npm - omegon - Versions diffs - 0.6.0 - Mend

omegon 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/.gitattributes +3 -0
package/AGENTS.md +16 -0
package/LICENSE +15 -0
package/README.md +289 -0
package/bin/pi.mjs +30 -0
package/extensions/00-secrets/index.ts +1126 -0
package/extensions/01-auth/auth.ts +401 -0
package/extensions/01-auth/index.ts +289 -0
package/extensions/auto-compact.ts +42 -0
package/extensions/bootstrap/deps.ts +291 -0
package/extensions/bootstrap/index.ts +811 -0
package/extensions/chronos/chronos.sh +487 -0
package/extensions/chronos/index.ts +148 -0
package/extensions/cleave/assessment.ts +754 -0
package/extensions/cleave/bridge.ts +31 -0
package/extensions/cleave/conflicts.ts +250 -0
package/extensions/cleave/dispatcher.ts +808 -0
package/extensions/cleave/guardrails.ts +426 -0
package/extensions/cleave/index.ts +3121 -0
package/extensions/cleave/lifecycle-emitter.ts +20 -0
package/extensions/cleave/openspec.ts +811 -0
package/extensions/cleave/planner.ts +260 -0
package/extensions/cleave/review.ts +579 -0
package/extensions/cleave/skills.ts +355 -0
package/extensions/cleave/types.ts +261 -0
package/extensions/cleave/workspace.ts +861 -0
package/extensions/cleave/worktree.ts +243 -0
package/extensions/core-renderers.ts +253 -0
package/extensions/dashboard/context-gauge.ts +58 -0
package/extensions/dashboard/file-watch.ts +14 -0
package/extensions/dashboard/footer.ts +1145 -0
package/extensions/dashboard/git.ts +185 -0
package/extensions/dashboard/index.ts +478 -0
package/extensions/dashboard/memory-audit.ts +34 -0
package/extensions/dashboard/overlay-data.ts +705 -0
package/extensions/dashboard/overlay.ts +365 -0
package/extensions/dashboard/render-utils.ts +54 -0
package/extensions/dashboard/types.ts +191 -0
package/extensions/dashboard/uri-helper.ts +45 -0
package/extensions/debug.ts +69 -0
package/extensions/defaults.ts +282 -0
package/extensions/design-tree/dashboard-state.ts +161 -0
package/extensions/design-tree/design-card.ts +362 -0
package/extensions/design-tree/index.ts +2130 -0
package/extensions/design-tree/lifecycle-emitter.ts +41 -0
package/extensions/design-tree/tree.ts +1607 -0
package/extensions/design-tree/types.ts +163 -0
package/extensions/distill.ts +127 -0
package/extensions/effort/index.ts +395 -0
package/extensions/effort/tiers.ts +146 -0
package/extensions/effort/types.ts +105 -0
package/extensions/lib/git-state.ts +227 -0
package/extensions/lib/local-models.ts +157 -0
package/extensions/lib/model-preferences.ts +51 -0
package/extensions/lib/model-routing.ts +720 -0
package/extensions/lib/operator-fallback.ts +205 -0
package/extensions/lib/operator-profile.ts +360 -0
package/extensions/lib/slash-command-bridge.ts +253 -0
package/extensions/lib/typebox-helpers.ts +16 -0
package/extensions/local-inference/index.ts +727 -0
package/extensions/mcp-bridge/README.md +220 -0
package/extensions/mcp-bridge/index.ts +951 -0
package/extensions/mcp-bridge/lib.ts +365 -0
package/extensions/mcp-bridge/mcp.json +3 -0
package/extensions/mcp-bridge/package.json +11 -0
package/extensions/model-budget.ts +752 -0
package/extensions/offline-driver.ts +403 -0
package/extensions/openspec/archive-gate.ts +164 -0
package/extensions/openspec/branch-cleanup.ts +64 -0
package/extensions/openspec/dashboard-state.ts +50 -0
package/extensions/openspec/index.ts +1917 -0
package/extensions/openspec/lifecycle-emitter.ts +65 -0
package/extensions/openspec/lifecycle-files.ts +70 -0
package/extensions/openspec/lifecycle.ts +50 -0
package/extensions/openspec/reconcile.ts +187 -0
package/extensions/openspec/spec.ts +1385 -0
package/extensions/openspec/types.ts +98 -0
package/extensions/project-memory/DESIGN-global-mind.md +198 -0
package/extensions/project-memory/README.md +202 -0
package/extensions/project-memory/api-types.ts +382 -0
package/extensions/project-memory/compaction-policy.ts +29 -0
package/extensions/project-memory/core.ts +164 -0
package/extensions/project-memory/embeddings.ts +230 -0
package/extensions/project-memory/extraction-v2.ts +861 -0
package/extensions/project-memory/factstore.ts +2177 -0
package/extensions/project-memory/index.ts +3459 -0
package/extensions/project-memory/injection-metrics.ts +91 -0
package/extensions/project-memory/jsonl-io.ts +12 -0
package/extensions/project-memory/lifecycle.ts +331 -0
package/extensions/project-memory/migration.ts +293 -0
package/extensions/project-memory/package.json +9 -0
package/extensions/project-memory/sci-renderers.ts +7 -0
package/extensions/project-memory/template.ts +103 -0
package/extensions/project-memory/triggers.ts +52 -0
package/extensions/project-memory/types.ts +102 -0
package/extensions/render/composition/fonts/Inter-Bold.ttf +0 -0
package/extensions/render/composition/fonts/Inter-Regular.ttf +0 -0
package/extensions/render/composition/fonts/Tomorrow-Bold.ttf +0 -0
package/extensions/render/composition/fonts/Tomorrow-Regular.ttf +0 -0
package/extensions/render/composition/package-lock.json +534 -0
package/extensions/render/composition/package.json +22 -0
package/extensions/render/composition/render.mjs +246 -0
package/extensions/render/composition/test-comp.tsx +87 -0
package/extensions/render/composition/types.ts +24 -0
package/extensions/render/excalidraw/UPSTREAM.md +81 -0
package/extensions/render/excalidraw/elements.ts +764 -0
package/extensions/render/excalidraw/index.ts +66 -0
package/extensions/render/excalidraw/types.ts +223 -0
package/extensions/render/excalidraw-renderer/pyproject.toml +8 -0
package/extensions/render/excalidraw-renderer/render_excalidraw.py +182 -0
package/extensions/render/excalidraw-renderer/render_template.html +59 -0
package/extensions/render/index.ts +830 -0
package/extensions/render/native-diagrams/index.ts +57 -0
package/extensions/render/native-diagrams/motifs.ts +542 -0
package/extensions/render/native-diagrams/raster.ts +8 -0
package/extensions/render/native-diagrams/scene.ts +75 -0
package/extensions/render/native-diagrams/spec.ts +204 -0
package/extensions/render/native-diagrams/svg.ts +116 -0
package/extensions/sci-ui.ts +304 -0
package/extensions/session-log.ts +174 -0
package/extensions/shared-state.ts +146 -0
package/extensions/spinner-verbs.ts +91 -0
package/extensions/style.ts +281 -0
package/extensions/terminal-title.ts +191 -0
package/extensions/tool-profile/index.ts +291 -0
package/extensions/tool-profile/profiles.ts +290 -0
package/extensions/types.d.ts +9 -0
package/extensions/vault/index.ts +185 -0
package/extensions/version-check.ts +90 -0
package/extensions/view/index.ts +859 -0
package/extensions/view/uri-resolver.ts +148 -0
package/extensions/web-search/index.ts +182 -0
package/extensions/web-search/providers.ts +121 -0
package/extensions/web-ui/index.ts +110 -0
package/extensions/web-ui/server.ts +265 -0
package/extensions/web-ui/state.ts +462 -0
package/extensions/web-ui/static/index.html +145 -0
package/extensions/web-ui/types.ts +284 -0
package/package.json +76 -0
package/prompts/init.md +75 -0
package/prompts/new-repo.md +54 -0
package/prompts/oci-login.md +56 -0
package/prompts/status.md +50 -0
package/settings.json +4 -0
package/skills/cleave/SKILL.md +218 -0
package/skills/git/SKILL.md +209 -0
package/skills/git/_reference/ci-validation.md +204 -0
package/skills/oci/SKILL.md +338 -0
package/skills/openspec/SKILL.md +346 -0
package/skills/pi-extensions/SKILL.md +191 -0
package/skills/pi-tui/SKILL.md +517 -0
package/skills/python/SKILL.md +189 -0
package/skills/rust/SKILL.md +268 -0
package/skills/security/SKILL.md +206 -0
package/skills/style/SKILL.md +264 -0
package/skills/typescript/SKILL.md +225 -0
package/skills/vault/SKILL.md +102 -0
package/themes/alpharius-legacy.json +85 -0
package/themes/alpharius.conf +59 -0
package/themes/alpharius.json +88 -0

package/extensions/01-auth/auth.ts ADDED Viewed

@@ -0,0 +1,401 @@
+/**
+ * 01-auth/auth — Domain logic for authentication status checking.
+ *
+ * Extracted from index.ts so tests can import without pulling in
+ * pi-tui/pi-coding-agent dependencies (which aren't resolvable under tsx).
+ */
+import type { ExtensionAPI } from "@cwilson613/pi-coding-agent";
+// ─── Types ───────────────────────────────────────────────────────
+export type AuthStatus = "ok" | "expired" | "invalid" | "none" | "missing";
+export interface AuthResult {
+	provider: string;
+	status: AuthStatus;
+	detail: string;
+	error?: string;
+	refresh?: string;
+	secretHint?: string;
+}
+export interface AuthProvider {
+	/** Unique identifier: "github", "gitlab", "aws", etc. */
+	id: string;
+	/** Display name: "GitHub", "GitLab", "AWS", etc. */
+	name: string;
+	/** CLI binary name: "gh", "glab", "aws", etc. */
+	cli: string;
+	/** Env var that can provide a token (checked via process.env, populated by 00-secrets) */
+	tokenEnvVar?: string;
+	/** Command to refresh/login */
+	refreshCommand: string;
+	/** Check auth status. Returns structured result with diagnosis. */
+	check(pi: ExtensionAPI, signal?: AbortSignal): Promise<AuthResult>;
+}
+// ─── Error Diagnosis Helpers ─────────────────────────────────────
+/**
+ * Classify auth-specific error patterns from CLI stderr.
+ *
+ * Pattern ordering matters: expired is checked before invalid because
+ * "invalid token has expired" should classify as expired, not invalid.
+ *
+ * Only auth-specific keywords are matched. Generic terms like "denied"
+ * or "invalid" are scoped with adjacent auth context words to avoid
+ * false positives on non-auth errors like "invalid region".
+ */
+export function diagnoseError(stderr: string): { status: AuthStatus; reason: string } {
+	const lower = stderr.toLowerCase();
+	// Expired tokens — most specific, check first
+	if (lower.includes("token has expired") || lower.includes("token is expired")
+		|| lower.includes("session expired") || lower.includes("expiredtoken")
+		|| lower.includes("credentials have expired")
+		|| /\bexpired\b.*\b(?:token|session|credential|certificate)\b/.test(lower)
+		|| /\b(?:token|session|credential|certificate)\b.*\bexpired\b/.test(lower)) {
+		return { status: "expired", reason: "Token or session has expired" };
+	}
+	// Not logged in — check before invalid to avoid "not authenticated" matching "invalid"
+	if (lower.includes("not logged") || lower.includes("no token") || lower.includes("not authenticated")
+		|| lower.includes("login required") || lower.includes("no credentials")
+		|| lower.includes("no valid credentials")) {
+		return { status: "none", reason: "Not authenticated" };
+	}
+	// Invalid/revoked credentials — scoped to auth-relevant context
+	if (lower.includes("bad credentials") || lower.includes("authentication failed")
+		|| lower.includes("revoked")
+		|| /\b401\b/.test(lower) || lower.includes("unauthorized")) {
+		return { status: "invalid", reason: extractErrorLine(stderr) };
+	}
+	// Forbidden (authenticated but insufficient permissions)
+	if (/\b403\b/.test(lower) || lower.includes("insufficient scope")
+		|| lower.includes("access denied")) {
+		return { status: "invalid", reason: `Authenticated but forbidden: ${extractErrorLine(stderr)}` };
+	}
+	return { status: "none", reason: extractErrorLine(stderr) || "Authentication failed" };
+}
+/** Extract the most informative error line from multi-line stderr. */
+export function extractErrorLine(stderr: string): string {
+	const lines = stderr.trim().split("\n").filter(l => l.trim());
+	// Prefer lines with auth-relevant error keywords
+	const errorLine = lines.find(l => /error|failed|invalid|expired|denied|unauthorized|401|403/i.test(l));
+	if (errorLine) return errorLine.trim().slice(0, 200);
+	// Fall back to first non-empty line
+	return (lines[0] || "Unknown error").trim().slice(0, 200);
+}
+// ─── Providers ───────────────────────────────────────────────────
+const gitProvider: AuthProvider = {
+	id: "git",
+	name: "Git",
+	cli: "git",
+	refreshCommand: 'git config --global user.name "Your Name" && git config --global user.email "you@example.com"',
+	async check(pi, signal) {
+		const nameResult = await pi.exec("git", ["config", "user.name"], { signal, timeout: 5_000 });
+		const emailResult = await pi.exec("git", ["config", "user.email"], { signal, timeout: 5_000 });
+		const name = nameResult.stdout.trim() || "";
+		const email = emailResult.stdout.trim() || "";
+		if (name && email) {
+			return { provider: this.id, status: "ok", detail: `${name} <${email}>` };
+		}
+		return {
+			provider: this.id,
+			status: "none",
+			detail: `name: ${name || "(not set)"}, email: ${email || "(not set)"}`,
+			refresh: this.refreshCommand,
+		};
+	},
+};
+const githubProvider: AuthProvider = {
+	id: "github",
+	name: "GitHub",
+	cli: "gh",
+	tokenEnvVar: "GITHUB_TOKEN",
+	refreshCommand: "gh auth login",
+	async check(pi, signal) {
+		const which = await pi.exec("which", ["gh"], { signal, timeout: 3_000 });
+		if (which.code !== 0) {
+			return { provider: this.id, status: "missing", detail: "gh CLI not installed" };
+		}
+		const result = await pi.exec("gh", ["auth", "status"], { signal, timeout: 10_000 });
+		const output = (result.stdout + "\n" + result.stderr).trim();
+		if (result.code === 0) {
+			const accountMatch = output.match(/Logged in to \S+ account (\S+)/);
+			const scopeMatch = output.match(/Token scopes:(.+)/);
+			let detail = accountMatch ? accountMatch[1] : "authenticated";
+			if (scopeMatch) detail += ` (scopes: ${scopeMatch[1].trim()})`;
+			return { provider: this.id, status: "ok", detail, refresh: this.refreshCommand };
+		}
+		const diag = diagnoseError(output);
+		return {
+			provider: this.id,
+			status: diag.status,
+			detail: diag.reason,
+			error: output.slice(0, 300),
+			refresh: this.refreshCommand,
+			secretHint: "GITHUB_TOKEN",
+		};
+	},
+};
+const gitlabProvider: AuthProvider = {
+	id: "gitlab",
+	name: "GitLab",
+	cli: "glab",
+	tokenEnvVar: "GITLAB_TOKEN",
+	refreshCommand: "glab auth login",
+	async check(pi, signal) {
+		const which = await pi.exec("which", ["glab"], { signal, timeout: 3_000 });
+		if (which.code !== 0) {
+			if (process.env.GITLAB_TOKEN) {
+				return {
+					provider: this.id,
+					status: "ok",
+					detail: "GITLAB_TOKEN set (glab CLI not installed)",
+				};
+			}
+			return { provider: this.id, status: "missing", detail: "glab CLI not installed" };
+		}
+		const result = await pi.exec("glab", ["auth", "status"], { signal, timeout: 10_000 });
+		const output = (result.stdout + "\n" + result.stderr).trim();
+		if (result.code === 0) {
+			const accountMatch = output.match(/Logged in to \S+ (?:as|account) (\S+)/i);
+			const hostMatch = output.match(/Logged in to (\S+)/i);
+			let detail = accountMatch ? accountMatch[1] : "authenticated";
+			if (hostMatch) detail += ` @ ${hostMatch[1]}`;
+			return { provider: this.id, status: "ok", detail, refresh: this.refreshCommand };
+		}
+		const diag = diagnoseError(output);
+		return {
+			provider: this.id,
+			status: diag.status,
+			detail: diag.reason,
+			error: output.slice(0, 300),
+			refresh: this.refreshCommand,
+			secretHint: "GITLAB_TOKEN",
+		};
+	},
+};
+const awsProvider: AuthProvider = {
+	id: "aws",
+	name: "AWS",
+	cli: "aws",
+	tokenEnvVar: "AWS_ACCESS_KEY_ID",
+	refreshCommand: "aws sso login --profile <profile>",
+	async check(pi, signal) {
+		const which = await pi.exec("which", ["aws"], { signal, timeout: 3_000 });
+		if (which.code !== 0) {
+			return { provider: this.id, status: "missing", detail: "aws CLI not installed" };
+		}
+		const result = await pi.exec("aws", ["sts", "get-caller-identity", "--output", "json"], { signal, timeout: 10_000 });
+		if (result.code === 0) {
+			try {
+				const identity = JSON.parse(result.stdout.trim());
+				return {
+					provider: this.id,
+					status: "ok",
+					detail: identity.Arn || identity.Account || "authenticated",
+					refresh: this.refreshCommand,
+				};
+			} catch {
+				return { provider: this.id, status: "ok", detail: "authenticated", refresh: this.refreshCommand };
+			}
+		}
+		const diag = diagnoseError(result.stderr || result.stdout);
+		return {
+			provider: this.id,
+			status: diag.status,
+			detail: diag.reason,
+			error: (result.stderr || result.stdout).slice(0, 300),
+			refresh: this.refreshCommand,
+			secretHint: "AWS_ACCESS_KEY_ID",
+		};
+	},
+};
+const kubernetesProvider: AuthProvider = {
+	id: "kubernetes",
+	name: "Kubernetes",
+	cli: "kubectl",
+	refreshCommand: "kubectl config use-context <context>",
+	async check(pi, signal) {
+		const which = await pi.exec("which", ["kubectl"], { signal, timeout: 3_000 });
+		if (which.code !== 0) {
+			return { provider: this.id, status: "missing", detail: "kubectl not installed" };
+		}
+		const kctx = await pi.exec("kubectl", ["config", "current-context"], { signal, timeout: 5_000 });
+		if (kctx.code === 0) {
+			const context = kctx.stdout.trim();
+			const verify = await pi.exec("kubectl", ["cluster-info", "--request-timeout=5s"], { signal, timeout: 10_000 });
+			if (verify.code === 0) {
+				return {
+					provider: this.id,
+					status: "ok",
+					detail: `context: ${context}`,
+					refresh: this.refreshCommand,
+				};
+			}
+			const diag = diagnoseError(verify.stderr || verify.stdout);
+			return {
+				provider: this.id,
+				status: diag.status,
+				detail: `context: ${context} — ${diag.reason}`,
+				error: (verify.stderr || "").slice(0, 300),
+				refresh: this.refreshCommand,
+			};
+		}
+		return {
+			provider: this.id,
+			status: "none",
+			detail: "No context set",
+			refresh: this.refreshCommand,
+		};
+	},
+};
+const ociProvider: AuthProvider = {
+	id: "oci",
+	name: "OCI Registry (ghcr.io)",
+	cli: "podman",
+	refreshCommand: "gh auth token | podman login ghcr.io -u <user> --password-stdin",
+	async check(pi, signal) {
+		const podmanWhich = await pi.exec("which", ["podman"], { signal, timeout: 3_000 });
+		const dockerWhich = await pi.exec("which", ["docker"], { signal, timeout: 3_000 });
+		const cmd = podmanWhich.code === 0 ? "podman" : dockerWhich.code === 0 ? "docker" : null;
+		if (!cmd) {
+			return { provider: this.id, status: "missing", detail: "Neither podman nor docker installed" };
+		}
+		const refresh = `gh auth token | ${cmd} login ghcr.io -u $(gh api user --jq .login) --password-stdin`;
+		const result = await pi.exec(cmd, ["login", "--get-login", "ghcr.io"], { signal, timeout: 5_000 });
+		if (result.code === 0) {
+			return {
+				provider: this.id,
+				status: "ok",
+				detail: `ghcr.io: ${result.stdout.trim()} (${cmd})`,
+				refresh,
+			};
+		}
+		return {
+			provider: this.id,
+			status: "none",
+			detail: `Not logged in to ghcr.io (${cmd})`,
+			refresh,
+		};
+	},
+};
+// ─── Provider Registry ───────────────────────────────────────────
+/** All providers, ordered by typical check priority. */
+export const ALL_PROVIDERS: AuthProvider[] = [
+	gitProvider,
+	githubProvider,
+	gitlabProvider,
+	awsProvider,
+	kubernetesProvider,
+	ociProvider,
+];
+export function findProvider(idOrName: string): AuthProvider | undefined {
+	const lower = idOrName.toLowerCase();
+	return ALL_PROVIDERS.find(p => p.id === lower || p.name.toLowerCase() === lower);
+}
+// ─── Shared check-all helper ─────────────────────────────────────
+export async function checkAllProviders(pi: ExtensionAPI, signal?: AbortSignal): Promise<AuthResult[]> {
+	const results: AuthResult[] = [];
+	for (const provider of ALL_PROVIDERS) {
+		try {
+			results.push(await provider.check(pi, signal));
+		} catch (e: any) {
+			results.push({
+				provider: provider.id,
+				status: "none",
+				detail: `Check failed: ${e.message}`,
+			});
+		}
+	}
+	return results;
+}
+// ─── Formatting ──────────────────────────────────────────────────
+export const STATUS_ICONS: Record<AuthStatus, string> = {
+	ok: "✓",
+	expired: "⚠",
+	invalid: "✗",
+	none: "✗",
+	missing: "·",
+};
+export function formatResults(results: AuthResult[]): string {
+	const lines: string[] = ["**Auth Status**", ""];
+	for (const r of results) {
+		const icon = STATUS_ICONS[r.status];
+		let line = `  ${icon}  **${r.provider}**: ${r.detail}`;
+		if (r.error && r.status !== "ok") {
+			line += `\n      Error: ${r.error.split("\n")[0].slice(0, 120)}`;
+		}
+		lines.push(line);
+	}
+	// Actionable items
+	const fixable = results.filter(r =>
+		r.status === "expired" || r.status === "invalid" || r.status === "none"
+	);
+	if (fixable.length > 0) {
+		lines.push("", "**To fix:**");
+		for (const r of fixable) {
+			if (r.status === "expired") {
+				lines.push(`  ${r.provider}: token expired → \`${r.refresh}\``);
+			} else if (r.status === "invalid") {
+				lines.push(`  ${r.provider}: credentials invalid → \`${r.refresh}\``);
+				if (r.secretHint) {
+					lines.push(`    Or configure via: \`/secrets configure ${r.secretHint}\``);
+				}
+			} else {
+				lines.push(`  ${r.provider}: \`${r.refresh}\``);
+				if (r.secretHint) {
+					lines.push(`    Or configure via: \`/secrets configure ${r.secretHint}\``);
+				}
+			}
+		}
+	}
+	return lines.join("\n");
+}

package/extensions/01-auth/index.ts ADDED Viewed

@@ -0,0 +1,289 @@
+// @secret GITHUB_TOKEN "GitHub personal access token (alternative to gh auth login)"
+// @secret GITLAB_TOKEN "GitLab personal access token (alternative to glab auth login)"
+// @secret AWS_ACCESS_KEY_ID "AWS access key ID (alternative to aws sso login)"
+// @secret AWS_SECRET_ACCESS_KEY "AWS secret access key"
+/**
+ * Auth Extension — authentication status, diagnosis, and refresh across dev tools.
+ *
+ * Registers:
+ *   - `whoami` tool: LLM-callable auth status check
+ *   - `/auth` command: interactive auth management
+ *     - `/auth` or `/auth status` — check all providers
+ *     - `/auth check <provider>` — check a specific provider
+ *     - `/auth refresh <provider>` — show refresh command + offer /secrets path
+ *     - `/auth list` — list available providers
+ *
+ * Security model:
+ *   - Auth NEVER stores, caches, or manipulates secret values directly.
+ *   - All credential storage flows through 00-secrets (`/secrets configure`).
+ *   - Auth reads process.env (populated by 00-secrets at init) to check
+ *     whether token env vars are set.
+ *   - Auth runs CLI tools (`gh`, `glab`, `aws`, etc.) to check session state
+ *     and parse error output for specific failure reasons.
+ *
+ * Load order: 01-auth loads after 00-secrets, so process.env is populated.
+ */
+import type { ExtensionAPI } from "@cwilson613/pi-coding-agent";
+import { Text } from "@cwilson613/pi-tui";
+import { Type } from "@sinclair/typebox";
+import { sciCall, sciOk, sciErr, sciExpanded } from "../sci-ui.ts";
+// Import domain logic from auth.ts (testable without pi-tui dependency)
+import {
+	diagnoseError,
+	extractErrorLine,
+	ALL_PROVIDERS,
+	STATUS_ICONS,
+	formatResults,
+	findProvider,
+	checkAllProviders,
+	type AuthStatus,
+	type AuthResult,
+	type AuthProvider,
+} from "./auth.ts";
+// Re-export types for backward compatibility
+export type { AuthStatus, AuthResult, AuthProvider };
+// ─── Extension ───────────────────────────────────────────────────
+export default function authExtension(pi: ExtensionAPI) {
+	// ── Tool: whoami (LLM-callable) ───────────────────────────────
+	pi.registerTool({
+		name: "whoami",
+		label: "Auth Status",
+		description:
+			"Check authentication status across development tools " +
+			"(git, GitHub, GitLab, AWS, Kubernetes, OCI registries). " +
+			"Returns structured status with error diagnosis and refresh " +
+			"commands for expired or missing sessions.",
+		promptSnippet:
+			"Check auth status across dev tools (git, GitHub, GitLab, AWS, k8s, OCI registries)",
+		parameters: Type.Object({}),
+		async execute(_toolCallId, _params, signal, _onUpdate, _ctx) {
+			const results = await checkAllProviders(pi, signal);
+			const text = formatResults(results);
+			return {
+				content: [{ type: "text", text }],
+				details: {
+					checks: results.map(r => ({
+						provider: r.provider,
+						status: r.status,
+						detail: r.detail,
+						error: r.error,
+					})),
+				},
+			};
+		},
+		renderCall(_args, theme) {
+			return sciCall("whoami", "", theme);
+		},
+		renderResult(result, { expanded }, theme) {
+			if ((result as any).isError) {
+				const first = result.content?.[0];
+				return sciErr(first && 'text' in first ? first.text : "Error", theme);
+			}
+			const checks = ((result.details as any)?.checks || []) as Array<{ provider: string; status: string; detail: string }>;
+			const summary = checks.map(c => {
+				const icon = STATUS_ICONS[c.status as AuthStatus] || "?";
+				return `${icon} ${c.provider}`;
+			}).join(" · ");
+			const hasError = checks.some(c => c.status !== "ok" && c.status !== "missing");
+			if (expanded) {
+				const lines = checks.map(c => {
+					const icon = STATUS_ICONS[c.status as AuthStatus] || "?";
+					const color = c.status === "ok" ? "success"
+						: c.status === "expired" ? "warning"
+						: c.status === "missing" ? "muted"
+						: "error";
+					return theme.fg(color as Parameters<typeof theme.fg>[0], `${icon} ${c.provider}`) + (c.detail ? theme.fg("dim", `  ${c.detail}`) : "");
+				});
+				return sciExpanded(lines, summary, theme);
+			}
+			return hasError ? sciErr(summary, theme) : sciOk(summary, theme);
+		},
+	});
+	// ── Command: /auth ────────────────────────────────────────────
+	pi.registerCommand("auth", {
+		description: "Auth management: status | check <provider> | refresh <provider> | list",
+		getArgumentCompletions: (prefix: string) => {
+			const parts = prefix.split(/\s+/);
+			if (parts.length <= 1) {
+				const subs = ["status", "check", "refresh", "list"];
+				const filtered = subs.filter(s => s.startsWith(parts[0] || ""));
+				return filtered.length > 0
+					? filtered.map(s => ({ value: s, label: s }))
+					: null;
+			}
+			const sub = parts[0];
+			if ((sub === "check" || sub === "refresh") && parts.length === 2) {
+				const partial = parts[1] || "";
+				return ALL_PROVIDERS
+					.filter(p => p.id.startsWith(partial) || p.name.toLowerCase().startsWith(partial))
+					.map(p => ({
+						value: `${sub} ${p.id}`,
+						label: `${p.id} — ${p.name}`,
+					}));
+			}
+			return null;
+		},
+		handler: async (args, ctx) => {
+			const parts = (args || "status").trim().split(/\s+/);
+			const subcommand = parts[0];
+			const providerArg = parts.slice(1).join(" ");
+			switch (subcommand) {
+				case "status":
+				case "": {
+					const results = await checkAllProviders(pi);
+					const text = formatResults(results);
+					pi.sendMessage({ customType: "view", content: text, display: true });
+					break;
+				}
+				case "check": {
+					if (!providerArg) {
+						ctx.ui.notify("Usage: /auth check <provider>  (try /auth list)", "error");
+						return;
+					}
+					const provider = findProvider(providerArg);
+					if (!provider) {
+						ctx.ui.notify(
+							`Unknown provider: ${providerArg}\nAvailable: ${ALL_PROVIDERS.map(p => p.id).join(", ")}`,
+							"error"
+						);
+						return;
+					}
+					try {
+						const result = await provider.check(pi);
+						const text = formatResults([result]);
+						pi.sendMessage({ customType: "view", content: text, display: true });
+					} catch (e: any) {
+						ctx.ui.notify(`Check failed: ${e.message}`, "error");
+					}
+					break;
+				}
+				case "refresh": {
+					if (!providerArg) {
+						ctx.ui.notify("Usage: /auth refresh <provider>  (try /auth list)", "error");
+						return;
+					}
+					const provider = findProvider(providerArg);
+					if (!provider) {
+						ctx.ui.notify(
+							`Unknown provider: ${providerArg}\nAvailable: ${ALL_PROVIDERS.map(p => p.id).join(", ")}`,
+							"error"
+						);
+						return;
+					}
+					// Check current state first
+					let current: AuthResult;
+					try {
+						current = await provider.check(pi);
+					} catch (e: any) {
+						ctx.ui.notify(`Check failed: ${e.message}`, "error");
+						return;
+					}
+					if (current.status === "ok") {
+						ctx.ui.notify(`${provider.name} is already authenticated: ${current.detail}`, "info");
+						return;
+					}
+					if (current.status === "missing") {
+						ctx.ui.notify(
+							`${provider.name}: ${provider.cli} CLI is not installed.\n` +
+							(provider.tokenEnvVar
+								? `You can set ${provider.tokenEnvVar} instead: /secrets configure ${provider.tokenEnvVar}`
+								: `Install ${provider.cli} first.`),
+							"warning"
+						);
+						return;
+					}
+					// Show refresh instructions — don't execute interactive commands
+					// because pi.exec runs without a TTY. CLI login commands (gh auth login,
+					// glab auth login, aws sso login) require browser interaction.
+					const statusLabel = current.status === "expired"
+						? "expired"
+						: current.status === "invalid"
+							? "invalid"
+							: "not authenticated";
+					const lines = [
+						`**${provider.name}** — ${statusLabel}`,
+					];
+					if (current.error) {
+						lines.push(`Error: ${current.error.split("\n")[0].slice(0, 120)}`);
+					}
+					lines.push("", "**Options:**");
+					lines.push(`  1. Run in your terminal: \`${provider.refreshCommand}\``);
+					if (provider.tokenEnvVar) {
+						lines.push(`  2. Configure token: \`/secrets configure ${provider.tokenEnvVar}\``);
+					}
+					lines.push("", "After authenticating, run `/auth check " + provider.id + "` to verify.");
+					pi.sendMessage({ customType: "view", content: lines.join("\n"), display: true });
+					break;
+				}
+				case "list": {
+					const lines = ALL_PROVIDERS.map(p => {
+						let line = `  ${p.id} — ${p.name} (${p.cli})`;
+						if (p.tokenEnvVar) line += `  [env: ${p.tokenEnvVar}]`;
+						return line;
+					});
+					ctx.ui.notify("Available auth providers:\n\n" + lines.join("\n"), "info");
+					break;
+				}
+				default:
+					ctx.ui.notify(
+						"Usage: /auth <status|check|refresh|list> [provider]\n\n" +
+						"  /auth               — check all providers\n" +
+						"  /auth check github  — check a specific provider\n" +
+						"  /auth refresh aws   — show refresh instructions\n" +
+						"  /auth list          — list available providers",
+						"info"
+					);
+			}
+		},
+	});
+	// ── Backward compat: /whoami command ──────────────────────────
+	pi.registerCommand("whoami", {
+		description: "Alias for /auth status — check authentication across dev tools",
+		handler: async (_args, _ctx) => {
+			const results = await checkAllProviders(pi);
+			const text = formatResults(results);
+			pi.sendMessage({ customType: "view", content: text, display: true });
+		},
+	});
+}
+// Domain logic re-exported from auth.ts for backward compatibility
+export {
+	diagnoseError,
+	extractErrorLine,
+	ALL_PROVIDERS,
+	STATUS_ICONS,
+	formatResults,
+	findProvider,
+	checkAllProviders,
+} from "./auth.ts";