chore: refresh Pi stack to 0.75.3

[tmustier]

Summary

• Bump the lockstep Pi stack (@earendil-works/pi-ai, pi-agent-core, pi-web-ui) from 0.74.0 to the latest common published version, 0.75.3.
• Pin those three packages exactly because pi-ai / pi-agent-core are published beyond pi-web-ui; ^0.75.3 resolves out of lockstep.
• Update compaction-summary handling for the pi-agent-core@0.75.3 tokensBefore message contract, with legacy display fallback.
• Add a registry assertion for refreshed preferred IDs (gpt-5.5, gpt-5.3-codex, claude-opus-4-7, gemini-3.1-pro-preview) and refresh the model-update playbook.
• Update the protobufjs override to 7.6.2 so the package-change pre-push audit has no high-severity findings.

Supersedes the narrower Dependabot pi-stack bump in #551.

Verification

• npm ci
• npm run check
• npm run test:models
• npm run test:context
• npm run build
• npm audit --audit-level=high (passes; remaining findings are moderate uuid via Office dev tooling and require a breaking downgrade/force path)
• Live OAuth smoke using local Pi openai-codex auth: openai-codex/gpt-5.5 returned OK with stopReason: stop.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pi-for-excel	Ready	Preview, Comment	Jun 1, 2026 8:32am

[tmustier]

Findings

• [P2] Align Node engine with bumped Pi packages
  • package-lock.json:1105
  • The refreshed @earendil-works/pi-agent-core and @earendil-works/pi-ai packages declare node >=22.19.0, but this app still advertises ^20.19.0 || ^22.13.0 || >=24 in package.json. Contributors or CI variants using the advertised Node 20/22.13 range can hit engine-strict install failures or unsupported runtime behavior.
  • Update the root engines.node (and any setup docs) to ^22.19.0 || >=24, or use Pi package versions that still support Node 20.

Verdict

needs attention — the dependency bump introduces a Node engine mismatch that should be resolved for reproducible installs.

[tmustier]

Findings

• [P2] Bedrock stub no longer intercepts the upgraded provider loader
  package.json:38
@earendil-works/pi-ai 0.75.3 now loads Bedrock through a variable dynamic import, while the existing Vite shim only matches static ./amazon-bedrock.js imports. Selecting the still-listed Amazon Bedrock provider will try to load the real/unbundled Node/AWS provider at runtime instead of the local unsupported-provider stub. Register the local stub via setBedrockProviderModule(...) or otherwise override the new lazy Bedrock loader.

Verdict

needs attention — One P2 runtime regression remains in the Bedrock provider shim after the Pi package upgrade.

[tmustier]

Addressed the re-review P2:

• Added src/compat/bedrock-provider-stub.ts, which explicitly registers the local unsupported-provider stub via setBedrockProviderModule(...) so pi-ai 0.75's lazy Bedrock loader cannot fall through to the Node/AWS provider in the browser build.
• Imported it from src/boot.ts, which is still first in src/taskpane.ts.
• Added a regression test proving amazon-bedrock/amazon.nova-micro-v1:0 returns the clear unsupported-provider error via completeSimple().

Verification after the fix:

• npm run test:models — 34 passed
• npm run check — passed
• npm run test:context — 648 passed
• npm run build — passed