@aliou/pi-guardrails 0.5.4 → 0.6.0

package/glob-expander.ts

@@ -0,0 +1,128 @@
+/**
+ * Glob expansion using `fd` for env file protection.
+ *
+ * When a bash command contains shell globs referencing env files
+ * (e.g. `.env*`), we expand them against the filesystem to check
+ * if any expanded path matches a protected pattern.
+ */
+
+import { execFile } from "node:child_process";
+import { resolve } from "node:path";
+
+interface ExpandGlobOptions {
+  cwd?: string;
+  maxDepth?: number;
+  maxResults?: number;
+  timeout?: number;
+}
+
+/**
+ * Expand a glob pattern using `fd`.
+ * Returns matching file paths, or empty array on failure.
+ *
+ * fd is available at `~/.pi/agent/bin/fd` (in pi's PATH).
+ */
+export async function expandGlob(
+  pattern: string,
+  options: ExpandGlobOptions = {},
+): Promise<string[]> {
+  const {
+    cwd = process.cwd(),
+    maxDepth = 3,
+    maxResults = 50,
+    timeout = 2000,
+  } = options;
+
+  // Convert glob to fd-compatible regex.
+  // fd uses regex by default, so we convert glob chars.
+  const fdPattern = globToFdRegex(pattern);
+
+  return new Promise((res) => {
+    const args = [
+      "--type",
+      "f",
+      "--max-depth",
+      String(maxDepth),
+      "--max-results",
+      String(maxResults),
+      "--no-ignore",
+      "--hidden",
+      fdPattern,
+    ];
+
+    const child = execFile("fd", args, { cwd, timeout }, (err, stdout) => {
+      if (err) {
+        res([]);
+        return;
+      }
+
+      const files = stdout
+        .trim()
+        .split("\n")
+        .filter(Boolean)
+        .map((f) => resolve(cwd, f));
+
+      res(files);
+    });
+
+    // Safety net: kill if timeout isn't handled by execFile
+    setTimeout(() => {
+      child.kill();
+      res([]);
+    }, timeout + 500);
+  });
+}
+
+/**
+ * Convert a shell glob to an fd-compatible regex pattern.
+ * Handles `*`, `?`, and character classes `[...]`.
+ */
+function globToFdRegex(glob: string): string {
+  let regex = "";
+  let i = 0;
+  while (i < glob.length) {
+    const ch = glob[i] as string;
+    switch (ch) {
+      case "*":
+        regex += "[^/]*";
+        break;
+      case "?":
+        regex += "[^/]";
+        break;
+      case "[": {
+        // Pass character classes through
+        const end = glob.indexOf("]", i + 1);
+        if (end !== -1) {
+          regex += glob.slice(i, end + 1);
+          i = end;
+        } else {
+          regex += "\\[";
+        }
+        break;
+      }
+      case ".":
+      case "(":
+      case ")":
+      case "+":
+      case "^":
+      case "$":
+      case "{":
+      case "}":
+      case "|":
+      case "\\":
+        regex += `\\${ch}`;
+        break;
+      default:
+        regex += ch;
+    }
+    i++;
+  }
+  return `^${regex}$`;
+}
+
+/**
+ * Check if a string contains shell glob characters.
+ */
+export function hasGlobChars(s: string): boolean {
+  return /[*?[\]]/.test(s);
+}

package/hooks/index.ts

@@ -1,15 +1,9 @@
 import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import type { ResolvedConfig } from "../config-schema";
-import { setupEnforcePackageManagerHook } from "./enforce-package-manager";
 import { setupPermissionGateHook } from "./permission-gate";
-import { setupPreventBrewHook } from "./prevent-brew";
-import { setupPreventPythonHook } from "./prevent-python";
 import { setupProtectEnvFilesHook } from "./protect-env-files";
 
 export function setupGuardrailsHooks(pi: ExtensionAPI, config: ResolvedConfig) {
-  setupPreventBrewHook(pi, config);
-  setupPreventPythonHook(pi, config);
   setupProtectEnvFilesHook(pi, config);
   setupPermissionGateHook(pi, config);
-  setupEnforcePackageManagerHook(pi, config);
 }

package/hooks/permission-gate.ts

@@ -1,3 +1,4 @@
+import { parse } from "@aliou/sh";
 import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import { DynamicBorder } from "@mariozechner/pi-coding-agent";
 import {
@@ -8,66 +9,158 @@ import {
   Text,
   wrapTextWithAnsi,
 } from "@mariozechner/pi-tui";
-import type { ResolvedConfig } from "../config-schema";
+import type { DangerousPattern, ResolvedConfig } from "../config-schema";
 import { emitBlocked, emitDangerous } from "../events";
+import { type CompiledPattern, compileCommandPatterns } from "../matching";
+import { walkCommands, wordToString } from "../shell-utils";
 
 /**
  * Permission gate that prompts user confirmation for dangerous commands.
- * Patterns, confirmation behavior, allow/deny lists are all configurable.
+ *
+ * Built-in dangerous patterns are matched structurally via AST parsing.
+ * User custom patterns use substring/regex matching on the raw string.
+ * Allowed/auto-deny patterns match against the raw command string.
  */
 
+/**
+ * Structural matcher for a built-in dangerous command.
+ * Returns a description if matched, undefined otherwise.
+ */
+type StructuralMatcher = (words: string[]) => string | undefined;
+
+/**
+ * Built-in dangerous command matchers. These check the parsed command
+ * structure instead of regex against the raw string.
+ */
+const BUILTIN_MATCHERS: StructuralMatcher[] = [
+  // rm -rf
+  (words) => {
+    if (words[0] !== "rm") return undefined;
+    const hasRF = words.some(
+      (w) =>
+        w === "-rf" ||
+        w === "-fr" ||
+        (w.startsWith("-") && w.includes("r") && w.includes("f")),
+    );
+    return hasRF ? "recursive force delete" : undefined;
+  },
+  // sudo
+  (words) => (words[0] === "sudo" ? "superuser command" : undefined),
+  // dd if=
+  (words) => {
+    if (words[0] !== "dd") return undefined;
+    return words.some((w) => w.startsWith("if="))
+      ? "disk write operation"
+      : undefined;
+  },
+  // mkfs.*
+  (words) => (words[0]?.startsWith("mkfs.") ? "filesystem format" : undefined),
+  // chmod -R 777
+  (words) => {
+    if (words[0] !== "chmod") return undefined;
+    return words.includes("-R") && words.includes("777")
+      ? "insecure recursive permissions"
+      : undefined;
+  },
+  // chown -R
+  (words) => {
+    if (words[0] !== "chown") return undefined;
+    return words.includes("-R") ? "recursive ownership change" : undefined;
+  },
+];
+
+interface DangerMatch {
+  description: string;
+  pattern: string;
+}
+
+/**
+ * Check a parsed command against built-in structural matchers.
+ */
+function checkBuiltinDangerous(words: string[]): DangerMatch | undefined {
+  if (words.length === 0) return undefined;
+  for (const matcher of BUILTIN_MATCHERS) {
+    const desc = matcher(words);
+    if (desc) return { description: desc, pattern: "(structural)" };
+  }
+  return undefined;
+}
+
+/**
+ * Check a command string against dangerous patterns.
+ *
+ * When useBuiltinMatchers is true (default patterns): tries structural AST
+ * matching first, falls back to substring match on parse failure.
+ *
+ * When useBuiltinMatchers is false (customPatterns replaced defaults): skips
+ * structural matchers entirely, uses compiled patterns (substring/regex)
+ * against the raw command string.
+ */
+function findDangerousMatch(
+  command: string,
+  compiledPatterns: CompiledPattern[],
+  useBuiltinMatchers: boolean,
+  fallbackPatterns: DangerousPattern[],
+): DangerMatch | undefined {
+  if (useBuiltinMatchers) {
+    // Try structural matching first
+    try {
+      const { ast } = parse(command);
+      let match: DangerMatch | undefined;
+      walkCommands(ast, (cmd) => {
+        const words = (cmd.words ?? []).map(wordToString);
+        const result = checkBuiltinDangerous(words);
+        if (result) {
+          match = result;
+          return true;
+        }
+        return false;
+      });
+      if (match) return match;
+    } catch {
+      // Parse failed -- fall back to substring matching on raw string
+      for (const p of fallbackPatterns) {
+        if (command.includes(p.pattern)) {
+          return { description: p.description, pattern: p.pattern };
+        }
+      }
+    }
+  }
+
+  // Check compiled patterns (substring/regex on raw string).
+  // When customPatterns replaces defaults, this is the only matching path.
+  for (const cp of compiledPatterns) {
+    if (cp.test(command)) {
+      const src = cp.source as DangerousPattern;
+      return { description: src.description, pattern: src.pattern };
+    }
+  }
+
+  return undefined;
+}
+
 export function setupPermissionGateHook(
   pi: ExtensionAPI,
   config: ResolvedConfig,
 ) {
   if (!config.features.permissionGate) return;
 
-  // Compile patterns, skipping invalid regex
-  const dangerousPatterns = config.permissionGate.patterns
-    .map((p) => {
-      try {
-        return {
-          pattern: new RegExp(p.pattern),
-          description: p.description,
-          rawPattern: p.pattern,
-        };
-      } catch {
-        console.error(
-          `Invalid regex in guardrails permission-gate config: ${p.pattern}`,
-        );
-        return null;
-      }
-    })
-    .filter(
-      (p): p is { pattern: RegExp; description: string; rawPattern: string } =>
-        p !== null,
-    );
+  // Compile all configured patterns for substring/regex matching.
+  // When useBuiltinMatchers is true (defaults), these act as a supplement
+  // to the structural matchers. When false (customPatterns), these are the
+  // only matching path.
+  const compiledPatterns = compileCommandPatterns(
+    config.permissionGate.patterns,
+  );
+  const { useBuiltinMatchers } = config.permissionGate;
+  const fallbackPatterns = config.permissionGate.patterns;
 
-  const allowedPatterns = config.permissionGate.allowedPatterns
-    .map((p) => {
-      try {
-        return new RegExp(p);
-      } catch {
-        console.error(
-          `Invalid regex in guardrails allowedPatterns config: ${p}`,
-        );
-        return null;
-      }
-    })
-    .filter((r): r is RegExp => r !== null);
-
-  const autoDenyPatterns = config.permissionGate.autoDenyPatterns
-    .map((p) => {
-      try {
-        return new RegExp(p);
-      } catch {
-        console.error(
-          `Invalid regex in guardrails autoDenyPatterns config: ${p}`,
-        );
-        return null;
-      }
-    })
-    .filter((r): r is RegExp => r !== null);
+  const allowedPatterns = compileCommandPatterns(
+    config.permissionGate.allowedPatterns,
+  );
+  const autoDenyPatterns = compileCommandPatterns(
+    config.permissionGate.autoDenyPatterns,
+  );
 
   pi.on("tool_call", async (event, ctx) => {
     if (event.toolName !== "bash") return;
@@ -98,104 +191,112 @@ export function setupPermissionGateHook(
       }
     }
 
-    // Check dangerous patterns
-    for (const { pattern, description, rawPattern } of dangerousPatterns) {
-      if (pattern.test(command)) {
-        // Emit dangerous event (presenter will play sound)
-        emitDangerous(pi, { command, description, pattern: rawPattern });
-
-        if (config.permissionGate.requireConfirmation) {
-          const proceed = await ctx.ui.custom<boolean>(
-            (_tui, theme, _kb, done) => {
-              const container = new Container();
-              const redBorder = (s: string) => theme.fg("error", s);
-
-              container.addChild(new DynamicBorder(redBorder));
-              container.addChild(
-                new Text(
-                  theme.fg("error", theme.bold("Dangerous Command Detected")),
-                  1,
-                  0,
-                ),
-              );
-              container.addChild(new Spacer(1));
-              container.addChild(
-                new Text(
-                  theme.fg("warning", `This command contains ${description}:`),
-                  1,
-                  0,
-                ),
-              );
-              container.addChild(new Spacer(1));
-              container.addChild(
-                new DynamicBorder((s: string) => theme.fg("muted", s)),
-              );
-              const commandText = new Text("", 1, 0);
-              container.addChild(commandText);
-              container.addChild(
-                new DynamicBorder((s: string) => theme.fg("muted", s)),
-              );
-              container.addChild(new Spacer(1));
-              container.addChild(
-                new Text(theme.fg("text", "Allow execution?"), 1, 0),
-              );
-              container.addChild(new Spacer(1));
-              container.addChild(
-                new Text(theme.fg("dim", "y/enter: allow • n/esc: deny"), 1, 0),
-              );
-              container.addChild(new DynamicBorder(redBorder));
-
-              return {
-                render: (width: number) => {
-                  const wrappedCommand = wrapTextWithAnsi(
-                    theme.fg("text", command),
-                    width - 4,
-                  ).join("\n");
-                  commandText.setText(wrappedCommand);
-                  return container.render(width);
-                },
-                invalidate: () => container.invalidate(),
-                handleInput: (data: string) => {
-                  if (
-                    matchesKey(data, Key.enter) ||
-                    data === "y" ||
-                    data === "Y"
-                  ) {
-                    done(true);
-                  } else if (
-                    matchesKey(data, Key.escape) ||
-                    data === "n" ||
-                    data === "N"
-                  ) {
-                    done(false);
-                  }
-                },
-              };
-            },
-          );
-
-          if (!proceed) {
-            emitBlocked(pi, {
-              feature: "permissionGate",
-              toolName: "bash",
-              input: event.input,
-              reason: "User denied dangerous command",
-              userDenied: true,
-            });
-
-            return { block: true, reason: "User denied dangerous command" };
-          }
-        } else {
-          // No confirmation required - just notify and allow
-          ctx.ui.notify(
-            `Dangerous command detected: ${description}`,
-            "warning",
-          );
-        }
+    // Check dangerous patterns (structural + compiled)
+    const match = findDangerousMatch(
+      command,
+      compiledPatterns,
+      useBuiltinMatchers,
+      fallbackPatterns,
+    );
+    if (!match) return;
+
+    const { description, pattern: rawPattern } = match;
+
+    // Emit dangerous event (presenter will play sound)
+    emitDangerous(pi, { command, description, pattern: rawPattern });
+
+    if (config.permissionGate.requireConfirmation) {
+      // In print/RPC mode, block by default (safe fallback)
+      if (!ctx.hasUI) {
+        const reason = `Dangerous command blocked (no UI to confirm): ${description}`;
+        emitBlocked(pi, {
+          feature: "permissionGate",
+          toolName: "bash",
+          input: event.input,
+          reason,
+        });
+        return { block: true, reason };
+      }
+
+      const proceed = await ctx.ui.custom<boolean>((_tui, theme, _kb, done) => {
+        const container = new Container();
+        const redBorder = (s: string) => theme.fg("error", s);
+
+        container.addChild(new DynamicBorder(redBorder));
+        container.addChild(
+          new Text(
+            theme.fg("error", theme.bold("Dangerous Command Detected")),
+            1,
+            0,
+          ),
+        );
+        container.addChild(new Spacer(1));
+        container.addChild(
+          new Text(
+            theme.fg("warning", `This command contains ${description}:`),
+            1,
+            0,
+          ),
+        );
+        container.addChild(new Spacer(1));
+        container.addChild(
+          new DynamicBorder((s: string) => theme.fg("muted", s)),
+        );
+        const commandText = new Text("", 1, 0);
+        container.addChild(commandText);
+        container.addChild(
+          new DynamicBorder((s: string) => theme.fg("muted", s)),
+        );
+        container.addChild(new Spacer(1));
+        container.addChild(
+          new Text(theme.fg("text", "Allow execution?"), 1, 0),
+        );
+        container.addChild(new Spacer(1));
+        container.addChild(
+          new Text(theme.fg("dim", "y/enter: allow • n/esc: deny"), 1, 0),
+        );
+        container.addChild(new DynamicBorder(redBorder));
+
+        return {
+          render: (width: number) => {
+            const wrappedCommand = wrapTextWithAnsi(
+              theme.fg("text", command),
+              width - 4,
+            ).join("\n");
+            commandText.setText(wrappedCommand);
+            return container.render(width);
+          },
+          invalidate: () => container.invalidate(),
+          handleInput: (data: string) => {
+            if (matchesKey(data, Key.enter) || data === "y" || data === "Y") {
+              done(true);
+            } else if (
+              matchesKey(data, Key.escape) ||
+              data === "n" ||
+              data === "N"
+            ) {
+              done(false);
+            }
+          },
+        };
+      });
+
+      if (!proceed) {
+        emitBlocked(pi, {
+          feature: "permissionGate",
+          toolName: "bash",
+          input: event.input,
+          reason: "User denied dangerous command",
+          userDenied: true,
+        });
 
-        break;
+        return { block: true, reason: "User denied dangerous command" };
       }
+    } else {
+      // No confirmation required - just notify and allow
+      ctx.ui.notify(`Dangerous command detected: ${description}`, "warning");
     }
+
     return;
   });
 }