@vtstech/pi-shared 1.1.7 → 1.1.9

package/config-io.js

@@ -0,0 +1,57 @@
+// shared/config-io.ts
+import * as fs from "node:fs";
+import * as path from "node:path";
+import os from "node:os";
+
+// shared/debug.ts
+var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
+function debugLog(module, message, ...args) {
+  if (!DEBUG_ENABLED) return;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  console.debug(`[pi-ext:${module}] ${timestamp} ${message}`, ...args);
+}
+
+// shared/config-io.ts
+var PI_AGENT_DIR = path.join(os.homedir(), ".pi", "agent");
+function readJsonConfig(filePath, defaultValue = {}) {
+  try {
+    if (fs.existsSync(filePath)) {
+      return JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    }
+  } catch (err) {
+    debugLog("config-io", `failed to read config: ${filePath}`, err);
+  }
+  return defaultValue;
+}
+function writeJsonConfig(filePath, data) {
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  const content = JSON.stringify(data, null, 2) + "\n";
+  const tmpPath = filePath + ".tmp";
+  try {
+    fs.writeFileSync(tmpPath, content, "utf-8");
+    fs.renameSync(tmpPath, filePath);
+  } catch {
+    fs.writeFileSync(filePath, content, "utf-8");
+  }
+}
+var SETTINGS_PATH = path.join(PI_AGENT_DIR, "settings.json");
+var SECURITY_PATH = path.join(PI_AGENT_DIR, "security.json");
+var REACT_MODE_PATH = path.join(PI_AGENT_DIR, "react-mode.json");
+var MODEL_TEST_CONFIG_PATH = path.join(PI_AGENT_DIR, "model-test-config.json");
+function readSettings() {
+  return readJsonConfig(SETTINGS_PATH);
+}
+function writeSettings(data) {
+  writeJsonConfig(SETTINGS_PATH, data);
+}
+export {
+  MODEL_TEST_CONFIG_PATH,
+  REACT_MODE_PATH,
+  SECURITY_PATH,
+  SETTINGS_PATH,
+  readJsonConfig,
+  readSettings,
+  writeJsonConfig,
+  writeSettings
+};

package/errors.js

@@ -0,0 +1,56 @@
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+
+// shared/errors.ts
+var ExtensionError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    __publicField(this, "code", code);
+    this.name = "ExtensionError";
+  }
+};
+var ConfigError = class extends ExtensionError {
+  constructor(message) {
+    super(message, "CONFIG_ERROR");
+    this.name = "ConfigError";
+  }
+};
+var ApiError = class extends ExtensionError {
+  constructor(message, statusCode, url) {
+    super(message, "API_ERROR");
+    __publicField(this, "statusCode", statusCode);
+    __publicField(this, "url", url);
+    this.name = "ApiError";
+  }
+};
+var ExtensionTimeoutError = class extends ExtensionError {
+  constructor(message, timeoutMs) {
+    super(message, "TIMEOUT");
+    __publicField(this, "timeoutMs", timeoutMs);
+    this.name = "ExtensionTimeoutError";
+  }
+};
+var SecurityError = class extends ExtensionError {
+  constructor(message, rule, detail) {
+    super(message, "SECURITY_VIOLATION");
+    __publicField(this, "rule", rule);
+    __publicField(this, "detail", detail);
+    this.name = "SecurityError";
+  }
+};
+var ToolError = class extends ExtensionError {
+  constructor(message, toolName) {
+    super(message, "TOOL_ERROR");
+    __publicField(this, "toolName", toolName);
+    this.name = "ToolError";
+  }
+};
+export {
+  ApiError,
+  ConfigError,
+  ExtensionError,
+  ExtensionTimeoutError,
+  SecurityError,
+  ToolError
+};

package/format.js

@@ -32,6 +32,7 @@ function msHuman(ms) {
 }
 function fmtBytes(b) {
   if (b === 0) return "0B";
+  if (b < 1024) return `${b}B`;
   if (b >= 1073741824) return `${(b / 1073741824).toFixed(1)}G`;
   if (b >= 1048576) return `${(b / 1048576).toFixed(0)}M`;
   return `${(b / 1024).toFixed(0)}K`;

package/model-test-utils.js

@@ -34,6 +34,9 @@ var CONFIG = {
   // Effectively unlimited for cloud provider API calls
   PROVIDER_TOOL_TIMEOUT_MS: 12e4,
   // 120 seconds for tool usage tests on providers
+  // Context length fetching
+  CONTEXT_BATCH_SIZE: 3,
+  // Concurrent requests when fetching model context lengths
   // Rate limiting
   TEST_DELAY_MS: 1e4
   // 10 seconds between tests to avoid rate limiting
@@ -62,6 +65,7 @@ function getEffectiveConfig() {
     TOOL_TEST_TIMEOUT_MS: userConfig.toolTestTimeoutMs ?? CONFIG.TOOL_TEST_TIMEOUT_MS,
     PROVIDER_TIMEOUT_MS: userConfig.providerTimeoutMs ?? CONFIG.PROVIDER_TIMEOUT_MS,
     PROVIDER_TOOL_TIMEOUT_MS: userConfig.providerToolTimeoutMs ?? CONFIG.PROVIDER_TOOL_TIMEOUT_MS,
+    CONTEXT_BATCH_SIZE: userConfig.contextBatchSize ?? CONFIG.CONTEXT_BATCH_SIZE,
     NUM_PREDICT: userConfig.numPredict ?? CONFIG.NUM_PREDICT,
     TEMPERATURE: userConfig.temperature ?? CONFIG.TEMPERATURE
   };

package/ollama.js

@@ -12,7 +12,7 @@ function debugLog(module, message, ...args) {
 }
 
 // shared/ollama.ts
-var EXTENSION_VERSION = "1.1.7";
+var EXTENSION_VERSION = "1.1.9";
 var MODELS_JSON_PATH = path.join(os.homedir(), ".pi", "agent", "models.json");
 var _modelsJsonCache = null;
 var _ollamaBaseUrlCache = null;
@@ -179,7 +179,8 @@ async function fetchModelContextLength(baseUrl, modelName) {
       }
       const numCtx = data?.model_info?.["num_ctx"];
       if (typeof numCtx === "number") return numCtx;
-    } catch {
+    } catch (err) {
+      debugLog("ollama", `failed to fetch context length for ${modelName}`, err);
       return void 0;
     }
     return void 0;
@@ -213,7 +214,8 @@ var BUILTIN_PROVIDERS = {
   xai: { api: "openai-completions", baseUrl: "https://api.x.ai/v1", envKey: "XAI_API_KEY" },
   together: { api: "openai-completions", baseUrl: "https://api.together.xyz/v1", envKey: "TOGETHER_API_KEY" },
   fireworks: { api: "openai-completions", baseUrl: "https://api.fireworks.ai/inference/v1", envKey: "FIREWORKS_API_KEY" },
-  cohere: { api: "cohere-chat", baseUrl: "https://api.cohere.com/v1", envKey: "COHERE_API_KEY" }
+  cohere: { api: "cohere-chat", baseUrl: "https://api.cohere.com/v1", envKey: "COHERE_API_KEY" },
+  zai: { api: "openai-completions", baseUrl: "https://open.bigmodel.cn/api/paas/v4", envKey: "ZAI_API_KEY" }
 };
 function detectModelFamily(modelName) {
   const name = modelName.toLowerCase();
@@ -233,6 +235,8 @@ function detectModelFamily(modelName) {
     ["gemma", "gemma2"],
     ["granite", "granite"],
     ["dolphin", "dolphin"],
+    ["glm-4", "glm"],
+    ["glm", "glm"],
     ["deepseek-r1", "deepseek-r1"],
     ["deepseek", "deepseek"],
     ["mistral", "qwen2"],
@@ -285,6 +289,11 @@ function detectProvider(ctx) {
   }
   return { kind: "unknown", name: providerName };
 }
+function isLocalProvider(baseUrl, providerName) {
+  if (providerName === "ollama") return true;
+  const url = baseUrl || "";
+  return url.includes("localhost") || url.includes("127.0.0.1") || url.includes("0.0.0.0");
+}
 export {
   BUILTIN_PROVIDERS,
   EXTENSION_VERSION,
@@ -296,6 +305,7 @@ export {
   fetchModelContextLength,
   fetchOllamaModels,
   getOllamaBaseUrl,
+  isLocalProvider,
   isReasoningModel,
   readModelsJson,
   readModifyWriteModelsJson,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vtstech/pi-shared",
-  "version": "1.1.7",
+  "version": "1.1.9",
   "description": "Shared utilities for Pi Coding Agent extensions",
   "exports": {
     "./debug": "./debug.js",

package/provider-sync.js

@@ -0,0 +1,18 @@
+// shared/provider-sync.ts
+function mergeModels(newModels, oldModels) {
+  const oldModelMap = new Map(oldModels.map((m) => [m.id, m]));
+  return newModels.map((m) => {
+    const old = oldModelMap.get(m.id);
+    if (old) {
+      const merged = { ...m };
+      for (const [k, v] of Object.entries(old)) {
+        if (!(k in m)) merged[k] = v;
+      }
+      return merged;
+    }
+    return m;
+  });
+}
+export {
+  mergeModels
+};

package/react-parser.js

@@ -111,6 +111,23 @@ function extractJsonArgs(rawArgs) {
   if (cmdMatch) return { command: cmdMatch[1] };
   return { input: jsonStr };
 }
+function extractBraceJson(raw) {
+  const jsonStart = raw.indexOf("{");
+  if (jsonStart === -1) return "";
+  let depth = 0;
+  let jsonEnd = -1;
+  for (let i = jsonStart; i < raw.length; i++) {
+    if (raw[i] === "{") depth++;
+    else if (raw[i] === "}") {
+      depth--;
+      if (depth === 0) {
+        jsonEnd = i;
+        break;
+      }
+    }
+  }
+  return jsonEnd !== -1 ? raw.slice(jsonStart, jsonEnd + 1) : "";
+}
 function parseReact(text) {
   for (const dp of ALL_DIALECT_PATTERNS) {
     const result = parseReactWithPatterns(text, dp);
@@ -382,6 +399,7 @@ export {
   WORD_MAPPINGS,
   buildDialectPatterns,
   detectReactDialect,
+  extractBraceJson,
   extractJsonArgs,
   extractToolFromJson,
   fuzzyMatchToolName,

package/security.js

@@ -1,7 +1,7 @@
 // shared/security.ts
 import * as fs from "node:fs";
-import * as path from "node:path";
-import os from "node:os";
+import * as path2 from "node:path";
+import os2 from "node:os";
 
 // shared/debug.ts
 var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
@@ -13,8 +13,19 @@ function debugLog(module, message, ...args) {
 
 // shared/security.ts
 import dns from "node:dns";
-var SETTINGS_PATH = path.join(os.homedir(), ".pi", "agent", "settings.json");
-var SECURITY_CONFIG_PATH = path.join(os.homedir(), ".pi", "agent", "security.json");
+
+// shared/config-io.ts
+import * as path from "node:path";
+import os from "node:os";
+var PI_AGENT_DIR = path.join(os.homedir(), ".pi", "agent");
+var SETTINGS_PATH = path.join(PI_AGENT_DIR, "settings.json");
+var SECURITY_PATH = path.join(PI_AGENT_DIR, "security.json");
+var REACT_MODE_PATH = path.join(PI_AGENT_DIR, "react-mode.json");
+var MODEL_TEST_CONFIG_PATH = path.join(PI_AGENT_DIR, "model-test-config.json");
+
+// shared/security.ts
+var SETTINGS_PATH2 = SETTINGS_PATH;
+var SECURITY_CONFIG_PATH = SECURITY_PATH;
 function getSecurityMode() {
   try {
     if (!fs.existsSync(SECURITY_CONFIG_PATH)) return "max";
@@ -28,7 +39,7 @@ function getSecurityMode() {
   }
 }
 function setSecurityMode(mode) {
-  const configDir = path.dirname(SECURITY_CONFIG_PATH);
+  const configDir = path2.dirname(SECURITY_CONFIG_PATH);
   try {
     if (!fs.existsSync(configDir)) {
       fs.mkdirSync(configDir, { recursive: true });
@@ -159,6 +170,8 @@ var BLOCKED_URL_ALWAYS = /* @__PURE__ */ new Set([
   "172.29.",
   "172.30.",
   "172.31.",
+  // IPv6-mapped IPv4 cloud metadata (always blocked)
+  "::ffff:169.254.169.254",
   // Internal service patterns
   "internal.",
   "private.",
@@ -172,6 +185,25 @@ var BLOCKED_URL_MAX_ONLY = /* @__PURE__ */ new Set([
   "::1",
   "::ffff:127.0.0.1",
   "::ffff:0.0.0.0",
+  // IPv6-mapped IPv4 private ranges (always blocked in max mode)
+  "::ffff:10.",
+  "::ffff:192.168.",
+  "::ffff:172.16.",
+  "::ffff:172.17.",
+  "::ffff:172.18.",
+  "::ffff:172.19.",
+  "::ffff:172.20.",
+  "::ffff:172.21.",
+  "::ffff:172.22.",
+  "::ffff:172.23.",
+  "::ffff:172.24.",
+  "::ffff:172.25.",
+  "::ffff:172.26.",
+  "::ffff:172.27.",
+  "::ffff:172.28.",
+  "::ffff:172.29.",
+  "::ffff:172.30.",
+  "::ffff:172.31.",
   // Local/internal patterns
   "local."
 ]);
@@ -201,7 +233,7 @@ function validatePath(filePath, allowedDirs) {
   }
   let resolved;
   try {
-    resolved = path.resolve(filePath);
+    resolved = path2.resolve(filePath);
     try {
       resolved = fs.realpathSync(resolved);
     } catch {
@@ -219,9 +251,9 @@ function validatePath(filePath, allowedDirs) {
     "/etc/passwd",
     "/.ssh/",
     "/.gnupg/",
-    path.join(os.homedir(), ".ssh"),
-    path.join(os.homedir(), ".gnupg"),
-    SETTINGS_PATH,
+    path2.join(os2.homedir(), ".ssh"),
+    path2.join(os2.homedir(), ".gnupg"),
+    SETTINGS_PATH2,
     SECURITY_CONFIG_PATH
     // NOTE: models.json is intentionally excluded from sensitivePaths.
     // Extensions use readModelsJson()/writeModelsJson() from shared/ollama.ts
@@ -234,14 +266,14 @@ function validatePath(filePath, allowedDirs) {
     }
   }
   const cwd = process.cwd();
-  const safePrefixes = ["/tmp", "/var/tmp", "/home", cwd];
+  const safePrefixes = ["/home", "/tmp", cwd];
   for (const prefix of safePrefixes) {
-    if (resolved.startsWith(prefix)) return { valid: true, error: "" };
+    if (resolved.startsWith(prefix + "/") || resolved === prefix) return { valid: true, error: "" };
   }
   if (allowedDirs) {
     for (const dir of allowedDirs) {
       try {
-        const absDir = path.resolve(dir);
+        const absDir = path2.resolve(dir);
         if (resolved.startsWith(absDir)) return { valid: true, error: "" };
       } catch {
       }
@@ -249,16 +281,23 @@ function validatePath(filePath, allowedDirs) {
   }
   return { valid: false, error: `Path not in allowed directories: ${filePath}` };
 }
+function stripIpv6Mapped(ip) {
+  if (ip.startsWith("::ffff:") && !ip.startsWith("::ffff:0:0")) {
+    return ip.slice(7);
+  }
+  return ip;
+}
 function isLoopbackIp(ip) {
-  if (ip.startsWith("127.") || ip === "0.0.0.0") return true;
+  const norm = stripIpv6Mapped(ip);
+  if (norm.startsWith("127.") || norm === "0.0.0.0") return true;
   if (ip === "::1" || ip === "::ffff:0.0.0.0") return true;
-  if (ip.startsWith("::ffff:127.")) return true;
   return false;
 }
 function isPrivateIp(ip) {
-  if (ip.startsWith("10.") || ip.startsWith("192.168.")) return true;
-  if (/^172\.(1[6-9]|2\d|3[01])\./.test(ip)) return true;
-  if (ip === "169.254.169.254") return true;
+  const norm = stripIpv6Mapped(ip);
+  if (norm.startsWith("10.") || norm.startsWith("192.168.")) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(norm)) return true;
+  if (norm === "169.254.169.254") return true;
   if (ip.startsWith("fc") || ip.startsWith("fd")) return true;
   if (ip.startsWith("fe80:")) return true;
   return false;
@@ -276,7 +315,8 @@ async function resolveAndCheckHostname(hostname, blockPrivate = true) {
     }
     for (const addr of addresses) {
       const ip = addr.address;
-      if (ip === "169.254.169.254") {
+      const normIp = stripIpv6Mapped(ip);
+      if (normIp === "169.254.169.254") {
         return { safe: false, error: `SSRF protection: hostname ${hostname} resolves to cloud metadata IP ${ip}` };
       }
       if (blockPrivate && (isLoopbackIp(ip) || isPrivateIp(ip))) {
@@ -316,12 +356,24 @@ function isSafeUrl(url, blockSsrf = true) {
     const mode = getSecurityMode();
     for (const pattern of BLOCKED_URL_ALWAYS) {
       if (normalized === pattern || normalized.endsWith("." + pattern) || normalized.startsWith(pattern)) {
+        if (/^\d|^::/.test(pattern)) {
+          const nextChar = normalized[pattern.length];
+          if (nextChar && nextChar !== "/" && nextChar !== ":" && !/\d/.test(nextChar)) {
+            continue;
+          }
+        }
         return { safe: false, error: `SSRF protection: blocked hostname pattern '${pattern}'` };
       }
     }
     if (mode === "max") {
       for (const pattern of BLOCKED_URL_MAX_ONLY) {
         if (normalized === pattern || normalized.endsWith("." + pattern) || normalized.startsWith(pattern)) {
+          if (/^\d|^::/.test(pattern)) {
+            const nextChar = normalized[pattern.length];
+            if (nextChar && nextChar !== "/" && nextChar !== ":" && !/\d/.test(nextChar)) {
+              continue;
+            }
+          }
           return { safe: false, error: `SSRF protection: blocked hostname pattern '${pattern}' (max mode)` };
         }
       }
@@ -330,25 +382,20 @@ function isSafeUrl(url, blockSsrf = true) {
   return { safe: true, error: "" };
 }
 var INJECTION_PATTERNS = [
-  // Command chaining with dangerous commands only
+  // Semicolon chaining to dangerous commands — mode-independent.
+  // Unlike && (conditional), ; ALWAYS runs the second command.
   /;\s*(rm|sudo|chmod|chown|mkfs|dd|shred|kill|pkill)\b/i,
-  // Piping to dangerous commands
-  /\|\s*(rm|sudo|chmod|chown|shred|mkfs)\b/i,
-  // AND chaining with dangerous commands
-  /&&\s*(rm|sudo|chmod|chown|mkfs|dd|shred|kill)\b/i,
   // Command substitution (backticks) — still dangerous
   /`[^`]+`/,
   // Command substitution ($()) — still dangerous
   /\$\([^)]+\)/,
   // Variable expansion targeting sensitive env vars
-  /\$\{?(?:HOME|USER|PATH|SHELL|PWD|SSH|GPG|API_KEY|TOKEN|SECRET|PASSWORD)\}?/i,
-  // Bare pipe without space (likely injection, not intentional piping)
-  /\|(?=[^\s|])/
+  /\$\{?(?:HOME|USER|PATH|SHELL|PWD|SSH|GPG|API_KEY|TOKEN|SECRET|PASSWORD)\}?/i
 ];
-function sanitizeCommand(command) {
-  if (!command) return { isSafe: false, error: "Command cannot be empty", command: "" };
-  const parts = command.trim().split(/\s+/);
-  if (!parts.length) return { isSafe: false, error: "Command cannot be empty", command: "" };
+function checkSingleCommand(command, mode) {
+  const trimmed = command.trim();
+  if (!trimmed) return { isSafe: true, error: "", command: "" };
+  const parts = trimmed.split(/\s+/);
   let baseCmd = parts[0].toLowerCase();
   if (baseCmd.includes("/")) baseCmd = baseCmd.split("/").pop();
   if (baseCmd.includes("\\")) baseCmd = baseCmd.split("\\").pop();
@@ -360,23 +407,57 @@ function sanitizeCommand(command) {
       return { isSafe: false, error: `Blocked command: ${word} (critical)`, command: "" };
     }
   }
-  const mode = getSecurityMode();
   if (mode === "max" && EXTENDED_COMMANDS.has(baseCmd)) {
     return { isSafe: false, error: `Blocked command: ${baseCmd} (max mode)`, command: "" };
   }
-  const stripped = command.replace(/\n/g, " ").replace(/\r/g, " ");
-  if (stripped !== command) {
+  for (const pattern of INJECTION_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return { isSafe: false, error: `Potential injection pattern detected in: ${trimmed}`, command: "" };
+    }
+  }
+  return { isSafe: true, error: "", command: trimmed };
+}
+function sanitizeCommand(command) {
+  if (!command) return { isSafe: false, error: "Command cannot be empty", command: "" };
+  let normalizedCmd = command.normalize("NFKC");
+  normalizedCmd = normalizedCmd.replace(/[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u2028-\u202e\ufeff\u2060-\u2069]/g, "");
+  const strippedForCompare = command.replace(/[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u2028-\u202e\ufeff\u2060-\u2069]/g, "").normalize("NFKC");
+  if (normalizedCmd !== strippedForCompare) {
+    return { isSafe: false, error: `Command rejected: Unicode normalization variance detected (possible homoglyph bypass)`, command: "" };
+  }
+  command = normalizedCmd;
+  const trimmed = command.trim();
+  if (!trimmed) return { isSafe: false, error: "Command cannot be empty", command: "" };
+  const newlineStripped = command.replace(/\n/g, " ").replace(/\r/g, " ");
+  if (newlineStripped !== command) {
     return { isSafe: false, error: "Newline characters detected: potential command injection", command: "" };
   }
   for (const pattern of INJECTION_PATTERNS) {
-    if (pattern.test(command)) {
+    if (pattern.test(trimmed)) {
       return { isSafe: false, error: `Potential injection pattern detected`, command: "" };
     }
   }
+  const subCommands = [];
+  let remaining = trimmed;
+  const chainRegex = /&&|\|\||(?<!\|)\|(?!\|)/g;
+  let match;
+  let lastIndex = 0;
+  while ((match = chainRegex.exec(remaining)) !== null) {
+    subCommands.push(remaining.slice(lastIndex, match.index));
+    lastIndex = match.index + match[0].length;
+  }
+  subCommands.push(remaining.slice(lastIndex));
+  const mode = getSecurityMode();
+  for (const subCmd of subCommands) {
+    const result = checkSingleCommand(subCmd, mode);
+    if (!result.isSafe) {
+      return { isSafe: false, error: result.error, command: "" };
+    }
+  }
   return { isSafe: true, error: "", command };
 }
-var AUDIT_DIR = path.join(os.homedir(), ".pi", "agent");
-var AUDIT_LOG_PATH = path.join(AUDIT_DIR, "audit.log");
+var AUDIT_DIR = path2.join(os2.homedir(), ".pi", "agent");
+var AUDIT_LOG_PATH = path2.join(AUDIT_DIR, "audit.log");
 var AUDIT_BUFFER_MAX_ENTRIES = 50;
 var AUDIT_FLUSH_INTERVAL_MS = 500;
 var _auditBuffer = [];
@@ -409,6 +490,19 @@ function flushAuditBuffer() {
 function appendAuditEntry(entry) {
   try {
     ensureAuditFlushTimer();
+    const AUDIT_LOG_MAX_SIZE = 5 * 1024 * 1024;
+    try {
+      if (fs.existsSync(AUDIT_LOG_PATH)) {
+        const stat = fs.statSync(AUDIT_LOG_PATH);
+        if (stat.size > AUDIT_LOG_MAX_SIZE) {
+          const entries = readRecentAuditEntries(1e3);
+          const content = entries.map((e) => JSON.stringify(e)).join("\n") + "\n";
+          fs.writeFileSync(AUDIT_LOG_PATH, content, "utf-8");
+        }
+      }
+    } catch (err) {
+      debugLog("security", "audit log rotation failed", err);
+    }
     const enriched = { ...entry, securityMode: getSecurityMode() };
     const line = JSON.stringify(enriched) + "\n";
     _auditBuffer.push(line);
@@ -422,8 +516,31 @@ function appendAuditEntry(entry) {
 function readRecentAuditEntries(count = 50) {
   try {
     if (!fs.existsSync(AUDIT_LOG_PATH)) return [];
-    const content = fs.readFileSync(AUDIT_LOG_PATH, "utf-8");
-    const lines = content.trim().split("\n");
+    const fileSize = fs.statSync(AUDIT_LOG_PATH).size;
+    if (fileSize === 0) return [];
+    const fd = fs.openSync(AUDIT_LOG_PATH, "r");
+    const bufferSize = 8192;
+    const buffer = Buffer.alloc(bufferSize);
+    const lines = [];
+    let pos = fileSize;
+    let partial = "";
+    while (pos > 0 && lines.length < count) {
+      const readSize = Math.min(bufferSize, pos);
+      pos -= readSize;
+      fs.readSync(fd, buffer, 0, readSize, pos);
+      const chunk = buffer.slice(0, readSize).toString("utf-8");
+      partial = chunk + partial;
+      const lineBreak = partial.lastIndexOf("\n");
+      if (lineBreak !== -1) {
+        const complete = partial.slice(lineBreak + 1);
+        if (complete.trim()) lines.unshift(complete);
+        partial = partial.slice(0, lineBreak);
+      }
+    }
+    fs.closeSync(fd);
+    if (partial.trim() && lines.length < count) {
+      lines.unshift(partial);
+    }
     const recent = lines.slice(-count);
     return recent.map((line) => {
       try {
@@ -437,6 +554,12 @@ function readRecentAuditEntries(count = 50) {
     return [];
   }
 }
+process.on("exit", () => {
+  flushAuditBuffer();
+});
+process.on("SIGTERM", () => {
+  flushAuditBuffer();
+});
 function checkBashToolInput(input) {
   const command = input.command ?? input.cmd ?? "";
   if (!command) return { safe: true, rule: "", detail: "" };
@@ -501,7 +624,7 @@ export {
   CRITICAL_COMMANDS,
   EXTENDED_COMMANDS,
   SECURITY_CONFIG_PATH,
-  SETTINGS_PATH,
+  SETTINGS_PATH2 as SETTINGS_PATH,
   appendAuditEntry,
   checkBashToolInput,
   checkFileToolInput,

package/test-report.js

@@ -0,0 +1,89 @@
+// shared/format.ts
+function section(title) {
+  return `
+\u2500\u2500 ${title} ${"\u2500".repeat(Math.max(1, 60 - title.length - 4))}`;
+}
+function ok(msg) {
+  return `  \u2705 ${msg}`;
+}
+function fail(msg) {
+  return `  \u274C ${msg}`;
+}
+function warn(msg) {
+  return `  \u26A0\uFE0F  ${msg}`;
+}
+function info(msg) {
+  return `  \u2139\uFE0F  ${msg}`;
+}
+function msHuman(ms) {
+  if (ms < 1e3) return `${ms.toFixed(0)}ms`;
+  if (ms < 6e4) return `${(ms / 1e3).toFixed(1)}s`;
+  return `${(ms / 6e4).toFixed(1)}m`;
+}
+
+// shared/ollama.ts
+import * as path from "node:path";
+import os from "node:os";
+
+// shared/debug.ts
+var DEBUG_ENABLED = process.env.PI_EXTENSIONS_DEBUG === "1";
+
+// shared/ollama.ts
+var EXTENSION_VERSION = "1.1.9";
+var MODELS_JSON_PATH = path.join(os.homedir(), ".pi", "agent", "models.json");
+
+// shared/test-report.ts
+var branding = [
+  `  \u26A1 Pi Model Benchmark v${EXTENSION_VERSION}`,
+  `  Written by VTSTech`,
+  `  GitHub: https://github.com/VTSTech`,
+  `  Website: www.vts-tech.org`
+].join("\n");
+function formatTestScore(score, label) {
+  switch (score) {
+    case "STRONG":
+      return ok(`${label} (${score})`);
+    case "MODERATE":
+      return ok(`${label} (${score})`);
+    case "WEAK":
+      return warn(`${label} (${score})`);
+    case "FAIL":
+      return fail(`${label} (${score})`);
+    case "ERROR":
+      return fail(`Error: ${label}`);
+    default:
+      return fail(`${label} (${score})`);
+  }
+}
+function formatTestSummary(tests, totalMs) {
+  const lines = [];
+  lines.push(section("SUMMARY"));
+  for (const t of tests) {
+    lines.push(t.pass ? ok(`${t.name}: ${t.score}`) : fail(`${t.name}: ${t.score}`));
+  }
+  lines.push(info(`Total time: ${msHuman(totalMs)}`));
+  const passed = tests.filter((t) => t.pass).length;
+  lines.push(info(`Score: ${passed}/${tests.length} tests passed`));
+  return lines;
+}
+function formatRecommendation(model, passed, total, via) {
+  const suffix = via ? ` via ${via}` : "";
+  const lines = [];
+  lines.push(section("RECOMMENDATION"));
+  if (passed === total) {
+    lines.push(ok(`${model} is a STRONG model${suffix} \u2014 full capability`));
+  } else if (passed > 0 && passed >= total - 1) {
+    lines.push(ok(`${model} is a GOOD model${suffix} \u2014 most capabilities work`));
+  } else if (passed > 0 && passed >= total - 2) {
+    lines.push(warn(`${model} is USABLE${suffix} \u2014 some capabilities are limited`));
+  } else {
+    lines.push(fail(`${model} is WEAK${suffix} \u2014 limited capabilities for agent use`));
+  }
+  return lines;
+}
+export {
+  branding,
+  formatRecommendation,
+  formatTestScore,
+  formatTestSummary
+};