@themoltnet/pi-extension 0.15.2 → 0.16.1

package/README.md

@@ -126,6 +126,16 @@ the base snapshot is used (Alpine + git + gh + MoltNet CLI + agent user).
     "GOPATH": "/home/agent/go",
     "GOROOT": "/usr/lib/go"
   },
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" }
+    ]
+  },
   "resources": {
     "cpus": 2,
     "memory": "6G"
@@ -183,6 +193,45 @@ Environment variable overrides applied to the guest VM. Use this to fix host
 env pollution (e.g. `GOROOT` from mise/asdf pointing at a macOS path leaking
 into the Linux guest).
 
+### `hostExec`
+
+Host-side escape hatch policy for `moltnet_host_exec`. The executable must
+still be in the built-in host-exec allowlist (`git`, `gh`, `moltnet`); this
+setting only controls whether the per-call UI approval dialog is skipped.
+
+`autoApprove: true` skips the dialog for every allowed host command. Use that
+only on isolated hosts or disposable machines.
+
+For local daemon runs, prefer rule-based approval:
+
+```json
+{
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" },
+      { "argsPrefix": ["pr", "view"], "executable": "gh" }
+    ]
+  }
+}
+```
+
+Each rule matches an exact executable plus optional argument constraints:
+
+| Field          | Description                                                 |
+| -------------- | ----------------------------------------------------------- |
+| `executable`   | Exact executable name                                       |
+| `argsPrefix`   | Ordered argument prefix; later flags/args are still allowed |
+| `argsContains` | Tokens that must appear anywhere in the args                |
+| `argsExcludes` | Tokens that block auto-approval when present                |
+
+If a rule only sets `executable`, all argument lists for that executable are
+auto-approved after the built-in executable allowlist check.
+
 ## Base snapshot
 
 Every snapshot includes:

package/dist/index.d.ts

@@ -249,6 +249,34 @@ export declare interface ExecutePiTaskOptions {
      * process. See #1078.
      */
     makeOnTurnEvent?: TurnEventHandlerFactory;
+    /**
+     * Cap the number of tool-use turns per attempt. When the limit is
+     * reached, the pi session is aborted and the attempt finalizes with
+     * `error.code: max_turns_exceeded`. A tool-use turn = any `turn_end`
+     * whose `stopReason !== 'end_turn'` (matches the Anthropic SDK
+     * `max_turns` semantics: the model's final text-only response doesn't
+     * count). Default `0` = disabled. Recommended `30` for `fulfill_brief`.
+     * Closes part of #1094.
+     */
+    maxTurns?: number;
+    /**
+     * Cap the number of `bash` tool timeouts per attempt. A timeout is a
+     * `tool_execution_end` for `bash` whose result text contains
+     * "Command timed out after" (pi's stable error wrapper from
+     * `@earendil-works/pi-coding-agent`'s bash tool). When the limit is
+     * reached, the pi session is aborted and the attempt finalizes with
+     * `error.code: max_bash_timeouts_exceeded`. Catches the death-spiral
+     * pattern from task `a3762f44` where the model kept retrying
+     * long-blocking shell commands until the host job timeout fired.
+     * Default `3`. Set to `0` to disable. Closes part of #1094.
+     */
+    maxBashTimeouts?: number;
+    /**
+     * Skip per-call UI approval for matching `moltnet_host_exec` commands.
+     * Keep false/undefined for interactive consumers. `true` skips every dialog
+     * after HOST_EXEC_ALLOWED; an array limits auto-approval to matching rules.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
 }
 
 /**
@@ -263,6 +291,19 @@ export declare function findMainWorktree(): string;
  */
 export declare const HOST_EXEC_DEFAULT_BASE_ENV: ReadonlySet<string>;
 
+declare type HostExecAutoApproveConfig = boolean | readonly HostExecAutoApproveRule[];
+
+declare interface HostExecAutoApproveRule {
+    /** Exact executable name. Must still pass HOST_EXEC_ALLOWED. */
+    executable: string;
+    /** Optional ordered argument prefix; flags after the prefix are allowed. */
+    argsPrefix?: readonly string[];
+    /** Optional unordered argument tokens that must appear somewhere. */
+    argsContains?: readonly string[];
+    /** Optional argument tokens that prevent auto-approval when present. */
+    argsExcludes?: readonly string[];
+}
+
 export declare interface InjectedTaskContext {
     /** Refs that were delivered, in declared order, for audit. */
     injected: ContextRef[];
@@ -341,6 +382,19 @@ declare interface MoltNetToolsConfig {
      * Defaults to HOST_EXEC_DEFAULT_BASE_ENV when omitted.
      */
     hostExecBaseEnv?: ReadonlySet<string>;
+    /**
+     * When true, `moltnet_host_exec` skips the per-call UI approval dialog.
+     * Intended for non-interactive daemon automation only; interactive
+     * consumers should keep the default false behavior.
+     */
+    autoApproveHostExec?: boolean;
+    /**
+     * Host-exec auto-approval policy. `true` skips all dialogs after the
+     * executable allowlist check. An array skips only commands matching one of
+     * the supplied executable/argument rules. Omitted/false preserves the
+     * interactive approval flow.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
     /**
      * Active-task context, populated by the agent-daemon path. When set,
      * `moltnet_create_entry` enforces `diaryId === taskContext.diaryId` and
@@ -397,6 +451,19 @@ export declare interface SandboxConfig {
     };
     /** Environment variable overrides for the guest VM (applied on top of defaults). */
     env?: Record<string, string>;
+    /** Host-side escape hatch policy. Applies only to `moltnet_host_exec`. */
+    hostExec?: {
+        /**
+         * `true` auto-approves every allowed executable. An array auto-approves
+         * only commands matching one of the executable/argument rules.
+         */
+        autoApprove?: boolean | {
+            executable: string;
+            argsPrefix?: string[];
+            argsContains?: string[];
+            argsExcludes?: string[];
+        }[];
+    };
     /** VM resource allocation. */
     resources?: {
         /** Memory size in qemu syntax (default '1G'). */

package/dist/index.js

@@ -7274,6 +7274,7 @@ function renderPhase6Markdown(pack) {
 * These tools run on the host (not in the VM) via the MoltNet SDK,
 * so agent credentials never touch the VM filesystem.
 */
+var DIARY_TAG_MAX_LENGTH = 128;
 /**
 * Baseline env keys forwarded to host-exec child processes.
 * Callers can extend this set at sandbox startup via `MoltNetToolsConfig.hostExecBaseEnv`.
@@ -7302,6 +7303,19 @@ function ensureConnected(config) {
 		teamId: config.getTeamId() ?? ""
 	};
 }
+function hostExecMatchesAutoApproveRule(params, rule) {
+	if (params.executable !== rule.executable) return false;
+	if (rule.argsExcludes?.some((arg) => params.args.includes(arg))) return false;
+	if (rule.argsPrefix && !rule.argsPrefix.every((arg, index) => params.args[index] === arg)) return false;
+	if (rule.argsContains && !rule.argsContains.every((arg) => params.args.includes(arg))) return false;
+	return true;
+}
+function shouldAutoApproveHostExec(params, config) {
+	const policy = config.autoApproveHostExec === true ? true : config.hostExecAutoApprove ?? false;
+	if (policy === true) return true;
+	if (!Array.isArray(policy)) return false;
+	return policy.some((rule) => hostExecMatchesAutoApproveRule(params, rule));
+}
 /**
 * Expand the `taskFilter` shorthand on the diary list/search tools into
 * the matching `task:*` provenance tags emitted by `moltnet_create_entry`
@@ -7520,14 +7534,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max entries to return (default 10)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags filter — entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags to exclude — entry must have NONE of these. Max 20.",
 				maxItems: 20
@@ -7620,14 +7634,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max results (default 5)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have NONE of these tags. Max 20.",
 				maxItems: 20
@@ -7673,7 +7687,7 @@ function createMoltNetTools(config) {
 	const createEntry = defineTool({
 		name: "moltnet_create_entry",
 		label: "Create MoltNet Diary Entry",
-		description: "Create a new diary entry to record decisions, findings, incidents, or reflections. During an active task, the entry is forced into the task diary and tagged with the task:* provenance namespace (task:id:<id>, task:type:<type>, task:attempt:<n>, plus task:correlation:<id> when set); an explicit diaryId mismatching the task diary is rejected.",
+		description: "Create a new diary entry to record decisions, findings, incidents, or reflections. During an active task, the entry is forced into the task diary and tagged with the task:* provenance namespace (task:id:<id>, task:type:<type>, task:attempt:<n>, plus task:correlation:<id> when set); an explicit diaryId mismatching the task diary is rejected. Use this tool — NOT `moltnet entry create` / `moltnet entry create-signed` via bash. The CLI path bypasses task-tag auto-injection and leaves entries invisible to taskFilter queries.",
 		parameters: Type.Object({
 			title: Type.String({ description: "Entry title (concise, descriptive)" }),
 			content: Type.String({ description: "Entry content (markdown)" }),
@@ -7813,7 +7827,7 @@ function createMoltNetTools(config) {
 			}),
 			async execute(_id, params, _signal, _onUpdate, ctx) {
 				if (!HOST_EXEC_ALLOWED.has(params.executable)) throw new Error(`host_exec: '${params.executable}' is not in the allowed list (${[...HOST_EXEC_ALLOWED].join(", ")}). Extend HOST_EXEC_ALLOWED only after explicit security review.`);
-				if (ctx?.ui) {
+				if (ctx?.ui && !shouldAutoApproveHostExec(params, config)) {
 					const cmdDisplay = [params.executable, ...params.args].join(" ");
 					if (!await ctx.ui.confirm("Allow host command?", `The agent wants to run on your machine:\n\n  ${cmdDisplay}\n\nAllow?`)) throw new Error(`host_exec: user declined approval for: ${cmdDisplay}`);
 				}
@@ -8253,38 +8267,48 @@ async function resumeVm(config) {
 			[GUEST_TASK_SKILLS_MOUNT]: new MemoryProvider()
 		} }
 	});
-	await vm.exec(`sh -c '
+	try {
+		await vm.exec(`sh -c '
     cp /etc/gondolin/mitm/ca.crt /usr/local/share/ca-certificates/gondolin-mitm.crt
     update-ca-certificates 2>/dev/null
     cat /etc/gondolin/mitm/ca.crt >> /etc/ssl/certs/ca-certificates.crt
   '`);
-	await vmRun(vm, "DNS resolvers", `printf 'nameserver 8.8.8.8\\nnameserver 1.1.1.1\\n' > /etc/resolv.conf`);
-	await vmRun(vm, "git safe.directory", `git config --system --add safe.directory '*'`);
-	for (const [i, cmd] of (config.sandboxConfig?.resumeCommands ?? []).entries()) await vmRun(vm, `resumeCommands[${i}]`, cmd);
-	const vmSshDir = `${vmAgentDir}/ssh`;
-	await vm.exec(`mkdir -p ${vmAgentDir}/ssh /home/agent/.pi/agent`);
-	if (creds.piAuthJson !== null) await vm.fs.writeFile("/home/agent/.pi/agent/auth.json", creds.piAuthJson, { mode: 384 });
-	const vmMoltnetJson = rewriteMoltnetJsonPaths(creds.moltnetJson, vmAgentDir, vmSshDir, creds.githubAppPemFilename);
-	await vm.fs.writeFile(`${vmAgentDir}/moltnet.json`, vmMoltnetJson, { mode: 384 });
-	await vm.fs.writeFile(`${vmAgentDir}/env`, creds.agentEnvRaw, { mode: 384 });
-	if (creds.gitconfig) {
-		const vmSigningKey = `${vmSshDir}/id_ed25519`;
-		let vmGitconfig = creds.gitconfig.replace(/signingKey\s*=\s*.+/g, `signingKey = ${vmSigningKey}`);
-		vmGitconfig = ensureRelativeWorktreePaths(vmGitconfig);
-		await vm.fs.writeFile(`${vmAgentDir}/gitconfig`, vmGitconfig, { mode: 420 });
-	}
-	if (creds.sshPrivateKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519`, creds.sshPrivateKey, { mode: 384 });
-	if (creds.sshPublicKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519.pub`, creds.sshPublicKey, { mode: 420 });
-	if (creds.allowedSigners) await vm.fs.writeFile(`${vmSshDir}/allowed_signers`, creds.allowedSigners, { mode: 420 });
-	if (creds.githubAppPem && creds.githubAppPemFilename) await vm.fs.writeFile(`${vmAgentDir}/${creds.githubAppPemFilename}`, creds.githubAppPem, { mode: 384 });
-	await vm.exec("chown -R agent:agent /home/agent/.pi /home/agent/.moltnet");
-	return {
-		vm,
-		credentials: creds,
-		mountPath: config.mountPath,
-		guestWorkspace: GUEST_WORKSPACE$2,
-		agentDir
-	};
+		await vmRun(vm, "DNS resolvers", `printf 'nameserver 8.8.8.8\\nnameserver 1.1.1.1\\n' > /etc/resolv.conf`);
+		await vmRun(vm, "git safe.directory", `git config --system --add safe.directory '*'`);
+		for (const [i, cmd] of (config.sandboxConfig?.resumeCommands ?? []).entries()) await vmRun(vm, `resumeCommands[${i}]`, cmd);
+		const vmSshDir = `${vmAgentDir}/ssh`;
+		await vm.exec(`mkdir -p ${vmAgentDir}/ssh /home/agent/.pi/agent`);
+		if (creds.piAuthJson !== null) await vm.fs.writeFile("/home/agent/.pi/agent/auth.json", creds.piAuthJson, { mode: 384 });
+		const vmMoltnetJson = rewriteMoltnetJsonPaths(creds.moltnetJson, vmAgentDir, vmSshDir, creds.githubAppPemFilename);
+		await vm.fs.writeFile(`${vmAgentDir}/moltnet.json`, vmMoltnetJson, { mode: 384 });
+		await vm.fs.writeFile(`${vmAgentDir}/env`, creds.agentEnvRaw, { mode: 384 });
+		if (creds.gitconfig) {
+			const vmSigningKey = `${vmSshDir}/id_ed25519`;
+			let vmGitconfig = creds.gitconfig.replace(/signingKey\s*=\s*.+/g, `signingKey = ${vmSigningKey}`);
+			vmGitconfig = ensureRelativeWorktreePaths(vmGitconfig);
+			await vm.fs.writeFile(`${vmAgentDir}/gitconfig`, vmGitconfig, { mode: 420 });
+		}
+		if (creds.sshPrivateKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519`, creds.sshPrivateKey, { mode: 384 });
+		if (creds.sshPublicKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519.pub`, creds.sshPublicKey, { mode: 420 });
+		if (creds.allowedSigners) await vm.fs.writeFile(`${vmSshDir}/allowed_signers`, creds.allowedSigners, { mode: 420 });
+		if (creds.githubAppPem && creds.githubAppPemFilename) await vm.fs.writeFile(`${vmAgentDir}/${creds.githubAppPemFilename}`, creds.githubAppPem, { mode: 384 });
+		await vm.exec("chown -R agent:agent /home/agent/.pi /home/agent/.moltnet");
+		return {
+			vm,
+			credentials: creds,
+			mountPath: config.mountPath,
+			guestWorkspace: GUEST_WORKSPACE$2,
+			agentDir
+		};
+	} catch (err) {
+		try {
+			await vm.close();
+		} catch (closeErr) {
+			const m = closeErr instanceof Error ? closeErr.message : String(closeErr);
+			process.stderr.write(`[vm] post-throw vm.close() failed: ${m}\n`);
+		}
+		throw err;
+	}
 }
 /**
 * Rewrite host-absolute paths inside moltnet.json to VM-local equivalents.
@@ -14706,8 +14730,8 @@ function buildRuntimeInstructor(ctx) {
 		"## Diary discipline",
 		"",
 		`- During this task, every diary entry MUST land in \`${ctx.diaryId}\``,
-		"  (the task diary). The MCP `moltnet_create_entry` tool enforces this",
-		"  and rejects mismatched explicit `diaryId` parameters.",
+		"  (the task diary). The `moltnet_create_entry` custom tool enforces",
+		"  this and rejects mismatched explicit `diaryId` parameters.",
 		`- Provenance tags \`task:id:${ctx.taskId}\`, \`task:type:${ctx.taskType}\`,`,
 		`  and \`task:attempt:${ctx.attemptN}\`${ctx.correlationId ? `, plus \`task:correlation:${ctx.correlationId}\`` : ""} are auto-injected on every entry.`,
 		"  These share the `task:` namespace so `moltnet_diary_tags` with",
@@ -14715,12 +14739,23 @@ function buildRuntimeInstructor(ctx) {
 		"  `taskFilter` shorthand on `moltnet_list_entries` /",
 		"  `moltnet_search_entries` expands into them. You may add additional",
 		"  tags but you cannot remove the auto-injected ones.",
+		"- **DO NOT shell out to `moltnet entry create` / `moltnet entry",
+		"  create-signed` / any other `moltnet entry` subcommand via bash.**",
+		"  Those CLI paths hit the REST API directly and bypass the",
+		"  custom tool's task-tag auto-injection, leaving you with",
+		"  untagged entries that `moltnet_list_entries` with a",
+		"  `taskFilter: { taskId: ... }` cannot find. The legreffier skill",
+		"  recommends `moltnet entry *` for normal interactive sessions —",
+		"  inside a running task that advice does not apply. Use the",
+		"  `moltnet_create_entry` custom tool only.",
 		"",
 		"## Accountable commits",
 		"",
 		"- Every commit you make during this task MUST be paired with a signed",
-		"  diary entry created via `moltnet_create_entry`. Embed the returned",
-		"  entry id in the commit trailer `MoltNet-Diary: <id>`.",
+		"  diary entry created via the `moltnet_create_entry` custom tool",
+		"  (NOT via `moltnet entry create-signed` from bash — see Diary",
+		"  discipline above). Embed the returned entry id in the commit",
+		"  trailer `MoltNet-Diary: <id>`.",
 		"- Commits must be signed with the agent credentials (gitconfig is",
 		"  pre-configured). Do not bypass signing.",
 		"",
@@ -15345,6 +15380,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 				clearSessionErrors: () => {},
 				getHostCwd: () => mountPath,
 				hostExecBaseEnv: new Set([...HOST_EXEC_DEFAULT_BASE_ENV, ...Object.keys(managed.credentials.agentEnv)]),
+				hostExecAutoApprove: opts.hostExecAutoApprove ?? opts.sandboxConfig?.hostExec?.autoApprove ?? false,
 				getTaskContext: () => ({
 					taskId: task.id,
 					taskType: task.taskType,
@@ -15417,6 +15453,11 @@ async function executePiTask(claimedTask, reporter, opts) {
 		let assistantText = "";
 		let reporterError = null;
 		const usage = finalUsage;
+		let capAbort = null;
+		let toolUseTurnCount = 0;
+		let bashTimeoutCount = 0;
+		const maxTurns = opts.maxTurns ?? 0;
+		const maxBashTimeouts = opts.maxBashTimeouts ?? 3;
 		cancelListener = wireSessionAbort(reporter.cancelSignal, session);
 		const recordingPromise = [];
 		const track = (p) => {
@@ -15431,6 +15472,23 @@ async function executePiTask(claimedTask, reporter, opts) {
 				}
 			}));
 		};
+		const liveSession = session;
+		const triggerCapAbort = (code, message) => {
+			if (capAbort) return;
+			capAbort = {
+				code,
+				message
+			};
+			liveSession.abort().catch((err) => {
+				const m = err instanceof Error ? err.message : String(err);
+				process.stderr.write(`[cap] session.abort() failed: ${m}\n`);
+			});
+			track(emit("info", {
+				event: "cap_abort",
+				code,
+				message
+			}));
+		};
 		session.subscribe((event) => {
 			if (event.type === "message_update") {
 				const ae = event.assistantMessageEvent;
@@ -15439,12 +15497,17 @@ async function executePiTask(claimedTask, reporter, opts) {
 					track(emit("text_delta", { delta: ae.delta }));
 				}
 			} else if (event.type === "tool_execution_start") track(emit("tool_call_start", { tool_name: event.toolName }));
-			else if (event.type === "tool_execution_end") track(emit("tool_call_end", {
-				tool_name: event.toolName,
-				is_error: event.isError,
-				result: event.isError ? truncateForWire(event.result) : void 0
-			}));
-			else if (event.type === "turn_end") {
+			else if (event.type === "tool_execution_end") {
+				track(emit("tool_call_end", {
+					tool_name: event.toolName,
+					is_error: event.isError,
+					result: event.isError ? truncateForWire(event.result) : void 0
+				}));
+				if (maxBashTimeouts > 0 && event.toolName === "bash" && event.isError && isBashTimeoutResult(event.result)) {
+					bashTimeoutCount += 1;
+					if (bashTimeoutCount >= maxBashTimeouts) triggerCapAbort("max_bash_timeouts_exceeded", `Aborted after ${bashTimeoutCount} bash timeouts in this attempt (cap ${maxBashTimeouts}).`);
+				}
+			} else if (event.type === "turn_end") {
 				const msg = event.message;
 				if (msg?.role === "assistant" && msg.usage) {
 					usage.inputTokens += Math.max(0, msg.usage.input ?? 0);
@@ -15454,7 +15517,12 @@ async function executePiTask(claimedTask, reporter, opts) {
 					if (cr) usage.cacheReadTokens = (usage.cacheReadTokens ?? 0) + cr;
 					if (cw) usage.cacheWriteTokens = (usage.cacheWriteTokens ?? 0) + cw;
 				}
-				track(emit("turn_end", { stop_reason: msg?.stopReason ?? "end_turn" }));
+				const stopReason = msg?.stopReason ?? "end_turn";
+				track(emit("turn_end", { stop_reason: stopReason }));
+				if (maxTurns > 0 && stopReason !== "end_turn" && stopReason !== "aborted" && stopReason !== "error") {
+					toolUseTurnCount += 1;
+					if (toolUseTurnCount >= maxTurns) triggerCapAbort("max_turns_exceeded", `Aborted after ${toolUseTurnCount} tool-use turns (cap ${maxTurns}).`);
+				}
 				llmAbort = msg?.stopReason === "error";
 				if (msg?.stopReason === "error") llmErrorMessage = typeof msg.errorMessage === "string" && msg.errorMessage.length > 0 ? msg.errorMessage : null;
 				else llmErrorMessage = null;
@@ -15483,7 +15551,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 		let parsedOutput = null;
 		let parsedOutputCid = null;
 		let parseError = null;
-		if (!runError && !llmAbort && !cancelled) {
+		if (!runError && !llmAbort && !cancelled && !capAbort) {
 			const captured = submitToolHandle?.getCaptured() ?? null;
 			if (captured) try {
 				parsedOutput = captured;
@@ -15536,6 +15604,21 @@ async function executePiTask(claimedTask, reporter, opts) {
 				retryable: false
 			}
 		};
+		const capAbortSnapshot = capAbort;
+		if (capAbortSnapshot) return {
+			taskId: task.id,
+			attemptN,
+			status: "failed",
+			output: null,
+			outputCid: null,
+			usage,
+			durationMs: Date.now() - startTime,
+			error: {
+				code: capAbortSnapshot.code,
+				message: capAbortSnapshot.message,
+				retryable: false
+			}
+		};
 		const status = runError || llmAbort || parseError || reporterError ? "failed" : "completed";
 		const errorCode = runError?.code ?? parseError?.code ?? reporterError?.code ?? (llmAbort ? "llm_api_error" : void 0);
 		const errorMessage = runError?.message ?? parseError?.message ?? reporterError?.message ?? (llmAbort ? llmErrorMessage ?? "LLM API error during turn" : void 0);
@@ -15637,6 +15720,25 @@ function summarizePayloadForLog(kind, payload) {
 		default: return payload;
 	}
 }
+/**
+* Detect pi's bash-timeout error wrapper in a `tool_execution_end`
+* result. The bash tool surfaces a timeout as a structured tool result
+* `{ content: [{ type: 'text', text: '… Command timed out after N
+* seconds' }] }` (see `@earendil-works/pi-coding-agent`'s bash.js).
+* Substring-match against the stable wrapper string is the only
+* mechanism short of patching pi; the string is part of pi's external
+* tool-error API and changing it would break agents that read tool
+* errors.
+*/
+function isBashTimeoutResult(result) {
+	if (result === null || result === void 0) return false;
+	if (typeof result === "string") return result.includes("Command timed out after");
+	if (typeof result !== "object") return false;
+	const content = result.content;
+	if (!Array.isArray(content)) return false;
+	for (const part of content) if (typeof part === "object" && part !== null && typeof part.text === "string" && part.text.includes("Command timed out after")) return true;
+	return false;
+}
 var TRUNCATE_LIMIT = 4 * 1024;
 function truncateForWire(value) {
 	if (value === null || value === void 0) return value;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/pi-extension",
-  "version": "0.15.2",
+  "version": "0.16.1",
   "type": "module",
   "description": "MoltNet pi extension — sandboxed tool execution in Gondolin VMs with MoltNet identity and persistent memory",
   "license": "MIT",