← Back to directory

pi-vscode

Minimal VS Code extension for PI Coding Agent.

IDECaution★ 73MIT

Safety notes

Caution
Minimal VS Code bridge for Pi; localhost auth-token design deserves review before use.

Static scan findings

This is a first-pass static screen, not a formal audit. It flags patterns worth reading before install.

MEDIUM · token_access
AGENTS.md
  • - **Local IDE bridge**: VS Code starts a localhost HTTP bridge with an auth token and injects it into each pi terminal via env vars
  • - Every pi launch injects `PI_VSCODE_BRIDGE_URL`, `PI_VSCODE_BRIDGE_TOKEN`, and a per-terminal `PI_VSCODE_TERMINAL_ID` plus `--extension bridge/pi-vscode-bridge.js`
HIGH · system_write
test/resolve.test.ts
  • const customPath = "/usr/local/bin/pi";
  • const piPath = join("/usr/local/bin", "pi");
  • pathEnv: "/usr/bin:/usr/local/bin",
MEDIUM · spawn_shell
scripts/release.ts
  • import { execSync } from "node:child_process";
  • execSync(cmd, { cwd: rootDir, stdio: "inherit" });
  • execSync(`rm ${vsix}`, { cwd: rootDir });
MEDIUM · spawn_shell
src/packages.ts
  • import { execFile, spawn, type ChildProcess } from "node:child_process";
  • const proc = spawn(bin, args);
MEDIUM · spawn_shell
src/chat.ts
  • import { spawn } from "node:child_process";
  • const child = spawn(options.piPath, createPiRpcArgs(options.extensionUri), {
MEDIUM · token_access
src/chat.ts
  • getBridgeConfig(): { url: string; token: string } | undefined;
  • return async (request, _context, stream, token) => {
  • token,
MEDIUM · token_access
src/pi.ts
  • bridgeConfig: { url: string; token: string } | undefined,
  • PI_VSCODE_BRIDGE_TOKEN: bridgeConfig.token,
MEDIUM · token_access
src/extension.ts
  • let bridgeConfig: { url: string; token: string } | undefined;
  • bridgeConfig = { url: bridge.url, token: bridge.token };
MEDIUM · token_access
src/terminal.ts
  • bridgeConfig?: { url: string; token: string };
MEDIUM · token_access
src/sessions.ts
  • restore(extensionUri: vscode.Uri, bridgeConfig: { url: string; token: string }): Promise<void>;

Package scripts captured

package.json
{
  "build": "rolldown -c rolldown.config.ts",
  "dev": "rolldown -c rolldown.config.ts -w",
  "package": "pnpm build && pnpx @vscode/vsce package --no-dependencies",
  "install-local": "pnpm package && code --install-extension *.vsix",
  "release": "node scripts/release.ts",
  "fmt": "oxlint . --fix && oxfmt .",
  "lint": "oxlint . && oxfmt --check .",
  "typecheck": "tsgo --noEmit --skipLibCheck",
  "test": "pnpm lint && pnpm typecheck"
}