All notable changes to pi_agent_rust are documented here.
Versions marked Release have published binaries on GitHub Releases. Versions marked Tag-only exist as git tags without a corresponding GitHub Release (no downloadable binaries). Versions marked Draft have an unpublished draft release on GitHub.
Repository: https://github.com/Dicklesworthstone/pi_agent_rust
- Newer z.ai (GLM) and MiniMax models in the registry — the model catalog
now includes z.ai GLM-5.1 (
glm-5.1, 200K context) and GLM-5.2 (glm-5.2, 1M context) under thezaiprovider, and MiniMax-M3 (MiniMax-M3, 1M context) under bothminimaxandminimax-cn. The upstream provider-id snapshot is updated so the mainlandzhipuai/BigModel endpoint and thezai-coding-plan/zhipuai-coding-plan/minimax-coding-planrouting presets also surface these ids. Context windows, max-output ceilings, pricing, and reasoning support are taken from the published models.dev catalog and verified against the official z.ai and MiniMax API docs. Select them with e.g.pi --provider zai --model glm-5.2orpi --provider minimax --model MiniMax-M3. Fixes #115. /mcpslash command — reports MCP (Model Context Protocol) server status in the interactive TUI instead of returning "Unknown command". Lists any MCP servers an installed extension has registered and clarifies that Pi does not read standalone MCP config files (.agents/mcp.json,.pi/mcp.json,~/.pi/agent/mcp.json). Fixes #112.
- Windows
WSAENOTCONNretry now also fires for TLS errors surfaced through non-Iovariants —is_retryable_not_connected_tlswalks theTlsErrorsource chain in addition to matching the directIovariant, so a "socket not connected" (os error 10057) reported via the TLS library is still detected and retried with a fresh connection. Hardens #111 / #106.
v0.1.20 — 2026-06-13 — Tag-only
- Windows connect retries now survive
WSAENOTCONN("Socket is not connected") — the HTTP client retries the TCP connect when Winsock reportsWSAENOTCONN, and the error-classification logic walks the fullio::Error::get_refsource chain so the code is detected even when it is wrapped several layers deep. A Winsock remediation hint is surfaced when the condition is hit. Fixes #106.
- Synced
Cargo.lockto the released0.1.19dependency set.
v0.1.19 — 2026-06-11 — Tag-only
- ACP dynamic configuration — ACP mode supports
session/set_modelandsession/set_config_option, so clients can switch the active model and tune config options mid-session. Fixes #105. - ACP sessions can persist to disk —
--session-diris honored in ACP mode, letting ACP-driven sessions be stored and resumed like interactive ones. Fixes #102.
- System prompt emits date only (no clock time) — the system prompt now carries a date-only stamp instead of a full timestamp, so the leading prompt prefix stays byte-stable within a day and provider KV caches are preserved instead of being invalidated on every turn. Fixes #103.
llamacppandmistral.rsare treated as keyless local providers — these local OpenAI-compatible backends no longer demand an API key to be selectable. Fixes #104.- Bundled TLS roots + cached connector — the HTTP client uses bundled webpki
roots and caches the TLS connector, avoiding slow per-request system trust-store
parsing (notably the multi-second
SecTrustSettingsstall on macOS arm64). Fixes #101. - Snapshot/override entries honored for native-adapter legacy providers —
models.jsonsnapshot andmodels-override.jsonentries are no longer silently dropped for native-adapter providers (openai-codex, github-copilot, google-gemini-cli, google-antigravity). Fixes #100.
- Upgraded
asupersyncto0.3.4, dropping the=0.3.2pin (0.3.3was yanked). - Pinned
rust-toolchaintonightly-2026-02-19to stop clippy lint drift, and the publish workflow now emits the missing-token error on stdout. - Docs: model examples use the
openai-completionsAPI id rather thanopenai.
v0.1.18 — 2026-06-05 — Release
- TUI front-end is feature-gated behind a default-on
tuifeature — SDK and library consumers can now build without compiling the terminal stack by disabling thetuifeature, while default installs are unchanged. Fixes #98.
- The publish workflow fails loudly when
CARGO_REGISTRY_TOKENis missing, so crates.io publishes can no longer be silently skipped. Fixes #99. - Formatting and beads export housekeeping.
v0.1.17 — 2026-06-04 — Release
- Configurable provider-aware HTTP request timeout — request timeouts are now configurable and provider-aware, addressing spurious "Request timed out" failures on slow providers. Fixes #90.
- Dynamic model fetch with caching — providers can fetch their live model list with a 5-minute TTL cache and a static-registry fallback; the static fallback is no longer cached so a transient fetch failure does not pin a stale list.
- GitHub Copilot sign-in works out of the box — a default Copilot
client_idis shipped and the Copilot device flow is wired into/loginwith an SSH/headless fallback, so login no longer requires manual client configuration. Fixes #97. - Idle CPU churn from cursor blink removed — the interactive front-end stops the cursor-blink repaint loop while idle so the async runtime can actually park.
- Kimi-for-coding fallbacks modernized — prefer K2.6/K2.5 over the legacy K2-thinking model as concrete fallbacks.
- Release binary size budget raised from 20 MB to 25 MB; no-mock CI now gates
only new violations via a
.no-mock-allowlistfile; fuzz target forced tox86_64-unknown-linux-gnuso ASan links against dynamic libc; trimmed 70 more staleext_conformanceartifact fixtures.
v0.1.16 — 2026-05-22 — Release
- Configurable tool-iteration cap — added
--max-tool-iterations <N>CLI flag andPI_MAX_TOOL_ITERATIONSenv var. Both override the historical hardcoded default of 50. Clamped to[1, 1000]; invalid or zero values fall back to 50 with a warning. Without this, long multi-step agentic tasks (multi-file refactors, multi-phase spec implementations) were forcibly stopped with no graceful handoff. - Soft handoff warning at 80% of the iteration cap — when an agent
crosses
(max * 4) / 5tool iterations, the runtime injects a one-shot steering message ("Tool-iteration budget at ≥80%; begin graceful handoff per spec…") so the agent can self-pace into anincomplete-handoffenvelope rather than being silently killed at the cap. Skipped for caps below 5 to avoid noise on tiny ceilings. Pairs with--max-tool-iterationsto make iteration-aware-handoff protocols self-enforceable.
- Coding-plan providers are now selectable by
--provideralone — selecting a provider that has no models in the registry (the routing-only presets such aszai-coding-plan,minimax-coding-plan, andkimi-for-coding) previously failed withNo models available for provider …. Such providers now synthesize an ad-hoc model entry from a per-provider default, honoringconfig.default_modelonly when it is paired with the same provider viaconfig.default_provider. - Ad-hoc model entries resolve credentials from stored auth / env —
synthesized entries started with no API key, so
model_entry_is_readyreported them as unconfigured even when valid credentials existed. Keys are now resolved when the entry is created (the SAP path keeps its own resolver), so readiness reflects reality. - Provider default model ids modernized —
zai/zai-coding-plandefault toglm-4.7(wasglm-4.6),minimax/minimax-cn/minimax-coding-plandefault toMiniMax-M2.7(wasMiniMax-M2.5), and the Kimi for Coding plan uses its stable virtual model idkimi-for-coding. The single defaults table now also feeds ad-hoc synthesis, eliminating duplication. - Active model auto-switches when it loses credentials — when the selected model's credentials disappear mid-session, the interactive front-end switches to a still-ready model instead of failing the next turn. Fixes #81.
- Actionable hints for host/network-unreachable connect failures — connect
errors (host unreachable / network unreachable, e.g. the macOS arm64
EHOSTUNREACHcase) now surface a remediation hint instead of a bare OS error. Fixes #88.
asupersyncupgraded to0.3.2, fixing a post-session persistence worker that spun at ~500% CPU after a session completed. Fixes #83.- Large QuickJS Node-shim conformance push — extensive hardening of the
embedded-runtime Node API shims, especially the global
Buffersurface (encoding/length coercion, integer read/write bounds and validation, base64/hex decoding,ArrayBuffersharing/offsets, byte-swap parity, single-byte encodings) plusfs/cryptoshim fixes, tighter extension-VFS path scoping and hermetic fixtures, and fail-closed handling of non-primary entrypoint load errors. Adds the@mariozechner/pi-aicompletion + model-registry host bridge. - Swarm operations + autopilot tooling — deterministic swarm-replay engine
and ingestor,
pi doctorswarm checks (rch warm-target affinity planner, conflict predictor, reservation recommendations, affinity-proof gate), an autopilot dry-run next-action planner with budget-drift watcher and failure action catalog, a completion-audit generator, and a swarm operations runbook. - Regenerate
rquickjsbindings at build time on Android/Termux; trackscripts/skill-smoke.shand thepi-agent-rustskill so the installer regression harness passes in clean CI checkouts.
- Default OpenAI Codex model now prefers GPT-5.5 with xhigh reasoning —
startup, setup, and model-candidate resolution prefer
openai-codex/gpt-5.5over older GPT-5.4 defaults, with fuzzy aliases covering GPT-5.5 model names. - RPC startup paths no longer accidentally behave like interactive TUI
sessions — the
--rpcshortcut is parsed as an explicit RPC mode, avoids incompatible--printcombinations, and skips interactive-only session-index maintenance. - Non-interactive exits are deterministic — the CLI process exits after the selected mode returns, avoiding runtime-drop hangs after terminal shutdown.
- Streaming and tool-call edge cases are fail-closed — SSE EOF flushing is terminal across repeated polls, SIGPIPE trampoline exec failures propagate as tool errors, and Bun/Node extension helpers avoid invalid native argument shapes.
- Filesystem and extension tests are confinement-aware — grep output remains relative from symlinked working directories, Bun file-write coverage avoids escaping the extension root, and validation tolerates unvendored candidate-pool hits without weakening hard gates.
- Release evidence writers honor off-repo target directories — performance,
lifecycle, provider-registry, and scenario harnesses now write artifacts under
CARGO_TARGET_DIRwhen set, preventing release gates from failing on unwritable or missing repositorytarget/paths.
- Stabilize HTTP, model-registry, model-selector, provider backward-lock, non-mock compliance, and perf regression fixtures so the release compile, clippy, format, workspace test, and release-build gates run cleanly in the high-capacity release workspace.
-
Slash dropdown Enter accepts highlighted entry — When the autocomplete dropdown is open with a highlighted item (the user pressed Down to navigate to a specific entry), Enter now accepts the highlight and runs the selected command, matching the dropdown's own footer hint "Enter/Tab accept" and the convention used by fzf, vim completion, Slack/IRC slash menus, etc. The prior behavior — Enter submits the raw editor contents regardless of the highlight — is preserved when no item is highlighted, so users who never navigated keep the existing escape-hatch behavior. Fixes #61. Regression tests in
src/interactive/tests.rs::enter_accepts_highlighted_autocomplete_itemandenter_submits_when_no_autocomplete_item_highlighted. -
File mode bits preserved on session rewrite and tool write — earlier release notes (51b7776d) for write-time mode preservation. Bug fix preserves permissions across session rewrites that previously stomped them.
-
User-overridable model list — Drop a JSON file at
<config_dir>/pi/models-override.json(or setPI_MODELS_OVERRIDEto point pi at a path elsewhere) to extend the bundled model snapshot at runtime. The override file uses the same shape as the bundled snapshot:{ "anthropic": ["claude-opus-4-7"], "openrouter": ["anthropic/claude-opus-4-7"] }Override entries union with the bundled snapshot (set semantics, deduped). Missing/blank/malformed files log a warning and are treated as empty so a typo never breaks startup. The model catalog cache fingerprint folds in a CRC of the override file so memoized consumers refresh correctly when the override changes. Documented in
docs/models.md. Fixes #60. This obsoletes the recurring one-line PRs that just add new model IDs to the bundled snapshot — drop them in your config instead. -
claude-opus-4-7 in anthropic snapshot — Anthropic shipped Opus 4.7 on 2026-04-28; surfaced in
/modelautocomplete. Mirrors PR #59 (closed in favor of independent implementation per project policy).
- Refactor the snapshot ↔ override merge into a
merge_provider_model_idshelper for testability. - Address three nightly clippy lints in
package_manager.rs,extension_preflight.rs, andextensions.rsthat were blocking thecargo clippy --all-targets -- -D warningsCI gate. - (Concurrent agent work also merged this cycle — see git log between v0.1.13 and v0.1.14 for the full set, including RPC lifecycle event refactors and permission recovery test probes.)
- Seven pre-existing test failures in
src/app.rs::tests::select_model_*,src/rpc.rs::tests::auto_compaction_*, andsrc/session.rs::tests::test_continue_recent_*predate this release. Tracked in beadsbd-d8v93for follow-up.
- Actually fix Windows build. v0.1.11 attempted to work around the published
sqlmodel-sqlite0.2.1 dynamic-link issue by addinglibsqlite3-syswithbundled-windowsas a top-level direct dep. That attempt failed becausesqlmodel-sqlite0.2.1 still declared#[link(name = "sqlite3")](dynamic) without importing any item fromlibsqlite3-sys, so rustc elided thelibsqlite3-sysrlib and dropped its build-script static-link directives before link time — leaving only the dynamic-link directive, which failed with__imp_sqlite3_*: unresolved external symbolon MSVC. Upgrading tosqlmodel-sqlite0.2.2 picks up50e1aca(always bundle vialibsqlite3-sysfeaturebundled) andc8bb7d7(pin the rlib with an explicit#[link(name = "sqlite3", kind = "static")]), which make the static-link directives actually survive into the link step. Fixes #55.
- Bump
sqlmodel-sqliteandsqlmodel-corefrom 0.2.1 to 0.2.2. - Drop the now-redundant
[target.'cfg(windows)'.dependencies] libsqlite3-sysblock and the FreeBSDlibsqlite3-sysmirror of the same workaround. Both are subsumed bysqlmodel-sqlite0.2.2 bundling sqlite on every target.
- Fix Windows build: Add
libsqlite3-syswithbundled-windowsas a direct dependency. The publishedsqlmodel-sqlitecrate was missing the[target.'cfg(windows)'.dependencies]section, causingLINK : fatal error LNK1181: cannot open input file 'sqlite3.lib'on MSVC. Fixes #48. - Fix Windows compiler warnings: Suppress platform-conditional unused
variable/mut warnings in
rpc.rs,tools.rs,doctor.rs, andsession_store_v2.rsusing targeted#[cfg_attr(not(unix), ...)]attributes.
- Bump
sqlmodel-sqliteandsqlmodel-corefrom 0.2.0 to 0.2.1.
Unreleased (after v0.1.9)
Commits since v0.1.9 tag (2026-03-12) through 2026-03-21.
- Add built-in entries for GPT-5.2 Codex, Gemini 2.5 Pro CLI, and Gemini 3 Flash (
43ddc6f).
- Support
$ENV:prefix inauth.jsonso API keys can reference environment variables instead of storing secrets in plain text (266be4c). - Async Kimi OAuth flow, theme picker caching, session index offloading, and config error surfacing (
943085f). - Random-port OAuth callback server and viewport scroll clipping fix (
bda35a4). - Fix OAuth callback
redirect_uriper RFC 6749 Section 4.1.3 (d264bb8,c44dfbd). - Fix config override package toggle persistence (
8268a8c). - Deterministic scope update ordering in package toggle tests (
73eb0b6).
- Fail closed on invalid extension manifests (
028be33,9bb1f8c). - Fail closed on malformed package manifests (
ebffa82). - Fail closed on invalid hostcall reactor configs (
7b0a0b6,3621449). - Cap
randomBytesnative hostcall to prevent OOM DoS; usesync_channelfor RPC stdout backpressure (c5afccf). - Cap WASM
Vecpre-allocation inextract_bytesto prevent OOM on large arrays (95d4128). - Share WASM virtual files via
Arcand fix UTF-8 read truncation (61b400b). - Prevent DoS vectors via unbounded thread creation and indefinite stream blocking (
a7ecaa3). - Remove implicit panics from lazy regex initialization and serialization unwraps (
4c32edc). - Reject non-regular-file paths in extension
fs_op_readhostcall (a09f2a3). - Normalize repository shorthands and suppress unsafe extension walks (
53f80eb).
- Prune stale session index rows when project directories disappear (
d8bc4f4). - Prune stale resume index rows and corrupt recents entries (
1bd3887,ddd006a). - Defer session picker prune on permission errors (
e510294). - Harden
SessionStoreV2newline-heal rebuild path (0ee28af). - Harden session index and auth async flows (
609ba33). - Clear stale session index names (
38a37d3). - Propagate read errors during JSONL session loading instead of silently skipping (
a1c725c).
- Refine extension JS bridge, RPC protocol, and tool dispatch (
02b49de). - Resolve remaining O(N^2) string concatenations in extension polyfills and WASM memory cloning (
ec1dfeb,b56b156). - Fix exec wrapper double-buffering that lost stdout/stderr on close (
fc1f91f). - Fix RPC extension precedence and queue mode propagation (
af4f1a7,c1f97e6). - Sync RPC session state with typed SDK (
14736c1). - Expand extension stress testing, tool dispatch, and tree view (
fcf99ca). - Skip empty extension runtime boot (
4e70a65).
- Allow empty keybinding overrides to unbind defaults (
60d63a6). - Refine keybinding dispatch and tool argument handling (
d6fc889).
- Make chunked transfer-encoding and header parsing tolerant of bare LF line endings (
d1e7166). - Reject unsupported transfer-coding chains (
184a2a6). - Harden Transfer-Encoding aggregation and outbound header names (
b613709,1df7610). - Drop caller-supplied
Transfer-Encodingheader from outbound requests (b3625e2). - Stream JSONL migration instead of
read_to_stringfor lower peak memory (ed47943).
- Avoid duplicating first string stream delta (
c354a0c). - Honor native adapter defaults and sync session connector channel (
e65dcad). - Expand provider module and e2e live test coverage (
a5a27a4). - Normalize bare OpenAI/Cohere origins to
/v1endpoints and always persist thinking level (7145c6e).
- Enable grep/find/ls by default and document 8 built-in tools (
7fc5cc5). - Discard incomplete bash spill files (
e8b94d3). - Clean up incomplete bash spill files (
e8b81e4).
- Batch session entry inserts in chunks of 200 for SQLite (
86368c2). - Skip resolution when all resource categories disabled; deduplicate cached extension entries (
996dcf3).
- Embed changelog into binary (
c3385cb). - Harden ARM64 Linux release build against future regressions (
aef5fb8). - Fix SSE retry field parsing (
f5457f6).
v0.1.9 -- 2026-03-12 -- Release
Tag: 81bf62d
A reliability-focused release with deep hardening of the backpressure model, HTTP RFC compliance, session lifecycle, and the asupersync runtime migration.
- Systematically prevent silent message drops under backpressure in the interactive event loop (
3dcbf0a). - Replace
try_sendwith backpressure-aware enqueue for extension host action events (cc97fa5). - Preserve async error events under backpressure (
ab3ac63). - Use guaranteed send for
UiShutdownon bounded event channel (1d995da). - Send
UiShutdownevent to unblock async bridge after TUI exits (bc645f0).
- Validate
Content-Lengthheaders and reject malformed or conflicting values (c25efc6). - Handle coalesced
Content-Lengthheaders per RFC 9110 (4dbd0d4). - Treat 1xx/204/205/304 responses as empty-body per RFC 9110 (
6e6c123). - Add
write_all_with_retryto handle transientOk(0)from TLS transports (7722a14). - Flush TLS write buffer on zero-byte retry (
8dcf945).
- Migrate compaction worker from std threads to asupersync runtime (
009c97b). - Migrate compaction worker to externally-injected runtime handles (
95081cd). - Propagate asupersync
Cxthrough RPC, agent, interactive, and session layers (ae91ad9). - Migrate Session save-path metadata to asupersync async filesystem (
8179452). - Migrate GrepTool
fs::metadatato asupersync async filesystem (2a36d88). - Add binary body support to fetch shim (
2edd6c8).
- V2 sidecar staleness detection with JSONL rehydration fallback and cross-format chain hash verification (
7d0cc00). - Atomic sidecar rebuild with staging/backup swap and trash-based deletion (
e578369). - Honor SQLite WAL sidecars in metadata and deletion (
5239849). - Unify file stat logic through WAL-aware
session_file_statshelper (4806396). - Session health validation and extension index NPM package name preservation (
f9731cc). - Skip re-parsing unchanged session files in session picker (
6e8b817). - Harden auth migration for malformed entries and fix config path fallback (
ae105be).
- Handle agent-busy state gracefully in tree navigation and branch picker (
66e2c89). - Handle busy session locks correctly in branch navigation UI (
36640ec). - Consolidate interactive model-switching into
switch_active_modelwith thinking-level clamping (2614d57). - Atomicize model/thinking-level management with session header sync and deduplication (
720dc56). - Fix thinking-level fallback on header-less sessions and model-switch gating (
790a362). - Scope tmux mouse-wheel override to current pane, traverse parent dirs for git HEAD (
60fe95e). - Correct tmux wheel binding save/restore and reduce mouse event noise (
72a1082).
- Scope extension filesystem access by extension ID and harden path traversal controls (
4d6ab94). - Heuristic token fallback, module path traversal guard, and config-driven queue modes (
77a44af). - Preserve runtime IDs for permission cache (
08922e4). - Use explicit permissions path, add
empty_atfallback constructor (670c935). - Extract
safe_canonicalizeto deduplicate path validation (6cd8211). - Replace hand-rolled semver parser with
semvercrate for correct pre-release ordering (add7336,cf729a2). - Preserve exact bare version constraints in extensions (
90f60c5).
- Redact normalized text request bodies and single-pair sensitive form bodies in VCR cassettes (
ae24ad4,7d929dd). - Recover poisoned env override lookups and distinguish absent vs explicitly-unset overrides (
babd3cd,421ad64). - Fail closed on zero-baseline telemetry in replay (
eae5a87). - Report schema mismatches during comparison (
52527d0). - Scope SSE buffer guard to retained tail (
3f6ebe0).
- Preserve decorated URL normalization (
6ebfef8). - Extension session with compaction state, Unknown credential variant, URL origin validation, and tilde fence support (
89c92cc). - Harden extension popularity, file tools, and JS-to-JSON conversion (
f29ae31). - Normalize bare official OpenAI/Cohere origins to
/v1endpoints (7145c6e).
- Use
BTreeMapforPermissionsFiledeserialization for deterministic JSON diffs (cbc94ca). - Stabilize JSON serialization order for deterministic diffs (
3537b9c). - Add schema version validation and proper timestamp-aware expiry checking (
42b2c7d).
- Use
macos-15-intelrunner for x86_64 Darwin release builds (11c8e6a). - Extract
drain_bash_output()with selective cancellation semantics (9efb65e).
v0.1.8 -- 2026-02-28 -- Release
Tag: ae35bfe
Major feature release introducing the HashlineEditTool, image tool results for more providers, deep security hardening, and dozens of reliability fixes across the agent, streaming, and session subsystems.
- HashlineEditTool: line-addressed file editing tool that supports edits by hashline reference, reducing ambiguity in multi-edit sessions (
0b1baad). - Enable
hashline_editin the default tool set and add system prompt guidelines (c947acc,332d1e0). - Add hashline output mode to GrepTool (
72d8125). - Merge overlapping context windows in GrepTool output (
f68fb76).
- Support image content in tool results for Azure and Bedrock providers (
35ed28b). - Accumulate streaming tool call deltas instead of overwriting (
3df7373). - Per-model reasoning detection for Claude 3 Sonnet/Opus/Haiku, DeepSeek, Mistral, Llama, Gemini variants, and QWQ (
0189ed4,06595fe,e382c78). - Consolidate reasoning detection into
model_is_reasoning(b88817b). - Canonical provider preference and per-model reasoning detection (
f799a7b). - Add
WriteZeroretry to Anthropic provider and reduce idle worker threads (012f0f6). - Include response data in Bedrock/JSON parse error messages (
e224d5d,e8321b7). - Populate error message metadata and include thinking in response detection (
5834f24).
- Set
0o600permissions on migratedauth.jsonand session files; shared file locks for auth reads (4dafcd9,6ec4ac2). - Prevent zero-filled output on
getrandomfailure in crypto shim (96f8187). - Canonicalize extension read roots before path comparison (
6e65575). - Block extension
fs_writeoutside workspace root (adversarial gap G2) (d408bd0). - Close monorepo escape path traversal bypass (
c84feac). - Harden JS extension module resolution with fail-closed empty-roots and canonicalized escape detection (
0f0a899). - Cap all subprocess pipe reads to
READ_TOOL_MAX_BYTESto prevent OOM (617f571). - Harden JS array limits, process cleanup, mutex recovery, and oscillation guard (
42a9174).
- Race tool execution against abort signal for prompt cancellation (
bf77ad6). - Prevent context duplication on API retry; strip dangling tool calls on error (
4a11c20). - Emit
TurnEndevents on error paths; enforce write access inmkdtempSync(25cd30a). - Graceful error recovery during stream event processing (
888c614). - Fix slash menu pre-selection and multi-line input overflow (
32fce5e). - Add
--hide-cwd-in-promptflag (37f8361).
- Delete sidecar directory when trashing session files (
efed69b). - Gracefully handle missing
pi_session_metatable; reject directory paths in file tool (75987eb). - Move index snapshot writes to background thread (
d3dad76). - Always break bash RPC loop after kill; restrict session store truncation to last segment only (
1bf7b3d).
- Add
find_rg_binaryhelper and respect workspace.gitignorein grep/find (12cce2e). - Use
subarrayforBuffer.sliceandgetrandomfor crypto randomness in shims (6cdfbbe). - Correct CRLF normalization and between-changes diff context (
50c9e10). - Replace unbounded file read with size-limited read in EditTool (
fa50f24). - Canonicalize file paths in EditTool/WriteTool and harden GrepTool match iteration (
e4426bd). - Guard ReadTool image scaling against division-by-zero and simplify line counting (
cf69a47). - Rewrite
split_diff_prefixwith explicit byte-walking parser (d80d5b4). - CRLF idempotency bug, redundant counter, div-by-zero guard,
kill()clarity (ba6df5e).
- Handle transient
WriteZeroerrors in SSE streaming gracefully (closes #12) (5360d79). - Handle EINTR across all streaming read loops (
b2e7150). - Clamp HTTP buffer consume to bounds (
fa66d94). - Add
sync_all()before atomic renames for crash safety (eaa63b3).
- Preserve string buffer capacity by replacing
mem::takewithclone+clear(2927bbd).
- Split clippy into per-target-kind gates to avoid rch timeout (
d12a83a). - Harden proposal validation paths, file ref quoting, and tree selection arithmetic (
c603f8f).
v0.1.7 -- 2026-02-22 -- Draft
Tag: 5bffab9
A stabilization release focused on streaming renderer performance, session index optimization, and CI/build reliability. Draft release (no published binaries).
- Optimize streaming markdown rendering with intelligent format detection (
57fe905). - Add streaming markdown fence stabilization for live rendering (
8903571). - Optimize streaming renderer hot path and session serialization (
c5d8ae6).
- Add best-effort session index snapshot update helper (
a5c86f6). - Optimize session index snapshot update with borrowed parameters (
c0e86a8).
- Harden agent dispatch, SSE streaming, provider selection, and risk scoring (
0513a80). - Harden abort handling, UTF-8 safety, IO guards, and extension streaming (
ee12566). - Remove local
charmed-bubbleteapatch that breaks CI builds (9673414).
- Prevent
PROXY_ARGSunbound variable error on bash < 4.4 (f9f1c3d).
- Repair release workflow: stub missing submodule, use ARM macOS runner (
3357e30). - Include
docs/wit/extension.witin crate package (5bffab9).
v0.1.6 -- 2026-02-21 -- Release
Tag: 9dd3b3b
Hotfix release addressing an OpenAI provider lifetime issue.
- Fix OpenAI lifetime issue that prevented streaming completion (
9dd3b3b).
v0.1.5 -- 2026-02-20 -- Tag-only
Tag: c22199d
Performance-focused release with allocation reduction, UI streaming overhaul, and critical deadlock/memory-leak fixes. No GitHub Release was published.
- Eliminate unnecessary heap allocations across providers, session store, and diff generation (
606fccb). - Eliminate redundant deep clones in agent loop and provider streams (
e9c108c). - Eliminate intermediate allocations in resource loading (
6b7caaf). - Reduce allocations across agent core, model catalog, and tool output paths (
96fec6d). - Fix message ordering in agent loop and pre-allocate session vectors (
2831682).
- Synchronous package resource resolution for config fast paths (
695ad17). - Fast-path
config --showand--jsonoutput when no packages installed (829dcbc).
- Fix potential deadlock: drop mutex guard before async channel send (
0211bbd). - Eliminate memory leak in Azure provider role name handling (
7216f86). - Fix scheduler
has_pendingfalse positive and clean up session parsing (f176d20).
- Overhaul UI streaming pipeline to eliminate flicker and improve responsiveness (
9ff9de8). - Harden streaming UI paths and reduce model-list churn (
8ae9022).
- Prevent XML injection in file tag name attributes (
e9623a0).
v0.1.4 -- 2026-02-20 -- Release
Tag: 12b2e6e
Major security hardening release with path traversal prevention, command obfuscation normalization, OOM guards, and a complete overhaul of the hostcall scheduler. Also introduces zero-copy OpenAI serialization and multi-source message fetchers.
- Path traversal prevention:
safe_canonicalize()handles non-existent paths via logical normalization with symlink-aware ancestor resolution; module resolution enforces scope monotonicity within extension roots (d1982f3). - Command obfuscation normalization: new
normalize_command_for_classification()strips shell obfuscation techniques (${ifs}, backslash-escaped whitespace) before dangerous command classification (d1982f3). - OOM guards: depth limits on recursive JSON hashing (128),
MAX_MODULE_SOURCE_BYTES(1 GB),MAX_JOBS_PER_TICK(10,000), SSE buffer limits (10 MB total, 100 MB per-event) (0e17d52). - Fast-lane policy enforcement: extension dispatcher fast-lane now runs capability policy checks before executing hostcalls (
d1982f3). - Atomic file permissions: auth storage and Anthropic device ID files use
OpenOptions::mode(0o600)instead of post-hocchmod(d1982f3).
- Zero-copy OpenAI serialization: request types use lifetime-parameterized borrows instead of owned
Strings (f518bb0). - Empty base URL handling: all
normalize_*_basefunctions now return canonical defaults for empty/whitespace input (f518bb0). - Gemini/Vertex robustness: unknown part types (executableCode, etc.) silently skipped;
ThinkingEndevents emitted for open thinking blocks (f518bb0).
- Multi-source message fetchers: steering and follow-up fetchers are now
Vec-based with additive registration, enabling RPC + extensions to both queue messages (355d7e9). - Queue bounds:
MAX_RPC_PENDING_MESSAGES(128),MAX_UI_PENDING_REQUESTS(64) prevent OOM (355d7e9). - Error persistence fix:
max_tool_iterationserror now synced to in-memory transcript (355d7e9).
- Batched index updates: group by
sessions_rootfor amortized DB access (1df017d). RawValueframes: session store v2 usesBox<RawValue>to avoid re-serializing payloads (1df017d).- Partial hydration tracking:
v2_message_count_offsetfor tail-mode session loading (1df017d).
- Correct truncation semantics: trailing newline no longer inflates line count (
d86e144). - DoS guard:
BASH_FILE_LIMIT_BYTES(100 MB) prevents unbounded output reads (d86e144).
- Log-sinking batch planner: preserves global request ordering with log-call buffering (
9792cf6). - Generation-keyed ghost cache:
O(log n)ghost operations replacingO(n)VecDequescans (9792cf6). - FIFO scheduler:
VecDequereplacesBinaryHeapfor monotone-sequence macrotask queue (9792cf6).
- Remove auto-hook installation; add idempotent removal of installer-managed hook entries from prior versions (
d2ffdbb). - Bound network fetch latency during post-install steps (
c7a3b2b).
- Extension events use camelCase serialization matching TypeScript wire format (
0e17d52). - Doctor checks for
rgandfd/fdfinddependencies (0e17d52). - Gist URL parser rejects profile links and non-canonical paths (
0e17d52). - TUI markup parser rewritten with explicit state machine (
0e17d52). - Explicitly shut down extension runtimes before session drop to prevent QuickJS GC assertion (
fa49f58). - 9 new regression tests covering security fixes and edge cases (
8b1db8a).
v0.1.3 -- 2026-02-19 -- Release
Tag: 6637f26
Re-enables the dual JS/TS + native-Rust extension runtime, introduces argument-aware runtime risk scoring with heredoc AST analysis, and adds a live-provider extension validation tool.
- Re-enable JS/TS extension runtime alongside native-Rust descriptors, restoring the dual-runtime model (
ee78a58). - Recognize JS/TS files as valid extension entrypoints in the package manager (
e9f3c9e).
- Argument-aware runtime risk scoring with DCG integration and heredoc AST analysis via
ast-grep(ad26a4f).
- Add
ext_release_binary_e2etool for live-provider extension validation against real (non-mocked) provider responses (409742e). - Harden release-binary extension harness for OAuth-first auth and stable capture (
2b41b09). - Overhaul scenario harness with setup merging, shared context, and parity improvements (
93ac8d9). - Add
normalize_anthropic_baseunit tests and proptest (374f8e6).
- Add
codex-sparkregistry entry andxhighthinking support (cef709c). - Make default request timeout env-configurable with explicit no-timeout mode (
74e8f1f).
v0.1.2 -- 2026-02-18 -- Release
Tag: 27bdebc
Focused on OpenAI Codex provider correctness and a comprehensive credential resolution overhaul adding OAuth support for multiple providers.
- Add all required Codex API fields (
instructions,store,tool_choice,parallel_tool_calls,text.verbosity,include,reasoning) (0485fb4). - Send system prompt as top-level
instructionsfield (2a56374). - Skip
max_output_tokens(unsupported by Codex API), use actual thinking level forreasoning.effort(1d7610b). - Tolerate missing
Content-Typeheader in streaming response (27bdebc).
- Case-insensitive provider matching across all provider lookups (
8671312). - Native OAuth support for OpenAI Codex, Google Gemini CLI, and Google Antigravity (
14e5016). - Kimi Code OAuth support and credential resolution overhaul (
8671312). - Convenience aliases for Kimi, Vercel, and Azure providers (
2581af0). - OAuth CSRF validation, bearer token marking, gcloud project discovery, and Windows home directory support (
63265e5). - Anthropic base URL normalization and OAuth bearer lane (
efba9c8). - Keyless model support for models that do not require configured credentials (
705f692). - Filter
/modeloverlay to show only credential-configured providers (9e350a5).
- Add offline tarball mode, proxy support, and agent hook management (
be404aa). - Reorder download candidates, suppress 404 noise (
6025912). - Handle missing SHA256SUMS and prioritize archive candidates (
7cc84de).
v0.1.0 -- 2026-02-17 -- Tag-only
Tag: f8980ad
First tagged milestone. The complete from-scratch Rust port of Pi Agent by Mario Zechner, built on asupersync and rich_rust. No GitHub Release was published for this tag.
- Single static binary, no Node/Bun runtime dependency.
- Built on
asupersyncstructured concurrency runtime with HTTP/TLS andCx-based capability contexts. - Terminal UI powered by
rich_rust(Rust port of Python Rich) with markup syntax, tables, panels, and progress bars.
- Full agent loop with streaming token output, extended thinking support, and conversation branching.
- Anthropic, OpenAI Chat Completions, Azure, Bedrock, Gemini/Vertex, Cohere, Kimi, and Ollama provider implementations.
- Custom SSE parser with UTF-8 tail handling, scanned-byte tracking, and chunk boundary normalization.
read-- file contents and image reading with automatic resizing.write-- file creation and overwrite.edit-- surgical string replacement.bash-- shell command execution with process tree management and timeout.grep-- content search with context lines.find-- file discovery by pattern.ls-- directory listing.- All tools include automatic truncation (2000 lines / 50 KB) and detailed metadata.
- JSONL-based session persistence with conversation branching and tree visualization.
- Session picker with resume, recent session tracking, and project-scoped sessions.
- Model/thinking level change tracking within sessions.
- QuickJS-based JS/TS extension runtime (no Node or Bun required).
- Native-Rust descriptor runtime for
*.native.jsonextensions. - Node API shims for
fs,path,os,crypto,child_process,url, and more. - Capability-gated hostcall connectors (
tool/exec/http/session/ui/events). - Command-level exec mediation blocking dangerous shell signatures before spawn.
- Trust-state lifecycle (
pending/acknowledged/trusted/killed) with kill-switch audit logs. - Hostcall reactor mesh with deterministic shard routing and bounded queue backpressure.
- Sub-100 ms cold load (P95), sub-1 ms warm load (P99).
- 224-entry extension catalog with per-extension conformance status.
- Multi-line text editor with history and scrollable conversation viewport.
- Model selector (
Ctrl+L), scoped model cycling (Ctrl+P/Ctrl+Shift+P). - Session branch navigator (
/tree). - Real-time token/cost tracking.
- Context-aware autocomplete for
@file references and/slash commands with fuzzy scoring. - Login/logout slash commands.
- Interactive (
pi) -- full TUI with streaming, tools, session branching. - Print (
pi -p "...") -- single response to stdout, scriptable. - RPC (
pi --mode rpc) -- line-delimited JSON protocol for IDE integration.
- Allocation-free hostcall dispatch and zero-copy tool execution.
- Fast-path bypass for io_uring and allocation-free shadow sampling.
- Enum-based session hostcall dispatch replacing string matching.
- Session save hotpath optimization and tree traversal for large sessions.
- NUMA-aware slab pool and replay trace recording to hostcall reactor.
- Extension runtime from QuickJS/JS migrated to native Rust during this cycle.
- CI with clippy, rustfmt, test, and benchmark gates.
- Release workflow for Linux (x86_64, aarch64), macOS (x86_64, aarch64), and Windows targets.
- Conformance test suite with 224/224 vendored extension scenarios.
- FrankenNode compatibility test harness for Node.js detection and Bun shim rejection.
- Benchmark comparison reports against legacy TypeScript implementation.
curl | bashinstaller with platform detection, SHA256 verification, andlegacy-pialias creation.- Session migration command and credential pruning.
- Clipboard via
arboardand Copilot/GitLab OAuth providers.
Initial development from first commit (37b6c7b)
through to the v0.1.0 tag. This period covers the entire from-scratch port
including core architecture, all providers, the extension system, the
interactive TUI, and the benchmark/conformance infrastructure.
Key early commits:
- Initialize Rust port project with guidelines and legacy code (
37b6c7b). - Implement core Rust port foundation (
53a8f7d). - Add SSE parser and fix compilation (
36fcd89). - Integrate rich_rust for terminal UI (
149e54e). - Implement OpenAI Chat Completions provider (
6dd3d70). - Complete pi_agent_rust MVP with session picker and test fixes (
a72dfca). - Add session branching, expanded conformance fixtures (
21c735d). - Wire interactive TUI and add extension docs (
7694d65). - Add package manager, extensions, and fix Unicode panic (
b2ff486). - Port RPC mode, conformance, and benchmarks (
cd23248). - Add login/logout slash commands to TUI (
d8a093a). - Migrate extension runtime from QuickJS/JS to native Rust (
d20f236). - Migrate clipboard to arboard and add Copilot/GitLab OAuth providers (
91d3f0b).