pi-mono-all 1.2.2 → 1.2.4

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # pi-mono-all
 
+## 1.2.4
+
+### Patch Changes
+
+- Bundle `pi-mono-sentinel@1.12.0` with project-scoped config stored under the Pi agent directory instead of the current working directory.
+
+## 1.2.3
+
+### Patch Changes
+
+- Bundle `pi-mono-linear@0.2.3` with Linear schema drift fixes and team-key resolution for issue creation.
+
 ## 1.2.2
 
 ### Patch Changes

package/node_modules/pi-mono-linear/CHANGELOG.md

@@ -1,5 +1,12 @@
 # pi-mono-linear
 
+## 0.2.3
+
+### Patch Changes
+
+- Update Project GraphQL selections to use `teams` instead of removed `team` fields.
+- Resolve `linear_create_issue` team keys to UUIDs before calling the Linear mutation and return clearer errors for unknown keys.
+
 ## 0.2.2
 
 ### Patch Changes

package/node_modules/pi-mono-linear/README.md

@@ -129,6 +129,7 @@ Linear API keys are sent in the `Authorization` header as the raw key value; do
 ## Usage tips
 
 - Use `linear_workspace_metadata` first when team/project/state/label/user IDs are unknown.
+- `linear_create_issue` accepts either a team UUID or a team key; keys are resolved to UUIDs before the Linear mutation.
 - Use `linear_search_issues` for keyword lookup.
 - Use `linear_get_issue` before updating an issue or creating a comment.
 - Use `linear_list_issues` for filtered issue lists by team, assignee, status, and limit.

package/node_modules/pi-mono-linear/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-mono-linear",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Pi extension and skill for Linear GraphQL tools",
   "type": "module",
   "keywords": [

package/node_modules/pi-mono-linear/src/linear-client.ts

@@ -68,6 +68,18 @@ interface FileUploadMutationResponse {
 	};
 }
 
+interface LinearTeamNode {
+	id: string;
+	name?: string;
+	key?: string;
+}
+
+interface ListTeamsResponse {
+	teams?: {
+		nodes?: LinearTeamNode[];
+	};
+}
+
 export interface UploadedFileResult {
 	filename: string;
 	contentType: string;
@@ -134,8 +146,9 @@ export class LinearClient {
 		return this.cached(`myIssues:${limit}`, () => this.graphql(queries.LIST_MY_ISSUES, { first: limit }));
 	}
 
-	createIssue(input: CreateIssueInput): Promise<unknown> {
-		return this.graphql(queries.CREATE_ISSUE, { input: compact(input) });
+	async createIssue(input: CreateIssueInput): Promise<unknown> {
+		const teamId = await this.resolveTeamId(input.teamId);
+		return this.graphql(queries.CREATE_ISSUE, { input: compact({ ...input, teamId }) });
 	}
 
 	updateIssue(issueId: string, input: UpdateIssueInput): Promise<unknown> {
@@ -227,6 +240,24 @@ export class LinearClient {
 		return this.cached(`document:${documentId}`, () => this.graphql(queries.GET_DOCUMENT, { id: documentId }));
 	}
 
+	private async resolveTeamId(teamIdOrKey: string): Promise<string> {
+		const value = teamIdOrKey.trim();
+		if (!value) throw new ApiError("teamId is required", 400, undefined, "Linear");
+		if (isUuid(value)) return value;
+
+		const teams = await this.cached("teams", () => this.graphql<ListTeamsResponse>(queries.LIST_TEAMS));
+		const nodes = teams.teams?.nodes ?? [];
+		const match = nodes.find((team) => team.key?.toLowerCase() === value.toLowerCase());
+		if (match?.id) return match.id;
+
+		throw new ApiError(
+			`teamId must be a Linear team UUID or a known team key; "${value}" did not match any team key`,
+			400,
+			{ providedTeamId: value, availableTeamKeys: nodes.map((team) => team.key).filter(Boolean) },
+			"Linear",
+		);
+	}
+
 	private async graphql<T = unknown>(query: string, variables: Variables = {}): Promise<T> {
 		return this.limiter.schedule(async () => {
 			const response = await this.http.post<GraphQlResponse<T>>("", { query, variables });
@@ -246,6 +277,10 @@ export function readLinearToken(): Promise<string> {
 	return readAuthToken({ envName: "LINEAR_API_KEY", authPath: ["linear", "key"] });
 }
 
+function isUuid(value: string): boolean {
+	return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value);
+}
+
 function buildIssueFilter(options: ListIssuesOptions): Variables {
 	const filter: Variables = {};
 	if (options.teamId) filter.team = { id: { eq: options.teamId } };

package/node_modules/pi-mono-linear/src/linear-queries.ts

@@ -51,9 +51,9 @@ export const UPDATE_ISSUE = `mutation($id: String!, $input: IssueUpdateInput!) {
   issueUpdate(id: $id, input: $input) { success issue { id identifier title priority state { id name } } }
 }`;
 
-export const LIST_PROJECTS = `query { projects { nodes { id name description state team { id name key } } } }`;
+export const LIST_PROJECTS = `query { projects { nodes { id name description state teams { nodes { id name key } } } } }`;
 export const LIST_TEAM_PROJECTS = `query($id: String!) { team(id: $id) { id name projects { nodes { id name description state } } } }`;
-export const GET_PROJECT = `query($id: String!) { project(id: $id) { id name description state url team { id name key } lead { id name } } }`;
+export const GET_PROJECT = `query($id: String!) { project(id: $id) { id name description state url teams { nodes { id name key } } lead { id name } } }`;
 
 export const LIST_STATUSES = `query { workflowStates { nodes { id name type color position team { id name key } } } }`;
 export const LIST_TEAM_STATUSES = `query($id: String!) { team(id: $id) { id name states { nodes { id name type color position } } } }`;
@@ -94,7 +94,7 @@ export const GET_DOCUMENT = `query($id: String!) { document(id: $id) { id title
 
 export const WORKSPACE_METADATA = `query {
   teams { nodes { id name key } }
-  projects { nodes { id name description state team { id name } } }
+  projects { nodes { id name description state teams { nodes { id name key } } } }
   workflowStates { nodes { id name type color position team { id name key } } }
   issueLabels { nodes { id name color team { id name key } } }
   users { nodes { id name email displayName } }

package/node_modules/pi-mono-linear/src/linear-schemas.ts

@@ -5,7 +5,7 @@ export const MaxResponseCharsSchema = Type.Optional(
 );
 
 export const LimitSchema = Type.Optional(Type.Number({ description: "Maximum number of records to fetch", minimum: 1, maximum: 250 }));
-export const TeamIdSchema = Type.String({ description: "Linear team UUID or key where accepted by Linear" });
+export const TeamIdSchema = Type.String({ description: "Linear team UUID or key (keys are resolved to UUIDs for issue creation)" });
 export const IssueIdSchema = Type.String({ description: "Linear issue UUID or identifier such as ENG-123" });
 export const UserIdSchema = Type.String({ description: "Linear user UUID" });
 export const ProjectIdSchema = Type.String({ description: "Linear project UUID" });

package/node_modules/pi-mono-linear/src/linear-tools.ts

@@ -157,7 +157,7 @@ export function registerLinearTools(pi: ExtensionAPI): void {
 	pi.registerTool({
 		name: "linear_create_issue",
 		label: "Linear Create Issue",
-		description: "Create a Linear issue. Use linear_workspace_metadata first if team/state/user/project IDs are unknown.",
+		description: "Create a Linear issue. Accepts a team UUID or team key; keys are resolved before calling Linear. Use linear_workspace_metadata first if team/state/user/project IDs are unknown.",
 		parameters: LinearCreateIssueParams,
 		async execute(_id, params, _signal, _onUpdate, ctx) {
 			const result = await withLinearAuth(ctx, () => client.createIssue({

package/node_modules/pi-mono-sentinel/CHANGELOG.md

@@ -1,5 +1,11 @@
 # pi-mono-sentinel
 
+## 1.12.0
+
+### Changed
+
+- Store project-scoped Sentinel config under the Pi agent directory (`~/.pi/agent/extensions/sentinel/projects/`) instead of creating `.pi/extensions/sentinel.json` in the current working directory. Existing cwd-local config files are still read for compatibility.
+
 ## 1.11.0
 
 ### Minor Changes

package/node_modules/pi-mono-sentinel/README.md

@@ -14,11 +14,13 @@ It addresses cross-cutting security gaps that pure command-based guardrails miss
 Sentinel reads and merges optional JSON config from three scopes:
 
 1. Global: `$PI_CODING_AGENT_DIR/extensions/sentinel.json` or `~/.pi/agent/extensions/sentinel.json`
-2. Local/project: `.pi/extensions/sentinel.json` under the current working directory
+2. Local/project: a current-working-directory scoped file under `$PI_CODING_AGENT_DIR/extensions/sentinel/projects/` or `~/.pi/agent/extensions/sentinel/projects/`
 3. Memory: session-only grants written internally while Pi is running
 
 Merge priority is `memory > local > global > defaults`.
 
+Local/project config is stored in Pi's agent directory instead of the user's working directory, so Sentinel does not create `.pi/` files in arbitrary project folders. Existing legacy `.pi/extensions/sentinel.json` files are still read for compatibility, but new local/project writes go to the agent directory.
+
 ```json
 {
   "enabled": true,

package/node_modules/pi-mono-sentinel/__tests__/config.test.ts

@@ -1,7 +1,7 @@
 import assert from "node:assert/strict";
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
 import { afterEach, beforeEach, describe, test } from "node:test";
 
 import { SentinelConfigLoader } from "../config.ts";
@@ -39,7 +39,7 @@ describe("SentinelConfigLoader", () => {
 		mkdirSync(join(agentDir, "extensions"), { recursive: true });
 		writeFileSync(loader.getConfigPath("global"), JSON.stringify({ pathAccess: { allowedPaths: ["/global"] } }), { flag: "w" });
 		loader.load(cwd);
-		mkdirSync(join(cwd, ".pi", "extensions"), { recursive: true });
+		mkdirSync(dirname(loader.getConfigPath("local")), { recursive: true });
 		writeFileSync(loader.getConfigPath("local"), JSON.stringify({ features: { pathAccess: true }, pathAccess: { allowedPaths: ["/local"] } }), { flag: "w" });
 		loader.load(cwd);
 		loader.save("memory", { pathAccess: { mode: "block", allowedPaths: ["/memory"] } });
@@ -49,12 +49,26 @@ describe("SentinelConfigLoader", () => {
 		assert.deepEqual(config.pathAccess.allowedPaths, ["/memory"]);
 	});
 
-	test("save writes global and local config files", () => {
+	test("save writes global and cwd-scoped local config files under the agent dir", () => {
 		const loader = new SentinelConfigLoader();
 		loader.load(cwd);
 		loader.save("global", { enabled: false });
 		loader.save("local", { features: { pathAccess: true } });
 		assert.deepEqual(loader.getRawConfig("global"), { enabled: false });
 		assert.deepEqual(loader.getRawConfig("local"), { features: { pathAccess: true } });
+		assert.equal(loader.getConfigPath("local").startsWith(join(agentDir, "extensions", "sentinel", "projects")), true);
+		assert.equal(existsSync(join(cwd, ".pi", "extensions", "sentinel.json")), false);
+	});
+
+	test("reads legacy cwd-local config without writing back to cwd", () => {
+		const loader = new SentinelConfigLoader();
+		mkdirSync(join(cwd, ".pi", "extensions"), { recursive: true });
+		writeFileSync(join(cwd, ".pi", "extensions", "sentinel.json"), JSON.stringify({ features: { pathAccess: true } }), { flag: "w" });
+
+		loader.load(cwd);
+		assert.equal(loader.getConfig().features.pathAccess, true);
+
+		loader.save("local", { pathAccess: { allowedPaths: ["/outside"] } });
+		assert.equal(existsSync(loader.getConfigPath("local")), true);
 	});
 });

package/node_modules/pi-mono-sentinel/__tests__/path-access.test.ts

@@ -44,7 +44,10 @@ describe("path-access helpers", () => {
 	});
 
 	test("derives and persists selected path-access grants with the correct scope and target", () => {
+		const originalAgentDir = process.env.PI_CODING_AGENT_DIR;
+		const agentDir = mkdtempSync(join(tmpdir(), "sentinel-path-access-agent-"));
 		const cwd = mkdtempSync(join(tmpdir(), "sentinel-path-access-cwd-"));
+		process.env.PI_CODING_AGENT_DIR = agentDir;
 		try {
 			configLoader.load(cwd);
 			configLoader.save("memory", { features: { pathAccess: true }, pathAccess: { mode: "ask", allowedPaths: [] } });
@@ -69,6 +72,9 @@ describe("path-access helpers", () => {
 			configLoader.addAllowedPath(localFileGrant.scope, localFileGrant.grant);
 			assert.ok(configLoader.getRawConfig("local")?.pathAccess?.allowedPaths?.includes("/tmp/outside-file.txt"));
 		} finally {
+			if (originalAgentDir === undefined) delete process.env.PI_CODING_AGENT_DIR;
+			else process.env.PI_CODING_AGENT_DIR = originalAgentDir;
+			rmSync(agentDir, { recursive: true, force: true });
 			rmSync(cwd, { recursive: true, force: true });
 		}
 	});

package/node_modules/pi-mono-sentinel/config.ts

@@ -1,6 +1,7 @@
+import { createHash } from "node:crypto";
 import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
-import { dirname, join } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 
 export type SentinelConfigScope = "global" | "local" | "memory";
 export type SentinelPathAccessMode = "allow" | "ask" | "block";
@@ -92,6 +93,20 @@ function writeJson(path: string, value: SentinelConfig): void {
 	writeFileSync(path, `${JSON.stringify(value, null, 2)}\n`, "utf-8");
 }
 
+function localScopeId(cwd: string): string {
+	const normalizedCwd = resolve(cwd);
+	const slug = (basename(normalizedCwd) || "root")
+		.replace(/[^a-zA-Z0-9._-]+/g, "-")
+		.replace(/^-+|-+$/g, "")
+		.slice(0, 48) || "root";
+	const hash = createHash("sha256").update(normalizedCwd).digest("hex").slice(0, 12);
+	return `${slug}-${hash}.json`;
+}
+
+function legacyLocalConfigPath(cwd: string): string {
+	return join(resolve(cwd), ".pi", "extensions", "sentinel.json");
+}
+
 function isPlainObject(value: unknown): value is Record<string, unknown> {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -127,7 +142,11 @@ export class SentinelConfigLoader {
 	load(cwd = process.cwd()): void {
 		this.localCwd = cwd;
 		this.globalConfig = readJson(this.getConfigPath("global"));
-		this.localConfig = readJson(this.getConfigPath("local"));
+		const legacyLocalConfig = readJson(legacyLocalConfigPath(this.localCwd));
+		const scopedLocalConfig = readJson(this.getConfigPath("local"));
+		this.localConfig = legacyLocalConfig && scopedLocalConfig
+			? mergeConfig(legacyLocalConfig, scopedLocalConfig)
+			: scopedLocalConfig ?? legacyLocalConfig;
 		this.resolvedConfig = undefined;
 	}
 
@@ -152,7 +171,7 @@ export class SentinelConfigLoader {
 	getConfigPath(scope: Exclude<SentinelConfigScope, "memory">): string {
 		return scope === "global"
 			? join(getAgentDir(), "extensions", "sentinel.json")
-			: join(this.localCwd, ".pi", "extensions", "sentinel.json");
+			: join(getAgentDir(), "extensions", "sentinel", "projects", localScopeId(this.localCwd));
 	}
 
 	save(scope: SentinelConfigScope, partial: SentinelConfig): void {

package/node_modules/pi-mono-sentinel/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-mono-sentinel",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "description": "Pi extension that guards against content-based secret leaks and indirect script execution",
   "keywords": [
     "pi-package",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-mono-all",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "description": "All pi-mono extensions and bundled skills",
   "type": "module",
   "keywords": [
@@ -14,19 +14,19 @@
     "pi-mono-btw": "1.7.4",
     "pi-mono-clear": "1.7.3",
     "pi-mono-context": "0.1.1",
-    "pi-mono-figma": "0.2.2",
-    "pi-mono-linear": "0.2.2",
     "pi-mono-context-guard": "1.7.3",
-    "pi-mono-loop": "1.7.3",
-    "pi-mono-review": "1.8.2",
+    "pi-mono-linear": "0.2.3",
+    "pi-common": "0.1.1",
+    "pi-mono-figma": "0.2.2",
     "pi-mono-multi-edit": "1.7.3",
-    "pi-mono-sentinel": "1.11.0",
+    "pi-mono-sentinel": "1.12.0",
     "pi-mono-simplify": "1.7.3",
+    "pi-mono-review": "1.8.2",
+    "pi-mono-team-mode": "2.3.2",
     "pi-mono-status-line": "1.7.3",
     "pi-mono-usage": "0.1.1",
     "pi-mono-web-search": "0.1.0",
-    "pi-common": "0.1.1",
-    "pi-mono-team-mode": "2.3.2"
+    "pi-mono-loop": "1.7.3"
   },
   "bundledDependencies": [
     "pi-mono-ask-user-question",