From dea4c2dbc1e21332592286dc9daad8f22f7feccc Mon Sep 17 00:00:00 2001 From: Mikael Hugo Date: Wed, 29 Apr 2026 14:35:55 +0200 Subject: [PATCH] docs: update Tier 0 with port status; flag SSE parser refactor as bigger work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 5 of 9 Tier 0 items landed: - #1 HTML export escape (security) 701ec8fb8 + 92c6d933c - #2 Empty tools array fix 58b1d7c60 - #4 undici 5min timeout d0907b6d8 - #5 Bedrock inference profile 7c487bb60 Deferred: - #3 Anthropic SSE proxy event tolerance — fix applies to pi-mono's custom SSE parser, but we still use @anthropic-ai/sdk directly. To get protection we'd need to port the full "own Anthropic SSE parsing" refactor (3 commits, ~200 LOC). Added as a separate Tier 0 item. Remaining TODO from Tier 0: items #6-#9 (symlinked dedup, setWorkingVisible extension API, Cloudflare provider, Azure Cognitive Services). Co-Authored-By: Claude Sonnet 4.6 --- BUILD_PLAN.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/BUILD_PLAN.md b/BUILD_PLAN.md index 2b8bb08f2..8b592c622 100644 --- a/BUILD_PLAN.md +++ b/BUILD_PLAN.md @@ -16,17 +16,18 @@ Pi-mono (`badlogic/pi-mono`) has shipped 4 releases (v0.70.3 → v0.70.6) since Order: **security first → real bugs → infra → features**. -| Order | Pi-mono fix | Why | Reference (pi-mono SHA) | -|---|---|---|---| -| 1 | **HTML export: escape image data + session metadata** | Security — crafted session content could inject markup in exported HTML | PRs #3819, #3883 (in v0.70.6) | -| 2 | **Empty `tools` array fix for providers that reject** | Correctness bug — some providers reject the call | PR #3650 (in v0.70.3) | -| 3 | **Anthropic SSE: ignore unknown proxy events** | Correctness bug — proxies emit OpenAI-style `done` events that crash our parser | issue #3708 (in v0.70.3) | -| 4 | **Long local-LLM SSE timeout (5-min undici cutoff)** | Correctness bug — local Ollama / LM Studio sessions over 5 min die with `UND_ERR_BODY_TIMEOUT` | issue #3715 (in v0.70.3) | -| 5 | **Bedrock inference profile normalization** | Bedrock prompt-caching + adaptive-thinking checks fail on inference profile ARNs | PR #3527 (in v0.70.3) | -| 6 | **Symlinked packages/resources/skills/sessions dedup** | Selectors and loaders show duplicates when paths are symlinked | PR #3818 (in v0.70.3) | -| 7 | **`ctx.ui.setWorkingVisible()` extension API** | Lets extensions hide the built-in working-loader row; useful for autopilot UX | issue #3674 (in v0.70.3) | -| 8 | **Cloudflare Workers AI provider** | New provider option (`CLOUDFLARE_API_KEY`/`CLOUDFLARE_ACCOUNT_ID`) | PR #3851 (in v0.70.6) | -| 9 | **Azure Cognitive Services endpoint** | Azure OpenAI Responses base URL support | PR #3799 (in v0.70.3) | +| Order | Pi-mono fix | Why | Status | Reference | +|---|---|---|---|---| +| 1 | **HTML export: escape image data + session metadata** | Security — crafted session content could inject markup in exported HTML | ✅ `701ec8fb8` + dist `92c6d933c` | PRs #3819, #3883 | +| 2 | **Empty `tools` array fix for providers that reject** | Correctness bug — some providers reject the call | ✅ `58b1d7c60` | PR #3650 | +| 3 | **Anthropic SSE: ignore unknown proxy events** | Correctness bug — proxies emit OpenAI-style `done` events | **DEFERRED** — fix doesn't apply directly. Pi-mono moved off the SDK to a custom SSE parser (3 commits: `4b926a30a` + `e58d631c8` + `3e7ffff18`); we still use `client.messages.stream()` from `@anthropic-ai/sdk`. To get this protection we'd need to port the entire pi-mono custom-SSE refactor (~200 LOC). Real engineering effort, separate item. | issue #3708 | +| 4 | **Long local-LLM SSE timeout (5-min undici cutoff)** | Correctness bug — local Ollama / LM Studio over 5 min die with UND_ERR_BODY_TIMEOUT | ✅ `d0907b6d8` | issue #3715 | +| 5 | **Bedrock inference profile normalization** | Bedrock prompt-caching + adaptive-thinking checks fail on inference profile ARNs | ✅ `7c487bb60` | PR #3527 | +| 6 | **Symlinked packages/resources/skills/sessions dedup** | Selectors and loaders show duplicates when paths are symlinked | TODO | PR #3818 | +| 7 | **`ctx.ui.setWorkingVisible()` extension API** | Lets extensions hide the built-in working-loader row; useful for autopilot UX | TODO | issue #3674 | +| 8 | **Cloudflare Workers AI provider** | New provider option (`CLOUDFLARE_API_KEY`/`CLOUDFLARE_ACCOUNT_ID`) | TODO | PR #3851 | +| 9 | **Azure Cognitive Services endpoint** | Azure OpenAI Responses base URL support | TODO | PR #3799 | +| **NEW** | **Port pi-mono custom Anthropic SSE parsing (replaces SDK)** | Address #3 properly: own the SSE parser like pi-mono, then unknown-event filter applies. Multi-commit refactor. | TODO | `4b926a30a` + `e58d631c8` + `3e7ffff18` | **Process for each:** read the pi-mono commit, port the fix to our `packages/pi-*` (cherry-pick should work cleanly here — same namespace as upstream); commit with `port(pi-mono): (refs )` style.