decorated-pi 0.2.2 → 0.4.0

package/extensions/safety/patterns.ts

@@ -0,0 +1,155 @@
+/**
+ * Safety Detection — known secret patterns and safe-pattern exclusions
+ */
+
+import { basename, extname } from "node:path";
+import {
+  type SecretPattern,
+  type ConfigStringEntry,
+  CONFIG_FILE_EXTENSIONS,
+  CONFIG_BASENAME_REGEX,
+  SENSITIVE_CONFIG_KEY_REGEX,
+  PLACEHOLDER_VALUE_REGEX,
+  CONFIG_VALUE_MIN_LENGTH,
+} from "./types.js";
+
+// ─── High-confidence Secret Patterns (40+ known formats) ─────────────────
+
+export const SECRET_PATTERNS: SecretPattern[] = [
+  // AWS
+  { name: "AWS Access Key ID",         pattern: /AKIA[0-9A-Z]{16}/,                                                minLength: 16,  allowsSpaces: false, highConfidence: true },
+  { name: "AWS Secret Access Key",    pattern: /(?:aws)?_?(?:secret)?_?(?:access)?_?key['"\s:=]+['"]?[0-9a-zA-Z/+]{40}['"]?/i, minLength: 30, allowsSpaces: false, highConfidence: true },
+  // GitHub
+  { name: "GitHub OAuth Token",       pattern: /gho_[0-9a-zA-Z]{36}/,                                            minLength: 36,  allowsSpaces: false, highConfidence: true },
+  { name: "GitHub App Token",          pattern: /(?:ghu|ghs)_[0-9a-zA-Z]{36}/,                                    minLength: 36,  allowsSpaces: false, highConfidence: true },
+  { name: "GitHub PAT",               pattern: /ghp_[0-9a-zA-Z]{36}/,                                            minLength: 36,  allowsSpaces: false, highConfidence: true },
+  { name: "GitHub Fine-Grained Token", pattern: /github_pat_[0-9a-zA-Z_]{22,}/,                                   minLength: 26,  allowsSpaces: false, highConfidence: true },
+  // GitLab
+  { name: "GitLab PAT",              pattern: /glpat-[0-9a-zA-Z\-_]{20,}/,                                      minLength: 20,  allowsSpaces: false, highConfidence: true },
+  { name: "GitLab Runner Token",      pattern: /glrt-[0-9a-zA-Z_\-]{20,}/,                                      minLength: 20,  allowsSpaces: false, highConfidence: true },
+  // Slack
+  { name: "Slack Token",             pattern: /xox[baprs]-[0-9a-zA-Z\-]{10,48}/,                                minLength: 15,  allowsSpaces: false, highConfidence: true },
+  { name: "Slack Webhook URL",        pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]{8,}\/B[a-zA-Z0-9_]{8,}\/[a-zA-Z0-9_]{24}/, minLength: 60, allowsSpaces: false, highConfidence: true },
+  // JWT
+  { name: "JSON Web Token",          pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, minLength: 36, allowsSpaces: false, highConfidence: true },
+  // Google
+  { name: "Google API Key",          pattern: /AIza[0-9A-Za-z\-_]{35}/,                                         minLength: 35,  allowsSpaces: false, highConfidence: true },
+  { name: "Google OAuth Token",       pattern: /ya29\.[0-9A-Za-z\-_]+/,                                          minLength: 10,  allowsSpaces: false, highConfidence: true },
+  // Stripe
+  { name: "Stripe Secret Key",       pattern: /sk_live_[0-9a-zA-Z]{24,}/,                                       minLength: 24,  allowsSpaces: false, highConfidence: true },
+  { name: "Stripe Restricted Key",    pattern: /rk_live_[0-9a-zA-Z]{24,}/,                                       minLength: 24,  allowsSpaces: false, highConfidence: true },
+  // Twilio / SendGrid / Discord
+  { name: "Twilio API Key",          pattern: /SK[a-z0-9]{32}/,                                                 minLength: 30,  allowsSpaces: false, highConfidence: true },
+  { name: "SendGrid API Key",        pattern: /SG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{40,}/,                    minLength: 40,  allowsSpaces: false, highConfidence: true },
+  { name: "Discord Bot Token",        pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/,                    minLength: 40,  allowsSpaces: false, highConfidence: true },
+  // OpenAI / Anthropic / Volcengine Ark
+  { name: "OpenAI API Key",          pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/,                    minLength: 40,  allowsSpaces: false, highConfidence: true },
+  { name: "OpenAI API Key (New)",    pattern: /sk-(?:proj-)?[a-zA-Z0-9\-_]{40,}/,                               minLength: 40,  allowsSpaces: false, highConfidence: true },
+  { name: "Anthropic API Key",       pattern: /sk-ant-api[0-9]{2}-[a-zA-Z0-9\-_]{80,}/,                          minLength: 80,  allowsSpaces: false, highConfidence: true },
+  { name: "Volcengine Ark API Key",  pattern: /ark-[a-zA-Z0-9\-_]{20,}/,                                        minLength: 20,  allowsSpaces: false, highConfidence: true },
+  // NPM / PyPI
+  { name: "NPM Token",               pattern: /npm_[a-zA-Z0-9]{36}/,                                            minLength: 36,  allowsSpaces: false, highConfidence: true },
+  { name: "PyPI Token",              pattern: /pypi-[a-zA-Z0-9_\-]{50,}/,                                       minLength: 50,  allowsSpaces: false, highConfidence: true },
+  // Private Keys
+  { name: "RSA Private Key",         pattern: /-----BEGIN RSA PRIVATE KEY-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END RSA PRIVATE KEY-----/,                           minLength: 40,  allowsSpaces: true,  highConfidence: true },
+  { name: "OpenSSH Private Key",     pattern: /-----BEGIN OPENSSH PRIVATE KEY-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END OPENSSH PRIVATE KEY-----/,                   minLength: 40,  allowsSpaces: true,  highConfidence: true },
+  { name: "EC Private Key",          pattern: /-----BEGIN EC PRIVATE KEY-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END EC PRIVATE KEY-----/,                              minLength: 40,  allowsSpaces: true,  highConfidence: true },
+  { name: "PGP Private Key",         pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END PGP PRIVATE KEY BLOCK-----/,              minLength: 40,  allowsSpaces: true,  highConfidence: true },
+  { name: "Generic Private Key",     pattern: /-----BEGIN (ENCRYPTED )?PRIVATE KEY-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1PRIVATE KEY-----/,                   minLength: 40,  allowsSpaces: true,  highConfidence: true },
+  // Database URIs
+  { name: "MongoDB Connection String", pattern: /mongodb(?:\+srv)?:\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/,           minLength: 20,  allowsSpaces: false, highConfidence: true },
+  { name: "PostgreSQL Connection String", pattern: /postgres(?:ql)?:\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/,        minLength: 20,  allowsSpaces: false, highConfidence: true },
+  { name: "MySQL Connection String",  pattern: /mysql:\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/,                        minLength: 20,  allowsSpaces: false, highConfidence: true },
+  { name: "Redis Connection String",  pattern: /redis:\/\/[^\s'"]*:[^\s'"]+@[^\s'"]+/,                         minLength: 15,  allowsSpaces: false, highConfidence: true },
+  // URL-embedded passwords
+  { name: "Password in URL",         pattern: /[a-zA-Z]{3,10}:\/\/[^/\s:@]{3,20}:[^/\s:@]{3,20}@[^\s'"]+/,    minLength: 15,  allowsSpaces: false, highConfidence: true },
+  // Generic assignments (lower confidence — checked against SAFE_PATTERNS)
+  { name: "Bearer Token",            pattern: /[Bb]earer\s+[a-zA-Z0-9\-._~+/]+=*/,                               minLength: 15,  allowsSpaces: false, highConfidence: false },
+  { name: "Basic Auth Header",       pattern: /[Bb]asic\s+[a-zA-Z0-9+/]{20,}={0,2}/,                            minLength: 20,  allowsSpaces: false, highConfidence: false },
+  { name: "API Key Assignment",      pattern: /(?:api[_-]?key|apikey|api[_-]?secret)['"\s:=]+['"]?[a-zA-Z0-9\-._]{20,}['"]?/i, minLength: 20, allowsSpaces: false, highConfidence: false },
+  { name: "Secret Assignment",       pattern: /(?:secret|token|password|passwd|pwd)['"\s:=]+['"]?[a-zA-Z0-9\-._!@#$%^&*]{8,}['"]?/i, minLength: 12, allowsSpaces: false, highConfidence: false },
+];
+
+// ─── Safe Patterns (false-positive exclusion) ────────────────────────────
+
+export const SAFE_PATTERNS: RegExp[] = [
+  /^https?:\/\/[a-zA-Z0-9.-]+(?:\/[a-zA-Z0-9.\/_\-?&=#%]*)?$/,  // URLs without credentials
+  /^\.\.?\/[a-zA-Z0-9_\-./]+$/,                                 // Relative file paths
+  /^\/[a-zA-Z0-9_\-./]+$/,                                       // Absolute Unix paths
+  /^[a-zA-Z]:\\[a-zA-Z0-9_\-\\./]+$/,                            // Windows paths
+  /^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/,        // Email addresses
+  /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/, // UUIDs
+  /^v?\d+\.\d+\.\d+(?:-[a-zA-Z0-9.]+)?(?:\+[a-zA-Z0-9.]+)?$/,  // Semver
+  /^(?:xxx+|your[_-]?(?:api[_-]?)?key|placeholder|example|test|demo|sample)/i, // Placeholders
+  /^[0-9a-f]{40}$/i,                                              // Git SHA-1
+  /^[0-9a-f]{64}$/i,                                              // SHA-256
+  /^@[a-z0-9-]+\/[a-z0-9-]+$/,                                   // npm scoped packages
+];
+
+export function isSafeContent(content: string): boolean {
+  for (const pat of SAFE_PATTERNS) {
+    if (pat.test(content)) return true;
+  }
+  return false;
+}
+
+// ─── Config-file detection ───────────────────────────────────────────────
+
+export function isConfigLikeFile(filePath?: string): boolean {
+  if (!filePath) return false;
+  const name = basename(filePath);
+  if (CONFIG_BASENAME_REGEX.test(name)) return true;
+  return CONFIG_FILE_EXTENSIONS.has(extname(name).toLowerCase());
+}
+
+const CONFIG_STRING_PATTERNS: RegExp[] = [
+  /(?<key>"[^"\r\n]+"|'[^'\r\n]+'|[A-Za-z0-9_.-]+)\s*[:=]\s*"(?<value>(?:\\.|[^"\\])*)"/g,
+  /(?<key>"[^"\r\n]+"|'[^'\r\n]+'|[A-Za-z0-9_.-]+)\s*[:=]\s*'(?<value>(?:\\.|[^'\\])*)'/g,
+  /(?<key>[A-Za-z0-9_.-]+)\s*=\s*(?<value>[^\r\n#;]+)/g,
+];
+
+export function normalizeConfigKey(key: string): string {
+  return key
+    .trim()
+    .replace(/^['"]|['"]$/g, "")
+    .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
+    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
+    .toLowerCase()
+    .replace(/[.\-\s]+/g, "_")
+    .replace(/_+/g, "_")
+    .replace(/^_+|_+$/g, "");
+}
+
+export function looksLikeSensitiveConfigValue(value: string): boolean {
+  const trimmed = value.trim();
+  if (!trimmed) return false;
+  if (PLACEHOLDER_VALUE_REGEX.test(trimmed)) return false;
+  if (isSafeContent(trimmed)) return false;
+  if (/^(?:true|false|null)$/i.test(trimmed)) return false;
+  if (/^[+-]?\d+(?:\.\d+)?$/.test(trimmed)) return false;
+  return trimmed.length >= CONFIG_VALUE_MIN_LENGTH;
+}
+
+export function extractConfigStringEntries(content: string): ConfigStringEntry[] {
+  const entries: ConfigStringEntry[] = [];
+  const seen = new Set<string>();
+
+  for (const pattern of CONFIG_STRING_PATTERNS) {
+    for (const match of content.matchAll(pattern)) {
+      const key = match.groups?.key;
+      const value = match.groups?.value;
+      if (!key || value === undefined || match.index === undefined) continue;
+      const full = match[0] ?? "";
+      const rel = full.indexOf(value);
+      if (rel < 0) continue;
+      const start = match.index + rel;
+      const end = start + value.length;
+      const dedupeKey = `${start}-${end}`;
+      if (seen.has(dedupeKey)) continue;
+      seen.add(dedupeKey);
+      entries.push({ key, normalizedKey: normalizeConfigKey(key), value, start, end });
+    }
+  }
+
+  return entries;
+}

package/extensions/safety/types.ts

@@ -0,0 +1,50 @@
+/**
+ * Safety Detection — shared types and constants
+ */
+
+// ─── Match types ──────────────────────────────────────────────────────────
+
+export type SecretMatchSource = "pattern" | "regex" | "entropy";
+
+export interface SecretMatch {
+  name: string;
+  start: number;
+  end: number;
+  original: string;
+  source: SecretMatchSource;
+}
+
+export interface SecretPattern {
+  name: string;
+  pattern: RegExp;
+  minLength: number;
+  allowsSpaces: boolean;
+  /** If true, skip safe-pattern exclusion (unambiguous prefix) */
+  highConfidence: boolean;
+}
+
+export interface DetectSecretsOptions {
+  filePath?: string;
+}
+
+// ─── Internal types ──────────────────────────────────────────────────────
+
+export interface ConfigStringEntry {
+  key: string;
+  normalizedKey: string;
+  value: string;
+  start: number;
+  end: number;
+}
+
+// ─── Constants ────────────────────────────────────────────────────────────
+
+export const MIN_SCAN_LENGTH = 10;
+export const CONFIG_VALUE_MIN_LENGTH = 32;
+export const CONFIG_FILE_EXTENSIONS = new Set([
+  ".json", ".jsonc", ".env", ".toml", ".yaml", ".yml",
+  ".ini", ".cfg", ".conf", ".properties",
+]);
+export const CONFIG_BASENAME_REGEX = /^\.env(?:\..+)?$/i;
+export const SENSITIVE_CONFIG_KEY_REGEX = /(?:^|_)(?:apikey|api_(?:key|secret|token)|access_(?:key|token)|refresh_token|client_secret|secret(?:_key)?|private_key|bearer_token|auth(?:orization|_token)?|pass(?:word|wd)?|pwd|token|webhook_secret)(?:_|$)/i;
+export const PLACEHOLDER_VALUE_REGEX = /^(?:\$\{[^}]+\}|\{\{[^}]+\}\}|<[^>]+>|xxx+|placeholder|example|sample|demo|test|changeme|your[_-]?(?:api[_-]?)?key(?:[_-]?here)?)$/i;

package/extensions/settings.ts

@@ -25,10 +25,17 @@ export interface ProviderCache {
   models: ProviderModelEntry[];
 }
 
+export interface McpServerEntry {
+  url: string;
+  enabled?: boolean;
+}
+
 export interface ModuleSettings {
   safety?: boolean;
   lsp?: boolean;
   "smart-at"?: boolean;
+  patch?: boolean;
+  mcp?: boolean;
 }
 
 export interface DecoratedPiConfig {
@@ -36,6 +43,7 @@ export interface DecoratedPiConfig {
   compactModelKey?: string | null;
   providers?: Record<string, ProviderCache>;
   modules?: ModuleSettings;
+  mcpServers?: Record<string, McpServerEntry>;
 }
 
 export function loadConfig(): DecoratedPiConfig {
@@ -111,6 +119,8 @@ const DEFAULT_MODULES: Required<ModuleSettings> = {
   safety: true,
   lsp: true,
   "smart-at": true,
+  patch: true,
+  mcp: true,
 };
 
 export function isModuleEnabled(name: keyof ModuleSettings): boolean {

package/extensions/slash.ts

@@ -2,14 +2,15 @@
  * Slash — 所有扩展命令
  *
  * /dp-model    → 模型选择器 (TAB 切换 Image/Compact)
- * /dp-settings → 模块开关 (safety / lsp / smart-at)
+ * /dp-settings → 模块开关 (patch / safety / lsp / smart-at)
  * /retry       → 中断后继续
  */
 
-import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
-import { ModelPickerComponent } from "./extend-model.js";
+import type { ExtensionAPI, ExtensionContext, Theme as PiTheme } from "@earendil-works/pi-coding-agent";
+import { ModelPickerComponent } from "./model-integration.js";
 import { getAllModuleSettings, setModuleEnabled, type ModuleSettings } from "./settings.js";
-import { Container, SettingsList, type TUI, type Theme as PiTheme, type SettingsListTheme, type Component } from "@earendil-works/pi-tui";
+import { getMcpStatus } from "./mcp/index.js";
+import { Container, SettingsList, Spacer, Text, type TUI, type SettingsListTheme, type Component, getKeybindings } from "@earendil-works/pi-tui";
 
 // ─── Border component (matches native DynamicBorder) ────────────────────────
 
@@ -60,15 +61,19 @@ function setupDpModelCommand(pi: ExtensionAPI) {
 // ─── /dp-settings ──────────────────────────────────────────────────────────
 
 const MODULE_LABELS: Record<keyof ModuleSettings, string> = {
-  safety: "Safety Layer",
-  lsp: "LSP Tools",
-  "smart-at": "Smart @ Search",
+  patch: "patch",
+  safety: "Secret Redaction",
+  lsp: "LSP",
+  "smart-at": "@ overload",
+  mcp: "MCP",
 };
 
 const MODULE_DESCS: Record<keyof ModuleSettings, string> = {
-  safety: "Command guard, protected paths, read guard, secret redaction",
+  patch: "Replace edit/write with patch tool (old_str/new_str replacement + overwrite)",
+  safety: "Redact secrets from read / bash output before they enter model context",
   lsp: "Language server diagnostics, hover, definition, references, symbols, rename",
   "smart-at": "Project-aware file search replacing default autocomplete",
+  mcp: "MCP client for context7 and exa (zero-config)",
 };
 
 class ModuleSettingsComponent extends Container {
@@ -117,7 +122,7 @@ function setupDpSettingsCommand(pi: ExtensionAPI) {
           (tui, theme, _kb, done) =>
             new ModuleSettingsComponent(tui, theme, () => done(undefined))
         );
-        ctx.ui.notify("Module settings updated. /reload to apply.", "info");
+        ctx.ui.notify("Module settings updated. /reload to apply.", "warning");
         return;
       }
       ctx.ui.notify("dp-settings requires interactive mode.", "warning");
@@ -125,6 +130,156 @@ function setupDpSettingsCommand(pi: ExtensionAPI) {
   });
 }
 
+// ─── /mcp ──────────────────────────────────────────────────────────────────
+
+class McpStatusComponent extends Container {
+  private textComponent: Text;
+  private tui: TUI;
+  private theme: PiTheme;
+  private done: () => void;
+  private timer: ReturnType<typeof setInterval> | null = null;
+
+  constructor(tui: TUI, theme: PiTheme, onDone: () => void) {
+    super();
+    this.tui = tui;
+    this.theme = theme;
+    this.done = onDone;
+
+    this.addChild(new DynamicBorder(theme));
+    this.addChild(new Spacer(1));
+
+    this.textComponent = new Text("", 1, 0);
+    this.addChild(this.textComponent);
+
+    this.addChild(new Spacer(1));
+    this.addChild(new Text(this.theme.fg("dim", "Press q to close."), 1, 0));
+    this.addChild(new Spacer(1));
+    this.addChild(new DynamicBorder(theme));
+
+    this.refresh();
+
+    this.timer = setInterval(() => {
+      this.refresh();
+      const allSettled = getMcpStatus().every((s) => s.state !== "connecting");
+      if (allSettled && this.timer) {
+        clearInterval(this.timer);
+        this.timer = null;
+      }
+    }, 500);
+  }
+
+  private refresh() {
+    const servers = getMcpStatus();
+
+    if (servers.length === 0) {
+      this.textComponent.setText("No MCP servers configured.");
+      this.tui.requestRender();
+      return;
+    }
+
+    const connected = servers.filter((s) => s.state === "connected");
+    const connecting = servers.filter((s) => s.state === "connecting");
+    const failed = servers.filter((s) => s.state === "failed");
+
+    const lines: string[] = [
+      `MCP servers (${servers.length}):`,
+      "",
+    ];
+
+    for (const s of connected) {
+      lines.push(this.theme.fg("accent", `• ${s.name}`) + ` (${s.source})`);
+      lines.push(`  URL: ${s.url}`);
+      lines.push(`  Tools: ${s.toolCount}`);
+      for (const tool of s.tools) {
+        const desc = tool.description ? ` — ${tool.description.slice(0, 60)}` : "";
+        lines.push(`    - ${tool.name}${desc}`);
+      }
+      lines.push("");
+    }
+
+    for (const s of connecting) {
+      lines.push(this.theme.fg("accent", `• ${s.name}`) + ` (${s.source})`);
+      lines.push(`  URL: ${s.url}`);
+      lines.push(`  Status: ${this.theme.fg("warning", "connecting...")}`);
+      lines.push("");
+    }
+
+    for (const s of failed) {
+      lines.push(this.theme.fg("accent", `• ${s.name}`) + ` (${s.source})`);
+      lines.push(`  URL: ${s.url}`);
+      lines.push(`  Status: ${this.theme.fg("error", "failed")} — ${s.error ?? "unknown error"}`);
+      lines.push("");
+    }
+
+    this.textComponent.setText(lines.join("\n"));
+    this.tui.requestRender();
+  }
+
+  handleInput(data: string) {
+    const kb = getKeybindings();
+    if (
+      data === "q" ||
+      data === "\r" ||
+      data === "\n" ||
+      kb.matches(data, "tui.select.cancel")
+    ) {
+      if (this.timer) {
+        clearInterval(this.timer);
+        this.timer = null;
+      }
+      this.done();
+    }
+  }
+
+  dispose() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+  }
+}
+
+function setupMcpCommand(pi: ExtensionAPI) {
+  pi.registerCommand("mcp", {
+    description: "Show active MCP servers and their tools",
+    handler: async (_args, ctx) => {
+      if (ctx.hasUI) {
+        await ctx.ui.custom<void>(
+          (tui, theme, _kb, done) => new McpStatusComponent(tui, theme, () => done(undefined))
+        );
+        return;
+      }
+
+      // Fallback for non-interactive (print / RPC) mode.
+      const servers = getMcpStatus();
+      if (servers.length === 0) {
+        ctx.ui.notify("No MCP servers configured.", "info");
+        return;
+      }
+
+      const lines: string[] = [`MCP servers (${servers.length}):`, ""];
+      for (const s of servers) {
+        lines.push(`• ${s.name} (${s.source})`);
+        lines.push(`  URL: ${s.url}`);
+        if (s.state === "connecting") {
+          lines.push(`  Status: connecting...`);
+        } else if (s.state === "failed") {
+          lines.push(`  Status: failed — ${s.error ?? "unknown error"}`);
+        } else {
+          lines.push(`  Tools: ${s.toolCount}`);
+          for (const tool of s.tools) {
+            const desc = tool.description ? ` — ${tool.description.slice(0, 60)}` : "";
+            lines.push(`    - ${tool.name}${desc}`);
+          }
+        }
+        lines.push("");
+      }
+
+      pi.sendMessage({ customType: "mcp-status", content: lines.join("\n"), display: true }, { triggerTurn: false });
+    },
+  });
+}
+
 // ─── /retry ────────────────────────────────────────────────────────────────
 
 function setupRetryCommand(pi: ExtensionAPI) {
@@ -163,5 +318,6 @@ function setupRetryCommand(pi: ExtensionAPI) {
 export function setupSlash(pi: ExtensionAPI) {
   setupDpModelCommand(pi);
   setupDpSettingsCommand(pi);
+  setupMcpCommand(pi);
   setupRetryCommand(pi);
 }