@themoltnet/pi-extension 0.16.0 → 0.16.2

package/README.md

@@ -126,10 +126,21 @@ the base snapshot is used (Alpine + git + gh + MoltNet CLI + agent user).
     "GOPATH": "/home/agent/go",
     "GOROOT": "/usr/lib/go"
   },
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" }
+    ]
+  },
   "resources": {
     "cpus": 2,
     "memory": "6G"
   },
+  "resumeCommands": ["corepack enable"],
   "snapshot": {
     "allowedHosts": ["unofficial-builds.nodejs.org"],
     "overlaySize": "8G",
@@ -165,6 +176,25 @@ VM resource limits applied at runtime.
 | `cpus`   | Number of virtual CPUs  |
 | `memory` | RAM limit (e.g. `"6G"`) |
 
+### `resumeCommands`
+
+Shell commands that run on every VM resume, after platform setup and before the
+agent session starts.
+
+Use this for per-session bootstrap that should not invalidate the snapshot
+cache: mounting tmpfs, warming package-manager state, lightweight repo-local
+setup.
+
+Important properties:
+
+- runs after TLS, DNS, and `git safe.directory` setup
+- not part of the snapshot cache key
+- each command runs in a fresh shell with `set -eu` and `set -o pipefail`
+- first non-zero exit aborts VM resume
+
+This split exists so repo-specific bootstrap can live in `sandbox.json` while
+`pi-extension` stays consumer-agnostic.
+
 ### `vfs`
 
 VFS shadow configuration — hide host paths from the guest mount.
@@ -177,12 +207,76 @@ VFS shadow configuration — hide host paths from the guest mount.
 Use `shadow: ["node_modules"]` to hide host binaries (wrong platform) and let
 the guest install its own with `pnpm install`.
 
+#### VFS caveat: shadowing is not a pnpm performance fix
+
+For this repo we hit two distinct `/workspace` problems:
+
+- the FUSE bridge makes file-write-heavy installs much slower than guest-local filesystems
+- the `/workspace` VFS path drops `chmod()` calls, which breaks tools that create files and chmod them later
+
+Dogfood trail:
+
+- `47b67636-067a-4254-9098-38d00b4867bb` — `/workspace` install path measured at roughly 80x slower than guest tmpfs
+- `62082ec9-0554-4bdc-9c64-9d89ece3fa40` — `chmod()` gap on the workspace mount
+- `17f0ac6f-07f0-4e12-b5e5-d35a0fa2df6c` — first 100x pnpm recipe
+- `2e4e25a9-ef4b-46bf-a55d-6c2b1159ee61` — follow-up fix for per-workspace `node_modules`
+
+`vfs.shadow: ["node_modules"]` is still useful to hide host-built artifacts,
+but it does not solve the hot-path problem by itself. For fast pnpm setup, move
+both endpoints off the FUSE bridge:
+
+- package store on guest-local disk, e.g. `NPM_CONFIG_STORE_DIR=/opt/pnpm-store`
+- install target on guest tmpfs via `resumeCommands`
+
+Current themoltnet `sandbox.json` does this by mounting tmpfs over the root and
+per-workspace `node_modules` directories before running `pnpm install
+--frozen-lockfile`.
+
 ### `env`
 
 Environment variable overrides applied to the guest VM. Use this to fix host
 env pollution (e.g. `GOROOT` from mise/asdf pointing at a macOS path leaking
 into the Linux guest).
 
+### `hostExec`
+
+Host-side escape hatch policy for `moltnet_host_exec`. The executable must
+still be in the built-in host-exec allowlist (`git`, `gh`, `moltnet`); this
+setting only controls whether the per-call UI approval dialog is skipped.
+
+`autoApprove: true` skips the dialog for every allowed host command. Use that
+only on isolated hosts or disposable machines.
+
+For local daemon runs, prefer rule-based approval:
+
+```json
+{
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" },
+      { "argsPrefix": ["pr", "view"], "executable": "gh" }
+    ]
+  }
+}
+```
+
+Each rule matches an exact executable plus optional argument constraints:
+
+| Field          | Description                                                 |
+| -------------- | ----------------------------------------------------------- |
+| `executable`   | Exact executable name                                       |
+| `argsPrefix`   | Ordered argument prefix; later flags/args are still allowed |
+| `argsContains` | Tokens that must appear anywhere in the args                |
+| `argsExcludes` | Tokens that block auto-approval when present                |
+
+If a rule only sets `executable`, all argument lists for that executable are
+auto-approved after the built-in executable allowlist check.
+
 ## Base snapshot
 
 Every snapshot includes:

package/dist/index.d.ts

@@ -271,6 +271,12 @@ export declare interface ExecutePiTaskOptions {
      * Default `3`. Set to `0` to disable. Closes part of #1094.
      */
     maxBashTimeouts?: number;
+    /**
+     * Skip per-call UI approval for matching `moltnet_host_exec` commands.
+     * Keep false/undefined for interactive consumers. `true` skips every dialog
+     * after HOST_EXEC_ALLOWED; an array limits auto-approval to matching rules.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
 }
 
 /**
@@ -285,6 +291,19 @@ export declare function findMainWorktree(): string;
  */
 export declare const HOST_EXEC_DEFAULT_BASE_ENV: ReadonlySet<string>;
 
+declare type HostExecAutoApproveConfig = boolean | readonly HostExecAutoApproveRule[];
+
+declare interface HostExecAutoApproveRule {
+    /** Exact executable name. Must still pass HOST_EXEC_ALLOWED. */
+    executable: string;
+    /** Optional ordered argument prefix; flags after the prefix are allowed. */
+    argsPrefix?: readonly string[];
+    /** Optional unordered argument tokens that must appear somewhere. */
+    argsContains?: readonly string[];
+    /** Optional argument tokens that prevent auto-approval when present. */
+    argsExcludes?: readonly string[];
+}
+
 export declare interface InjectedTaskContext {
     /** Refs that were delivered, in declared order, for audit. */
     injected: ContextRef[];
@@ -363,6 +382,19 @@ declare interface MoltNetToolsConfig {
      * Defaults to HOST_EXEC_DEFAULT_BASE_ENV when omitted.
      */
     hostExecBaseEnv?: ReadonlySet<string>;
+    /**
+     * When true, `moltnet_host_exec` skips the per-call UI approval dialog.
+     * Intended for non-interactive daemon automation only; interactive
+     * consumers should keep the default false behavior.
+     */
+    autoApproveHostExec?: boolean;
+    /**
+     * Host-exec auto-approval policy. `true` skips all dialogs after the
+     * executable allowlist check. An array skips only commands matching one of
+     * the supplied executable/argument rules. Omitted/false preserves the
+     * interactive approval flow.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
     /**
      * Active-task context, populated by the agent-daemon path. When set,
      * `moltnet_create_entry` enforces `diaryId === taskContext.diaryId` and
@@ -419,6 +451,19 @@ export declare interface SandboxConfig {
     };
     /** Environment variable overrides for the guest VM (applied on top of defaults). */
     env?: Record<string, string>;
+    /** Host-side escape hatch policy. Applies only to `moltnet_host_exec`. */
+    hostExec?: {
+        /**
+         * `true` auto-approves every allowed executable. An array auto-approves
+         * only commands matching one of the executable/argument rules.
+         */
+        autoApprove?: boolean | {
+            executable: string;
+            argsPrefix?: string[];
+            argsContains?: string[];
+            argsExcludes?: string[];
+        }[];
+    };
     /** VM resource allocation. */
     resources?: {
         /** Memory size in qemu syntax (default '1G'). */

package/dist/index.js

@@ -1,7 +1,7 @@
 import { createRequire } from "node:module";
 import { execFileSync } from "node:child_process";
 import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync } from "node:fs";
-import path, { join } from "node:path";
+import path, { join, relative } from "node:path";
 import { DefaultResourceLoader, SessionManager, createAgentSession, createBashTool, createBashToolDefinition, createEditTool, createEditToolDefinition, createReadTool, createReadToolDefinition, createSyntheticSourceInfo, createWriteTool, createWriteToolDefinition, defineTool, parseFrontmatter } from "@earendil-works/pi-coding-agent";
 import { createHash } from "node:crypto";
 import { readFile } from "node:fs/promises";
@@ -7274,6 +7274,7 @@ function renderPhase6Markdown(pack) {
 * These tools run on the host (not in the VM) via the MoltNet SDK,
 * so agent credentials never touch the VM filesystem.
 */
+var DIARY_TAG_MAX_LENGTH = 128;
 /**
 * Baseline env keys forwarded to host-exec child processes.
 * Callers can extend this set at sandbox startup via `MoltNetToolsConfig.hostExecBaseEnv`.
@@ -7302,6 +7303,19 @@ function ensureConnected(config) {
 		teamId: config.getTeamId() ?? ""
 	};
 }
+function hostExecMatchesAutoApproveRule(params, rule) {
+	if (params.executable !== rule.executable) return false;
+	if (rule.argsExcludes?.some((arg) => params.args.includes(arg))) return false;
+	if (rule.argsPrefix && !rule.argsPrefix.every((arg, index) => params.args[index] === arg)) return false;
+	if (rule.argsContains && !rule.argsContains.every((arg) => params.args.includes(arg))) return false;
+	return true;
+}
+function shouldAutoApproveHostExec(params, config) {
+	const policy = config.autoApproveHostExec === true ? true : config.hostExecAutoApprove ?? false;
+	if (policy === true) return true;
+	if (!Array.isArray(policy)) return false;
+	return policy.some((rule) => hostExecMatchesAutoApproveRule(params, rule));
+}
 /**
 * Expand the `taskFilter` shorthand on the diary list/search tools into
 * the matching `task:*` provenance tags emitted by `moltnet_create_entry`
@@ -7520,14 +7534,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max entries to return (default 10)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags filter — entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags to exclude — entry must have NONE of these. Max 20.",
 				maxItems: 20
@@ -7620,14 +7634,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max results (default 5)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have NONE of these tags. Max 20.",
 				maxItems: 20
@@ -7813,7 +7827,7 @@ function createMoltNetTools(config) {
 			}),
 			async execute(_id, params, _signal, _onUpdate, ctx) {
 				if (!HOST_EXEC_ALLOWED.has(params.executable)) throw new Error(`host_exec: '${params.executable}' is not in the allowed list (${[...HOST_EXEC_ALLOWED].join(", ")}). Extend HOST_EXEC_ALLOWED only after explicit security review.`);
-				if (ctx?.ui) {
+				if (ctx?.ui && !shouldAutoApproveHostExec(params, config)) {
 					const cmdDisplay = [params.executable, ...params.args].join(" ");
 					if (!await ctx.ui.confirm("Allow host command?", `The agent wants to run on your machine:\n\n  ${cmdDisplay}\n\nAllow?`)) throw new Error(`host_exec: user declined approval for: ${cmdDisplay}`);
 				}
@@ -8810,22 +8824,6 @@ function validateRubricWeights(rubric) {
 	if (Math.abs(sum - 1) > 1e-6) return `Rubric weights must sum to 1.0 (got ${sum.toFixed(6)})`;
 	return null;
 }
-`
-You are reviewing a GitHub pull request for **complexity** — how hard
-this change is to review safely, NOT whether it's correct or whether
-the feature is worthwhile. The diff has already been opened by the
-producer; your job is to score reviewability.
-
-You may run \`gh pr diff <number>\`, \`gh pr view <number>\`, and read
-files in the workspace. Don't run tests, don't push commits, don't
-modify anything. The PR's GitHub URL is in the target metadata.
-
-When in doubt about a criterion, score conservatively (lower) and
-explain what made the call ambiguous. Reviewers will read your
-rationale; "looks fine" is not useful, "the change touches three
-unrelated subsystems and the test coverage on the auth path is
-unchanged" is.
-`.trim();
 //#endregion
 //#region ../tasks/src/success-criteria.ts
 /**
@@ -9704,6 +9702,7 @@ var BUILT_IN_TASK_TYPES = {
 		inputSchema: FulfillBriefInput,
 		outputSchema: FulfillBriefOutput,
 		outputKind: "artifact",
+		workspaceMode: "dedicated_worktree",
 		requiresReferences: false,
 		validateOutput: requireVerificationWhenCriteriaPresent
 	},
@@ -9712,6 +9711,7 @@ var BUILT_IN_TASK_TYPES = {
 		inputSchema: AssessBriefInput,
 		outputSchema: AssessBriefOutput,
 		outputKind: "judgment",
+		workspaceMode: "dedicated_worktree",
 		requiresReferences: true,
 		validateInput: validateJudgmentInput,
 		validateInputAsync: validateAssessBriefInputAsync
@@ -9825,6 +9825,15 @@ function getTaskOutputSchema(taskType) {
 function taskTypeUsesSubagents(taskType) {
 	return getTaskTypeEntry(taskType)?.usesSubagents === true;
 }
+/**
+* Filesystem isolation policy requested by the task type.
+*
+* Unknown task types and task types without an explicit policy default to the
+* legacy/shared behaviour.
+*/
+function taskTypeWorkspaceMode(taskType) {
+	return getTaskTypeEntry(taskType)?.workspaceMode ?? "shared_mount";
+}
 //#endregion
 //#region ../tasks/src/wire.ts
 /**
@@ -10312,6 +10321,15 @@ function buildAssessBriefUserPrompt(input, ctx) {
 		rubric.preamble,
 		""
 	].join("\n") : "";
+	const workspaceSection = ctx.workspace?.mode === "dedicated_worktree" ? [
+		"### Workspace",
+		"",
+		"This review attempt is running inside a dedicated disposable git",
+		"worktree created for this task. If you need to check out the target",
+		"branch or inspect refs locally, do it only inside this worktree.",
+		ctx.workspace.branch ? `The current review branch is \`${ctx.workspace.branch}\`. You may replace it with the target branch locally if that helps your inspection.` : "The current checkout is disposable and will be cleaned up when the task ends.",
+		""
+	].join("\n") : "";
 	return [
 		"# Assess Brief Judge",
 		"",
@@ -10352,6 +10370,7 @@ function buildAssessBriefUserPrompt(input, ctx) {
 		"  read it from the task you fetched in step 1 and pass",
 		"  `taskFilter: { correlationId: \"<id>\" }`.",
 		"",
+		workspaceSection,
 		preambleSection,
 		"## Criteria",
 		"",
@@ -10611,6 +10630,14 @@ function buildFulfillBriefUserPrompt(input, ctx) {
 		"from this branch naming scheme when correlationId is set.",
 		""
 	].join("\n") : "";
+	const workspaceSection = ctx.workspace?.mode === "dedicated_worktree" ? [
+		"### Workspace",
+		"",
+		"This attempt is running inside a dedicated git worktree created",
+		"for this task. Do not repurpose or switch the primary checkout.",
+		ctx.workspace.branch ? `The current branch is \`${ctx.workspace.branch}\`. Stay on this branch unless the runtime instructor explicitly tells you otherwise.` : "Stay on the branch that was pre-provisioned for this task.",
+		""
+	].join("\n") : "";
 	return [
 		"# Fulfill Brief Agent",
 		"",
@@ -10631,9 +10658,10 @@ function buildFulfillBriefUserPrompt(input, ctx) {
 		criteriaSection,
 		seedSection,
 		correlationSection,
+		workspaceSection,
 		"### Workflow",
 		"",
-		`1. Create a feature branch (starting prefix suggestion: \`${branchSlug}<short-slug>\`).`,
+		ctx.workspace?.mode === "dedicated_worktree" ? `1. Use the already-provisioned dedicated worktree branch${ctx.workspace.branch ? ` (\`${ctx.workspace.branch}\`)` : ""}; do not create or switch the primary checkout.` : `1. Create a feature branch (starting prefix suggestion: \`${branchSlug}<short-slug>\`).`,
 		"2. Understand the problem — read relevant code; do not speculate.",
 		"3. Implement the change. Keep commits small and coherent.",
 		"4. Add tests if applicable.",
@@ -11031,7 +11059,8 @@ function buildTaskUserPrompt(task, ctx) {
 			return buildFulfillBriefUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
 				taskId: ctx.taskId,
-				correlationId: task.correlationId
+				correlationId: task.correlationId,
+				workspace: ctx.workspace
 			});
 		case ASSESS_BRIEF_TYPE:
 			if (!Value.Check(AssessBriefInput, task.input)) {
@@ -11040,7 +11069,8 @@ function buildTaskUserPrompt(task, ctx) {
 			}
 			return buildAssessBriefUserPrompt(task.input, {
 				diaryId: ctx.diaryId,
-				taskId: ctx.taskId
+				taskId: ctx.taskId,
+				workspace: ctx.workspace
 			});
 		case CURATE_PACK_TYPE:
 			if (!Value.Check(CuratePackInput, task.input)) {
@@ -15216,7 +15246,8 @@ async function executePiTask(claimedTask, reporter, opts) {
 	const task = claimedTask.task;
 	const attemptN = claimedTask.attemptN;
 	const startTime = Date.now();
-	const mountPath = opts.mountPath ?? process.cwd();
+	const workspace = prepareTaskWorkspace(task, opts.mountPath ?? process.cwd());
+	const mountPath = workspace.mountPath;
 	if (reporter.cancelSignal.aborted) return {
 		taskId: task.id,
 		attemptN,
@@ -15247,7 +15278,8 @@ async function executePiTask(claimedTask, reporter, opts) {
 			"--relative-paths"
 		], { stdio: "pipe" });
 	} catch {}
-	const managed = await resumeVm({
+	let managed = null;
+	managed = await resumeVm({
 		checkpointPath,
 		agentName: opts.agentName,
 		mountPath,
@@ -15307,13 +15339,19 @@ async function executePiTask(claimedTask, reporter, opts) {
 			taskType: task.taskType,
 			teamId: task.teamId,
 			provider: opts.provider,
-			model: opts.model
+			model: opts.model,
+			workspaceMode: workspace.mode,
+			workspaceBranch: workspace.branch
 		});
 		let taskPrompt;
 		try {
 			taskPrompt = buildTaskUserPrompt(task, {
 				diaryId,
 				taskId: task.id,
+				workspace: {
+					mode: workspace.mode,
+					branch: workspace.branch
+				},
 				extras: opts.promptExtras
 			});
 		} catch (err) {
@@ -15366,6 +15404,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 				clearSessionErrors: () => {},
 				getHostCwd: () => mountPath,
 				hostExecBaseEnv: new Set([...HOST_EXEC_DEFAULT_BASE_ENV, ...Object.keys(managed.credentials.agentEnv)]),
+				hostExecAutoApprove: opts.hostExecAutoApprove ?? opts.sandboxConfig?.hostExec?.autoApprove ?? false,
 				getTaskContext: () => ({
 					taskId: task.id,
 					taskType: task.taskType,
@@ -15642,7 +15681,114 @@ async function executePiTask(claimedTask, reporter, opts) {
 				console.error(`executePiTask: reporter.close() failed for task ${task.id} attempt ${attemptN}: ${detail}`);
 			}
 		}
-		await managed.vm.close();
+		if (managed) await managed.vm.close();
+		try {
+			workspace.cleanup();
+		} catch (err) {
+			const detail = err instanceof Error ? err.message : String(err);
+			console.error(`executePiTask: workspace cleanup failed for task ${task.id} attempt ${attemptN}: ${detail}`);
+		}
+	}
+}
+function resolveTaskWorktreeBranch(task) {
+	if (taskTypeWorkspaceMode(task.taskType) !== "dedicated_worktree") return null;
+	if (task.taskType === "fulfill_brief") {
+		const input = task.input;
+		const slug = slugifyBranchComponent(typeof input.title === "string" && input.title.trim().length > 0 ? input.title : typeof input.brief === "string" && input.brief.trim().length > 0 ? input.brief : task.taskType) || "task";
+		if (task.correlationId) return `moltnet/${task.correlationId}/${slug}`;
+		return `feat/${(typeof input.scopeHint === "string" && input.scopeHint.trim().length > 0 ? slugifyBranchComponent(input.scopeHint) : "task") || "task"}-${slug}`;
+	}
+	return `task/${slugifyBranchComponent(task.taskType) || "task"}-${task.id.slice(0, 8)}`;
+}
+function slugifyBranchComponent(input) {
+	return input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 60).replace(/-+$/g, "");
+}
+function prepareTaskWorkspace(task, requestedMountPath) {
+	const branch = resolveTaskWorktreeBranch(task);
+	if (!branch) return {
+		mountPath: requestedMountPath,
+		mode: "shared_mount",
+		branch: null,
+		cleanup: () => {}
+	};
+	const mainRepo = findMainWorktree();
+	const worktreeDir = join(mainRepo, ".worktrees", `task-${task.id}`);
+	removeExistingTaskWorktree(mainRepo, worktreeDir);
+	const relMount = relative(mainRepo, requestedMountPath);
+	const mountPath = relMount === "" || relMount.startsWith("..") ? worktreeDir : join(worktreeDir, relMount);
+	const baseRef = resolveWorktreeBaseRef(mainRepo);
+	execFileSync("git", gitRefExists(mainRepo, `refs/heads/${branch}`) ? [
+		"-C",
+		mainRepo,
+		"worktree",
+		"add",
+		worktreeDir,
+		branch
+	] : [
+		"-C",
+		mainRepo,
+		"worktree",
+		"add",
+		"-b",
+		branch,
+		worktreeDir,
+		baseRef
+	], { stdio: "pipe" });
+	return {
+		mountPath,
+		mode: "dedicated_worktree",
+		branch,
+		cleanup: () => {
+			execFileSync("git", [
+				"-C",
+				mainRepo,
+				"worktree",
+				"remove",
+				"--force",
+				worktreeDir
+			], { stdio: "pipe" });
+		}
+	};
+}
+function removeExistingTaskWorktree(mainRepo, worktreeDir) {
+	if (!existsSync(worktreeDir)) return;
+	const list = execFileSync("git", [
+		"-C",
+		mainRepo,
+		"worktree",
+		"list",
+		"--porcelain"
+	], {
+		encoding: "utf8",
+		stdio: "pipe"
+	});
+	const marker = `worktree ${worktreeDir}\n`;
+	if (!list.includes(marker) && !list.endsWith(`worktree ${worktreeDir}`)) return;
+	execFileSync("git", [
+		"-C",
+		mainRepo,
+		"worktree",
+		"remove",
+		"--force",
+		worktreeDir
+	], { stdio: "pipe" });
+}
+function resolveWorktreeBaseRef(mainRepo) {
+	return gitRefExists(mainRepo, "refs/heads/main") ? "main" : "HEAD";
+}
+function gitRefExists(mainRepo, ref) {
+	try {
+		execFileSync("git", [
+			"-C",
+			mainRepo,
+			"show-ref",
+			"--verify",
+			"--quiet",
+			ref
+		], { stdio: "pipe" });
+		return true;
+	} catch {
+		return false;
 	}
 }
 function emptyUsage(provider, model) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/pi-extension",
-  "version": "0.16.0",
+  "version": "0.16.2",
   "type": "module",
   "description": "MoltNet pi extension — sandboxed tool execution in Gondolin VMs with MoltNet identity and persistent memory",
   "license": "MIT",
@@ -31,8 +31,8 @@
     "@earendil-works/gondolin": "^0.9.1",
     "@opentelemetry/api": "^1.9.0",
     "@sinclair/typebox": "^0.34.0",
-    "@themoltnet/agent-runtime": "0.15.0",
-    "@themoltnet/sdk": "0.102.0"
+    "@themoltnet/sdk": "0.102.0",
+    "@themoltnet/agent-runtime": "0.15.1"
   },
   "peerDependencies": {
     "@earendil-works/pi-coding-agent": ">=0.74.0",