@oh-my-pi/pi-coding-agent 15.10.11 → 15.11.0

package/src/prompts/tools/task.md

@@ -1,43 +1,51 @@
-Launches subagents to parallelize workflows.
+{{#if batchEnabled}}Spawns subagents to work in the background — one per `tasks[]` item; a single spawn is a one-item batch.{{else}}Spawns ONE subagent per call to work in the background.{{/if}}
 
-{{#if asyncEnabled}}
-- Results are delivered automatically when complete.
-- The tool result lists the assigned task ids (e.g. `AuthLoader`) — those are the live agent ids.
+- Spawning is non-blocking: the call returns immediately with the agent id{{#if batchEnabled}}s{{/if}} and job id{{#if batchEnabled}}s{{/if}}; each result is delivered automatically when that agent yields.
+- Parallelism = {{#if batchEnabled}}`tasks[]` items in one call, and/or multiple `task` calls in one assistant message{{else}}multiple `task` calls in one assistant message{{/if}}. Concurrency is bounded at {{MAX_CONCURRENCY}} running subagents per session.
+- If genuinely blocked on a result, wait with `job poll`; otherwise keep working. `job cancel` terminates a task and **cannot carry a message** — only for stalled/abandoned work.
 {{#if ircEnabled}}
-- Coordinate with running tasks via `irc` using those ids. `job cancel` terminates a task and **cannot carry a message** — only use it for stalled/abandoned work.
-- If genuinely blocked on completion, wait with `job poll`; otherwise keep working.
-{{else}}
-- If genuinely blocked on completion, wait with `job poll`; otherwise keep working.
-- Use `job list` to snapshot manager state; `cancel: [id]` only to actually stop a stuck task.
-{{/if}}
+- Coordinate with running agents via `irc` using their ids. Agents reach you and their siblings live the same way.
 {{/if}}
 
-{{#if ircEnabled}}
-Subagents have no conversation history, but they can reach you and their siblings live via the `irc` tool. Front-load every fact, file path, and direction they need in {{#if contextEnabled}}`context` or `assignment`{{else}}each `assignment`{{/if}}.
-{{else}}
-Subagents have no conversation history. Every fact, file path, and direction they need MUST be explicit in {{#if contextEnabled}}`context` or `assignment`{{else}}each `assignment`{{/if}}.
-{{/if}}
+<lifecycle>
+- Finished agents stay alive: `idle` first, then `parked` after a TTL.{{#if ircEnabled}} Both remain addressable and revivable: messaging one via `irc` wakes it and runs your message as a follow-up turn. **Prefer messaging an agent that already holds the relevant context over spawning fresh** — check `irc` op:"list" for candidates.{{/if}}
+- `history://<id>` is the agent's transcript; `agent://<id>` its latest output artifact.
+</lifecycle>
 
 <parameters>
-- `agent`: agent type for all tasks
-- `tasks`: tasks to execute in parallel
- - `.id`: CamelCase, ≤32 chars
- - `.description`: UI label only — subagent never sees it
- - `.assignment`: complete self-contained instructions; one-liners and missing acceptance criteria are PROHIBITED
-{{#if contextEnabled}}- `context`: shared background prepended to every assignment; session-specific only{{/if}}
-{{#if customSchemaEnabled}}- `schema`: JTD schema for expected structured output (do not put format rules in assignments){{/if}}
-{{#if isolationEnabled}}- `isolated`: run in isolated env; use when tasks edit overlapping files{{/if}}
+- `agent`: agent type to spawn
+{{#if batchEnabled}}
+- `context`: shared background prepended to every assignment — goal, constraints, shared contract (see context-fmt); REQUIRED, session-specific only
+- `tasks`: tasks to spawn — one subagent per item, all in parallel:
+  - `assignment`: complete self-contained instructions; one-liners and missing acceptance criteria are PROHIBITED
+  - `id`: stable agent id, CamelCase, ≤32 chars; generated when omitted
+  - `description`: UI label only — subagent never sees it
+{{#if isolationEnabled}}
+  - `isolated`: run this spawn in an isolated env; returns patches. Isolated agents are torn down at completion — not addressable afterwards
+{{/if}}
+{{else}}
+- `id`: stable agent id, CamelCase, ≤32 chars; generated when omitted
+- `description`: UI label only — subagent never sees it
+- `assignment`: complete self-contained instructions; one-liners and missing acceptance criteria are PROHIBITED
+{{#if isolationEnabled}}
+- `isolated`: run in isolated env; returns patches. Isolated agents are torn down at completion — not addressable afterwards
+{{/if}}
+{{/if}}
 </parameters>
 
 <rules>
-- **Maximize batch width.** Spawn the widest parallel set the work decomposes into. NEVER spawn a single-task batch for divisible work, or defer work that could have been concurrent.
-- **Subagents do not verify, lint, or format.** Every assignment MUST instruct the subagent to skip all gates, formatters, and project-wide build/test/lint. You run them once at the end across the union of changed files — avoids redundant runs and racing formatter passes.
+- **Maximize fan-out.** Issue the widest {{#if batchEnabled}}`tasks[]` batch (or set of parallel `task` calls){{else}}set of parallel `task` calls{{/if}} the work decomposes into. NEVER serialize work that could run concurrently.
+- **Subagents do not verify, lint, or format.** Every assignment MUST instruct the subagent to skip all gates, formatters, and project-wide build/test/lint. You run them once at the end across the union of changed files.
 - No globs, no "update all", no package-wide scope. Fan out.
 - NEVER slow down or serialize because tasks might overlap on some files. Agents resolve collisions among themselves in real time.
-- Pass large payloads via `local://<path>` URIs, not inline. {{#if contextEnabled}} (other than the context){{/if}}
-{{#if contextEnabled}}- Put shared constraints in `context` once; do not duplicate across assignments.{{/if}}
+- Subagents have no conversation history. Every fact, file path, and direction they need MUST be explicit in {{#if batchEnabled}}`context` or the item's `assignment`{{else}}the `assignment`{{/if}}.
+{{#if batchEnabled}}
+- **Shared background** lives in `context` once — never duplicated across assignments. Pass large payloads via `local://<path>` URIs, not inline.
+{{else}}
+- **Shared background**: write it ONCE to a `local://` file (e.g. `local://ctx.md`) and reference that path in each assignment. Pass large payloads via `local://<path>` URIs, not inline.
+{{/if}}
 - Prefer agents that investigate **and** edit in one pass; only spin a read-only discovery step when affected files are genuinely unknown.
-- **Read-only agents**: Agents tagged READ-ONLY (e.g. `explore`) have no edit/write/command tools. NEVER hand them an assignment that requires changing files or running commands — they cannot do it and the turn is wasted. Use them to investigate and report back; do the edits yourself or delegate to a writing agent (`task`, `oracle`, `designer`).
+- **Read-only agents**: Agents tagged READ-ONLY (e.g. `explore`) have no edit/write/command tools. NEVER hand them an assignment that requires changing files or running commands. Use them to investigate and report back; do the edits yourself or delegate to a writing agent (`task`, `oracle`, `designer`).
 - **No reasoning offload**: NEVER offload reasoning, analysis, design, or decision-making to `quick_task` or `explore` — they run minimal-effort / small models for mechanical lookups and data collection only. Keep judgment and synthesis in your own context; delegate hard thinking to `task`, `plan`, or `oracle`.
 </rules>
 
@@ -51,9 +59,10 @@ Test: can task B run correctly without seeing A's output? If no, sequence A →
 Sequential when one task produces a contract (types, API, schema, core module) the other consumes.
 Parallel when tasks touch disjoint files or are independent refactors/tests.
 {{/if}}
+{{#if ircEnabled}}Sequenced follow-ups SHOULD message the agent that produced the prerequisite — it already holds the context.{{/if}}
 </parallelization>
 
-{{#if contextEnabled}}
+{{#if batchEnabled}}
 <context-fmt>
 # Goal         ← one sentence: what the batch accomplishes
 # Constraints  ← MUST/NEVER rules and session decisions

package/src/registry/agent-lifecycle.ts

@@ -0,0 +1,218 @@
+/**
+ * AgentLifecycleManager - Owns the idle → parked → revived lifecycle of
+ * adopted subagents.
+ *
+ * The task executor hands a finished agent over via {@link AgentLifecycleManager.adopt};
+ * from then on the manager arms a TTL timer whenever the agent goes `idle`,
+ * parks it on expiry (disposes the live session, keeps the AgentRef +
+ * sessionFile), and revives it on demand through
+ * {@link AgentLifecycleManager.ensureLive}. Only this manager flips
+ * `parked` ↔ `idle`.
+ */
+
+import { logger } from "@oh-my-pi/pi-utils";
+import type { AgentSession } from "../session/agent-session";
+import { AgentRegistry, MAIN_AGENT_ID, type RegistryEvent } from "./agent-registry";
+
+export type AgentReviver = () => Promise<AgentSession>;
+
+export interface AdoptOptions {
+	/** TTL before an idle agent is parked. <= 0 disables parking. */
+	idleTtlMs: number;
+	/** Recreates a live AgentSession from the ref's sessionFile. Absent => not resumable after park (e.g. isolated runs). */
+	revive?: AgentReviver;
+}
+
+interface AdoptedAgent {
+	idleTtlMs: number;
+	revive?: AgentReviver;
+	timer?: NodeJS.Timeout;
+}
+
+export class AgentLifecycleManager {
+	static #global: AgentLifecycleManager | undefined;
+
+	static global(): AgentLifecycleManager {
+		if (!AgentLifecycleManager.#global) {
+			AgentLifecycleManager.#global = new AgentLifecycleManager();
+		}
+		return AgentLifecycleManager.#global;
+	}
+
+	/** Reset the global manager. Test-only. */
+	static resetGlobalForTests(): void {
+		const current = AgentLifecycleManager.#global;
+		if (current) {
+			current.#unsubscribe?.();
+			current.#unsubscribe = undefined;
+			for (const adopted of current.#adopted.values()) {
+				clearTimeout(adopted.timer);
+			}
+			current.#adopted.clear();
+			current.#revivals.clear();
+			current.#parking.clear();
+		}
+		AgentLifecycleManager.#global = undefined;
+	}
+
+	readonly #registry: AgentRegistry;
+	readonly #adopted = new Map<string, AdoptedAgent>();
+	/** Ids whose session is being disposed by {@link park} right now. */
+	readonly #parking = new Set<string>();
+	/** In-flight revives, so concurrent {@link ensureLive} calls coalesce. */
+	readonly #revivals = new Map<string, Promise<AgentSession>>();
+	#unsubscribe: (() => void) | undefined;
+
+	constructor(registry: AgentRegistry = AgentRegistry.global()) {
+		this.#registry = registry;
+		this.#unsubscribe = registry.onChange(event => this.#onRegistryEvent(event));
+	}
+
+	/**
+	 * Take ownership of a finished subagent. Caller has already set registry
+	 * status to "idle". Arms the TTL timer (idleTtlMs <= 0 adopts without one).
+	 */
+	adopt(id: string, opts: AdoptOptions): void {
+		if (id === MAIN_AGENT_ID) return;
+		if (!this.#registry.get(id)) {
+			logger.warn("AgentLifecycleManager.adopt: unknown agent id", { id });
+			return;
+		}
+		const existing = this.#adopted.get(id);
+		clearTimeout(existing?.timer);
+		const adopted: AdoptedAgent = { idleTtlMs: opts.idleTtlMs, revive: opts.revive };
+		this.#adopted.set(id, adopted);
+		this.#armTimer(id, adopted);
+	}
+
+	/** True if the id is adopted (parked or live). */
+	has(id: string): boolean {
+		return this.#adopted.has(id);
+	}
+
+	/** True while {@link park} is disposing this agent's session (lets dispose hooks distinguish park from teardown). */
+	isParking(id: string): boolean {
+		return this.#parking.has(id);
+	}
+
+	/**
+	 * Dispose the live session, detach it from the registry, and mark the
+	 * agent `parked`. No-op unless the id is adopted and live.
+	 */
+	async park(id: string): Promise<void> {
+		const adopted = this.#adopted.get(id);
+		if (!adopted) return;
+		const ref = this.#registry.get(id);
+		if (!ref?.session) return;
+		if (adopted.timer) {
+			clearTimeout(adopted.timer);
+			adopted.timer = undefined;
+		}
+		this.#parking.add(id);
+		try {
+			try {
+				await ref.session.dispose();
+			} catch (error) {
+				logger.warn("AgentLifecycleManager.park: session dispose failed", { id, error: String(error) });
+			}
+			this.#registry.detachSession(id);
+			this.#registry.setStatus(id, "parked");
+		} finally {
+			this.#parking.delete(id);
+		}
+	}
+
+	/**
+	 * Return the live session, reviving from the sessionFile if parked.
+	 * Throws a plain Error if the id is unknown or parked without a reviver.
+	 * Concurrent calls share one in-flight revive.
+	 */
+	async ensureLive(id: string): Promise<AgentSession> {
+		const ref = this.#registry.get(id);
+		if (!ref) {
+			throw new Error(
+				`Unknown agent "${id}" — it was never registered or has been released. If a transcript exists, read history://${id}.`,
+			);
+		}
+		if (ref.session) return ref.session;
+		const inflight = this.#revivals.get(id);
+		if (inflight) return inflight;
+		const adopted = this.#adopted.get(id);
+		if (ref.status !== "parked" || !adopted?.revive) {
+			throw new Error(
+				`Agent "${id}" is ${ref.status} and cannot be revived${adopted?.revive ? "" : " (no reviver registered)"}. Its transcript remains readable at history://${id}.`,
+			);
+		}
+		const revival = this.#revive(id, adopted.revive, ref.sessionFile);
+		this.#revivals.set(id, revival);
+		try {
+			return await revival;
+		} finally {
+			this.#revivals.delete(id);
+		}
+	}
+
+	/** Hard removal: dispose if live, unregister from registry, drop timers. */
+	async release(id: string): Promise<void> {
+		const adopted = this.#adopted.get(id);
+		clearTimeout(adopted?.timer);
+		this.#adopted.delete(id);
+		const ref = this.#registry.get(id);
+		if (ref?.session) {
+			try {
+				await ref.session.dispose();
+			} catch (error) {
+				logger.warn("AgentLifecycleManager.release: session dispose failed", { id, error: String(error) });
+			}
+		}
+		this.#registry.unregister(id);
+	}
+
+	/** Teardown everything (process exit / main session dispose). */
+	async dispose(): Promise<void> {
+		this.#unsubscribe?.();
+		this.#unsubscribe = undefined;
+		const ids = [...this.#adopted.keys()];
+		await Promise.all(ids.map(id => this.release(id)));
+		this.#revivals.clear();
+		this.#parking.clear();
+	}
+
+	async #revive(id: string, revive: AgentReviver, sessionFile: string | null): Promise<AgentSession> {
+		const session = await revive();
+		this.#registry.attachSession(id, session, sessionFile);
+		// Emits status_changed → "idle", which re-arms the TTL timer below.
+		this.#registry.setStatus(id, "idle");
+		return session;
+	}
+
+	#armTimer(id: string, adopted: AdoptedAgent): void {
+		if (adopted.idleTtlMs <= 0) return;
+		clearTimeout(adopted.timer);
+		const timer = setTimeout(() => {
+			adopted.timer = undefined;
+			void this.park(id);
+		}, adopted.idleTtlMs);
+		timer.unref?.();
+		adopted.timer = timer;
+	}
+
+	#onRegistryEvent(event: RegistryEvent): void {
+		const adopted = this.#adopted.get(event.ref.id);
+		if (!adopted) return;
+		if (event.type === "removed") {
+			clearTimeout(adopted.timer);
+			this.#adopted.delete(event.ref.id);
+			return;
+		}
+		if (event.type !== "status_changed") return;
+		if (event.ref.status === "running") {
+			if (adopted.timer) {
+				clearTimeout(adopted.timer);
+				adopted.timer = undefined;
+			}
+		} else if (event.ref.status === "idle") {
+			this.#armTimer(event.ref.id, adopted);
+		}
+	}
+}

package/src/registry/agent-registry.ts

@@ -1,16 +1,26 @@
 /**
- * AgentRegistry - Process-global registry of live AgentSession instances.
+ * AgentRegistry - Process-global registry of agents (the main session plus
+ * every subagent), keyed by stable id.
  *
- * Tracks every alive agent (the main session plus every subagent) so the
- * `irc` tool can address peers by id. Sessions are registered explicitly at
- * creation and removed when the owner releases them.
+ * Tracks each agent's status and (when live) its AgentSession so peers can be
+ * addressed by id (`irc`, `task resume`, `history://`). Sessions are
+ * registered explicitly at creation; finished agents stay registered as
+ * `idle` (live) or `parked` (session disposed, ref + sessionFile retained for
+ * revival) and are only removed on explicit release/teardown.
  */
 
 import type { AgentSession } from "../session/agent-session";
 
 export const MAIN_AGENT_ID = "Main";
 
-export type AgentStatus = "running" | "idle" | "completed" | "aborted";
+/**
+ * - `running`: a turn is in flight.
+ * - `idle`: live AgentSession in memory, awaiting work. Finished agents are
+ *   `idle`, not removed.
+ * - `parked`: session disposed; AgentRef + sessionFile retained, revivable.
+ * - `aborted`: hard-killed, terminal.
+ */
+export type AgentStatus = "running" | "idle" | "parked" | "aborted";
 export type AgentKind = "main" | "sub";
 
 export interface AgentRef {
@@ -19,6 +29,7 @@ export interface AgentRef {
 	kind: AgentKind;
 	parentId?: string;
 	status: AgentStatus;
+	/** Null exactly when parked/aborted. */
 	session: AgentSession | null;
 	sessionFile: string | null;
 	createdAt: number;

package/src/sdk.ts

@@ -34,7 +34,7 @@ import {
 	Snowflake,
 } from "@oh-my-pi/pi-utils";
 import chalk from "chalk";
-import { type AsyncJob, AsyncJobManager, isBackgroundJobSupportEnabled } from "./async";
+import { type AsyncJob, AsyncJobManager } from "./async";
 import { loadCapability } from "./capability";
 import { type Rule, ruleCapability, setActiveRules } from "./capability/rule";
 import { bucketRules } from "./capability/rule-buckets";
@@ -89,16 +89,18 @@ import type { HindsightSessionState } from "./hindsight/state";
 import { LocalProtocolHandler, type LocalProtocolOptions } from "./internal-urls";
 import { LSP_STARTUP_EVENT_CHANNEL, type LspStartupEvent } from "./lsp/startup-events";
 import { discoverAndLoadMCPTools, MCPManager, type MCPToolsLoadResult } from "./mcp";
-import { resolveMemoryBackend } from "./memory-backend";
+import { createSessionMemoryRuntimeContext, resolveMemoryBackend } from "./memory-backend";
 import type { MnemopiSessionState } from "./mnemopi/state";
 import asyncResultTemplate from "./prompts/tools/async-result.md" with { type: "text" };
 import lateDiagnosticTemplate from "./prompts/tools/lsp-late-diagnostic.md" with { type: "text" };
+import { AgentLifecycleManager } from "./registry/agent-lifecycle";
 import { AgentRegistry, MAIN_AGENT_ID } from "./registry/agent-registry";
 import {
 	collectEnvSecrets,
 	deobfuscateSessionContext,
 	loadSecrets,
 	obfuscateMessages,
+	obfuscateProviderContext,
 	SecretObfuscator,
 } from "./secrets";
 import { AgentSession } from "./session/agent-session";
@@ -134,6 +136,7 @@ import {
 	parseThinkingLevel,
 	resolveProvisionalAutoLevel,
 	resolveThinkingLevelForModel,
+	shouldDisableReasoning,
 	toReasoningEffort,
 } from "./thinking";
 import { countToolsForAutoDiscovery, resolveEffectiveToolDiscoveryMode } from "./tool-discovery/mode";
@@ -1291,7 +1294,6 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 	let hasSession = false;
 	let hasRegistered = false;
 	const enableLsp = options.enableLsp ?? true;
-	const backgroundJobsEnabled = isBackgroundJobSupportEnabled(settings);
 	const asyncMaxJobs = Math.min(100, Math.max(1, settings.get("async.maxJobs") ?? 100));
 	const ASYNC_INLINE_RESULT_MAX_CHARS = 12_000;
 	const ASYNC_PREVIEW_MAX_CHARS = 4_000;
@@ -1324,7 +1326,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 	// (issue #1923). The `instance()` guard means later sessions also skip
 	// constructing an orphaned manager that nothing would ever route to.
 	const asyncJobManager =
-		backgroundJobsEnabled && !options.parentTaskPrefix && !AsyncJobManager.instance()
+		!options.parentTaskPrefix && !AsyncJobManager.instance()
 			? new AsyncJobManager({
 					maxRunningJobs: asyncMaxJobs,
 					onJobComplete: async (jobId, result, job) => {
@@ -1349,6 +1351,17 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 	const resolvedAgentId = options.agentId ?? options.parentTaskPrefix ?? MAIN_AGENT_ID;
 	const resolvedAgentDisplayName =
 		options.agentDisplayName ?? ((options.taskDepth ?? 0) > 0 || options.parentTaskPrefix ? "sub" : "main");
+	const agentKind = (options.taskDepth ?? 0) > 0 || options.parentTaskPrefix ? ("sub" as const) : ("main" as const);
+	/**
+	 * Forget the agent ref on teardown — unless the agent is being parked (or is
+	 * already parked). Parking disposes the session but keeps the ref addressable
+	 * (history://, revive); only process teardown / explicit kill unregisters.
+	 */
+	const unregisterUnlessParked = (): void => {
+		if (agentRegistry.get(resolvedAgentId)?.status === "parked") return;
+		if (AgentLifecycleManager.global().isParking(resolvedAgentId)) return;
+		agentRegistry.unregister(resolvedAgentId);
+	};
 	const evalKernelOwnerId = `agent-session:${Snowflake.next()}`;
 
 	try {
@@ -1407,7 +1420,6 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			getTurnBudget: () => sessionManager.getTurnBudget(),
 			recordEvalSubagentUsage: output => sessionManager.recordEvalSubagentOutput(output),
 			getClientBridge: () => session?.clientBridge,
-			getCompactContext: () => session.formatCompactContext(),
 			queueDeferredDiagnostics: entry => session?.yieldQueue.enqueue(LSP_LATE_DIAGNOSTIC_MESSAGE_TYPE, entry),
 			bumpFileMutationVersion: path => {
 				const next = (fileMutationVersions.get(path) ?? 0) + 1;
@@ -1791,6 +1803,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			cwd,
 			sessionManager,
 			modelRegistry,
+			() => (hasSession ? createSessionMemoryRuntimeContext(session, agentDir, cwd) : undefined),
 		);
 
 		credentialDisabledTarget = extensionRunner;
@@ -2080,7 +2093,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 		agentRegistry.register({
 			id: resolvedAgentId,
 			displayName: resolvedAgentDisplayName,
-			kind: (options.taskDepth ?? 0) > 0 || options.parentTaskPrefix ? "sub" : "main",
+			kind: agentKind,
 			parentId: options.parentTaskPrefix,
 			session: null,
 			sessionFile: sessionManager.getSessionFile() ?? null,
@@ -2138,6 +2151,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			if (!obfuscator?.hasSecrets()) return converted;
 			return obfuscateMessages(obfuscator, converted);
 		};
+
 		const transformContext = async (messages: AgentMessage[], _signal?: AbortSignal) => {
 			const withContext = await extensionRunner.emitContext(messages);
 			return wrapSteeringForModel(withContext);
@@ -2173,6 +2187,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 				systemPrompt,
 				model,
 				thinkingLevel: toReasoningEffort(effectiveThinkingLevel),
+				disableReasoning: shouldDisableReasoning(effectiveThinkingLevel),
 				tools: initialTools,
 			},
 			convertToLlm: convertToLlmFinal,
@@ -2181,6 +2196,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			sessionId: providerSessionId,
 			promptCacheKey: options.providerPromptCacheKey,
 			transformContext,
+			transformProviderContext: obfuscator ? context => obfuscateProviderContext(obfuscator, context) : undefined,
 			steeringMode: settings.get("steeringMode") ?? "one-at-a-time",
 			followUpMode: settings.get("followUpMode") ?? "one-at-a-time",
 			interruptMode: settings.get("interruptMode") ?? "immediate",
@@ -2267,6 +2283,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			thinkingLevel: autoThinking ? AUTO_THINKING : effectiveThinkingLevel,
 			sessionManager,
 			settings,
+			autoApprove: options.autoApprove,
 			evalKernelOwnerId,
 			// Defined only for top-level sessions (creation is gated above).
 			// AgentSession uses this to decide whether it may dispose the global
@@ -2313,7 +2330,6 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			ttsrManager,
 			obfuscator,
 			agentId: resolvedAgentId,
-			agentRegistry,
 			providerSessionId: options.providerSessionId,
 			parentEvalSessionId: options.parentEvalSessionId,
 		});
@@ -2334,15 +2350,26 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 
 		// Attach the live session to the pre-registered ref so peers can route IRC
 		// messages here. Refresh sessionFile in case it was unavailable at pre-register
-		// time. The dispose wrapper below unregisters on teardown.
+		// time. The dispose wrapper below unregisters on teardown (unless parked).
 		agentRegistry.attachSession(resolvedAgentId, session, sessionManager.getSessionFile() ?? null);
 		{
 			const originalDispose = session.dispose.bind(session);
 			session.dispose = async () => {
 				try {
+					// Reject new session work (Python/eval starts) the moment disposal
+					// begins — the lifecycle await below opens an async gap before
+					// AgentSession.dispose() would otherwise set its guards.
+					session.beginDispose();
+					if (agentKind === "main") {
+						// Top-level teardown owns the global agent lifecycle: park timers,
+						// adopted subagent sessions, revivers. Tear it down while shared
+						// resources (kernels, MCP, LSP) are still live. Subagent disposal
+						// must NOT touch the global lifecycle.
+						await AgentLifecycleManager.global().dispose();
+					}
 					await originalDispose();
 				} finally {
-					agentRegistry.unregister(resolvedAgentId);
+					unregisterUnlessParked();
 					unsubscribeCredentialDisabled?.();
 				}
 			};
@@ -2495,7 +2522,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			if (hasSession) {
 				await session.dispose();
 			} else {
-				if (hasRegistered) agentRegistry.unregister(resolvedAgentId);
+				if (hasRegistered) unregisterUnlessParked();
 				if (asyncJobManager) {
 					if (AsyncJobManager.instance() === asyncJobManager) {
 						AsyncJobManager.setInstance(undefined);

package/src/secrets/index.ts

@@ -4,7 +4,14 @@ import { YAML } from "bun";
 import type { SecretEntry } from "./obfuscator";
 import { compileSecretRegex } from "./regex";
 
-export { deobfuscateSessionContext, obfuscateMessages, type SecretEntry, SecretObfuscator } from "./obfuscator";
+export {
+	deobfuscateSessionContext,
+	obfuscateMessages,
+	obfuscateProviderContext,
+	obfuscateProviderTools,
+	type SecretEntry,
+	SecretObfuscator,
+} from "./obfuscator";
 
 /**
  * Load secrets from project-local and global secrets.yml files.

package/src/secrets/obfuscator.ts

@@ -1,4 +1,5 @@
-import type { Message, TextContent } from "@oh-my-pi/pi-ai";
+import type { Context, Message, Tool } from "@oh-my-pi/pi-ai";
+import { toolWireSchema } from "@oh-my-pi/pi-ai/utils/schema";
 import type { SessionContext } from "../session/session-manager";
 import { compileSecretRegex } from "./regex";
 
@@ -184,6 +185,12 @@ export class SecretObfuscator {
 		return deepWalkStrings(obj, s => this.deobfuscate(s));
 	}
 
+	/** Deep-walk an object, obfuscating all string values. */
+	obfuscateObject<T>(obj: T): T {
+		if (!this.#hasAny) return obj;
+		return deepWalkStrings(obj, s => this.obfuscate(s));
+	}
+
 	/** Find the obfuscate index for a known secret value. */
 	#findObfuscateIndex(secret: string): number | undefined {
 		// Check plain mappings first
@@ -211,25 +218,34 @@ export function deobfuscateSessionContext(
 // Message obfuscation (outbound to LLM)
 // ═══════════════════════════════════════════════════════════════════════════
 
-/** Obfuscate all text content in LLM messages (for outbound interception). */
+/** Obfuscate all string content in LLM messages (for outbound interception). */
 export function obfuscateMessages(obfuscator: SecretObfuscator, messages: Message[]): Message[] {
-	return messages.map(msg => {
-		if (!Array.isArray(msg.content)) return msg;
+	return obfuscator.obfuscateObject(messages);
+}
 
-		let changed = false;
-		const content = msg.content.map(block => {
-			if (block.type === "text") {
-				const obfuscated = obfuscator.obfuscate(block.text);
-				if (obfuscated !== block.text) {
-					changed = true;
-					return { ...block, text: obfuscated } as TextContent;
-				}
-			}
-			return block;
-		});
+/** Obfuscate provider request context without walking live tool schema instances. */
+export function obfuscateProviderContext(obfuscator: SecretObfuscator | undefined, context: Context): Context {
+	if (!obfuscator?.hasSecrets()) return context;
+	return {
+		...context,
+		systemPrompt: obfuscator.obfuscateObject(context.systemPrompt),
+		messages: obfuscator.obfuscateObject(context.messages),
+		tools: obfuscateProviderTools(obfuscator, context.tools),
+	};
+}
 
-		return changed ? ({ ...msg, content } as typeof msg) : msg;
-	});
+/** Convert tool schemas to wire JSON Schema before obfuscating provider-visible strings. */
+export function obfuscateProviderTools(
+	obfuscator: SecretObfuscator | undefined,
+	tools: Tool[] | undefined,
+): Tool[] | undefined {
+	if (!tools || !obfuscator?.hasSecrets()) return tools;
+	return tools.map(tool => ({
+		...tool,
+		description: obfuscator.obfuscate(tool.description),
+		parameters: obfuscator.obfuscateObject(toolWireSchema(tool)),
+		customFormat: tool.customFormat ? obfuscator.obfuscateObject(tool.customFormat) : undefined,
+	}));
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
@@ -262,7 +278,7 @@ function deepWalkStrings<T>(obj: T, transform: (s: string) => string): T {
 		});
 		return (changed ? result : obj) as unknown as T;
 	}
-	if (obj !== null && typeof obj === "object") {
+	if (obj !== null && typeof obj === "object" && isPlainRecord(obj)) {
 		let changed = false;
 		const result: Record<string, unknown> = {};
 		for (const key of Object.keys(obj)) {
@@ -275,3 +291,8 @@ function deepWalkStrings<T>(obj: T, transform: (s: string) => string): T {
 	}
 	return obj;
 }
+
+function isPlainRecord(obj: object): obj is Record<string, unknown> {
+	const prototype = Object.getPrototypeOf(obj);
+	return prototype === Object.prototype || prototype === null;
+}