@themoltnet/pi-extension 0.13.5 → 0.14.0

package/dist/index.d.ts

@@ -3,6 +3,7 @@ import { connect } from '@themoltnet/sdk';
 import { EditOperations } from '@earendil-works/pi-coding-agent';
 import { ExtensionAPI } from '@earendil-works/pi-coding-agent';
 import { ReadOperations } from '@earendil-works/pi-coding-agent';
+import { Skill } from '@earendil-works/pi-coding-agent';
 import { Static } from '@sinclair/typebox';
 import { TArray } from '@sinclair/typebox';
 import { TBoolean } from '@sinclair/typebox';
@@ -35,6 +36,31 @@ declare interface ClaimedTask {
     traceHeaders: Record<string, string>;
 }
 
+/**
+ * One context entry. Bytes are inlined: the imposer chose them, and the
+ * task's `inputCid` already pins the entire input — including
+ * `context[]` — so we don't need a separate per-entry hash, fetcher, or
+ * flagged-content gate. Tasks reference rendered packs (or any other
+ * external content) by copying their bytes into `content` at task
+ * creation time.
+ *
+ * - `slug` — short identifier the daemon uses to disambiguate
+ *            entries. For `skill` binding it becomes the directory
+ *            name under the runtime's skill discovery path. Must be
+ *            kebab-case-safe (alphanumeric + dashes/underscores).
+ * - `binding` — how the bytes are delivered to the LLM (see above).
+ * - `content` — the actual bytes (UTF-8 text). Capped at 32 KiB per
+ *               entry; total per-task context bytes are bounded by the
+ *               soft `maxItems` cap and per-binding daemon limits.
+ */
+declare const ContextRef: TObject<    {
+    slug: TString;
+    binding: TUnion<[TLiteral<"skill">, TLiteral<"prompt_prefix">, TLiteral<"user_inline">]>;
+    content: TString;
+}>;
+
+declare type ContextRef = Static<typeof ContextRef>;
+
 export declare function createGondolinBashOps(vm: VM, localCwd: string): BashOperations;
 
 export declare function createGondolinEditOps(vm: VM, localCwd: string): EditOperations;
@@ -91,7 +117,7 @@ export declare interface ExecutePiTaskOptions {
     /** Sandbox overrides (env, VFS shadows, resources). */
     sandboxConfig?: SandboxConfig;
     /**
-     * Forwarded to `buildPromptForTask` for per-type builders. Static
+     * Forwarded to `buildTaskUserPrompt` for per-type builders. Static
      * across tasks. Today no built-in builder needs per-task `extras` —
      * judges fetch their own dependent data via MoltNet tools
      * (`moltnet_get_task`, `moltnet_list_task_attempts`, etc.) at run
@@ -107,6 +133,24 @@ export declare interface ExecutePiTaskOptions {
      * across tasks.
      */
     checkpointPath?: string;
+    /**
+     * Optional callback invoked alongside every `reporter.record()` so
+     * the daemon can mirror task messages into its local logger.
+     * Bound at executor-construction time — use when one task runs per
+     * process (e.g. `once.ts`) and per-task context is known before
+     * the executor is built. For poll mode, prefer `makeOnTurnEvent`
+     * below. If both are set, `makeOnTurnEvent` wins.
+     * See `TurnEventHandler` for payload shape. Defaults to a no-op.
+     */
+    onTurnEvent?: TurnEventHandler;
+    /**
+     * Per-task factory variant for `onTurnEvent`. Invoked once per
+     * task with the claimed task before any emit, so the returned
+     * handler can bind taskId / attemptN into a pino child.
+     * Use in poll mode where N tasks run sequentially in the same
+     * process. See #1078.
+     */
+    makeOnTurnEvent?: TurnEventHandlerFactory;
 }
 
 /**
@@ -121,6 +165,32 @@ export declare function findMainWorktree(): string;
  */
 export declare const HOST_EXEC_DEFAULT_BASE_ENV: ReadonlySet<string>;
 
+export declare interface InjectedTaskContext {
+    /** Refs that were delivered, in declared order, for audit. */
+    injected: ContextRef[];
+    /** Synthetic Skill objects to splice into pi's skillsOverride. */
+    skills: Skill[];
+    /** Prepend this to `appendSystemPrompt`. Empty when nothing
+     *  contributed (omit the array entry rather than pass an empty
+     *  string to keep pi's prompt assembly tidy). */
+    systemPromptPrefix: string;
+    /** Append this to the task user prompt BEFORE `session.prompt()`. */
+    userInlineSuffix: string;
+}
+
+/**
+ * Resolve a task's `input.context[]` and inject the side effects pi
+ * needs. Safe to call with an empty array — returns an inert result.
+ */
+export declare function injectTaskContext(args: InjectTaskContextArgs): Promise<InjectedTaskContext>;
+
+export declare interface InjectTaskContextArgs {
+    /** Empty array (the default for any non-eval task) is a no-op. */
+    context: TaskContext;
+    /** Guest filesystem handle. In production this is `managed.vm.fs`. */
+    fs: VmFsForContext;
+}
+
 export declare function loadCredentials(agentDir: string): VmCredentials;
 
 export declare interface ManagedVm {
@@ -264,6 +334,10 @@ declare const Task: TObject<    {
     imposedByHumanId: TUnion<[TString, TNull]>;
     acceptedAttemptN: TUnion<[TNumber, TNull]>;
     requiredExecutorTrustLevel: TUnion<[TLiteral<"selfDeclared">, TLiteral<"agentSigned">, TLiteral<"releaseVerifiedTool">, TLiteral<"sandboxAttested">]>;
+    allowedExecutors: TArray<TObject<    {
+        provider: TString;
+        model: TString;
+    }>>;
     status: TUnion<[TLiteral<"queued">, TLiteral<"dispatched">, TLiteral<"running">, TLiteral<"completed">, TLiteral<"failed">, TLiteral<"cancelled">, TLiteral<"expired">]>;
     queuedAt: TString;
     completedAt: TUnion<[TString, TNull]>;
@@ -278,6 +352,15 @@ declare const Task: TObject<    {
 
 declare type Task = Static<typeof Task>;
 
+/** Reusable input fragment for any task type. Soft cap at 5 items. */
+declare const TaskContext: TArray<TObject<    {
+    slug: TString;
+    binding: TUnion<[TLiteral<"skill">, TLiteral<"prompt_prefix">, TLiteral<"user_inline">]>;
+    content: TString;
+}>>;
+
+declare type TaskContext = Static<typeof TaskContext>;
+
 declare const TaskMessage: TObject<    {
     taskId: TString;
     attemptN: TNumber;
@@ -410,6 +493,14 @@ declare interface TrackedError {
     timestamp: number;
 }
 
+export declare interface TurnEventHandler {
+    (event: TurnEventKind, summary: Record<string, unknown>): void;
+}
+
+export declare type TurnEventHandlerFactory = (claimedTask: ClaimedTask) => TurnEventHandler;
+
+export declare type TurnEventKind = Parameters<TaskReporter['record']>[0]['kind'];
+
 export declare interface VmConfig {
     /** Absolute path to the qcow2 checkpoint. */
     checkpointPath: string;
@@ -444,4 +535,19 @@ export declare interface VmCredentials {
     githubAppPemFilename: string | null;
 }
 
+/**
+ * Subset of `@earendil-works/gondolin`'s `VmFs` we actually use. We
+ * narrow the dependency surface so unit tests can hand in a
+ * vitest-mocked object without instantiating a real VM. We use `any`
+ * for the options parameter to make this interface bivariantly
+ * compatible with `VmFs` (whose options types differ between
+ * `mkdir` and `writeFile`); the orchestrator only ever calls these
+ * methods with the documented option shape, so the looseness is
+ * confined to this seam.
+ */
+export declare interface VmFsForContext {
+    mkdir: (dirPath: string, options?: any) => Promise<void>;
+    writeFile: (filePath: string, data: string | Uint8Array, options?: any) => Promise<void>;
+}
+
 export { }

package/dist/index.js

@@ -2,17 +2,17 @@ import { createRequire } from "node:module";
 import { execFileSync } from "node:child_process";
 import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync } from "node:fs";
 import path, { join } from "node:path";
-import { DefaultResourceLoader, SessionManager, createAgentSession, createBashTool, createBashToolDefinition, createEditTool, createEditToolDefinition, createReadTool, createReadToolDefinition, createWriteTool, createWriteToolDefinition, defineTool } from "@earendil-works/pi-coding-agent";
+import { DefaultResourceLoader, SessionManager, createAgentSession, createBashTool, createBashToolDefinition, createEditTool, createEditToolDefinition, createReadTool, createReadToolDefinition, createSyntheticSourceInfo, createWriteTool, createWriteToolDefinition, defineTool, parseFrontmatter } from "@earendil-works/pi-coding-agent";
 import { createHash } from "node:crypto";
 import crypto, { createHash as createHash$1 } from "crypto";
 import { readFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { Type, getModel } from "@earendil-works/pi-ai";
-import { RealFSProvider, ShadowProvider, VM, VmCheckpoint, createHttpHooks, createShadowPathPredicate, ensureImageSelector, loadGuestAssets } from "@earendil-works/gondolin";
+import { MemoryProvider, RealFSProvider, ShadowProvider, VM, VmCheckpoint, createHttpHooks, createShadowPathPredicate, ensureImageSelector, loadGuestAssets } from "@earendil-works/gondolin";
 import { parseEnv } from "node:util";
 import { SpanStatusCode, context, metrics, trace } from "@opentelemetry/api";
-import { FormatRegistry, Type as Type$1 } from "@sinclair/typebox";
 import { Value } from "@sinclair/typebox/value";
+import { FormatRegistry, Type as Type$1 } from "@sinclair/typebox";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -2424,13 +2424,31 @@ function problemToError(problem, statusCode) {
 //#endregion
 //#region ../sdk/src/agent-context.ts
 function unwrapResult(result) {
-	if (result.error) {
+	if (result.error !== void 0 && result.error !== null) {
 		const error = result.error;
-		throw problemToError(error, error.status ?? 500);
+		if (isProblemDetails(error)) throw problemToError(error, error.status);
+		if (error instanceof Error && result.response === void 0) {
+			const networkError = new NetworkError(error.message, { detail: error.cause ? stringifyUnknown(error.cause) : void 0 });
+			networkError.stack = error.stack;
+			throw networkError;
+		}
+		throw new MoltNetError(`Unexpected error from MoltNet API: ${stringifyUnknown(error)}`, { code: "UNKNOWN" });
 	}
 	if (result.data === void 0) throw new MoltNetError("Unexpected empty response from MoltNet API", { code: "EMPTY_RESPONSE" });
 	return result.data;
 }
+function isProblemDetails(error) {
+	if (!error || typeof error !== "object") return false;
+	return typeof error.status === "number" && ("title" in error || "detail" in error);
+}
+function stringifyUnknown(value) {
+	if (value instanceof Error) return `${value.name}: ${value.message}`;
+	try {
+		return JSON.stringify(value) ?? String(value);
+	} catch {
+		return String(value);
+	}
+}
 function unwrapRequired(result, message, code) {
 	if (result.error || !result.data) throw new MoltNetError(message, { code });
 	return result.data;
@@ -8057,138 +8075,29 @@ function pruneOldSnapshots(maxCached, currentDir) {
 	});
 }
 //#endregion
-//#region src/tool-operations.ts
-/**
-* Gondolin tool operations: redirect pi's built-in tool operations
-* (read, write, edit, bash) to execute inside the VM.
-*
-* Follows the same pattern as upstream pi-gondolin.ts — pi's tool factories
-* accept an `operations` object that provides the underlying I/O.
-*/
+//#region src/vm-manager.ts
 var GUEST_WORKSPACE$2 = "/workspace";
-function shQuote(s) {
-	return "'" + s.replace(/'/g, "'\\''") + "'";
-}
 /**
-* Map a host-side absolute path to a guest-side /workspace path.
-* Throws if the path escapes the workspace.
-*/
-function toGuestPath(localCwd, localPath) {
-	if (localPath === GUEST_WORKSPACE$2 || localPath.startsWith(`${GUEST_WORKSPACE$2}/`)) return localPath;
-	const rel = path.relative(localCwd, localPath);
-	if (rel === "") return GUEST_WORKSPACE$2;
-	if (rel.startsWith("..") || path.isAbsolute(rel)) throw new Error(`path escapes workspace: ${localPath}`);
-	const posixRel = rel.split(path.sep).join(path.posix.sep);
-	return path.posix.join(GUEST_WORKSPACE$2, posixRel);
-}
-function createGondolinReadOps(vm, localCwd) {
-	return {
-		readFile: async (p) => {
-			const r = await vm.exec(["/bin/cat", toGuestPath(localCwd, p)]);
-			if (!r.ok) throw new Error(`cat failed (${r.exitCode}): ${r.stderr}`);
-			return r.stdoutBuffer;
-		},
-		access: async (p) => {
-			if (!(await vm.exec([
-				"/bin/sh",
-				"-lc",
-				`test -r ${shQuote(toGuestPath(localCwd, p))}`
-			])).ok) throw new Error(`not readable: ${p}`);
-		},
-		detectImageMimeType: async (p) => {
-			try {
-				const r = await vm.exec([
-					"/bin/sh",
-					"-lc",
-					`file --mime-type -b ${shQuote(toGuestPath(localCwd, p))}`
-				]);
-				if (!r.ok) return null;
-				const m = r.stdout.trim();
-				return [
-					"image/jpeg",
-					"image/png",
-					"image/gif",
-					"image/webp"
-				].includes(m) ? m : null;
-			} catch {
-				return null;
-			}
-		}
-	};
-}
-function createGondolinWriteOps(vm, localCwd) {
-	return {
-		writeFile: async (p, content) => {
-			const guestPath = toGuestPath(localCwd, p);
-			const dir = path.posix.dirname(guestPath);
-			const b64 = Buffer.from(content, "utf8").toString("base64");
-			const r = await vm.exec([
-				"/bin/sh",
-				"-lc",
-				[
-					"set -eu",
-					`mkdir -p ${shQuote(dir)}`,
-					`echo ${shQuote(b64)} | base64 -d > ${shQuote(guestPath)}`
-				].join("\n")
-			]);
-			if (!r.ok) throw new Error(`write failed (${r.exitCode}): ${r.stderr}`);
-		},
-		mkdir: async (dir) => {
-			const r = await vm.exec([
-				"/bin/mkdir",
-				"-p",
-				toGuestPath(localCwd, dir)
-			]);
-			if (!r.ok) throw new Error(`mkdir failed (${r.exitCode}): ${r.stderr}`);
-		}
-	};
-}
-function createGondolinEditOps(vm, localCwd) {
-	const r = createGondolinReadOps(vm, localCwd);
-	const w = createGondolinWriteOps(vm, localCwd);
-	return {
-		readFile: r.readFile,
-		access: r.access,
-		writeFile: w.writeFile
-	};
-}
-function createGondolinBashOps(vm, localCwd) {
-	return { exec: async (command, cwd, { onData, signal, timeout, env }) => {
-		const guestCwd = toGuestPath(localCwd, cwd);
-		const ac = new AbortController();
-		const onAbort = () => ac.abort();
-		signal?.addEventListener("abort", onAbort, { once: true });
-		let timedOut = false;
-		const timer = timeout && timeout > 0 ? setTimeout(() => {
-			timedOut = true;
-			ac.abort();
-		}, timeout * 1e3) : void 0;
-		try {
-			const proc = vm.exec([
-				"/bin/sh",
-				"-lc",
-				command
-			], {
-				cwd: guestCwd,
-				signal: ac.signal,
-				stdout: "pipe",
-				stderr: "pipe"
-			});
-			for await (const chunk of proc.output()) onData(typeof chunk.data === "string" ? Buffer.from(chunk.data, "utf8") : chunk.data);
-			return { exitCode: (await proc).exitCode };
-		} catch (err) {
-			if (signal?.aborted) throw new Error("aborted");
-			if (timedOut) throw new Error(`timeout:${timeout}`);
-			throw err;
-		} finally {
-			if (timer) clearTimeout(timer);
-			signal?.removeEventListener("abort", onAbort);
-		}
-	} };
-}
-//#endregion
-//#region src/vm-manager.ts
-var GUEST_WORKSPACE$1 = "/workspace";
+* Memory-backed VFS mount used by the daemon to inject task-context
+* skills (#943 slice 1.5). Sibling of /workspace, NOT a sub-path —
+* Gondolin mounts can't nest. The agent's Gondolin-bound Read tool
+* accepts paths under this prefix (see toGuestPath in tool-operations.ts).
+*
+* Why MemoryProvider rather than a path under /workspace:
+*   - Injected skills are ephemeral by intent: per-task-attempt input
+*     scoped to the VM lifetime. MemoryProvider models that exactly —
+*     in-memory, per-VM-instance, zero host artefacts, automatic
+*     cleanup on VM close.
+*   - Writing under /workspace fails in worktrees because we symlink
+*     `.moltnet/` to the main repo (so credentials are reachable from
+*     worktrees), and Gondolin's RealFSProvider correctly refuses to
+*     create paths whose ancestors' realpath escapes the mount root.
+*     That refusal is a deliberate sandbox-escape protection, not a
+*     bug. See diary semantic entry cd27d9d3-efdc-4aec-ac0d-5fd8ce258d1f
+*     and episodic 7affbfeb-18a2-4963-aeac-c177eb2afa2d for the full
+*     investigation and the alternatives we rejected.
+*/
+var GUEST_TASK_SKILLS_MOUNT = "/moltnet-task-skills";
 /**
 * Resolve the main worktree root (where .moltnet/ lives — it's untracked,
 * only exists in the main worktree, not in git worktrees).
@@ -8317,7 +8226,10 @@ async function resumeVm(config) {
 		env: vmEnv,
 		...resources?.memory && { memory: resources.memory },
 		...resources?.cpus && { cpus: resources.cpus },
-		vfs: { mounts: { [GUEST_WORKSPACE$1]: workspaceProvider } }
+		vfs: { mounts: {
+			[GUEST_WORKSPACE$2]: workspaceProvider,
+			[GUEST_TASK_SKILLS_MOUNT]: new MemoryProvider()
+		} }
 	});
 	await vm.exec(`sh -c '
     cp /etc/gondolin/mitm/ca.crt /usr/local/share/ca-certificates/gondolin-mitm.crt
@@ -8347,7 +8259,7 @@ nameserver 1.1.1.1" > /etc/resolv.conf'`);
 		vm,
 		credentials: creds,
 		mountPath: config.mountPath,
-		guestWorkspace: GUEST_WORKSPACE$1,
+		guestWorkspace: GUEST_WORKSPACE$2,
 		agentDir
 	};
 }
@@ -8400,6 +8312,137 @@ function ensureRelativeWorktreePaths(gitconfig) {
 	return `${gitconfig}${gitconfig.endsWith("\n") ? "" : "\n"}[worktree]\n\tuseRelativePaths = true\n`;
 }
 //#endregion
+//#region src/tool-operations.ts
+/**
+* Gondolin tool operations: redirect pi's built-in tool operations
+* (read, write, edit, bash) to execute inside the VM.
+*
+* Follows the same pattern as upstream pi-gondolin.ts — pi's tool factories
+* accept an `operations` object that provides the underlying I/O.
+*/
+var GUEST_WORKSPACE$1 = "/workspace";
+function shQuote(s) {
+	return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+/**
+* Map a host-side absolute path to a guest-side /workspace path.
+* Throws if the path escapes the workspace.
+*/
+function toGuestPath(localCwd, localPath) {
+	if (localPath === GUEST_WORKSPACE$1 || localPath.startsWith(`${GUEST_WORKSPACE$1}/`)) return localPath;
+	if (localPath === "/moltnet-task-skills" || localPath.startsWith(`/moltnet-task-skills/`)) return localPath;
+	const rel = path.relative(localCwd, localPath);
+	if (rel === "") return GUEST_WORKSPACE$1;
+	if (rel.startsWith("..") || path.isAbsolute(rel)) throw new Error(`path escapes workspace: ${localPath}`);
+	const posixRel = rel.split(path.sep).join(path.posix.sep);
+	return path.posix.join(GUEST_WORKSPACE$1, posixRel);
+}
+function createGondolinReadOps(vm, localCwd) {
+	return {
+		readFile: async (p) => {
+			const r = await vm.exec(["/bin/cat", toGuestPath(localCwd, p)]);
+			if (!r.ok) throw new Error(`cat failed (${r.exitCode}): ${r.stderr}`);
+			return r.stdoutBuffer;
+		},
+		access: async (p) => {
+			if (!(await vm.exec([
+				"/bin/sh",
+				"-lc",
+				`test -r ${shQuote(toGuestPath(localCwd, p))}`
+			])).ok) throw new Error(`not readable: ${p}`);
+		},
+		detectImageMimeType: async (p) => {
+			try {
+				const r = await vm.exec([
+					"/bin/sh",
+					"-lc",
+					`file --mime-type -b ${shQuote(toGuestPath(localCwd, p))}`
+				]);
+				if (!r.ok) return null;
+				const m = r.stdout.trim();
+				return [
+					"image/jpeg",
+					"image/png",
+					"image/gif",
+					"image/webp"
+				].includes(m) ? m : null;
+			} catch {
+				return null;
+			}
+		}
+	};
+}
+function createGondolinWriteOps(vm, localCwd) {
+	return {
+		writeFile: async (p, content) => {
+			const guestPath = toGuestPath(localCwd, p);
+			const dir = path.posix.dirname(guestPath);
+			const b64 = Buffer.from(content, "utf8").toString("base64");
+			const r = await vm.exec([
+				"/bin/sh",
+				"-lc",
+				[
+					"set -eu",
+					`mkdir -p ${shQuote(dir)}`,
+					`echo ${shQuote(b64)} | base64 -d > ${shQuote(guestPath)}`
+				].join("\n")
+			]);
+			if (!r.ok) throw new Error(`write failed (${r.exitCode}): ${r.stderr}`);
+		},
+		mkdir: async (dir) => {
+			const r = await vm.exec([
+				"/bin/mkdir",
+				"-p",
+				toGuestPath(localCwd, dir)
+			]);
+			if (!r.ok) throw new Error(`mkdir failed (${r.exitCode}): ${r.stderr}`);
+		}
+	};
+}
+function createGondolinEditOps(vm, localCwd) {
+	const r = createGondolinReadOps(vm, localCwd);
+	const w = createGondolinWriteOps(vm, localCwd);
+	return {
+		readFile: r.readFile,
+		access: r.access,
+		writeFile: w.writeFile
+	};
+}
+function createGondolinBashOps(vm, localCwd) {
+	return { exec: async (command, cwd, { onData, signal, timeout, env }) => {
+		const guestCwd = toGuestPath(localCwd, cwd);
+		const ac = new AbortController();
+		const onAbort = () => ac.abort();
+		signal?.addEventListener("abort", onAbort, { once: true });
+		let timedOut = false;
+		const timer = timeout && timeout > 0 ? setTimeout(() => {
+			timedOut = true;
+			ac.abort();
+		}, timeout * 1e3) : void 0;
+		try {
+			const proc = vm.exec([
+				"/bin/sh",
+				"-lc",
+				command
+			], {
+				cwd: guestCwd,
+				signal: ac.signal,
+				stdout: "pipe",
+				stderr: "pipe"
+			});
+			for await (const chunk of proc.output()) onData(typeof chunk.data === "string" ? Buffer.from(chunk.data, "utf8") : chunk.data);
+			return { exitCode: (await proc).exitCode };
+		} catch (err) {
+			if (signal?.aborted) throw new Error("aborted");
+			if (timedOut) throw new Error(`timeout:${timeout}`);
+			throw err;
+		} finally {
+			if (timer) clearTimeout(timer);
+			signal?.removeEventListener("abort", onAbort);
+		}
+	} };
+}
+//#endregion
 //#region src/otel/index.ts
 var TRACER_NAME = "@themoltnet/pi-extension/otel";
 function stripReservedAttrs(attrs) {
@@ -8537,6 +8580,61 @@ function extractUsage(message) {
 	};
 }
 //#endregion
+//#region ../agent-runtime/src/context-bindings.ts
+var PROMPT_SEPARATOR = "\n\n---\n\n";
+/**
+* Resolve `task.input.context[]` into delivered side-effects (skills
+* persisted via `deliver.skill`) and prompt fragments
+* (`systemPromptPrefix`, `userInlineSuffix`) the caller weaves into the
+* built prompt.
+*
+* Per-binding semantics (V1):
+*   - `skill`         → `deliver.skill({ slug, content })` once per ref.
+*                       Slug collisions on distinct contents are
+*                       refused loudly.
+*   - `prompt_prefix` → content appended to `systemPromptPrefix` with
+*                       the canonical `\n\n---\n\n` separator (in
+*                       declared order).
+*   - `user_inline`   → content appended to `userInlineSuffix` in
+*                       declared order, same separator.
+*
+* No fetching, no hashing — bytes are inlined in `ContextRef.content`,
+* and the task's `inputCid` already pins the entire input. The imposer
+* chose these bytes; the resolver just dispatches them.
+*
+* The function is pure with respect to its arguments: file writes are
+* confined to the injected `deliver` callback, which makes the
+* resolver trivial to test.
+*/
+async function resolveTaskContext(args) {
+	const promptParts = [];
+	const userParts = [];
+	const injected = [];
+	const usedSlugs = /* @__PURE__ */ new Map();
+	for (const ref of args.context) {
+		if (ref.binding === "skill") {
+			const prior = usedSlugs.get(ref.slug);
+			if (prior !== void 0) {
+				if (prior !== ref.content) throw new Error(`slug collision on '${ref.slug}': two skill entries share the same slug but have different content`);
+				injected.push(ref);
+				continue;
+			}
+			usedSlugs.set(ref.slug, ref.content);
+			await args.deliver.skill({
+				slug: ref.slug,
+				content: ref.content
+			});
+		} else if (ref.binding === "prompt_prefix") promptParts.push(ref.content);
+		else userParts.push(ref.content);
+		injected.push(ref);
+	}
+	return {
+		injected,
+		systemPromptPrefix: promptParts.join(PROMPT_SEPARATOR),
+		userInlineSuffix: userParts.join(PROMPT_SEPARATOR)
+	};
+}
+//#endregion
 //#region ../tasks/src/formats.ts
 /**
 * Register TypeBox string formats used across Task / TaskOutput / task-type
@@ -8551,6 +8649,55 @@ var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a
 if (!FormatRegistry.Has("uuid")) FormatRegistry.Set("uuid", (v) => UUID_RE.test(v));
 if (!FormatRegistry.Has("date-time")) FormatRegistry.Set("date-time", (v) => !Number.isNaN(Date.parse(v)));
 //#endregion
+//#region ../tasks/src/context.ts
+/**
+* How an executor delivers a context entry to its underlying LLM.
+* V1 bindings only; Tier-2 (reference_file, mcp_resource, imported_file,
+* tool_response_seed, additional_context_hook) ship in a later slice.
+*/
+var ContextBinding = Type$1.Union([
+	Type$1.Literal("skill"),
+	Type$1.Literal("prompt_prefix"),
+	Type$1.Literal("user_inline")
+], { $id: "ContextBinding" });
+/**
+* One context entry. Bytes are inlined: the imposer chose them, and the
+* task's `inputCid` already pins the entire input — including
+* `context[]` — so we don't need a separate per-entry hash, fetcher, or
+* flagged-content gate. Tasks reference rendered packs (or any other
+* external content) by copying their bytes into `content` at task
+* creation time.
+*
+* - `slug` — short identifier the daemon uses to disambiguate
+*            entries. For `skill` binding it becomes the directory
+*            name under the runtime's skill discovery path. Must be
+*            kebab-case-safe (alphanumeric + dashes/underscores).
+* - `binding` — how the bytes are delivered to the LLM (see above).
+* - `content` — the actual bytes (UTF-8 text). Capped at 32 KiB per
+*               entry; total per-task context bytes are bounded by the
+*               soft `maxItems` cap and per-binding daemon limits.
+*/
+var ContextRef = Type$1.Object({
+	slug: Type$1.String({
+		minLength: 1,
+		maxLength: 64,
+		pattern: "^[a-zA-Z0-9_-]+$"
+	}),
+	binding: ContextBinding,
+	content: Type$1.String({
+		minLength: 1,
+		maxLength: 32768
+	})
+}, {
+	$id: "ContextRef",
+	additionalProperties: false
+});
+/** Reusable input fragment for any task type. Soft cap at 5 items. */
+var TaskContext = Type$1.Array(ContextRef, {
+	$id: "TaskContext",
+	maxItems: 5
+});
+//#endregion
 //#region ../tasks/src/rubric.ts
 /**
 * Rubric — structured acceptance criteria used by judgment tasks.
@@ -9099,6 +9246,60 @@ var RenderPackOutput = Type$1.Object({
 	additionalProperties: false
 });
 //#endregion
+//#region ../tasks/src/task-types/run-eval.ts
+/**
+* `run_eval` — execute a scenario prompt under a named variant for
+* later cross-variant grading by `judge_eval_variant` (Slice 2).
+*
+* output_kind: artifact
+* criteria: optional (when set, output.verification is required —
+*   producer self-assessment; the judge is the binding evaluator)
+* references: not required (scenario lives entirely in input)
+*/
+var RUN_EVAL_TYPE = "run_eval";
+var RunEvalInput = Type$1.Object({
+	scenario: Type$1.Object({
+		prompt: Type$1.String({ minLength: 1 }),
+		inputFiles: Type$1.Optional(Type$1.Array(Type$1.String({ minLength: 1 })))
+	}, { additionalProperties: false }),
+	variantLabel: Type$1.String({
+		minLength: 1,
+		maxLength: 64
+	}),
+	context: TaskContext,
+	successCriteria: Type$1.Optional(SuccessCriteria)
+}, {
+	$id: "RunEvalInput",
+	additionalProperties: false
+});
+var RunEvalOutput = Type$1.Object({
+	response: Type$1.String({ minLength: 1 }),
+	artifacts: Type$1.Optional(Type$1.Array(Type$1.Object({
+		path: Type$1.String({ minLength: 1 }),
+		cid: Type$1.String({ minLength: 1 })
+	}, { additionalProperties: false }))),
+	totalTokens: Type$1.Integer({ minimum: 0 }),
+	durationMs: Type$1.Integer({ minimum: 0 }),
+	traceparent: Type$1.String({ minLength: 1 }),
+	verification: Type$1.Optional(VerificationRecord)
+}, {
+	$id: "RunEvalOutput",
+	additionalProperties: false
+});
+/**
+* Cross-field rule mirroring the `requireVerificationWhenCriteriaPresent`
+* rule used by the brief task types: when input declares
+* `successCriteria`, output MUST carry `verification`; when it doesn't,
+* output MUST NOT carry one.
+*/
+function validateRunEvalOutput(output, input) {
+	const hasCriteria = input !== null && input !== void 0 && input.successCriteria !== void 0;
+	const hasVerification = output !== null && output !== void 0 && output.verification !== void 0;
+	if (hasCriteria && !hasVerification) return "output.verification is required because input.successCriteria is set; the producer LLM must self-assess against the criteria";
+	if (!hasCriteria && hasVerification) return "output.verification was supplied but input.successCriteria is unset; omit verification when there are no criteria to assess against";
+	return null;
+}
+//#endregion
 //#region ../tasks/src/task-types/index.ts
 /**
 * Validate that a judgment-task input carries a rubric inside its
@@ -9177,6 +9378,14 @@ var BUILT_IN_TASK_TYPES = {
 		requiresReferences: true,
 		validateInput: validateJudgmentInput,
 		validateOutput: validateJudgePackOutput
+	},
+	[RUN_EVAL_TYPE]: {
+		name: RUN_EVAL_TYPE,
+		inputSchema: RunEvalInput,
+		outputSchema: RunEvalOutput,
+		outputKind: "artifact",
+		requiresReferences: false,
+		validateOutput: validateRunEvalOutput
 	}
 };
 //#endregion
@@ -9275,6 +9484,14 @@ var ExecutorTrustLevel = Type$1.Union([
 	Type$1.Literal("releaseVerifiedTool"),
 	Type$1.Literal("sandboxAttested")
 ], { $id: "ExecutorTrustLevel" });
+/** Identifies a (provider, model) daemon pair allowed to claim a task. */
+var ExecutorRef = Type$1.Object({
+	provider: Type$1.String({ minLength: 1 }),
+	model: Type$1.String({ minLength: 1 })
+}, {
+	$id: "ExecutorRef",
+	additionalProperties: false
+});
 var OutputKind = Type$1.Union([Type$1.Literal("artifact"), Type$1.Literal("judgment")], { $id: "OutputKind" });
 var TaskMessageKind = Type$1.Union([
 	Type$1.Literal("text_delta"),
@@ -9367,6 +9584,7 @@ Type$1.Object({
 	imposedByHumanId: Type$1.Union([Uuid, Type$1.Null()]),
 	acceptedAttemptN: Type$1.Union([Type$1.Number(), Type$1.Null()]),
 	requiredExecutorTrustLevel: ExecutorTrustLevel,
+	allowedExecutors: Type$1.Array(ExecutorRef, { maxItems: 16 }),
 	status: TaskStatus,
 	queuedAt: IsoTimestamp,
 	completedAt: Type$1.Union([IsoTimestamp, Type$1.Null()]),
@@ -9552,7 +9770,7 @@ function buildFinalOutputBlock(opts) {
 //#endregion
 //#region ../agent-runtime/src/prompts/assess-brief.ts
 /**
-* Build the system prompt for an `assess_brief` judge attempt.
+* Build the first user-message prompt for an `assess_brief` judge attempt.
 *
 * Design note — no pre-resolved `target` projection
 * --------------------------------------------------
@@ -9573,7 +9791,7 @@ function buildFinalOutputBlock(opts) {
 * future task types whose products are docs / configs / changes /
 * anything) work without any code path here.
 */
-function buildAssessBriefPrompt(input, ctx) {
+function buildAssessBriefUserPrompt(input, ctx) {
 	const rubric = input.successCriteria.rubric;
 	const criteriaList = rubric.criteria.map((c, i) => `${i + 1}. **${c.id}** (weight ${c.weight}, scoring: \`${c.scoring}\`) — ${c.description}`).join("\n");
 	const preambleSection = rubric.preamble ? [
@@ -9688,7 +9906,7 @@ function buildSelfVerificationBlock(taskId) {
 //#endregion
 //#region ../agent-runtime/src/prompts/curate-pack.ts
 /**
-* Build the system prompt for a `curate_pack` task.
+* Build the first user-message prompt for a `curate_pack` task.
 *
 * Design note: this prompt is deliberately NOT a numbered command
 * sequence. The curator's value comes from judgment — inferring scope
@@ -9709,7 +9927,7 @@ function buildSelfVerificationBlock(taskId) {
 * emits pruned state at phase boundaries so a follow-up session can
 * resume without replaying the tool history.
 */
-function buildCuratePackPrompt(input, ctx) {
+function buildCuratePackUserPrompt(input, ctx) {
 	const { diaryId, taskPrompt, entryTypes, tagFilters, tokenBudget, recipe } = input;
 	const entryTypesPinned = Boolean(entryTypes);
 	const resolvedRecipe = recipe ?? "topic-focused-v1";
@@ -9845,13 +10063,13 @@ function buildCuratePackPrompt(input, ctx) {
 //#endregion
 //#region ../agent-runtime/src/prompts/fulfill-brief.ts
 /**
-* Build the system prompt for a `fulfill_brief` task.
+* Build the first user-message prompt for a `fulfill_brief` task.
 *
 * Generalized from the original `resolve-issue` prompt. No longer
 * GitHub-specific; references live on `Task.references[]` and the agent
 * is told to inspect them itself.
 */
-function buildFulfillBriefPrompt(input, ctx) {
+function buildFulfillBriefUserPrompt(input, ctx) {
 	const { brief, title, acceptanceCriteria, seedFiles, scopeHint } = input;
 	const criteriaSection = acceptanceCriteria?.length ? [
 		"### Acceptance criteria",
@@ -9931,7 +10149,7 @@ function buildFulfillBriefPrompt(input, ctx) {
 }
 //#endregion
 //#region ../agent-runtime/src/prompts/judge-pack.ts
-function buildJudgePackPrompt(input, ctx) {
+function buildJudgePackUserPrompt(input, ctx) {
 	const { renderedPackId, sourcePackId, successCriteria } = input;
 	const rubric = successCriteria.rubric;
 	const criteriaList = rubric.criteria.map((c, i) => `${i + 1}. **${c.id}** (weight ${c.weight}, scoring: \`${c.scoring}\`) — ${c.description}`).join("\n");
@@ -10058,10 +10276,10 @@ function buildJudgePackPrompt(input, ctx) {
 //#endregion
 //#region ../agent-runtime/src/prompts/render-pack.ts
 /**
-* Build the system prompt for a `render_pack` task. Almost mechanical:
+* Build the first user-message prompt for a `render_pack` task. Almost mechanical:
 * wraps `moltnet_pack_render` and emits the receipt.
 */
-function buildRenderPackPrompt(input, ctx) {
+function buildRenderPackUserPrompt(input, ctx) {
 	const { packId, persist = true, pinned = false } = input;
 	return [
 		"# Render Pack Agent",
@@ -10115,19 +10333,87 @@ function buildRenderPackPrompt(input, ctx) {
 	].join("\n");
 }
 //#endregion
+//#region ../agent-runtime/src/prompts/run-eval.ts
+/**
+* Build the first user-message prompt for a `run_eval` task.
+*
+* Free-form: no git workflow, no commit ceremony. The executor produces
+* a textual response (and optional file artifacts) that a later
+* `judge_eval_variant` task (Slice 2) grades against the rubric.
+*
+* Context delivery is handled by `resolveTaskContext` (see
+* libs/agent-runtime/src/context-bindings.ts) and runs BEFORE this
+* prompt is rendered: `prompt_prefix` items are concatenated ahead of
+* the body, `skill` items are persisted at the runtime's skill path,
+* and `user_inline` items are appended to the first user message. This
+* builder does NOT inline `input.context[]` itself.
+*/
+function buildRunEvalUserPrompt(input, ctx) {
+	const { scenario, variantLabel, successCriteria } = input;
+	const inputFilesSection = scenario.inputFiles?.length ? [
+		"### Input files",
+		"",
+		...scenario.inputFiles.map((f) => `- \`${f}\``),
+		""
+	].join("\n") : "";
+	const verificationSection = successCriteria ? buildSelfVerificationBlock(ctx.taskId) : "";
+	const correlationSection = ctx.correlationId ? [
+		"### Correlation",
+		"",
+		`This task carries correlationId \`${ctx.correlationId}\`. It joins`,
+		"this variant to its sibling `run_eval` tasks (other variants of the",
+		"same scenario) and to the eventual `judge_eval_variant` task that",
+		"will grade them together. You do not need to act on it directly —",
+		"it is recorded for cross-variant aggregation at query time.",
+		""
+	].join("\n") : "";
+	const finalOutputBlock = buildFinalOutputBlock({
+		taskType: "run_eval",
+		outputSchemaName: "RunEvalOutput",
+		shapeSketch: [
+			"{",
+			"  \"response\": \"<your free-form answer>\",",
+			"  \"artifacts\": [{ \"path\": \"...\", \"cid\": \"...\" }],  // optional",
+			"  \"totalTokens\": <int>,",
+			"  \"durationMs\": <int>,",
+			"  \"traceparent\": \"<from claim>\",",
+			"  \"verification\": <required iff input.successCriteria; see Self-verification>",
+			"}"
+		].join("\n")
+	});
+	return [
+		"# Run Eval Agent\n",
+		`You are running an evaluation scenario as variant \`${variantLabel}\`.\nTask id: \`${ctx.taskId}\`\n`,
+		correlationSection,
+		`### Scenario\n\n${scenario.prompt}\n`,
+		inputFilesSection,
+		verificationSection,
+		finalOutputBlock
+	].filter((s) => s !== "").join("\n");
+}
+//#endregion
 //#region ../agent-runtime/src/prompts/index.ts
 /**
-* Resolve the correct prompt builder for `task.taskType` and invoke it.
-* Throws if the type is unknown or the input fails TypeBox validation.
-*/
-function buildPromptForTask(task, ctx) {
+* Resolve the correct user-prompt builder for `task.taskType` and
+* invoke it. Throws if the type is unknown or the input fails TypeBox
+* validation.
+*
+* Role note: the returned string is delivered as the **first user
+* message** of the agent's session (pi-coding-agent's
+* `session.prompt(text)` puts text in the user role). The system
+* prompt is built separately by pi from `appendSystemPrompt` (the
+* runtime instructor lives there). Builders here are free-form Markdown
+* for the user turn; they don't replace or prepend to the system
+* prompt.
+*/
+function buildTaskUserPrompt(task, ctx) {
 	switch (task.taskType) {
 		case FULFILL_BRIEF_TYPE:
 			if (!Value.Check(FulfillBriefInput, task.input)) {
 				const errors = [...Value.Errors(FulfillBriefInput, task.input)];
 				throw new Error(`fulfill_brief input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
 			}
-			return buildFulfillBriefPrompt(task.input, {
+			return buildFulfillBriefUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId,
 				correlationId: task.correlationId
@@ -10137,7 +10423,7 @@ function buildPromptForTask(task, ctx) {
 				const errors = [...Value.Errors(AssessBriefInput, task.input)];
 				throw new Error(`assess_brief input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
 			}
-			return buildAssessBriefPrompt(task.input, {
+			return buildAssessBriefUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId
 			});
@@ -10146,7 +10432,7 @@ function buildPromptForTask(task, ctx) {
 				const errors = [...Value.Errors(CuratePackInput, task.input)];
 				throw new Error(`curate_pack input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
 			}
-			return buildCuratePackPrompt(task.input, {
+			return buildCuratePackUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId
 			});
@@ -10155,7 +10441,7 @@ function buildPromptForTask(task, ctx) {
 				const errors = [...Value.Errors(RenderPackInput, task.input)];
 				throw new Error(`render_pack input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
 			}
-			return buildRenderPackPrompt(task.input, {
+			return buildRenderPackUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId
 			});
@@ -10164,10 +10450,20 @@ function buildPromptForTask(task, ctx) {
 				const errors = [...Value.Errors(JudgePackInput, task.input)];
 				throw new Error(`judge_pack input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
 			}
-			return buildJudgePackPrompt(task.input, {
+			return buildJudgePackUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId
 			});
+		case RUN_EVAL_TYPE:
+			if (!Value.Check(RunEvalInput, task.input)) {
+				const errors = [...Value.Errors(RunEvalInput, task.input)];
+				throw new Error(`run_eval input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
+			}
+			return buildRunEvalUserPrompt(task.input, {
+				diaryId: ctx.diaryId,
+				taskId: ctx.taskId,
+				correlationId: task.correlationId
+			});
 		default: throw new Error(`No prompt builder registered for taskType="${task.taskType}"`);
 	}
 }
@@ -13639,6 +13935,114 @@ var require_multistream = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	module.exports.pino = pino;
 })))();
 //#endregion
+//#region src/runtime/inject-task-context.ts
+/**
+* Slice 1.5 of #943 — wire the agent-runtime resolver into the
+* pi-extension execution path.
+*
+* `resolveTaskContext` is a pure dispatcher; this module provides the
+* Gondolin-aware deliverer and the post-resolution shape the
+* `execute-pi-task` caller needs to splice into pi's setup:
+*
+*   - `systemPromptPrefix` → fed into `appendSystemPrompt` alongside
+*      the runtime instructor (it IS a system-prompt fragment).
+*   - `userInlineSuffix`   → appended to the `buildTaskUserPrompt`
+*      output BEFORE `session.prompt(text)`.
+*   - `skills`             → spliced into the `skillsOverride` callback's
+*      return value. pi includes them in `<available_skills>` in the
+*      system prompt; the agent fetches the body on demand via the
+*      Read tool.
+*
+* Skill files are written into the VM at
+* `/workspace/.moltnet/skills/<slug>/SKILL.md`. The agent's
+* Gondolin-bound Read tool is scoped to `/workspace`, so that path is
+* the only location the agent can actually read at runtime. pi only
+* reads `<available_skills>` metadata (name, description, location),
+* never the file body, so we construct synthetic `Skill` objects
+* pointing at the in-VM path without ever materialising the file on
+* the host.
+*/
+/**
+* Where in the VM we write skill bodies — the memory-backed mount
+* declared in `vm-manager.ts`. See the comment on
+* `GUEST_TASK_SKILLS_MOUNT` there for the full rationale (ephemeral
+* by intent + the worktree symlink interaction with Gondolin's
+* sandbox-escape protection). The agent's Gondolin Read tool accepts
+* paths under this mount via `toGuestPath` in `tool-operations.ts`.
+*/
+var SKILL_ROOT_IN_VM = GUEST_TASK_SKILLS_MOUNT;
+/** Bounds borrowed from pi's skill validation; conservative caps so a
+*  malformed SKILL.md doesn't bloat the system prompt. */
+var MAX_SKILL_NAME = 64;
+var MAX_SKILL_DESCRIPTION = 1024;
+/**
+* Resolve a task's `input.context[]` and inject the side effects pi
+* needs. Safe to call with an empty array — returns an inert result.
+*/
+async function injectTaskContext(args) {
+	const skills = [];
+	const resolved = await resolveTaskContext({
+		context: args.context,
+		deliver: { skill: async ({ slug, content }) => {
+			const dir = `${SKILL_ROOT_IN_VM}/${slug}`;
+			const filePath = `${dir}/SKILL.md`;
+			await args.fs.mkdir(dir, { recursive: true });
+			await args.fs.writeFile(filePath, content, { mode: 420 });
+			skills.push(buildSyntheticSkill({
+				slug,
+				content,
+				filePath,
+				dir
+			}));
+		} }
+	});
+	return {
+		injected: resolved.injected,
+		skills,
+		systemPromptPrefix: resolved.systemPromptPrefix,
+		userInlineSuffix: resolved.userInlineSuffix
+	};
+}
+/**
+* Build a `Skill` object pi will faithfully render in
+* `<available_skills>`. We extract `name` and `description` from the
+* skill content's YAML frontmatter using pi's own `parseFrontmatter`
+* helper (proper YAML, not a regex hack) and fall back to the slug +
+* a generic description so a SKILL.md without frontmatter still
+* renders something meaningful.
+*
+* Frontmatter parsing is best-effort: a malformed YAML block is
+* optional metadata, not a reason to fail the task. We swallow parser
+* errors and fall back to the slug-derived metadata; the skill body
+* is unaffected.
+*
+* pi's `formatSkillsForPrompt` only reads `name`, `description`, and
+* `filePath` — `sourceInfo`/`baseDir` exist on the type but never
+* surface in the prompt, so a synthetic `SourceInfo` is enough.
+*/
+function buildSyntheticSkill(args) {
+	let fm = {};
+	try {
+		fm = parseFrontmatter(args.content).frontmatter;
+	} catch {}
+	return {
+		name: clip(typeof fm.name === "string" && fm.name.trim().length > 0 ? fm.name.trim() : args.slug, MAX_SKILL_NAME),
+		description: clip(typeof fm.description === "string" && fm.description.trim().length > 0 ? fm.description.trim() : `Task-injected context skill (${args.slug})`, MAX_SKILL_DESCRIPTION),
+		filePath: args.filePath,
+		baseDir: args.dir,
+		sourceInfo: createSyntheticSourceInfo(args.filePath, {
+			source: "moltnet:task-context",
+			scope: "temporary",
+			origin: "top-level",
+			baseDir: args.dir
+		}),
+		disableModelInvocation: fm["disable-model-invocation"] === true
+	};
+}
+function clip(s, max) {
+	return s.length > max ? s.slice(0, max) : s;
+}
+//#endregion
 //#region src/runtime/runtime-instructor.ts
 /**
 * Build the daemon-controlled invariant prose injected into the system prompt
@@ -13962,6 +14366,7 @@ function resolveSubmitTools(taskType, opts = {}) {
 * Anthropic-SDK one) plug in via the `executeTask` function injected into
 * `AgentRuntime`.
 */
+var noopTurnEventHandler = () => {};
 /**
 * Factory that builds a pi-specific `executeTask` function suitable for
 * injection into `AgentRuntime`. The returned function caches the resolved
@@ -14058,10 +14463,25 @@ async function executePiTask(claimedTask, reporter, opts) {
 			attemptN
 		});
 		reporterOpen = true;
-		const emit = (kind, payload) => reporter.record({
-			kind,
-			payload
-		});
+		let onTurnEvent;
+		if (opts.makeOnTurnEvent) try {
+			onTurnEvent = opts.makeOnTurnEvent(claimedTask);
+		} catch (err) {
+			process.stderr.write(`[emit] makeOnTurnEvent threw: ${err instanceof Error ? err.message : String(err)}\n`);
+			onTurnEvent = noopTurnEventHandler;
+		}
+		else onTurnEvent = opts.onTurnEvent ?? noopTurnEventHandler;
+		const emit = (kind, payload) => {
+			try {
+				onTurnEvent(kind, summarizePayloadForLog(kind, payload));
+			} catch (err) {
+				process.stderr.write(`[emit] onTurnEvent threw for kind="${kind}": ${err instanceof Error ? err.message : String(err)}\n`);
+			}
+			return reporter.record({
+				kind,
+				payload
+			});
+		};
 		await emit("info", {
 			event: "execute_start",
 			taskType: task.taskType,
@@ -14071,7 +14491,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 		});
 		let taskPrompt;
 		try {
-			taskPrompt = buildPromptForTask(task, {
+			taskPrompt = buildTaskUserPrompt(task, {
 				diaryId,
 				taskId: task.id,
 				extras: opts.promptExtras
@@ -14084,6 +14504,30 @@ async function executePiTask(claimedTask, reporter, opts) {
 			});
 			return makeFailedOutput("prompt_build_failed", message);
 		}
+		const rawContext = task.input.context;
+		let injectedContext;
+		try {
+			const contextArray = rawContext === void 0 ? [] : rawContext;
+			if (!Value.Check(TaskContext, contextArray)) throw new Error(`task.input.context failed TaskContext validation: ${JSON.stringify([...Value.Errors(TaskContext, contextArray)].slice(0, 3))}`);
+			injectedContext = await injectTaskContext({
+				context: contextArray,
+				fs: managed.vm.fs
+			});
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			await emit("error", {
+				message,
+				phase: "context_resolution"
+			});
+			return makeFailedOutput("context_resolution_failed", message);
+		}
+		if (injectedContext.injected.length > 0) await emit("info", {
+			event: "context_injected",
+			count: injectedContext.injected.length,
+			bindings: injectedContext.injected.map((r) => r.binding),
+			slugs: injectedContext.injected.map((r) => r.slug)
+		});
+		if (injectedContext.userInlineSuffix) taskPrompt = `${taskPrompt}\n\n---\n\n${injectedContext.userInlineSuffix}`;
 		const gondolinCustomTools = [
 			createReadToolDefinition(mountPath, { operations: createGondolinReadOps(managed.vm, mountPath) }),
 			createWriteToolDefinition(mountPath, { operations: createGondolinWriteOps(managed.vm, mountPath) }),
@@ -14120,21 +14564,23 @@ async function executePiTask(claimedTask, reporter, opts) {
 					"moltnet.task.type": task.taskType
 				}
 			});
-			const runtimeInstructor = buildRuntimeInstructor({
+			const appendSystemPrompt = [buildRuntimeInstructor({
 				taskId: task.id,
 				taskType: task.taskType,
 				attemptN,
 				diaryId,
 				agentName: opts.agentName,
 				correlationId: task.correlationId ?? null
-			});
+			})];
+			if (injectedContext.systemPromptPrefix) appendSystemPrompt.push(injectedContext.systemPromptPrefix);
+			const injectedSkills = injectedContext.skills;
 			const resourceLoader = new DefaultResourceLoader({
 				cwd: mountPath,
 				agentDir: piAuthDir,
 				extensionFactories: [piOtelExtension],
-				appendSystemPrompt: [runtimeInstructor],
+				appendSystemPrompt,
 				skillsOverride: () => ({
-					skills: [],
+					skills: injectedSkills,
 					diagnostics: []
 				})
 			});
@@ -14359,6 +14805,27 @@ function wireSessionAbort(cancelSignal, session) {
 * `task_messages.payload` row. Bodies above 4 KiB are replaced with a
 * `{ truncated, original_size }` marker so the JSONL/DB size stays bounded.
 */
+function summarizePayloadForLog(kind, payload) {
+	switch (kind) {
+		case "text_delta": {
+			const delta = payload.delta;
+			return { chars: typeof delta === "string" ? delta.length : 0 };
+		}
+		case "tool_call_start": return { tool: payload.tool_name };
+		case "tool_call_end": return {
+			tool: payload.tool_name,
+			is_error: payload.is_error === true,
+			...payload.is_error === true && payload.result !== void 0 ? { result: payload.result } : {}
+		};
+		case "turn_end": return { stop_reason: payload.stop_reason };
+		case "error": return {
+			phase: payload.phase,
+			message: typeof payload.message === "string" ? payload.message.slice(0, TRUNCATE_LIMIT) : payload.message
+		};
+		case "info": return Object.fromEntries(Object.entries(payload).map(([k, v]) => [k, typeof v === "string" ? v.slice(0, TRUNCATE_LIMIT) : v]));
+		default: return payload;
+	}
+}
 var TRUNCATE_LIMIT = 4 * 1024;
 function truncateForWire(value) {
 	if (value === null || value === void 0) return value;
@@ -14659,4 +15126,4 @@ function moltnetExtension(pi) {
 	registerMoltnetReflectCommand(pi, state);
 }
 //#endregion
-export { HOST_EXEC_DEFAULT_BASE_ENV, activateAgentEnv, createGondolinBashOps, createGondolinEditOps, createGondolinReadOps, createGondolinWriteOps, createMoltNetTools, createPiOtelExtension, createPiTaskExecutor, moltnetExtension as default, ensureSnapshot, executePiTask, findMainWorktree, loadCredentials, resumeVm, toGuestPath };
+export { HOST_EXEC_DEFAULT_BASE_ENV, activateAgentEnv, createGondolinBashOps, createGondolinEditOps, createGondolinReadOps, createGondolinWriteOps, createMoltNetTools, createPiOtelExtension, createPiTaskExecutor, moltnetExtension as default, ensureSnapshot, executePiTask, findMainWorktree, injectTaskContext, loadCredentials, resumeVm, toGuestPath };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/pi-extension",
-  "version": "0.13.5",
+  "version": "0.14.0",
   "type": "module",
   "description": "MoltNet pi extension — sandboxed tool execution in Gondolin VMs with MoltNet identity and persistent memory",
   "license": "MIT",
@@ -31,8 +31,8 @@
     "@earendil-works/gondolin": "^0.9.1",
     "@opentelemetry/api": "^1.9.0",
     "@sinclair/typebox": "^0.34.0",
-    "@themoltnet/agent-runtime": "0.11.0",
-    "@themoltnet/sdk": "0.99.0"
+    "@themoltnet/agent-runtime": "0.12.0",
+    "@themoltnet/sdk": "0.100.0"
   },
   "peerDependencies": {
     "@earendil-works/pi-coding-agent": ">=0.74.0",