From fc6aec2525ff6869d531ced082954cb5441c147c Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 02:06:50 -0400
Subject: [PATCH 1/6] fix(harness): use 'opencode run' instead of 'opencode
 --prompt' for non-interactive execution

---
 pkg/harness/opencode.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/pkg/harness/opencode.go b/pkg/harness/opencode.go
index d21b73605..1b2d6a2ec 100644
--- a/pkg/harness/opencode.go
+++ b/pkg/harness/opencode.go
@@ -60,14 +60,12 @@ func (o *OpenCode) GetEnv(agentName string, agentHome string, unixUsername strin
 }
 
 func (o *OpenCode) GetCommand(task string, resume bool, baseArgs []string) []string {
-	args := []string{"opencode"}
+	args := []string{"opencode", "run"}
 	if resume {
 		args = append(args, "--continue")
-	} else {
-		args = append(args, "--prompt")
-		if task != "" {
-			args = append(args, task)
-		}
+	}
+	if task != "" {
+		args = append(args, task)
 	}
 
 	args = append(args, baseArgs...)

From 87bd37e88e70523635ff001a46e94ca966bfcdff Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 03:35:21 -0400
Subject: [PATCH 2/6] feat(harness): add pi harness and fix symlink traversal
 for harness-config

- Add Pi harness (pkg/harness/pi.go) supporting @mariozechner/pi-coding-agent
  with --print for non-interactive execution and --model flag passthrough
- Add pi container image build (image-build/pi/Dockerfile)
- Register Pi in harness registry and update harness count in tests
- Add PiAuthFile to AuthConfig in pkg/api/types.go
- Fix pkg/transfer/collect.go: resolve symlink base paths via EvalSymlinks
  so that stow-managed harness-config directories are correctly scanned
- Fix pkg/config/harness_config.go: follow symlink directories in
  loadHarnessConfigsFromDir so stow-symlinked configs appear in listings
---
 image-build/cloudbuild-harnesses.yaml |  23 ++++
 image-build/pi/Dockerfile             |  26 ++++
 image-build/scripts/build-images.sh   |   2 +-
 pkg/api/types.go                      |   1 +
 pkg/config/harness_config.go          |   9 +-
 pkg/harness/harness.go                |   3 +
 pkg/harness/harness_test.go           |   3 +-
 pkg/harness/pi.go                     | 184 ++++++++++++++++++++++++++
 pkg/harness/pi/embeds.go              |  20 +++
 pkg/harness/pi/embeds/config.yaml     |  17 +++
 pkg/harness/pi_test.go                | 179 +++++++++++++++++++++++++
 pkg/transfer/collect.go               |  11 +-
 12 files changed, 473 insertions(+), 5 deletions(-)
 create mode 100644 image-build/pi/Dockerfile
 create mode 100644 pkg/harness/pi.go
 create mode 100644 pkg/harness/pi/embeds.go
 create mode 100644 pkg/harness/pi/embeds/config.yaml
 create mode 100644 pkg/harness/pi_test.go

diff --git a/image-build/cloudbuild-harnesses.yaml b/image-build/cloudbuild-harnesses.yaml
index a9f8d80a1..aeb802518 100644
--- a/image-build/cloudbuild-harnesses.yaml
+++ b/image-build/cloudbuild-harnesses.yaml
@@ -121,6 +121,29 @@ steps:
     env:
       - 'DOCKER_CLI_EXPERIMENTAL=enabled'
 
+  # Build Pi Harness Image
+  - name: 'gcr.io/cloud-builders/docker'
+    id: 'build-scion-pi'
+    dir: 'image-build/pi'
+    args:
+      - 'buildx'
+      - 'build'
+      - '--platform'
+      - 'linux/amd64,linux/arm64'
+      - '--build-arg'
+      - 'BASE_IMAGE=$_REGISTRY/scion-base:latest'
+      - '-t'
+      - '$_REGISTRY/scion-pi:$_SHORT_SHA'
+      - '-t'
+      - '$_REGISTRY/scion-pi:latest'
+      - '-f'
+      - 'Dockerfile'
+      - '--pull'
+      - '--push'
+      - '.'
+    env:
+      - 'DOCKER_CLI_EXPERIMENTAL=enabled'
+
 substitutions:
   _REGISTRY: 'us-central1-docker.pkg.dev/${PROJECT_ID}/public-docker'
 options:
diff --git a/image-build/pi/Dockerfile b/image-build/pi/Dockerfile
new file mode 100644
index 000000000..910749f69
--- /dev/null
+++ b/image-build/pi/Dockerfile
@@ -0,0 +1,26 @@
+# syntax=docker/dockerfile:1
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG BASE_IMAGE
+FROM ${BASE_IMAGE}
+
+RUN mkdir -p /home/scion/.pi/agent && \
+  chown -R scion:scion /home/scion/.pi
+
+# Install pi coding agent
+RUN npm install -g @mariozechner/pi-coding-agent \
+  && npm cache clean --force
+
+CMD ["pi"]
diff --git a/image-build/scripts/build-images.sh b/image-build/scripts/build-images.sh
index 8f49b6eaa..6c5ac4baa 100755
--- a/image-build/scripts/build-images.sh
+++ b/image-build/scripts/build-images.sh
@@ -35,7 +35,7 @@ PUSH=""
 PLATFORM=""
 TAG="latest"
 
-HARNESSES=(claude gemini opencode codex)
+HARNESSES=(claude gemini opencode codex pi)
 
 usage() {
   cat <<EOF
diff --git a/pkg/api/types.go b/pkg/api/types.go
index a7deaec88..b000e174b 100644
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -376,6 +376,7 @@ type AuthConfig struct {
 	CodexAPIKey      string
 	CodexAuthFile    string
 	OpenCodeAuthFile string
+	PiAuthFile       string
 
 	// GCP metadata server mode ("block", "passthrough", "assign").
 	// When "assign", a GCP service account is available via the metadata
diff --git a/pkg/config/harness_config.go b/pkg/config/harness_config.go
index b632e73d3..01612b1e5 100644
--- a/pkg/config/harness_config.go
+++ b/pkg/config/harness_config.go
@@ -148,7 +148,14 @@ func loadHarnessConfigsFromDir(parentDir string, into map[string]*HarnessConfigD
 		return
 	}
 	for _, entry := range entries {
-		if !entry.IsDir() {
+		isDir := entry.IsDir()
+		// If the entry is a symlink, follow it to check if the target is a directory.
+		if !isDir && entry.Type()&os.ModeSymlink != 0 {
+			if info, err := os.Stat(filepath.Join(parentDir, entry.Name())); err == nil {
+				isDir = info.IsDir()
+			}
+		}
+		if !isDir {
 			continue
 		}
 		hc, err := LoadHarnessConfigDir(filepath.Join(parentDir, entry.Name()))
diff --git a/pkg/harness/harness.go b/pkg/harness/harness.go
index 5690dff9b..95726d8ee 100644
--- a/pkg/harness/harness.go
+++ b/pkg/harness/harness.go
@@ -44,6 +44,8 @@ func New(harnessName string) api.Harness {
 		return &OpenCode{}
 	case "codex":
 		return &Codex{}
+	case "pi":
+		return &Pi{}
 	default:
 		// Check plugin registry before falling back to Generic
 		if pluginManager != nil && pluginManager.HasPlugin(scionplugin.PluginTypeHarness, harnessName) {
@@ -62,5 +64,6 @@ func All() []api.Harness {
 		&ClaudeCode{},
 		&OpenCode{},
 		&Codex{},
+		&Pi{},
 	}
 }
diff --git a/pkg/harness/harness_test.go b/pkg/harness/harness_test.go
index 4a82e5239..ddfdd59ac 100644
--- a/pkg/harness/harness_test.go
+++ b/pkg/harness/harness_test.go
@@ -114,7 +114,7 @@ func TestNew_PluginHarness(t *testing.T) {
 
 func TestAll_ReturnsBuiltins(t *testing.T) {
 	all := All()
-	assert.Len(t, all, 4)
+	assert.Len(t, all, 5)
 	names := make([]string, len(all))
 	for i, h := range all {
 		names[i] = h.Name()
@@ -123,4 +123,5 @@ func TestAll_ReturnsBuiltins(t *testing.T) {
 	assert.Contains(t, names, "claude")
 	assert.Contains(t, names, "opencode")
 	assert.Contains(t, names, "codex")
+	assert.Contains(t, names, "pi")
 }
diff --git a/pkg/harness/pi.go b/pkg/harness/pi.go
new file mode 100644
index 000000000..a76826926
--- /dev/null
+++ b/pkg/harness/pi.go
@@ -0,0 +1,184 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package harness
+
+import (
+	"context"
+	"embed"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/GoogleCloudPlatform/scion/pkg/api"
+	piEmbeds "github.com/GoogleCloudPlatform/scion/pkg/harness/pi"
+)
+
+type Pi struct{}
+
+func (p *Pi) Name() string {
+	return "pi"
+}
+
+func (p *Pi) AdvancedCapabilities() api.HarnessAdvancedCapabilities {
+	return api.HarnessAdvancedCapabilities{
+		Harness: "pi",
+		Limits: api.HarnessLimitCapabilities{
+			MaxTurns:      api.CapabilityField{Support: api.SupportNo, Reason: "This harness has no hook dialect for turn events"},
+			MaxModelCalls: api.CapabilityField{Support: api.SupportNo, Reason: "This harness has no hook dialect for model events"},
+			MaxDuration:   api.CapabilityField{Support: api.SupportYes},
+		},
+		Telemetry: api.HarnessTelemetryCapabilities{
+			EnabledConfig: api.CapabilityField{Support: api.SupportNo, Reason: "Native telemetry config is not supported for this harness"},
+			NativeEmitter: api.CapabilityField{Support: api.SupportNo, Reason: "Native telemetry forwarding is not wired for this harness"},
+		},
+		Prompts: api.HarnessPromptCapabilities{
+			SystemPrompt:      api.CapabilityField{Support: api.SupportYes},
+			AgentInstructions: api.CapabilityField{Support: api.SupportYes},
+		},
+		Auth: api.HarnessAuthCapabilities{
+			APIKey:   api.CapabilityField{Support: api.SupportYes},
+			AuthFile: api.CapabilityField{Support: api.SupportYes},
+			VertexAI: api.CapabilityField{Support: api.SupportNo, Reason: "Vertex AI auth is not supported for this harness"},
+		},
+	}
+}
+
+func (p *Pi) GetEnv(agentName string, agentHome string, unixUsername string) map[string]string {
+	return map[string]string{}
+}
+
+func (p *Pi) GetCommand(task string, resume bool, baseArgs []string) []string {
+	args := []string{"pi", "--print"}
+	if resume {
+		args = append(args, "--continue")
+	}
+	if task != "" {
+		args = append(args, task)
+	}
+	args = append(args, baseArgs...)
+	return args
+}
+
+func (p *Pi) DefaultConfigDir() string {
+	return ".pi/agent"
+}
+
+func (p *Pi) SkillsDir() string {
+	return ".pi/agent/skills"
+}
+
+func (p *Pi) HasSystemPrompt(agentHome string) bool {
+	_, err := os.Stat(filepath.Join(agentHome, ".pi", "agent", "SYSTEM.md"))
+	return err == nil
+}
+
+func (p *Pi) Provision(ctx context.Context, agentName, agentDir, agentHome, agentWorkspace string) error {
+	return nil
+}
+
+func (p *Pi) GetEmbedDir() string {
+	return "pi"
+}
+
+func (p *Pi) GetInterruptKey() string {
+	return "C-c"
+}
+
+func (p *Pi) GetHarnessEmbedsFS() (embed.FS, string) {
+	return piEmbeds.EmbedsFS, "embeds"
+}
+
+func (p *Pi) GetTelemetryEnv() map[string]string {
+	return nil
+}
+
+func (p *Pi) InjectAgentInstructions(agentHome string, content []byte) error {
+	target := filepath.Join(agentHome, ".pi", "agent", "AGENTS.md")
+	if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+		return fmt.Errorf("failed to create pi agent dir: %w", err)
+	}
+	return os.WriteFile(target, content, 0644)
+}
+
+func (p *Pi) InjectSystemPrompt(agentHome string, content []byte) error {
+	target := filepath.Join(agentHome, ".pi", "agent", "SYSTEM.md")
+	if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+		return fmt.Errorf("failed to create pi agent dir: %w", err)
+	}
+	return os.WriteFile(target, content, 0644)
+}
+
+func (p *Pi) ResolveAuth(auth api.AuthConfig) (*api.ResolvedAuth, error) {
+	// Explicit selection support
+	if auth.SelectedType != "" {
+		switch auth.SelectedType {
+		case "api-key":
+			key := auth.AnthropicAPIKey
+			if key == "" {
+				key = auth.OpenAIAPIKey
+			}
+			if key == "" {
+				return nil, fmt.Errorf("pi: auth type %q selected but no API key found; set ANTHROPIC_API_KEY or OPENAI_API_KEY", auth.SelectedType)
+			}
+			envKey := "ANTHROPIC_API_KEY"
+			if auth.AnthropicAPIKey == "" {
+				envKey = "OPENAI_API_KEY"
+			}
+			return &api.ResolvedAuth{
+				Method:  "api-key",
+				EnvVars: map[string]string{envKey: key},
+			}, nil
+		case "auth-file":
+			if auth.PiAuthFile == "" {
+				return nil, fmt.Errorf("pi: auth type %q selected but no auth file found; expected ~/.pi/agent/auth.json", auth.SelectedType)
+			}
+			return &api.ResolvedAuth{
+				Method: "auth-file",
+				Files: []api.FileMapping{
+					{SourcePath: auth.PiAuthFile, ContainerPath: "~/.pi/agent/auth.json"},
+				},
+			}, nil
+		default:
+			return nil, fmt.Errorf("pi: unknown auth type %q; valid types are: api-key, auth-file", auth.SelectedType)
+		}
+	}
+
+	// Auto-detect preference order: AnthropicAPIKey → OpenAIAPIKey → PiAuthFile → error
+
+	if auth.AnthropicAPIKey != "" {
+		return &api.ResolvedAuth{
+			Method:  "api-key",
+			EnvVars: map[string]string{"ANTHROPIC_API_KEY": auth.AnthropicAPIKey},
+		}, nil
+	}
+
+	if auth.OpenAIAPIKey != "" {
+		return &api.ResolvedAuth{
+			Method:  "api-key",
+			EnvVars: map[string]string{"OPENAI_API_KEY": auth.OpenAIAPIKey},
+		}, nil
+	}
+
+	if auth.PiAuthFile != "" {
+		return &api.ResolvedAuth{
+			Method: "auth-file",
+			Files: []api.FileMapping{
+				{SourcePath: auth.PiAuthFile, ContainerPath: "~/.pi/agent/auth.json"},
+			},
+		}, nil
+	}
+
+	return nil, fmt.Errorf("pi: no valid auth method found; set ANTHROPIC_API_KEY or OPENAI_API_KEY, or provide auth credentials at ~/.pi/agent/auth.json")
+}
diff --git a/pkg/harness/pi/embeds.go b/pkg/harness/pi/embeds.go
new file mode 100644
index 000000000..0cdf5aec4
--- /dev/null
+++ b/pkg/harness/pi/embeds.go
@@ -0,0 +1,20 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pi
+
+import "embed"
+
+//go:embed all:embeds/*
+var EmbedsFS embed.FS
diff --git a/pkg/harness/pi/embeds/config.yaml b/pkg/harness/pi/embeds/config.yaml
new file mode 100644
index 000000000..a1bf1b9fd
--- /dev/null
+++ b/pkg/harness/pi/embeds/config.yaml
@@ -0,0 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+harness: pi
+image: scion-pi:latest
+user: scion
diff --git a/pkg/harness/pi_test.go b/pkg/harness/pi_test.go
new file mode 100644
index 000000000..c3bf77f71
--- /dev/null
+++ b/pkg/harness/pi_test.go
@@ -0,0 +1,179 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package harness
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/scion/pkg/api"
+)
+
+func TestPiInjectAgentInstructions(t *testing.T) {
+	agentHome := t.TempDir()
+	p := &Pi{}
+	content := []byte("# Agent Instructions\nDo good work.")
+
+	if err := p.InjectAgentInstructions(agentHome, content); err != nil {
+		t.Fatalf("InjectAgentInstructions failed: %v", err)
+	}
+
+	target := filepath.Join(agentHome, ".pi", "agent", "AGENTS.md")
+	data, err := os.ReadFile(target)
+	if err != nil {
+		t.Fatalf("expected file at %s: %v", target, err)
+	}
+	if string(data) != string(content) {
+		t.Errorf("content mismatch: got %q, want %q", string(data), string(content))
+	}
+}
+
+func TestPiInjectSystemPrompt(t *testing.T) {
+	agentHome := t.TempDir()
+	p := &Pi{}
+	content := []byte("You are a helpful assistant.")
+
+	if err := p.InjectSystemPrompt(agentHome, content); err != nil {
+		t.Fatalf("InjectSystemPrompt failed: %v", err)
+	}
+
+	target := filepath.Join(agentHome, ".pi", "agent", "SYSTEM.md")
+	data, err := os.ReadFile(target)
+	if err != nil {
+		t.Fatalf("expected file at %s: %v", target, err)
+	}
+	if string(data) != string(content) {
+		t.Errorf("content mismatch: got %q, want %q", string(data), string(content))
+	}
+}
+
+func TestPiResolveAuth_AnthropicAPIKey(t *testing.T) {
+	p := &Pi{}
+	auth := api.AuthConfig{AnthropicAPIKey: "sk-ant-test"}
+	result, err := p.ResolveAuth(auth)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Method != "api-key" {
+		t.Errorf("Method = %q, want %q", result.Method, "api-key")
+	}
+	if result.EnvVars["ANTHROPIC_API_KEY"] != "sk-ant-test" {
+		t.Errorf("ANTHROPIC_API_KEY = %q, want %q", result.EnvVars["ANTHROPIC_API_KEY"], "sk-ant-test")
+	}
+}
+
+func TestPiResolveAuth_OpenAIAPIKey(t *testing.T) {
+	p := &Pi{}
+	auth := api.AuthConfig{OpenAIAPIKey: "sk-openai-test"}
+	result, err := p.ResolveAuth(auth)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Method != "api-key" {
+		t.Errorf("Method = %q, want %q", result.Method, "api-key")
+	}
+	if result.EnvVars["OPENAI_API_KEY"] != "sk-openai-test" {
+		t.Errorf("OPENAI_API_KEY = %q, want %q", result.EnvVars["OPENAI_API_KEY"], "sk-openai-test")
+	}
+}
+
+func TestPiResolveAuth_AuthFile(t *testing.T) {
+	p := &Pi{}
+	auth := api.AuthConfig{PiAuthFile: "/home/user/.pi/agent/auth.json"}
+	result, err := p.ResolveAuth(auth)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Method != "auth-file" {
+		t.Errorf("Method = %q, want %q", result.Method, "auth-file")
+	}
+	if len(result.Files) != 1 {
+		t.Fatalf("expected 1 file mapping, got %d", len(result.Files))
+	}
+}
+
+func TestPiResolveAuth_PreferenceOrder(t *testing.T) {
+	p := &Pi{}
+	// AnthropicAPIKey should win over OpenAIAPIKey and auth file
+	auth := api.AuthConfig{
+		AnthropicAPIKey: "anthropic",
+		OpenAIAPIKey:    "openai",
+		PiAuthFile:      "/auth.json",
+	}
+	result, err := p.ResolveAuth(auth)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Method != "api-key" {
+		t.Errorf("AnthropicAPIKey should win; Method = %q, want %q", result.Method, "api-key")
+	}
+
+	// OpenAIAPIKey should win over auth file
+	auth = api.AuthConfig{
+		OpenAIAPIKey: "openai",
+		PiAuthFile:   "/auth.json",
+	}
+	result, err = p.ResolveAuth(auth)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Method != "api-key" {
+		t.Errorf("OpenAIAPIKey should win over auth file; Method = %q, want %q", result.Method, "api-key")
+	}
+}
+
+func TestPiResolveAuth_NoCreds(t *testing.T) {
+	p := &Pi{}
+	_, err := p.ResolveAuth(api.AuthConfig{})
+	if err == nil {
+		t.Fatal("expected error for empty AuthConfig")
+	}
+	if !strings.Contains(err.Error(), "ANTHROPIC_API_KEY") {
+		t.Errorf("error should mention ANTHROPIC_API_KEY: %v", err)
+	}
+}
+
+func TestPiGetCommand_Basic(t *testing.T) {
+	p := &Pi{}
+	cmd := p.GetCommand("do the thing", false, nil)
+	if len(cmd) < 3 {
+		t.Fatalf("expected at least 3 args, got %v", cmd)
+	}
+	if cmd[0] != "pi" {
+		t.Errorf("cmd[0] = %q, want %q", cmd[0], "pi")
+	}
+	if cmd[1] != "--print" {
+		t.Errorf("cmd[1] = %q, want %q", cmd[1], "--print")
+	}
+	if cmd[2] != "do the thing" {
+		t.Errorf("cmd[2] = %q, want %q", cmd[2], "do the thing")
+	}
+}
+
+func TestPiGetCommand_Resume(t *testing.T) {
+	p := &Pi{}
+	cmd := p.GetCommand("", true, nil)
+	found := false
+	for _, a := range cmd {
+		if a == "--continue" {
+			found = true
+		}
+	}
+	if !found {
+		t.Errorf("expected --continue in command: %v", cmd)
+	}
+}
diff --git a/pkg/transfer/collect.go b/pkg/transfer/collect.go
index 2f0682991..bf7318f85 100644
--- a/pkg/transfer/collect.go
+++ b/pkg/transfer/collect.go
@@ -75,13 +75,20 @@ func (b *ManifestBuilder) Build() (*Manifest, error) {
 func (b *ManifestBuilder) CollectFiles() ([]FileInfo, error) {
 	var files []FileInfo
 
-	err := filepath.WalkDir(b.BasePath, func(path string, d fs.DirEntry, err error) error {
+	// Resolve symlinks on the base path so that WalkDir can descend into
+	// directories that are themselves symlinks (e.g. stow-managed configs).
+	resolvedBase, err := filepath.EvalSymlinks(b.BasePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve base path %s: %w", b.BasePath, err)
+	}
+
+	err = filepath.WalkDir(resolvedBase, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 
 		// Get relative path
-		relPath, err := filepath.Rel(b.BasePath, path)
+		relPath, err := filepath.Rel(resolvedBase, path)
 		if err != nil {
 			return err
 		}

From 12ec2612861f2d25c6e9495bf96817cd46768b90 Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 03:43:42 -0400
Subject: [PATCH 3/6] fix(harness/pi): allow no-auth for local model
 configurations

Pi can run without API credentials when using locally-configured models
via models.json (e.g. oMLX server). Return method=none instead of error
when no auth credentials are found.
---
 pkg/harness/pi.go      |  4 +++-
 pkg/harness/pi_test.go | 11 +++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/pkg/harness/pi.go b/pkg/harness/pi.go
index a76826926..62dc0153d 100644
--- a/pkg/harness/pi.go
+++ b/pkg/harness/pi.go
@@ -180,5 +180,7 @@ func (p *Pi) ResolveAuth(auth api.AuthConfig) (*api.ResolvedAuth, error) {
 		}, nil
 	}
 
-	return nil, fmt.Errorf("pi: no valid auth method found; set ANTHROPIC_API_KEY or OPENAI_API_KEY, or provide auth credentials at ~/.pi/agent/auth.json")
+	// No credentials found — pi can still run with locally-configured models
+	// (e.g. via ~/.pi/agent/models.json pointing at a local oMLX/OpenAI-compat server).
+	return &api.ResolvedAuth{Method: "none"}, nil
 }
diff --git a/pkg/harness/pi_test.go b/pkg/harness/pi_test.go
index c3bf77f71..c8aeb6afd 100644
--- a/pkg/harness/pi_test.go
+++ b/pkg/harness/pi_test.go
@@ -17,7 +17,6 @@ package harness
 import (
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
 	"github.com/GoogleCloudPlatform/scion/pkg/api"
@@ -138,12 +137,12 @@ func TestPiResolveAuth_PreferenceOrder(t *testing.T) {
 
 func TestPiResolveAuth_NoCreds(t *testing.T) {
 	p := &Pi{}
-	_, err := p.ResolveAuth(api.AuthConfig{})
-	if err == nil {
-		t.Fatal("expected error for empty AuthConfig")
+	result, err := p.ResolveAuth(api.AuthConfig{})
+	if err != nil {
+		t.Fatalf("expected no error for empty AuthConfig (local models supported): %v", err)
 	}
-	if !strings.Contains(err.Error(), "ANTHROPIC_API_KEY") {
-		t.Errorf("error should mention ANTHROPIC_API_KEY: %v", err)
+	if result.Method != "none" {
+		t.Errorf("expected method %q for no-creds case, got %q", "none", result.Method)
 	}
 }
 

From 788c738bd680c95615e639ac83e032fa09240a90 Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 19:17:34 -0400
Subject: [PATCH 4/6] pi image: clone pi-skills and run bun install for
 brave-search, browser-tools, youtube-transcript

---
 image-build/pi/Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/image-build/pi/Dockerfile b/image-build/pi/Dockerfile
index 910749f69..307dcd629 100644
--- a/image-build/pi/Dockerfile
+++ b/image-build/pi/Dockerfile
@@ -23,4 +23,11 @@ RUN mkdir -p /home/scion/.pi/agent && \
 RUN npm install -g @mariozechner/pi-coding-agent \
   && npm cache clean --force
 
+# Clone pi-skills and pre-install JS dependencies for skills that require it
+RUN git clone --depth=1 https://github.com/badlogic/pi-skills /home/scion/.pi/agent/skills/pi-skills && \
+  cd /home/scion/.pi/agent/skills/pi-skills/brave-search && bun install && \
+  cd /home/scion/.pi/agent/skills/pi-skills/browser-tools && bun install && \
+  cd /home/scion/.pi/agent/skills/pi-skills/youtube-transcript && bun install && \
+  chown -R scion:scion /home/scion/.pi
+
 CMD ["pi"]

From 113e0da0de3140a85dd7218937f795f19c19b0eb Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 21:16:22 -0400
Subject: [PATCH 5/6] scion-pi: install gccli, gdcli, gmcli globals via bun

---
 image-build/pi/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/image-build/pi/Dockerfile b/image-build/pi/Dockerfile
index 307dcd629..1dc402843 100644
--- a/image-build/pi/Dockerfile
+++ b/image-build/pi/Dockerfile
@@ -23,6 +23,9 @@ RUN mkdir -p /home/scion/.pi/agent && \
 RUN npm install -g @mariozechner/pi-coding-agent \
   && npm cache clean --force
 
+# Install gccli, gdcli, gmcli globally (BUN_INSTALL=/usr/local puts binaries in /usr/local/bin)
+RUN BUN_INSTALL=/usr/local bun add -g @mariozechner/gccli @mariozechner/gdcli @mariozechner/gmcli
+
 # Clone pi-skills and pre-install JS dependencies for skills that require it
 RUN git clone --depth=1 https://github.com/badlogic/pi-skills /home/scion/.pi/agent/skills/pi-skills && \
   cd /home/scion/.pi/agent/skills/pi-skills/brave-search && bun install && \

From 68843f34eead914e0551557dd38122e2233bd795 Mon Sep 17 00:00:00 2001
From: Ryan <10638626+ryancee@users.noreply.github.com>
Date: Sun, 19 Apr 2026 21:50:31 -0400
Subject: [PATCH 6/6] feat: add pi-generic template using generic harness with
 pi --print

Creates .scion/templates/pi-generic/ template that uses harness: generic
with command_args: [pi, --print] and image: scion-pi:latest. This validates
that the generic harness correctly proxies the pi CLI, producing the same
invocation as the native pi harness.
---
 .../harness-configs/generic/config.yaml       | 20 +++++++++++++++++++
 .scion/templates/pi-generic/scion-agent.yaml  | 17 ++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 .scion/templates/pi-generic/harness-configs/generic/config.yaml
 create mode 100644 .scion/templates/pi-generic/scion-agent.yaml

diff --git a/.scion/templates/pi-generic/harness-configs/generic/config.yaml b/.scion/templates/pi-generic/harness-configs/generic/config.yaml
new file mode 100644
index 000000000..8c52d2b5b
--- /dev/null
+++ b/.scion/templates/pi-generic/harness-configs/generic/config.yaml
@@ -0,0 +1,20 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+harness: generic
+image: scion-pi:latest
+user: scion
+command_args:
+  - pi
+  - --print
diff --git a/.scion/templates/pi-generic/scion-agent.yaml b/.scion/templates/pi-generic/scion-agent.yaml
new file mode 100644
index 000000000..730c68364
--- /dev/null
+++ b/.scion/templates/pi-generic/scion-agent.yaml
@@ -0,0 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+schema_version: "1"
+description: "Pi agent via generic harness (pass-through validation)"
+default_harness_config: generic