CLI utilities for pi orchestrator plugins
Project description
Pi Orchestrator Config
A pi package that implements an orchestrator pattern — the main agent delegates all work to specialist subagents.
What's Included
Extension: orchestrator
Single extension that provides:
| Feature | Description |
|---|---|
| Subagent tool | Delegate tasks to specialist agents (single, parallel, chain modes) |
| Python/pip enforcement | Blocks python/pip — requires uv/uvx |
| Git protection | Blocks commits/pushes to main/master, merged branches, --no-verify, git add . |
| Dangerous command gate | Confirms rm -rf, sudo, mkfs, etc. |
| Rule injection | Injects orchestrator routing rules into system prompt |
| Status line | Shows current git branch |
| Notifications | Desktop notification on task completion |
| Slash commands | /pr-review, /release, /review-local, /query-db |
Agents (23)
| Category | Agents |
|---|---|
| Languages | python-expert, go-expert, frontend-expert, java-expert, bash-expert |
| Infrastructure | docker-expert, kubernetes-expert, jenkins-expert |
| Dev workflow | git-expert, github-expert, test-runner, test-automator, debugger |
| Documentation | technical-documentation-writer, api-documenter, docs-fetcher |
| Code review | code-reviewer-quality, code-reviewer-guidelines, code-reviewer-security |
| Workflow | scout, planner, worker, reviewer |
Prompt Templates
| Prompt | Flow |
|---|---|
/implement <task> |
scout → planner → worker |
/scout-and-plan <task> |
scout → planner |
/implement-and-review <task> |
worker → 3 reviewers → worker |
Installation
Pi package (extension + agents + prompts)
pi install git:github.com/myk-org/pi-config
CLI tool (myk-pi-tools)
uv tool install git+https://github.com/myk-org/pi-config
The pi package installs globally to ~/.pi/agent/git/. Agents are bundled with the extension and discovered automatically.
Updating
Pi package
pi update
CLI tool
uv tool upgrade myk-pi-tools
After updating, run /reload in pi or restart pi to pick up changes.
Usage
Automatic delegation
Just describe your task — the orchestrator routes to the right specialist:
Add retry logic to the HTTP client in src/api.py
Workflow prompts
/implement add Redis caching to the session store
/scout-and-plan refactor auth to support OAuth
/implement-and-review add input validation to API endpoints
Slash commands
/pr-review 42
/release --dry-run
/review-local main
/query-db stats
Direct subagent usage
Use python-expert to fix the type errors in src/models.py
Run scout and planner in a chain to analyze the auth module
Code Review Loop
After any code change, the orchestrator runs 3 review agents in parallel:
- code-reviewer-quality — Code quality & maintainability
- code-reviewer-guidelines — Project guidelines adherence
- code-reviewer-security — Bugs, logic errors, security
Loops until all approve, then runs tests.
Customization
Override agents
Place a .md file with the same name frontmatter in ~/.pi/agent/agents/ (user) or .pi/agents/ (project) to override a bundled agent.
Priority: project > user > package (bundled).
Add project agents
Create .pi/agents/my-agent.md in your project with frontmatter:
---
name: my-agent
description: What this agent does
tools: read, write, edit, bash
---
Agent system prompt here.
Use agentScope: "both" in the subagent tool to include project agents.
Docker (Sandboxed Execution)
Run pi inside a disposable container for filesystem isolation — the agent can only access your mounted project directory and pi settings. Everything else on the host is protected.
Why?
- Safety — Prevents accidental
rm -rf, modifications outside the project, or unintended system changes - Filesystem isolation — pi can only read/write the mounted project directory
- Consistent tooling — All required tools pre-installed in a single image
- Disposable — Container is destroyed after each session (
--rm)
Pre-built image
docker pull ghcr.io/myk-org/pi-config:latest
Build from source (optional)
Note: The image is built for linux/amd64 only. On ARM hosts, build with
--platform linux/amd64.
git clone https://github.com/myk-org/pi-config.git
cd pi-config
docker build -t ghcr.io/myk-org/pi-config:latest .
Run
docker run --rm -it \
--network host \
-v "$PWD":"$PWD":rw \
-v "$HOME/.pi":/home/node/.pi:rw \
-v "$HOME/.gitconfig":/home/node/.gitconfig:ro \
-v "$HOME/.ssh":/home/node/.ssh:ro \
-v "$HOME/.config/gh":/home/node/.config/gh:ro \
-w "$PWD" \
ghcr.io/myk-org/pi-config:latest
Optional mounts
| Mount | Purpose |
|---|---|
-v "$HOME/.exports":/home/node/.exports:ro |
Shell env vars (API keys, tokens) — sourced on startup |
-v "$HOME/.claude/mcp.json":/home/node/.claude/mcp.json:ro |
MCP server config for mcpl |
-v "$HOME/.agents":/home/node/.agents:ro |
User-level skills (if not in the project) |
What's in the image
| Tool | Purpose |
|---|---|
pi |
Coding agent |
git |
Version control |
gh |
GitHub CLI (PRs, issues) |
uv / uvx |
Python execution (enforced by orchestrator) |
go |
Go development and code review |
mcpl |
MCP server access (search, Jenkins, etc.) |
myk-pi-tools |
PR review, release, and other CLI utilities |
prek |
Pre-commit hook runner |
acpx |
Agent proxy for remote models |
kubectl / oc |
Kubernetes and OpenShift CLI |
jq |
JSON processing |
curl |
HTTP requests |
What's protected
Filesystem isolation — the container cannot access anything outside the mounted volumes:
- ✅
$PWD(your project) — read/write - ✅
~/.pi(pi settings/sessions) — read/write - ✅ Git, GitHub, SSH config — read-only
- ❌ Other directories on your host — not accessible
- ❌ Other git repos — not accessible
- ❌ System files — not accessible
Network — --network host shares the host network stack,
so the container can reach any service your host can (LAN, localhost).
This is required for local MCP servers, LiteLLM proxy, etc.
If your LLM provider is cloud-based and you don't use local MCPs,
you can omit --network host for full network isolation.
Shell alias
Add to your ~/.bashrc or ~/.zshrc:
alias pi-docker='docker pull ghcr.io/myk-org/pi-config:latest && \
docker run --rm -it \
--network host \
-v "$PWD":"$PWD":rw \
-v "$HOME/.pi":/home/node/.pi:rw \
-v "$HOME/.gitconfig":/home/node/.gitconfig:ro \
-v "$HOME/.ssh":/home/node/.ssh:ro \
-v "$HOME/.config/gh":/home/node/.config/gh:ro \
-v "$HOME/.exports":/home/node/.exports:ro \
-v "$HOME/.claude/mcp.json":/home/node/.claude/mcp.json:ro \
-w "$PWD" \
ghcr.io/myk-org/pi-config:latest'
Then just run pi-docker from any project directory.
Startup note: The container runs as non-root user
node(UID 1000).pi installruns on each start. AWARNINGon stderr is normal when the package is already cached in~/.pi. If pi misbehaves or the warning persists, verify network connectivity and runpi install git:github.com/myk-org/pi-configmanually.
Prerequisites
- pi
ghCLI (for GitHub operations)uv(for Python execution)myk-pi-tools(optional, for/pr-reviewand/release)
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file myk_pi_tools-1.10.3.tar.gz.
File metadata
- Download URL: myk_pi_tools-1.10.3.tar.gz
- Upload date:
- Size: 99.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b6b448464ee8fc84dd36a42b90ad2882a08a85015f57a99534db64eec67a467
|
|
| MD5 |
26f354ae7f58eb0255201daab78b111f
|
|
| BLAKE2b-256 |
046e41514260f90ded826d79a35aadaa66b671ae94819b9a4b3c6a839f359f13
|
