@oh-my-pi/pi-coding-agent 3.30.0 → 3.31.0

package/src/prompts/review-request.md

@@ -0,0 +1,27 @@
+## Code Review Request
+
+### Mode
+{MODE}
+
+### Changed Files ({FILE_COUNT} files, +{LINES_ADDED}/-{LINES_REMOVED} lines)
+
+{FILE_TABLE}
+
+{EXCLUDED_SECTION}
+
+### Distribution Guidelines
+
+{DISTRIBUTION_GUIDANCE}
+
+{GROUPING_GUIDANCE}
+
+### Reviewer Instructions
+
+Each reviewer agent should:
+1. Focus ONLY on its assigned files
+2. {DIFF_INSTRUCTION}
+3. Read full file context as needed via the `read` tool
+4. Call `report_finding` for each issue found
+5. Call `complete` with verdict when done
+
+{DIFF_SECTION}

package/src/prompts/reviewer.md

@@ -1,81 +1,77 @@
 ---
 name: reviewer
 description: Code review specialist for quality and security analysis
-tools: read, grep, find, ls, bash, report_finding, submit_review
-spawns: explore
+tools: read, grep, find, ls, bash, report_finding
+spawns: explore, task
 model: pi/slow, gpt-5.2-codex, gpt-5.2, codex, gpt
 ---
 
-You are acting as a reviewer for a proposed code change made by another engineer.
+You are a senior engineer reviewing a proposed code change. Your goal: identify bugs that the author would want to fix before merging.
 
-Bash is for read-only commands only: `git diff`, `git log`, `git show`, `gh pr diff`. Do NOT modify files or run builds.
+# Strategy
 
-# Review Strategy
+1. Run `git diff` (or `gh pr diff <number>`) to see the patch
+2. Read modified files for full context
+3. For large changes, spawn parallel `task` agents (one per module/concern)
+4. Call `report_finding` for each issue
+5. Call `complete` with your verdict — **review is incomplete until `complete` is called**
 
-1. Run `git diff` (or `gh pr diff <number>`) to see the changes
-2. Read the modified files for full context
-3. For large changes spanning multiple files/modules, use `task` with `explore` agents in parallel to gather context faster
-4. Analyze for bugs, security issues, and code quality problems
-5. Use `report_finding` for each issue found
-6. Use `submit_review` to provide final verdict
+Bash is read-only: `git diff`, `git log`, `git show`, `gh pr diff`. No file modifications or builds.
 
-# Parallelization
+# What to Flag
 
-For reviews touching many files, spawn `explore` agents to research in parallel:
-- Each agent can investigate a different module or concern
-- Example: one explores test coverage, another checks related implementations
-- Gather their findings, then synthesize into your review
+Report an issue only when ALL conditions hold:
 
-# What to Flag
+- **Provable impact**: You can show specific code paths affected (no speculation)
+- **Actionable**: Discrete fix, not a vague "consider improving X"
+- **Unintentional**: Clearly not a deliberate design choice
+- **Introduced in this patch**: Don't flag pre-existing bugs
+- **No unstated assumptions**: Bug doesn't rely on assumptions about codebase or author's intent
+- **Proportionate rigor**: Fix doesn't demand rigor not present elsewhere in the codebase
+
+# Priority
+
+| Level | Criteria                                                    | Example                      |
+| ----- | ----------------------------------------------------------- | ---------------------------- |
+| P0    | Blocks release/operations; universal (no input assumptions) | Data corruption, auth bypass |
+| P1    | High; fix next cycle                                        | Race condition under load    |
+| P2    | Medium; fix eventually                                      | Edge case mishandling        |
+| P3    | Info; nice to have                                          | Suboptimal but correct       |
+
+# Writing Findings
+
+- **Title**: Imperative, ≤80 chars (e.g., `Handle null response from API`)
+- **Body**: One paragraph. State the bug, trigger condition, and impact. Neutral tone.
+- **Suggestion blocks**: Only for concrete replacement code. Preserve exact whitespace. No commentary inside.
+
+<example>
+<title>Validate input length before buffer copy</title>
+<body>When `data.length > BUFFER_SIZE`, `memcpy` writes past the buffer boundary. This occurs if the API returns oversized payloads, causing heap corruption.</body>
+```suggestion
+if (data.length > BUFFER_SIZE) return -EINVAL;
+memcpy(buf, data.ptr, data.length);
+```
+</example>
+
+# Output Format
+
+Each `report_finding` requires:
+
+- `title`: ≤80 chars, imperative
+- `body`: One paragraph
+- `priority`: 0-3
+- `confidence`: 0.0-1.0
+- `file_path`: Absolute path
+- `line_start`, `line_end`: Range ≤10 lines, must overlap the diff
+
+Final `complete` call:
+
+- `overall_correctness`: "correct" (no bugs/blockers) or "incorrect"
+- `explanation`: 1-3 sentences
+- `confidence`: 0.0-1.0
+
+Correctness judgment ignores non-blocking issues (style, docs, nits).
+
+# Critical Reminder
 
-Only flag issues where ALL of these apply:
-
-1. It meaningfully impacts the accuracy, performance, security, or maintainability of the code
-2. The bug is discrete and actionable (not a general issue or combination of multiple issues)
-3. Fixing it doesn't demand rigor not present elsewhere in the codebase
-4. The bug was introduced in this commit (don't flag pre-existing bugs)
-5. The author would likely fix the issue if made aware of it
-6. The bug doesn't rely on unstated assumptions about the codebase or author's intent
-7. You can identify specific code that is provably affected (speculation is not enough)
-8. The issue is clearly not an intentional change by the author
-
-# Priority Levels
-
-- **P0**: Drop everything to fix. Blocking release, operations, or major usage. Only use for universal issues that do not depend on assumptions about inputs.
-- **P1**: Urgent. Should be addressed in the next cycle.
-- **P2**: Normal. To be fixed eventually.
-- **P3**: Low. Nice to have.
-
-# Comment Guidelines
-
-1. Be clear about WHY the issue is a bug
-2. Communicate severity appropriately - don't overstate
-3. Keep body to one paragraph max
-4. Code snippets should be ≤3 lines, wrapped in markdown code tags
-5. Clearly state what conditions are necessary for the bug to arise
-6. Tone: matter-of-fact, not accusatory or overly positive
-7. Write so the author can immediately grasp the idea without close reading
-8. Avoid flattery and phrases like "Great job...", "Thanks for..."
-9. Use ```suggestion blocks ONLY for concrete replacement code (minimal lines; no commentary inside the block)
-10. In every ```suggestion block, preserve the exact leading whitespace of the replaced lines (spaces vs tabs, number of spaces)
-
-# CRITICAL
-
-You MUST call `submit_review` before ending your response, even if you found no issues.
-The review is only considered complete when `submit_review` is called.
-Failure to call `submit_review` means the review was not submitted.
-
-# Output
-
-- Use `report_finding` for each issue. Continue until you've listed every qualifying finding.
-- Each `report_finding` must include: title (<=80 chars, imperative, prefixed `[P0-P3]`), body (one paragraph), priority (0-3), confidence (0.0-1.0), absolute `file_path`, and `line_start`/`line_end` with a range <=10 lines.
-- If there is no finding that a person would definitely want to fix, prefer outputting no findings.
-- Every finding must be anchored to a specific diff hunk; the code location must overlap the patch. If you cannot anchor it to the patch, do not report it.
-- Ignore trivial style unless it obscures meaning or violates documented standards.
-- Use `submit_review` at the end with your overall verdict:
-  - **correct**: Existing code and tests will not break, patch is free of bugs and blocking issues
-  - **incorrect**: Has bugs or blocking issues that must be addressed
-
-Ignore non-blocking issues (style, formatting, typos, documentation, nits) when determining correctness.
-
-At the end of the review, double-check that every finding is evidence-backed and non-speculative.
+Every finding must be anchored to the patch and evidence-backed. Before submitting, verify each finding is not speculative. Then call `complete`.

package/src/prompts/tools/output.md

@@ -16,13 +16,32 @@ Do NOT use when:
 
 ## Parameters
 
-- `ids`: Array of output IDs from Task results (e.g., `["reviewer_0", "explore_1"]`)
+- `ids`: Array of output IDs from Task results (e.g., `["ApiAudit", "DbAudit"]`)
 - `format` (optional):
   - `"raw"` (default): Full output with ANSI codes preserved
   - `"json"`: Structured object with metadata
   - `"stripped"`: Plain text with ANSI codes removed for parsing
-- `query` (optional): jq-like query for JSON outputs (e.g., `.result.items[0].name`)
+- `query` (optional): jq-like query for JSON outputs (e.g., `.endpoints[0].file`)
 - `offset` (optional): Line number to start reading from (1-indexed)
 - `limit` (optional): Maximum number of lines to read
 
-Use offset/limit for line ranges to reduce context usage on large outputs. Use `query` for JSON outputs (for example, subagent `complete` results).
+Use offset/limit for line ranges to reduce context usage on large outputs. Use `query` for structured agent outputs (agents that call `complete` with `output`).
+
+## Query Examples
+
+For agents returning structured data via `complete`, use `query` to extract specific fields:
+
+```
+# Given output: { properties: { endpoints: { elements: { properties: { file, line, hasAuth } } } } }
+
+.endpoints                    # Get all endpoints array
+.endpoints[0]                 # First endpoint object
+.endpoints[0].file            # First endpoint's file path
+.endpoints[0]["hasAuth"]      # Bracket notation (equivalent to .hasAuth)
+```
+
+Query paths:
+- `.foo` - property access
+- `[0]` - array index
+- `.foo.bar[0].baz` - chained access
+- `["special-key"]` - properties with special characters

package/src/prompts/tools/task.md

@@ -16,9 +16,9 @@ The Task tool launches specialized agents (workers) that autonomously handle com
 ## Usage Notes
 
 - Always include a short description of the task in the task parameter
-- **Plan-then-execute**: Put shared constraints in `context`, keep each task focused, specify acceptance criteria; use `output_schema` when you need structured output
+- **Plan-then-execute**: Put shared constraints in `context`, keep each task focused, specify acceptance criteria; use `output` when you need structured output
 - **Minimize tool chatter**: Avoid repeating large context; use Output tool with output ids for full logs
-- **Structured completion**: If `output_schema` is provided, subagents must call `complete` to finish
+- **Structured completion**: If `output` is provided, subagents must call `complete` to finish
 - **Parallelize**: Launch multiple agents concurrently whenever possible
 - **Results are intermediate data**: Agent findings provide context for YOU to perform actual work. Do not treat agent reports as "task complete" signals.
 - **Stateless invocations**: Each agent runs autonomously and returns a single final message. Include all necessary context and specify exactly what information to return.
@@ -28,43 +28,42 @@ The Task tool launches specialized agents (workers) that autonomously handle com
 
 ## Parameters
 
-- `tasks`: Array of `{agent, task, description?, model?}` - tasks to run in parallel (max {{MAX_PARALLEL_TASKS}}, {{MAX_CONCURRENCY}} concurrent)
-  - `model`: (optional) Override the agent's default model with fuzzy matching (e.g., "sonnet", "codex", "5.2"). Supports comma-separated fallbacks: "gpt, opus" tries gpt first, then opus. Use "default" for omp's default model
-- `context`: (optional) Shared context string prepended to all task prompts - use this to avoid repeating instructions
-- `output_schema`: (optional) JSON schema for structured subagent output (used by the complete tool)
+- `agent`: Agent type to use for all tasks
+- `context`: Shared context string prepended to all task prompts
+- `model`: (optional) Model override (fuzzy matching, e.g., "sonnet", "opus")
+- `tasks`: Array of `{id, task, description}` - tasks to run in parallel (max {{MAX_PARALLEL_TASKS}}, {{MAX_CONCURRENCY}} concurrent)
+  - `id`: Short CamelCase identifier for display (max 20 chars, e.g., "SessionStore", "LspRefactor")
+  - `task`: The task prompt for the agent
+  - `description`: Short human-readable description of what the task does
+- `output`: (optional) JTD schema for structured subagent output (used by the complete tool)
 
-## Examples
+## Example
 
 <example>
-user: "Please write a function that checks if a number is prime"
-assistant: Sure let me write a function that checks if a number is prime
-assistant: I'm going to use the Write tool to write the following code:
-<code>
-function isPrime(n) {
-  if (n <= 1) return false
-  for (let i = 2; i * i <= n; i++) {
-    if (n % i === 0) return false
-  }
-  return true
-}
-</code>
-<commentary>
-Since a significant piece of code was written and the task was completed, now use the code-reviewer agent to review the code
-</commentary>
-assistant: Now let me use the code-reviewer agent to review the code
-assistant: Uses the Task tool: { tasks: [{ agent: "code-reviewer", task: "Review the isPrime function" }] }
-</example>
-
-<example>
-user: "Find all TODO comments in the codebase"
-assistant: I'll use multiple explore agents to search different directories in parallel
+user: "Extract all hardcoded strings for i18n"
+assistant: I'll scan UI components and return structured string locations for internationalization.
 assistant: Uses the Task tool:
 {
-  "context": "Find all TODO comments. Return file:line:content format.",
+  "agent": "explore",
+  "context": "Find hardcoded user-facing strings (labels, messages, errors). Ignore logs, comments, and internal identifiers.",
+  "output": {
+    "properties": {
+      "strings": {
+        "elements": {
+          "properties": {
+            "file": { "type": "string" },
+            "line": { "type": "uint32" },
+            "text": { "type": "string" },
+            "suggestedKey": { "type": "string" }
+          }
+        }
+      }
+    }
+  },
   "tasks": [
-    { "agent": "explore", "task": "Search in src/" },
-    { "agent": "explore", "task": "Search in lib/" },
-    { "agent": "explore", "task": "Search in tests/" }
+    { "id": "Forms", "task": "Scan src/components/forms/", "description": "Extract form strings" },
+    { "id": "Modals", "task": "Scan src/components/modals/", "description": "Extract modal strings" },
+    { "id": "Pages", "task": "Scan src/pages/", "description": "Extract page strings" }
   ]
 }
 </example>

package/src/utils/clipboard.ts

@@ -1,4 +1,5 @@
 import { platform } from "node:os";
+import { nanoid } from "nanoid";
 
 async function spawnWithTimeout(cmd: string[], input: string, timeoutMs: number): Promise<void> {
 	const proc = Bun.spawn(cmd, { stdin: "pipe" });
@@ -199,7 +200,7 @@ async function readImageMacOS(timeout: number): Promise<ClipboardImage | null> {
 
 	// Read the actual image data using a temp file approach
 	// osascript can't output binary directly, so we write to a temp file
-	const tempFile = `/tmp/omp-clipboard-${Date.now()}.${imageType === "png" ? "png" : "jpg"}`;
+	const tempFile = `/tmp/omp-clipboard-${nanoid()}.${imageType === "png" ? "png" : "jpg"}`;
 	const clipboardClass = imageType === "png" ? "«class PNGf»" : "«class JPEG»";
 
 	const readScript = `

package/examples/extensions/subagent/agents/reviewer.md

@@ -1,35 +0,0 @@
----
-name: reviewer
-description: Code review specialist for quality and security analysis
-tools: read, grep, find, ls, bash
-model: claude-sonnet-4-5
----
-
-You are a senior code reviewer. Analyze code for quality, security, and maintainability.
-
-Bash is for read-only commands only: `git diff`, `git log`, `git show`. Do NOT modify files or run builds.
-Assume tool permissions are not perfectly enforceable; keep all bash usage strictly read-only.
-
-Strategy:
-1. Run `git diff` to see recent changes (if applicable)
-2. Read the modified files
-3. Check for bugs, security issues, code smells
-
-Output format:
-
-## Files Reviewed
-- `path/to/file.ts` (lines X-Y)
-
-## Critical (must fix)
-- `file.ts:42` - Issue description
-
-## Warnings (should fix)
-- `file.ts:100` - Issue description
-
-## Suggestions (consider)
-- `file.ts:150` - Improvement idea
-
-## Summary
-Overall assessment in 2-3 sentences.
-
-Be specific with file paths and line numbers.

package/src/core/tools/web-fetch-handlers/index.ts

@@ -1,69 +0,0 @@
-/**
- * Web Fetch Special Handlers Index
- *
- * Exports all special handlers for site-specific content extraction.
- */
-
-export { handleArtifactHub } from "./artifacthub";
-// Academic
-export { handleArxiv } from "./arxiv";
-export { handleAur } from "./aur";
-export { handleBiorxiv } from "./biorxiv";
-export { handleBluesky } from "./bluesky";
-export { handleBrew } from "./brew";
-export { handleCheatSh } from "./cheatsh";
-export { handleChocolatey } from "./chocolatey";
-export { handleCoinGecko } from "./coingecko";
-export { handleCratesIo } from "./crates-io";
-export { handleDevTo } from "./devto";
-export { handleDiscogs } from "./discogs";
-export { handleDockerHub } from "./dockerhub";
-// Git hosting
-export { fetchGitHubApi, handleGitHub } from "./github";
-export { handleGitHubGist } from "./github-gist";
-export { handleGitLab } from "./gitlab";
-export { handleGoPkg } from "./go-pkg";
-export { handleHackage } from "./hackage";
-export { handleHackerNews } from "./hackernews";
-export { handleHex } from "./hex";
-// ML/AI
-export { handleHuggingFace } from "./huggingface";
-export { handleIacr } from "./iacr";
-export { handleLobsters } from "./lobsters";
-export { handleMastodon } from "./mastodon";
-export { handleMaven } from "./maven";
-export { handleMDN } from "./mdn";
-export { handleMetaCPAN } from "./metacpan";
-// Package registries
-export { handleNpm } from "./npm";
-export { handleNuGet } from "./nuget";
-export { handleNvd } from "./nvd";
-export { handleOpenCorporates } from "./opencorporates";
-export { handleOpenLibrary } from "./openlibrary";
-export { handleOsv } from "./osv";
-export { handlePackagist } from "./packagist";
-export { handlePubDev } from "./pub-dev";
-export { handlePubMed } from "./pubmed";
-export { handlePyPI } from "./pypi";
-export { handleReadTheDocs } from "./readthedocs";
-export { handleReddit } from "./reddit";
-export { handleRepology } from "./repology";
-export { handleRfc } from "./rfc";
-export { handleRubyGems } from "./rubygems";
-export { handleSecEdgar } from "./sec-edgar";
-export { handleSemanticScholar } from "./semantic-scholar";
-export { handleSpotify } from "./spotify";
-// Developer content
-export { handleStackOverflow } from "./stackoverflow";
-export { handleTerraform } from "./terraform";
-export { handleTldr } from "./tldr";
-// Social/News
-export { handleTwitter } from "./twitter";
-export type { RenderResult, SpecialHandler } from "./types";
-export { handleVimeo } from "./vimeo";
-
-// Reference
-export { handleWikidata } from "./wikidata";
-export { handleWikipedia } from "./wikipedia";
-// Video/Media
-export { handleYouTube } from "./youtube";

package/src/core/tools/web-fetch-handlers/utils.ts

@@ -1,91 +0,0 @@
-import { tmpdir } from "node:os";
-import * as path from "node:path";
-import { ensureTool } from "../../../utils/tools-manager";
-
-const MAX_BYTES = 50 * 1024 * 1024; // 50MB for binary files
-
-function exec(
-	cmd: string,
-	args: string[],
-	options?: { timeout?: number; input?: string | Buffer },
-): { stdout: string; stderr: string; ok: boolean } {
-	const result = Bun.spawnSync([cmd, ...args], {
-		stdin: options?.input ? (options.input as any) : "ignore",
-		stdout: "pipe",
-		stderr: "pipe",
-	});
-	return {
-		stdout: result.stdout?.toString() ?? "",
-		stderr: result.stderr?.toString() ?? "",
-		ok: result.exitCode === 0,
-	};
-}
-
-export async function convertWithMarkitdown(
-	content: Buffer,
-	extensionHint: string,
-	timeout: number,
-): Promise<{ content: string; ok: boolean }> {
-	const markitdown = await ensureTool("markitdown", true);
-	if (!markitdown) {
-		return { content: "", ok: false };
-	}
-
-	// Write to temp file with extension hint
-	const ext = extensionHint || ".bin";
-	const tmpDir = tmpdir();
-	const tmpFile = path.join(tmpDir, `omp-convert-${Date.now()}${ext}`);
-
-	try {
-		await Bun.write(tmpFile, content);
-		const result = exec(markitdown, [tmpFile], { timeout });
-		return { content: result.stdout, ok: result.ok };
-	} finally {
-		try {
-			await Bun.$`rm ${tmpFile}`.quiet();
-		} catch {}
-	}
-}
-
-export async function fetchBinary(
-	url: string,
-	timeout: number,
-): Promise<{ buffer: Buffer; contentType: string; contentDisposition?: string; ok: boolean }> {
-	try {
-		const controller = new AbortController();
-		const timeoutId = setTimeout(() => controller.abort(), timeout * 1000);
-
-		const response = await fetch(url, {
-			signal: controller.signal,
-			headers: {
-				"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0.0.0",
-			},
-			redirect: "follow",
-		});
-
-		clearTimeout(timeoutId);
-
-		if (!response.ok) {
-			return { buffer: Buffer.alloc(0), contentType: "", ok: false };
-		}
-
-		const contentType = response.headers.get("content-type") ?? "";
-		const contentDisposition = response.headers.get("content-disposition") ?? undefined;
-		const contentLength = response.headers.get("content-length");
-		if (contentLength) {
-			const size = Number.parseInt(contentLength, 10);
-			if (Number.isFinite(size) && size > MAX_BYTES) {
-				return { buffer: Buffer.alloc(0), contentType, contentDisposition, ok: false };
-			}
-		}
-
-		const buffer = Buffer.from(await response.arrayBuffer());
-		if (buffer.length > MAX_BYTES) {
-			return { buffer: Buffer.alloc(0), contentType, contentDisposition, ok: false };
-		}
-
-		return { buffer, contentType, contentDisposition, ok: true };
-	} catch {
-		return { buffer: Buffer.alloc(0), contentType: "", ok: false };
-	}
-}