@oh-my-pi/pi-coding-agent 4.1.0 → 4.2.0

package/src/core/tools/web-search/auth.ts

@@ -4,19 +4,26 @@
  * 4-tier auth resolution:
  *   1. ANTHROPIC_SEARCH_API_KEY / ANTHROPIC_SEARCH_BASE_URL env vars
  *   2. Provider with api="anthropic-messages" in ~/.omp/agent/models.json
- *   3. OAuth credentials in ~/.omp/agent/auth.json (with expiry check)
+ *   3. OAuth credentials in ~/.omp/agent/agent.db (with expiry check)
  *   4. ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL fallback
  */
 
 import * as os from "node:os";
 import * as path from "node:path";
 import { buildBetaHeader, claudeCodeHeaders, claudeCodeVersion } from "@oh-my-pi/pi-ai";
-import { getConfigDirPaths } from "../../../config";
-import type { AnthropicAuthConfig, AnthropicOAuthCredential, AuthJson, ModelsJson } from "./types";
+import { getAgentDbPath, getConfigDirPaths } from "../../../config";
+import { AgentStorage } from "../../agent-storage";
+import type { AuthCredential, AuthCredentialEntry, AuthStorageData } from "../../auth-storage";
+import { migrateJsonStorage } from "../../storage-migration";
+import type { AnthropicAuthConfig, AnthropicOAuthCredential, ModelsJson } from "./types";
 
 const DEFAULT_BASE_URL = "https://api.anthropic.com";
 
-/** Parse a .env file and return key-value pairs */
+/**
+ * Parses a .env file and extracts key-value pairs.
+ * @param filePath - Path to the .env file
+ * @returns Object containing parsed environment variables
+ */
 async function parseEnvFile(filePath: string): Promise<Record<string, string>> {
 	const result: Record<string, string> = {};
 	try {
@@ -47,7 +54,11 @@ async function parseEnvFile(filePath: string): Promise<Record<string, string>> {
 	return result;
 }
 
-/** Get env var from process.env or .env files */
+/**
+ * Gets an environment variable from process.env or .env files.
+ * @param key - The environment variable name to look up
+ * @returns The value if found, undefined otherwise
+ */
 export async function getEnv(key: string): Promise<string | undefined> {
 	if (process.env[key]) return process.env[key];
 
@@ -60,7 +71,11 @@ export async function getEnv(key: string): Promise<string | undefined> {
 	return undefined;
 }
 
-/** Read JSON file safely */
+/**
+ * Reads and parses a JSON file safely.
+ * @param filePath - Path to the JSON file
+ * @returns Parsed JSON content, or null if file doesn't exist or parsing fails
+ */
 async function readJson<T>(filePath: string): Promise<T | null> {
 	try {
 		const file = Bun.file(filePath);
@@ -72,22 +87,85 @@ async function readJson<T>(filePath: string): Promise<T | null> {
 	}
 }
 
-/** Check if a token is an OAuth token (sk-ant-oat* prefix) */
+/**
+ * Checks if a token is an OAuth token by looking for sk-ant-oat prefix.
+ * @param apiKey - The API key to check
+ * @returns True if the token is an OAuth token
+ */
 export function isOAuthToken(apiKey: string): boolean {
 	return apiKey.includes("sk-ant-oat");
 }
 
-function normalizeAnthropicOAuthCredentials(entry: AuthJson["anthropic"] | undefined): AnthropicOAuthCredential[] {
+/**
+ * Converts a generic AuthCredential to AnthropicOAuthCredential if it's a valid OAuth entry.
+ * @param credential - The credential to convert
+ * @returns The converted OAuth credential, or null if not a valid OAuth type
+ */
+function toAnthropicOAuthCredential(credential: AuthCredential): AnthropicOAuthCredential | null {
+	if (credential.type !== "oauth") return null;
+	if (typeof credential.access !== "string" || typeof credential.expires !== "number") return null;
+	return {
+		type: "oauth",
+		access: credential.access,
+		refresh: credential.refresh,
+		expires: credential.expires,
+	};
+}
+
+function normalizeAuthEntry(entry: AuthCredentialEntry | undefined): AuthCredential[] {
 	if (!entry) return [];
 	return Array.isArray(entry) ? entry : [entry];
 }
 
+async function readLegacyAnthropicOAuthCredentials(configDir: string): Promise<AnthropicOAuthCredential[]> {
+	const authJson = await readJson<AuthStorageData>(path.join(configDir, "auth.json"));
+	if (!authJson) return [];
+	const entry = authJson.anthropic as AuthCredentialEntry | undefined;
+	const credentials = normalizeAuthEntry(entry);
+	const results: AnthropicOAuthCredential[] = [];
+	for (const credential of credentials) {
+		const mapped = toAnthropicOAuthCredential(credential);
+		if (mapped) results.push(mapped);
+	}
+	return results;
+}
+
 /**
- * Find Anthropic auth config using 4-tier priority:
+ * Reads Anthropic OAuth credentials from agent.db, migrating from legacy auth.json if needed.
+ * @param configDir - Path to the config directory containing agent.db
+ * @returns Array of valid Anthropic OAuth credentials
+ */
+async function readAnthropicOAuthCredentials(configDir: string): Promise<AnthropicOAuthCredential[]> {
+	await migrateJsonStorage({
+		agentDir: configDir,
+		settingsPath: path.join(configDir, "settings.json"),
+		authPaths: [path.join(configDir, "auth.json")],
+	});
+
+	const storage = AgentStorage.open(getAgentDbPath(configDir));
+	const records = storage.listAuthCredentials("anthropic");
+	const credentials: AnthropicOAuthCredential[] = [];
+	for (const record of records) {
+		const mapped = toAnthropicOAuthCredential(record.credential);
+		if (mapped) {
+			credentials.push(mapped);
+		}
+	}
+
+	if (credentials.length === 0) {
+		return readLegacyAnthropicOAuthCredentials(configDir);
+	}
+
+	return credentials;
+}
+
+/**
+ * Finds Anthropic auth config using 4-tier priority:
  *   1. ANTHROPIC_SEARCH_API_KEY / ANTHROPIC_SEARCH_BASE_URL
  *   2. Provider with api="anthropic-messages" in models.json
- *   3. OAuth in auth.json (with 5-minute expiry buffer)
+ *   3. OAuth in agent.db (with 5-minute expiry buffer)
  *   4. ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL fallback
+ * @returns The first valid auth configuration found, or null if none available
  */
 export async function findAnthropicAuth(): Promise<AnthropicAuthConfig | null> {
 	// Get all config directories (user-level only) for fallback support
@@ -131,14 +209,13 @@ export async function findAnthropicAuth(): Promise<AnthropicAuthConfig | null> {
 		}
 	}
 
-	// 3. OAuth credentials in auth.json (with 5-minute expiry buffer, check all config dirs)
+	// 3. OAuth credentials in agent.db (with 5-minute expiry buffer, check all config dirs)
 	const expiryBuffer = 5 * 60 * 1000; // 5 minutes
 	const now = Date.now();
 	for (const configDir of configDirs) {
-		const authJson = await readJson<AuthJson>(path.join(configDir, "auth.json"));
-		const credentials = normalizeAnthropicOAuthCredentials(authJson?.anthropic);
+		const credentials = await readAnthropicOAuthCredentials(configDir);
 		for (const credential of credentials) {
-			if (credential.type !== "oauth" || !credential.access) continue;
+			if (!credential.access) continue;
 			if (credential.expires > now + expiryBuffer) {
 				return {
 					apiKey: credential.access,
@@ -163,6 +240,11 @@ export async function findAnthropicAuth(): Promise<AnthropicAuthConfig | null> {
 	return null;
 }
 
+/**
+ * Checks if a base URL points to the official Anthropic API.
+ * @param baseUrl - The base URL to check
+ * @returns True if the URL is for api.anthropic.com over HTTPS
+ */
 function isAnthropicBaseUrl(baseUrl: string): boolean {
 	try {
 		const url = new URL(baseUrl);
@@ -172,7 +254,11 @@ function isAnthropicBaseUrl(baseUrl: string): boolean {
 	}
 }
 
-/** Build headers for Anthropic API request */
+/**
+ * Builds HTTP headers for Anthropic API requests.
+ * @param auth - The authentication configuration
+ * @returns Headers object ready for use in fetch requests
+ */
 export function buildAnthropicHeaders(auth: AnthropicAuthConfig): Record<string, string> {
 	const baseBetas = auth.isOAuth
 		? [
@@ -205,7 +291,11 @@ export function buildAnthropicHeaders(auth: AnthropicAuthConfig): Record<string,
 	return headers;
 }
 
-/** Build API URL (OAuth requires ?beta=true) */
+/**
+ * Builds the full API URL for Anthropic messages endpoint.
+ * @param auth - The authentication configuration
+ * @returns The complete API URL with beta query parameter
+ */
 export function buildAnthropicUrl(auth: AnthropicAuthConfig): string {
 	const base = `${auth.baseUrl}/v1/messages`;
 	return `${base}?beta=true`;

package/src/core/tools/web-search/index.ts

@@ -17,6 +17,7 @@ import { Type } from "@sinclair/typebox";
 import type { Theme } from "../../../modes/interactive/theme/theme";
 import webSearchDescription from "../../../prompts/tools/web-search.md" with { type: "text" };
 import type { CustomTool, CustomToolContext, RenderResultOptions } from "../../custom-tools/types";
+import { renderPromptTemplate } from "../../prompt-templates";
 import { callExaTool, findApiKey as findExaKey, formatSearchResults, isSearchResponse } from "../exa/mcp-client";
 import { renderExaCall, renderExaResult } from "../exa/render";
 import type { ExaRenderDetails } from "../exa/types";
@@ -332,7 +333,7 @@ async function executeWebSearch(
 export const webSearchTool: AgentTool<typeof webSearchSchema> = {
 	name: "web_search",
 	label: "Web Search",
-	description: webSearchDescription,
+	description: renderPromptTemplate(webSearchDescription),
 	parameters: webSearchSchema,
 	execute: async (toolCallId, params) => {
 		return executeWebSearch(toolCallId, params as WebSearchParams);
@@ -343,7 +344,7 @@ export const webSearchTool: AgentTool<typeof webSearchSchema> = {
 export const webSearchCustomTool: CustomTool<typeof webSearchSchema, WebSearchRenderDetails> = {
 	name: "web_search",
 	label: "Web Search",
-	description: webSearchDescription,
+	description: renderPromptTemplate(webSearchDescription),
 	parameters: webSearchSchema,
 
 	async execute(

package/src/core/tools/web-search/providers/anthropic.ts

@@ -22,6 +22,12 @@ const DEFAULT_MAX_TOKENS = 4096;
 const WEB_SEARCH_TOOL_NAME = "web_search";
 const WEB_SEARCH_TOOL_TYPE = "web_search_20250305";
 
+/**
+ * Applies OAuth-specific tool prefix to search tool name.
+ * @param name - The base tool name
+ * @param isOAuth - Whether OAuth authentication is being used
+ * @returns Tool name with prefix if OAuth, otherwise unchanged
+ */
 const applySearchToolPrefix = (name: string, isOAuth: boolean): string => {
 	return isOAuth ? applyClaudeToolPrefix(name) : name;
 };
@@ -33,11 +39,21 @@ export interface AnthropicSearchParams {
 	num_results?: number;
 }
 
-/** Get model from env or use default */
+/**
+ * Gets the model to use for web search from environment or default.
+ * @returns Model identifier string
+ */
 async function getModel(): Promise<string> {
 	return (await getEnv("ANTHROPIC_SEARCH_MODEL")) ?? DEFAULT_MODEL;
 }
 
+/**
+ * Builds system instruction blocks for the Anthropic API request.
+ * @param auth - Authentication configuration
+ * @param model - Model identifier (affects whether Claude Code instruction is included)
+ * @param systemPrompt - Optional custom system prompt
+ * @returns Array of system blocks for the API request
+ */
 function buildSystemBlocks(
 	auth: AnthropicAuthConfig,
 	model: string,
@@ -53,7 +69,16 @@ function buildSystemBlocks(
 	});
 }
 
-/** Call Anthropic API with web search */
+/**
+ * Calls the Anthropic API with web search tool enabled.
+ * @param auth - Authentication configuration (API key or OAuth)
+ * @param model - Model identifier to use
+ * @param query - Search query from the user
+ * @param systemPrompt - Optional custom system prompt
+ * @param maxTokens - Maximum tokens for the response
+ * @returns Raw API response from Anthropic
+ * @throws {WebSearchProviderError} If the API request fails
+ */
 async function callWebSearch(
 	auth: AnthropicAuthConfig,
 	model: string,
@@ -100,7 +125,11 @@ async function callWebSearch(
 	return response.json() as Promise<AnthropicApiResponse>;
 }
 
-/** Parse page_age string into seconds (e.g., "2 days ago", "3h ago", "1 week ago") */
+/**
+ * Parses a human-readable page age string into seconds.
+ * @param pageAge - Age string like "2 days ago", "3h ago", "1 week ago"
+ * @returns Age in seconds, or undefined if parsing fails
+ */
 function parsePageAge(pageAge: string | null | undefined): number | undefined {
 	if (!pageAge) return undefined;
 
@@ -132,7 +161,11 @@ function parsePageAge(pageAge: string | null | undefined): number | undefined {
 	return value * (multipliers[unit] ?? 86400);
 }
 
-/** Parse API response into unified WebSearchResponse */
+/**
+ * Parses the Anthropic API response into a unified WebSearchResponse.
+ * @param response - Raw API response containing content blocks
+ * @returns Normalized response with answer, sources, citations, and usage
+ */
 function parseResponse(response: AnthropicApiResponse): WebSearchResponse {
 	const answerParts: string[] = [];
 	const searchQueries: string[] = [];
@@ -193,12 +226,17 @@ function parseResponse(response: AnthropicApiResponse): WebSearchResponse {
 	};
 }
 
-/** Execute Anthropic web search */
+/**
+ * Executes a web search using Anthropic's Claude with built-in web search tool.
+ * @param params - Search parameters including query and optional settings
+ * @returns Search response with synthesized answer, sources, and citations
+ * @throws {Error} If no Anthropic credentials are configured
+ */
 export async function searchAnthropic(params: AnthropicSearchParams): Promise<WebSearchResponse> {
 	const auth = await findAnthropicAuth();
 	if (!auth) {
 		throw new Error(
-			"No Anthropic credentials found. Set ANTHROPIC_API_KEY or configure OAuth in ~/.omp/agent/auth.json",
+			"No Anthropic credentials found. Set ANTHROPIC_API_KEY or configure OAuth in ~/.omp/agent/agent.db",
 		);
 	}
 

package/src/core/tools/write.ts

@@ -5,6 +5,7 @@ import { Type } from "@sinclair/typebox";
 import { getLanguageFromPath, highlightCode, type Theme } from "../../modes/interactive/theme/theme";
 import writeDescription from "../../prompts/tools/write.md" with { type: "text" };
 import type { RenderResultOptions } from "../custom-tools/types";
+import { renderPromptTemplate } from "../prompt-templates";
 import type { ToolSession } from "../sdk";
 import { untilAborted } from "../utils";
 import { createLspWritethrough, type FileDiagnosticsResult } from "./lsp/index";
@@ -28,7 +29,7 @@ export function createWriteTool(session: ToolSession): AgentTool<typeof writeSch
 	return {
 		name: "write",
 		label: "Write",
-		description: writeDescription,
+		description: renderPromptTemplate(writeDescription),
 		parameters: writeSchema,
 		execute: async (
 			_toolCallId: string,

package/src/core/voice.ts

@@ -7,12 +7,14 @@ import voiceSummaryPrompt from "../prompts/voice-summary.md" with { type: "text"
 import { logger } from "./logger";
 import type { ModelRegistry } from "./model-registry";
 import { findSmolModel } from "./model-resolver";
+import { renderPromptTemplate } from "./prompt-templates";
 import type { VoiceSettings } from "./settings-manager";
 
 const DEFAULT_SAMPLE_RATE = 16000;
 const DEFAULT_CHANNELS = 1;
 const DEFAULT_BITS = 16;
 const SUMMARY_MAX_CHARS = 6000;
+const VOICE_SUMMARY_PROMPT = renderPromptTemplate(voiceSummaryPrompt);
 
 export interface VoiceRecordingHandle {
 	filePath: string;
@@ -286,7 +288,7 @@ export async function summarizeForVoice(
 	const truncated = text.length > SUMMARY_MAX_CHARS ? `${text.slice(0, SUMMARY_MAX_CHARS)}...` : text;
 	const request = {
 		model: `${model.provider}/${model.id}`,
-		systemPrompt: voiceSummaryPrompt,
+		systemPrompt: VOICE_SUMMARY_PROMPT,
 		userMessage: `<assistant_response>\n${truncated}\n</assistant_response>`,
 	};
 	logger.debug("voice: summary request", request);

package/src/main.ts

@@ -76,7 +76,7 @@ async function runInteractiveMode(
 	mode.renderInitialMessages();
 
 	if (migratedProviders.length > 0) {
-		mode.showWarning(`Migrated credentials to auth.json: ${migratedProviders.join(", ")}`);
+		mode.showWarning(`Migrated credentials to agent.db: ${migratedProviders.join(", ")}`);
 	}
 
 	if (modelsJsonError) {

package/src/migrations.ts

@@ -3,9 +3,11 @@
  */
 
 import { existsSync, mkdirSync, readdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
+import { join } from "node:path";
 import chalk from "chalk";
-import { getAgentDir, getBinDir } from "./config";
+import { getAgentDbPath, getAgentDir, getBinDir } from "./config";
+import { AgentStorage } from "./core/agent-storage";
+import type { AuthCredential } from "./core/auth-storage";
 
 /**
  * Migrate PI_* environment variables to OMP_* equivalents.
@@ -29,28 +31,27 @@ export function migrateEnvVars(): string[] {
 }
 
 /**
- * Migrate legacy oauth.json and settings.json apiKeys to auth.json.
+ * Migrate legacy oauth.json and settings.json apiKeys to agent.db.
  *
  * @returns Array of provider names that were migrated
  */
-export function migrateAuthToAuthJson(): string[] {
+export function migrateAuthToAgentDb(): string[] {
 	const agentDir = getAgentDir();
-	const authPath = join(agentDir, "auth.json");
 	const oauthPath = join(agentDir, "oauth.json");
 	const settingsPath = join(agentDir, "settings.json");
+	const storage = AgentStorage.open(getAgentDbPath(agentDir));
 
-	// Skip if auth.json already exists
-	if (existsSync(authPath)) return [];
-
-	const migrated: Record<string, unknown> = {};
+	const migrated: Record<string, AuthCredential[]> = {};
 	const providers: string[] = [];
 
-	// Migrate oauth.json
 	if (existsSync(oauthPath)) {
 		try {
 			const oauth = JSON.parse(readFileSync(oauthPath, "utf-8"));
 			for (const [provider, cred] of Object.entries(oauth)) {
-				migrated[provider] = { type: "oauth", ...(cred as object) };
+				if (storage.listAuthCredentials(provider).length > 0) {
+					continue;
+				}
+				migrated[provider] = [{ type: "oauth", ...(cred as object) } as AuthCredential];
 				providers.push(provider);
 			}
 			renameSync(oauthPath, `${oauthPath}.migrated`);
@@ -59,17 +60,17 @@ export function migrateAuthToAuthJson(): string[] {
 		}
 	}
 
-	// Migrate settings.json apiKeys
 	if (existsSync(settingsPath)) {
 		try {
 			const content = readFileSync(settingsPath, "utf-8");
 			const settings = JSON.parse(content);
 			if (settings.apiKeys && typeof settings.apiKeys === "object") {
 				for (const [provider, key] of Object.entries(settings.apiKeys)) {
-					if (!migrated[provider] && typeof key === "string") {
-						migrated[provider] = { type: "api_key", key };
-						providers.push(provider);
-					}
+					if (typeof key !== "string") continue;
+					if (migrated[provider]) continue;
+					if (storage.listAuthCredentials(provider).length > 0) continue;
+					migrated[provider] = [{ type: "api_key", key }];
+					providers.push(provider);
 				}
 				delete settings.apiKeys;
 				writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
@@ -79,9 +80,8 @@ export function migrateAuthToAuthJson(): string[] {
 		}
 	}
 
-	if (Object.keys(migrated).length > 0) {
-		mkdirSync(dirname(authPath), { recursive: true });
-		writeFileSync(authPath, JSON.stringify(migrated, null, 2), { mode: 0o600 });
+	for (const [provider, credentials] of Object.entries(migrated)) {
+		storage.replaceAuthCredentialsForProvider(provider, credentials);
 	}
 
 	return providers;
@@ -201,7 +201,7 @@ export async function runMigrations(_cwd: string): Promise<{
 	const migratedEnvVars = migrateEnvVars();
 
 	// Then: run data migrations
-	const migratedAuthProviders = migrateAuthToAuthJson();
+	const migratedAuthProviders = migrateAuthToAgentDb();
 	migrateSessionsFromAgentRoot();
 	migrateToolsToBin();