FE-841: Embed pi as an in-process SDK to drop the external pi CLI dependency

[kostandinang]

Problem

The cook harness drove the agent by shelling out to a pi CLI (spawn('pi', …)), so running brunch required an external pi binary on $PATH — an out-of-band prerequisite a fresh checkout couldn't satisfy.

Change

• runPi now drives an in-process createAgentSession over @earendil-works/pi-coding-agent (pinned 0.79.1) — no external binary, only ANTHROPIC_API_KEY.
• buildSessionOptions maps the old CLI flags to SDK config: --tools → tools allowlist, --model → registry lookup, --append-system-prompt → systemPromptOverride, --no-context-files/--no-session → empty resource overrides + in-memory session.
• Auth fed from brunch's own ANTHROPIC_API_KEY (no pi login/auth.json); one reused per-process agent dir; output captured off text_delta events, never stdout (keeps the cook SSE stream clean); cooperative timeout + 10MB cap.
• Read-only evaluator scoping (I126-K) preserved via the SDK tools allowlist; an injectable SessionFactory keeps the drive loop offline-testable.
• Drops the which pi prereq from the cook guide (npx pi for the interim plan-translation helper).

Verification

npm run verify (check + test + build). A PI_REAL_LLM-gated smoke drives a real in-process session end-to-end — skipped in CI, verified passing live with the global pi binary off $PATH.

[cursor]

PR Summary

Medium Risk
Touches cook’s agent orchestration and API key handling; behavior is well-covered by new tests but adds a large dependency tree and changes how long-running LLM work runs in-process.

Overview
Cook no longer shells out to a global pi CLI. runPi drives @earendil-works/pi-coding-agent (0.79.1) via createAgentSession, so a fresh checkout only needs ANTHROPIC_API_KEY in .env—not pi on $PATH.

Session setup maps the old CLI flags into SDK config: comma-separated tools → allowlist, prompt file → systemPromptOverride, empty skills/context overrides, in-memory session. Auth uses ANTHROPIC_API_KEY in an isolated temp agent dir per run (removed after dispose), not pi login / ~/.pi. Agent text is buffered from text_delta events (UTF-8 byte cap, cooperative abort) and is not written to process.stdout, so the cook SSE stream stays clean. Timeouts cover session creation and the prompt turn.

I126-K is unchanged: evaluate-done still gets read-only tools via toolsForAction; slice completion remains verification-target execution, not an LLM verdict. An injectable SessionFactory plus broad runPi unit tests and an opt-in PI_REAL_LLM smoke exercise the drive loop without network.

Docs drop the which pi pre-flight; interim plan translation uses npx pi from the bundled dependency.

^{Reviewed by Cursor Bugbot for commit 81e0833. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 11 packages with OpenSSF Scorecard issues.

View full job summary

[kostandinang]

• FE-841: Embed pi as an in-process SDK to drop the external pi CLI dependency #194 : 2 dependent PRs (#198 , #211 ) 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 21f80de. Configure here.}