oh-my-harness 0.13.0 → 0.14.0

package/README.md

@@ -416,9 +416,8 @@ oh-my-harness/
 - [x] GitHub star prompt — first-time only
 - [x] Codex emitter — `AGENTS.md` + `.codex/hooks.json` + `.codex/config.toml`
 - [x] Unified `.omh/` layout — single source of truth for hooks & state across runtimes
-- [ ] Cursor (`.cursor/rules/`) emitter
-- [ ] Pi ([pi.dev](https://pi.dev)) emitter — generate harness config for the Pi coding agent
-- [x] `ask` mode — request approval before executing risky tools (Claude; Codex falls back to block)
+- [x] Pi ([pi.dev](https://pi.dev)) emitter — bridge extension (`.pi/extensions/omh-harness.ts`) reusing the same `.omh/hooks/*.sh`
+- [x] `ask` mode — request approval before executing risky tools (Claude native prompt / Pi `ctx.ui.select`; Codex falls back to block)
 - [ ] Community harness.yaml registry — share and reuse configs
 - [ ] `omh modify "change X"` — NL config editing
 

package/dist/cli/commands/doctor.d.ts

@@ -10,6 +10,7 @@ export interface DoctorResult {
         agentsMd: boolean;
         settingsJson: boolean;
         codexConfig: boolean;
+        piConfig: boolean;
         hooksExecutable: boolean;
     };
     messages: string[];

package/dist/cli/commands/doctor.js

@@ -11,6 +11,7 @@ export async function doctorCommand(options = {}) {
         agentsMd: false,
         settingsJson: false,
         codexConfig: false,
+        piConfig: false,
         hooksExecutable: false,
     };
     // 1. Check .claude/oh-my-harness.json exists
@@ -88,7 +89,28 @@ export async function doctorCommand(options = {}) {
             messages.push("FAIL: .codex/hooks.json or .codex/config.toml is invalid or unreadable.");
         }
     }
-    // 6. Check hook scripts exist and are executable
+    // 6. Pi bridge extension (.pi/extensions/omh-harness.ts). Only generated when
+    // PreToolUse hooks exist, so absence is acceptable; a present-but-corrupt file
+    // (hand-edit / merge conflict) is a failure.
+    const piExtPath = path.join(projectDir, ".pi", "extensions", "omh-harness.ts");
+    try {
+        const raw = await fs.readFile(piExtPath, "utf-8");
+        if (raw.includes("AUTO-GENERATED by oh-my-harness") && raw.includes('pi.on("tool_call"')) {
+            checks.piConfig = true;
+        }
+        else {
+            messages.push("FAIL: .pi/extensions/omh-harness.ts exists but is not a valid oh-my-harness bridge; run `omh sync`.");
+        }
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            checks.piConfig = true; // no Pi extension — acceptable
+        }
+        else {
+            messages.push("FAIL: .pi/extensions/omh-harness.ts is unreadable.");
+        }
+    }
+    // 7. Check hook scripts exist and are executable
     const hooksDir = path.join(projectDir, OMH_HOOKS_DIR);
     try {
         const files = await fs.readdir(hooksDir);

package/dist/core/generator.js

@@ -3,6 +3,7 @@ import { generateAgentsMd } from "../generators/agents-md.js";
 import { generateHooks } from "../generators/hooks.js";
 import { generateSettings } from "../generators/settings.js";
 import { generateCodexConfig } from "../generators/codex-config.js";
+import { generatePiExtension } from "../generators/pi-extension.js";
 import { updateGitignore } from "../generators/gitignore.js";
 import { migrateLegacyState } from "../utils/state-migration.js";
 import { OMH_DIR } from "../utils/paths.js";
@@ -21,13 +22,14 @@ export async function generate(options) {
     // depend on hooksOutput, so this stage runs first.
     const hooksOutput = await generateHooks({ projectDir, config });
     files.push(...hooksOutput.generatedFiles);
-    // Claude settings.json and Codex config write to disjoint files using the
-    // same hooksOutput — independent.
-    const [, codexFiles] = await Promise.all([
+    // Claude settings.json, Codex config, and the Pi bridge extension write to
+    // disjoint files using the same hooksOutput — independent.
+    const [, codexFiles, piFiles] = await Promise.all([
         generateSettings({ projectDir, config, hooksOutput }),
         generateCodexConfig({ projectDir, hooksOutput }),
+        generatePiExtension({ projectDir, hooksOutput }),
     ]);
-    files.push(`${projectDir}/.claude/settings.json`, ...codexFiles);
+    files.push(`${projectDir}/.claude/settings.json`, ...codexFiles, ...piFiles);
     // .omh/state/ holds volatile log data; hooks/manifest are reproducible.
     await updateGitignore(projectDir, [`${OMH_DIR}/state/`]);
     files.push(`${projectDir}/.gitignore`);

package/dist/generators/pi-extension.d.ts

@@ -0,0 +1,48 @@
+import type { HooksOutput } from "./hooks.js";
+/**
+ * Pi (pi.dev) emitter.
+ *
+ * Pi hooks are TypeScript extensions (`pi.on("tool_call", ...)`), not shell
+ * scripts. Rather than re-implement every catalog block in TypeScript, the
+ * emitter generates a thin *bridge* extension that shells out to the same
+ * `.omh/hooks/*.sh` scripts the Claude and Codex emitters use — keeping a
+ * single source of truth for block logic.
+ *
+ * The bridge always sends a Claude-style payload (a `transcript_path` field is
+ * present), so the runtime-detecting `_emit_decision` in each script emits
+ * `permissionDecision:"ask"` for ask-mode blocks and `decision:"block"` for
+ * block-mode blocks. The bridge maps those back onto Pi's native primitives:
+ * `ctx.ui.select` for ask, `{ block: true }` for block.
+ */
+export interface PiBinding {
+    /** Pi tool names this binding intercepts (e.g. ["edit", "write"]). */
+    tools: string[];
+    /**
+     * The exact shell command line that runs the generated hook, as emitted into
+     * the Claude/Codex settings (e.g. `bash '/abs/.omh/hooks/foo.sh'`). The bridge
+     * runs it through a shell so the format stays identical across all emitters.
+     */
+    command: string;
+}
+/**
+ * Extract the PreToolUse bindings the Pi bridge can express. Pi's `tool_call`
+ * event fires before execution and can block, which maps onto PreToolUse.
+ * Other events (PostToolUse, SessionStart, ...) have no `tool_call` equivalent
+ * and are skipped for now.
+ */
+export declare function extractPiBindings(hooksConfig: HooksOutput["hooksConfig"]): PiBinding[];
+/**
+ * Render the bridge extension TypeScript source for the given bindings.
+ * Pure (no IO) so it can be unit-tested.
+ */
+export declare function buildPiExtension(bindings: PiBinding[]): string;
+export interface GeneratePiExtensionOptions {
+    projectDir: string;
+    hooksOutput: HooksOutput;
+}
+/**
+ * Write the Pi bridge extension to .pi/extensions/omh-harness.ts. Returns the
+ * list of generated file paths (empty when there are no PreToolUse bindings,
+ * in which case no file is written).
+ */
+export declare function generatePiExtension(options: GeneratePiExtensionOptions): Promise<string[]>;

package/dist/generators/pi-extension.js

@@ -0,0 +1,177 @@
+import { mkdir, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+const PI_EXTENSION_DIR = ".pi/extensions";
+const PI_EXTENSION_FILE = "omh-harness.ts";
+// Claude/catalog matcher tool names -> Pi tool names. Pi exposes lowercase
+// built-in tools: bash, read, edit, write, grep, find, ls.
+const MATCHER_TO_PI_TOOL = {
+    bash: "bash",
+    edit: "edit",
+    write: "write",
+    read: "read",
+    grep: "grep",
+    find: "find",
+    ls: "ls",
+};
+/**
+ * Translate a catalog matcher (e.g. "Edit|Write") into the set of Pi tool
+ * names the bridge should intercept. Unknown tokens are dropped.
+ */
+function matcherToPiTools(matcher) {
+    const tools = [];
+    for (const token of matcher.split("|")) {
+        const pi = MATCHER_TO_PI_TOOL[token.trim().toLowerCase()];
+        if (pi && !tools.includes(pi))
+            tools.push(pi);
+    }
+    return tools;
+}
+/**
+ * Extract the PreToolUse bindings the Pi bridge can express. Pi's `tool_call`
+ * event fires before execution and can block, which maps onto PreToolUse.
+ * Other events (PostToolUse, SessionStart, ...) have no `tool_call` equivalent
+ * and are skipped for now.
+ */
+export function extractPiBindings(hooksConfig) {
+    const pre = hooksConfig["PreToolUse"] ?? [];
+    const bindings = [];
+    for (const entry of pre) {
+        const tools = matcherToPiTools(entry.matcher);
+        if (tools.length === 0)
+            continue;
+        for (const hook of entry.hooks) {
+            bindings.push({ tools, command: hook.command });
+        }
+    }
+    return bindings;
+}
+/**
+ * Render the bridge extension TypeScript source for the given bindings.
+ * Pure (no IO) so it can be unit-tested.
+ */
+export function buildPiExtension(bindings) {
+    const bindingLiterals = bindings
+        .map((b) => `  { tools: ${JSON.stringify(b.tools)}, command: ${JSON.stringify(b.command)} },`)
+        .join("\n");
+    return `// AUTO-GENERATED by oh-my-harness. Do not edit by hand.
+//
+// Bridges oh-my-harness catalog hooks onto the Pi coding agent. Each binding
+// shells out to a generated .omh/hooks/*.sh script (the single source of truth
+// shared with the Claude and Codex emitters) and maps its decision onto Pi's
+// native tool_call result.
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { spawnSync } from "node:child_process";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+interface Binding {
+  tools: string[];
+  command: string;
+}
+
+const BINDINGS: Binding[] = [
+${bindingLiterals}
+];
+
+// .pi/extensions/omh-harness.ts -> project root is three levels up.
+const PROJECT_ROOT = join(dirname(fileURLToPath(import.meta.url)), "..", "..");
+
+// Map a Pi tool_call onto the Claude-style payload the shell hooks expect.
+// A transcript_path field marks the payload as Claude-like so ask-mode hooks
+// emit permissionDecision:"ask" instead of a hard block.
+function buildPayload(toolName: string, input: Record<string, unknown>): unknown {
+  const base = { transcript_path: "pi", hook_event_name: "PreToolUse" };
+  switch (toolName) {
+    case "bash":
+      return { ...base, tool_name: "Bash", tool_input: { command: input.command ?? "" } };
+    case "edit":
+      return { ...base, tool_name: "Edit", tool_input: { file_path: input.path ?? "" } };
+    case "write":
+      return { ...base, tool_name: "Write", tool_input: { file_path: input.path ?? "", content: input.content ?? "" } };
+    case "read":
+      return { ...base, tool_name: "Read", tool_input: { file_path: input.path ?? "" } };
+    default:
+      return { ...base, tool_name: toolName, tool_input: input };
+  }
+}
+
+export default function (pi: ExtensionAPI) {
+  pi.on("tool_call", async (event, ctx) => {
+    for (const binding of BINDINGS) {
+      if (!binding.tools.includes(event.toolName)) continue;
+
+      const payload = buildPayload(event.toolName, event.input as Record<string, unknown>);
+      // binding.command is a full shell command line (e.g. bash '/abs/foo.sh'),
+      // identical to what Claude/Codex settings invoke — run it through a shell.
+      const proc = spawnSync(binding.command, {
+        cwd: PROJECT_ROOT,
+        input: JSON.stringify(payload),
+        encoding: "utf-8",
+        timeout: 10000,
+        shell: true,
+      });
+
+      // The generated hook scripts always exit 0 in normal operation (allow or
+      // block is signalled via stdout JSON), so a spawn error (timeout/signal)
+      // or a non-zero exit means the guard itself malfunctioned. Fail closed:
+      // a guardrail must never be silently downgraded to allow by a failure.
+      if (proc.error || (typeof proc.status === "number" && proc.status !== 0)) {
+        return {
+          block: true,
+          reason: "oh-my-harness hook failed: " + (proc.error?.message ?? "exited with code " + proc.status),
+        };
+      }
+
+      const out = (proc.stdout ?? "").trim();
+      if (!out) continue;
+
+      let decision: any;
+      try {
+        decision = JSON.parse(out);
+      } catch {
+        continue; // non-JSON output is treated as a pass-through
+      }
+
+      const isAsk = decision?.hookSpecificOutput?.permissionDecision === "ask";
+      const isBlock = decision?.decision === "block" || decision?.hookSpecificOutput?.permissionDecision === "deny";
+      const reason: string =
+        decision?.hookSpecificOutput?.permissionDecisionReason ??
+        decision?.reason ??
+        "blocked by oh-my-harness";
+
+      if (isAsk) {
+        if (!ctx.hasUI) {
+          return { block: true, reason: reason + " (no UI to confirm)" };
+        }
+        const choice = await ctx.ui.select(\`oh-my-harness — approve this action?\\n\\n  \${reason}\`, ["Yes", "No"]);
+        if (choice !== "Yes") {
+          return { block: true, reason: "declined by user" };
+        }
+        continue; // approved — keep checking remaining bindings
+      }
+
+      if (isBlock) {
+        return { block: true, reason };
+      }
+    }
+    return undefined;
+  });
+}
+`;
+}
+/**
+ * Write the Pi bridge extension to .pi/extensions/omh-harness.ts. Returns the
+ * list of generated file paths (empty when there are no PreToolUse bindings,
+ * in which case no file is written).
+ */
+export async function generatePiExtension(options) {
+    const { projectDir, hooksOutput } = options;
+    const bindings = extractPiBindings(hooksOutput.hooksConfig);
+    if (bindings.length === 0)
+        return [];
+    const dir = join(projectDir, PI_EXTENSION_DIR);
+    await mkdir(dir, { recursive: true });
+    const filePath = join(dir, PI_EXTENSION_FILE);
+    await writeFile(filePath, buildPiExtension(bindings), "utf-8");
+    return [filePath];
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-harness",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "description": "Tame your AI coding agents with natural language",
   "type": "module",
   "bin": {