v3.8.61

Added

• Release notes now come from CHANGELOG.md (single source of truth) + per-language rule catalogs
• Trivy security suite — four scan modes (#131)
• typos spell-checker as a cross-cutting auxiliary LSP (#283)
• ast-grep project scan via the bundled napi engine (#308)
• 37 SonarCloud Python BLOCKER rules as ast-grep rules (#317)
• ast-grep flag-argument + Law-of-Demeter rules (#305)
• Go concurrency / correctness / GORM ast-grep rules
• module_report cross-file blast-radius (#304)
• Contributor guide + issue/PR templates
• License, Code of Conduct, security policy, and all-contributors
• Issue/PR automation
• GitHub Actions hardening
• README split into a landing page + docs

Changed

• Tool schemas aligned with the pi SDK house style
• Session-start guidance now surfaces module_report + read_symbol, and is leaner

Removed

• Standalone pilens_impact tool — folded into module_report (#304)
• Built-in regex secrets scanner (clients/secrets-scanner.ts)

Fixed

• Full-suite "Worker exited unexpectedly" flake (#283)
• Read-guard no longer false-blocks edits the host would apply
• Edit shapes pinned to the host's EditToolInput type
• Cached project diagnostics no longer replay stale findings
• lsp_diagnostics directory scans reuse the canonical exclusions and honor project ignore
• Cascade no longer surfaces diagnostics from ignored files