@oh-my-pi/pi-coding-agent 14.2.0 → 14.3.0

package/src/tools/path-utils.ts

@@ -193,6 +193,7 @@ export interface ResolvedMultiSearchPath {
 	basePath: string;
 	glob?: string;
 	scopePath: string;
+	exactFilePaths?: string[];
 }
 
 export interface ResolvedMultiFindPattern {
@@ -438,6 +439,28 @@ async function areDelimitedTokensResolvable(
 	return true;
 }
 
+async function filterResolvableTokens(
+	tokens: string[],
+	cwd: string,
+	parseBasePath: (value: string) => string,
+): Promise<string[]> {
+	const out: string[] = [];
+	for (const token of tokens) {
+		if (TOP_LEVEL_INTERNAL_URL_PREFIXES.some(prefix => token.startsWith(prefix))) continue;
+		const basePath = parseBasePath(token);
+		const resolvedBasePath = resolveToCwd(basePath, cwd);
+		if (await pathExists(resolvedBasePath)) {
+			out.push(token);
+			continue;
+		}
+		const resolvedExactPath = resolveToCwd(token, cwd);
+		if (await pathExists(resolvedExactPath)) {
+			out.push(token);
+		}
+	}
+	return out;
+}
+
 async function splitDelimitedSearchInput(
 	rawInput: string,
 	cwd: string,
@@ -452,8 +475,11 @@ async function splitDelimitedSearchInput(
 	}
 
 	const commaSeparated = splitTopLevel(trimmed, "comma");
-	if (commaSeparated.length > 1 && (await areDelimitedTokensResolvable(commaSeparated, cwd, parseBasePath, true))) {
-		return [...new Set(commaSeparated)];
+	if (commaSeparated.length > 1) {
+		const resolvable = await filterResolvableTokens(commaSeparated, cwd, parseBasePath);
+		if (resolvable.length >= 1) {
+			return [...new Set(resolvable)];
+		}
 	}
 
 	const whitespaceSeparated = splitTopLevel(trimmed, "whitespace");
@@ -473,7 +499,7 @@ export async function resolveMultiSearchPath(
 	suffixGlob?: string,
 ): Promise<ResolvedMultiSearchPath | undefined> {
 	const pathItems = await splitDelimitedSearchInput(rawPath, cwd, value => parseSearchPath(value).basePath);
-	if (!pathItems || pathItems.length <= 1) {
+	if (!pathItems || pathItems.length < 1) {
 		return undefined;
 	}
 
@@ -486,6 +512,7 @@ export async function resolveMultiSearchPath(
 		}),
 	);
 
+	const allExactFiles = !suffixGlob && parsedItems.every(item => !item.parsedPath.glob && item.stat.isFile());
 	const commonBasePath = findCommonBasePath(parsedItems.map(item => item.absoluteBasePath));
 	const combinedPatterns = parsedItems.map(item => {
 		const relativeBasePath = normalizePosixPath(path.relative(commonBasePath, item.absoluteBasePath)) || ".";
@@ -507,6 +534,7 @@ export async function resolveMultiSearchPath(
 		basePath: commonBasePath,
 		glob: buildBraceUnion(combinedPatterns),
 		scopePath: toScopeDisplay(pathItems),
+		exactFilePaths: allExactFiles ? parsedItems.map(item => item.absoluteBasePath) : undefined,
 	};
 }
 

package/src/tools/resolve.ts

@@ -23,6 +23,7 @@ export interface ResolveToolDetails {
 	reason: string;
 	sourceToolName?: string;
 	label?: string;
+	sourceResultDetails?: unknown;
 }
 
 function resolveReasonPreview(reason?: string): string | undefined {
@@ -67,14 +68,21 @@ export function queueResolveHandler(
 		onRejected: () => "requeue",
 		onInvoked: async (input: unknown) => {
 			const params = input as ResolveParams;
+			const withResolveDetails = (result: AgentToolResult<unknown>): AgentToolResult<ResolveToolDetails> => ({
+				...result,
+				details: {
+					...detailsFor(params),
+					...(result.details != null ? { sourceResultDetails: result.details } : {}),
+				},
+			});
 			if (params.action === "apply") {
 				const result = await options.apply(params.reason);
-				return { ...result, details: detailsFor(params) };
+				return withResolveDetails(result);
 			}
 			if (params.action === "discard" && options.reject != null) {
 				const result = await options.reject(params.reason);
 				if (result != null) {
-					return { ...result, details: detailsFor(params) };
+					return withResolveDetails(result);
 				}
 			}
 			return {
@@ -154,9 +162,10 @@ export const resolveToolRenderer = {
 		const reason = replaceTabs(details?.reason?.trim() || "No reason provided");
 		const action = details?.action ?? "apply";
 		const isApply = action === "apply" && !result.isError;
+		const isFailedApply = action === "apply" && result.isError;
 		const bgColor = result.isError ? "error" : isApply ? "success" : "warning";
 		const icon = isApply ? uiTheme.status.success : uiTheme.status.error;
-		const verb = isApply ? "Accept" : "Discard";
+		const verb = isApply ? "Accept" : isFailedApply ? "Failed" : "Discard";
 		const separator = ": ";
 		const separatorIndex = label.indexOf(separator);
 		const sourceLabel = separatorIndex > 0 ? label.slice(0, separatorIndex).trim() : undefined;

package/src/tools/sqlite-reader.ts

@@ -252,6 +252,112 @@ function resolveOrderClause(order: string | undefined, columns: string[]): strin
 	return ` ORDER BY ${quoteSqliteIdentifier(column)} ${direction.toUpperCase()}`;
 }
 
+const FORBIDDEN_WHERE_KEYWORDS = new Set([
+	"limit",
+	"offset",
+	"union",
+	"intersect",
+	"except",
+	"attach",
+	"detach",
+	"pragma",
+]);
+
+const COMMENT_OR_TERMINATOR_ERROR =
+	"SQLite 'where' clause must not contain comments or statement terminators; use '?q=SELECT ...' for raw SQL";
+const FORBIDDEN_KEYWORD_ERROR =
+	"SQLite 'where' clause must not contain LIMIT/OFFSET/UNION/INTERSECT/EXCEPT/ATTACH/DETACH/PRAGMA; use '?q=SELECT ...' for raw SQL";
+
+/**
+ * Scans a `where=` clause character-by-character, tracking single- and double-quoted
+ * string literals, and rejects SQL control syntax that would otherwise let the
+ * structured helper path escape the bound `LIMIT ? OFFSET ?` pagination:
+ *
+ * - comments (`--`, `/* ... *\/`) and statement terminators (`;`) outside quotes
+ * - pagination / attach / pragma keywords outside quotes
+ *
+ * Raw SQL remains available through `?q=SELECT ...`.
+ */
+function findWhereClauseViolation(sql: string): string | null {
+	let inSingleQuote = false;
+	let inDoubleQuote = false;
+	let tokenStart = -1;
+	let keywordViolation: string | null = null;
+
+	const flushToken = (end: number): void => {
+		if (tokenStart < 0 || keywordViolation) {
+			tokenStart = -1;
+			return;
+		}
+		const token = sql.slice(tokenStart, end).toLowerCase();
+		tokenStart = -1;
+		if (FORBIDDEN_WHERE_KEYWORDS.has(token)) {
+			keywordViolation = FORBIDDEN_KEYWORD_ERROR;
+		}
+	};
+
+	for (let index = 0; index <= sql.length; index++) {
+		const char = index < sql.length ? sql[index] : undefined;
+		const next = index + 1 < sql.length ? sql[index + 1] : undefined;
+
+		if (inSingleQuote) {
+			if (char === "'" && next === "'") {
+				index += 1;
+				continue;
+			}
+			if (char === "'") {
+				inSingleQuote = false;
+			}
+			continue;
+		}
+		if (inDoubleQuote) {
+			if (char === '"' && next === '"') {
+				index += 1;
+				continue;
+			}
+			if (char === '"') {
+				inDoubleQuote = false;
+			}
+			continue;
+		}
+
+		const isIdent = char !== undefined && /[A-Za-z0-9_]/.test(char);
+		if (isIdent) {
+			if (tokenStart < 0) tokenStart = index;
+			continue;
+		}
+
+		flushToken(index);
+
+		if (char === undefined) break;
+		if (char === "'") {
+			inSingleQuote = true;
+			continue;
+		}
+		if (char === '"') {
+			inDoubleQuote = true;
+			continue;
+		}
+		if (char === ";") return COMMENT_OR_TERMINATOR_ERROR;
+		if ((char === "-" && next === "-") || (char === "/" && next === "*") || (char === "*" && next === "/")) {
+			return COMMENT_OR_TERMINATOR_ERROR;
+		}
+	}
+
+	return keywordViolation;
+}
+
+function validateWhereClause(where: string | undefined): string | undefined {
+	if (!where) return undefined;
+	const trimmed = where.trim();
+	if (!trimmed) return undefined;
+	const violation = findWhereClauseViolation(trimmed);
+	if (violation) {
+		throw new ToolError(violation);
+	}
+	return trimmed;
+}
+
 function normalizeWriteValue(value: unknown, column: string): SqliteBinding {
 	if (value === null) return null;
 	if (
@@ -360,7 +466,7 @@ export function parseSqliteSelector(subPath: string, queryString: string): Sqlit
 		return { kind: "row", table, key };
 	}
 
-	const where = params.get("where")?.trim() || undefined;
+	const where = validateWhereClause(params.get("where") ?? undefined);
 	const order = params.get("order")?.trim() || undefined;
 	const hasQueryParams = params.has("limit") || params.has("offset") || order !== undefined || where !== undefined;
 	if (hasQueryParams) {
@@ -448,12 +554,19 @@ export function queryRows(
 	opts: { limit: number; offset: number; order?: string; where?: string },
 ): { columns: string[]; rows: Record<string, unknown>[]; totalCount: number } {
 	const columns = getTableColumns(db, table);
-	const whereClause = opts.where?.trim() ? ` WHERE ${opts.where.trim()}` : "";
+	const validatedWhere = validateWhereClause(opts.where);
+	const whereClause = validatedWhere ? ` WHERE ${validatedWhere}` : "";
 	const orderClause = resolveOrderClause(opts.order, columns);
 	const countSql = `SELECT COUNT(*) AS count FROM ${quoteSqliteIdentifier(table)}${whereClause}`;
 	const selectSql = `SELECT * FROM ${quoteSqliteIdentifier(table)}${whereClause}${orderClause} LIMIT ? OFFSET ?`;
 	const totalCount = db.prepare<SqliteCountRow, []>(countSql).get()?.count ?? 0;
-	const rows = db.prepare<SqliteRow, SQLQueryBindings[]>(selectSql).all(opts.limit, opts.offset);
+	const statement = db.prepare<SqliteRow, SQLQueryBindings[]>(selectSql);
+	if (statement.paramsCount !== 2) {
+		throw new ToolError(
+			"SQLite where clause changed the expected pagination parameters; use q=SELECT ... for raw SQL",
+		);
+	}
+	const rows = statement.all(opts.limit, opts.offset);
 	return { columns, rows, totalCount };
 }
 

package/src/tools/vim.ts

@@ -639,7 +639,7 @@ export class VimTool implements AgentTool<typeof vimSchema, VimToolDetails> {
 
 				await executeVimSteps(engine, steps, {
 					pauseLastStep: params.pause === true,
-					onKbdStep: emitUpdate ? () => emitUpdate() : undefined,
+					onKbdStep: emitUpdate ? () => emitUpdate(true) : undefined,
 					onInsertStep: emitUpdate ? () => emitUpdate(true) : undefined,
 				});
 

package/src/web/search/providers/codex.ts

@@ -106,6 +106,125 @@ function isImagePlaceholderAnswer(text: string): boolean {
 	return text.trim().toLowerCase() === "(see attached image)";
 }
 
+function addSource(sources: SearchSource[], source: SearchSource): void {
+	if (!sources.some(existing => existing.url === source.url)) {
+		sources.push(source);
+	}
+}
+
+function countCharacter(text: string, target: string): number {
+	let count = 0;
+	for (const char of text) {
+		if (char === target) {
+			count += 1;
+		}
+	}
+	return count;
+}
+
+/**
+ * Strips prose punctuation and unmatched closing delimiters from extracted URLs.
+ * Codex often returns links in markdown or sentence text without structured annotations.
+ */
+function normalizeExtractedUrl(candidate: string): string | null {
+	let url = candidate.trim();
+
+	while (url.length > 0) {
+		const lastCharacter = url.at(-1);
+		if (!lastCharacter) break;
+		if (/[.,!?;:'"]/u.test(lastCharacter)) {
+			url = url.slice(0, -1);
+			continue;
+		}
+		if (lastCharacter === ")" && countCharacter(url, ")") > countCharacter(url, "(")) {
+			url = url.slice(0, -1);
+			continue;
+		}
+		if (lastCharacter === "]" && countCharacter(url, "]") > countCharacter(url, "[")) {
+			url = url.slice(0, -1);
+			continue;
+		}
+		if (lastCharacter === "}" && countCharacter(url, "}") > countCharacter(url, "{")) {
+			url = url.slice(0, -1);
+			continue;
+		}
+		break;
+	}
+
+	if (!/^https?:\/\//.test(url)) {
+		return null;
+	}
+
+	try {
+		return new URL(url).toString();
+	} catch {
+		return null;
+	}
+}
+
+function findMarkdownLinkUrlEnd(text: string, openParenIndex: number): number | null {
+	let depth = 0;
+
+	for (let index = openParenIndex; index < text.length; index += 1) {
+		const character = text[index];
+		if (!character || character === "\n") {
+			return null;
+		}
+		if (character === "(") {
+			depth += 1;
+			continue;
+		}
+		if (character !== ")") {
+			continue;
+		}
+		depth -= 1;
+		if (depth === 0) {
+			return index;
+		}
+		if (depth < 0) {
+			return null;
+		}
+	}
+
+	return null;
+}
+
+/**
+ * Extracts citation sources from markdown links and bare URLs in the answer text.
+ * Used as a fallback when the Codex response omits `url_citation` annotations.
+ */
+function extractTextSources(text: string): SearchSource[] {
+	const sources: SearchSource[] = [];
+
+	for (let index = 0; index < text.length; index += 1) {
+		if (text[index] !== "[") {
+			continue;
+		}
+		const titleEnd = text.indexOf("]", index + 1);
+		if (titleEnd === -1 || text[titleEnd + 1] !== "(") {
+			continue;
+		}
+		const urlEnd = findMarkdownLinkUrlEnd(text, titleEnd + 1);
+		if (urlEnd === null) {
+			continue;
+		}
+		const title = text.slice(index + 1, titleEnd).trim();
+		const url = normalizeExtractedUrl(text.slice(titleEnd + 2, urlEnd));
+		if (url) {
+			addSource(sources, { title: title || url, url });
+		}
+		index = urlEnd;
+	}
+
+	for (const match of text.matchAll(/https?:\/\/\S+/g)) {
+		const url = normalizeExtractedUrl(match[0] ?? "");
+		if (!url) continue;
+		addSource(sources, { title: url, url });
+	}
+
+	return sources;
+}
+
 /**
  * Extracts account ID from a Codex access token.
  * @param accessToken - JWT access token
@@ -211,6 +330,7 @@ async function callCodexSearch(
 				search_context_size: options.searchContextSize ?? "high",
 			},
 		],
+		tool_choice: { type: "web_search" },
 		instructions: options.systemPrompt ?? DEFAULT_INSTRUCTIONS,
 	};
 
@@ -262,12 +382,7 @@ async function callCodexSearch(
 							for (const annotation of part.annotations) {
 								if (annotation.type === "url_citation" && annotation.url) {
 									// Deduplicate by URL
-									if (!sources.some(s => s.url === annotation.url)) {
-										sources.push({
-											title: annotation.title ?? annotation.url,
-											url: annotation.url,
-										});
-									}
+									addSource(sources, { title: annotation.title ?? annotation.url, url: annotation.url });
 								}
 							}
 						}
@@ -317,6 +432,14 @@ async function callCodexSearch(
 				? streamedAnswer
 				: finalAnswer;
 
+	// Fallback: when Codex omits url_citation annotations, scrape markdown links
+	// and bare URLs from the synthesized answer so callers still receive sources.
+	if (sources.length === 0 && answer.length > 0) {
+		for (const source of extractTextSources(answer)) {
+			addSource(sources, source);
+		}
+	}
+
 	return {
 		answer,
 		sources,