh")) ?? (await which("powershell"));
 		if (!pwsh) return false;
 		// Check PSScriptAnalyzer module is available
-		const result = safeSpawn(pwsh, [
-			"-NoProfile",
-			"-Command",
-			"Get-Module -ListAvailable PSScriptAnalyzer | Select-Object -First 1 -ExpandProperty Name",
-		], { timeout: 5_000 });
+		const result = safeSpawn(
+			pwsh,
+			[
+				"-NoProfile",
+				"-Command",
+				"Get-Module -ListAvailable PSScriptAnalyzer | Select-Object -First 1 -ExpandProperty Name",
+			],
+			{ timeout: 5_000 },
+		);
 		return (result.stdout ?? "").includes("PSScriptAnalyzer");
 	},
 };
@@ -925,7 +933,9 @@ export async function getFormattersForFile(
 	} else if (!formatterPolicy) {
 		selectionReason = "detect";
 	} else {
-		selectionReason = candidateFormatters.some((f) => hasExplicitFormatterConfig(f.name, cwd))
+		selectionReason = candidateFormatters.some((f) =>
+			hasExplicitFormatterConfig(f.name, cwd),
+		)
 			? "explicit-config"
 			: "smart-default";
 	}
@@ -934,7 +944,11 @@ export async function getFormattersForFile(
 		phase: "formatter_selected",
 		filePath: filePath,
 		durationMs: 0,
-		metadata: { formatter: selected?.name ?? null, reason: selectionReason, cwd },
+		metadata: {
+			formatter: selected?.name ?? null,
+			reason: selectionReason,
+			cwd,
+		},
 	});
 
 	// Store the list of enabled formatter names in cache

package/clients/installer/index.ts

@@ -1344,7 +1344,7 @@ async function installGitHubTool(
 			const srcBinary = path.join(tmpDir, spec.binaryInArchive ?? binaryName);
 			await fs.rename(srcBinary, destPath);
 			await fs.rm(tmpDir, { recursive: true, force: true });
-			if (!isWindows) await fs.chmod(destPath, 0o755);
+			if (!isWindows) await fs.chmod(destPath, 0o750);
 		} else if (assetName.endsWith(".zip")) {
 			// Write zip to temp, extract with unzip (Linux/macOS) or Expand-Archive (Windows)
 			const tmpArchive = path.join(GITHUB_BIN_DIR, `_tmp_${assetName}`);
@@ -1395,7 +1395,7 @@ async function installGitHubTool(
 			}
 			await fs.rename(srcBinary, destPath);
 			await fs.rm(tmpDir, { recursive: true, force: true });
-			if (!isWindows) await fs.chmod(destPath, 0o755);
+			if (!isWindows) await fs.chmod(destPath, 0o750);
 		} else {
 			// Bare binary (e.g. shfmt_*_linux_amd64)
 			await fs.writeFile(destPath, assetBuffer, { mode: 0o755 });
@@ -1538,7 +1538,7 @@ async function installNpmTool(
 		// Make executable on Unix
 		if (process.platform !== "win32") {
 			try {
-				await fs.chmod(binPath, 0o755);
+				await fs.chmod(binPath, 0o750);
 			} catch {
 				/* ignore */
 			}