npm - xtrm-tools - Versions diffs - 2.1.10 → 2.1.11 - Mend

xtrm-tools 2.1.10 → 2.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/cli/dist/index.cjs +551 -473
package/cli/dist/index.cjs.map +1 -1
package/cli/package.json +1 -1
package/config/pi/auth.json.template +14 -0
package/config/pi/extensions/auto-session-name.ts +29 -0
package/config/pi/extensions/auto-update.ts +71 -0
package/config/pi/extensions/bg-process.ts +230 -0
package/config/pi/extensions/compact-header.ts +69 -0
package/config/pi/extensions/custom-footer.ts +95 -0
package/config/pi/extensions/custom-provider-qwen-cli/index.ts +363 -0
package/config/pi/extensions/custom-provider-qwen-cli/package.json +1 -0
package/config/pi/extensions/git-checkpoint.ts +53 -0
package/config/pi/extensions/git-guard.ts +45 -0
package/config/pi/extensions/safe-guard.ts +46 -0
package/config/pi/extensions/todo.ts +299 -0
package/config/pi/install-schema.json +41 -0
package/config/pi/models.json.template +76 -0
package/config/pi/settings.json.template +15 -0
package/package.json +1 -1

package/config/pi/extensions/custom-provider-qwen-cli/index.ts ADDED Viewed

@@ -0,0 +1,363 @@
+/**
+ * Qwen CLI Provider Extension
+ *
+ * Provides access to Qwen models via OAuth authentication with chat.qwen.ai.
+ * Uses device code flow with PKCE for secure browser-based authentication.
+ *
+ * Usage:
+ * pi -e ./packages/coding-agent/examples/extensions/custom-provider-qwen-cli
+ * # Then /login qwen-cli, or set QWEN_CLI_API_KEY=...
+ */
+import type { OAuthCredentials, OAuthLoginCallbacks } from "@mariozechner/pi-ai";
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+// =============================================================================
+// Constants
+// =============================================================================
+const QWEN_DEVICE_CODE_ENDPOINT = "https://chat.qwen.ai/api/v1/oauth2/device/code";
+const QWEN_TOKEN_ENDPOINT = "https://chat.qwen.ai/api/v1/oauth2/token";
+const QWEN_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
+const QWEN_SCOPE = "openid profile email model.completion";
+const QWEN_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+const QWEN_DEFAULT_BASE_URL = "https://dashscope.aliyuncs.com/compatible-mode/v1";
+const QWEN_POLL_INTERVAL_MS = 2000;
+// =============================================================================
+// PKCE Helpers
+// =============================================================================
+async function generatePKCE(): Promise<{ verifier: string; challenge: string }> {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  const verifier = btoa(String.fromCharCode(...array))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  const challenge = btoa(String.fromCharCode(...new Uint8Array(hash)))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+  return { verifier, challenge };
+}
+// =============================================================================
+// OAuth Implementation
+// =============================================================================
+interface DeviceCodeResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete?: string;
+  expires_in: number;
+  interval?: number;
+}
+interface TokenResponse {
+  access_token: string;
+  refresh_token?: string;
+  token_type: string;
+  expires_in: number;
+  resource_url?: string;
+}
+function abortableSleep(ms: number, signal?: AbortSignal): Promise<void> {
+  return new Promise((resolve, reject) => {
+    if (signal?.aborted) {
+      reject(new Error("Login cancelled"));
+      return;
+    }
+    const timeout = setTimeout(resolve, ms);
+    signal?.addEventListener(
+      "abort",
+      () => {
+        clearTimeout(timeout);
+        reject(new Error("Login cancelled"));
+      },
+      { once: true },
+    );
+  });
+}
+async function startDeviceFlow(): Promise<{ deviceCode: DeviceCodeResponse; verifier: string }> {
+  const { verifier, challenge } = await generatePKCE();
+  const body = new URLSearchParams({
+    client_id: QWEN_CLIENT_ID,
+    scope: QWEN_SCOPE,
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+  });
+  const headers: Record<string, string> = {
+    "Content-Type": "application/x-www-form-urlencoded",
+    Accept: "application/json",
+  };
+  const requestId = globalThis.crypto?.randomUUID?.();
+  if (requestId) headers["x-request-id"] = requestId;
+  const response = await fetch(QWEN_DEVICE_CODE_ENDPOINT, {
+    method: "POST",
+    headers,
+    body: body.toString(),
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`Device code request failed: ${response.status} ${text}`);
+  }
+  const data = (await response.json()) as DeviceCodeResponse;
+  if (!data.device_code || !data.user_code || !data.verification_uri) {
+    throw new Error("Invalid device code response: missing required fields");
+  }
+  return { deviceCode: data, verifier };
+}
+async function pollForToken(
+  deviceCode: string,
+  verifier: string,
+  intervalSeconds: number | undefined,
+  expiresIn: number,
+  signal?: AbortSignal,
+): Promise<TokenResponse> {
+  const deadline = Date.now() + expiresIn * 1000;
+  const resolvedIntervalSeconds =
+    typeof intervalSeconds === "number" &&
+    Number.isFinite(intervalSeconds) &&
+    intervalSeconds > 0
+      ? intervalSeconds
+      : QWEN_POLL_INTERVAL_MS / 1000;
+  let intervalMs = Math.max(1000, Math.floor(resolvedIntervalSeconds * 1000));
+  const handleTokenError = async (
+    error: string,
+    description?: string,
+  ): Promise<boolean> => {
+    switch (error) {
+      case "authorization_pending":
+        await abortableSleep(intervalMs, signal);
+        return true;
+      case "slow_down":
+        intervalMs = Math.min(intervalMs + 5000, 10000);
+        await abortableSleep(intervalMs, signal);
+        return true;
+      case "expired_token":
+        throw new Error("Device code expired. Please restart authentication.");
+      case "access_denied":
+        throw new Error("Authorization denied by user.");
+      default:
+        throw new Error(`Token request failed: ${error} - ${description || ""}`);
+    }
+  };
+  while (Date.now() < deadline) {
+    if (signal?.aborted) {
+      throw new Error("Login cancelled");
+    }
+    const body = new URLSearchParams({
+      grant_type: QWEN_GRANT_TYPE,
+      client_id: QWEN_CLIENT_ID,
+      device_code: deviceCode,
+      code_verifier: verifier,
+    });
+    const response = await fetch(QWEN_TOKEN_ENDPOINT, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: body.toString(),
+    });
+    const responseText = await response.text();
+    let data:
+      | (TokenResponse & { error?: string; error_description?: string })
+      | null = null;
+    if (responseText) {
+      try {
+        data = JSON.parse(responseText) as TokenResponse & {
+          error?: string;
+          error_description?: string;
+        };
+      } catch {
+        data = null;
+      }
+    }
+    const error = data?.error;
+    const errorDescription = data?.error_description;
+    if (!response.ok) {
+      if (error && (await handleTokenError(error, errorDescription))) {
+        continue;
+      }
+      throw new Error(
+        `Token request failed: ${response.status} ${response.statusText}. Response: ${responseText}`,
+      );
+    }
+    if (data?.access_token) {
+      return data;
+    }
+    if (error && (await handleTokenError(error, errorDescription))) {
+      continue;
+    }
+    throw new Error("Token request failed: missing access token in response");
+  }
+  throw new Error("Authentication timed out. Please try again.");
+}
+async function loginQwen(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials> {
+  const { deviceCode, verifier } = await startDeviceFlow();
+  // Show verification URL and user code to user
+  const authUrl =
+    deviceCode.verification_uri_complete || deviceCode.verification_uri;
+  const instructions = deviceCode.verification_uri_complete
+    ? undefined // Code is already embedded in the URL
+    : `Enter code: ${deviceCode.user_code}`;
+  callbacks.onAuth({ url: authUrl, instructions });
+  // Poll for token
+  const tokenResponse = await pollForToken(
+    deviceCode.device_code,
+    verifier,
+    deviceCode.interval,
+    deviceCode.expires_in,
+    callbacks.signal,
+  );
+  // Calculate expiry with 5-minute buffer
+  const expiresAt = Date.now() + tokenResponse.expires_in * 1000 - 5 * 60 * 1000;
+  return {
+    refresh: tokenResponse.refresh_token || "",
+    access: tokenResponse.access_token,
+    expires: expiresAt,
+    // Store resource_url for API base URL if provided
+    enterpriseUrl: tokenResponse.resource_url,
+  };
+}
+async function refreshQwenToken(credentials: OAuthCredentials): Promise<OAuthCredentials> {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: credentials.refresh,
+    client_id: QWEN_CLIENT_ID,
+  });
+  const response = await fetch(QWEN_TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json",
+    },
+    body: body.toString(),
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`Token refresh failed: ${response.status} ${text}`);
+  }
+  const data = (await response.json()) as TokenResponse;
+  if (!data.access_token) {
+    throw new Error("Token refresh failed: no access token in response");
+  }
+  const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000;
+  return {
+    refresh: data.refresh_token || credentials.refresh,
+    access: data.access_token,
+    expires: expiresAt,
+    enterpriseUrl: data.resource_url ?? credentials.enterpriseUrl,
+  };
+}
+function getQwenBaseUrl(resourceUrl?: string): string {
+  if (!resourceUrl) {
+    return QWEN_DEFAULT_BASE_URL;
+  }
+  let url = resourceUrl.startsWith("http") ? resourceUrl : `https://${resourceUrl}`;
+  if (!url.endsWith("/v1")) {
+    url = `${url}/v1`;
+  }
+  return url;
+}
+// =============================================================================
+// Extension Entry Point
+// =============================================================================
+export default function (pi: ExtensionAPI) {
+  pi.registerProvider("qwen-cli", {
+    baseUrl: QWEN_DEFAULT_BASE_URL,
+    apiKey: "QWEN_CLI_API_KEY",
+    api: "openai-completions",
+    models: [
+      {
+        id: "qwen3-coder-plus",
+        name: "Qwen3 Coder Plus",
+        reasoning: false,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 1000000,
+        maxTokens: 65536,
+      },
+      {
+        id: "qwen3-coder-flash",
+        name: "Qwen3 Coder Flash",
+        reasoning: false,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 1000000,
+        maxTokens: 65536,
+      },
+      {
+        id: "vision-model",
+        name: "Qwen3 VL Plus",
+        reasoning: true,
+        input: ["text", "image"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 262144,
+        maxTokens: 32768,
+        compat: {
+          supportsDeveloperRole: false,
+          thinkingFormat: "qwen",
+        },
+      },
+    ],
+    oauth: {
+      name: "Qwen CLI",
+      login: loginQwen,
+      refreshToken: refreshQwenToken,
+      getApiKey: (cred) => cred.access,
+      modifyModels: (models, cred) => {
+        const baseUrl = getQwenBaseUrl(cred.enterpriseUrl as string | undefined);
+        return models.map((m) =>
+          m.provider === "qwen-cli" ? { ...m, baseUrl } : m,
+        );
+      },
+    },
+  });
+}

package/config/pi/extensions/custom-provider-qwen-cli/package.json ADDED Viewed

	@@ -0,0 +1 @@
1	+ { "name": "pi-extension-custom-provider-qwen-cli", "private": true, "version": "1.7.1", "type": "module", "scripts": { "clean": "echo 'nothing to clean'", "build": "echo 'nothing to build'", "check": "echo 'nothing to check'" }, "pi": { "extensions": [ "./index.ts" ] } }

package/config/pi/extensions/git-checkpoint.ts ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Git Checkpoint Extension
+ *
+ * Creates git stash checkpoints at each turn so /fork can restore code state.
+ * When forking, offers to restore code to that point in history.
+ */
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+export default function (pi: ExtensionAPI) {
+	const checkpoints = new Map<string, string>();
+	let currentEntryId: string | undefined;
+	// Track the current entry ID when user messages are saved
+	pi.on("tool_result", async (_event, ctx) => {
+		const leaf = ctx.sessionManager.getLeafEntry();
+		if (leaf) currentEntryId = leaf.id;
+	});
+	pi.on("turn_start", async () => {
+		// Create a git stash entry before LLM makes changes
+		const { stdout } = await pi.exec("git", ["stash", "create"]);
+		const ref = stdout.trim();
+		if (ref && currentEntryId) {
+			checkpoints.set(currentEntryId, ref);
+		}
+	});
+	pi.on("session_before_fork", async (event, ctx) => {
+		const ref = checkpoints.get(event.entryId);
+		if (!ref) return;
+		if (!ctx.hasUI) {
+			// In non-interactive mode, don't restore automatically
+			return;
+		}
+		const choice = await ctx.ui.select("Restore code state?", [
+			"Yes, restore code to that point",
+			"No, keep current code",
+		]);
+		if (choice?.startsWith("Yes")) {
+			await pi.exec("git", ["stash", "apply", ref]);
+			ctx.ui.notify("Code restored to checkpoint", "info");
+		}
+	});
+	pi.on("agent_end", async () => {
+		// Clear checkpoints after agent completes
+		checkpoints.clear();
+	});
+}

package/config/pi/extensions/git-guard.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * oh-pi Git Checkpoint Extension
+ *
+ * Auto-stash before each turn, notify on agent completion.
+ * Combines git-checkpoint + notify + dirty-repo-guard.
+ */
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+function terminalNotify(title: string, body: string): void {
+  if (process.env.KITTY_WINDOW_ID) {
+    process.stdout.write(`\x1b]99;i=1:d=0;${title}\x1b\\`);
+    process.stdout.write(`\x1b]99;i=1:p=body;${body}\x1b\\`);
+  } else {
+    process.stdout.write(`\x1b]777;notify;${title};${body}\x07`);
+  }
+}
+export default function (pi: ExtensionAPI) {
+  let turnCount = 0;
+  // Warn on dirty repo at session start
+  pi.on("session_start", async (_event, ctx) => {
+    try {
+      const { stdout } = await pi.exec("git", ["status", "--porcelain"]);
+      if (stdout.trim() && ctx.hasUI) {
+        const lines = stdout.trim().split("\n").length;
+        ctx.ui.notify(`⚠️ Dirty repo: ${lines} uncommitted change(s)`, "warning");
+      }
+    } catch { /* not a git repo, ignore */ }
+  });
+  // Stash checkpoint before each turn
+  pi.on("turn_start", async () => {
+    turnCount++;
+    try {
+      await pi.exec("git", ["stash", "create", "-m", `oh-pi-turn-${turnCount}`]);
+    } catch { /* not a git repo */ }
+  });
+  // Notify when agent is done
+  pi.on("agent_end", async () => {
+    terminalNotify("oh-pi", `Done after ${turnCount} turn(s). Ready for input.`);
+    turnCount = 0;
+  });
+}

package/config/pi/extensions/safe-guard.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * oh-pi Safe Guard Extension
+ *
+ * Combines destructive command confirmation + protected paths in one extension.
+ */
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+export const DANGEROUS_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+|.*-rf\b|.*--force\b)/,
+  /\bsudo\s+rm\b/,
+  /\b(DROP|TRUNCATE|DELETE\s+FROM)\b/i,
+  /\bchmod\s+777\b/,
+  /\bmkfs\b/,
+  /\bdd\s+if=/,
+  />\s*\/dev\/sd[a-z]/,
+];
+export const PROTECTED_PATHS = [".env", ".git/", "node_modules/", ".pi/", "id_rsa", ".ssh/"];
+export default function (pi: ExtensionAPI) {
+  pi.on("tool_call", async (event, ctx) => {
+    // Check bash commands for dangerous patterns
+    if (event.toolName === "bash") {
+      const cmd = (event.input as { command?: string }).command ?? "";
+      const match = DANGEROUS_PATTERNS.find((p) => p.test(cmd));
+      if (match && ctx.hasUI) {
+        const ok = await ctx.ui.confirm("⚠️ Dangerous Command", `Execute: ${cmd}?`);
+        if (!ok) return { block: true, reason: "Blocked by user" };
+      }
+    }
+    // Check write/edit for protected paths
+    if (event.toolName === "write" || event.toolName === "edit") {
+      const path = (event.input as { path?: string }).path ?? "";
+      const hit = PROTECTED_PATHS.find((p) => path.includes(p));
+      if (hit) {
+        if (ctx.hasUI) {
+          const ok = await ctx.ui.confirm("🛡️ Protected Path", `Allow write to ${path}?`);
+          if (!ok) return { block: true, reason: `Protected path: ${hit}` };
+        } else {
+          return { block: true, reason: `Protected path: ${hit}` };
+        }
+      }
+    }
+  });
+}