@oh-my-pi/pi-coding-agent 14.8.0 → 14.9.0

package/src/modes/rpc/rpc-mode.ts

@@ -10,6 +10,7 @@
  * - Events: AgentSessionEvent objects streamed as they occur
  * - Extension UI: Extension UI requests are emitted, client responds with extension_ui_response
  */
+import { getOAuthProviders } from "@oh-my-pi/pi-ai/utils/oauth";
 import { $env, readJsonl, Snowflake } from "@oh-my-pi/pi-utils";
 import type {
 	ExtensionUIContext,
@@ -149,7 +150,6 @@ export function requestRpcEditor(
 	} as RpcExtensionUIRequest);
 	return promise;
 }
-
 /**
  * Run in RPC mode.
  * Listens for JSON commands on stdin, outputs events and responses on stdout.
@@ -755,6 +755,72 @@ export async function runRpcMode(session: AgentSession): Promise<never> {
 				return success(id, "get_messages", { messages: session.messages });
 			}
 
+			// =================================================================
+			// Login
+			// =================================================================
+
+			case "get_login_providers": {
+				const providers = getOAuthProviders().map(provider => ({
+					id: provider.id,
+					name: provider.name,
+					available: provider.available,
+					authenticated: session.modelRegistry.authStorage.hasAuth(provider.id),
+				}));
+				return success(id, "get_login_providers", { providers });
+			}
+
+			case "login": {
+				const knownProvider = getOAuthProviders().find(p => p.id === command.providerId);
+				if (!knownProvider) {
+					return error(id, "login", `Unknown OAuth provider: ${command.providerId}`);
+				}
+				const uiCtx = new RpcExtensionUIContext(pendingExtensionRequests, output);
+				// Track whether onAuth has fired. Providers that use OAuthCallbackFlow
+				// always call onAuth first (emit browser URL), then onManualCodeInput as
+				// a fallback. Providers that require interactive input (API-key paste,
+				// GitHub Enterprise URL, device-code entry) call onPrompt before onAuth.
+				// We use this ordering to self-classify at runtime — no static allowlist.
+				let authEmitted = false;
+				try {
+					await session.modelRegistry.authStorage.login(command.providerId, {
+						onAuth: info => {
+							authEmitted = true;
+							output({
+								type: "extension_ui_request",
+								id: Snowflake.next() as string,
+								method: "open_url",
+								url: info.url,
+								instructions: info.instructions,
+							} as RpcExtensionUIRequest);
+						},
+						onProgress: message => {
+							uiCtx.notify(message, "info");
+						},
+						onPrompt: () => {
+							if (!authEmitted) {
+								// onPrompt called before any auth URL — provider requires
+								// interactive input that cannot be satisfied headlessly.
+								return Promise.reject(
+									new Error(
+										`Provider '${command.providerId}' requires interactive prompts ` +
+											"which are not supported in RPC mode. Use the terminal UI to log in.",
+									),
+								);
+							}
+							// onAuth has already fired — we are inside OAuthCallbackFlow's
+							// manual-redirect fallback race. Returning a never-settling promise
+							// lets the race block until the callback server wins; a rejection
+							// would be caught as null and spin the while(true) loop.
+							return new Promise<string>(() => {});
+						},
+					});
+					await session.modelRegistry.refresh();
+					return success(id, "login", { providerId: command.providerId });
+				} catch (err: unknown) {
+					return error(id, "login", err instanceof Error ? err.message : String(err));
+				}
+			}
+
 			default: {
 				const unknownCommand = command as { type: string };
 				return error(undefined, unknownCommand.type, `Unknown command: ${unknownCommand.type}`);

package/src/modes/rpc/rpc-types.ts

@@ -67,7 +67,11 @@ export type RpcCommand =
 	| { id?: string; type: "handoff"; customInstructions?: string }
 
 	// Messages
-	| { id?: string; type: "get_messages" };
+	| { id?: string; type: "get_messages" }
+
+	// Login
+	| { id?: string; type: "get_login_providers" }
+	| { id?: string; type: "login"; providerId: string };
 
 // ============================================================================
 // RPC State
@@ -193,6 +197,16 @@ export type RpcResponse =
 	// Messages
 	| { id?: string; type: "response"; command: "get_messages"; success: true; data: { messages: AgentMessage[] } }
 
+	// Login
+	| {
+			id?: string;
+			type: "response";
+			command: "get_login_providers";
+			success: true;
+			data: { providers: Array<{ id: string; name: string; available: boolean; authenticated: boolean }> };
+	  }
+	| { id?: string; type: "response"; command: "login"; success: true; data: { providerId: string } }
+
 	// Error response (any command can fail)
 	| { id?: string; type: "response"; command: string; success: false; error: string };
 
@@ -244,7 +258,8 @@ export type RpcExtensionUIRequest =
 			widgetPlacement?: "aboveEditor" | "belowEditor";
 	  }
 	| { type: "extension_ui_request"; id: string; method: "setTitle"; title: string }
-	| { type: "extension_ui_request"; id: string; method: "set_editor_text"; text: string };
+	| { type: "extension_ui_request"; id: string; method: "set_editor_text"; text: string }
+	| { type: "extension_ui_request"; id: string; method: "open_url"; url: string; instructions?: string };
 
 // ============================================================================
 // Host Tool Frames (bidirectional)

package/src/modes/types.ts

@@ -1,6 +1,6 @@
 import type { AgentMessage } from "@oh-my-pi/pi-agent-core";
 import type { AssistantMessage, ImageContent, Message, UsageReport } from "@oh-my-pi/pi-ai";
-import type { Component, Container, Loader, Spacer, Text, TUI } from "@oh-my-pi/pi-tui";
+import type { Component, Container, EditorTheme, Loader, Spacer, Text, TUI } from "@oh-my-pi/pi-tui";
 import type { KeybindingsManager } from "../config/keybindings";
 import type { Settings } from "../config/settings";
 import type {
@@ -131,6 +131,9 @@ export interface InteractiveModeContext {
 	setToolUIContext(uiContext: ExtensionUIContext, hasUI: boolean): void;
 	initializeHookRunner(uiContext: ExtensionUIContext, hasUI: boolean): void;
 	createBackgroundUiContext(): ExtensionUIContext;
+	setEditorComponent(
+		factory: ((tui: TUI, theme: EditorTheme, keybindings: KeybindingsManager) => CustomEditor) | undefined,
+	): void;
 
 	// Event handling
 	handleBackgroundEvent(event: AgentSessionEvent): Promise<void>;

package/src/modes/utils/ui-helpers.ts

@@ -226,7 +226,9 @@ export class UiHelpers {
 				break;
 			}
 			case "assistant": {
-				const assistantComponent = new AssistantMessageComponent(message, this.ctx.hideThinkingBlock);
+				const assistantComponent = new AssistantMessageComponent(message, this.ctx.hideThinkingBlock, () =>
+					this.ctx.ui.requestRender(),
+				);
 				this.ctx.chatContainer.addChild(assistantComponent);
 				break;
 			}

package/src/prompts/agents/reviewer.md

@@ -77,6 +77,20 @@ Report issue only when ALL conditions hold:
 - **Proportionate rigor**: Fix doesn't demand rigor absent elsewhere in codebase
 </criteria>
 
+<cross-boundary>
+For every new type, variant, or value introduced by the patch that crosses a function or module boundary
+(event, message, command, frame, enum variant, queue item, IPC payload):
+1. Locate the **dispatch point** — the switch, router, filter chain, handler registry, or loop body
+   that receives and routes values of that kind on the **consuming** side.
+2. Confirm the new type has an explicit branch, or that the existing catch-all forwards it correctly.
+3. If the new type falls through to a silent drop, no-op, or discard (e.g. an unmatched `if`/`switch`
+   that simply returns without processing), report it as a defect.
+
+The dispatch point is frequently **outside the diff**. You **MUST** read it before concluding
+the producing side is correct. Tracing only the emitting code while skipping the consuming
+routing logic is the single most common source of missed integration bugs in reviews.
+</cross-boundary>
+
 <priority>
 |Level|Criteria|Example|
 |---|---|---|

package/src/prompts/tools/hashline.md

@@ -10,17 +10,18 @@ Purely textual format. The tool has NO awareness of language, indentation, brack
 @PATH            header: subsequent ops apply to PATH
 + ANCHOR         insert lines AFTER  the anchored line (or EOF); payload follows as `{{hsep}}TEXT` lines
 < ANCHOR         insert lines BEFORE the anchored line (or BOF); payload follows as `{{hsep}}TEXT` lines
-- A..B           delete the line range (inclusive); `- A` for one line
-= A..B           replace the range with payload `{{hsep}}TEXT` lines, or with one blank line if no payload follows
+- A..B           delete the line range (inclusive).
+= A..B           replace the range with payload `{{hsep}}TEXT` lines, or with one blank line if no payload follows.
 </ops>
 
 <rules>
 - Every line of inserted/replacement content **MUST** be emitted as a payload line starting with `{{hsep}}`.
 - `{{hsep}}` is syntax, not content. The inserted text begins after the first `{{hsep}}`; use a bare `{{hsep}}` to insert a blank line.
 - `< A` inserts before line A; `+ A` inserts after line A. `< BOF` / `+ BOF` both prepend; `< EOF` / `+ EOF` both append.
-- `= A..B` replaces the inclusive range with the following payload lines. `= A` (or `= A..B`) with no payload blanks the range to a single empty line.
-- `- A..B` deletes the inclusive range; omit `..B` for one line.
-- Pick the smallest op for the change: pure addition → `+`/`<`; pure deletion → `-`; `= A..B` ONLY when content inside `A..B` is actually being modified or removed.
+- `= A..B` replaces the inclusive range with the following payload lines. `= A..B` with no payload blanks the range to a single empty line.
+- `- A..B` deletes the inclusive range; `A..A` for one line.
+- **Choose a self-contained syntactic unit first.** If the change touches part of a multiline call, destructuring assignment, control-flow header, wrapper, or other construct, widen the range to include the whole construct before optimizing for size.
+- Only after the range is self-contained, pick the smallest op for the change: pure addition → `+`/`<`; pure deletion → `-`; `= A..B` ONLY when content inside `A..B` is actually being modified or removed.
 </rules>
 
 <brace-shapes>
@@ -35,7 +36,7 @@ When your edit involves brace boundaries (`{` / `}`), prefer these shapes:
 - **Do not replay the line past your range.** For `= A..B`, never end the payload with content that already exists at B+1. Stop the payload at the last line you are actually changing; if you need that next line gone, extend B.
 - **Do not duplicate chunks inside one payload.** When emitting a long `=` payload, never paste the same multi-line block twice. If you catch yourself re-emitting an earlier run of lines, stop and rewrite the op.
 - **Anchor only inside the visible region.** If the read output around your `=`/`-` end anchor is truncated (you cannot see the line at B+1), issue a fresh `read` before editing — anchoring blind drops or duplicates the boundary line.
-- **Prefer narrow ops over wide `=`.** A `+`/`<` insert plus a small `-` delete is almost always clearer and safer than a single wide `= A..B` that re-emits unchanged context.
+- **Prefer the narrowest self-contained edit.** Once your range cleanly contains the construct you are changing, a `+`/`<` insert plus a small `-` delete is almost always clearer and safer than a single wide `= A..B` that re-emits unchanged context.
 </common-failures>
 
 <case file="a.ts">
@@ -47,10 +48,22 @@ When your edit involves brace boundaries (`{` / `}`), prefer these shapes:
 {{hline 6 "}"}}
 </case>
 
+<case file="b.ts">
+{{hline 1 "const {"}}
+{{hline 2 "\tevents,"}}
+{{hline 3 "\tresponse,"}}
+{{hline 4 "\trequestId,"}}
+{{hline 5 "} = await getStreamResponse("}}
+{{hline 6 "\trequest,"}}
+{{hline 7 "\tsignal,"}}
+{{hline 8 ");"}}
+{{hline 9 "await notify(requestId);"}}
+</case>
+
 <examples>
 # Replace one line (preserve the leading tab from the original)
 @a.ts
-= {{hrefr 5}}
+= {{hrefr 5}}..{{hrefr 5}}
 {{hsep}}	return clean.trim().toUpperCase();
 
 # Replace a contiguous range with multiple lines
@@ -59,6 +72,19 @@ When your edit involves brace boundaries (`{` / `}`), prefer these shapes:
 {{hsep}}	const clean = (name || DEF).trim();
 {{hsep}}	return clean.length === 0 ? DEF : clean.toUpperCase();
 
+# Replace a full multiline destructuring/call statement
+@b.ts
+= {{hrefr 1}}..{{hrefr 8}}
+{{hsep}}const {
+{{hsep}}	events,
+{{hsep}}	response,
+{{hsep}}	requestId,
+{{hsep}}} = await getStreamResponse(
+{{hsep}}	request,
+{{hsep}}	signal,
+{{hsep}}	onEvent,
+{{hsep}});
+
 # Insert BEFORE a line
 @a.ts
 < {{hrefr 5}}
@@ -80,11 +106,11 @@ When your edit involves brace boundaries (`{` / `}`), prefer these shapes:
 
 # Delete a single line
 @a.ts
-- {{hrefr 2}}
+- {{hrefr 2}}..{{hrefr 2}}
 
 # Blank a line in place (no payload required)
 @a.ts
-= {{hrefr 2}}
+= {{hrefr 2}}..{{hrefr 2}}
 </examples>
 
 <anti-pattern>
@@ -103,7 +129,28 @@ When your edit involves brace boundaries (`{` / `}`), prefer these shapes:
 + {{hrefr 1}}
 {{hsep}}const DEBUG = false;
 
-If your replacement payload would render with even one unchanged line in the diff, you have the wrong op or range. Stop and rewrite as `+`/`<`/`-` plus a narrower `=`.
+# WRONG — continuation-fragment payload from the middle of a larger statement.
+@b.ts
+= {{hrefr 5}}..{{hrefr 7}}
+{{hsep}}} = await getStreamResponse(
+{{hsep}}	request,
+{{hsep}}	signal,
+{{hsep}}	onEvent,
+
+# RIGHT — widen to the full statement so the payload starts at a self-contained boundary.
+@b.ts
+= {{hrefr 1}}..{{hrefr 8}}
+{{hsep}}const {
+{{hsep}}	events,
+{{hsep}}	response,
+{{hsep}}	requestId,
+{{hsep}}} = await getStreamResponse(
+{{hsep}}	request,
+{{hsep}}	signal,
+{{hsep}}	onEvent,
+{{hsep}});
+
+If your replacement payload would render with even one unchanged line in the diff, or if the first or last payload line is only a continuation fragment from a larger construct (`} =`, `);`, `,`, `.method(`), you have the wrong op or range. Stop and widen to a self-contained boundary before minimizing the edit.
 </anti-pattern>
 
 <critical>

package/src/sdk.ts

@@ -1675,9 +1675,9 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			preferWebsockets: preferOpenAICodexWebsockets,
 			getToolContext: tc => toolContextStore.getContext(tc),
 			getApiKey: async provider => {
-				// Use the provider-facing session id for sticky credential selection so cache keys
-				// and provider auth affinity stay aligned across fresh benchmark sessions.
-				const key = await modelRegistry.getApiKeyForProvider(provider, providerSessionId);
+				// Read agent.sessionId at call time so credential selection stays aligned
+				// with metadataResolver after /new, fork, resume, or branch switches.
+				const key = await modelRegistry.getApiKeyForProvider(provider, agent.sessionId);
 				if (!key) {
 					throw new Error(`No API key found for provider "${provider}"`);
 				}
@@ -1757,6 +1757,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			asyncJobManager,
 			agentId: resolvedAgentId,
 			agentRegistry,
+			providerSessionId: options.providerSessionId,
 		});
 		hasSession = true;