Adds terminal.showTerminalProgress setting (default false) and wires it
to /settings. Guards all OSC 9;4 setProgress calls in interactive-mode.
closes#3588
Swaps hardcoded "pi" / ".pi" / "π" for the existing APP_NAME and
CONFIG_DIR_NAME extension points at four sites the original APP_NAME
rollout missed:
- /quit slash-command description
- process.title (cli.ts and bun/cli.ts)
- project-local extensions dir in loader.ts
For the terminal title, adds an APP_TITLE export in config.ts that
keeps pi's "π" glyph when piConfig.name is unset and falls back to
APP_NAME otherwise. Presence of piConfig.name acts as the "has been
rebranded" signal, so pi's own package.json drops the redundant
"name": "pi" (the existing `|| "pi"` fallback in config.ts makes this
a no-op for APP_NAME).
No behavior change for pi itself: process.title, /quit description,
terminal title prefix, and project-local extensions dir all resolve
to the same values as before.
closes#3476
* fix(typebox): migrate to v1 with extension compat
Replace AJV-based validation with TypeBox-native validation, keep legacy extension imports working (including @sinclair/typebox/compiler), and restore coercion for serialized/plain JSON schemas.
This change closes#3112.
* fix(typebox): use canonical imports and harden coercion
Switch first-party code to canonical typebox imports while retaining legacy extension aliases in the loader.
Remove obsolete runtime codegen guards, expand serialized JSON-schema coercion coverage, and update related tests and fixtures.
Fixes#3112.
---------
Co-authored-by: Mario Zechner <badlogicgames@gmail.com>
marked v15 does not filter dangerous URL protocols. The default link
renderer passes href values through verbatim, so markdown like
`[click](javascript:alert(1))` renders as a clickable XSS link in
shared/exported session HTML.
Add custom link and image renderers that:
- Block javascript:, vbscript:, and data: protocol URLs
- Escape href/title/alt attributes via escapeHtml()
Also escape img.mimeType in session image rendering to prevent
attribute breakout from crafted session JSONL.
Fixes#3531
Rename BUILTIN_TOOLS to TEMPLATE_RENDERED_TOOLS to match what the set
actually represents: tools rendered directly by the HTML template instead of
pre-rendered through the TUI→ANSI→HTML pipeline.
Move grep and find off the template-rendered exclusion path so they use their
existing TUI renderCall/renderResult output in HTML export.
Add a dedicated HTML renderer for ls and keep it in the template-rendered set.
Unlike grep and find, rendering ls through the terminal-oriented Text component
introduced spacing artifacts in exported HTML due to full-width line padding,
so ls is rendered natively in the export template instead.
- treat tools as a global allowlist across built-in, extension, and SDK tools
- remove process-cwd singleton tool usage from SDK and CLI paths
- add regression coverage for extension tool filtering
closes#3452closes#2835
Some models (Opus 4.6, GLM-5.1) send the edits parameter as a JSON
string instead of a parsed array. This fails AJV validation with
'must be array' and models fall back to sed/python.
Parse stringified edits in prepareEditArguments before validation.