npm - @aliou/pi-guardrails - Versions diffs - 0.5.3 → 0.6.0 - Mend

@aliou/pi-guardrails 0.5.3 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +63 -94
package/config-schema.ts +37 -25
package/config.ts +108 -141
package/events.ts +1 -6
package/glob-expander.ts +128 -0
package/hooks/index.ts +0 -6
package/hooks/permission-gate.ts +243 -142
package/hooks/protect-env-files.ts +120 -43
package/index.ts +6 -3
package/matching.ts +119 -0
package/migration.ts +135 -0
package/package.json +7 -4
package/pattern-editor.ts +61 -10
package/settings-command.ts +247 -426
package/shell-utils.ts +139 -0
package/array-editor.ts +0 -213
package/hooks/enforce-package-manager.ts +0 -96
package/hooks/prevent-brew.ts +0 -41
package/hooks/prevent-python.ts +0 -45
package/sectioned-settings.ts +0 -345

package/shell-utils.ts ADDED Viewed

@@ -0,0 +1,139 @@
+/**
+ * Shared shell AST helpers used by guardrails hooks.
+ *
+ * Each hook imports `parse` from `@aliou/sh` directly and uses these
+ * for common AST operations.
+ */
+import type {
+  Command,
+  Program,
+  SimpleCommand,
+  Statement,
+  Word,
+  WordPart,
+} from "@aliou/sh";
+/**
+ * Resolve a Word node to its literal string value.
+ * Concatenates Literal, SglQuoted, and simple DblQuoted parts.
+ * For parts containing parameter expansions, command substitutions, etc.,
+ * includes the raw text representation (e.g. `$VAR`).
+ */
+export function wordToString(word: Word): string {
+  return word.parts.map(partToString).join("");
+}
+function partToString(part: WordPart): string {
+  switch (part.type) {
+    case "Literal":
+      return part.value;
+    case "SglQuoted":
+      return part.value;
+    case "DblQuoted":
+      return part.parts.map(partToString).join("");
+    case "ParamExp":
+      return part.short
+        ? `$${part.param.value}`
+        : `\${${part.param.value}${part.op ?? ""}${part.value ? wordToString(part.value) : ""}}`;
+    case "CmdSubst":
+      return "$(...)";
+    case "ArithExp":
+      return `$((${part.expr}))`;
+    case "ProcSubst":
+      return `${part.op}(...)`;
+  }
+}
+/**
+ * Walk the AST and call `callback` for every SimpleCommand found at any
+ * nesting depth. Returns early if callback returns `true`.
+ */
+export function walkCommands(
+  node: Program,
+  callback: (cmd: SimpleCommand) => boolean | undefined,
+): void {
+  for (const stmt of node.body) {
+    if (walkStatement(stmt, callback)) return;
+  }
+}
+function walkStatement(
+  stmt: Statement,
+  callback: (cmd: SimpleCommand) => boolean | undefined,
+): boolean {
+  return walkCommand(stmt.command, callback);
+}
+function walkStatements(
+  stmts: Statement[],
+  callback: (cmd: SimpleCommand) => boolean | undefined,
+): boolean {
+  for (const stmt of stmts) {
+    if (walkStatement(stmt, callback)) return true;
+  }
+  return false;
+}
+function walkCommand(
+  cmd: Command,
+  callback: (cmd: SimpleCommand) => boolean | undefined,
+): boolean {
+  switch (cmd.type) {
+    case "SimpleCommand":
+      return callback(cmd) === true;
+    case "Pipeline":
+      return walkStatements(cmd.commands, callback);
+    case "Logical":
+      return (
+        walkStatement(cmd.left, callback) || walkStatement(cmd.right, callback)
+      );
+    case "Subshell":
+    case "Block":
+      return walkStatements(cmd.body, callback);
+    case "IfClause":
+      return (
+        walkStatements(cmd.cond, callback) ||
+        walkStatements(cmd.then, callback) ||
+        (cmd.else ? walkStatements(cmd.else, callback) : false)
+      );
+    case "ForClause":
+    case "SelectClause":
+    case "WhileClause":
+      return (
+        ("cond" in cmd && cmd.cond
+          ? walkStatements(cmd.cond, callback)
+          : false) || walkStatements(cmd.body, callback)
+      );
+    case "CaseClause":
+      for (const item of cmd.items) {
+        if (walkStatements(item.body, callback)) return true;
+      }
+      return false;
+    case "FunctionDecl":
+      return walkStatements(cmd.body, callback);
+    case "TimeClause":
+      return walkStatement(cmd.command, callback);
+    case "CoprocClause":
+      return walkStatement(cmd.body, callback);
+    case "CStyleLoop":
+      return walkStatements(cmd.body, callback);
+    // These don't contain nested commands we need to walk
+    case "TestClause":
+    case "ArithCmd":
+    case "DeclClause":
+    case "LetClause":
+      return false;
+  }
+}

package/array-editor.ts DELETED Viewed

@@ -1,213 +0,0 @@
-import type { Component, SettingsListTheme } from "@mariozechner/pi-tui";
-import {
-  Input,
-  Key,
-  matchesKey,
-  truncateToWidth,
-  visibleWidth,
-} from "@mariozechner/pi-tui";
-/**
- * A submenu component for editing string arrays inside a SettingsList.
- *
- * Modes:
- * - list: navigate items, delete with 'd', add with 'a', edit with 'e'/Enter
- * - add: text input for new item, confirm with Enter, cancel with Escape
- * - edit: text input pre-filled with current value, Enter saves, Escape cancels
- */
-export interface ArrayEditorOptions {
-  label: string;
-  items: string[];
-  theme: SettingsListTheme;
-  onSave: (items: string[]) => void;
-  onDone: () => void;
-  /** Max visible items before scrolling */
-  maxVisible?: number;
-}
-export class ArrayEditor implements Component {
-  private items: string[];
-  private label: string;
-  private theme: SettingsListTheme;
-  private onSave: (items: string[]) => void;
-  private onDone: () => void;
-  private selectedIndex = 0;
-  private maxVisible: number;
-  private mode: "list" | "add" | "edit" = "list";
-  private input: Input;
-  private editIndex = -1;
-  constructor(options: ArrayEditorOptions) {
-    this.items = [...options.items];
-    this.label = options.label;
-    this.theme = options.theme;
-    this.onSave = options.onSave;
-    this.onDone = options.onDone;
-    this.maxVisible = options.maxVisible ?? 10;
-    this.input = new Input();
-    this.input.onSubmit = (value: string) => {
-      if (this.mode === "edit") {
-        this.submitEdit(value);
-      } else {
-        this.submitAdd(value);
-      }
-    };
-    this.input.onEscape = () => {
-      this.mode = "list";
-      this.editIndex = -1;
-    };
-  }
-  private submitAdd(value: string) {
-    const trimmed = value.trim();
-    if (!trimmed) {
-      this.mode = "list";
-      return;
-    }
-    this.items.push(trimmed);
-    this.selectedIndex = this.items.length - 1;
-    this.save();
-    this.mode = "list";
-    this.input.setValue("");
-  }
-  private submitEdit(value: string) {
-    const trimmed = value.trim();
-    if (!trimmed) {
-      // Empty value = cancel edit
-      this.mode = "list";
-      this.editIndex = -1;
-      return;
-    }
-    this.items[this.editIndex] = trimmed;
-    this.save();
-    this.mode = "list";
-    this.editIndex = -1;
-    this.input.setValue("");
-  }
-  private deleteSelected() {
-    if (this.items.length === 0) return;
-    this.items.splice(this.selectedIndex, 1);
-    if (this.selectedIndex >= this.items.length) {
-      this.selectedIndex = Math.max(0, this.items.length - 1);
-    }
-    this.save();
-  }
-  private startEdit() {
-    if (this.items.length === 0) return;
-    this.editIndex = this.selectedIndex;
-    this.mode = "edit";
-    this.input.setValue(this.items[this.selectedIndex] as string);
-  }
-  private save() {
-    this.onSave([...this.items]);
-  }
-  invalidate() {}
-  render(width: number): string[] {
-    const lines: string[] = [];
-    // Header
-    lines.push(this.theme.label(` ${this.label}`, true));
-    lines.push("");
-    if (this.mode === "add" || this.mode === "edit") {
-      return [...lines, ...this.renderInputMode(width)];
-    }
-    return [...lines, ...this.renderListMode(width)];
-  }
-  private renderListMode(width: number): string[] {
-    const lines: string[] = [];
-    if (this.items.length === 0) {
-      lines.push(this.theme.hint("  (empty)"));
-    } else {
-      const startIndex = Math.max(
-        0,
-        Math.min(
-          this.selectedIndex - Math.floor(this.maxVisible / 2),
-          this.items.length - this.maxVisible,
-        ),
-      );
-      const endIndex = Math.min(
-        startIndex + this.maxVisible,
-        this.items.length,
-      );
-      for (let i = startIndex; i < endIndex; i++) {
-        const item = this.items[i];
-        if (!item) continue;
-        const isSelected = i === this.selectedIndex;
-        const prefix = isSelected ? this.theme.cursor : "  ";
-        const prefixWidth = visibleWidth(prefix);
-        const maxItemWidth = width - prefixWidth - 2;
-        const text = this.theme.value(
-          truncateToWidth(item, maxItemWidth, ""),
-          isSelected,
-        );
-        lines.push(prefix + text);
-      }
-      if (startIndex > 0 || endIndex < this.items.length) {
-        lines.push(
-          this.theme.hint(`  (${this.selectedIndex + 1}/${this.items.length})`),
-        );
-      }
-    }
-    lines.push("");
-    lines.push(
-      this.theme.hint("  a: add · e/Enter: edit · d: delete · Esc: back"),
-    );
-    return lines;
-  }
-  private renderInputMode(width: number): string[] {
-    const lines: string[] = [];
-    const label = this.mode === "edit" ? "  Edit item:" : "  New item:";
-    lines.push(this.theme.hint(label));
-    lines.push(`  ${this.input.render(width - 4).join("")}`);
-    lines.push("");
-    lines.push(this.theme.hint("  Enter: confirm · Esc: cancel"));
-    return lines;
-  }
-  handleInput(data: string) {
-    if (this.mode === "add" || this.mode === "edit") {
-      this.input.handleInput(data);
-      return;
-    }
-    // List mode
-    if (matchesKey(data, Key.up) || data === "k") {
-      if (this.items.length === 0) return;
-      this.selectedIndex =
-        this.selectedIndex === 0
-          ? this.items.length - 1
-          : this.selectedIndex - 1;
-    } else if (matchesKey(data, Key.down) || data === "j") {
-      if (this.items.length === 0) return;
-      this.selectedIndex =
-        this.selectedIndex === this.items.length - 1
-          ? 0
-          : this.selectedIndex + 1;
-    } else if (data === "a" || data === "A") {
-      this.mode = "add";
-      this.input.setValue("");
-    } else if (data === "e" || data === "E" || matchesKey(data, Key.enter)) {
-      this.startEdit();
-    } else if (data === "d" || data === "D") {
-      this.deleteSelected();
-    } else if (matchesKey(data, Key.escape)) {
-      this.onDone();
-    }
-  }
-}

package/hooks/enforce-package-manager.ts DELETED Viewed

@@ -1,96 +0,0 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import type { ResolvedConfig } from "../config-schema";
-import { emitBlocked } from "../events";
-/**
- * Enforces using a specific Node package manager (bun, pnpm, or npm).
- * Blocks commands using non-selected package managers.
- */
-const BUN_PATTERN = /\bbun\b/;
-const PNPM_PATTERN = /\bpnpm\b/;
-const NPM_PATTERN = /\bnpm\b/;
-type PackageManager = "bun" | "pnpm" | "npm";
-interface ManagerInfo {
-  pattern: RegExp;
-  name: string;
-  installCmd: string;
-  addCmd: string;
-  runCmd: string;
-}
-const MANAGER_INFO: Record<PackageManager, ManagerInfo> = {
-  bun: {
-    pattern: BUN_PATTERN,
-    name: "bun",
-    installCmd: "bun install",
-    addCmd: "bun add <package>",
-    runCmd: "bun run <script>",
-  },
-  pnpm: {
-    pattern: PNPM_PATTERN,
-    name: "pnpm",
-    installCmd: "pnpm install",
-    addCmd: "pnpm add <package>",
-    runCmd: "pnpm run <script>",
-  },
-  npm: {
-    pattern: NPM_PATTERN,
-    name: "npm",
-    installCmd: "npm install",
-    addCmd: "npm install <package>",
-    runCmd: "npm run <script>",
-  },
-};
-export function setupEnforcePackageManagerHook(
-  pi: ExtensionAPI,
-  config: ResolvedConfig,
-) {
-  if (!config.features.enforcePackageManager) return;
-  const selectedManager = config.packageManager.selected;
-  const selected = MANAGER_INFO[selectedManager];
-  // Get all managers that should be blocked (all except the selected one)
-  const blockedManagers = (
-    Object.keys(MANAGER_INFO) as PackageManager[]
-  ).filter((m) => m !== selectedManager);
-  pi.on("tool_call", async (event, ctx) => {
-    if (event.toolName !== "bash") return;
-    const command = String(event.input.command ?? "");
-    for (const blockedManager of blockedManagers) {
-      const blocked = MANAGER_INFO[blockedManager];
-      if (blocked.pattern.test(command)) {
-        ctx.ui.notify(
-          `Blocked ${blocked.name} command. Use ${selected.name} instead.`,
-          "warning",
-        );
-        const reason =
-          `This project uses ${selected.name} as its package manager. ` +
-          `Use ${selected.name} instead of ${blocked.name}. ` +
-          `Run \`${selected.installCmd}\` to install dependencies, ` +
-          `\`${selected.addCmd}\` to add packages, ` +
-          `and \`${selected.runCmd}\` to run scripts.`;
-        emitBlocked(pi, {
-          feature: "enforcePackageManager",
-          toolName: "bash",
-          input: event.input,
-          reason,
-        });
-        return { block: true, reason };
-      }
-    }
-    return;
-  });
-}

package/hooks/prevent-brew.ts DELETED Viewed

@@ -1,41 +0,0 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import type { ResolvedConfig } from "../config-schema";
-import { emitBlocked } from "../events";
-/**
- * Blocks all brew commands. Homebrew is not installed on this machine.
- */
-const BREW_PATTERN = /\bbrew\b/;
-export function setupPreventBrewHook(pi: ExtensionAPI, config: ResolvedConfig) {
-  if (!config.features.preventBrew) return;
-  pi.on("tool_call", async (event, ctx) => {
-    if (event.toolName !== "bash") return;
-    const command = String(event.input.command ?? "");
-    if (BREW_PATTERN.test(command)) {
-      ctx.ui.notify(
-        "Blocked brew command. Homebrew is not installed.",
-        "warning",
-      );
-      const reason =
-        "Homebrew is not installed on this machine. " +
-        "Use Nix for package management instead. " +
-        "Run packages via nix-shell or add them to the project's Nix configuration.";
-      emitBlocked(pi, {
-        feature: "preventBrew",
-        toolName: "bash",
-        input: event.input,
-        reason,
-      });
-      return { block: true, reason };
-    }
-    return;
-  });
-}

package/hooks/prevent-python.ts DELETED Viewed

@@ -1,45 +0,0 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import type { ResolvedConfig } from "../config-schema";
-import { emitBlocked } from "../events";
-/**
- * Blocks all Python-related commands including python, python3, pip, poetry, etc.
- * Use uv for Python package management instead.
- */
-const PYTHON_PATTERN =
-  /\b(python|python3|pip|pip3|poetry|pyenv|virtualenv|venv)\b/;
-export function setupPreventPythonHook(
-  pi: ExtensionAPI,
-  config: ResolvedConfig,
-) {
-  if (!config.features.preventPython) return;
-  pi.on("tool_call", async (event, ctx) => {
-    if (event.toolName !== "bash") return;
-    const command = String(event.input.command ?? "");
-    if (PYTHON_PATTERN.test(command)) {
-      ctx.ui.notify("Blocked Python command. Use uv instead.", "warning");
-      const reason =
-        "Python is not available globally on this machine. " +
-        "Use uv for Python package management instead. " +
-        "Run `uv init` to create a new Python project, " +
-        "or `uv run python` to run Python scripts. " +
-        "Use `uv add` to install packages (replaces pip/poetry).";
-      emitBlocked(pi, {
-        feature: "preventPython",
-        toolName: "bash",
-        input: event.input,
-        reason,
-      });
-      return { block: true, reason };
-    }
-    return;
-  });
-}