semgrep: filesystem-deletion rule lacks paths:exclude for src/hooks/ #1954

@pszymkowiak

Description
Problem

The filesystem-deletion rule in .semgrep.yml matches the syntactic pattern fs::remove_file(...) / fs::remove_dir_all(...) with no paths: scoping. Its own message states the intent:

File/directory deletion detected. Expected in hooks/init cleanup, surprising in a filter module. Verify intent.

But because the rule has no path filter, it scans src/hooks/ too. The CI runs semgrep scan --config .semgrep.yml --baseline-commit <base> --error, so any PR that adds a new deletion call to src/hooks/init.rs (uninstall logic for a new agent) produces a fresh finding and fails the scan — even though deletion there is exactly what the rule says it expects.

init.rs already contains ~8 fs::remove_file calls (Claude, Gemini, Cursor, Codex uninstall paths); they only pass CI because they predate the baseline. Every future agent-uninstall PR will hit this false positive (e.g. #1741, Pi support).

Proposed fix

Add a paths: exclude so the rule reflects its stated intent — flag deletions in filter modules, not in the hooks/init cleanup code:

  - id: filesystem-deletion
    pattern-either:
      - pattern: fs::remove_file(...)
      - pattern: fs::remove_dir_all(...)
      - pattern: std::fs::remove_file(...)
      - pattern: std::fs::remove_dir_all(...)
    paths:
      exclude:
        - src/hooks/
    message: >
      ...

Workaround until fixed

New uninstall PRs can add // nosemgrep: filesystem-deletion on the offending line.
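A small model of the CI behaviour this issue describes, added here as an example and not taken from the issue or from the project's own configuration. It stands in for three semgrep mechanisms with deliberately simplified assumptions: a regex plays the role of the rule's four `pattern-either` alternatives, `paths: exclude` is modelled as a directory-prefix match, `// nosemgrep: <id>` is honoured only on the matched line, and `--baseline-commit` is modelled as "a finding is new if its (path, matched text) pair is absent from the base revision". The Rust source files are constructed fixtures, as are the helper names (`scan`, `ci_fails`, `is_excluded`).

```python
"""Model of the semgrep filesystem-deletion rule under --baseline-commit --error.

Added example; not the project's code. Assumptions are marked inline.
"""
import re
from dataclasses import dataclass

RULE_ID = "filesystem-deletion"
# Assumption: this regex stands in for the rule's pattern-either block
# (fs::remove_file, fs::remove_dir_all, and their std::fs:: spellings).
DELETION_CALL = re.compile(r"\b(?:std::)?fs::remove_(?:file|dir_all)\s*\(")
# Assumption: `// nosemgrep` or `// nosemgrep: id1,id2` on the matched line.
NOSEMGREP = re.compile(r"//\s*nosemgrep(?::\s*([\w,\-]+))?")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    text: str

    def key(self):
        # Baseline comparison ignores line numbers: a call that merely moved
        # within a file is not a new finding.
        return (self.path, self.text)


def is_excluded(path: str, exclude) -> bool:
    """Model of paths.exclude: a directory entry covers everything beneath it."""
    return any(path.startswith(e.rstrip("/") + "/") for e in exclude)


def suppressed(line: str) -> bool:
    """True when the line carries a nosemgrep comment that covers RULE_ID."""
    m = NOSEMGREP.search(line)
    if not m:
        return False
    ids = m.group(1)
    return ids is None or RULE_ID in ids.split(",")


def scan(files: dict, exclude=()) -> set:
    """One Finding per matching, unsuppressed line in files not under exclude."""
    found = set()
    for path, src in files.items():
        if is_excluded(path, exclude):
            continue
        for n, line in enumerate(src.splitlines(), 1):
            if DELETION_CALL.search(line) and not suppressed(line):
                found.add(Finding(path, n, line.strip()))
    return found


def new_findings(base: dict, head: dict, exclude=()) -> set:
    """Model of --baseline-commit: findings in head whose key is absent in base."""
    baseline = {f.key() for f in scan(base, exclude)}
    return {f for f in scan(head, exclude) if f.key() not in baseline}


def ci_fails(base: dict, head: dict, exclude=()) -> bool:
    """Model of --error: the scan fails the job iff any finding is new."""
    return bool(new_findings(base, head, exclude))


# Constructed fixtures: a hooks/init module that already deletes one agent's
# hook file (predates the baseline) and a filter module with no deletions.
INIT_RS_BASE = (
    "use std::fs;\n\n"
    "pub fn uninstall_claude(home: &Path) -> io::Result<()> {\n"
    '    fs::remove_file(home.join(".claude/hook.json"))\n'
    "}\n"
)
FILTER_RS_BASE = (
    "pub fn apply(input: &str) -> String {\n"
    '    input.replace("secret", "[redacted]")\n'
    "}\n"
)
BASE = {"src/hooks/init.rs": INIT_RS_BASE, "src/filters/redact.rs": FILTER_RS_BASE}

# PR adding uninstall logic for a new agent: the false positive from the issue.
NEW_AGENT = (
    "pub fn uninstall_pi(home: &Path) -> io::Result<()> {\n"
    '    fs::remove_file(home.join(".pi/hook.json"))\n'
    "}\n"
)
HEAD_NEW_AGENT = dict(BASE, **{"src/hooks/init.rs": INIT_RS_BASE + NEW_AGENT})
# Same PR with the per-line workaround applied.
HEAD_NOSEMGREP = dict(BASE, **{"src/hooks/init.rs": INIT_RS_BASE + NEW_AGENT.replace(
    '"))\n}', '")) // nosemgrep: filesystem-deletion\n}')})
# A deletion that really is surprising: inside a filter module.
HEAD_FILTER_DELETION = dict(BASE, **{"src/filters/redact.rs": FILTER_RS_BASE.replace(
    "    input.replace", '    std::fs::remove_dir_all("/tmp/cache").ok();\n    input.replace')})
EXCLUDE = ["src/hooks/"]

if __name__ == "__main__":
    for label, head, exc in [("new agent, no exclude", HEAD_NEW_AGENT, ()),
                             ("new agent, exclude", HEAD_NEW_AGENT, EXCLUDE),
                             ("filter deletion, exclude", HEAD_FILTER_DELETION, EXCLUDE),
                             ("new agent, nosemgrep", HEAD_NOSEMGREP, ())]:
        print(f"{label:28s} CI fails: {ci_fails(BASE, head, exc)}")
```

The four cases in `__main__` reproduce the issue's argument: without the exclude, the new `uninstall_pi` deletion is a fresh finding and the job fails; with `src/hooks/` excluded it passes while a `remove_dir_all` added to a filter module still fails; the `nosemgrep` comment silences the single line but has to be repeated in every future uninstall PR. The real semgrep baseline compares findings by a content fingerprint rather than this simple (path, text) key, so treat the model as an illustration of the rule's intent, not of semgrep's exact diffing.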
