pi-lens 3.8.41 → 3.8.43

package/CHANGELOG.md

@@ -4,6 +4,95 @@ All notable changes to pi-lens will be documented in this file.
 
 ## [Unreleased]
 
+## [3.8.43] - 2026-05-10
+
+### Added
+
+- **Unresolved inline blocker re-surfacing at turn_end** — when the agent ignores a blocking diagnostic shown during a write/edit and moves to the next turn without fixing it, the blocker now reappears in the turn_end injection framed as `"Unresolved from this turn — <file>: 🔴 STOP…"`. Previously, unresolved inline blockers were silently lost until cascade happened to re-touch the same file via an importer. `RuntimeCoordinator` tracks the last-seen blocking output per file (`_pendingInlineBlockers`); a subsequent write that produces no blockers clears the entry, so only genuinely unresolved issues resurface. The map is cleared at `beginTurn` to prevent cross-turn contamination.
+- **S1219 (switch non-case labels) and S2970 (incomplete assertions) blocking tree-sitter rules** — S1219 detects labeled statements inside switch cases in TypeScript (SonarCloud S1219); S2970 detects Jest/Vitest `expect()` chains that are never called (e.g. `expect(x).toBe(y)` without `await`), with Chai property assertion exclusion. S2083 (path traversal) moved to disabled — regex heuristics on tree-sitter syntax are the wrong layer; needs taint/data-flow analysis. Adds `parent?` field to `TreeSitterNode` interface.
+- **Inline code snippets in blocker output** — each 🔴 STOP diagnostic now includes the exact source line the agent wrote that caused the violation, so the agent can identify and fix the issue without re-reading the file. `fixSuggestion` is also surfaced inline when present. Snippet capped at 120 chars.
+- **AST node type and matched text in blocker output** — tree-sitter diagnostics now carry `matchedText` (the exact matched node, more precise than the full source line) and `astNodeType` (e.g. `call_expression`, `template_string`). The agent sees: `L12: SQL query built with string interpolation (template_string) → db.query(...)`.
+- **Persist review graph to disk** — `_workspaceGraphCache` is now backed by `.pi-lens/cache/review-graph.json`. On cold start, if source file signatures match the stored cache, the full 2–4 s tree-sitter + import-fact build is skipped (~20 ms JSON parse + `rebuildIndexes` instead). Write is fire-and-forget, never blocks dispatch.
+- **Preserve last known LSP diagnostics when LSP goes inactive** — when no live clients are available (dead client respawning, circuit-breaker cooldown), `getDiagnostics` now returns the last non-empty result for that file instead of `[]`. The widget keeps showing the last known issues rather than going blank mid-session. Live clients returning `[]` clears the stale entry. Stale hits are logged as `failureKind: "no_clients_stale"`.
+
+### Fixed
+
+- **Read-guard false-positive block on files outside the project root** — edits to files outside `projectRoot` (e.g. `C:/llama/*.bat`, scripts in arbitrary directories) were always blocked with `zero_read` because reads for external files are intentionally not recorded (`isExternalOrVendor` gate in the read handler), but the `checkEdit` call had no matching guard. Added `!isExternalOrVendor` to the `checkEdit` condition so external files bypass the read-guard entirely, consistent with how reads are handled.
+
+### Changed
+
+- **Replace pyright-langserver and pylsp with jedi-language-server for Python LSP** — `PythonServer` (pyright-langserver) and `PythonPylspServer` (pylsp) removed from `LSP_SERVERS`; replaced by `PythonJediServer` which spawns `jedi-language-server`. pyright-langserver was causing 5–14 s cold-start delays on large Python projects (e.g. tinygrad) because it performs full workspace analysis on startup; jedi starts in ~200–500 ms via lazy per-file analysis. pylsp was removed because it consistently returned 0 diagnostics (no venv → jedi can't resolve imports; 1500 ms aggregate timeout hit on warm runs). Deep type checking is unaffected — the standalone `pyright` CLI runner and `mypy` runner continue to run in parallel. Added `"python-jedi"` strategy entry (`seedFirstPush: true`, `aggregateWaitMs: 1000`). Wall-clock gate for Python dispatch shifts from LSP (~5–14 s) to mypy (~3.5 s).
+
+## [3.8.42] - 2026-05-08
+
+### Added
+
+- **Fact-rules wired into all language dispatch plans** — the `fact-rules` runner was registered but never listed in any `RunnerGroup`; 20 TypeScript FactRule instances (`corsWildcardRule`, `jwtWithoutVerifyRule`, `dynamicRegexpRule`, `errorObscuringRule`, `highComplexityRule`, etc.) were never executing. Added `mode:all fact-rules` group to jsts, python, go, rust, ruby, cmake, and shell write plans.
+- **3 fact-rules promoted to blocking (inline at write time):** `cors-wildcard` (CORS `*` origin — no ast-grep/tree-sitter equivalent), `error-swallowing` (empty catch — smarter than the disabled tree-sitter `empty-catch`, skips fs-boundary and documented fallbacks), `no-commented-credentials` (credentials in commented code — complementary to ast-grep which covers live code). `high-entropy-string` was already blocking.
+- **Fact-rule false-positive reductions:** `no-boolean-params` now exempts names with `*Only`/`*Enabled`/`*Disabled` suffixes, `allow*`/`skip*`/`needs*`/`auto*` prefixes, and `_`-prefixed params. `duplicate-string-literal` SKIP_STRINGS expanded with DSL discriminators (`types`, `fallback`, `direct`, `all`, `mode`, `source`) and infrastructure strings (`github`, `rubocop`, `arm64`). `high-import-coupling` threshold raised 10→15 and exempts `index.ts`/`integration.ts` registry/hub files. `no-commented-credentials` exempts scanner/fixture files.
+- **Severity alignment for 3 existing TS tree-sitter blocking rules** — `ts-command-injection`, `ts-ssrf`, `unsafe-regex` had `inline_tier: blocking` but `severity: warning`, producing `semantic: "warning"` which is never shown inline. Fixed to `severity: error` → `semantic: "blocking"` → actually surfaces to the agent.
+- **Fixed `inline_tier: error` typo** on `ts-hallucinated-react-import` and `python-hallucinated-import` (→ `blocking`).
+- **13 new high-confidence blocking promotions across 5 languages** (all `severity: error`, `inline_tier: blocking`):
+  - *TypeScript:* `ts-weak-hash` (`createHash("md5"/"sha1")` — confidence: high)
+  - *Python:* `python-command-injection`, `python-sql-injection`, `python-insecure-deserialization`, `python-weak-hash`
+  - *Go:* `go-command-injection`, `go-sql-injection`, `go-shared-map-write-goroutine`, `go-weak-hash`
+  - *Ruby:* `ruby-weak-hash`
+  - *Rust:* `rust-lock-held-across-await`
+- **4 new blocking tree-sitter rules (SonarCloud BLOCKER equivalents)**:
+  - `ts-xss-dom-sink` (S5696) — flags dynamic values assigned to `innerHTML`/`outerHTML` or passed to `document.write()` / `document.writeln()`
+  - `ts-dynamic-require` (S5335) — flags `require()` called with a non-string-literal argument (arbitrary module loading)
+  - `ts-open-redirect` (S6105) — flags `res.redirect(variable)` / `response.redirect` / `ctx.redirect` with dynamic URL, and `window.location.href = variable`
+  - `ts-nosql-injection` (S5147) — flags any MongoDB `$where` key (JS-execution sink, dangerous regardless of value)
+- **2 existing security rules promoted to `inline_tier: blocking`** — `ts-command-injection` (maps to SonarCloud S2076) and `ts-ssrf` (maps to S5146) were previously `warning`; now block the agent turn on detection.
+
+### Fixed
+
+- **`fact-rules` `RuleCache` blind to built-in rule changes** — the cache hash only covered project-local rule files; for any project with no local `rules/` directory the hash was a constant, so new pi-lens built-in rules were silently ignored after the first run. Fixed by including both project-local files and `resolvePackagePath()`-resolved built-in files in the hash, with a `Set` to deduplicate when pi-lens analyzes itself.
+
+### Changed
+
+- **`max-switch-cases` threshold raised 30→40** — `applyPostFilter` dispatch table now has 31 cases and is expected to grow; the old threshold triggered a false positive on pi-lens itself.
+- **Package scope migration** — all `@mariozechner/*` import references updated to `@earendil-works/*` following the repo move to `earendil-works/pi-mono`. `@earendil-works/pi-tui` dependency bumped to `^0.74.0`.
+- **Startup: `lsp-config` phase is now fully fire-and-forget** — `loadLSPConfig` and `igniteWarmFiles` no longer block the interactive path, removing ~1s from session start on Windows (previously dominated by sequential ENOENT `readFile` calls walking the directory tree to find a config file).
+- **Startup: persistent tool probe cache** — `ensureTool` now checks `~/.pi-lens/probe-cache.json` before falling back to the full `verifyToolBinary` process spawn. Cache entries are validated with `fs.access` + mtime check and expire after 24 h; stale or missing entries fall through to the full probe and update the cache on success.
+
+### Added
+
+- **Startup observability** — `checkProbeCache` now logs the reason for each cache miss (`ttl expired`, `gone`, `mtime changed`); the lsp-config fire-and-forget callback logs how many warm files were configured once the config resolves asynchronously.
+
+
+
+### Added
+
+- **Test runner: import-based fallback discovery** — when basename pattern lookup finds no test file for a modified source file (e.g. `cline.test.ts` for `cline-auth.ts`), the runner now scans `tests/`, `__tests__/`, and the source file's own directory for any `*.test.*` file whose content references the source basename in an import path. Fixes the silent `no test file found` for files whose test is named after a module rather than the source file.
+- **Test runner: prefer local `node_modules/.bin` binary over `npx`** — `vitest` and `jest` now resolve the project-local binary (`node_modules/.bin/vitest.cmd` on Windows, `node_modules/.bin/vitest` on Unix) before falling back to `npx`, saving ~150ms of startup overhead per test run.
+- **Turn-end test runner logging** — `turn_end` now logs the outcome of every test run: `turn_end: test vitest util.test.ts → PASS 8p/0f (412ms)` or `FAIL 2p/8f (930ms)`. Stale results (turn advanced while tests ran) are logged with a `[stale]` prefix instead of being silently discarded. All-pass turns are no longer silent.
+- **Per-file test target logging** — `turn_end` now logs which test file was resolved for each modified source file, or `no test file found` when none matched. Previously silent; impossible to distinguish "runner disabled" from "no test found".
+- **Session-scoped turn-end dedup** — `turn-end-findings-last` now stores the current session ID alongside the content signature. Identical findings from a previous session are no longer suppressed — each new session sees its blockers fresh. Same-session dedup continues to work as before.
+- **Cross-session turn state eviction** — turn state (modified file ranges) now carries the session ID set at first edit. If `turn_end` reads a turn state written by a different session, it evicts it immediately and logs `turn_end: evicting stale turn state (session X ≠ current Y)`, preventing stale cross-session file lists from triggering jscpd, madge, or test runs.
+
+### Changed
+
+- **Context injections framed as automated checks** — all three `consume*` injections (`turn-end findings`, `test findings`, `session guidance`) now prefix their content with `[pi-lens automated check — not a user request]` so the agent cannot mistake a hook-injected message for a direct user command. Advisory sections additionally carry `ℹ️ Advisory — no action required this turn:` before their content; blockers (🔴) continue to require action.
+
+- **`/lens-widget-toggle` command** — toggles the pi-lens diagnostics widget below the editor on/off for the current session, so users can reclaim footer/editor space without disabling pi-lens analysis.
+
+### Changed
+
+- **Removed per-turn jscpd scans** — jscpd remains in the session-start project scan, but no longer runs unconditionally at `turn_end`; inline structural-similarity checks cover the high-value duplicate-code signal during active edits without the repeated multi-second clone scan.
+- **Cascade avoids low-value work** — unsupported graph kinds now skip review-graph construction and go straight to passive LSP fallback diagnostics, and neighbor files that recently returned clean can skip repeated active LSP touches for a few turns unless the passive snapshot already contains fresh errors.
+- **Knip now surfaces unused-export regressions** — newly unused exports in modified files are shown as advisory end-of-turn findings when they were absent from the previous Knip cache.
+
+### Fixed
+
+- **Knip latency log now includes result metadata** — the `turn_end` Knip phase previously logged only duration with empty `metadata: {}`, making it impossible to distinguish a clean run from a silent failure. It now logs `success`, `totalIssues`, `newIssues`, `blockerIssues`, and `skipped` when the startup scan is still in flight.
+
+- **LSP timeout log now includes `serverIds`** — `lsp_client_wait_timeout` previously only recorded `maxWaitMs`, making it impossible to identify which server consistently failed to respond within the budget. The event now includes the array of server IDs that were being waited on.
+
+- **Vendor/third-party files excluded from cascade neighbor analysis** — `isExternalOrVendorFile()` previously only checked `node_modules`; it now checks every path segment against `vendor`, `vendors`, `third_party`, and `third-party` as well. Cascade neighbor discovery and fallback neighbor injection both skip files inside these directories, preventing vendored dependency diagnostics from surfacing in cascade output.
+
+- **`lens-booboo` hangs on repos with large vendored trees (fixes #57)** — `collectSourceFiles` and the `sg scan` runner in `lens-booboo` now exclude `vendor/`, `third_party/`, `third-party/`, and `vendors/` by default (added to `EXCLUDED_DIRS`). Additionally, `readGitignoreDirs()` reads the root `.gitignore` and extracts simple directory-name entries (bare names and `name/` patterns — no wildcards, negations, or internal slashes), merging them into the exclusion list for `collectSourceFiles` and the `sg scan` glob arguments. This covers project-specific large dirs (e.g. `my-upstream/`) without requiring full gitignore-spec compliance.
+
 ## [3.8.41] - 2026-05-05
 
 ### Fixed

package/README.md

@@ -124,25 +124,45 @@ Supported: TypeScript, TSX, JavaScript, JSX, Python, Go, Rust, Ruby.
 
 ### Fact Rules Pipeline
 
-Covers JavaScript/TypeScript, Python, Go, Rust, Ruby, Shell, and CMake. Dispatch includes a fact-rule engine that extracts function-level metrics (cyclomatic complexity, nesting depth, outgoing calls) and evaluates quality rules inline:
-
-- **high-complexity** — flags functions exceeding configurable CC thresholds
-- **unsafe-boundary** — detects dangerous boundary crossings (unvalidated user input → trusted context)
-- **high-fan-out** — flags excessive outgoing call count (default threshold: 20)
-- **comment-facts** — classifies comment quality (TODO density, doc coverage)
-- **try-catch-facts** — flags empty/obscuring catch blocks
-- **import-facts** — detects circular/star/unused imports
-- **file-role** — classifies files as source/test/config/vendor and adjusts severity
+Covers JavaScript/TypeScript, Python, Go, Rust, Ruby, Shell, and CMake. A TypeScript AST-based fact-rule engine extracts function-level metrics and evaluates quality and security rules inline. Blocking rules surface immediately at write time; advisory rules are available via `/lens-booboo`.
+
+**Blocking (surface inline at write time):**
+- **cors-wildcard** — `Access-Control-Allow-Origin: *` in server-side code
+- **error-swallowing** — empty catch block (skips documented local fallbacks and fs-boundary catches)
+- **no-commented-credentials** — password/token/secret in commented-out code
+- **high-entropy-string** — string literals with suspiciously high Shannon entropy (possible hardcoded secret)
+
+**Advisory (accessible via `/lens-booboo`):**
+- **high-complexity** / **no-complex-conditionals** — cyclomatic complexity and deeply nested conditions
+- **high-fan-out** — function calls too many distinct functions (coordination smell)
+- **unsafe-boundary** — dangerous `any` casts at API boundaries
+- **async-noise** / **async-unnecessary-wrapper** — async functions with no await; wrappers that add no value
+- **pass-through-wrappers** — trivial wrapper functions
+- **dynamic-regexp** — `new RegExp(variable)` (potential ReDoS; complements tree-sitter `unsafe-regex`)
+- **jwt-without-verify** — `jwt.sign()` without `jwt.verify()` in the same file
+- **missing-error-propagation** — catch blocks that log but don't rethrow
+- **error-obscuring** — catch blocks that wrap errors in a different type
+- **duplicate-string-literal** / **no-boolean-params** / **high-import-coupling** — code-quality signals
 
 ### Tree-sitter Rules
 
-Structural rules are organized by language in `rules/tree-sitter-queries/`:
+Structural rules organized by language in `rules/tree-sitter-queries/`. Rules marked **🔴** block the agent inline at write time (only for lines in the current edit); others are advisory.
+
+**TypeScript (23 rules):**
+🔴 `eval`, `sql-injection`, `ts-command-injection`, `ts-ssrf`, `ts-xss-dom-sink`, `ts-dynamic-require`, `ts-open-redirect`, `ts-nosql-injection`, `ts-weak-hash`, `ts-hallucinated-react-import`, `unsafe-regex`, `debugger`, `default-not-last`, `duplicate-function-arg`, `empty-switch-case`, `infinite-loop`, `self-assignment`, `switch-case-termination`  
+⚠️ `console-statement`, `deep-promise-chain`, `mixed-async-styles`, `ts-insecure-random`, `ts-detached-async-call`, `ts-react-antipatterns`, `ts-weak-hash`, `variable-shadowing`
+
+**Python:** 🔴 `python-command-injection`, `python-sql-injection`, `python-insecure-deserialization`, `python-weak-hash`, `python-hallucinated-import` + 20 advisory rules
+
+**Go:** 🔴 `go-command-injection`, `go-sql-injection`, `go-shared-map-write-goroutine`, `go-weak-hash` + 13 advisory rules
+
+**Rust:** 🔴 `rust-lock-held-across-await` + 3 advisory rules (`rust-unsafe-block`, `rust-expect`, `rust-clone-in-loop`)
+
+**Ruby:** 🔴 `ruby-weak-hash` + 14 advisory rules
+
+**Suppressing a finding:** add `// pi-lens-ignore: rule-id` on the flagged line or the line above (JS/TS), or `# pi-lens-ignore: rule-id` for Python/Ruby/Shell. This suppresses that specific rule at that location only.
 
-- **TypeScript** (18 rules): console-statement, debugger, deep-nesting, eval, sql-injection, ssrf, weak-hash, unsafe-regex, variable-shadowing, and more
-- **Python** (26 rules): debug statements, hardcoded secrets, mutable class attrs, unsafe regex, empty except, and more
-- **Go** (17 rules): defer-in-loop, hardcoded secrets, unchecked errors, and more
-- **Rust** (6 rules): unsafe blocks, unwrap outside tests, and more
-- **Ruby** (15 rules): empty rescue, rescue Exception, debugger, hardcoded secrets, and more
+**Project-wide disabling** is not currently supported through config — there is no `.pi-lens/disabled-rules` file. Use inline suppression for per-occurrence overrides. When editing pi-lens itself, move a rule file to the `<language>-disabled/` directory to prevent it from running.
 
 ### Ast-Grep Rules
 
@@ -268,6 +288,7 @@ pi --lens-semgrep-config p/ci  # Explicit Semgrep config for dispatch (requires
 ## Key Commands
 
 - `/lens-toggle` — toggle pi-lens on/off for the current session without restarting
+- `/lens-widget-toggle` — show/hide the pi-lens diagnostics widget below the editor
 - `/lens-booboo` — full quality report for current project state
 - `/lens-health` — runtime health, latency, and diagnostic telemetry
 - `/lens-tools` — tool installation status: globally installed, auto-installed, or npx fallback

package/clients/cache-manager.ts

@@ -43,6 +43,7 @@ export interface TurnState {
 	turnCycles: number;
 	maxCycles: number;
 	lastUpdated: string;
+	sessionId?: string;
 }
 
 // --- Defaults ---
@@ -250,8 +251,10 @@ export class CacheManager {
 		range: ModifiedRange,
 		importsChanged: boolean,
 		cwd: string,
+		sessionId?: string,
 	): TurnState {
 		const state = this.readTurnState(cwd);
+		if (sessionId) state.sessionId = sessionId;
 		const normalizedPath = this.toTurnStateKey(filePath, cwd);
 
 		const existing = state.files[normalizedPath];

package/clients/dispatch/dispatcher.ts

@@ -742,7 +742,8 @@ export async function dispatchForFile(
 
 	// Format output — only blocking issues shown inline
 	// Warnings tracked but not shown (noise) — surfaced via /lens-booboo
-	let output = formatDiagnostics(inlineBlockers, "blocking");
+	const blockerOutput = formatDiagnostics(inlineBlockers, "blocking");
+	let output = blockerOutput;
 	output += formatDiagnostics(inlineFixed, "fixed");
 	if (coverageNotice) {
 		output += formatDiagnostics([coverageNotice], "warning", 1);
@@ -807,6 +808,7 @@ export async function dispatchForFile(
 		fixed: fixedItems,
 		resolvedCount,
 		output,
+		blockerOutput,
 		hasBlockers: blockers.length > 0,
 	};
 }

package/clients/dispatch/integration.ts

@@ -48,7 +48,7 @@ import type { CascadeResult } from "../cascade-types.js";
 import { getDiagnosticTracker } from "../diagnostic-tracker.js";
 import { getServersForFileWithConfig } from "../lsp/config.js";
 import { getLSPService } from "../lsp/index.js";
-import { normalizeMapKey } from "../path-utils.js";
+import { isExternalOrVendorFile, normalizeMapKey } from "../path-utils.js";
 import {
 	clearReviewGraphWorkspaceCache,
 	getLastGraphBuildInfo,
@@ -325,7 +325,8 @@ function withSemgrepGroup(
 		config: ctx.pi.getFlag("lens-semgrep-config"),
 	});
 	if (!config.enabled) return groups;
-	if (groups.some((group) => group.runnerIds.includes("semgrep"))) return groups;
+	if (groups.some((group) => group.runnerIds.includes("semgrep")))
+		return groups;
 	return [
 		...groups,
 		{
@@ -402,16 +403,29 @@ export function resetDispatchBaselines(): void {
 	clearCoverageNoticeState();
 	clearReviewGraphWorkspaceCache();
 	neighborTouchCache.clear();
+	recentlyCleanNeighborCache.clear();
 	primaryFilesThisTurn.clear();
 	cascadeDiagnosticBaselines.clear();
-	cascadeSessionStats = { runs: 0, diagnosticsSurfaced: 0, coldSnapshotTouches: 0 };
+	cascadeSessionStats = {
+		runs: 0,
+		diagnosticsSurfaced: 0,
+		coldSnapshotTouches: 0,
+	};
 	for (const timer of astGrepWarnDebounceTimers.values()) clearTimeout(timer);
 	astGrepWarnDebounceTimers.clear();
 }
 
-let cascadeSessionStats = { runs: 0, diagnosticsSurfaced: 0, coldSnapshotTouches: 0 };
+let cascadeSessionStats = {
+	runs: 0,
+	diagnosticsSurfaced: 0,
+	coldSnapshotTouches: 0,
+};
 
-export function getCascadeSessionStats(): { runs: number; diagnosticsSurfaced: number; coldSnapshotTouches: number } {
+export function getCascadeSessionStats(): {
+	runs: number;
+	diagnosticsSurfaced: number;
+	coldSnapshotTouches: number;
+} {
 	return { ...cascadeSessionStats };
 }
 
@@ -425,6 +439,16 @@ type NeighborCacheEntry = {
 };
 const neighborTouchCache = new Map<string, NeighborCacheEntry>();
 
+// Cross-turn clean cache: neighbor touches that recently returned no errors can
+// be skipped for a few turns. LSP servers push diagnostics proactively when a
+// file becomes unhealthy, so repeatedly re-opening known-clean neighbors is low value.
+type RecentlyCleanNeighborEntry = { turnSeq: number; checkedAt: number };
+const recentlyCleanNeighborCache = new Map<
+	string,
+	RecentlyCleanNeighborEntry
+>();
+const RECENTLY_CLEAN_TTL_TURNS = 5;
+
 // B10: tracks files that were the *primary* edited file this turn.
 // These are excluded from cascade neighbor results — their own pipeline run
 // already reported their diagnostics authoritatively.
@@ -436,11 +460,17 @@ function ensureCascadeTurnScope(turnSeq: number): void {
 	cascadeTurnScope = turnSeq;
 	primaryFilesThisTurn.clear();
 	neighborTouchCache.clear();
+	for (const [key, entry] of recentlyCleanNeighborCache) {
+		if (turnSeq - entry.turnSeq > RECENTLY_CLEAN_TTL_TURNS) {
+			recentlyCleanNeighborCache.delete(key);
+		}
+	}
 }
 
 const CASCADE_TTL_MS = 240_000;
 const MAX_PER_FILE = RUNTIME_CONFIG.pipeline.cascadeMaxDiagnosticsPerFile;
 const MAX_FILES = RUNTIME_CONFIG.pipeline.cascadeMaxFiles;
+const CASCADE_GRAPH_KINDS = new Set(["jsts", "python", "go", "rust", "ruby"]);
 
 /**
  * Unified cascade orchestration — builds graph, discovers neighbors, and
@@ -477,7 +507,8 @@ export async function computeCascadeForFile(
 		return undefined;
 	}
 
-	if (!detectFileKind(filePath)) {
+	const fileKind = detectFileKind(filePath);
+	if (!fileKind) {
 		logCascade({ phase: "cascade_skip", filePath, reason: "non_code_file" });
 		return undefined;
 	}
@@ -489,54 +520,87 @@ export async function computeCascadeForFile(
 	// turn won't show it as a neighbor.
 	primaryFilesThisTurn.add(normalizedFileKey);
 
-	const graphStart = Date.now();
-	const graph = await buildOrUpdateGraph(cwd, [normalizedFile], sessionFacts);
-	const graphMs = Date.now() - graphStart;
-
-	// Count files represented in the graph (nodes with a filePath).
-	const graphFileCount = new Set(
-		[...graph.nodes.values()].flatMap((n) => (n.filePath ? [n.filePath] : [])),
-	).size;
+	let impact: ReturnType<typeof computeImpactCascade> = {
+		filePath: normalizedFile,
+		changedSymbols: [],
+		directImporters: [],
+		directCallers: [],
+		neighborFiles: [],
+		riskFlags: [],
+	};
+	let sortedNeighbors: string[] = [];
+	let importerSet = new Set<string>();
+	let callerSet = new Set<string>();
+	let referenceCount = 0;
+
+	if (CASCADE_GRAPH_KINDS.has(fileKind)) {
+		const graphStart = Date.now();
+		const graph = await buildOrUpdateGraph(cwd, [normalizedFile], sessionFacts);
+		const graphMs = Date.now() - graphStart;
+
+		// Count files represented in the graph (nodes with a filePath).
+		const graphFileCount = new Set(
+			[...graph.nodes.values()].flatMap((n) =>
+				n.filePath ? [n.filePath] : [],
+			),
+		).size;
 
-	const graphBuildInfo = getLastGraphBuildInfo();
-	logCascade({
-		phase: "graph_build",
-		filePath,
-		graphBuiltMs: graphMs,
-		graphReused: graphBuildInfo.reused,
-		graphNodeCount: graph.nodes.size,
-		graphFileCount,
-		graphChangedSymbolCount: (
-			graph.changedSymbolsByFile.get(normalizedFileKey) ?? []
-		).length,
-		metadata: { graphBuildMode: graphBuildInfo.mode },
-	});
+		const graphBuildInfo = getLastGraphBuildInfo();
+		logCascade({
+			phase: "graph_build",
+			filePath,
+			graphBuiltMs: graphMs,
+			graphReused: graphBuildInfo.reused,
+			graphNodeCount: graph.nodes.size,
+			graphFileCount,
+			graphChangedSymbolCount: (
+				graph.changedSymbolsByFile.get(normalizedFileKey) ?? []
+			).length,
+			metadata: { graphBuildMode: graphBuildInfo.mode },
+		});
 
-	const impact = computeImpactCascade(graph, normalizedFile);
-
-	// Sort by relationship strength (B6) then cap to MAX_FILES.
-	// directImporters are most impactful, then callers, then reference edges.
-	const importerSet = new Set(impact.directImporters);
-	const callerSet = new Set(impact.directCallers);
-	// neighbors that are neither direct importers nor callers are reference-edge neighbors
-	const importerOrCallerSet = new Set([
-		...impact.directImporters,
-		...impact.directCallers,
-	]);
-	const referenceCount = impact.neighborFiles.filter(
-		(n) => !importerOrCallerSet.has(n),
-	).length;
-	const sortedNeighbors = [...impact.neighborFiles]
-		.filter((n) => nodeFs.existsSync(n))
-		// B10: exclude files already edited as primary this turn — their own pipeline
-		// run is the authoritative diagnostic source; showing them as neighbors is noise.
-		.filter((n) => !primaryFilesThisTurn.has(normalizeMapKey(n)))
-		.sort((a, b) => {
-			const rank = (p: string) =>
-				importerSet.has(p) ? 0 : (callerSet.has(p) ? 1 : 2);
-			return rank(a) - rank(b);
-		})
-		.slice(0, MAX_FILES);
+		impact = computeImpactCascade(graph, normalizedFile);
+
+		// Sort by relationship strength (B6) then cap to MAX_FILES.
+		// directImporters are most impactful, then callers, then reference edges.
+		importerSet = new Set(impact.directImporters);
+		callerSet = new Set(impact.directCallers);
+		// neighbors that are neither direct importers nor callers are reference-edge neighbors
+		const importerOrCallerSet = new Set([
+			...impact.directImporters,
+			...impact.directCallers,
+		]);
+		referenceCount = impact.neighborFiles.filter(
+			(n) => !importerOrCallerSet.has(n),
+		).length;
+		sortedNeighbors = [...impact.neighborFiles]
+			.filter((n) => nodeFs.existsSync(n))
+			.filter((n) => !isExternalOrVendorFile(n, cwd))
+			// B10: exclude files already edited as primary this turn — their own pipeline
+			// run is the authoritative diagnostic source; showing them as neighbors is noise.
+			.filter((n) => !primaryFilesThisTurn.has(normalizeMapKey(n)))
+			.sort((a, b) => {
+				const rank = (p: string) =>
+					importerSet.has(p) ? 0 : callerSet.has(p) ? 1 : 2;
+				return rank(a) - rank(b);
+			})
+			.slice(0, MAX_FILES);
+	} else {
+		logCascade({
+			phase: "graph_build",
+			filePath,
+			graphBuiltMs: 0,
+			graphReused: false,
+			graphNodeCount: 0,
+			graphFileCount: 0,
+			graphChangedSymbolCount: 0,
+			metadata: {
+				graphBuildMode: "skipped",
+				reason: "unsupported_kind",
+				fileKind,
+			},
+		});
+	}
 
 	logCascade({
 		phase: "neighbors_computed",
@@ -634,6 +698,41 @@ export async function computeCascadeForFile(
 				const neighborStart = Date.now();
 				const cacheKey = normalizeMapKey(neighborPath);
 
+				const passiveEntry = allDiags.get(cacheKey);
+				const hasFreshPassiveErrors =
+					passiveEntry != null &&
+					Date.now() - passiveEntry.ts < CASCADE_TTL_MS &&
+					passiveEntry.diags.some((d) => d.severity === 1);
+				const recentlyClean = recentlyCleanNeighborCache.get(cacheKey);
+				if (
+					recentlyClean &&
+					turnSeq - recentlyClean.turnSeq <= RECENTLY_CLEAN_TTL_TURNS &&
+					!hasFreshPassiveErrors
+				) {
+					producedLspData = true;
+					const durationMs = Date.now() - neighborStart;
+					logCascade({
+						phase: "neighbor_snapshot",
+						filePath,
+						neighborFile: neighborPath,
+						diagnosticCount: 0,
+						durationMs,
+						autoPropagate: false,
+						snapshotMissing: false,
+						metadata: {
+							recentlyClean: true,
+							cleanTurnSeq: recentlyClean.turnSeq,
+						},
+					});
+					return {
+						filePath: neighborPath,
+						reason: neighborReason(importerSet, callerSet, neighborPath),
+						diagnostics: [],
+						lspTouched: false,
+						durationMs,
+					} satisfies CascadeResult["neighbors"][number];
+				}
+
 				// A5: skip re-touch if this neighbor was already diagnosed at the current
 				// write sequence. A new write (higher writeSeq) invalidates the cache entry.
 				const cached =
@@ -704,6 +803,14 @@ export async function computeCascadeForFile(
 						diagnostics: diags,
 					});
 				}
+				if (diags.length === 0) {
+					recentlyCleanNeighborCache.set(cacheKey, {
+						turnSeq,
+						checkedAt: Date.now(),
+					});
+				} else {
+					recentlyCleanNeighborCache.delete(cacheKey);
+				}
 				producedLspData = true;
 
 				logCascade({
@@ -769,7 +876,7 @@ export async function computeCascadeForFile(
 	// CR-3/A2: degraded fallback when no neighbor produced trustworthy LSP data —
 	// not merely when the graph returned zero neighbors.
 	if (!producedLspData) {
-		appendFallbackNeighbors(neighbors, allDiags, normalizedFileKey);
+		appendFallbackNeighbors(neighbors, allDiags, normalizedFileKey, cwd);
 		if (neighbors.some((n) => n.reason === "fallback")) {
 			logCascade({
 				phase: "neighbor_fallback",
@@ -867,6 +974,7 @@ function appendFallbackNeighbors(
 		{ diags: import("../lsp/client.js").LSPDiagnostic[]; ts: number }
 	>,
 	normalizedFileKey: string,
+	cwd: string,
 ): void {
 	const now = Date.now();
 	const seen = new Set(neighbors.map((n) => normalizeMapKey(n.filePath)));
@@ -874,6 +982,7 @@ function appendFallbackNeighbors(
 		const diagKey = normalizeMapKey(diagPath);
 		if (diagKey === normalizedFileKey || seen.has(diagKey)) continue;
 		if (primaryFilesThisTurn.has(diagKey)) continue;
+		if (isExternalOrVendorFile(diagPath, cwd)) continue;
 		if (!nodeFs.existsSync(diagPath)) continue;
 		if (now - ts > CASCADE_TTL_MS) continue;
 		const errors = convertLspDiagnostics(
@@ -921,7 +1030,10 @@ function formatCascadeResult(
 	});
 	if (!diagnosticsBlock) return "";
 
-	const impactHeader = formatImpactCascade(impact, RUNTIME_CONFIG.pipeline.cascadeMaxFiles);
+	const impactHeader = formatImpactCascade(
+		impact,
+		RUNTIME_CONFIG.pipeline.cascadeMaxFiles,
+	);
 	let out = impactHeader
 		? `${impactHeader}\n${diagnosticsBlock}`
 		: diagnosticsBlock;
@@ -972,7 +1084,11 @@ export async function dispatchLint(
 	const kind = ctx.kind;
 	if (!kind) return "";
 
-	const groups = withSemgrepGroup(kind, getDispatchGroupsForKind(kind, pi), ctx);
+	const groups = withSemgrepGroup(
+		kind,
+		getDispatchGroupsForKind(kind, pi),
+		ctx,
+	);
 	if (groups.length === 0) return "";
 
 	await runProviders(ctx);
@@ -1011,11 +1127,16 @@ export async function dispatchLintWithResult(
 			fixed: [],
 			resolvedCount: 0,
 			output: "",
+			blockerOutput: "",
 			hasBlockers: false,
 		};
 	}
 
-	const groups = withSemgrepGroup(kind, getDispatchGroupsForKind(kind, pi), ctx);
+	const groups = withSemgrepGroup(
+		kind,
+		getDispatchGroupsForKind(kind, pi),
+		ctx,
+	);
 	if (groups.length === 0) {
 		return {
 			diagnostics: [],
@@ -1025,6 +1146,7 @@ export async function dispatchLintWithResult(
 			fixed: [],
 			resolvedCount: 0,
 			output: "",
+			blockerOutput: "",
 			hasBlockers: false,
 		};
 	}

package/clients/dispatch/plan.ts

@@ -35,6 +35,7 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 		writeGroups: [
 			primary("jsts"),
 			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["jsts"] },
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["jsts"] },
 			{ mode: "all", runnerIds: ["ast-grep-napi"], filterKinds: ["jsts"] },
 			{ mode: "fallback", runnerIds: ["type-safety"], filterKinds: ["jsts"] },
 			{
@@ -59,6 +60,7 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 			{ mode: "fallback", runnerIds: ["ruff-lint"], filterKinds: ["python"] },
 			{ mode: "fallback", runnerIds: ["mypy"], filterKinds: ["python"] },
 			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["python"] },
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["python"] },
 		],
 		fullOnlyGroups: [
 			{ mode: "fallback", runnerIds: ["python-slop"], filterKinds: ["python"] },
@@ -72,6 +74,7 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 			{ mode: "fallback", runnerIds: ["go-vet"], filterKinds: ["go"] },
 			{ mode: "fallback", runnerIds: ["golangci-lint"], filterKinds: ["go"] },
 			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["go"] },
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["go"] },
 		],
 	},
 	rust: {
@@ -81,6 +84,7 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 			primary("rust"),
 			{ mode: "fallback", runnerIds: ["rust-clippy"], filterKinds: ["rust"] },
 			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["rust"] },
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["rust"] },
 		],
 	},
 	ruby: {
@@ -90,6 +94,7 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 			primary("ruby"),
 			{ mode: "fallback", runnerIds: ["rubocop"], filterKinds: ["ruby"] },
 			{ mode: "all", runnerIds: ["tree-sitter"], filterKinds: ["ruby"] },
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["ruby"] },
 		],
 	},
 	cxx: {
@@ -100,12 +105,18 @@ export const LANGUAGE_CAPABILITY_MATRIX: Record<
 	cmake: {
 		name: "CMake Processing",
 		capabilities: ["lint"],
-		writeGroups: [primary("cmake")],
+		writeGroups: [
+			primary("cmake"),
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["cmake"] },
+		],
 	},
 	shell: {
 		name: "Shell Script Linting",
 		capabilities: ["lint", "security"],
-		writeGroups: [primary("shell")],
+		writeGroups: [
+			primary("shell"),
+			{ mode: "all", runnerIds: ["fact-rules"], filterKinds: ["shell"] },
+		],
 	},
 	json: {
 		name: "JSON Processing",

package/clients/dispatch/rules/error-swallowing.ts

@@ -24,8 +24,8 @@ export const errorSwallowingRule: FactRule = {
           filePath: ctx.filePath,
           line: s.line,
           column: s.column,
-          severity: "warning",
-          semantic: "warning",
+          severity: "error",
+          semantic: "blocking",
           message: `Empty catch block silently swallows errors`,
         });
       }