@xaccefy/pi-xpi

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking, and authenticated-session management.

Packages

Package details

prompt

Install @xaccefy/pi-xpi from npm and Pi will load the resources declared by the package manifest.

$ pi install npm:@xaccefy/pi-xpi
Package
@xaccefy/pi-xpi
Version
0.2.9
Published
Jul 10, 2026
Downloads
2,060/mo · 2,060/wk
Author
xaccefy
License
MIT
Types
prompt
Size
19 KB
Dependencies
0 dependencies · 9 peers
Pi manifest JSON
{
  "prompts": [
    "./prompts"
  ]
}

Security note

Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.

README

XPI

Security tools for Pi Agent: casefile tracking, web search, library docs, exploit technique search, code intelligence, and todos.

Install

Automate XPI plus third-party extension deps (pi-codex-goal, pi-mcp-adapter):

./install.sh

Or:

pi install npm:@xaccefy/pi-xpi

API keys / env

Variable Package Purpose
PREVIEW_IS_API_KEY exploitsearch Required for ExploitSearch (preview.is)
PI_XP_MODE casefile on / off — force casefile cyber-workflow injection
PI_CASEFILE_PATH casefile Override SQLite ledger path
PI_WEBSEARCH_PORT lookup open-websearch daemon port (default 3210)
PI_CHROMIUM_PATH lookup Chromium binary for SPA re-render in web_fetch
export PREVIEW_IS_API_KEY="rk_yourkeyhere"

Tools

Tool Use for
auth / /auth Store & resolve authenticated sessions for targets (cookie, OAuth client-credentials, mTLS)
ExploitSearch Attack techniques, primitives, bypasses (PREVIEW_IS_API_KEY)
web_search CVEs, advisories, documentation
web_fetch Page content; SPA pages re-rendered via Chromium when the shell is thin
context7 Current library docs
deepwiki Q&A on a public GitHub repo
CaseAdd / CaseUpdate / PromoteFinding Ledger + hard PoC gate to confirm
CaseGet / CaseList / CaseSearch Browse cases
CaseLink / CaseUnlink Exploit chains
CaseReport Markdown report
/casefile Case dashboard
/xp Toggle casefile XP mode (cyber workflow injection; default OFF)
todo / /todos Multi-step task lists
Codebase* AST index, symbols, call graph, architecture

Quick start

/ops <bugbounty|ctf|pentest> <target>   # start an engagement
/pipeline <audit|harness|patch> <target>   # VDH/VVS discovery→validate→patch
/xp on                                      # enable casefile cyber workflow in context

Engagements and pipelines restate the workflow in the prompt body, so they work with XP mode off. Use /xp on when you want the full attacker discipline injected every turn.

Packages

Package npm
Umbrella @xaccefy/pi-xpi
Auth sessions @xaccefy/pi-engage
Case ledger @xaccefy/pi-casefile
Lookup @xaccefy/pi-lookup
Exploit search @xaccefy/pi-exploitsearch
Code intel @xaccefy/pi-codeintel
Todos @xaccefy/pi-xtodo

See each package’s README.md under packages/*/.

Structure

pi-xpi/
├── prompts/                 # /ops, /pipeline
├── agents/                  # auditor, exploit-dev, patch-writer, harness
├── packages/
│   ├── pi-casefile
│   ├── pi-exploitsearch
│   ├── pi-lookup
│   ├── pi-codeintel
│   └── pi-xtodo
└── package.json

Develop / release

bun install
bun test --isolate
bun run typecheck

Release (CI): GitHub Actions → Release workflow → choose patch / minor / major.
Requires repo secret NPM_TOKEN. The job runs tests, bumps all workspace versions, publishes every package + umbrella, tags vX.Y.Z, and pushes.

Local release helper:

bun run release:patch   # or release:minor / release:major

(Requires a clean tree, npm auth, and push rights.)