@oh-my-pi/pi-coding-agent 14.2.1 → 14.3.0

package/src/session/session-manager.ts

@@ -1264,74 +1264,245 @@ function extractTextFromContent(content: Message["content"]): string {
 		.join(" ");
 }
 
-async function collectSessionsFromFiles(files: string[], storage: SessionStorage): Promise<SessionInfo[]> {
-	const sessions: SessionInfo[] = [];
+const SESSION_LIST_PREFIX_BYTES = 1024;
+const SESSION_LIST_PARALLEL_THRESHOLD = 64;
+const SESSION_LIST_MAX_WORKERS = 16;
+const sessionListPrefixDecoder = new TextDecoder("utf-8", { fatal: false });
 
-	// Collect session info for all files in parallel
-	await Promise.all(
-		files.map(async file => {
-			try {
-				const content = await storage.readText(file);
-				const entries = parseJsonlLenient<Record<string, unknown>>(content);
-				if (entries.length === 0) return;
-
-				// Check first entry for valid session header
-				type SessionHeaderShape = {
-					type: string;
-					id: string;
-					cwd?: string;
-					title?: string;
-					titleSource?: "auto" | "user";
-					timestamp: string;
-				};
-				const header = entries[0] as SessionHeaderShape;
-				if (header.type !== "session" || !header.id) return;
+async function readSessionListPrefix(file: string, storage: SessionStorage, buffer: Buffer): Promise<string> {
+	if (!(storage instanceof FileSessionStorage)) {
+		return storage.readTextPrefix(file, buffer.byteLength);
+	}
+
+	const handle = await fs.promises.open(file, "r");
+	try {
+		const { bytesRead } = await handle.read(buffer, 0, buffer.byteLength, 0);
+		return sessionListPrefixDecoder.decode(buffer.subarray(0, bytesRead));
+	} finally {
+		await handle.close();
+	}
+}
+
+function decodeJsonStringFragment(value: string): string {
+	const safeValue = value.endsWith("\\") ? value.slice(0, -1) : value;
+	try {
+		return JSON.parse(`"${safeValue}"`) as string;
+	} catch {
+		return safeValue
+			.replace(/\\n/g, "\n")
+			.replace(/\\r/g, "\r")
+			.replace(/\\t/g, "\t")
+			.replace(/\\"/g, '"')
+			.replace(/\\\\/g, "\\");
+	}
+}
 
-				let messageCount = 0;
-				let firstMessage = "";
-				const allMessages: string[] = [];
-				let shortSummary: string | undefined;
+function extractStringProperty(source: string, name: string, startIndex = 0): string | undefined {
+	const propertyIndex = source.indexOf(`"${name}"`, startIndex);
+	if (propertyIndex === -1) return undefined;
 
-				for (let i = 1; i < entries.length; i++) {
-					const entry = entries[i] as { type?: string; message?: Message; shortSummary?: string };
+	const colonIndex = source.indexOf(":", propertyIndex + name.length + 2);
+	if (colonIndex === -1) return undefined;
 
-					if (entry.type === "compaction" && typeof entry.shortSummary === "string") {
-						shortSummary = entry.shortSummary;
-					}
+	let valueIndex = colonIndex + 1;
+	while (valueIndex < source.length) {
+		const char = source.charCodeAt(valueIndex);
+		if (char !== 32 && char !== 9 && char !== 10 && char !== 13) break;
+		valueIndex++;
+	}
+	if (source.charCodeAt(valueIndex) !== 34) return undefined;
+
+	const valueStart = valueIndex + 1;
+	let escaped = false;
+	for (let i = valueStart; i < source.length; i++) {
+		const char = source.charCodeAt(i);
+		if (escaped) {
+			escaped = false;
+			continue;
+		}
+		if (char === 92) {
+			escaped = true;
+			continue;
+		}
+		if (char === 34) {
+			return decodeJsonStringFragment(source.slice(valueStart, i));
+		}
+	}
+
+	return decodeJsonStringFragment(source.slice(valueStart));
+}
+
+function countMessageMarkers(content: string): number {
+	let count = 0;
+	let index = 0;
+	while (index < content.length) {
+		const typeIndex = content.indexOf('"type"', index);
+		if (typeIndex === -1) break;
+		const colonIndex = content.indexOf(":", typeIndex + 6);
+		if (colonIndex === -1) break;
+		const type = extractStringProperty(content, "type", typeIndex);
+		if (type === "message") count++;
+		index = colonIndex + 1;
+	}
+	return count;
+}
+
+function extractFirstUserMessageFromPrefix(content: string): string | undefined {
+	const roleIndex = content.indexOf('"role"');
+	if (roleIndex === -1) return undefined;
+
+	let index = roleIndex;
+	while (index !== -1) {
+		const role = extractStringProperty(content, "role", index);
+		if (role === "user") {
+			return extractStringProperty(content, "content", index) ?? extractStringProperty(content, "text", index);
+		}
+		index = content.indexOf('"role"', index + 6);
+	}
+
+	return undefined;
+}
+
+interface SessionListHeader {
+	type: "session";
+	id: string;
+	cwd?: string;
+	title?: string;
+	parentSession?: string;
+	timestamp?: string;
+}
 
-					if (entry.type === "message" && entry.message) {
-						messageCount++;
+function parseSessionListHeader(
+	content: string,
+	entries: Array<Record<string, unknown>>,
+): SessionListHeader | undefined {
+	const parsedHeader = entries[0];
+	if (parsedHeader?.type === "session" && typeof parsedHeader.id === "string") {
+		return {
+			type: "session",
+			id: parsedHeader.id,
+			cwd: typeof parsedHeader.cwd === "string" ? parsedHeader.cwd : undefined,
+			title: typeof parsedHeader.title === "string" ? parsedHeader.title : undefined,
+			parentSession: typeof parsedHeader.parentSession === "string" ? parsedHeader.parentSession : undefined,
+			timestamp: typeof parsedHeader.timestamp === "string" ? parsedHeader.timestamp : undefined,
+		};
+	}
+
+	const firstLineEnd = content.indexOf("\n");
+	const firstLine = firstLineEnd === -1 ? content : content.slice(0, firstLineEnd);
+	if (extractStringProperty(firstLine, "type") !== "session") return undefined;
+
+	const id = extractStringProperty(firstLine, "id");
+	if (!id) return undefined;
+
+	return {
+		type: "session",
+		id,
+		cwd: extractStringProperty(firstLine, "cwd"),
+		title: extractStringProperty(firstLine, "title"),
+		parentSession: extractStringProperty(firstLine, "parentSession"),
+		timestamp: extractStringProperty(firstLine, "timestamp"),
+	};
+}
+
+function getSessionListWorkerCount(fileCount: number): number {
+	if (fileCount <= SESSION_LIST_PARALLEL_THRESHOLD) return 1;
+	return Math.min(
+		SESSION_LIST_MAX_WORKERS,
+		os.availableParallelism(),
+		Math.ceil(fileCount / SESSION_LIST_PARALLEL_THRESHOLD),
+	);
+}
+
+async function collectSessionFromFile(
+	file: string,
+	storage: SessionStorage,
+	buffer: Buffer,
+): Promise<SessionInfo | undefined> {
+	try {
+		const content = await readSessionListPrefix(file, storage, buffer);
+		const entries = parseJsonlLenient<Record<string, unknown>>(content);
+		const header = parseSessionListHeader(content, entries);
+		if (!header) return undefined;
+
+		let parsedMessageCount = 0;
+		let firstMessage = "";
+		const allMessages: string[] = [];
+		let shortSummary: string | undefined;
+
+		for (let i = 1; i < entries.length; i++) {
+			const entry = entries[i] as { type?: string; message?: Message; shortSummary?: string };
+
+			if (entry.type === "compaction" && typeof entry.shortSummary === "string") {
+				shortSummary = entry.shortSummary;
+			}
 
-						if (entry.message.role === "user" || entry.message.role === "assistant") {
-							const textContent = extractTextFromContent(entry.message.content);
+			if (entry.type === "message" && entry.message) {
+				parsedMessageCount++;
 
-							if (textContent) {
-								allMessages.push(textContent);
+				if (entry.message.role === "user" || entry.message.role === "assistant") {
+					const textContent = extractTextFromContent(entry.message.content);
 
-								if (!firstMessage && entry.message.role === "user") {
-									firstMessage = textContent;
-								}
-							}
+					if (textContent) {
+						allMessages.push(textContent);
+
+						if (!firstMessage && entry.message.role === "user") {
+							firstMessage = textContent;
 						}
 					}
 				}
+			}
+		}
 
-				const stats = storage.statSync(file);
-				sessions.push({
-					path: file,
-					id: header.id,
-					cwd: typeof header.cwd === "string" ? header.cwd : "",
-					title: header.title ?? shortSummary,
-					parentSessionPath: (header as SessionHeader).parentSession,
-					created: new Date(header.timestamp),
-					modified: stats.mtime,
-					messageCount,
-					firstMessage: firstMessage || "(no messages)",
-					allMessagesText: allMessages.join(" "),
-				});
-			} catch {}
-		}),
-	);
+		firstMessage ||= extractFirstUserMessageFromPrefix(content) ?? "";
+		const messageCount = Math.max(parsedMessageCount, countMessageMarkers(content));
+		const stats = storage.statSync(file);
+		return {
+			path: file,
+			id: header.id,
+			cwd: header.cwd ?? "",
+			title: header.title ?? shortSummary,
+			parentSessionPath: header.parentSession,
+			created: new Date(header.timestamp ?? ""),
+			modified: stats.mtime,
+			messageCount,
+			firstMessage: firstMessage || "(no messages)",
+			allMessagesText: allMessages.length > 0 ? allMessages.join(" ") : firstMessage,
+		};
+	} catch {
+		return undefined;
+	}
+}
+
+async function collectSessionsFromFileStride(
+	files: string[],
+	storage: SessionStorage,
+	startIndex: number,
+	stride: number,
+): Promise<SessionInfo[]> {
+	const sessions: SessionInfo[] = [];
+	const buffer = Buffer.allocUnsafe(SESSION_LIST_PREFIX_BYTES);
+
+	for (let i = startIndex; i < files.length; i += stride) {
+		const session = await collectSessionFromFile(files[i], storage, buffer);
+		if (session) sessions.push(session);
+	}
+
+	return sessions;
+}
+
+async function collectSessionsFromFiles(files: string[], storage: SessionStorage): Promise<SessionInfo[]> {
+	const workerCount = getSessionListWorkerCount(files.length);
+	const sessions =
+		workerCount === 1
+			? await collectSessionsFromFileStride(files, storage, 0, 1)
+			: (
+					await Promise.all(
+						Array.from({ length: workerCount }, (_, workerIndex) =>
+							collectSessionsFromFileStride(files, storage, workerIndex, workerCount),
+						),
+					)
+				).flat();
 
 	sessions.sort((a, b) => b.modified.getTime() - a.modified.getTime());
 	return sessions;
@@ -2771,7 +2942,7 @@ export class SessionManager {
 	static async listAll(storage: SessionStorage = new FileSessionStorage()): Promise<SessionInfo[]> {
 		const sessionsRoot = path.join(getDefaultAgentDir(), "sessions");
 		try {
-			const files = Array.from(new Bun.Glob("**/*.jsonl").scanSync(sessionsRoot)).map(name =>
+			const files = await Array.fromAsync(new Bun.Glob("*/*.jsonl").scan(sessionsRoot), name =>
 				path.join(sessionsRoot, name),
 			);
 			return await collectSessionsFromFiles(files, storage);

package/src/session/streaming-output.ts

@@ -680,6 +680,17 @@ export class OutputSink {
 		});
 	}
 
+	/**
+	 * Replace the in-memory buffer with the given text while preserving the
+	 * streaming counters (totalLines/totalBytes reflect the raw chunks that
+	 * already reached the sink). Used when an upstream minimizer rewrites the
+	 * captured output after the raw bytes have already been streamed.
+	 */
+	replace(text: string): void {
+		this.#buffer = text;
+		this.#bufferBytes = Buffer.byteLength(text, "utf-8");
+	}
+
 	async dump(notice?: string): Promise<OutputSummary> {
 		const noticeLine = notice ? `[${notice}]\n` : "";
 		const outputLines = this.#buffer.length > 0 ? countNewlines(this.#buffer) + 1 : 0;

package/src/system-prompt.ts

@@ -275,13 +275,18 @@ async function getCachedGpu(): Promise<string | undefined> {
 }
 async function getEnvironmentInfo(): Promise<Array<{ label: string; value: string }>> {
 	const gpu = await getCachedGpu();
-	const cpus = os.cpus();
+	let cpuModel: string | undefined;
+	try {
+		cpuModel = os.cpus()[0]?.model;
+	} catch {
+		cpuModel = undefined;
+	}
 	const entries: Array<{ label: string; value: string | undefined }> = [
 		{ label: "OS", value: `${os.platform()} ${os.release()}` },
 		{ label: "Distro", value: os.type() },
 		{ label: "Kernel", value: os.version() },
 		{ label: "Arch", value: os.arch() },
-		{ label: "CPU", value: `${cpus[0]?.model}` },
+		{ label: "CPU", value: cpuModel },
 		{ label: "GPU", value: gpu },
 		{ label: "Terminal", value: getTerminalName() },
 	];

package/src/task/executor.ts

@@ -975,6 +975,7 @@ export async function runSubprocess(options: ExecutorOptions): Promise<SingleRes
 				enableLsp: lspEnabled,
 				skipPythonPreflight,
 				enableMCP,
+				mcpManager: options.mcpManager,
 				customTools: mcpProxyTools.length > 0 ? mcpProxyTools : undefined,
 			});
 

package/src/tools/bash.ts

@@ -30,6 +30,17 @@ export const BASH_DEFAULT_PREVIEW_LINES = 10;
 const BASH_ENV_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
 const DEFAULT_AUTO_BACKGROUND_THRESHOLD_MS = 60_000;
 
+async function saveBashOriginalArtifact(session: ToolSession, originalText: string): Promise<string | undefined> {
+	try {
+		const alloc = await session.allocateOutputArtifact?.("bash-original");
+		if (!alloc?.path || !alloc.id) return undefined;
+		await Bun.write(alloc.path, originalText);
+		return alloc.id;
+	} catch {
+		return undefined;
+	}
+}
+
 const bashSchemaBase = Type.Object({
 	command: Type.String({ description: "Command to execute" }),
 	env: Type.Optional(
@@ -390,6 +401,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 							latestText = tailBuffer.text();
 							void reportProgress(latestText, { async: { state: "running", jobId, type: "bash" } });
 						},
+						onMinimizedSave: originalText => saveBashOriginalArtifact(this.session, originalText),
 					});
 					const finalResult = this.#buildCompletedResult(
 						result,
@@ -656,6 +668,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 					artifactPath,
 					artifactId,
 					onChunk: streamTailUpdates(tailBuffer, onUpdate),
+					onMinimizedSave: originalText => saveBashOriginalArtifact(this.session, originalText),
 				});
 		if (result.cancelled) {
 			if (signal?.aborted) {

package/src/tools/gh.ts

@@ -611,14 +611,6 @@ function toLocalBranchRef(value: string): string {
 	return `refs/heads/${value}`;
 }
 
-function stripHeadsRef(value: string | undefined): string | undefined {
-	if (!value) {
-		return undefined;
-	}
-
-	return value.startsWith("refs/heads/") ? value.slice("refs/heads/".length) : value;
-}
-
 async function requireGitRepoRoot(cwd: string, signal?: AbortSignal): Promise<string> {
 	const repoRoot = await git.repo.root(cwd, signal);
 	if (!repoRoot) {
@@ -763,10 +755,13 @@ async function resolvePrBranchPushTarget(
 	maintainerCanModify?: boolean;
 	isCrossRepository: boolean;
 }> {
+	const headRef = await git.config.getBranch(repoRoot, localBranch, "ompPrHeadRef", signal);
+	if (!headRef) {
+		throw new ToolError(`branch ${localBranch} has no PR push metadata; check it out via gh_pr_checkout first`);
+	}
+
 	const pushRemote = await git.config.getBranch(repoRoot, localBranch, "pushRemote", signal);
 	const remote = await git.config.getBranch(repoRoot, localBranch, "remote", signal);
-	const mergeRef = await git.config.getBranch(repoRoot, localBranch, "merge", signal);
-	const headRef = await git.config.getBranch(repoRoot, localBranch, "ompPrHeadRef", signal);
 	const prUrl = await git.config.getBranch(repoRoot, localBranch, "ompPrUrl", signal);
 	const maintainerCanModifyValue = await git.config.getBranch(
 		repoRoot,
@@ -781,14 +776,9 @@ async function resolvePrBranchPushTarget(
 		throw new ToolError(`branch ${localBranch} has no configured push remote`);
 	}
 
-	const remoteBranch = headRef ?? stripHeadsRef(mergeRef);
-	if (!remoteBranch) {
-		throw new ToolError(`branch ${localBranch} has no tracked PR head ref`);
-	}
-
 	return {
 		remoteName,
-		remoteBranch,
+		remoteBranch: headRef,
 		remoteUrl: await git.remote.url(repoRoot, remoteName, signal),
 		prUrl,
 		maintainerCanModify:

package/src/tools/sqlite-reader.ts

@@ -252,6 +252,112 @@ function resolveOrderClause(order: string | undefined, columns: string[]): strin
 	return ` ORDER BY ${quoteSqliteIdentifier(column)} ${direction.toUpperCase()}`;
 }
 
+const FORBIDDEN_WHERE_KEYWORDS = new Set([
+	"limit",
+	"offset",
+	"union",
+	"intersect",
+	"except",
+	"attach",
+	"detach",
+	"pragma",
+]);
+
+const COMMENT_OR_TERMINATOR_ERROR =
+	"SQLite 'where' clause must not contain comments or statement terminators; use '?q=SELECT ...' for raw SQL";
+const FORBIDDEN_KEYWORD_ERROR =
+	"SQLite 'where' clause must not contain LIMIT/OFFSET/UNION/INTERSECT/EXCEPT/ATTACH/DETACH/PRAGMA; use '?q=SELECT ...' for raw SQL";
+
+/**
+ * Scans a `where=` clause character-by-character, tracking single- and double-quoted
+ * string literals, and rejects SQL control syntax that would otherwise let the
+ * structured helper path escape the bound `LIMIT ? OFFSET ?` pagination:
+ *
+ * - comments (`--`, `/* ... *\/`) and statement terminators (`;`) outside quotes
+ * - pagination / attach / pragma keywords outside quotes
+ *
+ * Raw SQL remains available through `?q=SELECT ...`.
+ */
+function findWhereClauseViolation(sql: string): string | null {
+	let inSingleQuote = false;
+	let inDoubleQuote = false;
+	let tokenStart = -1;
+	let keywordViolation: string | null = null;
+
+	const flushToken = (end: number): void => {
+		if (tokenStart < 0 || keywordViolation) {
+			tokenStart = -1;
+			return;
+		}
+		const token = sql.slice(tokenStart, end).toLowerCase();
+		tokenStart = -1;
+		if (FORBIDDEN_WHERE_KEYWORDS.has(token)) {
+			keywordViolation = FORBIDDEN_KEYWORD_ERROR;
+		}
+	};
+
+	for (let index = 0; index <= sql.length; index++) {
+		const char = index < sql.length ? sql[index] : undefined;
+		const next = index + 1 < sql.length ? sql[index + 1] : undefined;
+
+		if (inSingleQuote) {
+			if (char === "'" && next === "'") {
+				index += 1;
+				continue;
+			}
+			if (char === "'") {
+				inSingleQuote = false;
+			}
+			continue;
+		}
+		if (inDoubleQuote) {
+			if (char === '"' && next === '"') {
+				index += 1;
+				continue;
+			}
+			if (char === '"') {
+				inDoubleQuote = false;
+			}
+			continue;
+		}
+
+		const isIdent = char !== undefined && /[A-Za-z0-9_]/.test(char);
+		if (isIdent) {
+			if (tokenStart < 0) tokenStart = index;
+			continue;
+		}
+
+		flushToken(index);
+
+		if (char === undefined) break;
+		if (char === "'") {
+			inSingleQuote = true;
+			continue;
+		}
+		if (char === '"') {
+			inDoubleQuote = true;
+			continue;
+		}
+		if (char === ";") return COMMENT_OR_TERMINATOR_ERROR;
+		if ((char === "-" && next === "-") || (char === "/" && next === "*") || (char === "*" && next === "/")) {
+			return COMMENT_OR_TERMINATOR_ERROR;
+		}
+	}
+
+	return keywordViolation;
+}
+
+function validateWhereClause(where: string | undefined): string | undefined {
+	if (!where) return undefined;
+	const trimmed = where.trim();
+	if (!trimmed) return undefined;
+	const violation = findWhereClauseViolation(trimmed);
+	if (violation) {
+		throw new ToolError(violation);
+	}
+	return trimmed;
+}
+
 function normalizeWriteValue(value: unknown, column: string): SqliteBinding {
 	if (value === null) return null;
 	if (
@@ -360,7 +466,7 @@ export function parseSqliteSelector(subPath: string, queryString: string): Sqlit
 		return { kind: "row", table, key };
 	}
 
-	const where = params.get("where")?.trim() || undefined;
+	const where = validateWhereClause(params.get("where") ?? undefined);
 	const order = params.get("order")?.trim() || undefined;
 	const hasQueryParams = params.has("limit") || params.has("offset") || order !== undefined || where !== undefined;
 	if (hasQueryParams) {
@@ -448,12 +554,19 @@ export function queryRows(
 	opts: { limit: number; offset: number; order?: string; where?: string },
 ): { columns: string[]; rows: Record<string, unknown>[]; totalCount: number } {
 	const columns = getTableColumns(db, table);
-	const whereClause = opts.where?.trim() ? ` WHERE ${opts.where.trim()}` : "";
+	const validatedWhere = validateWhereClause(opts.where);
+	const whereClause = validatedWhere ? ` WHERE ${validatedWhere}` : "";
 	const orderClause = resolveOrderClause(opts.order, columns);
 	const countSql = `SELECT COUNT(*) AS count FROM ${quoteSqliteIdentifier(table)}${whereClause}`;
 	const selectSql = `SELECT * FROM ${quoteSqliteIdentifier(table)}${whereClause}${orderClause} LIMIT ? OFFSET ?`;
 	const totalCount = db.prepare<SqliteCountRow, []>(countSql).get()?.count ?? 0;
-	const rows = db.prepare<SqliteRow, SQLQueryBindings[]>(selectSql).all(opts.limit, opts.offset);
+	const statement = db.prepare<SqliteRow, SQLQueryBindings[]>(selectSql);
+	if (statement.paramsCount !== 2) {
+		throw new ToolError(
+			"SQLite where clause changed the expected pagination parameters; use q=SELECT ... for raw SQL",
+		);
+	}
+	const rows = statement.all(opts.limit, opts.offset);
 	return { columns, rows, totalCount };
 }