@vtstech/pi-shared 1.1.2 → 1.1.4

package/debug.js

@@ -0,0 +1,10 @@
+// shared/debug.ts
+var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
+function debugLog(module, message, ...args) {
+  if (!DEBUG_ENABLED) return;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  console.debug(`[pi-ext:${module}] ${timestamp} ${message}`, ...args);
+}
+export {
+  debugLog
+};

package/model-test-utils.js

@@ -0,0 +1,325 @@
+// shared/model-test-utils.ts
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+var CONFIG = {
+  // General API settings
+  DEFAULT_TIMEOUT_MS: 999999,
+  // ~16.7 minutes — effectively unlimited for slow models
+  CONNECT_TIMEOUT_S: 60,
+  // 60 seconds to establish connection
+  MAX_RETRIES: 1,
+  // Single retry for transient failures
+  RETRY_DELAY_MS: 1e4,
+  // 10 seconds between retries
+  // Model generation settings
+  NUM_PREDICT: 1024,
+  // Max tokens in response
+  TEMPERATURE: 0.1,
+  // Low temperature for more deterministic output
+  // Test-specific settings
+  MIN_THINKING_LENGTH: 10,
+  // Minimum chars to consider thinking tokens valid
+  TOOL_TEST_TIMEOUT_MS: 999999,
+  // Effectively unlimited for slow tool usage tests
+  TOOL_SUPPORT_TIMEOUT_MS: 999999,
+  // Effectively unlimited for tool support detection
+  // Metadata retrieval
+  TAGS_TIMEOUT_MS: 15e3,
+  // 15 seconds for /api/tags
+  MODEL_INFO_TIMEOUT_MS: 3e4,
+  // 30 seconds for model info lookup
+  // Provider API settings
+  PROVIDER_TIMEOUT_MS: 999999,
+  // Effectively unlimited for cloud provider API calls
+  PROVIDER_TOOL_TIMEOUT_MS: 12e4,
+  // 120 seconds for tool usage tests on providers
+  // Rate limiting
+  TEST_DELAY_MS: 1e4
+  // 10 seconds between tests to avoid rate limiting
+};
+var WEATHER_TOOL_DEFINITION = {
+  type: "function",
+  function: {
+    name: "get_weather",
+    description: "Get the current weather for a location",
+    parameters: {
+      type: "object",
+      properties: {
+        location: { type: "string", description: "City name" },
+        unit: { type: "string", enum: ["celsius", "fahrenheit"] }
+      },
+      required: ["location"]
+    }
+  }
+};
+function scoreReasoning(msg) {
+  const allNumbers = msg.match(/\b(\d+)\b/g) || [];
+  const answer = allNumbers.length > 0 ? allNumbers[allNumbers.length - 1] : "?";
+  const isCorrect = answer === "8";
+  const reasoningPatterns = [
+    "because",
+    "therefore",
+    "since",
+    "step",
+    "subtract",
+    "minus",
+    "each day",
+    "each night",
+    "slides",
+    "climbs",
+    "night",
+    "reaches",
+    "finally",
+    "last day"
+  ];
+  const hasReasoningWords = reasoningPatterns.some((w) => msg.toLowerCase().includes(w));
+  const hasNumberedSteps = /^\s*\d+\.\s/m.test(msg);
+  const hasReasoning = hasReasoningWords || hasNumberedSteps;
+  if (isCorrect && hasReasoning) return { score: "STRONG", pass: true };
+  if (isCorrect) return { score: "MODERATE", pass: true };
+  if (hasReasoning) return { score: "WEAK", pass: false };
+  return { score: "FAIL", pass: false };
+}
+function scoreNativeToolCall(fnName, args) {
+  const hasCorrectTool = fnName === "get_weather";
+  const hasLocation = typeof args.location === "string" && args.location.toLowerCase().includes("paris");
+  const unitValid = args.unit === void 0 || typeof args.unit === "string" && ["celsius", "fahrenheit"].includes(args.unit.toLowerCase());
+  if (hasCorrectTool && hasLocation && unitValid) return { score: "STRONG", pass: true };
+  if (hasCorrectTool && hasLocation) return { score: "MODERATE", pass: true };
+  return { score: "WEAK", pass: false };
+}
+function scoreTextToolCall(fnName, args) {
+  const isWeatherTool = fnName === "get_weather";
+  const hasLocation = typeof args.location === "string" && args.location.toLowerCase().includes("paris");
+  if (isWeatherTool && hasLocation) return { score: "STRONG", pass: true };
+  if (isWeatherTool) return { score: "MODERATE", pass: true };
+  return { score: "WEAK", pass: false };
+}
+function parseTextToolCall(content) {
+  const firstBrace = content.indexOf("{");
+  if (firstBrace === -1) return null;
+  const lastBrace = content.lastIndexOf("}");
+  if (lastBrace <= firstBrace) return null;
+  const jsonCandidate = content.slice(firstBrace, lastBrace + 1);
+  let textToolParsed = null;
+  try {
+    textToolParsed = JSON.parse(jsonCandidate);
+  } catch {
+    return null;
+  }
+  if (!textToolParsed || typeof textToolParsed.name !== "string") return null;
+  const rawArgs = textToolParsed.arguments || { ...textToolParsed };
+  const { name: _, ...fnArgs } = rawArgs;
+  return { fnName: textToolParsed.name, args: fnArgs };
+}
+var TOOL_SUPPORT_CACHE_DIR = path.join(os.homedir(), ".pi", "agent", "cache");
+var TOOL_SUPPORT_CACHE_PATH = path.join(TOOL_SUPPORT_CACHE_DIR, "tool_support.json");
+var _toolSupportCacheInMemory = null;
+function readToolSupportCache() {
+  try {
+    if (fs.existsSync(TOOL_SUPPORT_CACHE_PATH)) {
+      const raw = fs.readFileSync(TOOL_SUPPORT_CACHE_PATH, "utf-8");
+      return JSON.parse(raw);
+    }
+  } catch {
+  }
+  return {};
+}
+function writeToolSupportCache(cache) {
+  if (!fs.existsSync(TOOL_SUPPORT_CACHE_DIR)) {
+    fs.mkdirSync(TOOL_SUPPORT_CACHE_DIR, { recursive: true });
+  }
+  fs.writeFileSync(TOOL_SUPPORT_CACHE_PATH, JSON.stringify(cache, null, 2) + "\n", "utf-8");
+}
+function getCachedToolSupport(model) {
+  const cache = _toolSupportCacheInMemory || readToolSupportCache();
+  if (!_toolSupportCacheInMemory) _toolSupportCacheInMemory = cache;
+  const entry = cache[model];
+  if (!entry) return null;
+  if (!entry.support || !["native", "react", "none"].includes(entry.support)) return null;
+  return entry;
+}
+function cacheToolSupport(model, support, family) {
+  const cache = _toolSupportCacheInMemory || readToolSupportCache();
+  cache[model] = {
+    support,
+    testedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    family
+  };
+  _toolSupportCacheInMemory = cache;
+  writeToolSupportCache(cache);
+}
+var REASONING_PROMPT = `A snail climbs 3 feet up a wall each day, but slides back 2 feet each night. The wall is 10 feet tall. How many days does it take the snail to reach the top? Think step by step and give the final answer on its own line like: ANSWER: <number>`;
+var TOOL_SYSTEM_PROMPT = "You are a helpful assistant. Use the available tools when needed.";
+var TOOL_USER_PROMPT = "What's the weather like in Paris right now?";
+async function testToolUsageUnified(chatFn, model, options) {
+  const tools = options?.tools || [WEATHER_TOOL_DEFINITION];
+  const systemPrompt = options?.systemPrompt || TOOL_SYSTEM_PROMPT;
+  try {
+    const result = await chatFn(model, [
+      { role: "system", content: systemPrompt },
+      { role: "user", content: TOOL_USER_PROMPT }
+    ], { tools });
+    const content = result.content;
+    const toolCalls = result.toolCalls;
+    if (toolCalls && toolCalls.length > 0) {
+      const call = toolCalls[0];
+      const fn = call.function || {};
+      let args = {};
+      try {
+        args = typeof fn.arguments === "string" ? JSON.parse(fn.arguments) : fn.arguments || {};
+      } catch {
+        return {
+          pass: true,
+          score: "WEAK",
+          hasToolCalls: true,
+          toolCall: `malformed args: ${String(fn.arguments)}`,
+          response: content,
+          elapsedMs: result.elapsedMs
+        };
+      }
+      const { score, pass } = scoreNativeToolCall(fn.name || "", args);
+      return {
+        pass,
+        score,
+        hasToolCalls: true,
+        toolCall: `${fn.name}(${JSON.stringify(args)})`,
+        response: content,
+        elapsedMs: result.elapsedMs
+      };
+    }
+    const textParsed = parseTextToolCall(content);
+    if (textParsed) {
+      const { score, pass } = scoreTextToolCall(textParsed.fnName, textParsed.args);
+      return {
+        pass,
+        score,
+        hasToolCalls: true,
+        toolCall: `${textParsed.fnName}(${JSON.stringify(textParsed.args)})`,
+        response: content,
+        elapsedMs: result.elapsedMs
+      };
+    }
+    return {
+      pass: false,
+      score: "FAIL",
+      hasToolCalls: false,
+      toolCall: "none",
+      response: content,
+      elapsedMs: result.elapsedMs
+    };
+  } catch (e) {
+    return { pass: false, score: "ERROR", hasToolCalls: false, toolCall: `error: ${e.message}`, response: "", elapsedMs: 0 };
+  }
+}
+async function testReasoningUnified(chatFn, model) {
+  try {
+    const result = await chatFn(model, [
+      { role: "user", content: REASONING_PROMPT }
+    ]);
+    const msg = result.content.trim();
+    if (msg.length === 0) {
+      return { pass: false, score: "ERROR", reasoning: "Empty response", answer: "?", elapsedMs: result.elapsedMs };
+    }
+    const allNumbers = msg.match(/\b(\d+)\b/g) || [];
+    const answer = allNumbers.length > 0 ? allNumbers[allNumbers.length - 1] : "?";
+    const { score, pass } = scoreReasoning(msg);
+    return { pass, score, reasoning: msg, answer, elapsedMs: result.elapsedMs };
+  } catch (e) {
+    return { pass: false, score: "ERROR", reasoning: e.message, answer: "?", elapsedMs: 0 };
+  }
+}
+async function testInstructionFollowingUnified(chatFn, model) {
+  const prompt = `You must respond with ONLY a valid JSON object. No markdown, no explanation, no backticks, no extra text.
+
+The JSON object must have exactly these 4 keys:
+- "name" (string): your model name
+- "can_count" (boolean): true
+- "sum" (number): the result of 15 + 27
+- "language" (string): the language you are responding in`;
+  try {
+    const result = await chatFn(model, [
+      { role: "user", content: prompt }
+    ]);
+    const msg = result.content.trim();
+    let parsed = null;
+    let repairNote = "";
+    try {
+      const cleaned = msg.replace(/```json?\s*/gi, "").replace(/```/g, "").trim();
+      parsed = JSON.parse(cleaned);
+    } catch {
+      const cleaned = msg.replace(/```json?\s*/gi, "").replace(/```/g, "").trim();
+      let braceDepth = 0, bracketDepth = 0;
+      let inString = false, escapeNext = false;
+      for (let i = 0; i < cleaned.length; i++) {
+        const c = cleaned[i];
+        if (escapeNext) {
+          escapeNext = false;
+          continue;
+        }
+        if (c === "\\") {
+          if (inString) escapeNext = true;
+          continue;
+        }
+        if (c === '"') {
+          inString = !inString;
+          continue;
+        }
+        if (inString) continue;
+        if (c === "{") braceDepth++;
+        else if (c === "}") braceDepth = Math.max(0, braceDepth - 1);
+        else if (c === "[") bracketDepth++;
+        else if (c === "]") bracketDepth = Math.max(0, bracketDepth - 1);
+      }
+      if (braceDepth > 0 || bracketDepth > 0) {
+        const repaired = cleaned + "}".repeat(braceDepth) + "]".repeat(bracketDepth);
+        try {
+          parsed = JSON.parse(repaired);
+          repairNote = " (repaired truncated JSON)";
+        } catch {
+        }
+      }
+    }
+    if (!parsed) {
+      return { pass: false, score: "FAIL", output: msg, elapsedMs: result.elapsedMs };
+    }
+    const hasKeys = parsed.name && parsed.can_count !== void 0 && parsed.sum !== void 0 && parsed.language;
+    const correctSum = parsed.sum === 42;
+    const hasCorrectCount = parsed.can_count === true;
+    let score;
+    if (hasKeys && correctSum && hasCorrectCount) {
+      score = "STRONG";
+    } else if (hasKeys && (correctSum || hasCorrectCount)) {
+      score = "MODERATE";
+    } else if (parsed.sum !== void 0 || parsed.name) {
+      score = "WEAK";
+    } else {
+      score = "FAIL";
+    }
+    return {
+      pass: hasKeys,
+      score,
+      output: JSON.stringify(parsed) + repairNote,
+      elapsedMs: result.elapsedMs
+    };
+  } catch (e) {
+    return { pass: false, score: "ERROR", output: e.message, elapsedMs: 0 };
+  }
+}
+export {
+  CONFIG,
+  TOOL_SUPPORT_CACHE_PATH,
+  WEATHER_TOOL_DEFINITION,
+  cacheToolSupport,
+  getCachedToolSupport,
+  parseTextToolCall,
+  readToolSupportCache,
+  scoreNativeToolCall,
+  scoreReasoning,
+  scoreTextToolCall,
+  testInstructionFollowingUnified,
+  testReasoningUnified,
+  testToolUsageUnified,
+  writeToolSupportCache
+};

package/ollama.js

@@ -2,7 +2,17 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import os from "node:os";
-var EXTENSION_VERSION = "1.1.2";
+
+// shared/debug.ts
+var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
+function debugLog(module, message, ...args) {
+  if (!DEBUG_ENABLED) return;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  console.debug(`[pi-ext:${module}] ${timestamp} ${message}`, ...args);
+}
+
+// shared/ollama.ts
+var EXTENSION_VERSION = "1.1.4";
 var MODELS_JSON_PATH = path.join(os.homedir(), ".pi", "agent", "models.json");
 var _modelsJsonCache = null;
 var _ollamaBaseUrlCache = null;
@@ -21,7 +31,8 @@ function getOllamaBaseUrl() {
         return result;
       }
     }
-  } catch {
+  } catch (err) {
+    debugLog("ollama", "failed to parse models.json for base URL", err);
   }
   if (process.env.OLLAMA_HOST) {
     const result = `http://${process.env.OLLAMA_HOST.replace(/^https?:\/\//, "")}`;
@@ -42,7 +53,8 @@ function readModelsJson() {
       _modelsJsonCache = { data, ts: now };
       return data;
     }
-  } catch {
+  } catch (err) {
+    debugLog("ollama", "failed to read/parse models.json", err);
   }
   const empty = { providers: {} };
   _modelsJsonCache = { data: empty, ts: now };
@@ -53,7 +65,9 @@ function writeModelsJson(data) {
   if (!fs.existsSync(dir)) {
     fs.mkdirSync(dir, { recursive: true });
   }
-  fs.writeFileSync(MODELS_JSON_PATH, JSON.stringify(data, null, 2) + "\n", "utf-8");
+  const tmpPath = MODELS_JSON_PATH + ".tmp";
+  fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2) + "\n", "utf-8");
+  fs.renameSync(tmpPath, MODELS_JSON_PATH);
   _modelsJsonCache = null;
   _ollamaBaseUrlCache = null;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vtstech/pi-shared",
-  "version": "1.1.2",
+  "version": "1.1.4",
   "description": "Shared utilities for Pi Coding Agent extensions",
   "exports": {
     "./format": "./format.js",

package/react-parser.js

@@ -0,0 +1,393 @@
+// shared/react-parser.ts
+function sanitizeModelJson(text) {
+  text = text.replace(/:\s*True\b/g, ": true");
+  text = text.replace(/:\s*False\b/g, ": false");
+  text = text.replace(/:\s*None\b/g, ": null");
+  text = text.replace(/\[\s*True\b/g, "[true");
+  text = text.replace(/\[\s*False\b/g, "[false");
+  text = text.replace(/\[\s*None\b/g, "[null");
+  text = text.replace(/("(?:[^"\\]|\\.)*")\s*\+\s*[^,}'"\]\n]+/g, "$1");
+  text = text.replace(/,\s*([}\]])/g, "$1");
+  text = text.replace(/\\\\\\\\/g, "\\\\");
+  return text;
+}
+var REACT_DIALECTS = [
+  {
+    name: "react",
+    actionTag: "Action:",
+    inputTag: "Action Input:",
+    thoughtTag: "Thought:",
+    stopTags: ["Observation:", "Thought:", "Final Answer:", "Action:"],
+    finalTag: "Final Answer:"
+  },
+  {
+    name: "function",
+    actionTag: "Function:",
+    inputTag: "Function Input:",
+    thoughtTag: "Thought:",
+    stopTags: ["Observation:", "Thought:", "Final Answer:", "Function:", "Action:"],
+    finalTag: "Final Answer:"
+  },
+  {
+    name: "tool",
+    actionTag: "Tool:",
+    inputTag: "Tool Input:",
+    thoughtTag: "Thought:",
+    stopTags: ["Observation:", "Thought:", "Final Answer:", "Tool:", "Action:"],
+    finalTag: "Final Answer:"
+  },
+  {
+    name: "call",
+    actionTag: "Call:",
+    inputTag: "Input:",
+    thoughtTag: "Thought:",
+    stopTags: ["Observation:", "Thought:", "Final Answer:", "Call:", "Action:"],
+    finalTag: "Final Answer:"
+  }
+];
+function buildDialectPatterns(d) {
+  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const aT = esc(d.actionTag);
+  const iT = esc(d.inputTag);
+  const stopAlt = d.stopTags.map(esc).join("|");
+  const tT = d.thoughtTag ? esc(d.thoughtTag) : void 0;
+  const fT = d.finalTag ? esc(d.finalTag) : void 0;
+  const thoughtRe = tT ? new RegExp(`${tT}\\s*(.*?)(?=${aT}|${fT}|$)`, "is") : void 0;
+  const actionRe = new RegExp(
+    `${aT}\\s*[\\x60"']?(\\w+)[\\x60"']?\\s*\\n?\\s*${iT}\\s*(.*?)(?=\\n\\s*(?:${stopAlt})|$)`,
+    "is"
+  );
+  const actionReSameline = new RegExp(
+    `${aT}\\s*[\\x60"']?(\\w+)[\\x60"']?\\s+${iT}\\s*(.*?)(?=\\n\\s*(?:${stopAlt})|$)`,
+    "is"
+  );
+  const actionReLoose = new RegExp(
+    `${aT}\\s*(.+?)\\n\\s*${iT}\\s*(.*?)(?=\\n\\s*(?:${stopAlt})|$)`,
+    "is"
+  );
+  const actionReParen = new RegExp(`${aT}\\s*(\\w+)\\s*\\(([^)]*)\\)`, "i");
+  const finalAnswerRe = fT ? new RegExp(`${fT}\\s*([\\s\\S]*?)$`, "i") : void 0;
+  return { thoughtRe, actionRe, actionReSameline, actionReLoose, actionReParen, finalAnswerRe, dialect: d };
+}
+var ALL_DIALECT_PATTERNS = REACT_DIALECTS.map(buildDialectPatterns);
+var CLASSIC_PATTERNS = ALL_DIALECT_PATTERNS[0];
+var THOUGHT_RE = CLASSIC_PATTERNS.thoughtRe;
+var ACTION_RE = CLASSIC_PATTERNS.actionRe;
+var ACTION_RE_SAMELINE = CLASSIC_PATTERNS.actionReSameline;
+var ACTION_RE_LOOSE = CLASSIC_PATTERNS.actionReLoose;
+var ACTION_RE_PAREN = CLASSIC_PATTERNS.actionReParen;
+var FINAL_ANSWER_RE = CLASSIC_PATTERNS.finalAnswerRe;
+function extractJsonArgs(rawArgs) {
+  const start = rawArgs.indexOf("{");
+  if (start === -1) return null;
+  let depth = 0;
+  let end = -1;
+  for (let i = start; i < rawArgs.length; i++) {
+    if (rawArgs[i] === "{") depth++;
+    else if (rawArgs[i] === "}") {
+      depth--;
+      if (depth === 0) {
+        end = i;
+        break;
+      }
+    }
+  }
+  if (end === -1) return null;
+  const jsonStr = rawArgs.slice(start, end + 1);
+  try {
+    const parsed = JSON.parse(jsonStr);
+    return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) ? parsed : { input: String(parsed) };
+  } catch {
+  }
+  try {
+    const sanitized = sanitizeModelJson(jsonStr);
+    const parsed = JSON.parse(sanitized);
+    return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) ? parsed : { input: String(parsed) };
+  } catch {
+  }
+  const exprMatch = jsonStr.match(/['"]expression['"]:\s*['"]([^'"]+)['"]/);
+  if (exprMatch) return { expression: exprMatch[1] };
+  const cmdMatch = jsonStr.match(/['"]command['"]:\s*['"]([^'"]+)['"]/);
+  if (cmdMatch) return { command: cmdMatch[1] };
+  return { input: jsonStr };
+}
+function parseReact(text) {
+  for (const dp of ALL_DIALECT_PATTERNS) {
+    const result = parseReactWithPatterns(text, dp);
+    if (result) return result;
+  }
+  return null;
+}
+function parseReactWithPatterns(text, dp, tightLoose = false, availableTools) {
+  let thought;
+  if (dp.thoughtRe) {
+    const thoughtMatch = dp.thoughtRe.exec(text);
+    if (thoughtMatch) thought = thoughtMatch[1].trim();
+  }
+  let match = dp.actionRe.exec(text);
+  if (!match) match = dp.actionReSameline.exec(text);
+  let looseMatch = false;
+  if (!match) {
+    const looseResult = dp.actionReLoose.exec(text);
+    if (looseResult) {
+      if (tightLoose) {
+        const candidate = looseResult[1].trim().replace(/[`"']/g, "");
+        const isToolIdentifier = /^\w+$/.test(candidate) && (candidate.includes("_") || candidate.includes("-"));
+        const isKnownTool = /^(get_weather|calculate)$/i.test(candidate);
+        if (isToolIdentifier || isKnownTool) {
+          match = looseResult;
+          looseMatch = true;
+        }
+      } else {
+        match = looseResult;
+        looseMatch = true;
+      }
+    }
+  }
+  let parenMatch = false;
+  if (!match) match = dp.actionReParen.exec(text), parenMatch = true;
+  if (match) {
+    let toolName = match[1].trim().replace(/[`"']/g, "");
+    if (looseMatch && !tightLoose && availableTools) {
+      const tools = availableTools || [];
+      for (const real of tools) {
+        const rl = real.toLowerCase().replace(/_/g, "");
+        if (toolName.toLowerCase().includes(rl)) {
+          toolName = real;
+          break;
+        }
+      }
+      if (toolName.includes(" ")) {
+        const words = toolName.split(/\s+/);
+        for (const w of words) {
+          const wc = w.replace(/[^a-zA-Z0-9_-]/g, "");
+          if (wc.length < 3) continue;
+          for (const real of tools) {
+            const rl = real.toLowerCase().replace(/_/g, "");
+            if (rl.includes(wc.toLowerCase())) {
+              toolName = real;
+              break;
+            }
+          }
+          if (!toolName.includes(" ")) break;
+        }
+      }
+    }
+    const rawArgs = match[2].trim().replace(/^```\w*\s*/gm, "").replace(/```\s*$/gm, "").trim();
+    let args;
+    if (parenMatch && rawArgs && !rawArgs.startsWith("{")) {
+      const pairs = rawArgs.match(/(\w+)\s*:\s*("[^"]*"|'[^']*'|\S+)/g);
+      if (pairs) {
+        const obj = {};
+        for (const p of pairs) {
+          const colonIdx = p.indexOf(":");
+          const key = p.slice(0, colonIdx).trim();
+          let val = p.slice(colonIdx + 1).trim();
+          if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+            val = val.slice(1, -1);
+          }
+          obj[key] = val;
+        }
+        args = obj;
+      } else {
+        args = { input: rawArgs };
+      }
+    } else {
+      args = extractJsonArgs(rawArgs) || { input: rawArgs };
+    }
+    let finalAnswer;
+    if (dp.finalAnswerRe) {
+      const faMatch = dp.finalAnswerRe.exec(text);
+      if (faMatch) finalAnswer = faMatch[1].trim();
+    }
+    return { name: toolName, args, thought, finalAnswer, raw: match[0], dialect: dp.dialect.name };
+  }
+  return null;
+}
+function detectReactDialect(text) {
+  for (const dp of ALL_DIALECT_PATTERNS) {
+    const tagPattern = new RegExp(`^\\s*${dp.dialect.actionTag.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*`, "im");
+    if (tagPattern.test(text)) return dp.dialect;
+  }
+  return null;
+}
+function extractToolFromJson(obj) {
+  if (!obj || typeof obj !== "object") return null;
+  let name = obj.name || obj.function || obj.tool || obj.action;
+  let args = obj.arguments || obj.parameters || obj.args || obj.actionInput || {};
+  if (!name) {
+    for (const key of Object.keys(obj)) {
+      const kl = key.toLowerCase();
+      if (kl === "action" && typeof obj[key] === "string") {
+        name = obj[key];
+      }
+      if (kl === "action input" || kl === "actioninput" || kl === "action_input") {
+        const val = obj[key];
+        if (typeof val === "object" && val !== null) args = val;
+        else if (val) args = { input: val };
+      }
+    }
+  }
+  if (!name) {
+    const argToTool = { expression: "calculator", command: "shell" };
+    const nonToolKeys = /* @__PURE__ */ new Set(["response", "method", "answer", "result", "explanation", "output", "text"]);
+    const objKeys = Object.keys(obj);
+    if (!objKeys.some((k) => nonToolKeys.has(k))) {
+      for (const key of objKeys) {
+        if (key in argToTool) {
+          name = argToTool[key];
+          args = obj;
+          break;
+        }
+      }
+    }
+  }
+  if (!name || typeof args !== "object" || args === null) return null;
+  return { name, args };
+}
+var FUZZY_MIN_PREFIX_LENGTH = 4;
+var WORD_MAPPINGS = {
+  calculate: ["calculator"],
+  calc: ["calculator"],
+  math: ["calculator"],
+  compute: ["calculator"],
+  eval: ["calculator"],
+  expression: ["calculator"],
+  power: ["calculator"],
+  pow: ["calculator"],
+  sqrt: ["calculator"],
+  python: ["shell"],
+  repl: ["shell"],
+  code: ["shell"],
+  execute: ["shell"],
+  shell: ["bash"],
+  bash: ["bash"],
+  cmd: ["bash"],
+  command: ["bash"],
+  ls: ["bash"],
+  cat: ["bash"],
+  echo: ["bash"],
+  grep: ["bash"],
+  read: ["read"],
+  write: ["write"],
+  file: ["read"],
+  weather: ["get_weather"],
+  search: ["bash"]
+};
+function fuzzyMatchToolName(hallucinated, availableTools) {
+  const lower = hallucinated.toLowerCase().replace(/_/g, "");
+  if (availableTools.includes(hallucinated)) return hallucinated;
+  for (const real of availableTools) {
+    const rl = real.toLowerCase().replace(/_/g, "");
+    if (rl === lower || rl.includes(lower) || lower.includes(rl)) return real;
+  }
+  for (const [keyword, hints] of Object.entries(WORD_MAPPINGS)) {
+    if (lower.includes(keyword)) {
+      for (const hint of hints) {
+        for (const real of availableTools) {
+          if (real.includes(hint) || real === hint) return real;
+        }
+      }
+    }
+  }
+  if (lower.length >= FUZZY_MIN_PREFIX_LENGTH) {
+    for (const real of availableTools) {
+      const rl = real.toLowerCase();
+      if (rl.length >= FUZZY_MIN_PREFIX_LENGTH && rl.slice(0, FUZZY_MIN_PREFIX_LENGTH) === lower.slice(0, FUZZY_MIN_PREFIX_LENGTH)) return real;
+    }
+  }
+  return null;
+}
+var ARG_ALIASES = {
+  expression: ["expr", "exp", "formula", "calculation", "math"],
+  file_path: ["path", "filepath", "file", "filename", "location"],
+  content: ["text", "data", "body", "value"],
+  command: ["cmd", "shell", "script", "exec"],
+  url: ["uri", "link", "endpoint", "address"],
+  query: ["search", "term", "keywords", "q"],
+  input: ["value", "arg", "parameter"],
+  timeout: ["time_limit", "max_time", "seconds"]
+};
+function normalizeArguments(args, expectedParams) {
+  if (!args || typeof args !== "object") return args;
+  const expectedSet = new Set(expectedParams.map((p) => p.toLowerCase()));
+  const normalized = {};
+  const powerParts = {};
+  for (const [key, value] of Object.entries(args)) {
+    const keyLower = key.toLowerCase().replace(/-/g, "_");
+    let targetParam = null;
+    for (const param of expectedParams) {
+      if (param.toLowerCase() === keyLower) {
+        targetParam = param;
+        break;
+      }
+    }
+    if (!targetParam) {
+      for (const [canonical, aliases] of Object.entries(ARG_ALIASES)) {
+        if (aliases.includes(keyLower) && expectedSet.has(canonical.toLowerCase())) {
+          targetParam = canonical;
+          break;
+        }
+      }
+    }
+    if (!targetParam) {
+      for (const param of expectedParams) {
+        if (keyLower.includes(param.toLowerCase()) || keyLower.startsWith(param.toLowerCase())) {
+          targetParam = param;
+          break;
+        }
+      }
+    }
+    if (["base", "value", "x"].includes(keyLower) || ["exponent", "power", "n", "p", "exp"].includes(keyLower)) {
+      powerParts[keyLower] = value;
+      continue;
+    }
+    const finalKey = targetParam || key;
+    if (!(finalKey in normalized)) normalized[finalKey] = value;
+  }
+  if (powerParts && expectedSet.has("expression")) {
+    const base = powerParts.base ?? powerParts.value ?? powerParts.x;
+    const exp = powerParts.exponent ?? powerParts.power ?? powerParts.n ?? powerParts.p ?? powerParts.exp;
+    if (base !== void 0 && exp !== void 0) normalized.expression = `${base} ** ${exp}`;
+    else if (base !== void 0) normalized.expression = String(base);
+  }
+  return normalized;
+}
+function looksLikeSchemaDump(text) {
+  if (!text) return false;
+  const indicators = [
+    '{"function <nil>',
+    '"type":"function"',
+    '"parameters":{"type":"object"',
+    '[{"type":',
+    '"required":',
+    '"properties":'
+  ];
+  const lower = text.toLowerCase();
+  const matches = indicators.filter((i) => lower.includes(i.toLowerCase())).length;
+  return matches >= 2;
+}
+export {
+  ACTION_RE,
+  ACTION_RE_LOOSE,
+  ACTION_RE_PAREN,
+  ACTION_RE_SAMELINE,
+  ALL_DIALECT_PATTERNS,
+  ARG_ALIASES,
+  CLASSIC_PATTERNS,
+  FINAL_ANSWER_RE,
+  FUZZY_MIN_PREFIX_LENGTH,
+  REACT_DIALECTS,
+  THOUGHT_RE,
+  WORD_MAPPINGS,
+  buildDialectPatterns,
+  detectReactDialect,
+  extractJsonArgs,
+  extractToolFromJson,
+  fuzzyMatchToolName,
+  looksLikeSchemaDump,
+  normalizeArguments,
+  parseReact,
+  parseReactWithPatterns,
+  sanitizeModelJson
+};

package/security.js

@@ -2,6 +2,17 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import os from "node:os";
+
+// shared/debug.ts
+var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
+function debugLog(module, message, ...args) {
+  if (!DEBUG_ENABLED) return;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  console.debug(`[pi-ext:${module}] ${timestamp} ${message}`, ...args);
+}
+
+// shared/security.ts
+var SETTINGS_PATH = path.join(os.homedir(), ".pi", "agent", "settings.json");
 var BLOCKED_COMMANDS = /* @__PURE__ */ new Set([
   // System modification
   "rm",
@@ -155,7 +166,11 @@ function validatePath(filePath, allowedDirs) {
     "/.gnupg/",
     path.join(os.homedir(), ".ssh"),
     path.join(os.homedir(), ".gnupg"),
-    path.join(os.homedir(), ".pi", "agent", "models.json")
+    SETTINGS_PATH
+    // NOTE: models.json is intentionally excluded from sensitivePaths.
+    // Extensions use readModelsJson()/writeModelsJson() from shared/ollama.ts
+    // for direct file I/O — not via Pi's tool system — so blocking it here
+    // would prevent legitimate model configuration updates.
   ];
   for (const sensitive of sensitivePaths) {
     if (resolved.startsWith(sensitive) || resolved === sensitive) {
@@ -195,9 +210,16 @@ function isSafeUrl(url, blockSsrf = true) {
     return { safe: false, error: "URL must have a hostname" };
   }
   const hostname = parsed.hostname.toLowerCase();
+  const normalized = hostname.replace(/\.$/, "");
+  if (/[^\x00-\x7F]/.test(normalized)) {
+    return { safe: false, error: "URL hostname contains non-ASCII characters" };
+  }
+  if (/^0x[0-9a-f]+$/i.test(normalized) || /^0[0-7]+$/i.test(normalized)) {
+    return { safe: false, error: "URL hostname uses non-decimal IP format" };
+  }
   if (blockSsrf) {
     for (const pattern of BLOCKED_URL_PATTERNS) {
-      if (hostname === pattern || hostname.endsWith("." + pattern) || hostname.startsWith(pattern)) {
+      if (normalized === pattern || normalized.endsWith("." + pattern) || normalized.startsWith(pattern)) {
         return { safe: false, error: `SSRF protection: blocked hostname pattern '${pattern}'` };
       }
     }
@@ -205,26 +227,20 @@ function isSafeUrl(url, blockSsrf = true) {
   return { safe: true, error: "" };
 }
 var INJECTION_PATTERNS = [
-  /;\s*\w+/,
-  // Command chaining
-  /\|\s*\w+/,
-  // Piping to another command
-  /&&\s*\w+/,
-  // AND chaining
-  /\|\|\s*\w+/,
-  // OR chaining
+  // Command chaining with dangerous commands only
+  /;\s*(rm|sudo|chmod|chown|mkfs|dd|shred|kill|pkill)\b/i,
+  // Piping to dangerous commands
+  /\|\s*(rm|sudo|chmod|chown|shred|mkfs)\b/i,
+  // AND chaining with dangerous commands
+  /&&\s*(rm|sudo|chmod|chown|mkfs|dd|shred|kill)\b/i,
+  // Command substitution (backticks) — still dangerous
   /`[^`]+`/,
-  // Command substitution (backticks)
+  // Command substitution ($()) — still dangerous
   /\$\([^)]+\)/,
-  // Command substitution ($())
-  /\$\{[^}]+\}/,
-  // Variable expansion
-  />\s*\S+/,
-  // Output redirection
-  /<\s*\S+/,
-  // Input redirection
+  // Variable expansion targeting sensitive env vars
+  /\$\{?(?:HOME|USER|PATH|SHELL|PWD|SSH|GPG|API_KEY|TOKEN|SECRET|PASSWORD)\}?/i,
+  // Bare pipe without space (likely injection, not intentional piping)
   /\|(?=[^\s|])/
-  // Bare pipe without space
 ];
 function sanitizeCommand(command) {
   if (!command) return { isSafe: false, error: "Command cannot be empty", command: "" };
@@ -256,7 +272,8 @@ function appendAuditEntry(entry) {
     }
     const line = JSON.stringify(entry) + "\n";
     fs.appendFileSync(AUDIT_LOG_PATH, line, "utf-8");
-  } catch {
+  } catch (err) {
+    debugLog("security", "audit log write failure", err);
   }
 }
 function readRecentAuditEntries(count = 50) {
@@ -272,7 +289,8 @@ function readRecentAuditEntries(count = 50) {
         return {};
       }
     });
-  } catch {
+  } catch (err) {
+    debugLog("security", "failed to read audit log", err);
     return [];
   }
 }
@@ -335,6 +353,7 @@ export {
   AUDIT_LOG_PATH,
   BLOCKED_COMMANDS,
   BLOCKED_URL_PATTERNS,
+  SETTINGS_PATH,
   appendAuditEntry,
   checkBashToolInput,
   checkFileToolInput,