pi-sage 0.2.14 → 0.2.16

package/.pi/extensions/sage/caller-context.ts

@@ -0,0 +1,50 @@
+import type { CallerContext } from "./types.js";
+
+export type InputSource = "interactive" | "rpc" | "extension";
+export type InteractiveOrRpcSource = "interactive" | "rpc";
+
+export function isKnownInputSource(value: string): value is InputSource {
+  return value === "interactive" || value === "rpc" || value === "extension";
+}
+
+export function updateLastInteractiveOrRpcSource(
+  previous: InteractiveOrRpcSource | undefined,
+  source: string
+): InteractiveOrRpcSource | undefined {
+  if (source === "interactive" || source === "rpc") {
+    return source;
+  }
+  return previous;
+}
+
+export function buildCallerContextFromSignals(input: {
+  lastInteractiveOrRpcSource: InteractiveOrRpcSource | undefined;
+  unknownSourceSeen: boolean;
+  hasUI: boolean;
+  roleHint?: string;
+  isCI?: boolean;
+  isSubagent?: boolean;
+}): CallerContext | null {
+  const { lastInteractiveOrRpcSource, unknownSourceSeen, hasUI, roleHint, isCI, isSubagent } = input;
+  if (unknownSourceSeen) return null;
+  if (!lastInteractiveOrRpcSource) return null;
+
+  const normalizedRole = roleHint?.trim().toLowerCase();
+  const isRpcSource = lastInteractiveOrRpcSource === "rpc";
+  const interactive = hasUI && lastInteractiveOrRpcSource === "interactive";
+  const isInteractiveSupervisor = interactive && normalizedRole === "supervisor";
+
+  return {
+    session: {
+      interactive
+    },
+    agent: {
+      role: normalizedRole ?? "primary",
+      isSubagent: Boolean(isSubagent),
+      isRpcOrchestrated: isRpcSource || Boolean(normalizedRole && normalizedRole !== "primary" && !isInteractiveSupervisor)
+    },
+    runtime: {
+      mode: isCI ? "ci" : hasUI ? (isRpcSource ? "rpc" : "interactive") : "non-interactive"
+    }
+  };
+}

package/.pi/extensions/sage/index.ts

@@ -7,6 +7,12 @@ import {
   isHardCostCapExceeded,
   makeBlockedResult
 } from "./policy.js";
+import {
+  buildCallerContextFromSignals,
+  isKnownInputSource,
+  updateLastInteractiveOrRpcSource,
+  type InteractiveOrRpcSource
+} from "./caller-context.js";
 import {
   isSageRunnerPolicyError,
   runSageSingleShot,
@@ -34,8 +40,6 @@ import type {
   ToolProfile
 } from "./types.js";
 
-type InputSource = "interactive" | "rpc" | "extension";
-
 type ModelLike = {
   provider: string;
   id: string;
@@ -45,7 +49,7 @@ type ModelLike = {
 const ROLE_HINT_ENV_KEYS = ["TASKPLANE_ROLE", "TASKPLANE_AGENT_ROLE", "PI_AGENT_ROLE", "ORCH_AGENT_ROLE"];
 
 const REASONING_LEVELS: ReasoningLevel[] = ["minimal", "low", "medium", "high", "xhigh"];
-const TOOL_PROFILES: ToolProfile[] = ["none", "read-only-lite", "git-review-readonly", "custom-read-only"];
+const TOOL_PROFILES: ToolProfile[] = ["none", "read-only-lite", "git-review-readonly", "custom-read-only", "yolo"];
 const MODEL_INHERIT_VALUE = "inherit";
 
 const SAGE_GUIDANCE = [
@@ -57,7 +61,8 @@ const SAGE_GUIDANCE = [
   "For `sage_consult` params: `objective` is optional and must be one of debug|design|review|refactor|general (omit if unsure); `urgency` is optional and must be low|medium|high.",
   "In git-review-readonly policy, bash must start with an allowed git read command (status|diff|show|log|blame|rev-parse|branch --show-current).",
   "Read-only pipelines are allowed only with: head, tail, grep, cut, sed, wc, sort, uniq.",
-  "Do not use shell chaining or control operators (e.g., ;, &&, ||, >, <, $, backticks).",
+  "Do not use shell chaining or control operators (e.g., ;, &&, ||, >, <, $, backticks) unless tool profile is explicitly set to yolo.",
+  "If tool profile is yolo, Sage may use unrestricted available tools/commands (including node/npm/cd/tests); use only when operator intentionally accepts elevated risk.",
   "If a bash command is blocked, fall back to ls/glob/grep/read and continue with a best-effort advisory review instead of stopping."
 ].join("\n- ");
 
@@ -74,12 +79,22 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
     sessionCostTotal: 0
   };
 
-  let lastInputSource: InputSource | undefined;
+  let lastInteractiveOrRpcSource: InteractiveOrRpcSource | undefined;
+  let unknownInputSourceSeen = false;
 
   pi.on("input", (event) => {
-    if (event.source === "interactive" || event.source === "rpc" || event.source === "extension") {
-      lastInputSource = event.source;
+    const source = String(event.source ?? "");
+
+    if (!isKnownInputSource(source)) {
+      unknownInputSourceSeen = true;
+      return { action: "continue" };
     }
+
+    lastInteractiveOrRpcSource = updateLastInteractiveOrRpcSource(lastInteractiveOrRpcSource, source);
+    if (source === "interactive" || source === "rpc") {
+      unknownInputSourceSeen = false;
+    }
+
     return { action: "continue" };
   });
 
@@ -115,7 +130,8 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
       "`objective` is optional: debug|design|review|refactor|general. Omit instead of free text.",
       "`urgency` is optional: low|medium|high.",
       "For git-review-readonly, prefer plain git read commands and allowed read-only pipelines (head/tail/grep/cut/sed/wc/sort/uniq).",
-      "Avoid shell chaining/control operators (;, &&, ||, >, <, $, backticks).",
+      "Avoid shell chaining/control operators (;, &&, ||, >, <, $, backticks) unless tool profile is explicitly set to yolo.",
+      "If tool profile is yolo, unrestricted tools/commands (including node/npm/cd/tests) are permitted by policy and should be used carefully.",
       "If bash is blocked, continue with ls/glob/grep/read and still deliver best-effort findings.",
       "After Sage returns, synthesize recommendations and continue execution."
     ],
@@ -166,7 +182,7 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
         });
       }
 
-      const callerContext = buildCallerContext(lastInputSource, ctx.hasUI);
+      const callerContext = buildCallerContext(lastInteractiveOrRpcSource, unknownInputSourceSeen, ctx.hasUI);
       const eligibility = isEligibleCaller(callerContext);
       if (!eligibility.ok) {
         return makeBlockedResult({
@@ -225,17 +241,19 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
         });
       }
 
-      const disallowedCustomTools = getDisallowedCustomTools(settings.toolPolicy.customAllowedTools);
-      if (disallowedCustomTools.length > 0) {
-        return makeBlockedResult({
-          mode,
-          model: resolvedModel,
-          reasoningLevel: settings.reasoningLevel,
-          blockCode: "tool-disallowed",
-          reason: `Custom tool list contains disallowed tools: ${disallowedCustomTools.join(", ")}`,
-          allowedByContext: true,
-          allowedByBudget: false
-        });
+      if (shouldValidateCustomAllowedTools(settings.toolPolicy.profile)) {
+        const disallowedCustomTools = getDisallowedCustomTools(settings.toolPolicy.customAllowedTools);
+        if (disallowedCustomTools.length > 0) {
+          return makeBlockedResult({
+            mode,
+            model: resolvedModel,
+            reasoningLevel: settings.reasoningLevel,
+            blockCode: "tool-disallowed",
+            reason: `Custom tool list contains disallowed tools: ${disallowedCustomTools.join(", ")}`,
+            allowedByContext: true,
+            allowedByBudget: false
+          });
+        }
       }
 
       try {
@@ -347,6 +365,10 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
   });
 }
 
+export function shouldValidateCustomAllowedTools(profile: ToolProfile): boolean {
+  return profile === "custom-read-only";
+}
+
 function formatRunnerPolicyReason(blockCode: BlockCode, reason: string): string {
   if (blockCode === "tool-disallowed") {
     return `${reason}. Use allowed git read commands and read-only pipelines, or continue with ls/glob/grep/read for a best-effort review.`;
@@ -389,28 +411,19 @@ async function runSageWithFallback(
   }
 }
 
-function buildCallerContext(lastInputSource: InputSource | undefined, hasUI: boolean): CallerContext | null {
-  if (!lastInputSource) return null;
-
-  const roleHint = getRoleHint();
-  const isRpcSource = lastInputSource === "rpc";
-  const isSubagent = process.env.PI_SAGE_SUBAGENT === "1";
-  const interactive = hasUI && lastInputSource === "interactive";
-  const isInteractiveSupervisor = interactive && roleHint === "supervisor";
-
-  return {
-    session: {
-      interactive
-    },
-    agent: {
-      role: roleHint ?? "primary",
-      isSubagent,
-      isRpcOrchestrated: isRpcSource || Boolean(roleHint && roleHint !== "primary" && !isInteractiveSupervisor)
-    },
-    runtime: {
-      mode: process.env.CI ? "ci" : hasUI ? (isRpcSource ? "rpc" : "interactive") : "non-interactive"
-    }
-  };
+function buildCallerContext(
+  lastInteractiveOrRpcSource: InteractiveOrRpcSource | undefined,
+  unknownInputSourceSeen: boolean,
+  hasUI: boolean
+): CallerContext | null {
+  return buildCallerContextFromSignals({
+    lastInteractiveOrRpcSource,
+    unknownSourceSeen: unknownInputSourceSeen,
+    hasUI,
+    roleHint: getRoleHint(),
+    isCI: Boolean(process.env.CI),
+    isSubagent: process.env.PI_SAGE_SUBAGENT === "1"
+  });
 }
 
 function getRoleHint(): string | undefined {
@@ -440,6 +453,9 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
   let rootSelectionIndex = 0;
 
   while (true) {
+    const yoloActive = draft.toolPolicy.profile === "yolo";
+    const ignoredInYoloSuffix = yoloActive ? " (ignored in yolo)" : "";
+
     const rootOptions = [
       `Enabled: ${onOff(draft.enabled)}`,
       `Autonomous mode: ${onOff(draft.autonomousEnabled)}`,
@@ -453,12 +469,12 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       `Max question chars: ${draft.maxQuestionChars}`,
       `Max context chars: ${draft.maxContextChars}`,
       `Tool profile: ${draft.toolPolicy.profile}`,
-      `Custom tools: ${(draft.toolPolicy.customAllowedTools ?? []).join(",") || "(none)"}`,
-      `Max tool calls: ${draft.toolPolicy.maxToolCalls ?? 10}`,
-      `Max files read: ${draft.toolPolicy.maxFilesRead ?? 8}`,
-      `Max bytes/file: ${draft.toolPolicy.maxBytesPerFile ?? 200 * 1024}`,
-      `Max total bytes: ${draft.toolPolicy.maxTotalBytesRead ?? 1024 * 1024}`,
-      `Sensitive denylist: ${(draft.toolPolicy.sensitivePathDenylist ?? []).join(",")}`,
+      `Custom tools${ignoredInYoloSuffix}: ${(draft.toolPolicy.customAllowedTools ?? []).join(",") || "(none)"}`,
+      `Max tool calls${ignoredInYoloSuffix}: ${draft.toolPolicy.maxToolCalls ?? 10}`,
+      `Max files read${ignoredInYoloSuffix}: ${draft.toolPolicy.maxFilesRead ?? 8}`,
+      `Max bytes/file${ignoredInYoloSuffix}: ${draft.toolPolicy.maxBytesPerFile ?? 200 * 1024}`,
+      `Max total bytes${ignoredInYoloSuffix}: ${draft.toolPolicy.maxTotalBytesRead ?? 1024 * 1024}`,
+      `Sensitive denylist${ignoredInYoloSuffix}: ${(draft.toolPolicy.sensitivePathDenylist ?? []).join(",")}`,
       `Cost cap/session: ${draft.maxEstimatedCostPerSession ?? "(none)"}`,
       `Save scope: ${scope}`,
       "Test Sage call"
@@ -561,12 +577,29 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
     if (action.startsWith("Tool profile:")) {
       const selected = await selectScrollable(ctx, "Tool profile", [...TOOL_PROFILES]);
       if (selected && TOOL_PROFILES.includes(selected as ToolProfile)) {
+        if (selected === "yolo" && draft.toolPolicy.profile !== "yolo") {
+          const confirm = await selectScrollable(ctx, "Enable YOLO mode?", [
+            "No, keep current profile",
+            "Yes, enable yolo (unrestricted)"
+          ]);
+          if (confirm !== "Yes, enable yolo (unrestricted)") {
+            continue;
+          }
+        }
+
         draft = { ...draft, toolPolicy: { ...draft.toolPolicy, profile: selected as ToolProfile } };
         persistDraft();
+
+        if (selected === "yolo") {
+          ctx.ui.notify("YOLO mode enabled: tool/path/volume restrictions are bypassed for Sage.", "warning");
+        }
       }
       continue;
     }
-    if (action.startsWith("Custom tools:")) {
+    if (action.startsWith("Custom tools")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Custom tools are ignored while tool profile is yolo", "warning");
+      }
       const value = await ctx.ui.input("Comma-separated custom tools", "ls,glob,grep,read");
       if (value !== undefined) {
         const tools = value
@@ -578,7 +611,10 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       }
       continue;
     }
-    if (action.startsWith("Max tool calls:")) {
+    if (action.startsWith("Max tool calls")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Max tool calls is ignored while tool profile is yolo", "warning");
+      }
       const updated = await setToolPolicyNumberSetting(ctx, draft, "maxToolCalls", "Max tool calls", 1);
       if (updated !== draft) {
         draft = updated;
@@ -586,7 +622,10 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       }
       continue;
     }
-    if (action.startsWith("Max files read:")) {
+    if (action.startsWith("Max files read")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Max files read is ignored while tool profile is yolo", "warning");
+      }
       const updated = await setToolPolicyNumberSetting(ctx, draft, "maxFilesRead", "Max files read", 1);
       if (updated !== draft) {
         draft = updated;
@@ -594,7 +633,10 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       }
       continue;
     }
-    if (action.startsWith("Max bytes/file:")) {
+    if (action.startsWith("Max bytes/file")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Max bytes/file is ignored while tool profile is yolo", "warning");
+      }
       const updated = await setToolPolicyNumberSetting(ctx, draft, "maxBytesPerFile", "Max bytes per file", 1024);
       if (updated !== draft) {
         draft = updated;
@@ -602,7 +644,10 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       }
       continue;
     }
-    if (action.startsWith("Max total bytes:")) {
+    if (action.startsWith("Max total bytes")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Max total bytes is ignored while tool profile is yolo", "warning");
+      }
       const updated = await setToolPolicyNumberSetting(ctx, draft, "maxTotalBytesRead", "Max total bytes", 1024);
       if (updated !== draft) {
         draft = updated;
@@ -610,7 +655,10 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       }
       continue;
     }
-    if (action.startsWith("Sensitive denylist:")) {
+    if (action.startsWith("Sensitive denylist")) {
+      if (draft.toolPolicy.profile === "yolo") {
+        ctx.ui.notify("Sensitive denylist is ignored while tool profile is yolo", "warning");
+      }
       const value = await ctx.ui.input(
         "Comma-separated sensitive path denylist",
         (draft.toolPolicy.sensitivePathDenylist ?? []).join(",")

package/.pi/extensions/sage/runner.ts

@@ -78,10 +78,15 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
 
   const invocation = resolvePiInvocation();
   const prompt = buildSagePrompt(input);
-  const promptDir = await mkdtemp(join(tmpdir(), "pi-sage-"));
+  const promptDir = await mkdtemp(join(resolveSageTmpBase(), "pi-sage-"));
   const promptPath = join(promptDir, "prompt.txt");
   await writeFile(promptPath, prompt, "utf8");
-  const args = [...invocation.prefixArgs, ...buildPiArgs(input.model, input.reasoningLevel, policy.cliTools), `@${promptPath}`];
+  const isYoloProfile = policy.profile === "yolo";
+  const args = [
+    ...invocation.prefixArgs,
+    ...buildPiArgs(input.model, input.reasoningLevel, policy.cliTools, policy.allowAllCliTools),
+    `@${promptPath}`
+  ];
 
   const child = spawn(invocation.command, args, {
     cwd: input.cwd,
@@ -93,14 +98,8 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
     stdio: ["ignore", "pipe", "pipe"]
   });
 
-  const cleanupPromptFile = (): void => {
-    void rm(promptDir, { recursive: true, force: true });
-  };
-
-  child.once("close", cleanupPromptFile);
-  child.once("error", cleanupPromptFile);
-
-  let stdoutBuffer = "";
+  try {
+    let stdoutBuffer = "";
   let stderrBuffer = "";
   let assistantText = "";
   let stopReason = "unknown";
@@ -135,6 +134,11 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
       if (parsed.type === "tool_execution_start") {
         const toolName = parsed.toolName ?? "unknown";
 
+        if (toolName === "sage_consult") {
+          failPolicy("tool-disallowed", "Sage recursion is not allowed");
+          continue;
+        }
+
         if (!isToolAllowed(toolName, policy.allowedTools)) {
           failPolicy("tool-disallowed", `Tool not allowed by Sage policy: ${toolName}`);
           continue;
@@ -150,18 +154,20 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
         }
 
         toolUsage.callsUsed += 1;
-        if (toolUsage.callsUsed > policy.maxToolCalls) {
+        if (!isYoloProfile && toolUsage.callsUsed > policy.maxToolCalls) {
           failPolicy("volume-cap", "Exceeded max tool calls");
           continue;
         }
 
-        const candidatePaths = extractCandidatePaths(parsed.args);
-        for (const candidatePath of candidatePaths) {
-          const normalizedPath = isAbsolute(candidatePath) ? candidatePath : resolve(input.cwd, candidatePath);
-          const pathDecision = isPathAllowed(normalizedPath, [input.cwd], policy.sensitivePathDenylist);
-          if (!pathDecision.ok) {
-            failPolicy(pathDecision.blockCode ?? "path-denied", pathDecision.reason);
-            break;
+        if (!isYoloProfile) {
+          const candidatePaths = extractCandidatePaths(parsed.args);
+          for (const candidatePath of candidatePaths) {
+            const normalizedPath = isAbsolute(candidatePath) ? candidatePath : resolve(input.cwd, candidatePath);
+            const pathDecision = isPathAllowed(normalizedPath, [input.cwd], policy.sensitivePathDenylist);
+            if (!pathDecision.ok) {
+              failPolicy(pathDecision.blockCode ?? "path-denied", pathDecision.reason);
+              break;
+            }
           }
         }
       }
@@ -170,19 +176,19 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
         const chunkBytes = estimateContentBytes(parsed.result?.content);
         toolUsage.bytesRead += chunkBytes;
 
-        if (chunkBytes > policy.maxBytesPerFile) {
+        if (!isYoloProfile && chunkBytes > policy.maxBytesPerFile) {
           failPolicy("volume-cap", "Exceeded max bytes per file");
           continue;
         }
 
-        if (toolUsage.bytesRead > policy.maxTotalBytesRead) {
+        if (!isYoloProfile && toolUsage.bytesRead > policy.maxTotalBytesRead) {
           failPolicy("volume-cap", "Exceeded max total bytes read");
           continue;
         }
 
         if (parsed.toolName === "read") {
           toolUsage.filesRead += 1;
-          if (toolUsage.filesRead > policy.maxFilesRead) {
+          if (!isYoloProfile && toolUsage.filesRead > policy.maxFilesRead) {
             failPolicy("volume-cap", "Exceeded max files read");
             continue;
           }
@@ -203,39 +209,74 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
     stderrBuffer += chunk;
   });
 
-  let timedOut = false;
-  let escalationTimer: NodeJS.Timeout | undefined;
+  let timeoutSignal: (() => void) | undefined;
+
+  const timeoutTriggered = new Promise<{ kind: "timed-out" }>((resolve) => {
+    timeoutSignal = () => resolve({ kind: "timed-out" });
+  });
 
   const timeout = setTimeout(() => {
-    timedOut = true;
     try {
-      child.kill("SIGTERM");
+      child.kill();
     } catch {
       // Ignore kill errors
     }
 
-    escalationTimer = setTimeout(() => {
-      try {
-        child.kill("SIGKILL");
-      } catch {
-        // Ignore kill errors
-      }
-    }, 2000);
+    timeoutSignal?.();
   }, input.timeoutMs);
 
   if (input.signal) {
-    const onAbort = () => child.kill("SIGTERM");
+    const onAbort = () => child.kill();
     input.signal.addEventListener("abort", onAbort, { once: true });
     child.once("close", () => input.signal?.removeEventListener("abort", onAbort));
   }
 
-  const exit = await new Promise<{ code: number | null; signal: NodeJS.Signals | null }>((resolve, reject) => {
+  const closePromise = new Promise<{ code: number | null; signal: NodeJS.Signals | null }>((resolve, reject) => {
     child.once("error", (error) => reject(error));
     child.once("close", (code, signal) => resolve({ code, signal }));
   });
 
+  const closeOutcome = closePromise
+    .then((exit) => ({ kind: "exit" as const, exit }))
+    .catch((error) => ({ kind: "error" as const, error }));
+
+  const raced = await Promise.race([closeOutcome, timeoutTriggered]);
+
   clearTimeout(timeout);
-  if (escalationTimer) clearTimeout(escalationTimer);
+
+  if (raced.kind === "timed-out") {
+    const softClosed = await waitForCloseOutcome(closeOutcome, 400);
+    if (!softClosed) {
+      await forceKillProcessTree(child.pid);
+    }
+
+    const hardClosed = await waitForCloseOutcome(closeOutcome, 1500);
+    if (!hardClosed) {
+      try {
+        child.stdout.destroy();
+      } catch {
+        // Ignore stream destroy errors
+      }
+      try {
+        child.stderr.destroy();
+      } catch {
+        // Ignore stream destroy errors
+      }
+      try {
+        child.unref();
+      } catch {
+        // Ignore unref errors
+      }
+    }
+
+    throw new Error("Sage subprocess timed out");
+  }
+
+  if (raced.kind === "error") {
+    throw raced.error;
+  }
+
+  const exit = raced.exit;
 
   if (policyViolation) {
     throw policyViolation;
@@ -254,7 +295,7 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
 
   const latencyMs = Date.now() - startedAt;
 
-  if (timedOut || (exit.signal === "SIGTERM" && latencyMs >= input.timeoutMs)) {
+  if (exit.signal === "SIGTERM" && latencyMs >= input.timeoutMs) {
     throw new Error("Sage subprocess timed out");
   }
 
@@ -266,13 +307,72 @@ export async function runSageSingleShot(input: SageRunnerInput): Promise<SageRun
     throw new Error(`Sage subprocess returned no assistant text (code ${String(exit.code)}): ${stderrBuffer.trim() || "no stderr"}`);
   }
 
-  return {
-    text: assistantText,
-    latencyMs,
-    stopReason,
-    usage,
-    toolUsage
-  };
+    return {
+      text: assistantText,
+      latencyMs,
+      stopReason,
+      usage,
+      toolUsage
+    };
+  } finally {
+    await rm(promptDir, { recursive: true, force: true });
+  }
+}
+
+async function forceKillProcessTree(pid: number | undefined): Promise<void> {
+  if (typeof pid !== "number" || Number.isFinite(pid) === false) return;
+
+  if (process.platform === "win32") {
+    await new Promise<void>((resolve) => {
+      let settled = false;
+      let timer: NodeJS.Timeout | undefined;
+
+      const done = () => {
+        if (settled) return;
+        settled = true;
+        if (timer) clearTimeout(timer);
+        resolve();
+      };
+
+      try {
+        const killer = spawn("taskkill", ["/pid", String(pid), "/T", "/F"], {
+          stdio: "ignore",
+          windowsHide: true
+        });
+
+        killer.once("close", done);
+        killer.once("error", done);
+        timer = setTimeout(done, 1000);
+      } catch {
+        done();
+      }
+    });
+    return;
+  }
+
+  try {
+    process.kill(pid, "SIGKILL");
+  } catch {
+    // Ignore process kill errors
+  }
+}
+
+async function waitForCloseOutcome(
+  closeOutcome: Promise<{ kind: "exit"; exit: { code: number | null; signal: NodeJS.Signals | null } } | { kind: "error"; error: unknown }>,
+  timeoutMs: number
+): Promise<boolean> {
+  const result = await Promise.race<boolean>([
+    closeOutcome.then(() => true),
+    new Promise<boolean>((resolve) => setTimeout(() => resolve(false), timeoutMs))
+  ]);
+
+  return result;
+}
+
+function resolveSageTmpBase(): string {
+  const envBase = process.env.PI_SAGE_TMP_DIR?.trim();
+  if (envBase) return envBase;
+  return tmpdir();
 }
 
 function resolvePiInvocation(): { command: string; prefixArgs: string[]; shell: boolean } {
@@ -313,7 +413,12 @@ function tokenizeCommand(command: string): string[] {
   return tokens;
 }
 
-function buildPiArgs(model: string, reasoningLevel: ReasoningLevel, cliTools: string[]): string[] {
+function buildPiArgs(
+  model: string,
+  reasoningLevel: ReasoningLevel,
+  cliTools: string[],
+  allowAllCliTools = false
+): string[] {
   const args = [
     "--mode",
     "json",
@@ -329,6 +434,10 @@ function buildPiArgs(model: string, reasoningLevel: ReasoningLevel, cliTools: st
     reasoningLevel
   ];
 
+  if (allowAllCliTools) {
+    return args;
+  }
+
   if (cliTools.length === 0) {
     args.push("--no-tools");
   } else {
@@ -346,18 +455,27 @@ function buildSagePrompt(input: SageRunnerInput): string {
 
   lines.push("");
   lines.push("Operational constraints:");
-  lines.push("- Do not run node/npm/cd/tests.");
 
-  if (input.toolPolicy.profile === "git-review-readonly") {
+  if (input.toolPolicy.profile === "yolo") {
+    lines.push("- Tool profile is yolo: unrestricted tools/commands are available for this consultation.");
+    lines.push("- Node/npm/cd/test commands are permitted in yolo when needed.");
+    lines.push("- Prefer non-destructive actions and prioritize completing a useful review.");
+  } else {
+    lines.push("- Do not run node/npm/cd/tests.");
+
+    if (input.toolPolicy.profile === "git-review-readonly") {
+      lines.push(
+        "- If using bash, only use allowed git read commands (status|diff|show|log|blame|rev-parse|branch --show-current) and allowed read-only pipes (head/tail/grep/cut/sed/wc/sort/uniq)."
+      );
+    } else if (input.toolPolicy.profile === "read-only-lite") {
+      lines.push("- Bash is unavailable in this profile. Use ls/glob/grep/read only.");
+    }
+
     lines.push(
-      "- If using bash, only use allowed git read commands (status|diff|show|log|blame|rev-parse|branch --show-current) and allowed read-only pipes (head/tail/grep/cut/sed/wc/sort/uniq)."
+      "- If a command is blocked or unavailable, continue with ls/glob/grep/read and still deliver best-effort findings."
     );
-  } else if (input.toolPolicy.profile === "read-only-lite") {
-    lines.push("- Bash is unavailable in this profile. Use ls/glob/grep/read only.");
   }
 
-  lines.push("- If a command is blocked or unavailable, continue with ls/glob/grep/read and still deliver best-effort findings.");
-
   lines.push("");
   lines.push(`Question: ${input.question}`);
 
@@ -478,6 +596,7 @@ function extractBashCommand(args: unknown): string | undefined {
 
 function isToolAllowed(toolName: string, allowedTools: string[]): boolean {
   const allowed = new Set(allowedTools);
+  if (allowed.has("*")) return true;
   if (allowed.has(toolName)) return true;
 
   if (toolName === "find" && allowed.has("glob")) {

package/.pi/extensions/sage/settings.ts

@@ -132,7 +132,8 @@ function parseSettingsRaw(content: string): Partial<SageSettings> | undefined {
       toolPolicyRaw.profile === "none" ||
       toolPolicyRaw.profile === "read-only-lite" ||
       toolPolicyRaw.profile === "custom-read-only" ||
-      toolPolicyRaw.profile === "git-review-readonly"
+      toolPolicyRaw.profile === "git-review-readonly" ||
+      toolPolicyRaw.profile === "yolo"
         ? toolPolicyRaw.profile
         : undefined;
 

package/.pi/extensions/sage/tool-policy.ts

@@ -3,6 +3,7 @@ import type { ToolPolicySettings } from "./settings.js";
 
 export const READ_ONLY_LITE_TOOLS = ["ls", "glob", "grep", "read"] as const;
 export const GIT_REVIEW_READONLY_TOOLS = ["ls", "glob", "grep", "read", "bash"] as const;
+export const YOLO_TOOLS = ["*"] as const;
 
 const CLI_TOOL_NAME_MAP: Record<string, string> = {
   glob: "find"
@@ -21,6 +22,7 @@ export interface ResolvedToolPolicy {
   profile: ToolPolicySettings["profile"];
   allowedTools: string[];
   cliTools: string[];
+  allowAllCliTools: boolean;
   maxToolCalls: number;
   maxFilesRead: number;
   maxBytesPerFile: number;
@@ -41,6 +43,7 @@ export function resolveToolPolicy(settings: ToolPolicySettings): ResolvedToolPol
       profile: "none",
       allowedTools: [],
       cliTools: [],
+      allowAllCliTools: false,
       maxToolCalls: settings.maxToolCalls ?? 10,
       maxFilesRead: settings.maxFilesRead ?? 8,
       maxBytesPerFile: settings.maxBytesPerFile ?? 200 * 1024,
@@ -55,6 +58,7 @@ export function resolveToolPolicy(settings: ToolPolicySettings): ResolvedToolPol
       profile: "read-only-lite",
       allowedTools,
       cliTools: toCliTools(allowedTools),
+      allowAllCliTools: false,
       maxToolCalls: settings.maxToolCalls ?? 10,
       maxFilesRead: settings.maxFilesRead ?? 8,
       maxBytesPerFile: settings.maxBytesPerFile ?? 200 * 1024,
@@ -69,6 +73,7 @@ export function resolveToolPolicy(settings: ToolPolicySettings): ResolvedToolPol
       profile: "git-review-readonly",
       allowedTools,
       cliTools: toCliTools(allowedTools),
+      allowAllCliTools: false,
       maxToolCalls: settings.maxToolCalls ?? 20,
       maxFilesRead: settings.maxFilesRead ?? 20,
       maxBytesPerFile: settings.maxBytesPerFile ?? 300 * 1024,
@@ -77,6 +82,20 @@ export function resolveToolPolicy(settings: ToolPolicySettings): ResolvedToolPol
     };
   }
 
+  if (requestedProfile === "yolo") {
+    return {
+      profile: "yolo",
+      allowedTools: [...YOLO_TOOLS],
+      cliTools: [],
+      allowAllCliTools: true,
+      maxToolCalls: Number.MAX_SAFE_INTEGER,
+      maxFilesRead: Number.MAX_SAFE_INTEGER,
+      maxBytesPerFile: Number.MAX_SAFE_INTEGER,
+      maxTotalBytesRead: Number.MAX_SAFE_INTEGER,
+      sensitivePathDenylist: []
+    };
+  }
+
   const requested = settings.customAllowedTools ?? [];
   const filtered = requested
     .map((tool) => tool.trim())
@@ -90,6 +109,7 @@ export function resolveToolPolicy(settings: ToolPolicySettings): ResolvedToolPol
     profile: "custom-read-only",
     allowedTools: deduped,
     cliTools: toCliTools(deduped),
+    allowAllCliTools: false,
     maxToolCalls: settings.maxToolCalls ?? 10,
     maxFilesRead: settings.maxFilesRead ?? 8,
     maxBytesPerFile: settings.maxBytesPerFile ?? 200 * 1024,
@@ -144,8 +164,16 @@ export function validateBashCommandForProfile(
   profile: ToolProfile,
   command: string
 ): { ok: boolean; blockCode?: BlockCode; reason: string } {
+  if (profile === "yolo") {
+    return { ok: true, reason: "allowed (yolo)" };
+  }
+
   if (profile !== "git-review-readonly") {
-    return { ok: false, blockCode: "tool-disallowed", reason: "bash is only allowed in git-review-readonly profile" };
+    return {
+      ok: false,
+      blockCode: "tool-disallowed",
+      reason: "bash is only allowed in git-review-readonly or yolo profiles"
+    };
   }
 
   const trimmed = command.trim();

package/.pi/extensions/sage/types.ts

@@ -39,7 +39,7 @@ export interface CallerDecision {
   blockCode?: BlockCode;
 }
 
-export type ToolProfile = "none" | "read-only-lite" | "custom-read-only" | "git-review-readonly";
+export type ToolProfile = "none" | "read-only-lite" | "custom-read-only" | "git-review-readonly" | "yolo";
 
 export interface ToolPolicyCaps {
   maxToolCalls: number;

package/README.md

@@ -48,6 +48,7 @@ Then in Pi run:
 - `git-review-readonly` (default): adds restricted `bash` for allowlisted **read-only git** commands
 - `none`
 - `custom-read-only`
+- `yolo`: unrestricted available tools/commands (including node/npm/cd/tests). High risk, explicit opt-in only.
 
 ## Settings files (global + project override)
 

package/docs/SAGE_SPEC.md

@@ -28,7 +28,7 @@ This spec targets a **final architecture** (not MVP): Sage is implemented as a *
 1. Multi-Sage swarms or planner/reviewer pipelines.
 2. Full UI dashboard beyond command-based configuration and standard tool rendering.
 3. Automatic persistent learning from previous Sage calls.
-4. Having Sage directly modify files, run shell commands, or perform orchestration actions.
+4. Having Sage directly modify files or perform orchestration actions. Shell/tool usage is profile-controlled (default restricted; optional `yolo` can relax constraints).
 
 ---
 
@@ -73,7 +73,7 @@ This spec targets a **final architecture** (not MVP): Sage is implemented as a *
    - Provides dedicated Sage system prompt.
    - Enforces **single-shot execution** per call (one request → one response).
    - Enforces advisory tool policy (default `git-review-readonly`: `ls,glob,grep,read,bash` with strict allowlisted read-only git commands).
-   - Supports stricter `none` mode, optional `git-review-readonly` mode, and constrained custom read-only lists.
+   - Supports stricter `none` mode, optional `git-review-readonly` mode, constrained custom read-only lists, and explicit opt-in `yolo` mode.
    - Explicitly disables `sage_consult` inside Sage subprocess context to prevent subagent recursion.
 
 3. **Sage Settings Store**
@@ -133,7 +133,7 @@ Tool `details` returns structured metadata:
     costTotal?: number;
   };
   toolUsage?: {
-    profile: "none"|"read-only-lite"|"git-review-readonly"|"custom-read-only";
+    profile: "none"|"read-only-lite"|"git-review-readonly"|"custom-read-only"|"yolo";
     callsUsed: number;
     filesRead: number;
     bytesRead: number;
@@ -297,6 +297,7 @@ Interactive command to configure Sage runtime behavior.
    - read-only-lite (`ls,glob,grep,read`)
    - git-review-readonly (`ls,glob,grep,read,bash`) with strict allowlisted git read commands only **default**
    - custom read-only list (must exclude mutating/execution tools)
+   - yolo (unrestricted available tools/commands; explicit opt-in, high risk)
 10. **Per-call max tool calls** (default: 250)
 11. **Per-call max files read** (default: 100)
 12. **Per-file max bytes** (default: 200KB)
@@ -323,13 +324,14 @@ Interactive command to configure Sage runtime behavior.
 1. Default Sage tool profile is `git-review-readonly`: `ls,glob,grep,read,bash` with strict read-only git command allowlist.
 2. Allow `none` profile for stricter environments.
 3. Custom profile must be read-only; mutating/execution tools are disallowed.
-4. Explicitly disallow: `edit`, `write`, git-mutating tools, orchestration-control tools, and network/http tools.
+4. Explicitly disallow: `edit`, `write`, git-mutating tools, orchestration-control tools, and network/http tools in non-`yolo` profiles.
 5. Exception: `git-review-readonly` profile may allow `bash` only for allowlisted read-only git commands (e.g., status/diff/show/log/blame/rev-parse/branch --show-current).
+6. Optional `yolo` profile is explicit opt-in and lifts tool/bash/path/volume guardrails for maximum flexibility (including node/npm/cd/test command usage).
 
 ### 11.2 Data-access and volume guardrails
-1. Restrict reads to workspace/project roots.
-2. Denylist sensitive paths by default (e.g., `.env*`, `*.pem`, `*.key`, `id_rsa*`, credential stores).
-3. Enforce caps per Sage call:
+1. Restrict reads to workspace/project roots (except `yolo`).
+2. Denylist sensitive paths by default (e.g., `.env*`, `*.pem`, `*.key`, `id_rsa*`, credential stores) except `yolo`.
+3. Enforce caps per Sage call (except `yolo`):
    - max tool calls: `250`
    - max files read: `100`
    - max bytes per file: `200KB`
@@ -343,7 +345,7 @@ Interactive command to configure Sage runtime behavior.
 Each Sage call should expose:
 - mode (autonomous vs user-requested),
 - model + reasoning level,
-- tool profile used (`none`, `read-only-lite`, `git-review-readonly`, or `custom-read-only`),
+- tool profile used (`none`, `read-only-lite`, `git-review-readonly`, `custom-read-only`, or `yolo`),
 - elapsed time,
 - token usage + cost (if available),
 - refusal/error reason when blocked.
@@ -380,9 +382,9 @@ On tool-policy/data-policy block:
 5. Explicit user-requested Sage consultation can bypass soft limits, but still respects hard safety limits and caller-scope restrictions.
 6. No `/sage` command exists.
 7. `/sage-settings` supports model configuration interactively (including `inherit`) and persists selected value.
-8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash` with strict allowlisted read-only git commands), with `none`, `read-only-lite`, and constrained custom read-only options available.
-9. Sage tool profile blocks mutating/execution/network/orchestration tools (including `edit`, `write`, and `sage_consult`), except allowlisted git-read bash commands in `git-review-readonly`.
-10. Sage enforces per-call guardrails (max tool calls/files/bytes and capped `grep`/`glob` output).
+8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash` with strict allowlisted read-only git commands), with `none`, `read-only-lite`, constrained custom read-only, and opt-in `yolo` options available.
+9. Non-`yolo` Sage tool profiles block mutating/execution/network/orchestration tools (including `edit`, `write`, and `sage_consult`), except allowlisted git-read bash commands in `git-review-readonly`.
+10. Non-`yolo` Sage calls enforce per-call guardrails (max tool calls/files/bytes and capped `grep`/`glob` output).
 11. Sage calls obey hard safety limits (caller context, model/auth availability, timeout, optional absolute cost cap).
 12. Sage subprocess cannot invoke `sage_consult` (no recursion).
 13. Sage consultations are single-shot per call.
@@ -399,7 +401,7 @@ On tool-policy/data-policy block:
 5. Start with model interpretation for explicit-request detection; add phrase-detection hook only if testing reveals reliability issues.
 6. Sage subagents cannot invoke other Sage subagents (no recursion).
 7. Sage is advisory-only and should not perform implementation actions.
-8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash`) with strict guardrails; `bash` is restricted to allowlisted read-only git commands.
+8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash`) with strict guardrails; `bash` is restricted to allowlisted read-only git commands. `yolo` is explicit opt-in and intentionally relaxes these safeguards.
 
 ---
 
@@ -408,7 +410,7 @@ On tool-policy/data-policy block:
 1. Build settings store + `/sage-settings` command.
 2. Implement `sage_consult` subprocess runner + structured result metadata.
 3. Add hard caller-context gate (interactive top-level primary only; block CI/RPC-orchestrated roles).
-4. Implement advisory tool policy (`read-only-lite`, `none`, `git-review-readonly`, constrained custom) and hard denylist for mutating/execution tools.
+4. Implement advisory tool policy (`read-only-lite`, `none`, `git-review-readonly`, constrained custom) and optional opt-in `yolo` mode for unrestricted tooling.
 5. Add data-volume guardrails (tool-call/file/byte caps + `grep`/`glob` result caps + sensitive-path denylist).
 6. Add system-prompt guidance injection for autonomous invocation.
 7. Add budget gates and policy telemetry.
@@ -420,7 +422,7 @@ On tool-policy/data-policy block:
 ## 17) Concrete Implementation Checklist (`.pi/extensions/sage/index.ts`)
 
 ### 17.1 Types and constants
-- [ ] Add `ToolProfile = "none" | "read-only-lite" | "git-review-readonly" | "custom-read-only"`.
+- [ ] Add `ToolProfile = "none" | "read-only-lite" | "git-review-readonly" | "custom-read-only" | "yolo"`.
 - [ ] Add `BlockCode = "ineligible-caller" | "non-interactive" | "ci-mode" | "rpc-role" | "subagent" | "unknown-context" | "tool-disallowed" | "path-denied" | "volume-cap"`.
 - [ ] Add `CallerContext` type:
   - `session.interactive: boolean`
@@ -466,7 +468,7 @@ On tool-policy/data-policy block:
 - [ ] Ensure custom profile cannot include tools outside read-only allowlist.
 
 ### 17.5 `/sage-settings` command wiring
-- [ ] Add profile picker: `none`, `read-only-lite`, `git-review-readonly`, `custom-read-only`.
+- [ ] Add profile picker: `none`, `read-only-lite`, `git-review-readonly`, `custom-read-only`, `yolo`.
 - [ ] For `custom-read-only`, show multi-select constrained to read-only tools.
 - [ ] Add numeric inputs for guardrails (tool calls/files/bytes).
 - [ ] Add editable sensitive-path denylist (with safe defaults preloaded).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-sage",
-  "version": "0.2.14",
+  "version": "0.2.16",
   "private": false,
   "type": "module",
   "description": "Interactive-only advisory Sage extension for Pi",