@matyah00/openpi 0.1.4 → 0.2.0

package/extensions/agent-chain.ts

@@ -1,13 +1,17 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { Type } from "@sinclair/typebox";
-import { Text } from "@mariozechner/pi-tui";
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { Type } from "typebox";
+import { Text } from "@earendil-works/pi-tui";
 import { spawn } from "child_process";
-import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync } from "fs";
+import { existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
 import { join, resolve } from "path";
+import { parse as parseYaml } from "yaml";
 import { bundledAgentsDir } from "./lib/packagePaths.ts";
+import { arrayField, parseMarkdownFrontmatter, stringField } from "./lib/markdown.ts";
+import { writeAuditLog } from "./lib/auditLogger.ts";
 
-type ChainStep = { agent: string; prompt: string };
-type ChainDef = { name: string; description: string; steps: ChainStep[] };
+type ChainStep = { agent: string; prompt: string; timeout?: number };
+type ChainDef = { name: string; description: string; steps: ChainStep[]; continueOnError?: boolean };
 type AgentDef = { name: string; description: string; tools: string; systemPrompt: string };
 type StepState = { agent: string; status: "pending" | "running" | "done" | "error"; elapsed: number; lastWork: string };
 
@@ -16,57 +20,53 @@ function displayName(name: string): string {
 }
 
 function parseChainYaml(raw: string): ChainDef[] {
-  const chains: ChainDef[] = [];
-  let current: ChainDef | null = null;
-  let currentStep: ChainStep | null = null;
-
-  for (const line of raw.split("\n")) {
-    const chainMatch = line.match(/^(\S[^:]*):$/);
-    if (chainMatch) {
-      if (current && currentStep) current.steps.push(currentStep);
-      current = { name: chainMatch[1].trim(), description: "", steps: [] };
-      currentStep = null;
-      chains.push(current);
-      continue;
-    }
-    const descMatch = line.match(/^\s+description:\s+(.+)$/);
-    if (descMatch && current && !currentStep) {
-      current.description = descMatch[1].trim().replace(/^["']|["']$/g, "");
-      continue;
-    }
-    const agentMatch = line.match(/^\s+-\s+agent:\s+(.+)$/);
-    if (agentMatch && current) {
-      if (currentStep) current.steps.push(currentStep);
-      currentStep = { agent: agentMatch[1].trim(), prompt: "" };
-      continue;
-    }
-    const promptMatch = line.match(/^\s+prompt:\s+(.+)$/);
-    if (promptMatch && currentStep) {
-      currentStep.prompt = promptMatch[1].trim().replace(/^["']|["']$/g, "").replace(/\\n/g, "\n");
-    }
-  }
-  if (current && currentStep) current.steps.push(currentStep);
-  return chains;
+  const parsed = parseYaml(raw);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
+
+  return Object.entries(parsed as Record<string, unknown>).flatMap(([name, value]) => {
+    if (!value || typeof value !== "object" || Array.isArray(value)) return [];
+    const chain = value as { description?: unknown; steps?: unknown; continueOnError?: unknown };
+    if (!Array.isArray(chain.steps)) return [];
+    const steps = chain.steps.flatMap((step): ChainStep[] => {
+      if (!step || typeof step !== "object" || Array.isArray(step)) return [];
+      const item = step as { agent?: unknown; prompt?: unknown; timeout?: unknown };
+      if (typeof item.agent !== "string" || typeof item.prompt !== "string") return [];
+      return [{
+        agent: item.agent,
+        prompt: item.prompt,
+        timeout: typeof item.timeout === "number" ? item.timeout : undefined,
+      }];
+    });
+    if (!steps.length) return [];
+    return [{
+      name,
+      description: typeof chain.description === "string" ? chain.description : "",
+      steps,
+      continueOnError: typeof chain.continueOnError === "boolean" ? chain.continueOnError : undefined,
+    }];
+  });
 }
 
 function parseAgentFile(filePath: string): AgentDef | null {
   const raw = readFileSync(filePath, "utf-8");
-  const match = raw.match(/^---\s*\n([\s\S]*?)\n---\s*\n([\s\S]*)$/);
-  if (!match) return null;
-  const frontmatter: Record<string, string> = {};
-  for (const line of match[1].split("\n")) {
-    const idx = line.indexOf(":");
-    if (idx > 0) frontmatter[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
-  }
-  if (!frontmatter.name) return null;
+  const { frontmatter, body } = parseMarkdownFrontmatter(raw);
+  const name = stringField(frontmatter.name);
+  if (!name) return null;
   return {
-    name: frontmatter.name,
-    description: frontmatter.description || "",
-    tools: frontmatter.tools || "read,grep,find,ls",
-    systemPrompt: match[2].trim(),
+    name,
+    description: stringField(frontmatter.description),
+    tools: arrayField(frontmatter.tools).join(",") || "read,grep,find,ls",
+    systemPrompt: body,
   };
 }
 
+function writeSystemPromptFile(agentName: string, systemPrompt: string): { dir: string; filePath: string } {
+  const dir = mkdtempSync(join(tmpdir(), "openpi-chain-"));
+  const filePath = join(dir, `system-${agentName.replace(/[^\w.-]+/g, "_")}.md`);
+  writeFileSync(filePath, systemPrompt, { encoding: "utf-8", mode: 0o600 });
+  return { dir, filePath };
+}
+
 function scanAgentDirs(cwd: string): Map<string, AgentDef> {
   const dirs = [join(cwd, ".pi", "agents"), join(cwd, "agents"), bundledAgentsDir];
   const agents = new Map<string, AgentDef>();
@@ -121,17 +121,24 @@ export default function (pi: ExtensionAPI) {
     }));
   }
 
-  function runAgent(agentDef: AgentDef, task: string, stepIndex: number, ctx: any): Promise<{ output: string; exitCode: number; elapsed: number }> {
+  function runAgent(
+    agentDef: AgentDef,
+    task: string,
+    stepIndex: number,
+    timeoutSecs: number | undefined,
+    ctx: any,
+  ): Promise<{ output: string; exitCode: number; elapsed: number }> {
     const model = ctx.model ? `${ctx.model.provider}/${ctx.model.id}` : "";
     const agentKey = agentDef.name.toLowerCase().replace(/\s+/g, "-");
     const agentSessionFile = join(sessionDir, `chain-${agentKey}.json`);
+    const systemPrompt = writeSystemPromptFile(agentKey, agentDef.systemPrompt);
     const args = [
       "--mode", "json",
       "-p",
       "--no-extensions",
       "--tools", agentDef.tools,
       "--thinking", "off",
-      "--append-system-prompt", agentDef.systemPrompt,
+      "--append-system-prompt", systemPrompt.filePath,
       "--session", agentSessionFile,
     ];
     if (model) args.splice(4, 0, "--model", model);
@@ -142,8 +149,21 @@ export default function (pi: ExtensionAPI) {
     const start = Date.now();
     const chunks: string[] = [];
 
+    const timeoutMs = timeoutSecs ? timeoutSecs * 1000 : 120000;
+
     return new Promise((resolveDone) => {
+      const cleanupPrompt = () => rmSync(systemPrompt.dir, { recursive: true, force: true });
       const proc = spawn("pi", args, { stdio: ["ignore", "pipe", "pipe"], env: { ...process.env } });
+
+      let killed = false;
+      const killTimer = setTimeout(() => {
+        killed = true;
+        proc.kill("SIGTERM");
+        setTimeout(() => {
+          if (proc.exitCode === null) proc.kill("SIGKILL");
+        }, 2000);
+      }, timeoutMs);
+
       const timer = setInterval(() => {
         state.elapsed = Date.now() - start;
         updateWidget();
@@ -170,13 +190,19 @@ export default function (pi: ExtensionAPI) {
       proc.stderr!.setEncoding("utf-8");
       proc.stderr!.on("data", () => {});
       proc.on("close", (code) => {
+        clearTimeout(killTimer);
         clearInterval(timer);
+        cleanupPrompt();
         state.elapsed = Date.now() - start;
         if (code === 0) agentSessions.set(agentKey, agentSessionFile);
-        resolveDone({ output: chunks.join(""), exitCode: code ?? 1, elapsed: state.elapsed });
+        const exitCode = killed ? 124 : (code ?? 1);
+        const finalOutput = killed ? `${chunks.join("")}\n\n[Agent timeout after ${timeoutSecs}s]` : chunks.join("");
+        resolveDone({ output: finalOutput, exitCode, elapsed: state.elapsed });
       });
       proc.on("error", (error) => {
+        clearTimeout(killTimer);
         clearInterval(timer);
+        cleanupPrompt();
         resolveDone({ output: `Error spawning agent: ${error.message}`, exitCode: 1, elapsed: Date.now() - start });
       });
     });
@@ -190,28 +216,89 @@ export default function (pi: ExtensionAPI) {
 
     let input = task;
     const original = task;
+    const outputs: string[] = [];
+
     for (let i = 0; i < activeChain.steps.length; i++) {
       const step = activeChain.steps[i];
       stepStates[i].status = "running";
       updateWidget();
 
-      const prompt = step.prompt.replace(/\$INPUT/g, input).replace(/\$ORIGINAL/g, original);
+      let prompt = step.prompt.replace(/\$INPUT/g, input).replace(/\$ORIGINAL/g, original);
+      // Replace $STEP_N references
+      prompt = prompt.replace(/\$STEP_(\d+)/g, (match, numStr) => {
+        const num = parseInt(numStr, 10);
+        if (num > 0 && num <= outputs.length) {
+          return outputs[num - 1];
+        }
+        return match;
+      });
+
       const agentDef = allAgents.get(step.agent.toLowerCase());
       if (!agentDef) {
         stepStates[i].status = "error";
-        return { output: `Agent "${step.agent}" not found`, success: false, elapsed: Date.now() - start };
+        const errResult = { output: `Agent "${step.agent}" not found`, success: false, elapsed: Date.now() - start };
+        writeAuditLog(ctx.cwd, {
+          type: "chain_run",
+          name: activeChain.name,
+          task,
+          input: task,
+          output: errResult.output,
+          exitCode: 1,
+          elapsedMs: errResult.elapsed,
+          metadata: { stepsCount: activeChain.steps.length, success: false, error: "agent_not_found" }
+        });
+        return errResult;
       }
 
-      const result = await runAgent(agentDef, prompt, i, ctx);
+      const result = await runAgent(agentDef, prompt, i, step.timeout, ctx);
+      writeAuditLog(ctx.cwd, {
+        type: "chain_step",
+        name: `${activeChain.name}:${step.agent}`,
+        task: prompt,
+        input: input,
+        output: result.output,
+        exitCode: result.exitCode,
+        elapsedMs: result.elapsed,
+        metadata: { stepIndex: i, chainName: activeChain.name, agent: step.agent }
+      });
+
       if (result.exitCode !== 0) {
         stepStates[i].status = "error";
-        return { output: result.output, success: false, elapsed: Date.now() - start };
+        if (activeChain.continueOnError) {
+          outputs.push("");
+          updateWidget();
+          continue;
+        }
+        const errResult = { output: result.output, success: false, elapsed: Date.now() - start };
+        writeAuditLog(ctx.cwd, {
+          type: "chain_run",
+          name: activeChain.name,
+          task,
+          input: task,
+          output: errResult.output,
+          exitCode: 1,
+          elapsedMs: errResult.elapsed,
+          metadata: { stepsCount: activeChain.steps.length, success: false, error: "step_failed", failedStep: step.agent }
+        });
+        return errResult;
       }
       stepStates[i].status = "done";
       input = result.output;
+      outputs.push(result.output);
       updateWidget();
     }
-    return { output: input, success: true, elapsed: Date.now() - start };
+    const finalResult = { output: input, success: true, elapsed: Date.now() - start };
+    writeAuditLog(ctx.cwd, {
+      type: "chain_run",
+      name: activeChain.name,
+      task,
+      input: task,
+      output: finalResult.output,
+      exitCode: 0,
+      elapsedMs: finalResult.elapsed,
+      metadata: { stepsCount: activeChain.steps.length, success: true }
+    });
+    return finalResult;
   }
 
   pi.registerTool({

package/extensions/agent-team.ts

@@ -1,10 +1,14 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { Type } from "@sinclair/typebox";
-import { Text } from "@mariozechner/pi-tui";
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { Type } from "typebox";
+import { Text } from "@earendil-works/pi-tui";
 import { spawn } from "child_process";
-import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync } from "fs";
+import { existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
 import { join, resolve } from "path";
+import { parse as parseYaml } from "yaml";
 import { bundledAgentsDir } from "./lib/packagePaths.ts";
+import { arrayField, parseMarkdownFrontmatter, stringField } from "./lib/markdown.ts";
+import { writeAuditLog } from "./lib/auditLogger.ts";
 
 type AgentDef = {
   name: string;
@@ -28,42 +32,39 @@ function displayName(name: string): string {
 }
 
 function parseTeamsYaml(raw: string): Record<string, string[]> {
+  const parsed = parseYaml(raw);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return {};
+
   const teams: Record<string, string[]> = {};
-  let current: string | null = null;
-  for (const line of raw.split("\n")) {
-    const teamMatch = line.match(/^(\S[^:]*):$/);
-    if (teamMatch) {
-      current = teamMatch[1].trim();
-      teams[current] = [];
-      continue;
-    }
-    const itemMatch = line.match(/^\s+-\s+(.+)$/);
-    if (itemMatch && current) teams[current].push(itemMatch[1].trim());
+  for (const [name, members] of Object.entries(parsed as Record<string, unknown>)) {
+    if (!Array.isArray(members)) continue;
+    teams[name] = members.filter((member): member is string => typeof member === "string");
   }
   return teams;
 }
 
 function parseAgentFile(filePath: string): AgentDef | null {
   const raw = readFileSync(filePath, "utf-8");
-  const match = raw.match(/^---\s*\n([\s\S]*?)\n---\s*\n([\s\S]*)$/);
-  if (!match) return null;
-
-  const frontmatter: Record<string, string> = {};
-  for (const line of match[1].split("\n")) {
-    const idx = line.indexOf(":");
-    if (idx > 0) frontmatter[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
-  }
-  if (!frontmatter.name) return null;
+  const { frontmatter, body } = parseMarkdownFrontmatter(raw);
+  const name = stringField(frontmatter.name);
+  if (!name) return null;
 
   return {
-    name: frontmatter.name,
-    description: frontmatter.description || "",
-    tools: frontmatter.tools || "read,grep,find,ls",
-    systemPrompt: match[2].trim(),
+    name,
+    description: stringField(frontmatter.description),
+    tools: arrayField(frontmatter.tools).join(",") || "read,grep,find,ls",
+    systemPrompt: body,
     file: filePath,
   };
 }
 
+function writeSystemPromptFile(agentKey: string, systemPrompt: string): { dir: string; filePath: string } {
+  const dir = mkdtempSync(join(tmpdir(), "openpi-team-"));
+  const filePath = join(dir, `system-${agentKey.replace(/[^\w.-]+/g, "_")}.md`);
+  writeFileSync(filePath, systemPrompt, { encoding: "utf-8", mode: 0o600 });
+  return { dir, filePath };
+}
+
 function scanAgentDirs(cwd: string): AgentDef[] {
   const dirs = [join(cwd, ".pi", "agents"), join(cwd, "agents"), bundledAgentsDir];
   const agents: AgentDef[] = [];
@@ -161,13 +162,14 @@ export default function (pi: ExtensionAPI) {
     const model = ctx.model ? `${ctx.model.provider}/${ctx.model.id}` : "";
     const agentKey = state.def.name.toLowerCase().replace(/\s+/g, "-");
     const agentSessionFile = join(sessionDir, `${agentKey}.json`);
+    const systemPrompt = writeSystemPromptFile(agentKey, state.def.systemPrompt);
     const args = [
       "--mode", "json",
       "-p",
       "--no-extensions",
       "--tools", state.def.tools,
       "--thinking", "off",
-      "--append-system-prompt", state.def.systemPrompt,
+      "--append-system-prompt", systemPrompt.filePath,
       "--session", agentSessionFile,
     ];
     if (model) args.splice(4, 0, "--model", model);
@@ -178,6 +180,7 @@ export default function (pi: ExtensionAPI) {
     const chunks: string[] = [];
 
     return new Promise((resolveDone) => {
+      const cleanupPrompt = () => rmSync(systemPrompt.dir, { recursive: true, force: true });
       const proc = spawn("pi", args, { stdio: ["ignore", "pipe", "pipe"], env: { ...process.env } });
       const timer = setInterval(() => {
         state.elapsed = Date.now() - start;
@@ -206,6 +209,7 @@ export default function (pi: ExtensionAPI) {
       proc.stderr!.on("data", () => {});
       proc.on("close", (code) => {
         clearInterval(timer);
+        cleanupPrompt();
         state.elapsed = Date.now() - start;
         state.status = code === 0 ? "done" : "error";
         if (code === 0) state.sessionFile = agentSessionFile;
@@ -214,6 +218,7 @@ export default function (pi: ExtensionAPI) {
       });
       proc.on("error", (error) => {
         clearInterval(timer);
+        cleanupPrompt();
         state.status = "error";
         state.lastWork = error.message;
         updateWidget();
@@ -234,6 +239,16 @@ export default function (pi: ExtensionAPI) {
       const { agent, task } = params as { agent: string; task: string };
       onUpdate?.({ content: [{ type: "text", text: `Dispatching to ${agent}...` }], details: { agent, task, status: "running" } });
       const result = await dispatchAgent(agent, task, ctx);
+      writeAuditLog(ctx.cwd, {
+        type: "team_agent",
+        name: agent,
+        task: task,
+        input: task,
+        output: result.output,
+        exitCode: result.exitCode,
+        elapsedMs: result.elapsed,
+        metadata: { teamName: activeTeamName }
+      });
       const text = result.output.length > 8000 ? `${result.output.slice(0, 8000)}\n\n... [truncated]` : result.output;
       return {
         content: [{ type: "text", text: `[${agent}] ${result.exitCode === 0 ? "done" : "error"} in ${Math.round(result.elapsed / 1000)}s\n\n${text}` }],

package/extensions/audit-tools.ts

@@ -31,6 +31,19 @@ const SECRET_PATTERNS = [
   ["sendgrid-key", /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g],
   ["private-key", /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g],
   ["jwt-like-token", /eyJ[A-Za-z0-9_-]{40,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g],
+  // New patterns
+  ["supabase-key", /sbp_[a-f0-9]{40}/g],
+  ["twilio-sid", /AC[a-f0-9]{32}/g],
+  ["twilio-auth", /SK[a-f0-9]{32}/g],
+  ["mailgun-key", /key-[a-zA-Z0-9]{32}/g],
+  ["slack-webhook", /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[a-zA-Z0-9]+/g],
+  ["digitalocean-token", /dop_v1_[a-f0-9]{64}/g],
+  ["databricks-token", /dapi[a-f0-9]{32}/g],
+  ["openai-key", /sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}/g],
+  ["anthropic-key", /sk-ant-[a-zA-Z0-9_-]{90,}/g],
+  ["azure-connection-string", /DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[^;]+/g],
+  ["vercel-token", /vercel_[A-Za-z0-9_-]{24,}/g],
+  ["hashicorp-vault-token", /hvs\.[A-Za-z0-9_-]{24,}/g],
 ] as const;
 
 const GHOST_PATTERNS = [
@@ -38,6 +51,30 @@ const GHOST_PATTERNS = [
   ["exit-bypass", /sys\.exit\s*\(\s*0\s*\)|os\._exit\s*\(\s*0\s*\)|process\.exit\s*\(\s*0\s*\)/g],
   ["pytest-report-patch", /TestReport\.from_item_and_call|pytest_runtest_makereport|monkeypatch.*TestReport/g],
   ["assertion-monkeypatch", /expect\s*=\s*jest\.fn|assert\s*=\s*lambda|monkeypatch.*assert/g],
+  // New patterns
+  ["empty-test-body", /it\s*\(\s*['"][^'"]*['"]\s*,\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)|def\s+test_\w+\s*\([^)]*\)\s*:\s*\n\s*pass\b/g],
+  ["catch-all-swallow", /catch\s*\([^)]*\)\s*\{\s*\}|except\s*:\s*\n\s*pass\b/g],
+  ["self-comparison", /expect\s*\(\s*(\w+)\s*\)\s*\.toBe\s*\(\s*\1\s*\)|assert\s+(\w+)\s*==\s*\2\b/g],
+  ["disabled-tests", /\bxit\s*\(|\bxdescribe\s*\(|\bxtest\s*\(|@pytest\.mark\.skip(?!\(reason)|\.skip\s*\(\s*\)/g],
+  ["console-only-validation", /(?:it|test)\s*\([^)]*\)\s*(?:=>|{)[\s\S]{0,200}console\.\w+[\s\S]{0,50}(?:\}|\))\s*(?:;|\n)(?![\s\S]{0,50}(?:expect|assert|should))/g],
+  ["unreachable-assertion", /\breturn\b[\s\S]{0,20}\n\s*(?:expect|assert)\b/g],
+  ["mock-everything", /jest\.mock\s*\(\s*['"]\.\.?\//g],
+  ["timeout-zero", /setTimeout\s*\(\s*(?:done|resolve|callback)\s*,\s*0\s*\)/g],
+] as const;
+
+const SAST_PATTERNS = [
+  ["eval-usage", /\beval\s*\(/g],
+  ["function-constructor", /new\s+Function\s*\(/g],
+  ["child-process-exec", /child_process.*\.exec\s*\(|exec\s*\(\s*`/g],
+  ["sql-concat", /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[\s\S]{0,80}\$\{|['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[\s\S]{0,80}\+\s*\w/g],
+  ["innerhtml-assign", /\.innerHTML\s*=\s*(?!['"`]<)/g],
+  ["dangerous-react", /dangerouslySetInnerHTML/g],
+  ["path-traversal", /\.\.\/|\.\.\\|req\.\w+\.\w+.*(?:readFile|writeFile|createReadStream|path\.join|path\.resolve)/g],
+  ["prototype-pollution", /\[['"`]__proto__['"`]\]|\[['"`]constructor['"`]\]|\[['"`]prototype['"`]\]/g],
+  ["ssrf-pattern", /fetch\s*\(\s*(?:req\.|request\.|params\.|query\.)|axios\.\w+\s*\(\s*(?:req\.|request\.|params\.|query\.)/g],
+  ["hardcoded-secret-assign", /(?:password|secret|apiKey|api_key|token|auth)\s*[:=]\s*['"][^'"]{8,}['"]/g],
+  ["unvalidated-redirect", /res\.redirect\s*\(\s*req\.|response\.redirect\s*\(\s*request\./g],
+  ["cors-wildcard", /(?:Access-Control-Allow-Origin|origin)\s*[:=]\s*['"]\*['"]/g],
 ] as const;
 
 function walkFiles(root: string, maxFiles: number): string[] {
@@ -103,17 +140,64 @@ function detectFrameworks(root: string): string[] {
       if (deps.react) found.add("React");
       if (deps.vite) found.add("Vite");
       if (deps["@sveltejs/kit"]) found.add("SvelteKit");
+      if (deps.svelte) found.add("Svelte");
       if (deps.vue) found.add("Vue");
       if (deps.express) found.add("Express");
       if (deps.vitest) found.add("Vitest");
       if (deps.jest) found.add("Jest");
       if (deps.typescript) found.add("TypeScript");
+      // New framework detections
+      if (deps.astro) found.add("Astro");
+      if (deps["@remix-run/node"] || deps["@remix-run/react"]) found.add("Remix");
+      if (deps.nuxt) found.add("Nuxt");
+      if (deps["@angular/core"]) found.add("Angular");
+      if (deps["@nestjs/core"]) found.add("NestJS");
+      if (deps.fastify) found.add("Fastify");
+      if (deps.hono) found.add("Hono");
+      if (deps.elysia) found.add("Elysia");
+      if (deps.prisma || deps["@prisma/client"]) found.add("Prisma");
+      if (deps["drizzle-orm"]) found.add("Drizzle");
+      if (deps["@trpc/server"]) found.add("tRPC");
+      if (deps.graphql || deps["@apollo/server"]) found.add("GraphQL");
+      if (deps.tailwindcss) found.add("Tailwind CSS");
+      if (deps.playwright || deps["@playwright/test"]) found.add("Playwright");
+      if (deps.cypress) found.add("Cypress");
+      if (deps.storybook || deps["@storybook/react"]) found.add("Storybook");
+      if (deps.turborepo || deps.turbo) found.add("Turborepo");
+      if (deps.electron) found.add("Electron");
+      if (deps["react-native"]) found.add("React Native");
+      if (deps.expo) found.add("Expo");
     }
   }
-  if (fs.existsSync(path.join(root, "pyproject.toml")) || fs.existsSync(path.join(root, "requirements.txt"))) found.add("Python");
+  if (fs.existsSync(path.join(root, "pyproject.toml")) || fs.existsSync(path.join(root, "requirements.txt"))) {
+    found.add("Python");
+    const pyReqs = readSmallText(path.join(root, "requirements.txt"));
+    const pyProject = readSmallText(path.join(root, "pyproject.toml"));
+    const pyContent = (pyReqs || "") + (pyProject || "");
+    if (pyContent.includes("fastapi") || pyContent.includes("FastAPI")) found.add("FastAPI");
+    if (pyContent.includes("django") || pyContent.includes("Django")) found.add("Django");
+    if (pyContent.includes("flask") || pyContent.includes("Flask")) found.add("Flask");
+    if (pyContent.includes("pytest")) found.add("pytest");
+  }
   if (fs.existsSync(path.join(root, "Cargo.toml"))) found.add("Rust");
   if (fs.existsSync(path.join(root, "go.mod"))) found.add("Go");
   if (fs.existsSync(path.join(root, "Dockerfile"))) found.add("Docker");
+  if (fs.existsSync(path.join(root, "Gemfile"))) {
+    found.add("Ruby");
+    const gemfile = readSmallText(path.join(root, "Gemfile"));
+    if (gemfile?.includes("rails")) found.add("Rails");
+  }
+  if (fs.existsSync(path.join(root, "mix.exs"))) {
+    found.add("Elixir");
+    const mix = readSmallText(path.join(root, "mix.exs"));
+    if (mix?.includes("phoenix")) found.add("Phoenix");
+  }
+  if (fs.existsSync(path.join(root, "pom.xml")) || fs.existsSync(path.join(root, "build.gradle"))) {
+    found.add("Java");
+    const pom = readSmallText(path.join(root, "pom.xml")) || "";
+    const gradle = readSmallText(path.join(root, "build.gradle")) || "";
+    if (pom.includes("spring-boot") || gradle.includes("spring-boot")) found.add("Spring Boot");
+  }
   return Array.from(found);
 }
 
@@ -131,7 +215,7 @@ function dependencyInventory(root: string): string {
       if (loose.length) sections.push(`Loose pins: ${loose.slice(0, 20).map(([name, version]) => `${name}@${version}`).join(", ")}${loose.length > 20 ? `, +${loose.length - 20} more` : ""}`);
     }
   }
-  for (const file of ["requirements.txt", "pyproject.toml", "Cargo.toml", "go.mod", "Gemfile"]) {
+  for (const file of ["requirements.txt", "pyproject.toml", "Cargo.toml", "go.mod", "Gemfile", "mix.exs", "pom.xml", "build.gradle"]) {
     if (fs.existsSync(path.join(root, file))) sections.push(`Manifest: ${file}`);
   }
   return sections.join("\n") || "No common dependency manifests found.";
@@ -179,7 +263,7 @@ export default function auditToolsExtension(pi: ExtensionAPI) {
   pi.registerTool({
     name: "secret_scan",
     label: "Secret Scan",
-    description: "Read-only high-signal secret scan with redacted findings.",
+    description: "Read-only high-signal secret scan with redacted findings. Detects 22 secret patterns including cloud provider keys, API tokens, and private keys.",
     promptSnippet: "Use secret_scan before shipping, importing external files, or touching credentials.",
     parameters: Type.Object({
       maxFiles: Type.Optional(Type.Number({ description: "Maximum files to scan. Default 5000." })),
@@ -202,7 +286,7 @@ export default function auditToolsExtension(pi: ExtensionAPI) {
       const envGitignored = !fs.existsSync(path.join(ctx.cwd, ".env")) || (readSmallText(path.join(ctx.cwd, ".gitignore")) || "").includes(".env");
       const verdict = findings.length ? "BLOCKED" : "CLEAN";
       return {
-        content: [{ type: "text", text: [`secret_scan verdict: ${verdict}`, `.env gitignored: ${envGitignored ? "yes" : "no"}`, "", ...(findings.length ? findings : ["No high-signal secrets found."])].join("\n") }],
+        content: [{ type: "text", text: [`secret_scan verdict: ${verdict}`, `patterns: ${SECRET_PATTERNS.length}`, `files scanned: ${files.length}`, `.env gitignored: ${envGitignored ? "yes" : "no"}`, "", ...(findings.length ? findings : ["No high-signal secrets found."])].join("\n") }],
         details: { findings },
       };
     },
@@ -214,7 +298,7 @@ export default function auditToolsExtension(pi: ExtensionAPI) {
   pi.registerTool({
     name: "ghost_test_scan",
     label: "Ghost Test Scan",
-    description: "Static scan for test-suite reward hacking patterns such as always-true equality, exit bypasses, and framework patching.",
+    description: "Static scan for test-suite reward hacking patterns: always-true equality, exit bypasses, empty test bodies, disabled tests, self-comparisons, and framework patching.",
     promptSnippet: "Use ghost_test_scan when validating test integrity before trusting green tests.",
     parameters: Type.Object({
       maxFiles: Type.Optional(Type.Number({ description: "Maximum files to scan. Default 3000." })),
@@ -235,7 +319,7 @@ export default function auditToolsExtension(pi: ExtensionAPI) {
         }
       }
       return {
-        content: [{ type: "text", text: [`ghost_test_scan verdict: ${findings.length ? "SUSPICIOUS" : "CLEAN"}`, `files scanned: ${files.length}`, "", ...(findings.length ? findings : ["No static reward-hack patterns found."])].join("\n") }],
+        content: [{ type: "text", text: [`ghost_test_scan verdict: ${findings.length ? "SUSPICIOUS" : "CLEAN"}`, `patterns: ${GHOST_PATTERNS.length}`, `files scanned: ${files.length}`, "", ...(findings.length ? findings : ["No static reward-hack patterns found."])].join("\n") }],
         details: { findings },
       };
     },
@@ -257,4 +341,39 @@ export default function auditToolsExtension(pi: ExtensionAPI) {
       return new Text(theme.fg("toolTitle", theme.bold("dependency_inventory")), 0, 0);
     },
   });
+
+  pi.registerTool({
+    name: "sast_scan",
+    label: "SAST Scan",
+    description: "Static application security testing: detects eval(), SQL injection, prototype pollution, SSRF, XSS, unvalidated redirects, CORS wildcards, and hardcoded secrets in code.",
+    promptSnippet: "Use sast_scan to detect dangerous code patterns before shipping or reviewing external contributions.",
+    parameters: Type.Object({
+      maxFiles: Type.Optional(Type.Number({ description: "Maximum files to scan. Default 5000." })),
+    }),
+    async execute(_toolCallId, params, _signal, _onUpdate, ctx) {
+      const maxFiles = Math.max(100, Math.min(Number(params.maxFiles ?? 5000), 20000));
+      const codeExts = /\.(ts|tsx|js|jsx|mjs|cjs|py|rb|go|rs|java|php)$/i;
+      const files = walkFiles(ctx.cwd, maxFiles).filter((file) => codeExts.test(file));
+      const findings: string[] = [];
+      for (const file of files) {
+        const content = readSmallText(file);
+        if (!content) continue;
+        for (const [rule, pattern] of SAST_PATTERNS) {
+          pattern.lastIndex = 0;
+          let match: RegExpExecArray | null;
+          while ((match = pattern.exec(content))) {
+            findings.push(`${relative(ctx.cwd, file)}:${lineOf(content, match.index)} ${rule}`);
+          }
+        }
+      }
+      const severity = findings.some((f) => /eval-usage|sql-concat|child-process-exec|prototype-pollution/.test(f)) ? "HIGH" : findings.length ? "MEDIUM" : "CLEAN";
+      return {
+        content: [{ type: "text", text: [`sast_scan verdict: ${severity}`, `patterns: ${SAST_PATTERNS.length}`, `files scanned: ${files.length}`, "", ...(findings.length ? findings : ["No dangerous code patterns found."])].join("\n") }],
+        details: { findings, severity },
+      };
+    },
+    renderCall(_args, theme) {
+      return new Text(theme.fg("toolTitle", theme.bold("sast_scan")), 0, 0);
+    },
+  });
 }

package/extensions/damage-control-continue.ts

@@ -12,8 +12,8 @@
  * Usage: pi -e extensions/damage-control-continue.ts
  */
 
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { isToolCallEventType } from "@earendil-works/pi-coding-agent";
 import { parse as yamlParse } from "yaml";
 import * as fs from "fs";
 import * as path from "path";