pi-lens 3.8.42 → 3.8.43

package/CHANGELOG.md

@@ -4,6 +4,25 @@ All notable changes to pi-lens will be documented in this file.
 
 ## [Unreleased]
 
+## [3.8.43] - 2026-05-10
+
+### Added
+
+- **Unresolved inline blocker re-surfacing at turn_end** — when the agent ignores a blocking diagnostic shown during a write/edit and moves to the next turn without fixing it, the blocker now reappears in the turn_end injection framed as `"Unresolved from this turn — <file>: 🔴 STOP…"`. Previously, unresolved inline blockers were silently lost until cascade happened to re-touch the same file via an importer. `RuntimeCoordinator` tracks the last-seen blocking output per file (`_pendingInlineBlockers`); a subsequent write that produces no blockers clears the entry, so only genuinely unresolved issues resurface. The map is cleared at `beginTurn` to prevent cross-turn contamination.
+- **S1219 (switch non-case labels) and S2970 (incomplete assertions) blocking tree-sitter rules** — S1219 detects labeled statements inside switch cases in TypeScript (SonarCloud S1219); S2970 detects Jest/Vitest `expect()` chains that are never called (e.g. `expect(x).toBe(y)` without `await`), with Chai property assertion exclusion. S2083 (path traversal) moved to disabled — regex heuristics on tree-sitter syntax are the wrong layer; needs taint/data-flow analysis. Adds `parent?` field to `TreeSitterNode` interface.
+- **Inline code snippets in blocker output** — each 🔴 STOP diagnostic now includes the exact source line the agent wrote that caused the violation, so the agent can identify and fix the issue without re-reading the file. `fixSuggestion` is also surfaced inline when present. Snippet capped at 120 chars.
+- **AST node type and matched text in blocker output** — tree-sitter diagnostics now carry `matchedText` (the exact matched node, more precise than the full source line) and `astNodeType` (e.g. `call_expression`, `template_string`). The agent sees: `L12: SQL query built with string interpolation (template_string) → db.query(...)`.
+- **Persist review graph to disk** — `_workspaceGraphCache` is now backed by `.pi-lens/cache/review-graph.json`. On cold start, if source file signatures match the stored cache, the full 2–4 s tree-sitter + import-fact build is skipped (~20 ms JSON parse + `rebuildIndexes` instead). Write is fire-and-forget, never blocks dispatch.
+- **Preserve last known LSP diagnostics when LSP goes inactive** — when no live clients are available (dead client respawning, circuit-breaker cooldown), `getDiagnostics` now returns the last non-empty result for that file instead of `[]`. The widget keeps showing the last known issues rather than going blank mid-session. Live clients returning `[]` clears the stale entry. Stale hits are logged as `failureKind: "no_clients_stale"`.
+
+### Fixed
+
+- **Read-guard false-positive block on files outside the project root** — edits to files outside `projectRoot` (e.g. `C:/llama/*.bat`, scripts in arbitrary directories) were always blocked with `zero_read` because reads for external files are intentionally not recorded (`isExternalOrVendor` gate in the read handler), but the `checkEdit` call had no matching guard. Added `!isExternalOrVendor` to the `checkEdit` condition so external files bypass the read-guard entirely, consistent with how reads are handled.
+
+### Changed
+
+- **Replace pyright-langserver and pylsp with jedi-language-server for Python LSP** — `PythonServer` (pyright-langserver) and `PythonPylspServer` (pylsp) removed from `LSP_SERVERS`; replaced by `PythonJediServer` which spawns `jedi-language-server`. pyright-langserver was causing 5–14 s cold-start delays on large Python projects (e.g. tinygrad) because it performs full workspace analysis on startup; jedi starts in ~200–500 ms via lazy per-file analysis. pylsp was removed because it consistently returned 0 diagnostics (no venv → jedi can't resolve imports; 1500 ms aggregate timeout hit on warm runs). Deep type checking is unaffected — the standalone `pyright` CLI runner and `mypy` runner continue to run in parallel. Added `"python-jedi"` strategy entry (`seedFirstPush: true`, `aggregateWaitMs: 1000`). Wall-clock gate for Python dispatch shifts from LSP (~5–14 s) to mypy (~3.5 s).
+
 ## [3.8.42] - 2026-05-08
 
 ### Added

package/clients/dispatch/dispatcher.ts

@@ -742,7 +742,8 @@ export async function dispatchForFile(
 
 	// Format output — only blocking issues shown inline
 	// Warnings tracked but not shown (noise) — surfaced via /lens-booboo
-	let output = formatDiagnostics(inlineBlockers, "blocking");
+	const blockerOutput = formatDiagnostics(inlineBlockers, "blocking");
+	let output = blockerOutput;
 	output += formatDiagnostics(inlineFixed, "fixed");
 	if (coverageNotice) {
 		output += formatDiagnostics([coverageNotice], "warning", 1);
@@ -807,6 +808,7 @@ export async function dispatchForFile(
 		fixed: fixedItems,
 		resolvedCount,
 		output,
+		blockerOutput,
 		hasBlockers: blockers.length > 0,
 	};
 }

package/clients/dispatch/integration.ts

@@ -1127,6 +1127,7 @@ export async function dispatchLintWithResult(
 			fixed: [],
 			resolvedCount: 0,
 			output: "",
+			blockerOutput: "",
 			hasBlockers: false,
 		};
 	}
@@ -1145,6 +1146,7 @@ export async function dispatchLintWithResult(
 			fixed: [],
 			resolvedCount: 0,
 			output: "",
+			blockerOutput: "",
 			hasBlockers: false,
 		};
 	}

package/clients/dispatch/runners/oxlint.ts

@@ -22,12 +22,10 @@ import type {
 	RunnerResult,
 } from "../types.js";
 import {
-	createAvailabilityChecker,
+	resolveToolCommand,
 	resolveToolCommandWithInstallFallback,
 } from "./utils/runner-helpers.js";
 
-const oxlint = createAvailabilityChecker("oxlint", ".exe");
-
 function resolveLocalVp(cwd: string): string | null {
 	const isWin = process.platform === "win32";
 	let dir = cwd;
@@ -81,11 +79,14 @@ const oxlintRunner: RunnerDefinition = {
 		}
 		if (cmd) {
 			args = ["lint", "--format", "unix", ctx.filePath];
-		} else if (oxlint.isAvailable(cwd)) {
-			cmd = oxlint.getCommand(cwd);
-			args = ["--format", "unix", ctx.filePath];
 		} else {
-			cmd = await resolveToolCommandWithInstallFallback(cwd, "oxlint");
+			// Use ctx.hasTool for async availability check — avoids the synchronous
+			// spawnSync probe that blocks the event loop on first call per cwd.
+			// FactStore caches the result for the session so subsequent writes are free.
+			const oxlintCmd = resolveToolCommand(cwd, "oxlint") ?? "oxlint";
+			cmd = (await ctx.hasTool(oxlintCmd))
+				? oxlintCmd
+				: await resolveToolCommandWithInstallFallback(cwd, "oxlint");
 			args = ["--format", "unix", ctx.filePath];
 		}
 		if (!cmd) {

package/clients/dispatch/runners/tree-sitter.ts

@@ -449,6 +449,11 @@ const treeSitterRunner: RunnerDefinition = {
 		const queryResults: Diagnostic[][] = [];
 
 		for (let i = 0; i < effectiveQueries.length; i += CONCURRENCY_LIMIT) {
+			// Yield the event loop between batches so already-resolved promises from
+			// other parallel groups (LSP, eslint skip, etc.) can drain. Each wasm query
+			// batch is synchronous CPU work that would otherwise pin the event loop for
+			// the full runner duration, making other runners' latency measurements wrong.
+			if (i > 0) await new Promise<void>((r) => setImmediate(r));
 			const batch = effectiveQueries.slice(i, i + CONCURRENCY_LIMIT);
 			const batchResults = await Promise.all(
 				batch.map(async (query) => {
@@ -519,6 +524,8 @@ const treeSitterRunner: RunnerDefinition = {
 								autoFixAvailable: false,
 								fixKind: hasSuggestedFix ? "suggestion" : undefined,
 								fixSuggestion: suggestion,
+								matchedText: match.matchedText || undefined,
+								astNodeType: match.nodeType || undefined,
 							});
 						}
 					} catch (err) {

package/clients/dispatch/types.ts

@@ -84,6 +84,10 @@ export interface Diagnostic {
 	fixKind?: "pipeline" | "manual" | "suggestion";
 	/** Auto-fix command/suggestion */
 	fixSuggestion?: string;
+	/** Exact matched text from tree-sitter (more precise than the full source line) */
+	matchedText?: string;
+	/** Tree-sitter AST node type of the match (e.g. "call_expression", "template_string") */
+	astNodeType?: string;
 }
 
 export interface DispatchResult {
@@ -101,6 +105,8 @@ export interface DispatchResult {
 	resolvedCount: number;
 	/** Formatted output for display */
 	output: string;
+	/** Blocking-only portion of output (without auto-fix section) — for turn_end re-surfacing */
+	blockerOutput: string;
 	/** Whether any blockers were found */
 	hasBlockers: boolean;
 }

package/clients/lsp/client.ts

@@ -13,6 +13,7 @@ import { EventEmitter } from "node:events";
 import { existsSync } from "node:fs";
 import { pathToFileURL } from "node:url";
 import type { MessageConnection } from "vscode-jsonrpc";
+import { logLatency } from "../latency-logger.js";
 import {
 	createMessageConnection,
 	StreamMessageReader,
@@ -549,10 +550,24 @@ function setupConnectionLifecycle(state: LSPClientState): void {
 		disposeClientConnection(state);
 	});
 
-	state.lspProcess.process.on("exit", (_code) => {
+	state.lspProcess.process.on("exit", (code) => {
+		const wasConnected = state.isConnected;
 		state.isConnected = false;
 		state.isDestroyed = true;
 		disposeClientConnection(state);
+		if (wasConnected) {
+			logLatency({
+				type: "phase",
+				phase: "lsp_server_unexpected_exit",
+				filePath: state.root,
+				durationMs: 0,
+				metadata: {
+					serverId: state.serverId,
+					pid: state.lspProcess.pid,
+					exitCode: code ?? null,
+				},
+			});
+		}
 	});
 }
 

package/clients/lsp/index.ts

@@ -30,6 +30,7 @@ export interface LSPState {
 	servers: Map<string, LSPServerInfo>;
 	broken: Map<string, number>; // servers that failed to initialize with retry-at timestamp
 	inFlight: Map<string, Promise<SpawnedServer | undefined>>; // prevent duplicate spawns
+	clientSpawnedAt: Map<string, number>; // key: "serverId:root" → epoch ms of last successful spawn
 }
 
 const BROKEN_BASE_COOLDOWN_MS = 15_000;
@@ -137,6 +138,15 @@ export class LSPService {
 	private readonly optionalDisabled = new Set<string>();
 	/** Consecutive failure counts for exponential backoff circuit breaker */
 	private readonly failureCounts = new Map<string, number>();
+	/**
+	 * Last non-empty diagnostic result per normalized file path.
+	 * Returned as a fallback when no live LSP clients are available so the
+	 * widget keeps showing the last known issues rather than going blank.
+	 */
+	private readonly lastKnownDiagnostics = new Map<
+		string,
+		import("./client.js").LSPDiagnostic[]
+	>();
 	private readonly recentTouches = new Map<
 		string,
 		{ fingerprint: string; touchedAt: number; clientScope: "primary" | "all" }
@@ -150,6 +160,7 @@ export class LSPService {
 			servers: new Map(),
 			broken: new Map(),
 			inFlight: new Map(),
+			clientSpawnedAt: new Map(),
 		};
 	}
 
@@ -287,6 +298,14 @@ export class LSPService {
 		]);
 
 		if (!timeoutResult) {
+			// Snapshot known client health — scan by serverId prefix (no root needed)
+			const knownHealth = [...this.state.clients.entries()]
+				.filter(([k]) => servers.some((s) => k.startsWith(`${s.id}:`)))
+				.map(([k, c]) => ({
+					serverId: k.split(":")[0],
+					alive: c.isAlive(),
+					spawnedAt: this.state.clientSpawnedAt.get(k) ?? null,
+				}));
 			logLatency({
 				type: "phase",
 				phase: "lsp_client_wait_timeout",
@@ -295,6 +314,8 @@ export class LSPService {
 				metadata: {
 					maxWaitMs: effectiveMaxWaitMs,
 					serverIds: servers.map((s) => s.id),
+					// servers absent from knownHealth were never spawned or are still spawning
+					knownClientHealth: knownHealth,
 				},
 			});
 		}
@@ -374,12 +395,26 @@ export class LSPService {
 				}
 				return { client: existing, info: server };
 			}
+			// Dead client — was previously alive, now needs respawn
+			const spawnedAt = this.state.clientSpawnedAt.get(key);
+			logLatency({
+				type: "phase",
+				phase: "lsp_server_respawn",
+				filePath,
+				durationMs: 0,
+				metadata: {
+					serverId: server.id,
+					root,
+					uptimeMs: spawnedAt != null ? Date.now() - spawnedAt : null,
+				},
+			});
 			try {
 				await existing.shutdown();
 			} catch {
 				/* ignore dead client shutdown errors */
 			}
 			this.state.clients.delete(key);
+			this.state.clientSpawnedAt.delete(key);
 			this.state.broken.delete(key);
 		}
 
@@ -482,6 +517,7 @@ export class LSPService {
 						};
 
 			this.state.clients.set(key, client);
+			this.state.clientSpawnedAt.set(key, Date.now());
 			this.failureCounts.delete(key);
 			if (isOptionalServer) {
 				this.optionalDisabled.delete(key);
@@ -699,6 +735,7 @@ export class LSPService {
 		const normalizedPath = normalizeMapKey(filePath);
 		const { clients: spawned, serverCountAttempted } = await this.getClientsForFile(filePath);
 		if (spawned.length === 0) {
+			const stale = this.lastKnownDiagnostics.get(normalizedPath);
 			logLatency({
 				type: "phase",
 				phase: "lsp_diagnostics_aggregate",
@@ -707,14 +744,14 @@ export class LSPService {
 				metadata: {
 					serverCountAttempted,
 					serverCountReady: 0,
-					mergedCount: 0,
+					mergedCount: stale?.length ?? 0,
 					dedupDroppedCount: 0,
-					failureKind: "no_clients",
+					failureKind: stale?.length ? "no_clients_stale" : "no_clients",
 					health: "no_clients",
 					servers: [],
 				},
 			});
-			return [];
+			return stale ?? [];
 		}
 
 		// Per-server entries produced by client waits. Each promise resolves
@@ -840,6 +877,15 @@ export class LSPService {
 			},
 		});
 
+		// Keep last known so the widget can show stale diagnostics if LSP dies.
+		// Live clients returning [] means genuinely no errors — clear the stale
+		// entry so the widget doesn't show resolved issues.
+		if (merged.length > 0) {
+			this.lastKnownDiagnostics.set(normalizedPath, merged);
+		} else {
+			this.lastKnownDiagnostics.delete(normalizedPath);
+		}
+
 		return merged;
 	}
 

package/clients/lsp/server-strategies.ts

@@ -48,6 +48,13 @@ export const SERVER_DIAGNOSTIC_STRATEGIES: Record<string, DiagnosticStrategy> =
 			aggregateWaitMs: 1500,
 			expectSemanticSecondPush: false,
 		},
+		"python-jedi": {
+			seedFirstPush: true,
+			pullRetryBudgetMs: 0,
+			debounceMs: 100,
+			aggregateWaitMs: 1000,
+			expectSemanticSecondPush: false,
+		},
 		eslint: {
 			seedFirstPush: true,
 			pullRetryBudgetMs: 0,

package/clients/lsp/server.ts

@@ -969,9 +969,9 @@ export const PythonServer: LSPServerInfo = {
 	},
 };
 
-export const PythonPylspServer: LSPServerInfo = {
-	id: "python-pylsp",
-	name: "Python LSP Server (pylsp)",
+export const PythonJediServer: LSPServerInfo = {
+	id: "python-jedi",
+	name: "Jedi Language Server",
 	extensions: KIND_EXTENSIONS["python"],
 	root: RootWithFallback(
 		createRootDetector([
@@ -986,10 +986,10 @@ export const PythonPylspServer: LSPServerInfo = {
 	),
 	async spawn(root) {
 		try {
-			const proc = await launchLSP("pylsp", [], { cwd: root });
+			const proc = await launchLSP("jedi-language-server", [], { cwd: root });
 			const pythonPath = await detectPythonVenv(root);
 			const initialization: Record<string, unknown> = pythonPath
-				? { pylsp: { plugins: { jedi: { environment: pythonPath } } } }
+				? { workspace: { environmentPath: pythonPath } }
 				: {};
 			return { process: proc, source: "direct", initialization };
 		} catch {
@@ -1703,8 +1703,7 @@ export const CssServer: LSPServerInfo = {
 export const LSP_SERVERS: LSPServerInfo[] = [
 	TypeScriptServer,
 	DenoServer,
-	PythonServer,
-	PythonPylspServer,
+	PythonJediServer,
 	GoServer,
 	RustServer,
 	RubyServer,

package/clients/pipeline.ts

@@ -28,7 +28,7 @@ import {
 	resolveToolCommand,
 	resolveToolCommandWithInstallFallback,
 } from "./dispatch/runners/utils/runner-helpers.js";
-import type { PiAgentAPI } from "./dispatch/types.js";
+import type { Diagnostic, PiAgentAPI } from "./dispatch/types.js";
 import { detectFileKind, getFileKindLabel } from "./file-kinds.js";
 import {
 	detectFileChangedAfterCommand,
@@ -178,6 +178,8 @@ export interface PipelineResult {
 	fileModified: boolean;
 	/** Files modified by pi-lens format/autofix, including side-effect files. */
 	changedFiles?: string[];
+	/** Blocking-only formatted output for turn_end re-surfacing if agent didn't fix */
+	inlineBlockerSummary?: string;
 }
 
 // --- Phase timing helpers ---
@@ -765,6 +767,45 @@ export async function runFormatPhase(
 	return { formatChanged, formattersUsed, formatFailures, fileContent };
 }
 
+/**
+ * Build the 🔴 STOP blocker output with an inline code snippet for each
+ * diagnostic so the agent can see the exact line it wrote without re-reading
+ * the file.
+ *
+ * Example:
+ *   L4: 'randomInt' is declared but its value is never read.
+ *       → const randomInt = Math.floor(result);
+ */
+function buildEnrichedBlockerOutput(
+	blockers: Diagnostic[],
+	fileContent: string,
+): string {
+	const fileLines = fileContent.split("\n");
+	const MAX_SNIPPET = 120; // chars — keep it tight in context
+
+	let out = `\n\n🔴 STOP — ${blockers.length} issue(s) must be fixed:\n`;
+	const shown = blockers.slice(0, 10);
+
+	for (const d of shown) {
+		const lineNo = d.line ?? 1;
+		const nodeCtx = d.astNodeType ? ` (${d.astNodeType})` : "";
+		out += `  L${lineNo}: ${d.message}${nodeCtx}\n`;
+		// Prefer the exact matched node text (tree-sitter); fall back to the
+		// full source line (LSP / other runners).
+		const snippet = d.matchedText
+			? d.matchedText.trim().split("\n")[0]?.slice(0, MAX_SNIPPET)
+			: fileLines[lineNo - 1]?.trim().slice(0, MAX_SNIPPET);
+		if (snippet) out += `      → ${snippet}\n`;
+		if (d.fixSuggestion) out += `      💡 ${d.fixSuggestion}\n`;
+	}
+
+	if (blockers.length > 10) {
+		out += `  ... and ${blockers.length - 10} more\n`;
+	}
+
+	return out;
+}
+
 // --- Main Pipeline ---
 
 export async function runPipeline(
@@ -942,7 +983,17 @@ export async function runPipeline(
 		getDiagnosticTracker().trackAgentFixed(dispatchResult.resolvedCount);
 
 	let output = "";
-	if (dispatchResult.output) output += `\n\n${dispatchResult.output}`;
+	if (dispatchResult.hasBlockers && fileContent) {
+		// Enrich blocker output with a code snippet so the agent can see the
+		// exact line it wrote that caused each violation — no re-read needed.
+		output += buildEnrichedBlockerOutput(dispatchResult.blockers, fileContent);
+		// Append fixed/coverage parts from the original output (slice off the
+		// blocker section we're replacing).
+		const rest = dispatchResult.output.slice(dispatchResult.blockerOutput.length);
+		if (rest) output += rest;
+	} else if (dispatchResult.output) {
+		output += `\n\n${dispatchResult.output}`;
+	}
 	if (fixedCount > 0) {
 		const detail =
 			autofixTools.length > 0 ? ` (${autofixTools.join(", ")})` : "";
@@ -1005,5 +1056,8 @@ export async function runPipeline(
 		isError: false,
 		fileModified: formatChanged || fixedCount > 0,
 		changedFiles: [...piChangedFiles],
+		inlineBlockerSummary: dispatchResult.hasBlockers
+			? dispatchResult.blockerOutput.trim() || undefined
+			: undefined,
 	};
 }

package/clients/review-graph/builder.ts

@@ -174,6 +174,59 @@ function rebuildIndexes(graph: ReviewGraph): void {
 	}
 }
 
+const GRAPH_CACHE_REL = path.join(".pi-lens", "cache", "review-graph.json");
+
+interface PersistedGraphData {
+	version: string;
+	builtAt: string;
+	signature: string;
+	nodes: Array<[string, ReviewGraphNode]>;
+	edges: ReviewGraphEdge[];
+}
+
+function loadPersistedGraph(
+	cwd: string,
+): { signature: string; graph: ReviewGraph } | null {
+	const cachePath = path.join(cwd, GRAPH_CACHE_REL);
+	try {
+		const raw = fs.readFileSync(cachePath, "utf-8");
+		const data = JSON.parse(raw) as PersistedGraphData;
+		if (data.version !== REVIEW_GRAPH_VERSION) return null;
+		const graph: ReviewGraph = {
+			version: data.version,
+			builtAt: data.builtAt,
+			nodes: new Map(data.nodes),
+			edges: data.edges,
+			edgesByFrom: new Map(),
+			edgesByTo: new Map(),
+			fileNodes: new Map(),
+			symbolNodesByFile: new Map(),
+			changedSymbolsByFile: new Map(),
+		};
+		rebuildIndexes(graph);
+		return { signature: data.signature, graph };
+	} catch {
+		return null;
+	}
+}
+
+function persistGraph(cwd: string, signature: string, graph: ReviewGraph): void {
+	const cacheDir = path.join(cwd, ".pi-lens", "cache");
+	const cachePath = path.join(cwd, GRAPH_CACHE_REL);
+	const data: PersistedGraphData = {
+		version: graph.version,
+		builtAt: graph.builtAt,
+		signature,
+		nodes: Array.from(graph.nodes.entries()),
+		edges: graph.edges,
+	};
+	const json = JSON.stringify(data);
+	fs.mkdir(cacheDir, { recursive: true }, (mkdirErr) => {
+		if (mkdirErr) return;
+		fs.writeFile(cachePath, json, "utf-8", () => {});
+	});
+}
+
 function localImportToFile(
 	cwd: string,
 	filePath: string,
@@ -456,19 +509,40 @@ async function _doBuildGraph(
 	const normalizedChanged = changedFiles.map((file) => normalizeMapKey(file));
 	const filesToBuild = getGraphSourceFiles(cwd);
 	const signature = sourceSignature(filesToBuild);
-	const cached = _workspaceGraphCache.get(normalizedCwd);
-	if (cached?.signature === signature) {
-		const graph = cloneGraph(cached.graph);
+
+	// Tier 1: in-memory cache (hot path — same process, already built this session)
+	const memCached = _workspaceGraphCache.get(normalizedCwd);
+	if (memCached?.signature === signature) {
+		const graph = cloneGraph(memCached.graph);
+		rebuildIndexes(graph);
+		graph.changedSymbolsByFile.clear();
+		for (const file of normalizedChanged) {
+			upsertChangedSymbols(graph, facts, file);
+		}
+		_lastGraphBuildInfo = { reused: true, mode: "cached" };
+		facts.setSessionFact("session.reviewGraph", graph);
+		return graph;
+	}
+
+	// Tier 2: disk cache (cold start — files unchanged since last persist)
+	const diskCached = loadPersistedGraph(cwd);
+	if (diskCached?.signature === signature) {
+		const graph = cloneGraph(diskCached.graph);
 		rebuildIndexes(graph);
 		graph.changedSymbolsByFile.clear();
 		for (const file of normalizedChanged) {
 			upsertChangedSymbols(graph, facts, file);
 		}
+		_workspaceGraphCache.set(normalizedCwd, {
+			signature,
+			graph: cloneGraph(diskCached.graph),
+		});
 		_lastGraphBuildInfo = { reused: true, mode: "cached" };
 		facts.setSessionFact("session.reviewGraph", graph);
 		return graph;
 	}
 
+	// Tier 3: full build
 	const graph = createEmptyGraph();
 	for (const file of filesToBuild) {
 		const kind = detectFileKind(file);
@@ -490,10 +564,9 @@ async function _doBuildGraph(
 	resolveDeferredSymbolEdges(graph);
 	graph.version = REVIEW_GRAPH_VERSION;
 	graph.builtAt = new Date().toISOString();
-	_workspaceGraphCache.set(normalizedCwd, {
-		signature,
-		graph: cloneGraph(graph),
-	});
+	const graphSnapshot = cloneGraph(graph);
+	_workspaceGraphCache.set(normalizedCwd, { signature, graph: graphSnapshot });
+	persistGraph(cwd, signature, graphSnapshot); // fire-and-forget
 	_lastGraphBuildInfo = { reused: false, mode: "full" };
 	facts.setSessionFact("session.reviewGraph", graph);
 	return graph;

package/clients/runtime-coordinator.ts

@@ -61,6 +61,10 @@ export class RuntimeCoordinator {
 		string,
 		{ status: "warming" | "ready"; ts: number }
 	>();
+	private readonly _pendingInlineBlockers = new Map<
+		string,
+		{ filePath: string; summary: string }
+	>();
 
 	resetForSession(): void {
 		this._sessionGeneration += 1;
@@ -87,6 +91,7 @@ export class RuntimeCoordinator {
 		this._readGuard = null;
 		this._pendingDeferredFormatFiles.clear();
 		this._lspReadWarmState.clear();
+		this._pendingInlineBlockers.clear();
 	}
 
 	get sessionStartedAt(): number {
@@ -132,6 +137,7 @@ export class RuntimeCoordinator {
 
 	beginTurn(): void {
 		this._cascadeResults = [];
+		this._pendingInlineBlockers.clear();
 		this._turnIndex += 1;
 		this._writeIndex = 0;
 		this._reportedThisTurn.clear();
@@ -266,6 +272,20 @@ export class RuntimeCoordinator {
 		return results;
 	}
 
+	recordInlineBlockers(filePath: string, summary: string): void {
+		this._pendingInlineBlockers.set(path.resolve(filePath), { filePath, summary });
+	}
+
+	clearInlineBlockers(filePath: string): void {
+		this._pendingInlineBlockers.delete(path.resolve(filePath));
+	}
+
+	consumeInlineBlockers(): Array<{ filePath: string; summary: string }> {
+		const entries = [...this._pendingInlineBlockers.values()];
+		this._pendingInlineBlockers.clear();
+		return entries;
+	}
+
 	get complexityBaselines(): Map<string, FileComplexity> {
 		return this._complexityBaselines;
 	}

package/clients/runtime-tool-result.ts

@@ -281,6 +281,7 @@ export async function handleToolResult(deps: ToolResultDeps): Promise<{
 		isError?: boolean;
 		cascadeResult?: import("./cascade-types.js").CascadeResult;
 		changedFiles?: string[];
+		inlineBlockerSummary?: string;
 	};
 	const pipelinePromise = runPipeline(
 		{
@@ -401,6 +402,12 @@ export async function handleToolResult(deps: ToolResultDeps): Promise<{
 		runtime.appendCascadeResult(result.cascadeResult);
 	}
 
+	if (result.inlineBlockerSummary) {
+		runtime.recordInlineBlockers(filePath, result.inlineBlockerSummary);
+	} else {
+		runtime.clearInlineBlockers(filePath);
+	}
+
 	if (result.isError) {
 		return {
 			content: [...event.content, { type: "text", text: result.output }],

package/clients/runtime-turn.ts

@@ -129,6 +129,14 @@ export async function handleTurnEnd(deps: TurnEndDeps): Promise<void> {
 	const blockerParts: string[] = [];
 	const advisoryParts: string[] = [];
 
+	// Re-surface inline blockers from this turn that the agent didn't fix.
+	// These were shown inline during write/edit but the agent moved on without resolving them.
+	const unresolvedBlockers = runtime.consumeInlineBlockers();
+	for (const { filePath: bPath, summary } of unresolvedBlockers) {
+		const displayPath = toRunnerDisplayPath(cwd, bPath);
+		blockerParts.push(`Unresolved from this turn — ${displayPath}:\n${summary}`);
+	}
+
 	// Merge accumulated cascade results from all pipeline runs this turn.
 	// Two-pass dedup:
 	//   1. Primary-level: dedup by primary file (last writer wins).

package/clients/tree-sitter-client.ts

@@ -43,6 +43,7 @@ interface TreeSitterNode {
 	type: string;
 	text: string;
 	children: TreeSitterNode[];
+	parent?: TreeSitterNode | null;
 	isNamed: boolean;
 	childCount: number;
 	startPosition: { row: number; column: number };
@@ -80,6 +81,8 @@ export interface StructuralMatch {
 	line: number;
 	column: number;
 	matchedText: string;
+	/** Tree-sitter node type of the first capture (e.g. "call_expression") */
+	nodeType?: string;
 	captures: Record<string, string>;
 }
 
@@ -973,6 +976,61 @@ export class TreeSitterClient {
 			}
 			case "ts_detached_async_call":
 				return /(Async$|fetch$|request$)/.test(captures.FN?.text ?? "");
+			case "incomplete_assertion": {
+				const expectNode = captures.EXPECT;
+				if (!expectNode) return false;
+				const CHAI_PROPERTY_ASSERTIONS = new Set([
+					"true",
+					"false",
+					"null",
+					"undefined",
+					"empty",
+					"NaN",
+					"finite",
+					"exist",
+					"arguments",
+					"extensible",
+					"sealed",
+					"frozen",
+					"locked",
+				]);
+				// The expect identifier is inside a call_expression. Walk up past that
+				// call_expression to the container that determines if it's a complete
+				// assertion or an incomplete one.
+				let current: TreeSitterNode | null | undefined = expectNode.parent;
+				if (!current) return false;
+				current = current.parent; // skip the expect(...) call_expression
+				if (!current) return false;
+				// Bare expect(foo); or return expect(foo);
+				if (
+					current.type === "expression_statement" ||
+					current.type === "return_statement"
+				)
+					return true;
+				let lastPropertyName: string | null = null;
+				while (current && current.type === "member_expression") {
+					const propNode = current.children?.find(
+						(c: any) => c.type === "property_identifier",
+					);
+					if (propNode) lastPropertyName = propNode.text;
+					const parent: TreeSitterNode | null | undefined = current.parent;
+					if (!parent) return false;
+					if (
+						parent.type === "expression_statement" ||
+						parent.type === "return_statement"
+					) {
+						if (
+							lastPropertyName &&
+							CHAI_PROPERTY_ASSERTIONS.has(lastPropertyName)
+						)
+							return false;
+						return true;
+					}
+					if (parent.type === "call_expression") return false;
+					current = parent;
+				}
+				return false;
+			}
 			case "py_command_injection_sink": {
 				const mod = captures.MOD?.text ?? "";
 				const fn = captures.FN?.text ?? "";
@@ -1119,6 +1177,7 @@ export class TreeSitterClient {
 						line: firstNode.startPosition.row + 1,
 						column: firstNode.startPosition.column + 1,
 						matchedText: firstNode.text,
+						nodeType: firstNode.type as string | undefined,
 						captures: textCaptures,
 					});
 				}

package/index.ts

@@ -1339,7 +1339,7 @@ export default function (pi: ExtensionAPI) {
 			const isExistingFile =
 				typeof readGuard?.isNewFile !== "function" ||
 				!readGuard.isNewFile(filePath);
-			if (readGuard && isExistingFile) {
+			if (readGuard && isExistingFile && !isExternalOrVendor) {
 				const { touchedLines, editRanges, preflightError } =
 					getTouchedLinesForGuard(event, filePath, runtime.telemetrySessionId);
 				if (preflightError) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pi-lens",
-	"version": "3.8.42",
+	"version": "3.8.43",
 	"type": "module",
 	"description": "Real-time code feedback for pi — LSP, linters, formatters, type-checking, structural analysis & booboo",
 	"repository": {

package/rules/tree-sitter-queries/typescript/incomplete-assertion.yml

@@ -0,0 +1,50 @@
+# TypeScript Incomplete Assertion
+# Detects expect() chains that are never called (Jest/Vitest style).
+# Chai property assertions (e.g. expect(foo).to.be.true) are excluded.
+id: ts-incomplete-assertion
+name: Incomplete Test Assertion
+severity: error
+category: testing
+defect_class: correctness
+inline_tier: blocking
+language: typescript
+
+message: "Incomplete assertion — expect() chain is not called"
+
+description: |
+  Jest and Vitest matchers are methods that must be called.
+  `expect(foo).toBe` (without parentheses) or `expect(foo)` (without a
+  matcher) does not actually assert anything. The test will pass silently.
+
+  ✅ FIX: call the matcher: `expect(foo).toBe(true)`
+
+query: |
+  (call_expression
+    function: (identifier) @EXPECT
+    (#eq? @EXPECT "expect")
+    arguments: (arguments)) @EXPR
+
+metavars:
+  - EXPECT
+  - EXPR
+
+post_filter: incomplete_assertion
+
+has_fix: false
+
+tags:
+  - typescript
+  - testing
+  - jest
+  - vitest
+  - assertions
+
+examples:
+  bad: |
+    expect(foo).toBe;        // BAD — matcher not called
+    expect(foo).not.toBe;    // BAD — matcher not called
+    expect(foo);             // BAD — no matcher at all
+
+  good: |
+    expect(foo).toBe(true);  // OK
+    expect(foo).not.toBe(1); // OK

package/rules/tree-sitter-queries/typescript/switch-non-case-labels.yml

@@ -0,0 +1,53 @@
+# TypeScript Switch Non-Case Labels
+# Detects non-case labels inside switch statements in TypeScript
+id: switch-non-case-labels-ts
+name: Switch Should Not Contain Non-Case Labels
+severity: error
+category: reliability
+defect_class: correctness
+inline_tier: blocking
+language: typescript
+
+message: "switch statements should not contain non-case labels"
+
+description: |
+  Non-case labels in switch statements create confusing control flow.
+  This is a MISRA rule violation.
+
+  ✅ FIX: Remove labels or restructure code
+
+query: |
+  (switch_statement
+    body: (switch_body
+      (switch_case
+        (labeled_statement
+          (statement_identifier) @LABEL) @LABELED)))
+
+metavars:
+  - LABEL
+  - LABELED
+
+tags:
+  - reliability
+  - typescript
+  - misra
+  - control-flow
+
+examples:
+  bad: |
+    switch (x) {
+        case 1:
+            break;
+        myLabel:  // BAD
+            doSomething();
+    }
+
+  good: |
+    switch (x) {
+        case 1:
+            break;
+        default:
+            break;
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/typescript-disabled/ts-path-traversal.yml

@@ -0,0 +1,71 @@
+# TypeScript Path Traversal
+# Detects fs and path API calls with potentially user-controlled paths.
+id: ts-path-traversal
+name: Path Traversal Risk
+severity: error
+category: security
+defect_class: injection
+inline_tier: blocking
+language: typescript
+
+message: "Potential path traversal sink — avoid filesystem I/O with untrusted input"
+
+description: |
+  File-system APIs (`fs.readFile`, `fs.writeFile`, `path.join`, etc.) are
+  vulnerable when path arguments include untrusted input. An attacker can
+  inject `../` sequences to access files outside the intended directory.
+
+  ✅ FIX: validate and sanitize paths; use allowlists or chroot jails.
+
+query: |
+  (call_expression
+    function: (member_expression
+      object: (identifier) @MOD
+      property: (property_identifier) @FN)
+    arguments: (arguments
+      [(identifier) (member_expression) (template_string) (call_expression) (binary_expression)] @PATH)
+    (#eq? @MOD "fs"))
+  (call_expression
+    function: (member_expression
+      object: (identifier) @MOD
+      property: (property_identifier) @FN)
+    arguments: (arguments
+      [(identifier) (member_expression) (template_string) (call_expression) (binary_expression)] @PATH)
+    (#eq? @MOD "path")
+    (#match? @FN "^(join|resolve)$"))
+  (call_expression
+    function: (member_expression
+      object: (member_expression
+        object: (identifier) @MOD
+        property: (property_identifier) @PROMISES)
+      property: (property_identifier) @FN)
+    arguments: (arguments
+      [(identifier) (member_expression) (template_string) (call_expression) (binary_expression)] @PATH)
+    (#eq? @MOD "fs")
+    (#eq? @PROMISES "promises"))
+
+metavars:
+  - MOD
+  - PROMISES
+  - FN
+  - PATH
+
+post_filter: ts_path_traversal_sink
+
+has_fix: false
+
+tags:
+  - typescript
+  - security
+  - path-traversal
+  - cwe-22
+  - owasp-a01
+
+examples:
+  bad: |
+    fs.readFile(req.query.path);   // BAD — user controls path
+    path.join(baseDir, userFile);  // BAD — user controls segment
+
+  good: |
+    fs.readFile("./safe.txt");     // OK — literal path
+    path.join(baseDir, "static");  // OK — literal segment