FE-841: Embed pi as an in-process SDK to drop the external pi CLI dependency

[kostandinang]

Stack Context

Base of the cook stack. Replaces the external pi CLI dependency with an in-process agent session so a fresh checkout can run brunch without an out-of-band binary on $PATH.

What?

• runPi now drives an in-process createAgentSession over @earendil-works/pi-coding-agent (pinned 0.79.1) -- no external binary, only ANTHROPIC_API_KEY.
• buildSessionOptions maps the old CLI flags to SDK config: --tools -> tools allowlist, --model -> registry lookup, --append-system-prompt -> systemPromptOverride, --no-context-files/--no-session -> empty resource overrides + in-memory session.
• Auth fed from brunch's own ANTHROPIC_API_KEY (no pi login/auth.json); one reused per-process agent dir; output captured off text_delta events, never stdout (keeps the cook SSE stream clean); cooperative timeout + 10MB cap.
• Read-only evaluator scoping (I126-K) preserved via the SDK tools allowlist; an injectable SessionFactory keeps the drive loop offline-testable.
• Drops the which pi prereq from the cook guide (npx pi for the interim plan-translation helper).

Why?

The cook harness drove the agent by shelling out to a pi CLI (spawn('pi', ...)), so running brunch required an external pi binary on $PATH -- an out-of-band prerequisite a fresh checkout couldn't satisfy.

Tests

npm run verify (check + test + build). A PI_REAL_LLM-gated smoke drives a real in-process session end-to-end -- skipped in CI, verified passing live with the global pi binary off $PATH.

[cursor]

PR Summary

Medium Risk
Changes core cook agent execution and auth (API key handling) with a large new dependency tree and stricter Node version; behavior is heavily tested but real LLM paths differ from CI.

Overview
Cook no longer shells out to a global pi CLI. runPi now drives @earendil-works/pi-coding-agent via createAgentSession, with session options mapped from the old CLI flags (tools allowlist, model registry lookup, prompt file as system prompt, stripped context/skills, in-memory session).

Auth comes only from ANTHROPIC_API_KEY in an isolated temp agent dir per run (no pi login / ~/.pi). Agent text is buffered from text_delta events—not stdout—so the cook SSE stream stays clean; timeouts and a 10MB output cap abort cooperatively. evaluate-done still gets a read-only SDK tool list (I126-K). An injectable SessionFactory plus a large pi-actions.test suite covers timeouts, caps, isolation, and optional PI_REAL_LLM smoke.

Packaging: adds pinned @earendil-works/pi-coding-agent@0.79.1, bumps engines.node to >=22.19.0, and npm overrides for transitive deps. docs/praxis/orchestration-guide.md drops the which pi prereq and documents embedded cook + npx pi for interim plan translation.

^{Reviewed by Cursor Bugbot for commit 9d0df30. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Dependency Review

The following issues were found:

• ❌ 2 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 11 packages with OpenSSF Scorecard issues.

View full job summary

[kostandinang]

• FE-841: Embed pi as an in-process SDK to drop the external pi CLI dependency #194 : 2 dependent PRs (#198 , #211 ) 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6449742. Configure here.}