@aliou/pi-guardrails 0.3.0 → 0.4.0
- package/config-schema.ts +2 -0
- package/config.ts +1 -0
- package/events.ts +5 -1
- package/hooks/index.ts +2 -0
- package/hooks/prevent-python.ts +45 -0
- package/package.json +1 -1
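--- a/package/config-schema.ts
+++ b/package/config-schema.ts
@@ -9,6 +9,7 @@ export interface GuardrailsConfig {
 enabled?: boolean;
 features?: {
 preventBrew?: boolean;
+preventPython?: boolean;
 protectEnvFiles?: boolean;
 permissionGate?: boolean;
 };
@@ -34,6 +35,7 @@ export interface ResolvedConfig {
 enabled: boolean;
 features: {
 preventBrew: boolean;
+preventPython: boolean;
 protectEnvFiles: boolean;
 permissionGate: boolean;
 };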
package/config.ts
CHANGED
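--- a/package/events.ts
+++ b/package/events.ts
@@ -4,7 +4,11 @@ export const GUARDRAILS_BLOCKED_EVENT = "guardrails:blocked";
 export const GUARDRAILS_DANGEROUS_EVENT = "guardrails:dangerous";
 
 export interface GuardrailsBlockedEvent {
-feature:
+feature:
+| "preventBrew"
+| "preventPython"
+| "protectEnvFiles"
+| "permissionGate";
 toolName: string;
 input: Record<string, unknown>;
 reason: string;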
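Review bot: The `feature` union in `GuardrailsBlockedEvent` is a hand-maintained copy of the keys of `features` in `ResolvedConfig`, so a hook added to the config later can be missed here without the compiler noticing. Deriving it keeps the two in step: `feature: keyof ResolvedConfig["features"];`, with `import type { ResolvedConfig } from "./config-schema";` if events.ts does not already import it (its import block is not visible in this hunk). The interface body continues past the end of the hunk.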
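--- a/package/hooks/index.ts
+++ b/package/hooks/index.ts
@@ -2,10 +2,12 @@ import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import type { ResolvedConfig } from "../config-schema";
 import { setupPermissionGateHook } from "./permission-gate";
 import { setupPreventBrewHook } from "./prevent-brew";
+import { setupPreventPythonHook } from "./prevent-python";
 import { setupProtectEnvFilesHook } from "./protect-env-files";
 
 export function setupGuardrailsHooks(pi: ExtensionAPI, config: ResolvedConfig) {
 setupPreventBrewHook(pi, config);
+setupPreventPythonHook(pi, config);
 setupProtectEnvFilesHook(pi, config);
 setupPermissionGateHook(pi, config);
 }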
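--- a/package/hooks/prevent-python.ts
+++ b/package/hooks/prevent-python.ts
@@ -0,0 +1,45 @@
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import type { ResolvedConfig } from "../config-schema";
+import { emitBlocked } from "../events";
+
+/**
+* Blocks all Python-related commands including python, python3, pip, poetry, etc.
+* Use uv for Python package management instead.
+*/
+
+const PYTHON_PATTERN =
+/\b(python|python3|pip|pip3|poetry|pyenv|virtualenv|venv)\b/;
+
+export function setupPreventPythonHook(
+pi: ExtensionAPI,
+config: ResolvedConfig,
+) {
+if (!config.features.preventPython) return;
+
+pi.on("tool_call", async (event, ctx) => {
+if (event.toolName !== "bash") return;
+
+const command = String(event.input.command ?? "");
+
+if (PYTHON_PATTERN.test(command)) {
+ctx.ui.notify("Blocked Python command. Use uv instead.", "warning");
+
+const reason =
+"Python is not available globally on this machine. " +
+"Use uv for Python package management instead. " +
+"Run `uv init` to create a new Python project, " +
+"or `uv run python` to run Python scripts. " +
+"Use `uv add` to install packages (replaces pip/poetry).";
+
+emitBlocked(pi, {
+feature: "preventPython",
+toolName: "bash",
+input: event.input,
+reason,
+});
+
+return { block: true, reason };
+}
+return;
+});
+}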
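Review bot: `PYTHON_PATTERN.test(command)` matches the listed names anywhere in the bash command, so `uv run python`, which the `reason` string tells the agent to run, is itself blocked, along with any command that only mentions one of the words in a path or argument. Matching only in command position would avoid that, for example `/(?:^|[;&|])\s*(?:python3?|pip3?|poetry|pyenv|virtualenv|venv)\b/`. Either way this is a textual heuristic over the command string, so it would help to add a comment above the pattern such as `// Convention nudge toward uv, not an enforcement boundary; matching is textual.` and to cover the pattern with a unit test that includes the uv commands named in the message.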