Memory consolidation subprocess should run with --no-tools to prevent transcript prompt injection side effects #18

@gebeer

A pi-memory consolidation session treated an embedded prior conversation transcript as live instructions and executed a project E2E script. The script generated PDFs and sent emails unintentionally.

Impact

  • A project E2E script was executed twice, generating PDFs and sending test emails to configured recipients/BCCs.

Active pi-memory settings

"memory": {
  "consolidationModel": "opencode-go/deepseek-v4-flash",
  "lessonInjection": "selective"
}

Why this appears to be a pi-memory bug

Memory consolidation is a pure extraction/consolidation task. The assistant should have extracted reusable facts only.

Instead, the assistant interpreted a line from the embedded transcript:

User: ok. run the test script again

as an active instruction and used shell access to run the E2E script.

The consolidation subprocess is launched with --no-extensions, but built-in tools such as bash remain available. Since the conversation is already injected into the prompt and the JSON response is parsed/applied programmatically by pi-memory, the consolidation subprocess does not need any tools.

Suggested Fix

Add --no-tools to the nested pi invocation used for consolidation.

Repro artifact

A JSONL transcript can be supplied if needed.
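
One way to enforce the suggested fix at the launch site, as an added example that is not part of the original issue or pi-memory's own code: a launcher that refuses to start the consolidation subprocess unless both isolation flags are present. Only `--no-extensions` and `--no-tools` come from the issue; the function names, the injected spawn function and the sample arguments are hypothetical.

```javascript
// Added example: fail-closed launcher for the nested consolidation call.
// Only --no-extensions and --no-tools come from the issue; everything else
// (function names, sample args) is hypothetical.
const REQUIRED_ISOLATION_FLAGS = ["--no-extensions", "--no-tools"];

// Flags that appear before a "--" terminator. Assumption: anything after
// "--" is positional, so a required flag placed there does not count.
function effectiveFlags(argv) {
  const end = argv.indexOf("--");
  const head = end === -1 ? argv : argv.slice(0, end);
  return new Set(head.filter((a) => a.startsWith("--")));
}

// Returns the required flags that argv does not effectively carry.
function missingIsolationFlags(argv) {
  const present = effectiveFlags(argv);
  return REQUIRED_ISOLATION_FLAGS.filter((f) => !present.has(f));
}

// Prepend whatever is missing so caller-supplied args cannot drop a flag.
function buildConsolidationArgs(baseArgs) {
  return [...missingIsolationFlags(baseArgs), ...baseArgs];
}

// spawnFn is injected (e.g. child_process.spawn) so the guard is testable.
function launchConsolidation(spawnFn, bin, argv) {
  const missing = missingIsolationFlags(argv);
  if (missing.length > 0) {
    throw new Error(
      `refusing to launch consolidation without ${missing.join(", ")}`
    );
  }
  return spawnFn(bin, argv, { stdio: ["pipe", "pipe", "inherit"] });
}

// Constructed sample: the launch as described in the issue, then hardened.
const asReported = ["--no-extensions"];
const hardened = buildConsolidationArgs(asReported);
```

A unit test that asserts `missingIsolationFlags` returns an empty list for the real argument vector keeps the flag from being dropped in a later refactor.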
