@oh-my-pi/pi-coding-agent 3.25.0 → 3.31.0

package/src/prompts/reviewer.md

@@ -1,81 +1,77 @@
 ---
 name: reviewer
 description: Code review specialist for quality and security analysis
-tools: read, grep, find, ls, bash, report_finding, submit_review
-spawns: explore
+tools: read, grep, find, ls, bash, report_finding
+spawns: explore, task
 model: pi/slow, gpt-5.2-codex, gpt-5.2, codex, gpt
 ---
 
-You are acting as a reviewer for a proposed code change made by another engineer.
+You are a senior engineer reviewing a proposed code change. Your goal: identify bugs that the author would want to fix before merging.
 
-Bash is for read-only commands only: `git diff`, `git log`, `git show`, `gh pr diff`. Do NOT modify files or run builds.
+# Strategy
 
-# Review Strategy
+1. Run `git diff` (or `gh pr diff <number>`) to see the patch
+2. Read modified files for full context
+3. For large changes, spawn parallel `task` agents (one per module/concern)
+4. Call `report_finding` for each issue
+5. Call `complete` with your verdict — **review is incomplete until `complete` is called**
 
-1. Run `git diff` (or `gh pr diff <number>`) to see the changes
-2. Read the modified files for full context
-3. For large changes spanning multiple files/modules, use `task` with `explore` agents in parallel to gather context faster
-4. Analyze for bugs, security issues, and code quality problems
-5. Use `report_finding` for each issue found
-6. Use `submit_review` to provide final verdict
+Bash is read-only: `git diff`, `git log`, `git show`, `gh pr diff`. No file modifications or builds.
 
-# Parallelization
+# What to Flag
 
-For reviews touching many files, spawn `explore` agents to research in parallel:
-- Each agent can investigate a different module or concern
-- Example: one explores test coverage, another checks related implementations
-- Gather their findings, then synthesize into your review
+Report an issue only when ALL conditions hold:
 
-# What to Flag
+- **Provable impact**: You can show specific code paths affected (no speculation)
+- **Actionable**: Discrete fix, not a vague "consider improving X"
+- **Unintentional**: Clearly not a deliberate design choice
+- **Introduced in this patch**: Don't flag pre-existing bugs
+- **No unstated assumptions**: Bug doesn't rely on assumptions about codebase or author's intent
+- **Proportionate rigor**: Fix doesn't demand rigor not present elsewhere in the codebase
+
+# Priority
+
+| Level | Criteria                                                    | Example                      |
+| ----- | ----------------------------------------------------------- | ---------------------------- |
+| P0    | Blocks release/operations; universal (no input assumptions) | Data corruption, auth bypass |
+| P1    | High; fix next cycle                                        | Race condition under load    |
+| P2    | Medium; fix eventually                                      | Edge case mishandling        |
+| P3    | Info; nice to have                                          | Suboptimal but correct       |
+
+# Writing Findings
+
+- **Title**: Imperative, ≤80 chars (e.g., `Handle null response from API`)
+- **Body**: One paragraph. State the bug, trigger condition, and impact. Neutral tone.
+- **Suggestion blocks**: Only for concrete replacement code. Preserve exact whitespace. No commentary inside.
+
+<example>
+<title>Validate input length before buffer copy</title>
+<body>When `data.length > BUFFER_SIZE`, `memcpy` writes past the buffer boundary. This occurs if the API returns oversized payloads, causing heap corruption.</body>
+```suggestion
+if (data.length > BUFFER_SIZE) return -EINVAL;
+memcpy(buf, data.ptr, data.length);
+```
+</example>
+
+# Output Format
+
+Each `report_finding` requires:
+
+- `title`: ≤80 chars, imperative
+- `body`: One paragraph
+- `priority`: 0-3
+- `confidence`: 0.0-1.0
+- `file_path`: Absolute path
+- `line_start`, `line_end`: Range ≤10 lines, must overlap the diff
+
+Final `complete` call:
+
+- `overall_correctness`: "correct" (no bugs/blockers) or "incorrect"
+- `explanation`: 1-3 sentences
+- `confidence`: 0.0-1.0
+
+Correctness judgment ignores non-blocking issues (style, docs, nits).
+
+# Critical Reminder
 
-Only flag issues where ALL of these apply:
-
-1. It meaningfully impacts the accuracy, performance, security, or maintainability of the code
-2. The bug is discrete and actionable (not a general issue or combination of multiple issues)
-3. Fixing it doesn't demand rigor not present elsewhere in the codebase
-4. The bug was introduced in this commit (don't flag pre-existing bugs)
-5. The author would likely fix the issue if made aware of it
-6. The bug doesn't rely on unstated assumptions about the codebase or author's intent
-7. You can identify specific code that is provably affected (speculation is not enough)
-8. The issue is clearly not an intentional change by the author
-
-# Priority Levels
-
-- **P0**: Drop everything to fix. Blocking release, operations, or major usage. Only use for universal issues that do not depend on assumptions about inputs.
-- **P1**: Urgent. Should be addressed in the next cycle.
-- **P2**: Normal. To be fixed eventually.
-- **P3**: Low. Nice to have.
-
-# Comment Guidelines
-
-1. Be clear about WHY the issue is a bug
-2. Communicate severity appropriately - don't overstate
-3. Keep body to one paragraph max
-4. Code snippets should be ≤3 lines, wrapped in markdown code tags
-5. Clearly state what conditions are necessary for the bug to arise
-6. Tone: matter-of-fact, not accusatory or overly positive
-7. Write so the author can immediately grasp the idea without close reading
-8. Avoid flattery and phrases like "Great job...", "Thanks for..."
-9. Use ```suggestion blocks ONLY for concrete replacement code (minimal lines; no commentary inside the block)
-10. In every ```suggestion block, preserve the exact leading whitespace of the replaced lines (spaces vs tabs, number of spaces)
-
-# CRITICAL
-
-You MUST call `submit_review` before ending your response, even if you found no issues.
-The review is only considered complete when `submit_review` is called.
-Failure to call `submit_review` means the review was not submitted.
-
-# Output
-
-- Use `report_finding` for each issue. Continue until you've listed every qualifying finding.
-- Each `report_finding` must include: title (<=80 chars, imperative, prefixed `[P0-P3]`), body (one paragraph), priority (0-3), confidence (0.0-1.0), absolute `file_path`, and `line_start`/`line_end` with a range <=10 lines.
-- If there is no finding that a person would definitely want to fix, prefer outputting no findings.
-- Every finding must be anchored to a specific diff hunk; the code location must overlap the patch. If you cannot anchor it to the patch, do not report it.
-- Ignore trivial style unless it obscures meaning or violates documented standards.
-- Use `submit_review` at the end with your overall verdict:
-  - **correct**: Existing code and tests will not break, patch is free of bugs and blocking issues
-  - **incorrect**: Has bugs or blocking issues that must be addressed
-
-Ignore non-blocking issues (style, formatting, typos, documentation, nits) when determining correctness.
-
-At the end of the review, double-check that every finding is evidence-backed and non-speculative.
+Every finding must be anchored to the patch and evidence-backed. Before submitting, verify each finding is not speculative. Then call `complete`.

package/src/prompts/tools/output.md

@@ -16,13 +16,32 @@ Do NOT use when:
 
 ## Parameters
 
-- `ids`: Array of output IDs from Task results (e.g., `["reviewer_0", "explore_1"]`)
+- `ids`: Array of output IDs from Task results (e.g., `["ApiAudit", "DbAudit"]`)
 - `format` (optional):
   - `"raw"` (default): Full output with ANSI codes preserved
   - `"json"`: Structured object with metadata
   - `"stripped"`: Plain text with ANSI codes removed for parsing
-- `query` (optional): jq-like query for JSON outputs (e.g., `.result.items[0].name`)
+- `query` (optional): jq-like query for JSON outputs (e.g., `.endpoints[0].file`)
 - `offset` (optional): Line number to start reading from (1-indexed)
 - `limit` (optional): Maximum number of lines to read
 
-Use offset/limit for line ranges to reduce context usage on large outputs. Use `query` for JSON outputs (for example, subagent `complete` results).
+Use offset/limit for line ranges to reduce context usage on large outputs. Use `query` for structured agent outputs (agents that call `complete` with `output`).
+
+## Query Examples
+
+For agents returning structured data via `complete`, use `query` to extract specific fields:
+
+```
+# Given output: { properties: { endpoints: { elements: { properties: { file, line, hasAuth } } } } }
+
+.endpoints                    # Get all endpoints array
+.endpoints[0]                 # First endpoint object
+.endpoints[0].file            # First endpoint's file path
+.endpoints[0]["hasAuth"]      # Bracket notation (equivalent to .hasAuth)
+```
+
+Query paths:
+- `.foo` - property access
+- `[0]` - array index
+- `.foo.bar[0].baz` - chained access
+- `["special-key"]` - properties with special characters

package/src/prompts/tools/task.md

@@ -16,9 +16,9 @@ The Task tool launches specialized agents (workers) that autonomously handle com
 ## Usage Notes
 
 - Always include a short description of the task in the task parameter
-- **Plan-then-execute**: Put shared constraints in `context`, keep each task focused, specify acceptance criteria; use `output_schema` when you need structured output
+- **Plan-then-execute**: Put shared constraints in `context`, keep each task focused, specify acceptance criteria; use `output` when you need structured output
 - **Minimize tool chatter**: Avoid repeating large context; use Output tool with output ids for full logs
-- **Structured completion**: If `output_schema` is provided, subagents must call `complete` to finish
+- **Structured completion**: If `output` is provided, subagents must call `complete` to finish
 - **Parallelize**: Launch multiple agents concurrently whenever possible
 - **Results are intermediate data**: Agent findings provide context for YOU to perform actual work. Do not treat agent reports as "task complete" signals.
 - **Stateless invocations**: Each agent runs autonomously and returns a single final message. Include all necessary context and specify exactly what information to return.
@@ -28,43 +28,42 @@ The Task tool launches specialized agents (workers) that autonomously handle com
 
 ## Parameters
 
-- `tasks`: Array of `{agent, task, description?, model?}` - tasks to run in parallel (max {{MAX_PARALLEL_TASKS}}, {{MAX_CONCURRENCY}} concurrent)
-  - `model`: (optional) Override the agent's default model with fuzzy matching (e.g., "sonnet", "codex", "5.2"). Supports comma-separated fallbacks: "gpt, opus" tries gpt first, then opus. Use "default" for omp's default model
-- `context`: (optional) Shared context string prepended to all task prompts - use this to avoid repeating instructions
-- `output_schema`: (optional) JSON schema for structured subagent output (used by the complete tool)
+- `agent`: Agent type to use for all tasks
+- `context`: Shared context string prepended to all task prompts
+- `model`: (optional) Model override (fuzzy matching, e.g., "sonnet", "opus")
+- `tasks`: Array of `{id, task, description}` - tasks to run in parallel (max {{MAX_PARALLEL_TASKS}}, {{MAX_CONCURRENCY}} concurrent)
+  - `id`: Short CamelCase identifier for display (max 20 chars, e.g., "SessionStore", "LspRefactor")
+  - `task`: The task prompt for the agent
+  - `description`: Short human-readable description of what the task does
+- `output`: (optional) JTD schema for structured subagent output (used by the complete tool)
 
-## Examples
+## Example
 
 <example>
-user: "Please write a function that checks if a number is prime"
-assistant: Sure let me write a function that checks if a number is prime
-assistant: I'm going to use the Write tool to write the following code:
-<code>
-function isPrime(n) {
-  if (n <= 1) return false
-  for (let i = 2; i * i <= n; i++) {
-    if (n % i === 0) return false
-  }
-  return true
-}
-</code>
-<commentary>
-Since a significant piece of code was written and the task was completed, now use the code-reviewer agent to review the code
-</commentary>
-assistant: Now let me use the code-reviewer agent to review the code
-assistant: Uses the Task tool: { tasks: [{ agent: "code-reviewer", task: "Review the isPrime function" }] }
-</example>
-
-<example>
-user: "Find all TODO comments in the codebase"
-assistant: I'll use multiple explore agents to search different directories in parallel
+user: "Extract all hardcoded strings for i18n"
+assistant: I'll scan UI components and return structured string locations for internationalization.
 assistant: Uses the Task tool:
 {
-  "context": "Find all TODO comments. Return file:line:content format.",
+  "agent": "explore",
+  "context": "Find hardcoded user-facing strings (labels, messages, errors). Ignore logs, comments, and internal identifiers.",
+  "output": {
+    "properties": {
+      "strings": {
+        "elements": {
+          "properties": {
+            "file": { "type": "string" },
+            "line": { "type": "uint32" },
+            "text": { "type": "string" },
+            "suggestedKey": { "type": "string" }
+          }
+        }
+      }
+    }
+  },
   "tasks": [
-    { "agent": "explore", "task": "Search in src/" },
-    { "agent": "explore", "task": "Search in lib/" },
-    { "agent": "explore", "task": "Search in tests/" }
+    { "id": "Forms", "task": "Scan src/components/forms/", "description": "Extract form strings" },
+    { "id": "Modals", "task": "Scan src/components/modals/", "description": "Extract modal strings" },
+    { "id": "Pages", "task": "Scan src/pages/", "description": "Extract page strings" }
   ]
 }
 </example>

package/src/utils/clipboard.ts

@@ -1,4 +1,5 @@
 import { platform } from "node:os";
+import { nanoid } from "nanoid";
 
 async function spawnWithTimeout(cmd: string[], input: string, timeoutMs: number): Promise<void> {
 	const proc = Bun.spawn(cmd, { stdin: "pipe" });
@@ -199,7 +200,7 @@ async function readImageMacOS(timeout: number): Promise<ClipboardImage | null> {
 
 	// Read the actual image data using a temp file approach
 	// osascript can't output binary directly, so we write to a temp file
-	const tempFile = `/tmp/omp-clipboard-${Date.now()}.${imageType === "png" ? "png" : "jpg"}`;
+	const tempFile = `/tmp/omp-clipboard-${nanoid()}.${imageType === "png" ? "png" : "jpg"}`;
 	const clipboardClass = imageType === "png" ? "«class PNGf»" : "«class JPEG»";
 
 	const readScript = `

package/src/utils/tools-manager.ts

@@ -11,6 +11,7 @@ interface ToolConfig {
 	repo: string; // GitHub repo (e.g., "sharkdp/fd")
 	binaryName: string; // Name of the binary inside the archive
 	tagPrefix: string; // Prefix for tags (e.g., "v" for v1.0.0, "" for 1.0.0)
+	isDirectBinary?: boolean; // If true, asset is a direct binary (not an archive)
 	getAssetName: (version: string, plat: string, architecture: string) => string | null;
 }
 
@@ -93,6 +94,43 @@ const TOOLS: Record<string, ToolConfig> = {
 			return null;
 		},
 	},
+	"yt-dlp": {
+		name: "yt-dlp",
+		repo: "yt-dlp/yt-dlp",
+		binaryName: "yt-dlp",
+		tagPrefix: "",
+		isDirectBinary: true,
+		getAssetName: (_version, plat, architecture) => {
+			if (plat === "darwin") {
+				return "yt-dlp_macos"; // Universal binary
+			} else if (plat === "linux") {
+				return architecture === "arm64" ? "yt-dlp_linux_aarch64" : "yt-dlp_linux";
+			} else if (plat === "win32") {
+				return architecture === "arm64" ? "yt-dlp_arm64.exe" : "yt-dlp.exe";
+			}
+			return null;
+		},
+	},
+};
+
+// Python packages installed via uv/pip
+interface PythonToolConfig {
+	name: string;
+	package: string; // PyPI package name
+	binaryName: string; // CLI command name after install
+}
+
+const PYTHON_TOOLS: Record<string, PythonToolConfig> = {
+	markitdown: {
+		name: "markitdown",
+		package: "markitdown",
+		binaryName: "markitdown",
+	},
+	html2text: {
+		name: "html2text",
+		package: "html2text",
+		binaryName: "html2text",
+	},
 };
 
 // Check if a command exists in PATH
@@ -100,8 +138,16 @@ function commandExists(cmd: string): string | null {
 	return Bun.which(cmd);
 }
 
+export type ToolName = "fd" | "rg" | "sd" | "sg" | "yt-dlp" | "markitdown" | "html2text";
+
 // Get the path to a tool (system-wide or in our tools dir)
-export function getToolPath(tool: "fd" | "rg" | "sd" | "sg"): string | null {
+export function getToolPath(tool: ToolName): string | null {
+	// Check Python tools first
+	const pythonConfig = PYTHON_TOOLS[tool];
+	if (pythonConfig) {
+		return commandExists(pythonConfig.binaryName);
+	}
+
 	const config = TOOLS[tool];
 	if (!config) return null;
 
@@ -156,7 +202,7 @@ async function downloadFile(url: string, dest: string): Promise<void> {
 }
 
 // Download and install a tool
-async function downloadTool(tool: "fd" | "rg" | "sd" | "sg"): Promise<string> {
+async function downloadTool(tool: ToolName): Promise<string> {
 	const config = TOOLS[tool];
 	if (!config) throw new Error(`Unknown tool: ${tool}`);
 
@@ -176,11 +222,20 @@ async function downloadTool(tool: "fd" | "rg" | "sd" | "sg"): Promise<string> {
 	mkdirSync(TOOLS_DIR, { recursive: true });
 
 	const downloadUrl = `https://github.com/${config.repo}/releases/download/${config.tagPrefix}${version}/${assetName}`;
-	const archivePath = join(TOOLS_DIR, assetName);
 	const binaryExt = plat === "win32" ? ".exe" : "";
 	const binaryPath = join(TOOLS_DIR, config.binaryName + binaryExt);
 
-	// Download
+	// Handle direct binary downloads (no archive extraction needed)
+	if (config.isDirectBinary) {
+		await downloadFile(downloadUrl, binaryPath);
+		if (plat !== "win32") {
+			chmodSync(binaryPath, 0o755);
+		}
+		return binaryPath;
+	}
+
+	// Download archive
+	const archivePath = join(TOOLS_DIR, assetName);
 	await downloadFile(downloadUrl, archivePath);
 
 	// Extract
@@ -231,17 +286,64 @@ async function downloadTool(tool: "fd" | "rg" | "sd" | "sg"): Promise<string> {
 	return binaryPath;
 }
 
+// Install a Python package via uv (preferred) or pip
+function installPythonPackage(pkg: string): boolean {
+	// Try uv first (faster, better isolation)
+	const uv = commandExists("uv");
+	if (uv) {
+		const result = Bun.spawnSync([uv, "tool", "install", pkg], {
+			stdin: "ignore",
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+		if (result.exitCode === 0) return true;
+	}
+
+	// Fall back to pip
+	const pip = commandExists("pip3") || commandExists("pip");
+	if (pip) {
+		const result = Bun.spawnSync([pip, "install", "--user", pkg], {
+			stdin: "ignore",
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+		return result.exitCode === 0;
+	}
+
+	return false;
+}
+
 // Ensure a tool is available, downloading if necessary
 // Returns the path to the tool, or null if unavailable
-export async function ensureTool(
-	tool: "fd" | "rg" | "sd" | "sg",
-	silent: boolean = false,
-): Promise<string | undefined> {
+export async function ensureTool(tool: ToolName, silent: boolean = false): Promise<string | undefined> {
 	const existingPath = getToolPath(tool);
 	if (existingPath) {
 		return existingPath;
 	}
 
+	// Handle Python tools
+	const pythonConfig = PYTHON_TOOLS[tool];
+	if (pythonConfig) {
+		if (!silent) {
+			console.log(chalk.dim(`${pythonConfig.name} not found. Installing via uv/pip...`));
+		}
+		const success = installPythonPackage(pythonConfig.package);
+		if (success) {
+			// Re-check for the command after installation
+			const path = commandExists(pythonConfig.binaryName);
+			if (path) {
+				if (!silent) {
+					console.log(chalk.dim(`${pythonConfig.name} installed successfully`));
+				}
+				return path;
+			}
+		}
+		if (!silent) {
+			console.log(chalk.yellow(`Failed to install ${pythonConfig.name}`));
+		}
+		return undefined;
+	}
+
 	const config = TOOLS[tool];
 	if (!config) return undefined;
 

package/examples/extensions/subagent/agents/reviewer.md

@@ -1,35 +0,0 @@
----
-name: reviewer
-description: Code review specialist for quality and security analysis
-tools: read, grep, find, ls, bash
-model: claude-sonnet-4-5
----
-
-You are a senior code reviewer. Analyze code for quality, security, and maintainability.
-
-Bash is for read-only commands only: `git diff`, `git log`, `git show`. Do NOT modify files or run builds.
-Assume tool permissions are not perfectly enforceable; keep all bash usage strictly read-only.
-
-Strategy:
-1. Run `git diff` to see recent changes (if applicable)
-2. Read the modified files
-3. Check for bugs, security issues, code smells
-
-Output format:
-
-## Files Reviewed
-- `path/to/file.ts` (lines X-Y)
-
-## Critical (must fix)
-- `file.ts:42` - Issue description
-
-## Warnings (should fix)
-- `file.ts:100` - Issue description
-
-## Suggestions (consider)
-- `file.ts:150` - Improvement idea
-
-## Summary
-Overall assessment in 2-3 sentences.
-
-Be specific with file paths and line numbers.