Finding · pi-coding-agent
Extension cache moved to user-private directory
What Changed
Relocated temporary extension package installs from world-accessible os.tmpdir()/pi-extensions to ~/.pi/agent/tmp/extensions with 0700 permissions (owner-only read/write/execute). Added getExtensionTempFolder() function with permission enforcement.
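The owner-only directory pattern described above, as an added Node.js example that is not pi-coding-agent's own code. ensurePrivateDir, demo and the sandbox paths are hypothetical names, and the sample directories are constructed for the demonstration. It assumes a POSIX system, where mode bits and process.getuid() are meaningful.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Hypothetical helper, not the project's getExtensionTempFolder().
// Creates `dir` owner-only and refuses to return it unless it is provably private.
// Assumes the parent is owner-controlled (as under a home directory), so the
// path cannot be swapped between the checks below.
function ensurePrivateDir(dir) {
  // umask can only clear bits, so the created directory is never wider than 0700.
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  // lstat does not follow symlinks: a pre-planted link must not redirect installs.
  const st = fs.lstatSync(dir);
  if (!st.isDirectory()) throw new Error(`${dir} is not a real directory`);
  if (typeof process.getuid === "function" && st.uid !== process.getuid()) {
    throw new Error(`${dir} is owned by uid ${st.uid}, not the current user`);
  }
  // mkdir leaves an existing directory's mode untouched, so tighten it explicitly.
  if ((st.mode & 0o777) !== 0o700) fs.chmodSync(dir, 0o700);
  return fs.lstatSync(dir).mode & 0o777;
}

// Constructed scenarios in a throwaway sandbox: a fresh path, a directory left
// world-accessible by an earlier run, and a symlink planted at the expected path.
function demo() {
  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), "private-dir-demo-"));
  try {
    const fresh = ensurePrivateDir(path.join(sandbox, "agent", "tmp", "extensions"));

    const loose = path.join(sandbox, "loose");
    fs.mkdirSync(loose);
    fs.chmodSync(loose, 0o777);
    const tightened = ensurePrivateDir(loose);

    const link = path.join(sandbox, "link");
    fs.symlinkSync(loose, link);
    let symlinkRejected = false;
    try { ensurePrivateDir(link); } catch { symlinkRejected = true; }

    return { fresh, tightened, symlinkRejected };
  } finally {
    fs.rmSync(sandbox, { recursive: true, force: true });
  }
}

console.log(demo());
```

The explicit chmod matters for upgrades: a directory created by an earlier version keeps whatever mode it had, so creation-time mode alone does not enforce 0700.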
Operator Implication
Prevents other local users and system services from accessing temporary extension packages during installation. Improves isolation of installed extensions.
Receipt
Finding metadata
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Finding ID: 2026-06-02-pi-coding-agent-extension-cache-isolation
Source links
Primary links, including exact changelog lines when available.
Versioned source: run artifact