@aliou/pi-guardrails 0.5.4 → 0.6.1

package/{pattern-editor.ts → components/pattern-editor.ts}

@@ -8,16 +8,17 @@ import {
 } from "@mariozechner/pi-tui";
 
 /**
- * A submenu component for editing an array of {pattern, description} objects.
+ * A submenu component for editing an array of {pattern, description, regex?} objects.
  *
  * List mode: navigate, delete with 'd', add with 'a', edit with 'e'/Enter.
- * Form mode: two-field form (pattern + description), Tab to switch fields,
- *            Enter to submit, Escape to cancel.
+ * Form mode: three-field form (pattern + description + regex toggle),
+ *            Tab to switch fields, Enter to submit, Escape to cancel.
  */
 
 export interface PatternItem {
   pattern: string;
   description: string;
+  regex?: boolean;
 }
 
 export interface PatternEditorOptions {
@@ -26,10 +27,12 @@ export interface PatternEditorOptions {
   theme: SettingsListTheme;
   onSave: (items: PatternItem[]) => void;
   onDone: () => void;
+  /** Context hint for the pattern field label. */
+  context?: "file" | "command";
   maxVisible?: number;
 }
 
-type Field = "pattern" | "description";
+type Field = "pattern" | "description" | "regex";
 
 export class PatternEditor implements Component {
   private items: PatternItem[];
@@ -37,6 +40,7 @@ export class PatternEditor implements Component {
   private theme: SettingsListTheme;
   private onSave: (items: PatternItem[]) => void;
   private onDone: () => void;
+  private context: "file" | "command";
   private selectedIndex = 0;
   private maxVisible: number;
   private mode: "list" | "add" | "edit" = "list";
@@ -46,6 +50,7 @@ export class PatternEditor implements Component {
   private patternInput: Input;
   private descriptionInput: Input;
   private activeField: Field = "pattern";
+  private regexEnabled = false;
 
   constructor(options: PatternEditorOptions) {
     this.items = [...options.items];
@@ -53,6 +58,7 @@ export class PatternEditor implements Component {
     this.theme = options.theme;
     this.onSave = options.onSave;
     this.onDone = options.onDone;
+    this.context = options.context ?? "command";
     this.maxVisible = options.maxVisible ?? 10;
 
     this.patternInput = new Input();
@@ -72,7 +78,13 @@ export class PatternEditor implements Component {
       return;
     }
 
-    // If on description field (or pattern is empty), submit
+    // If on description field, move to regex toggle
+    if (this.activeField === "description") {
+      this.activeField = "regex";
+      return;
+    }
+
+    // If on regex field, submit
     this.submitForm();
   }
 
@@ -89,6 +101,9 @@ export class PatternEditor implements Component {
       pattern,
       description: description || pattern,
     };
+    if (this.regexEnabled) {
+      item.regex = true;
+    }
 
     if (this.mode === "edit") {
       this.items[this.editIndex] = item;
@@ -105,6 +120,7 @@ export class PatternEditor implements Component {
     this.mode = "list";
     this.editIndex = -1;
     this.activeField = "pattern";
+    this.regexEnabled = false;
     this.patternInput.setValue("");
     this.descriptionInput.setValue("");
   }
@@ -118,6 +134,7 @@ export class PatternEditor implements Component {
     this.activeField = "pattern";
     this.patternInput.setValue(item.pattern);
     this.descriptionInput.setValue(item.description);
+    this.regexEnabled = item.regex ?? false;
   }
 
   private deleteSelected() {
@@ -167,7 +184,8 @@ export class PatternEditor implements Component {
         const prefix = isSelected ? this.theme.cursor : "  ";
         const prefixWidth = visibleWidth(prefix);
         const maxItemWidth = width - prefixWidth - 2;
-        const display = `${item.description} (${item.pattern})`;
+        const regexTag = item.regex ? " [regex]" : "";
+        const display = `${item.description} (${item.pattern})${regexTag}`;
         const text = this.theme.value(
           truncateToWidth(display, maxItemWidth, ""),
           isSelected,
@@ -197,13 +215,16 @@ export class PatternEditor implements Component {
 
     const patternActive = this.activeField === "pattern";
     const descActive = this.activeField === "description";
+    const regexActive = this.activeField === "regex";
 
     // Title
     lines.push(this.theme.hint(isEdit ? "  Edit pattern:" : "  New pattern:"));
     lines.push("");
 
     // Pattern field
-    const patternLabel = "  Pattern (regex):";
+    const patternHint =
+      this.context === "file" ? "(glob or regex)" : "(substring or regex)";
+    const patternLabel = `  Pattern ${patternHint}:`;
     lines.push(
       patternActive
         ? this.theme.label(patternLabel, true)
@@ -222,8 +243,21 @@ export class PatternEditor implements Component {
     lines.push(`  ${this.descriptionInput.render(inputWidth).join("")}`);
     lines.push("");
 
+    // Regex toggle
+    const regexLabel = "  Regex:";
+    const regexValue = this.regexEnabled ? "on" : "off";
+    const regexDisplay = `${regexLabel} ${regexValue}`;
     lines.push(
-      this.theme.hint("  Tab: switch field · Enter: next/submit · Esc: cancel"),
+      regexActive
+        ? this.theme.label(regexDisplay, true)
+        : this.theme.hint(regexDisplay),
+    );
+    lines.push("");
+
+    lines.push(
+      this.theme.hint(
+        "  Tab: switch field · Space: toggle regex · Enter: next/submit · Esc: cancel",
+      ),
     );
 
     return lines;
@@ -251,6 +285,7 @@ export class PatternEditor implements Component {
     } else if (data === "a" || data === "A") {
       this.mode = "add";
       this.activeField = "pattern";
+      this.regexEnabled = false;
       this.patternInput.setValue("");
       this.descriptionInput.setValue("");
     } else if (data === "e" || data === "E" || matchesKey(data, Key.enter)) {
@@ -264,8 +299,12 @@ export class PatternEditor implements Component {
 
   private handleFormInput(data: string) {
     if (matchesKey(data, Key.tab) || matchesKey(data, Key.shift("tab"))) {
-      this.activeField =
-        this.activeField === "pattern" ? "description" : "pattern";
+      const fields: Field[] = ["pattern", "description", "regex"];
+      const idx = fields.indexOf(this.activeField);
+      const dir = matchesKey(data, Key.shift("tab")) ? -1 : 1;
+      this.activeField = fields[
+        (idx + dir + fields.length) % fields.length
+      ] as Field;
       return;
     }
 
@@ -274,6 +313,18 @@ export class PatternEditor implements Component {
       return;
     }
 
+    // Regex toggle: space toggles when on regex field
+    if (this.activeField === "regex") {
+      if (data === " " || matchesKey(data, Key.enter)) {
+        this.regexEnabled = !this.regexEnabled;
+      }
+      // Enter on regex field submits if we already have a pattern
+      if (matchesKey(data, Key.enter) && this.patternInput.getValue().trim()) {
+        this.submitForm();
+      }
+      return;
+    }
+
     // Delegate to active input
     const activeInput =
       this.activeField === "pattern"

package/config.ts

@@ -1,40 +1,174 @@
-import { mkdir, readFile, writeFile } from "node:fs/promises";
-import { homedir } from "node:os";
-import { dirname, resolve } from "node:path";
-import type { GuardrailsConfig, ResolvedConfig } from "./config-schema";
+/**
+ * Configuration schema for the guardrails extension.
+ *
+ * GuardrailsConfig is the user-facing schema (all fields optional).
+ * ResolvedConfig is the internal schema (all fields required, defaults applied).
+ */
+
+/**
+ * A pattern with explicit matching mode.
+ * Default: glob for files, substring for commands.
+ * regex: true means full regex matching.
+ */
+export interface PatternConfig {
+  pattern: string;
+  regex?: boolean;
+}
 
-const GLOBAL_CONFIG_PATH = resolve(
-  homedir(),
-  ".pi/agent/extensions/guardrails.json",
-);
-const PROJECT_CONFIG_PATH = resolve(
-  process.cwd(),
-  ".pi/extensions/guardrails.json",
-);
+/**
+ * Permission gate pattern. When regex is false (default), the pattern
+ * is matched as substring against the raw command string.
+ * When regex is true, uses full regex against the raw string.
+ */
+export interface DangerousPattern extends PatternConfig {
+  description: string;
+}
+
+export interface GuardrailsConfig {
+  version?: string;
+  enabled?: boolean;
+  features?: {
+    protectEnvFiles?: boolean;
+    permissionGate?: boolean;
+  };
+  envFiles?: {
+    protectedPatterns?: PatternConfig[];
+    allowedPatterns?: PatternConfig[];
+    protectedDirectories?: PatternConfig[];
+    protectedTools?: string[];
+    onlyBlockIfExists?: boolean;
+    blockMessage?: string;
+  };
+  permissionGate?: {
+    patterns?: DangerousPattern[];
+    /** If set, replaces the default patterns entirely. */
+    customPatterns?: DangerousPattern[];
+    requireConfirmation?: boolean;
+    allowedPatterns?: PatternConfig[];
+    autoDenyPatterns?: PatternConfig[];
+  };
+}
+
+export interface ResolvedConfig {
+  version: string;
+  enabled: boolean;
+  features: {
+    protectEnvFiles: boolean;
+    permissionGate: boolean;
+  };
+  envFiles: {
+    protectedPatterns: PatternConfig[];
+    allowedPatterns: PatternConfig[];
+    protectedDirectories: PatternConfig[];
+    protectedTools: string[];
+    onlyBlockIfExists: boolean;
+    blockMessage: string;
+  };
+  permissionGate: {
+    patterns: DangerousPattern[];
+    /** When true, use hardcoded structural matchers for built-in patterns.
+     *  Set to false when customPatterns replaces the defaults. */
+    useBuiltinMatchers: boolean;
+    requireConfirmation: boolean;
+    allowedPatterns: PatternConfig[];
+    autoDenyPatterns: PatternConfig[];
+  };
+}
+
+import { ConfigLoader, type Migration } from "@aliou/pi-utils-settings";
+import {
+  backupConfig,
+  CURRENT_VERSION,
+  migrateV0,
+  needsMigration,
+} from "./utils/migration";
+
+/**
+ * Config fields removed in the toolchain extraction.
+ * Old configs containing these are auto-cleaned on first load.
+ */
+const REMOVED_FEATURE_KEYS = [
+  "preventBrew",
+  "preventPython",
+  "enforcePackageManager",
+] as const;
+
+const TOOLCHAIN_MIGRATION_VERSION = "0.7.0-20260204";
+
+function hasRemovedFields(config: GuardrailsConfig): boolean {
+  const raw = config as Record<string, unknown>;
+  const features = raw.features as Record<string, unknown> | undefined;
+  if (features) {
+    for (const key of REMOVED_FEATURE_KEYS) {
+      if (key in features) return true;
+    }
+  }
+  return "packageManager" in raw;
+}
+
+function stripRemovedFields(config: GuardrailsConfig): GuardrailsConfig {
+  const cleaned = structuredClone(config) as Record<string, unknown>;
+  const features = cleaned.features as Record<string, unknown> | undefined;
+  if (features) {
+    for (const key of REMOVED_FEATURE_KEYS) {
+      delete features[key];
+    }
+  }
+  delete cleaned.packageManager;
+  cleaned.version = TOOLCHAIN_MIGRATION_VERSION;
+  return cleaned as GuardrailsConfig;
+}
+
+const migrations: Migration<GuardrailsConfig>[] = [
+  {
+    name: "v0-format-upgrade",
+    shouldRun: (config) => needsMigration(config),
+    run: async (config, filePath) => {
+      await backupConfig(filePath);
+      return migrateV0(config);
+    },
+  },
+  {
+    name: "strip-toolchain-fields",
+    shouldRun: (config) => hasRemovedFields(config),
+    run: (config) => {
+      const version = (config as Record<string, unknown>).version as
+        | string
+        | undefined;
+      if (!version || version < TOOLCHAIN_MIGRATION_VERSION) {
+        console.error(
+          "[guardrails] preventBrew, preventPython, enforcePackageManager, and packageManager " +
+            "have been removed from guardrails and moved to @aliou/pi-toolchain. " +
+            "These fields will be stripped from your config.",
+        );
+      }
+      return stripRemovedFields(config);
+    },
+  },
+];
 
 const DEFAULT_CONFIG: ResolvedConfig = {
+  version: CURRENT_VERSION,
   enabled: true,
   features: {
-    preventBrew: false,
-    preventPython: false,
     protectEnvFiles: true,
     permissionGate: true,
-    enforcePackageManager: false,
-  },
-  packageManager: {
-    selected: "npm",
   },
   envFiles: {
     protectedPatterns: [
-      "\\.env$",
-      "\\.env\\.local$",
-      "\\.env\\.production$",
-      "\\.env\\.prod$",
-      "\\.dev\\.vars$",
+      { pattern: ".env" },
+      { pattern: ".env.local" },
+      { pattern: ".env.production" },
+      { pattern: ".env.prod" },
+      { pattern: ".dev.vars" },
     ],
     allowedPatterns: [
-      "\\.(example|sample|test)\\.env$",
-      "\\.env\\.(example|sample|test)$",
+      { pattern: "*.example.env" },
+      { pattern: "*.sample.env" },
+      { pattern: "*.test.env" },
+      { pattern: ".env.example" },
+      { pattern: ".env.sample" },
+      { pattern: ".env.test" },
     ],
     protectedDirectories: [],
     protectedTools: ["read", "write", "edit", "bash", "grep", "find", "ls"],
@@ -46,131 +180,40 @@ const DEFAULT_CONFIG: ResolvedConfig = {
   },
   permissionGate: {
     patterns: [
-      { pattern: "rm\\s+-rf", description: "recursive force delete" },
-      { pattern: "\\bsudo\\b", description: "superuser command" },
-      { pattern: ":\\s*\\|\\s*sh", description: "piped shell execution" },
-      { pattern: "\\bdd\\s+if=", description: "disk write operation" },
-      { pattern: "mkfs\\.", description: "filesystem format" },
+      { pattern: "rm -rf", description: "recursive force delete" },
+      { pattern: "sudo", description: "superuser command" },
+      { pattern: "dd if=", description: "disk write operation" },
+      { pattern: "mkfs.", description: "filesystem format" },
       {
-        pattern: "\\bchmod\\s+-R\\s+777",
+        pattern: "chmod -R 777",
         description: "insecure recursive permissions",
       },
-      {
-        pattern: "\\bchown\\s+-R",
-        description: "recursive ownership change",
-      },
+      { pattern: "chown -R", description: "recursive ownership change" },
     ],
+    useBuiltinMatchers: true,
     requireConfirmation: true,
     allowedPatterns: [],
     autoDenyPatterns: [],
   },
 };
 
-class ConfigLoader {
-  private globalConfig: GuardrailsConfig | null = null;
-  private projectConfig: GuardrailsConfig | null = null;
-  private resolved: ResolvedConfig | null = null;
-
-  async load(): Promise<void> {
-    this.globalConfig = await this.loadConfigFile(GLOBAL_CONFIG_PATH);
-    this.projectConfig = await this.loadConfigFile(PROJECT_CONFIG_PATH);
-    this.resolved = this.mergeConfigs();
-  }
-
-  private async loadConfigFile(path: string): Promise<GuardrailsConfig | null> {
-    try {
-      const content = await readFile(path, "utf-8");
-      return JSON.parse(content) as GuardrailsConfig;
-    } catch {
-      return null;
-    }
-  }
-
-  private mergeConfigs(): ResolvedConfig {
-    const merged = structuredClone(DEFAULT_CONFIG);
-
-    if (this.globalConfig) {
-      this.mergeInto(merged, this.globalConfig);
-    }
-    if (this.projectConfig) {
-      this.mergeInto(merged, this.projectConfig);
-    }
-
-    // customPatterns replaces entire patterns array
-    if (this.projectConfig?.permissionGate?.customPatterns) {
-      merged.permissionGate.patterns =
-        this.projectConfig.permissionGate.customPatterns;
-    } else if (this.globalConfig?.permissionGate?.customPatterns) {
-      merged.permissionGate.patterns =
-        this.globalConfig.permissionGate.customPatterns;
-    }
-
-    return merged;
-  }
-
-  private mergeInto<TTarget extends object, TSource extends object>(
-    target: TTarget,
-    source: TSource,
-  ): void {
-    const t = target as Record<string, unknown>;
-    const s = source as Record<string, unknown>;
-
-    for (const key in s) {
-      if (s[key] === undefined) continue;
-
-      if (
-        typeof s[key] === "object" &&
-        !Array.isArray(s[key]) &&
-        s[key] !== null
-      ) {
-        if (!t[key]) t[key] = {};
-        this.mergeInto(t[key] as object, s[key] as object);
-      } else {
-        t[key] = s[key];
+export const configLoader = new ConfigLoader<GuardrailsConfig, ResolvedConfig>(
+  "guardrails",
+  DEFAULT_CONFIG,
+  {
+    migrations,
+    afterMerge: (resolved, global, project) => {
+      // customPatterns replaces the entire patterns array and disables
+      // built-in structural matchers (user owns all matching).
+      if (project?.permissionGate?.customPatterns) {
+        resolved.permissionGate.patterns =
+          project.permissionGate.customPatterns;
+        resolved.permissionGate.useBuiltinMatchers = false;
+      } else if (global?.permissionGate?.customPatterns) {
+        resolved.permissionGate.patterns = global.permissionGate.customPatterns;
+        resolved.permissionGate.useBuiltinMatchers = false;
       }
-    }
-  }
-
-  getConfig(): ResolvedConfig {
-    if (!this.resolved) {
-      throw new Error("Config not loaded. Call load() first.");
-    }
-    return this.resolved;
-  }
-
-  async saveGlobal(config: GuardrailsConfig): Promise<void> {
-    await this.saveConfigFile(GLOBAL_CONFIG_PATH, config);
-    await this.load();
-  }
-
-  async saveProject(config: GuardrailsConfig): Promise<void> {
-    await this.saveConfigFile(PROJECT_CONFIG_PATH, config);
-    await this.load();
-  }
-
-  private async saveConfigFile(
-    path: string,
-    config: GuardrailsConfig,
-  ): Promise<void> {
-    await mkdir(dirname(path), { recursive: true });
-    await writeFile(path, `${JSON.stringify(config, null, 2)}\n`, "utf-8");
-  }
-
-  hasGlobalConfig(): boolean {
-    return this.globalConfig !== null;
-  }
-
-  hasProjectConfig(): boolean {
-    return this.projectConfig !== null;
-  }
-
-  getGlobalConfig(): GuardrailsConfig {
-    return this.globalConfig ?? {};
-  }
-
-  getProjectConfig(): GuardrailsConfig {
-    return this.projectConfig ?? {};
-  }
-}
-
-export const configLoader = new ConfigLoader();
+      return resolved;
+    },
+  },
+);

package/hooks/index.ts

@@ -1,15 +1,9 @@
 import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import type { ResolvedConfig } from "../config-schema";
-import { setupEnforcePackageManagerHook } from "./enforce-package-manager";
+import type { ResolvedConfig } from "../config";
 import { setupPermissionGateHook } from "./permission-gate";
-import { setupPreventBrewHook } from "./prevent-brew";
-import { setupPreventPythonHook } from "./prevent-python";
 import { setupProtectEnvFilesHook } from "./protect-env-files";
 
 export function setupGuardrailsHooks(pi: ExtensionAPI, config: ResolvedConfig) {
-  setupPreventBrewHook(pi, config);
-  setupPreventPythonHook(pi, config);
   setupProtectEnvFilesHook(pi, config);
   setupPermissionGateHook(pi, config);
-  setupEnforcePackageManagerHook(pi, config);
 }