earendil-works/pi · 06 Jul 2026 · Feature

Pi Treats AI Agents Like Critical Infrastructure

Rachel Stein
Rachel Stein
Contributing Editor

A TypeScript-native coding agent harness that hardens its own supply chain while most frameworks are still prototyping.

earendil-works/pi
67.9k stars Velocity · 7d +900 ★/day accelerating
star history

The agent framework landscape in 2026 has reached a peculiar inflection point. There are now orchestrators for every language and cloud provider—LangGraph for stateful Python workflows, Mastra for TypeScript teams, Google ADK for GCP natives, and a growing list of commercial CLI agents that abstract away the framework entirely [5][8]. The market is projected to hit $52.62 billion by 2030, and Gartner predicts that 40 percent of enterprise applications will embed task-specific agents by the end of 2026 [8]. Yet beneath the gold rush, a quieter assumption has gone largely unchallenged: that the tools building the agents deserve less security scrutiny than the code the agents eventually write.

earendil-works/pi

Enter the Pi agent harness, a TypeScript-native mono-repo that treats its own supply chain with the paranoia usually reserved for cryptographic tooling. While most frameworks optimize for speed to first prompt, Pi asks what happens when an AI coding agent becomes a permanent resident in your build pipeline—and then hardens itself accordingly.

A Harness, Not a Wrapper

Pi is not a thin veneer over a single LLM API. Its architecture splits responsibilities across discrete packages: the pi-ai package abstracts multiple LLM providers including OpenAI, Anthropic, and Google; the pi-agent-core package manages the runtime, tool calling, and state; and the pi-coding-agent package provides the interactive CLI. There is even a dedicated terminal UI library, pi-tui, handling differential rendering for the interface—a low-level concern that most agent frameworks ignore, leaving developers to wrestle with raw stdout or heavy external terminal libraries. A separate repository extends the runtime into Slack and chat automation workflows. The design suggests a belief that a coding agent needs the same layered architecture as any other production application: presentation, runtime, and model abstraction kept apart so that a failure in the rendering layer does not corrupt the agent’s state, and a change in the LLM provider does not require rewriting the tool-calling logic.

The project bills itself as a “self extensible coding agent,” implying the agent can modify its own capabilities or tooling. It also maintains an agents document with project-specific rules intended for both human contributors and the agent itself, blurring the line between documentation and runtime instruction. This is a subtle but important shift. As Martin Fowler’s team observed when building their own Pydantic-AI agent, commercial tools are impressive but fail to capture the eccentricities of a specific codebase—the particular testing standards, documentation formats, and internal conventions that make a project coherent [12]. Pi appears to be betting that the future belongs to agents that can be taught the local customs of a repository and then operate autonomously within them, extending themselves when they encounter new requirements.

The Agentic Loop Meets the Terminal

The broader CLI coding agent wave has redefined what developers expect from an AI interface. Dan Clarke’s extensive use of Claude Code and similar tools highlights the power of the “agentic loop”—a cycle of trying, verifying, fixing, and repeating until a task completes [6]. These agents do not merely suggest code; they run tests, inspect Kubernetes clusters directly, debug CI failures, and trace errors from logs back to offending lines of source. The terminal becomes an operating theater where the agent performs surgery on the codebase while the human supervises, often handling infrastructure-as-code, Dockerfiles, and Terraform manifests with the same fluency as application logic [6].

Pi sits squarely in this paradigm. Its interactive CLI is designed for hands-off iteration. But unlike commercial offerings that arrive as opaque binaries, Pi is open source and multi-provider from the ground up. The pi-ai package explicitly avoids vendor lock-in, allowing the harness to route requests across competing model providers. In a market where OpenAI’s Agents SDK and Google’s ADK are optimized for their own model gardens, Pi’s agnosticism is a deliberate architectural stance [5]. It reflects a suspicion that betting everything on a single model provider is as risky for an agent as it would be for any other critical service.

Supply-Chain Paranoia as a Feature

Where Pi truly diverges from the pack is in its treatment of dependencies. The project’s documentation dedicates an unusually large amount of real estate to supply-chain hardening, and the measures described go far beyond the typical npm audit checkbox.

Direct external dependencies are pinned to exact versions. Internal workspace packages remain version-ranged, but anything fetched from the public registry is frozen. The registry configuration enforces exact-version saving and imposes a two-day minimum release age on new packages—a cooling-off period designed to avoid same-day dependency releases during resolution, a simple but effective defense against the kind of rapid-republish attacks that have plagued npm. The lockfile is treated as ground truth, and pre-commit hooks block accidental lockfile modifications unless a maintainer explicitly overrides the restriction.

For end users, the published CLI package ships with a shrinkwrap file generated from the root lockfile, pinning transitive dependencies at install time. The project disables lifecycle scripts during local installs, continuous integration, and even self-updates, neutering a common vector for malicious post-install behavior. A scheduled GitHub workflow runs automated npm audits and signature verification on production dependencies. New dependencies with lifecycle scripts fail automated checks until they are explicitly allowlisted.

This is not standard open-source hygiene. It is the behavior of a team that has internalized the lessons of past supply-chain traumas and decided that an agent capable of rewriting code must not itself be trivially poisoned through a transitive dependency. In the current framework landscape, where LangGraph and CrewAI are celebrated for orchestration primitives and rapid prototyping [5][8], Pi is one of the few projects that treats the agent’s own build artifact as a critical security boundary.

Real-World Data Over Toy Benchmarks

Pi’s maintainer has also staked out a distinctive position on evaluation. The project actively encourages users to publish their open-source coding sessions to Hugging Face, and the maintainer regularly publishes his own work sessions as public datasets. The argument is that agents improve through exposure to real-world tasks, tool-use failures, and messy fixes—not through optimized scores on synthetic benchmarks.

This is a quietly radical proposition. The AI agent market is currently obsessed with leaderboard metrics. Frameworks like LangGraph tout enterprise adoption at Klarna, Cisco, and Uber, citing millions in savings or doubled response accuracy [8]. Pi, by contrast, seems to view the agent’s development as an empirical, data-driven process rooted in public telemetry. Whether that approach can scale to match the polished benchmarking narratives of its competitors remains an open question, but it aligns with the project’s broader engineering ethos: measure what actually happens in production, not what demos well in a slide deck.

The Build-versus-Buy Tension

Pi arrives at a moment when developers are debating whether to adopt commercial CLI agents or build their own. Fowler’s Thoughtworks team argued that custom agents win because they understand internal testing standards, documentation formats, and project-specific eccentricities that general-purpose tools will never learn [12]. Pi is clearly aimed at the “build” camp, but it is not a from-scratch science project. It offers a harness, a runtime, and a UI layer, allowing teams to assemble a bespoke agent without reinventing tool calling or state management.

In the TypeScript ecosystem specifically, Mastra has emerged as a popular integrated option, bundling workflows, memory, and a Studio environment into a single package [5]. Pi’s approach is more modular and, arguably, more austere. It does not promise a polished studio GUI; it promises a hardened runtime that can survive an npm supply-chain scare. That trade-off will appeal to teams who view their coding agent as infrastructure rather than a productivity accessory.

That said, the project is early. Its default policy of auto-closing issues and pull requests from new contributors—maintainers review them daily, but the initial barrier is automatic—suggests a small team protecting its bandwidth. It lacks the download velocity and corporate backing of LangGraph (34.5 million monthly downloads) or the star count of Dify [8]. And naming an open-source project “pi” in an era of search-engine optimization is either an act of confidence or an SEO death wish, given the mathematical constant, the Raspberry Pi ecosystem, and a dozen other prior claims.

Outlook

The unresolved tension in Pi’s roadmap is whether rigorous supply-chain hardening and open-session data collection can coexist with the breakneck growth expected of a 2026 agent framework. Security discipline is expensive in maintainer time. Multi-provider abstraction is valuable but difficult to keep current as model APIs diverge. And the promise of self-extensibility will be tested the moment the agent attempts to modify its own shrinkwrap rules.

The project’s insistence on disabling lifecycle scripts and shipping shrinkwrapped releases also raises a practical question about ecosystem compatibility. Many legitimate npm packages rely on post-install scripts for native compilation or platform detection. Pi’s explicit allowlist for lifecycle scripts means that adopting a new dependency with a harmless but unreviewed install step requires human intervention. In a framework market where developers expect installation to just work, this friction is a feature, not a bug—but it is friction nonetheless. Whether the broader community will tolerate that trade-off in exchange for supply-chain resilience will determine if Pi remains a niche concern or becomes a standard for agent hardening.

Still, Pi’s central insight is difficult to dismiss. If AI agents are indeed becoming the new compilers—tools that read, write, and execute code on our behalf—then the frameworks hosting them should be built with the same distrust of their own dependencies that we apply to any other CI/CD pipeline. Most agent frameworks are designed to get you to a working demo by Friday. Pi seems to be asking what happens when that demo is still running in production on Monday—and who is responsible when it installs a malicious package at 2 a.m. because nobody pinned the transitive dependency tree. In a field drunk on speed, that kind of caution might be the most interesting feature of all.

Sources

  1. Pi - Wikipedia
  2. Recommendations for AI Agent Frameworks & LLMs for Advanced ...
  3. What's your take on the best AI Coding Agents? : r/ChatGPTCoding
  4. One Million Digits of Pi On One Page! - Pi Day
  5. The best AI agent frameworks in 2026 - LangChain
  6. The Many Use Cases of AI Coding Agents - Dan Clarke
  7. A Brief History of Pi (π) - Exploratorium
  8. The best open source frameworks for building AI agents in 2026
  9. I found the BEST AI Agent for your CLI... and its Free! (Amazon Q CLI)
  10. Pi Is Encoded in the Patterns of Life - Biophysical Society
  11. I Tested Every AI Agent Framework So You Don't Have To! (2026 ...
  12. Building your own CLI Coding Agent with Pydantic-AI - Martin Fowler

heatdrop uses Google Analytics to see which pages get read — nothing else. Your call. How we handle data.