npm - @aliou/pi-guardrails - Versions diffs - 0.11.2 → 0.12.0 - Mend

@aliou/pi-guardrails 0.11.2 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/README.md +72 -167
package/extensions/guardrails/commands/examples/index.ts +520 -0
package/extensions/guardrails/commands/onboarding/config.ts +54 -0
package/{src/commands/onboarding-command.ts → extensions/guardrails/commands/onboarding/index.ts} +5 -31
package/extensions/guardrails/commands/settings/add-rule-wizard.ts +267 -0
package/extensions/guardrails/commands/settings/examples.ts +399 -0
package/extensions/guardrails/commands/settings/index.ts +596 -0
package/extensions/guardrails/commands/settings/path-list-editor.ts +158 -0
package/extensions/guardrails/commands/settings/scope-picker-submenu.ts +69 -0
package/extensions/guardrails/commands/settings/utils.ts +108 -0
package/extensions/guardrails/components/onboarding-choice-step.ts +140 -0
package/extensions/guardrails/components/onboarding-finish-step.ts +50 -0
package/extensions/guardrails/components/onboarding-intro-step.ts +30 -0
package/extensions/guardrails/components/onboarding-types.ts +10 -0
package/extensions/guardrails/components/onboarding-wizard.ts +116 -0
package/{src → extensions/guardrails}/components/pattern-editor.ts +11 -10
package/extensions/guardrails/index.ts +106 -0
package/extensions/guardrails/rules.test.ts +107 -0
package/extensions/guardrails/rules.ts +119 -0
package/extensions/guardrails/targets.test.ts +44 -0
package/extensions/guardrails/targets.ts +66 -0
package/extensions/path-access/grants.test.ts +47 -0
package/extensions/path-access/grants.ts +68 -0
package/extensions/path-access/index.ts +143 -0
package/extensions/path-access/prompt.ts +196 -0
package/extensions/path-access/rules.test.ts +46 -0
package/extensions/path-access/rules.ts +37 -0
package/extensions/path-access/targets.test.ts +40 -0
package/extensions/path-access/targets.ts +19 -0
package/extensions/permission-gate/grants.ts +21 -0
package/extensions/permission-gate/index.ts +122 -0
package/extensions/permission-gate/prompt.ts +222 -0
package/extensions/permission-gate/rules.test.ts +132 -0
package/extensions/permission-gate/rules.ts +72 -0
package/package.json +18 -20
package/schema.json +286 -0
package/src/core/check.test.ts +169 -0
package/src/core/check.ts +38 -0
package/src/{hooks/permission-gate/dangerous-commands.test.ts → core/commands/dangerous.test.ts} +134 -2
package/src/{hooks/permission-gate/dangerous-commands.ts → core/commands/dangerous.ts} +119 -1
package/src/core/commands/index.ts +15 -0
package/src/core/index.ts +13 -0
package/src/{utils/path-access.test.ts → core/paths/access.test.ts} +1 -5
package/src/core/paths/index.ts +14 -0
package/src/{utils → core/shell}/command-args.test.ts +31 -20
package/src/core/shell/index.ts +2 -0
package/src/core/types.ts +55 -0
package/src/shared/config/defaults.ts +118 -0
package/src/shared/config/index.ts +17 -0
package/src/shared/config/loader.ts +64 -0
package/src/shared/config/migration/001-v0-format-upgrade.ts +107 -0
package/src/shared/config/migration/002-strip-toolchain-fields.ts +39 -0
package/src/shared/config/migration/003-strip-command-explainer-fields.ts +42 -0
package/src/shared/config/migration/004-env-files-to-policies.ts +87 -0
package/src/shared/config/migration/005-normalize-allowed-paths.ts +43 -0
package/src/shared/config/migration/006-apply-builtin-defaults.ts +19 -0
package/src/shared/config/migration/007-mark-onboarding-done.ts +25 -0
package/src/shared/config/migration/index.ts +44 -0
package/src/shared/config/migration/version.ts +7 -0
package/src/shared/config/types.ts +141 -0
package/src/shared/events.ts +100 -0
package/src/shared/index.ts +6 -0
package/src/shared/matching.test.ts +86 -0
package/src/{utils → shared}/matching.ts +4 -4
package/src/{utils → shared/paths}/bash-paths.test.ts +11 -2
package/src/{utils → shared/paths}/bash-paths.ts +4 -4
package/src/shared/paths/index.ts +1 -0
package/src/shared/warnings.ts +17 -0
package/docs/defaults.md +0 -140
package/docs/examples.md +0 -170
package/src/commands/onboarding.ts +0 -390
package/src/commands/settings-command.ts +0 -1616
package/src/config.ts +0 -392
package/src/hooks/index.ts +0 -11
package/src/hooks/path-access.ts +0 -395
package/src/hooks/permission-gate/index.test.ts +0 -332
package/src/hooks/permission-gate/index.ts +0 -595
package/src/hooks/policies.ts +0 -322
package/src/index.ts +0 -96
package/src/lib/executor.ts +0 -280
package/src/lib/index.ts +0 -16
package/src/lib/model-resolver.ts +0 -47
package/src/lib/timing.ts +0 -42
package/src/lib/types.ts +0 -115
package/src/utils/events.ts +0 -32
package/src/utils/migration.test.ts +0 -58
package/src/utils/migration.ts +0 -340
package/src/utils/warnings.ts +0 -7
/package/src/{utils/path-access.ts → core/paths/access.ts} +0 -0
/package/src/{utils → core/paths}/path.test.ts +0 -0
/package/src/{utils → core/paths}/path.ts +0 -0
/package/src/{utils/shell-utils.ts → core/shell/ast.ts} +0 -0
/package/src/{utils → core/shell}/command-args.ts +0 -0
/package/src/{utils/glob-expander.ts → shared/glob.ts} +0 -0

package/src/hooks/permission-gate/index.test.ts DELETED Viewed

@@ -1,332 +0,0 @@
-import type {
-  BashToolCallEvent,
-  ExtensionAPI,
-  ExtensionContext,
-} from "@mariozechner/pi-coding-agent";
-import { createEventBus } from "@mariozechner/pi-coding-agent";
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import { createEventContext } from "../../../tests/utils/pi-context";
-import type { ResolvedConfig } from "../../config";
-import { configLoader } from "../../config";
-import { setupPermissionGateHook } from "./index";
-// Mock configLoader so allow-session path doesn't throw.
-vi.mock("../../config", async (importOriginal) => {
-  const original = (await importOriginal()) as Record<string, unknown>;
-  return {
-    ...original,
-    configLoader: {
-      getConfig: vi.fn(() => ({
-        permissionGate: { allowedPatterns: [] },
-      })),
-      save: vi.fn(async () => {}),
-    },
-  };
-});
-// ---------------------------------------------------------------------------
-// Constants — must match the production code's SELECT_* constants
-// ---------------------------------------------------------------------------
-const SELECT_ALLOW_ONCE = "Allow once";
-const SELECT_ALLOW_SESSION = "Allow for session";
-const SELECT_DENY = "Deny";
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-/**
- * Minimal config enabling the permission gate with defaults.
- * No custom patterns — relies on built-in structural matchers.
- */
-function makeConfig(
-  overrides: Partial<ResolvedConfig["permissionGate"]> = {},
-): ResolvedConfig {
-  return {
-    version: "1",
-    enabled: true,
-    applyBuiltinDefaults: true,
-    features: { policies: false, permissionGate: true, pathAccess: false },
-    policies: { rules: [] },
-    pathAccess: { mode: "ask", allowedPaths: [] },
-    permissionGate: {
-      patterns: [],
-      useBuiltinMatchers: true,
-      requireConfirmation: true,
-      allowedPatterns: [],
-      autoDenyPatterns: [],
-      explainCommands: false,
-      explainModel: null,
-      explainTimeout: 5000,
-      ...overrides,
-    },
-  };
-}
-type ToolCallHandler = (
-  event: BashToolCallEvent,
-  ctx: ExtensionContext,
-) => Promise<{ block: true; reason: string } | undefined>;
-/**
- * Create a mock ExtensionAPI that captures tool_call handler registrations.
- * Returns the mock and a function to retrieve the registered handler.
- */
-function createMockPi() {
-  const handlers: ToolCallHandler[] = [];
-  const eventBus = createEventBus();
-  const pi = {
-    on(event: string, handler: ToolCallHandler) {
-      if (event === "tool_call") {
-        handlers.push(handler);
-      }
-    },
-    events: eventBus,
-    // Stubs for any other ExtensionAPI methods that might be called.
-    registerCommand: vi.fn(),
-    registerTool: vi.fn(),
-    emit: vi.fn(),
-  } as unknown as ExtensionAPI;
-  return {
-    pi,
-    getHandler(): ToolCallHandler {
-      if (handlers.length === 0) {
-        throw new Error("No tool_call handler registered");
-      }
-      return handlers[0];
-    },
-  };
-}
-function bashEvent(command: string): BashToolCallEvent {
-  return {
-    type: "tool_call",
-    toolCallId: "tc_test",
-    toolName: "bash",
-    input: { command },
-  };
-}
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-describe("permission gate", () => {
-  let handle: ReturnType<typeof createMockPi>;
-  let handler: ToolCallHandler;
-  beforeEach(() => {
-    handle = createMockPi();
-    setupPermissionGateHook(handle.pi, makeConfig());
-    handler = handle.getHandler();
-  });
-  it("allows safe commands", async () => {
-    const ctx = createEventContext({ hasUI: true });
-    const result = await handler(bashEvent("echo hello"), ctx);
-    expect(result).toBeUndefined();
-  });
-  it("blocks dangerous commands when user denies", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(async () => "deny") as ExtensionContext["ui"]["custom"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual({
-      block: true,
-      reason: "User denied dangerous command",
-    });
-  });
-  it("allows dangerous commands when user explicitly allows", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(async () => "allow") as ExtensionContext["ui"]["custom"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toBeUndefined();
-  });
-  it("blocks when hasUI is false (print/RPC mode)", async () => {
-    const ctx = createEventContext({ hasUI: false });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual(expect.objectContaining({ block: true }));
-  });
-  it("blocks when ctx.ui.custom() returns undefined (RPC stub)", async () => {
-    // This is the bug from issue #19: in RPC mode, ctx.ui.custom() returns
-    // undefined. The permission gate only checks for "deny", so undefined
-    // falls through and the command is silently allowed.
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual(expect.objectContaining({ block: true }));
-    expect(ctx.ui.select).toHaveBeenCalled();
-  });
-  it("blocks auto-deny patterns without prompting", async () => {
-    const { pi, getHandler } = createMockPi();
-    setupPermissionGateHook(
-      pi,
-      makeConfig({
-        autoDenyPatterns: [{ pattern: "DROP TABLE" }],
-      }),
-    );
-    const h = getHandler();
-    const ctx = createEventContext({ hasUI: true });
-    const result = await h(bashEvent("psql -c 'DROP TABLE users'"), ctx);
-    expect(result).toEqual(expect.objectContaining({ block: true }));
-    // Should not have prompted the user.
-    expect(ctx.ui.custom).not.toHaveBeenCalled();
-  });
-  it("skips allowed patterns", async () => {
-    const { pi, getHandler } = createMockPi();
-    setupPermissionGateHook(
-      pi,
-      makeConfig({
-        allowedPatterns: [{ pattern: "sudo echo" }],
-      }),
-    );
-    const h = getHandler();
-    const ctx = createEventContext({ hasUI: true });
-    const result = await h(bashEvent("sudo echo hello"), ctx);
-    expect(result).toBeUndefined();
-  });
-  // ---------------------------------------------------------------------------
-  // RPC mode: ctx.ui.select() fallback when ctx.ui.custom() returns undefined
-  // ---------------------------------------------------------------------------
-  it("falls back to select() when custom() returns undefined and allows on 'Allow once'", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => SELECT_ALLOW_ONCE,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toBeUndefined(); // not blocked → allowed
-    expect(ctx.ui.select).toHaveBeenCalled();
-  });
-  it("falls back to select() when custom() returns undefined and allows-session on 'Allow for session'", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => SELECT_ALLOW_SESSION,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toBeUndefined(); // not blocked → allowed with session grant
-    expect(ctx.ui.select).toHaveBeenCalled();
-  });
-  it("falls back to select() when custom() returns undefined and blocks on 'Deny'", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => SELECT_DENY,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual({
-      block: true,
-      reason: "User denied dangerous command",
-    });
-  });
-  it("blocks when both custom() and select() return undefined", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual(expect.objectContaining({ block: true }));
-    expect(ctx.ui.select).toHaveBeenCalled();
-  });
-  it("does not call select() when custom() returns a valid result", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(async () => "deny") as ExtensionContext["ui"]["custom"],
-      },
-    });
-    await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(ctx.ui.select).not.toHaveBeenCalled();
-  });
-  it("blocks when select() returns an unrecognized string", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(async () => "maybe") as ExtensionContext["ui"]["select"],
-      },
-    });
-    const result = await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(result).toEqual(expect.objectContaining({ block: true }));
-  });
-  it("saves session grant via configLoader when select() returns 'Allow for session'", async () => {
-    const ctx = createEventContext({
-      hasUI: true,
-      ui: {
-        custom: vi.fn(
-          async () => undefined,
-        ) as ExtensionContext["ui"]["custom"],
-        select: vi.fn(
-          async () => SELECT_ALLOW_SESSION,
-        ) as ExtensionContext["ui"]["select"],
-      },
-    });
-    await handler(bashEvent("sudo rm -rf /"), ctx);
-    expect(configLoader.save).toHaveBeenCalledWith("memory", {
-      permissionGate: {
-        allowedPatterns: [{ pattern: "sudo rm -rf /" }],
-      },
-    });
-  });
-});