Pi.dev Review: Terminal Coding Agent for Regulated Teams

Posted: December 31, 1969 to AI.

Every few weeks a new AI coding tool shows up with a clean landing page and a confident slogan. Most of them are thin wrappers on the same three model providers with a venture round behind them. Pi.dev is different, and different in a way that matters for developer teams inside regulated industries.

This review is written by Petronella Technology Group, a Raleigh cybersecurity and AI consulting firm founded in 2002 that has spent years helping CMMC, HIPAA, and SOC 2 clients evaluate new developer tools before they touch regulated source code. We run 10-plus production AI agents of our own, including a live voice receptionist, a website chat agent, a compliance chatbot, and client-specific digital twin voice assistants, so we evaluate tools like pi.dev against the same bar we hold our own systems to. We pulled apart what pi.dev actually is, who built it, how it works, what it does not do, and whether a healthcare, defense, or finance shop should let their developers install it.

Before going further: the name "pi.dev" collides with a couple of other things in the industry, and we want to clear that up so you know which product this review covers.

Which Pi.dev This Is, And Which Pi.dev This Is Not

The domain pi.dev, according to the official site's homepage and its own <title> tag, hosts a "terminal-based coding agent" published by developer Mario Zechner under the npm package @mariozechner/pi-coding-agent. The project source lives at github.com/badlogic/pi-mono/tree/main/packages/coding-agent, is MIT licensed, and the domain was, per the project's own README, donated to the project by exe.dev. Latest version on the npm registry at the time of this review is 0.67.68.

That is the product this review covers.

To clear up confusion with similarly named products:

• Inflection AI's Pi assistant lives at pi.ai, not pi.dev. It is a consumer conversational assistant, not a developer tool.
• Raspberry Pi development resources live at raspberrypi.com. Also not this.
• Pi Network is a mobile cryptocurrency project. Also not this.

If you came here looking for one of those, the search engine sent you to the wrong page. For everyone else, let's get into what pi.dev actually does.

What Pi.dev Is In One Sentence

Pi is an open-source, terminal-based AI coding agent that you run locally on your own machine, connect to any of 15-plus model providers, and extend with TypeScript code.

That is it. There is no SaaS account, no dashboard, no "workspace" in the cloud. You install a command-line binary from npm, point it at a model provider of your choice, and it sits in your terminal reading and writing files, running shell commands, and holding a conversation with the model about your codebase.

The project's own tagline rotates through variations including "there are many coding agents, but this one is mine," which tells you most of what you need to know about its philosophy. This is a developer tool written by a developer, for developers, with strong opinions about how a coding agent should behave and what features it should not have.

Who Built Pi.dev, And Why That Matters

The project is maintained by Mario Zechner, a long-time open-source game-development tool author (he is the creator of libgdx, a widely used Java game framework). The badlogic handle on GitHub and npm is his.

Why this matters for a regulated-industry buyer:

1. Single maintainer, open source, MIT licensed. That is the opposite of a vendor relationship. You are not buying support, you are reading code.
2. No company backing means no company lifecycle risk. The tool cannot be acquired, pivoted, or have its pricing tripled overnight. It can, however, be abandoned. MIT licensing means you can fork the code the day that happens.
3. The project is active and the release cadence is high. Version 0.67 after what looks like months of daily development suggests this is the maintainer's real work, not a side project he forgot about.

For a CMMC or HIPAA environment, that profile is honest and straightforward. You know exactly what you are getting, which is source code you can audit and a CLI you run on your own machine. There is no vendor questionnaire to fill out because there is no vendor.

What Pi Actually Does, Feature By Feature

Pulled straight from the project README and the live site, here is the accurate feature set.

Four built-in tools

Pi ships with a minimal default toolset that the underlying language model can call: read, write, edit, and bash. That is the surface area. The model can read files, write files, edit files, and run shell commands. Everything else is either an extension you write, a prompt template you drop in, or a "skill" package you install.

This is a deliberate design choice. Pi's philosophy, in the maintainer's own words, is "adapt pi to your workflows, not the other way around." It does not ship with sub-agents, plan mode, web search, or other opinionated automation that competing tools bundle. If you want those, you build them or install them as a package.

15-plus model providers

The README lists the following providers with first-class support, authenticated via API key or OAuth subscription:

• Anthropic, OpenAI, Google Gemini, Google Vertex, Azure OpenAI, Amazon Bedrock
• Mistral, Groq, Cerebras, xAI, Hugging Face
• OpenRouter, Vercel AI Gateway
• Kimi For Coding, MiniMax, ZAI, OpenCode Zen, OpenCode Go

It also supports subscription-login flows for Anthropic Claude Pro and Max, ChatGPT Plus and Pro, GitHub Copilot, Google Gemini CLI, and Google Antigravity. You can add custom providers via a models.json file or by writing a TypeScript extension.

For a regulated-industry buyer, this is the single most important feature on the list. It means you can point pi at an on-premise inference endpoint (for example, an in-house Ollama server or a private AI cluster) and keep your source code from ever touching a public third-party API. More on that below.

Tree-structured sessions

Pi stores every session as a JSONL file with a tree structure, where every message has an id and a parentId. This lets you branch a conversation at any past point, try a different approach, and jump back without losing history. The /tree command navigates the tree in place, and /fork creates a new session file from the current branch.

This is more useful than it sounds. Coding-agent sessions drift into bad states all the time, and most tools handle that by making you start over or manually scroll back. Tree-structured history gives you a proper undo graph over the agent's work.

Four operating modes

1. Interactive mode is the default TUI experience, with an editor at the bottom of the terminal and streaming output above.
2. Print/JSON mode runs pi non-interactively for scripting.
3. RPC mode exposes pi to other processes over local RPC.
4. SDK mode lets you embed the agent inside your own Node/TypeScript application.

The README points at a real-world SDK integration at openclaw/openclaw, which the maintainer himself links as the reference example.

Customization surface

Pi exposes four customization primitives:

• Prompt templates. Drop a Markdown file in ~/.pi/agent/prompts/ and trigger it with /name.
• Skills. Installable units of instruction and capability.
• Extensions. TypeScript code that adds tools, UI widgets, custom providers, custom compaction, or command handlers.
• Themes. Visual configuration for the TUI.

All four can be bundled into "pi packages" and shared on npm or git. The packaging model is worth noting: because pi itself is distributed through npm and extends via TypeScript files, the whole ecosystem runs on standard package tooling that every engineering team already has.

Context engineering

Pi loads AGENTS.md (or CLAUDE.md) from the home directory, every parent directory walking up from the current working directory, and the current directory. All matching files concatenate into context. You can replace or append to the default system prompt with SYSTEM.md or APPEND_SYSTEM.md files.

Compaction is customizable via extensions, which means a regulated shop can write its own summarizer that, say, redacts certain filename patterns before passing them into the summary prompt. That is a level of control most commercial coding agents do not offer.

How Pi Compares To The Alternatives

The useful comparison set for pi.dev, as of late 2025 and early 2026, includes Anthropic's Claude Code, OpenAI Codex CLI, Cursor, Continue.dev, Aider, and Cline. Here is how they stack up on the dimensions that matter to regulated buyers.

Model-provider flexibility

• Pi.dev: 15-plus providers, including the ability to point at custom or self-hosted endpoints.
• Claude Code: Anthropic only, by design.
• OpenAI Codex CLI: OpenAI only.
• Cursor: Mostly its own routing layer over OpenAI and Anthropic, with some self-host options in enterprise tier.
• Continue.dev: Multi-provider, similar to pi in scope.
• Aider: Multi-provider.

If you are building toward a future where your regulated workloads have to run on a self-hosted model to stay inside a compliance boundary, pi and Continue are the two tools on this list best positioned to come along with you.

Licensing and transparency

• Pi.dev: MIT, single repository, full source.
• Claude Code: Proprietary, closed-source CLI.
• OpenAI Codex CLI: Apache 2.0, open source.
• Cursor: Proprietary, closed-source editor.
• Continue.dev: Apache 2.0, open source.
• Aider: Apache 2.0, open source.

For teams that need to read, audit, or modify the agent itself, pi is in the top tier.

Opinion level

Pi is the least opinionated on the list. It deliberately skips sub-agents, plan mode, and other behind-the-scenes automation that Claude Code and Cursor bundle. That is a feature for some teams and a drawback for others. If you want to hit install and have a full workflow out of the box, Claude Code or Cursor ship more of it. If you want to assemble your own, pi gives you a cleaner base.

Operational surface

Pi runs entirely in your terminal, with session files on your local disk. No SaaS backend, no account, no analytics beyond optional install telemetry that you can disable by setting PI_TELEMETRY=0 or flipping enableInstallTelemetry to false in settings.json, per the README.

For a regulated environment, that is as close to zero-surface as a coding agent gets. There is still the matter of where the model calls go, which is the central question the next section covers.

Data Handling: The Question That Decides Whether You Can Adopt It

Pi itself does not host your code, does not store it in a cloud, and does not phone home with your repository contents. The install-telemetry setting is the only outbound traffic baked into the agent, and it is documented and disable-able.

What does happen is this: every time the agent takes a turn, it sends the current context (system prompt, AGENTS.md contents, conversation history, tool outputs, and the current prompt) to whatever model provider you configured. Those tokens leave your machine and go to that provider's inference endpoint.

That is true of every coding agent on the market. The question is where the tokens go, and pi gives you more answers to that question than most competitors.

If your provider is a public SaaS model (Anthropic, OpenAI, Google Gemini, Groq, Cerebras, and so on): your source code is covered by whatever data-handling agreement you have in place with that provider. For regulated workloads you generally need a signed BAA (for HIPAA) or equivalent agreement, zero-retention API settings turned on, and a documented data-flow diagram. Most major providers now offer this at the enterprise tier, but it is never on by default.

If your provider is Azure OpenAI, Google Vertex, or AWS Bedrock: your tokens route through a cloud vendor with whom you probably already have a signed BAA or a FedRAMP Moderate authorization. This is usually the sweet spot for regulated teams that still want frontier models.

If your provider is a self-hosted endpoint (Ollama, vLLM, a private AI cluster, an on-prem Bedrock-style appliance): your source code never leaves your boundary. Pi supports this natively via its models.json configuration or via a custom-provider extension.

That third case is the one that makes pi genuinely different from Claude Code or OpenAI Codex CLI. It is also the case Petronella has been deploying for clients running CMMC Level 2 and HIPAA workloads, where the compliance question is not "can we use AI" but "can we use AI without any customer or controlled-unclassified-information data crossing our boundary." Pi fits cleanly into that architecture.

We have written more about the underlying infrastructure pattern on our private AI cluster page and on our broader AI services overview for regulated industries.

Compliance Fit: A Practical Walkthrough

Here is how Petronella actually evaluates a tool like pi.dev for a regulated client. Not a marketing checklist, the real list.

1. Read the license and the source

MIT license, source fully available, single-maintainer project. That reduces the tool itself to a known quantity. The supply-chain risk lives in its npm dependencies, not in the agent's own code.

2. Audit the dependency tree

Pi depends on a handful of first-party packages (pi-agent-core, pi-ai, pi-tui, jiti) and standard community packages (chalk, ajv, diff, extract-zip, and a few others). For a regulated install, we pin the version, freeze the lockfile, and run the dependency tree through a software-composition-analysis tool on every upgrade. This is the same drill you would run for any other npm-distributed developer tool.

3. Decide where the tokens go

This is the single biggest compliance question. Options in descending order of safety for regulated workloads:

• Self-hosted model on a private AI cluster. Code never leaves your boundary.
• Hyperscaler (Azure OpenAI, Vertex, Bedrock) under an existing cloud agreement. Inherits your existing compliance posture.
• SaaS provider with enterprise zero-retention API and a signed agreement. Acceptable for many regulated workloads but requires the paperwork.
• SaaS provider on a default consumer API key. Not acceptable for regulated source code.

The flexibility to pick any of these per-project, per-repository, or per-session is one of pi's real advantages.

4. Lock down the bash tool

Pi's bash tool is powerful and, by design, can run arbitrary shell commands on the developer's machine. For regulated environments, we recommend:

• Running pi inside a locked-down workstation with full endpoint detection and response active.
• Treating pi sessions with elevated-permission shells (production credentials, cloud-admin roles) as out of scope. Move those workflows to isolated VMs or devcontainers.
• Writing an extension that wraps the bash tool with a command-allow-list, for high-sensitivity repositories.

This is the same posture Petronella recommends for any local coding agent, not just pi. The risk is not unique to this tool. What is unique is that pi's extension API actually lets you implement the allow-list cleanly, rather than monkey-patching around a closed-source binary.

5. Decide on session retention

Pi stores sessions as JSONL files in ~/.pi/agent/sessions/ organized by working directory. For regulated environments, those files are now part of your source-code footprint. Back them up, audit them, rotate them, and include them in the developer-workstation disk-encryption and device-wipe policies.

6. Document the tool in your SSP or risk register

If you are a CMMC Level 2 shop, pi.dev is an assessment object the moment a developer installs it on a workstation that touches CUI. Add it to your system security plan, pick the system-owner, document the configuration baseline, and note which model providers are approved.

This is the boring but essential work. Petronella's CMMC-RP team (we are a CMMC-AB Registered Provider Organization, RPO #1449, verified on the Cyber-AB member registry) does this for clients every week. A new tool is not a compliance problem. An undocumented new tool is.

Integration With An Existing Developer Stack

For most of our clients, the question is not "pi or nothing" but "how does pi fit alongside what we already have." A few common scenarios:

If you already pay for Claude Code or Cursor

Pi is not a replacement for either of those in most teams. It is a complement. Claude Code is excellent for deep Anthropic-specific workflows. Cursor is a polished IDE experience. Pi is the tool you reach for when you want to run against a self-hosted model, when you want to script the agent into a CI pipeline, or when you want to embed coding-agent behavior inside another application via the SDK.

We have seen teams standardize on Cursor for their everyday IDE and add pi as the CI-friendly, self-hosted, scriptable alternative for regulated projects. That combination covers both ends of the spectrum.

If you are running an on-premise model stack

Pi is one of the cleanest ways to get a real coding-agent experience on top of your own model infrastructure. Point it at your internal OpenAI-compatible endpoint, drop an AGENTS.md that encodes your coding standards, and you are running. This is the architecture we deploy for clients who cannot allow third-party model access at all.

If you are building your own product on top of a coding agent

Pi's SDK mode lets you embed the agent inside your own TypeScript application. The OpenClaw project the maintainer links as a reference demonstrates the pattern. For an internal developer-productivity team, this is a much cleaner starting point than trying to rebuild a coding agent from the ground up.

If you need full audit logging

Pi's session JSONL format is a gift to anyone who needs to prove what an AI tool did inside a codebase. Every tool call, every response, every branch of the conversation is captured in a plain-text file on disk. Pipe those files into your SIEM, your compliance log store, or your legal-hold archive. That is straightforward. With closed-source SaaS coding tools, you are at the mercy of whatever export the vendor happens to offer.

Should A Regulated Business Adopt Pi.dev?

Our honest answer, from dozens of tool evaluations across healthcare, finance, defense, and professional-services clients: yes, for the right use cases, with the right guardrails.

Adopt pi if:

• You run regulated workloads and want the option to route coding-agent traffic through a self-hosted model.
• You value open-source, auditable tooling over polished closed-source products.
• You have a strong engineering culture that can write TypeScript extensions when needed.
• You already have a developer-workstation security posture that can handle a local AI tool with file and shell access.

Think twice about pi if:

• Your team wants a one-install, everything-included experience. Claude Code or Cursor will feel less raw.
• You have no in-house engineering capacity to configure, extend, and maintain it.
• You need a named vendor with a support phone number and a signed master services agreement. Pi is open source, not a vendor relationship.

For most of the regulated teams we work with, the right move is a pilot: pick one team, pick one non-CUI repository, pick one model provider that fits your compliance posture, and run pi for a month. Pi is small enough and cheap enough (free to install, pay only for inference) that a pilot has essentially no downside.

How Petronella Helps You Evaluate And Deploy New AI Tools

Petronella Technology Group was founded in 2002 and has carried a BBB A+ rating since 2003. Our team holds the CMMC Registered Practitioner credential across the practice, we are a CMMC-AB Registered Provider Organization (RPO #1449), and our principal holds Digital Forensic Examiner license #604180 alongside CCNA and CWNE. We help regulated clients in Raleigh, the Triangle, and nationwide make exactly the kind of evaluation this post walks through, but on their own repositories, their own compliance scope, and their own infrastructure.

What that looks like in practice:

• A data-flow diagram for the proposed tool, signed off by your compliance team.
• A dependency and supply-chain audit of the tool itself.
• A written recommendation on model-provider selection tied to your specific regulatory regime.
• A workstation hardening baseline that accounts for the new tool.
• An SSP update or risk-register entry so the tool is documented the day it lands.
• Optional: a private AI cluster deployment so your coding-agent traffic never leaves your boundary at all, the same pattern we use to host our own 10-plus production AI agents in-house.

If you are evaluating pi.dev, Claude Code, Cursor, or any other new coding agent and your developers touch CUI, PHI, cardholder data, or other regulated information, we can help you move faster and more safely than a DIY evaluation would. Our broader writeups on cyber security, AI services, and digital twin voice assistants give more context on how we work.

Call Petronella at (919) 348-4912 and our live voice agent Penny will route you straight to the right engineer, or reach us through the contact form at petronellatech.com/contact-us/. A free 15-minute assessment call will tell you whether pi.dev fits your environment and, if so, how to roll it out without blowing up your compliance posture.

Bottom Line

Pi.dev is a small, sharp, open-source terminal coding agent built by a developer with strong opinions and good taste. It is not trying to be everything. It is trying to be a clean base that you extend in the direction of your own workflow. For regulated engineering teams who want flexibility, auditability, and the ability to route coding-agent traffic through a self-hosted model, pi is one of the best-fitting tools shipping today. Treat it the way you treat any other new developer tool touching regulated code: evaluate the license, pin the dependencies, choose your model provider on purpose, lock down the shell tool, document the install, and pilot it somewhere safe before it goes anywhere near your crown-jewel repositories.

Sources referenced in this review: the pi.dev homepage, the project README on GitHub (badlogic/pi-mono/tree/main/packages/coding-agent), the npm registry metadata for @mariozechner/pi-coding-agent version 0.67.68, and the project's MIT LICENSE file. All feature claims, provider lists, and architectural details in this post are sourced directly from those primary documents as of the review date.