- Add Biome formatter/linter with config, format entire codebase
(tabs→2-space, sorted imports, line wrapping)
- Validate dash-prefixed git tool inputs (log, blame, checkout,
diff, show) to prevent option injection
- Add URL protocol validation and safe basename sanitization
in web command pre-fetch
- Move rg/fd detection from tool creation to execution time -
return error message instead of throwing
- Add fdfind fallback for Debian-based systems
- Fix nullish coalescing bugs (|| → ??) in env.ts
- Add try/catch around workspace.cleanup() in both commands
- Add --absolute-path flag to fd invocation
- Change git_refs default from -a to no flag
- Update AGENTS.md with new scripts and grep gotcha
Amolith created b533ad6
Guard against symlink escape in workspace sandboxing
ensureWorkspacePath() previously used path.resolve() which normalizes ..
segments but does not follow symlinks. A symlink inside the workspace
pointing outside (e.g. <workspace>/escape -> /etc) would pass the textual
prefix check and let tools operate beyond the sandbox boundary.
Fix:
- Add safeRealpath() that calls fs.realpathSync() and walks up to the
nearest existing ancestor on ENOENT (needed for write targets that
don't exist yet)
- ensureWorkspacePath() now resolves both the workspace and target via
realpath before checking containment
- The cheap textual check runs first as a fast path; the realpath check
catches symlink-based escapes
Tests: 9 new cases covering symlink dirs/files pointing outside,
symlinks within workspace (allowed), nested escapes, non-existent write
targets through escaped parents, and writeWorkspaceFile integration.
Co-authored-by: Shelley <shelley@exe.dev>
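The containment check this commit describes, sketched in plain JavaScript as an added example; it is not the project's code. The names safeRealpath and ensureWorkspacePath come from the commit message, while isInside, demo and every function body are assumptions, and refusing dangling symlinks goes beyond what the message describes.

```javascript
// Added illustration: names follow the commit message, bodies are assumptions.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// True when target is root itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// realpath that tolerates a missing tail by resolving the nearest existing ancestor.
function safeRealpath(p) {
  const missing = [];
  let current = path.resolve(p);
  while (true) {
    try {
      return path.join(fs.realpathSync(current), ...missing);
    } catch (err) {
      if (err.code !== "ENOENT") throw err;
      if (fs.lstatSync(current, { throwIfNoEntry: false })) throw err; // dangling symlink: refuse
      const parent = path.dirname(current);
      if (parent === current) throw err; // reached the filesystem root
      missing.unshift(path.basename(current));
      current = parent;
    }
  }
}

function ensureWorkspacePath(workspace, candidate) {
  const textual = path.resolve(workspace, candidate);
  // Fast path: rejects ../ and absolute paths without touching the disk.
  if (!isInside(path.resolve(workspace), textual)) throw new Error(`outside workspace: ${candidate}`);
  // Slow path: follow symlinks on both sides, then compare again.
  const real = safeRealpath(textual);
  if (!isInside(safeRealpath(workspace), real)) throw new Error(`symlink escape: ${candidate}`);
  return real;
}
// Constructed demo: a temp workspace holding a symlink to an outside directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const [workspace, outside] = ["workspace", "outside"].map((d) => path.join(base, d));
  [workspace, outside].forEach((d) => fs.mkdirSync(d));
  fs.symlinkSync(outside, path.join(workspace, "escape"), "dir");
  const verdict = (p) => { try { ensureWorkspacePath(workspace, p); return "allowed"; } catch { return "blocked"; } };
  const results = ["notes/new.txt", "../outside/x", "escape/x", "/etc/passwd"].map(verdict);
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

Only `escape/x` reaches the realpath comparison and fails there; the `../` and absolute candidates are already rejected by the textual fast path, and the not-yet-existing `notes/new.txt` is allowed because its nearest existing ancestor is the workspace itself.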
Amolith and Shelley created a09e83a
fix: review cleanup — dedup containment check, remove dead imports, fix -u edge case
- Deduplicate ensureContained() in content.ts: import ensureWorkspacePath
from path-utils.ts instead of maintaining an identical private copy
- Remove unused DEFAULT_MAX_BYTES/DEFAULT_MAX_LINES imports from
git blame, diff, and show tools (truncateHead uses them internally)
- Fix -u without value silently setting options["u"] = true: now leaves
uri unset so command handlers can validate properly
- Extract expandHomePath() utility for system_prompt_path tilde
expansion, replacing fragile inline regex that missed bare ~ and
empty HOME
- Remove unnecessary parseArgs re-export from cli/index.ts (tests
import directly from parse-args.ts)
- Add test for -u at end of args
Co-authored-by: Shelley <shelley@exe.dev>
- git_show, git_diff, git_blame: apply truncateHead() consistent with
filesystem tools (DEFAULT_MAX_LINES=2000, DEFAULT_MAX_BYTES=50KB),
appending a [truncated] notice when output is clipped.
- git_log: apply default limit of 20 when n is omitted, matching the
schema description.
- Add test/git-tools.test.ts covering both truncation and default-limit
behavior.
Co-authored-by: Shelley <shelley@exe.dev>
Amolith and Shelley created 42c642d
fix(config): validate parsed TOML against ConfigSchema at runtime
Export ConfigSchema and PartialConfigSchema from schema.ts.
Use TypeBox Value.Check/Value.Errors in loader.ts to validate
parsed TOML before merging with defaults, and validate the
merged result against the full schema. Invalid config now throws
ConfigError with path, expected type, and actual value for each
violation.
Closes review issue #3.
Co-authored-by: Shelley <shelley@exe.dev>
Address review issues #1 and #4:
Issue #1 - Path traversal in tools:
- Add ensureWorkspacePath() call after path resolution in read, grep,
ls, and find tools. Previously, paths were resolved but never checked
against workspace boundaries, allowing traversal via ../ or absolute
paths.
- Remove tilde (~) expansion from expandPath(). In a workspace-sandboxed
context, expanding ~ to the user's home directory bypasses containment.
Tildes are now treated as literal path characters.
- Move ensureWorkspacePath() from index.ts to path-utils.ts to avoid
circular imports, re-export from index.ts for backward compatibility.
Issue #4 - writeWorkspaceFile lacks traversal protection:
- Add ensureContained() validation in writeWorkspaceFile() that checks the
resolved file path stays within the workspace boundary before writing.
Also:
- Fix tsconfig.json rootDir from 'src' to '.' so test/ files are included
in type checking (the include array already listed 'test').
- Add comprehensive test suite (28 tests) covering workspace containment
for all affected modules.
Add note explaining OpenAI's developer role usage for reasoning models
and compatibility issues with OpenAI-compatible endpoints that return
"Incorrect role information" errors. Include configuration example for
custom models with reasoning=true.
Add SPDX headers to all source files, license texts, and sidecar files
for REUSE.software compliance. Rewrite README with badges, better
description, and usage examples. Minor capitalization fix in CLI help
(rumilo → Rúmilo).
Amolith created 8a51bcc
fix(prompts): correct time label to include date
Change 'Current time:' to 'Current date/time:' in prompt templates to
accurately reflect that currentTime includes both date and time
information.
- Note context-aware prompt building in control flow
- Add System Prompts section documenting builder functions
- Update pre-fetch injection to reflect tags
Amolith created 2756925
refactor(prompts): templatize with XML and context
Convert static system prompt strings to builder functions that accept
runtime context (current time, git history availability).
- Replace Markdown sections with XML-style tags (approach, answering,
environment)
- Add librarian persona to repo mode, field researcher to web mode
- Make git history guidance conditional on full vs shallow clone
- Remove duplicative tool descriptions that restated tool schemas
- Repo prompt now prioritises agent instruction files for orientation
- Web prompt no longer assumes SERP-then-fetch workflow
- Pre-fetch injection uses XML tags instead of raw
string concatenation
Amolith created b04904e
refactor: improve UX messaging in CLI and tools
- More descriptive error messages with examples for invalid model format
and missing config
- Clearer, more consistent tool descriptions across all agent tools
- Comprehensive help text with version, commands, usage, options, and
config sections
- Add commit.gpgsign=false to test setups to prevent GPG signing issues
- Minor formatting consistency (e.g., 'KB' without space)
Amolith created 38e7ffa
build(npm): prepare package for publishing
Remove private flag and add publishing metadata: description, license,
files whitelist, and prepublishOnly build script.
Amolith created 94ad5ad
feat: migrate to pi-agent-core, harden sandbox
Migrate from @mariozechner/pi-agent to @mariozechner/pi-agent-core
v0.52.8, alongside pi-ai v0.52.8 which adds AWS Bedrock support.
Security improvements for workspace sandboxing:
- Remove tilde expansion from expandPath() to prevent homedir escape
- Add symlink traversal detection in ensureWorkspacePath()
- Filesystem tools (read, grep, ls, find) now enforce containment
New features for custom model configuration:
- api_key field with env var, $VAR, ${VAR}, and !shell command
resolution
- Optional custom headers support with same value resolution
Other changes:
- Add comprehensive test suite (bun test)
- Improve workspace cleanup on clone/checkout failures
- Update AGENTS.md and README.md documentation