@agentuity/coder-tui 2.0.10 → 2.0.12

package/src/agentuity-cli.ts

@@ -0,0 +1,225 @@
+const SHELL_ASSIGNMENT_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=(?:"[^"]*"|'[^']*'|\S+)$/;
+
+export const AGENTUITY_CLI_MARK = '⨺';
+
+type ToolArgsInput = string | Record<string, unknown> | undefined;
+
+export interface ToolDisplayDescriptor {
+	toolName: string;
+	toolArgs?: string;
+	fullLabel: string;
+	branded: boolean;
+}
+
+function stripShellQuotes(value: string): string {
+	if (
+		(value.startsWith('"') && value.endsWith('"')) ||
+		(value.startsWith("'") && value.endsWith("'"))
+	) {
+		return value.slice(1, -1);
+	}
+	return value;
+}
+
+function tokenizeShellLike(command: string): string[] {
+	return (command.match(/"(?:\\.|[^"])*"|'(?:\\.|[^'])*'|&&|\|\||[;|()]|[^\s;|()]+/g) ?? []).map(
+		stripShellQuotes
+	);
+}
+
+function splitShellSegments(command: string): string[] {
+	return command
+		.split(/(?:\r?\n|&&|\|\||;|\|)/)
+		.map((segment) => segment.trim())
+		.filter(Boolean);
+}
+
+function optionConsumesValue(token: string): boolean {
+	return (
+		token === '-c' ||
+		token === '-g' ||
+		token === '-h' ||
+		token === '-p' ||
+		token === '-r' ||
+		token === '-t' ||
+		token === '-u' ||
+		token === '--chdir' ||
+		token === '--config' ||
+		token === '--group' ||
+		token === '--host' ||
+		token === '--package' ||
+		token === '--registry' ||
+		token === '--user'
+	);
+}
+
+function trimShellPrefix(tokens: string[]): string[] {
+	let index = 0;
+
+	while (index < tokens.length) {
+		const token = tokens[index];
+		if (!token || token === '!' || token === '(' || token === ')') {
+			index += 1;
+			continue;
+		}
+
+		if (token === 'env' || token === 'sudo') {
+			index += 1;
+			while (tokens[index]?.startsWith('-')) {
+				const option = tokens[index] ?? '';
+				index += optionConsumesValue(option) ? 2 : 1;
+			}
+			continue;
+		}
+
+		if (SHELL_ASSIGNMENT_PATTERN.test(token)) {
+			index += 1;
+			continue;
+		}
+
+		break;
+	}
+
+	return tokens.slice(index);
+}
+
+function extractAgentuityCliRemainderFromTokens(tokens: string[]): string | null {
+	const trimmed = trimShellPrefix(tokens);
+	if (trimmed.length === 0) return null;
+
+	const first = trimmed[0]?.toLowerCase();
+	if (first === 'agentuity') {
+		return trimmed.slice(1).join(' ').trim();
+	}
+
+	if (first === 'bunx' || first === 'npx') {
+		let index = 1;
+		while (trimmed[index]?.startsWith('-')) {
+			const option = trimmed[index] ?? '';
+			index += optionConsumesValue(option) ? 2 : 1;
+		}
+		if (trimmed[index] === '@agentuity/cli') {
+			return trimmed
+				.slice(index + 1)
+				.join(' ')
+				.trim();
+		}
+	}
+
+	if (first === 'pnpm' && trimmed[1]?.toLowerCase() === 'dlx') {
+		let index = 2;
+		while (trimmed[index]?.startsWith('-')) {
+			const option = trimmed[index] ?? '';
+			index += optionConsumesValue(option) ? 2 : 1;
+		}
+		if (trimmed[index] === '@agentuity/cli') {
+			return trimmed
+				.slice(index + 1)
+				.join(' ')
+				.trim();
+		}
+	}
+
+	return null;
+}
+
+function normalizeDisplayWhitespace(value: string): string {
+	return value.replace(/\s+/g, ' ').trim();
+}
+
+function trimDisplay(value: string, max: number): string {
+	const normalized = normalizeDisplayWhitespace(value);
+	if (normalized.length <= max) return normalized;
+	return `${normalized.slice(0, max - 3)}...`;
+}
+
+function getCommandArg(rawArgs?: ToolArgsInput): string | undefined {
+	if (typeof rawArgs === 'string' && rawArgs.trim()) {
+		return rawArgs.trim();
+	}
+
+	if (!rawArgs || typeof rawArgs !== 'object') {
+		return undefined;
+	}
+
+	const value = rawArgs.command ?? rawArgs.cmd;
+	return typeof value === 'string' && value.trim() ? value.trim() : undefined;
+}
+
+function getGenericToolArgsPreview(rawArgs?: ToolArgsInput): string | undefined {
+	if (typeof rawArgs === 'string' && rawArgs.trim()) {
+		return trimDisplay(rawArgs.trim(), 60);
+	}
+
+	if (!rawArgs || typeof rawArgs !== 'object') {
+		return undefined;
+	}
+
+	if (typeof rawArgs.command === 'string' && rawArgs.command.trim()) {
+		return trimDisplay(rawArgs.command.trim(), 60);
+	}
+	if (typeof rawArgs.filePath === 'string' && rawArgs.filePath.trim()) {
+		return rawArgs.filePath.trim();
+	}
+	if (typeof rawArgs.path === 'string' && rawArgs.path.trim()) {
+		return rawArgs.path.trim();
+	}
+	if (typeof rawArgs.pattern === 'string' && rawArgs.pattern.trim()) {
+		return trimDisplay(rawArgs.pattern.trim(), 40);
+	}
+
+	const first = Object.values(rawArgs)[0];
+	if (typeof first === 'string' && first.trim()) {
+		return trimDisplay(first.trim(), 40);
+	}
+
+	return undefined;
+}
+
+function isCommandToolName(toolName: string): boolean {
+	const normalized = toolName.trim().toLowerCase();
+	return normalized === 'bash' || normalized === 'execute_command' || normalized.includes('shell');
+}
+
+export function getAgentuityCliCommandRemainder(command?: string): string | null {
+	if (!command?.trim()) return null;
+
+	for (const segment of splitShellSegments(command)) {
+		const remainder = extractAgentuityCliRemainderFromTokens(tokenizeShellLike(segment));
+		if (remainder !== null) {
+			return remainder;
+		}
+	}
+
+	return null;
+}
+
+export function formatToolDisplay(
+	toolName: string,
+	rawArgs?: ToolArgsInput
+): ToolDisplayDescriptor {
+	const normalizedToolName = normalizeDisplayWhitespace(toolName) || 'tool';
+	const command = getCommandArg(rawArgs);
+
+	if (isCommandToolName(normalizedToolName) && command) {
+		const remainder = getAgentuityCliCommandRemainder(command);
+		if (remainder !== null) {
+			const brandedToolName = `${AGENTUITY_CLI_MARK} agentuity`;
+			const toolArgs = remainder ? trimDisplay(remainder, 60) : undefined;
+			return {
+				toolName: brandedToolName,
+				toolArgs,
+				fullLabel: toolArgs ? `${brandedToolName} ${toolArgs}` : brandedToolName,
+				branded: true,
+			};
+		}
+	}
+
+	const toolArgs = getGenericToolArgsPreview(rawArgs);
+	return {
+		toolName: normalizedToolName,
+		toolArgs,
+		fullLabel: toolArgs ? `${normalizedToolName} ${toolArgs}` : normalizedToolName,
+		branded: false,
+	};
+}

package/src/auth.ts

@@ -0,0 +1,75 @@
+const API_KEY_HEADER = 'x-agentuity-auth-api-key';
+const AUTHORIZATION_HEADER = 'Authorization';
+const ORG_HEADER = 'x-agentuity-orgid';
+const DEFAULT_ORG_ID_ENV_VARS = ['AGENTUITY_ORGID', 'AGENTUITY_CLOUD_ORG_ID'] as const;
+
+function normalizeApiKey(apiKey?: string | null): string | null {
+	const trimmed = apiKey?.trim();
+	return trimmed ? trimmed : null;
+}
+
+function normalizeOrgId(orgId?: string | null): string | null {
+	const trimmed = orgId?.trim();
+	return trimmed ? trimmed : null;
+}
+
+export function resolveCoderOrgId(orgId?: string | null): string | null {
+	const explicitOrgId = normalizeOrgId(orgId);
+	if (explicitOrgId) {
+		return explicitOrgId;
+	}
+
+	for (const envName of DEFAULT_ORG_ID_ENV_VARS) {
+		const envOrgId = normalizeOrgId(process.env[envName]);
+		if (envOrgId) {
+			return envOrgId;
+		}
+	}
+
+	return null;
+}
+
+export function isHubApiKey(apiKey?: string | null): boolean {
+	const token = normalizeApiKey(apiKey);
+	return token?.startsWith('agc_') ?? false;
+}
+
+export function applyCoderAuthHeaders(
+	headers: Record<string, string>,
+	apiKey?: string | null,
+	orgId?: string | null
+): Record<string, string> {
+	const token = normalizeApiKey(apiKey);
+	const normalizedOrgId = resolveCoderOrgId(orgId);
+	const nextHeaders: Record<string, string> = { ...headers };
+	if (normalizedOrgId) {
+		nextHeaders[ORG_HEADER] = normalizedOrgId;
+	}
+	if (!token) return nextHeaders;
+
+	if (isHubApiKey(token)) {
+		nextHeaders[API_KEY_HEADER] = token;
+		return nextHeaders;
+	}
+
+	nextHeaders[AUTHORIZATION_HEADER] = `Bearer ${token}`;
+	return nextHeaders;
+}
+
+export function getCoderAuthCurlArgs(apiKey?: string | null, orgId?: string | null): string[] {
+	const token = normalizeApiKey(apiKey);
+	const args: string[] = [];
+	const normalizedOrgId = resolveCoderOrgId(orgId);
+	if (normalizedOrgId) {
+		args.push('-H', `${ORG_HEADER}: ${normalizedOrgId}`);
+	}
+	if (!token) return args;
+
+	if (isHubApiKey(token)) {
+		args.push('-H', `${API_KEY_HEADER}: ${token}`);
+		return args;
+	}
+
+	args.push('-H', `${AUTHORIZATION_HEADER}: Bearer ${token}`);
+	return args;
+}

package/src/client.ts

@@ -1,4 +1,5 @@
 import type { HubClientMessage, HubRequest, HubResponse, InitMessage } from './protocol.ts';
+import { applyCoderAuthHeaders } from './auth.ts';
 
 /** How long to wait for a response before rejecting the pending promise (ms). */
 const SEND_TIMEOUT_MS = 30_000;
@@ -67,8 +68,7 @@ export class HubClient {
 	/** Called when an unsolicited server message arrives (broadcast, presence, hydration). */
 	public onServerMessage?: (message: Record<string, unknown>) => void;
 
-	/** API key for Hub authentication (sent as x-agentuity-auth-api-key header) */
-	// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
+	/** Hub auth token from the CLI environment. */
 	public apiKey: string | null = null;
 
 	private setConnectionState(state: ConnectionState): void {
@@ -259,11 +259,11 @@ export class HubClient {
 
 	private async connectInternal(url: string, isReconnect = false): Promise<InitMessage> {
 		const wsUrl = this.buildWebSocketUrl(url);
-		// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
+		const orgId = process.env.AGENTUITY_ORGID;
 		// Bun extension: custom headers on WebSocket upgrade request
-		const ws = this.apiKey
-			? new WebSocket(wsUrl, { headers: { 'x-agentuity-auth-api-key': this.apiKey } })
-			: new WebSocket(wsUrl);
+		const headers = applyCoderAuthHeaders({}, this.apiKey, orgId);
+		const ws =
+			Object.keys(headers).length > 0 ? new WebSocket(wsUrl, { headers }) : new WebSocket(wsUrl);
 		this.ws = ws;
 
 		return new Promise((resolve, reject) => {

package/src/hub-overlay-state.ts

@@ -1,3 +1,5 @@
+import { formatToolDisplay } from './agentuity-cli.ts';
+
 export interface StreamBuffer {
 	output: string;
 	thinking: string;
@@ -78,7 +80,8 @@ export function buildProjectionFromEntries(
 		const type = typeof entry.type === 'string' ? entry.type : '';
 		if (type === 'tool_call') {
 			const toolName = typeof entry.toolName === 'string' ? entry.toolName : 'tool';
-			append('output', `[tool_call] ${toolName}\n\n`, entry.taskId);
+			const display = formatToolDisplay(toolName, entry.toolArgs);
+			append('output', `[tool_call] ${display.fullLabel}\n\n`, entry.taskId);
 			continue;
 		}
 

package/src/hub-overlay.ts

@@ -9,6 +9,8 @@ import {
 	type StreamProjection,
 	type StreamProjectionSource,
 } from './hub-overlay-state.ts';
+import { applyCoderAuthHeaders } from './auth.ts';
+import { formatToolDisplay } from './agentuity-cli.ts';
 import { truncateToWidth } from './renderers.ts';
 import type {
 	ConversationEntry as HubConversationEntry,
@@ -1155,15 +1157,18 @@ export class HubOverlay implements Component, Focusable {
 		const controller = new AbortController();
 		const timeout = setTimeout(() => controller.abort(), timeoutMs);
 		try {
-			// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
 			const apiKey = process.env.AGENTUITY_CODER_API_KEY;
-			const headers: Record<string, string> = {
-				accept: 'application/json',
-				...(init?.headers && typeof init.headers === 'object'
-					? (init.headers as Record<string, string>)
-					: {}),
-			};
-			if (apiKey) headers['x-agentuity-auth-api-key'] = apiKey;
+			const orgId = process.env.AGENTUITY_ORGID;
+			const headers = applyCoderAuthHeaders(
+				{
+					accept: 'application/json',
+					...(init?.headers && typeof init.headers === 'object'
+						? (init.headers as Record<string, string>)
+						: {}),
+				},
+				apiKey,
+				orgId
+			);
 			const signal = init?.signal
 				? AbortSignal.any([controller.signal, init.signal])
 				: controller.signal;
@@ -1764,10 +1769,9 @@ export class HubOverlay implements Component, Focusable {
 		const subscribe = mode === 'full' ? '*' : 'session_*,task_*,agent_*';
 
 		try {
-			// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
 			const apiKey = process.env.AGENTUITY_CODER_API_KEY;
-			const sseHeaders: Record<string, string> = { accept: 'text/event-stream' };
-			if (apiKey) sseHeaders['x-agentuity-auth-api-key'] = apiKey;
+			const orgId = process.env.AGENTUITY_ORGID;
+			const sseHeaders = applyCoderAuthHeaders({ accept: 'text/event-stream' }, apiKey, orgId);
 			const response = await fetch(
 				`${this.baseUrl}/api/hub/session/${encodeURIComponent(sessionId)}/events?subscribe=${encodeURIComponent(subscribe)}`,
 				{
@@ -2125,6 +2129,13 @@ export class HubOverlay implements Component, Focusable {
 						? data.toolName
 						: 'tool';
 			const input = data?.args ?? data?.input;
+			const display = formatToolDisplay(
+				name,
+				typeof input === 'string' || (input && typeof input === 'object')
+					? (input as string | Record<string, unknown>)
+					: undefined
+			);
+			if (display.branded) return `tool_call ${display.fullLabel}`;
 			const summarized = summarizeToolCall(name, input);
 			if (summarized) return summarized;
 			const argsPreview = summarizeArgs(input, 90);
@@ -2168,15 +2179,18 @@ export class HubOverlay implements Component, Focusable {
 				const failed = data?.isError === true || details?.error === true;
 				return `${header}\n${failed ? 'failed' : `done${duration}`}`;
 			}
-			return `tool_result ${name}`;
+			const display = formatToolDisplay(name, input);
+			return `tool_result ${display.toolName}`;
 		}
 
 		if (eventName === 'agent_progress') {
 			const agent = typeof data?.agentName === 'string' ? data.agentName : 'agent';
 			const status = typeof data?.status === 'string' ? data.status : 'progress';
-			const toolName = typeof data?.currentTool === 'string' ? data.currentTool : '';
+			const rawToolName = typeof data?.currentTool === 'string' ? data.currentTool : '';
 			const toolArgsRaw = typeof data?.currentToolArgs === 'string' ? data.currentToolArgs : '';
-			const toolArgs = toolArgsRaw ? truncateToWidth(normalize(toolArgsRaw), 80) : '';
+			const display = formatToolDisplay(rawToolName, toolArgsRaw || undefined);
+			const toolName = display.toolName;
+			const toolArgs = display.toolArgs ? truncateToWidth(normalize(display.toolArgs), 80) : '';
 
 			// Deltas are already represented in rendered stream mode; skip them in event mode
 			// to avoid noisy, low-signal token lines.

package/src/index.ts

@@ -1,4 +1,5 @@
-import type {
+import {
+	createBashToolDefinition,
 	AgentToolResult,
 	ExtensionAPI,
 	ExtensionContext,
@@ -21,6 +22,10 @@ import { OutputViewerOverlay, type StoredResult } from './output-viewer.ts';
 import { setNativeRemoteExtensionContext } from './native-remote-ui-context.ts';
 import { handleRemoteUiRequest } from './remote-ui-handler.ts';
 import { buildInboundRpcPromptText, getInboundRpcDeliverAs } from './inbound-rpc.ts';
+import { applyCoderAuthHeaders, getCoderAuthCurlArgs } from './auth.ts';
+import { formatToolDisplay } from './agentuity-cli.ts';
+import { adaptInitMessageForLocalTui } from './local-init-filter.ts';
+import { selectSubAgentToolNames } from './subagent-tool-selection.ts';
 import type {
 	HubAction,
 	HubResponse,
@@ -43,9 +48,8 @@ const HUB_URL_ENV = 'AGENTUITY_CODER_HUB_URL';
 const AGENT_ENV = 'AGENTUITY_CODER_AGENT';
 const REMOTE_SESSION_ENV = 'AGENTUITY_CODER_REMOTE_SESSION';
 const NATIVE_REMOTE_ENV = 'AGENTUITY_CODER_NATIVE_REMOTE';
-// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
+// Populated by `agentuity coder start` for hub bootstrap and runtime auth.
 const API_KEY_ENV = 'AGENTUITY_CODER_API_KEY';
-const API_KEY_HEADER = 'x-agentuity-auth-api-key';
 const RECONNECT_WAIT_TIMEOUT_MS = 120_000;
 
 type HubUiStatus = 'connected' | 'reconnecting' | 'offline';
@@ -84,9 +88,7 @@ const MAX_OUTPUT_LINES = 5_000;
 const PROXY_EVENTS = [
 	'session_shutdown',
 	'session_before_switch',
-	'session_switch',
 	'session_before_fork',
-	'session_fork',
 	'session_before_compact',
 	'session_compact',
 	'before_agent_start',
@@ -119,12 +121,11 @@ function log(msg: string): void {
 }
 
 /** Build headers object with API key if available. Merges with any existing headers. */
-// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
 function authHeaders(extra?: Record<string, string>): Record<string, string> {
 	const apiKey = process.env[API_KEY_ENV];
+	const orgId = process.env.AGENTUITY_ORGID;
 	const headers: Record<string, string> = { ...extra };
-	if (apiKey) headers[API_KEY_HEADER] = apiKey;
-	return headers;
+	return applyCoderAuthHeaders(headers, apiKey, orgId);
 }
 
 // ══════════════════════════════════════════════
@@ -175,9 +176,9 @@ function fetchInitMessageSync(hubUrl: string, agentRole?: string): InitMessage |
 			'node:child_process'
 		) as typeof import('node:child_process');
 		const apiKey = process.env[API_KEY_ENV];
+		const orgId = process.env.AGENTUITY_ORGID;
 		const curlArgs = ['-s', '--connect-timeout', '3', '--max-time', '5'];
-		// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
-		if (apiKey) curlArgs.push('-H', `${API_KEY_HEADER}: ${apiKey}`);
+		curlArgs.push(...getCoderAuthCurlArgs(apiKey, orgId));
 		curlArgs.push(httpUrl);
 		const result = execFileSync('curl', curlArgs, { encoding: 'utf-8' });
 
@@ -286,6 +287,7 @@ export function agentuityCoderHub(pi: ExtensionAPI) {
 	// to an existing sandbox session. The full UI is set up (tools, commands, /hub)
 	// but user input is relayed to the remote sandbox instead of the local Pi agent.
 	const remoteSessionId = process.env[REMOTE_SESSION_ENV] || null;
+	const isRemoteSession = Boolean(remoteSessionId);
 	const isNativeRemote = !!process.env[NATIVE_REMOTE_ENV];
 	if (remoteSessionId) {
 		log(`Remote mode: will connect as controller to session ${remoteSessionId}`);
@@ -301,7 +303,10 @@ export function agentuityCoderHub(pi: ExtensionAPI) {
 	// This is how we discover what tools/agents the server provides.
 	// ══════════════════════════════════════════════
 
-	const initMsg = fetchInitMessageSync(hubUrl, agentRole);
+	const initialInitMsg = fetchInitMessageSync(hubUrl, agentRole);
+	const initMsg = initialInitMsg
+		? adaptInitMessageForLocalTui(initialInitMsg, { isRemoteSession })
+		: null;
 
 	if (!initMsg) {
 		log('Hub not reachable — no tools or agents registered');
@@ -414,12 +419,23 @@ export function agentuityCoderHub(pi: ExtensionAPI) {
 	// Titlebar: branding + spinner (registers its own event handlers)
 	setupTitlebar(pi);
 
+	// Override Pi's built-in bash call-row rendering so local transcript rows
+	// can brand Agentuity CLI invocations without changing bash execution/result behavior.
+	const hasBashTool = serverTools.some((tool) => tool.name === 'bash');
+	const localBashRenderers = hasBashTool ? getToolRenderers('bash') : undefined;
+	if (hasBashTool && localBashRenderers?.renderCall) {
+		const bashToolDefinition = createBashToolDefinition(process.cwd());
+		pi.registerTool({
+			...bashToolDefinition,
+			renderCall: localBashRenderers.renderCall as ToolDefinition['renderCall'],
+		});
+	}
+
 	// ══════════════════════════════════════════════
 	// WebSocket client for runtime communication (tool execution + events)
 	// ══════════════════════════════════════════════
 
 	const client = new HubClient();
-	// TODO: Remove/Change when we get Agentuity service level auth enabled, this is just temporary
 	client.apiKey = process.env[API_KEY_ENV] || null;
 	let cachedInitMessage: InitMessage | null = initMsg;
 	let currentSessionId: string | null = initMsg.sessionId ?? null;
@@ -457,9 +473,10 @@ export function agentuityCoderHub(pi: ExtensionAPI) {
 	}
 
 	function applyInitMessage(nextInit: InitMessage): void {
-		cachedInitMessage = nextInit;
-		if (nextInit.sessionId) currentSessionId = nextInit.sessionId;
-		if (nextInit.config) hubConfig = nextInit.config;
+		const effectiveInit = adaptInitMessageForLocalTui(nextInit, { isRemoteSession });
+		cachedInitMessage = effectiveInit;
+		if (effectiveInit.sessionId) currentSessionId = effectiveInit.sessionId;
+		if (effectiveInit.config) hubConfig = effectiveInit.config;
 	}
 
 	client.onInitMessage = (nextInit) => {
@@ -1759,13 +1776,7 @@ async function runSubAgent(
 	const { piSdk, piAi } = await loadPiSdk();
 	// Runtime-resolved dynamic imports — exact types unavailable statically
 	// eslint-disable-next-line @typescript-eslint/no-explicit-any
-	const {
-		createAgentSession,
-		DefaultResourceLoader,
-		SessionManager,
-		createCodingTools,
-		createReadOnlyTools,
-	} = piSdk as any;
+	const { createAgentSession, DefaultResourceLoader, getAgentDir, SessionManager } = piSdk as any;
 	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	const { getModel } = piAi as any;
 
@@ -1787,13 +1798,16 @@ async function runSubAgent(
 	// Sub-agents get Hub tools (memory, context7, etc.) via extensionFactories
 	// so they work in both driver and TUI mode.
 	const hubTools = agentConfig.hubTools ?? [];
+	const cwd = process.cwd();
+	const agentDir = getAgentDir();
 
 	// Resource loader — no extensions (prevents recursive task tool registration),
 	// no skills, agent's system prompt injected directly.
 	// Hub tools are injected via extensionFactories so sub-agents can use
 	// memory_recall, context7_search, etc.
 	const subLoader = new DefaultResourceLoader({
-		cwd: process.cwd(),
+		cwd,
+		agentDir,
 		noExtensions: true,
 		extensionFactories:
 			hubTools.length > 0
@@ -1812,9 +1826,12 @@ async function runSubAgent(
 	});
 	await subLoader.reload();
 
-	// Select tools based on readOnly flag
-	const cwd = process.cwd();
-	const tools = agentConfig.readOnly ? createReadOnlyTools(cwd) : createCodingTools(cwd);
+	// Pi v0.68.x uses a name allowlist for both built-in and extension/custom tools.
+	const builtInToolNames = selectSubAgentToolNames(agentConfig);
+	const hubToolNames = hubTools
+		.map((tool) => (typeof tool.name === 'string' ? tool.name.trim() : ''))
+		.filter((name): name is string => name.length > 0);
+	const tools = Array.from(new Set([...builtInToolNames, ...hubToolNames]));
 
 	const { session } = await createAgentSession({
 		// subModel is already untyped (from dynamic import) — createAgentSession is also dynamically imported
@@ -1828,7 +1845,8 @@ async function runSubAgent(
 			| 'xhigh',
 		tools,
 		resourceLoader: subLoader,
-		sessionManager: SessionManager.inMemory('/tmp'),
+		// Pi now tracks cwd per session, so bind in-memory sub-agents to the actual repo cwd.
+		sessionManager: SessionManager.inMemory(cwd),
 	});
 	await session.bindExtensions({});
 
@@ -1864,25 +1882,19 @@ async function runSubAgent(
 
 					if (evt.type === 'tool_execution_start') {
 						const toolName = evt.toolName || evt.name || evt.tool || 'unknown';
-						let toolArgs = '';
-						if (evt.args && typeof evt.args === 'object') {
-							const args = evt.args as Record<string, unknown>;
-							if (args.command) toolArgs = String(args.command).slice(0, 60);
-							else if (args.filePath || args.path)
-								toolArgs = String(args.filePath || args.path);
-							else if (args.pattern) toolArgs = String(args.pattern).slice(0, 40);
-							else {
-								const first = Object.values(args)[0];
-								if (first) toolArgs = String(first).slice(0, 40);
-							}
-						}
+						const display = formatToolDisplay(
+							toolName,
+							typeof evt.args === 'string' || (evt.args && typeof evt.args === 'object')
+								? (evt.args as string | Record<string, unknown>)
+								: undefined
+						);
 
 						onProgress({
 							agentName: agentConfig.name,
 							status: 'tool_start',
 							toolCallId: typeof evt.toolCallId === 'string' ? evt.toolCallId : undefined,
-							currentTool: toolName,
-							currentToolArgs: toolArgs,
+							currentTool: display.toolName,
+							currentToolArgs: display.toolArgs,
 							elapsed,
 						});
 					} else if (evt.type === 'tool_execution_end') {