@aliou/pi-guardrails 0.7.7 → 0.9.0

package/README.md

@@ -1,12 +1,12 @@
 # Guardrails
 
-Security hooks to prevent potentially dangerous operations.
+Security hooks for Pi to reduce accidental destructive actions and secret-file access.
 
 ## Demo
 
-<video src="https://assets.aliou.me/pi-extensions/2026-01-26-guardrails-demo.mp4" controls playsinline muted></video>
+<video src="https://assets.aliou.me/pi-extensions/demos/pi-guardrails.mp4" controls playsinline muted></video>
 
-## Installation
+## Install
 
 ```bash
 pi install npm:@aliou/pi-guardrails
@@ -18,66 +18,57 @@ Or from git:
 pi install git:github.com/aliou/pi-guardrails
 ```
 
-## Features
+## What it does
 
-- **protect-env-files**: Prevents access to `.env` files (except `.example`/`.sample`/`.test`)
-- **permission-gate**: Prompts for confirmation on dangerous commands
+- **policies**: named file-protection rules with per-rule protection levels.
+- **permission-gate**: detects dangerous bash commands and asks for confirmation.
+- **optional command explainer**: can call a small LLM to explain a dangerous command inline in the confirmation dialog.
 
-All hooks use structural shell parsing via `@aliou/sh` to avoid false positives from keywords inside commit messages, grep patterns, heredocs, or file paths. On parse failure, each hook falls back to regex matching (previous behavior).
+## Config locations
 
-> **Migration note**: The `preventBrew`, `preventPython`, `enforcePackageManager`, and `packageManager` fields have been removed from guardrails and moved to the [`@aliou/pi-toolchain`](https://github.com/aliou/pi-toolchain) extension. Old configs containing these fields are auto-cleaned on first load with a one-time warning. Install `@aliou/pi-toolchain` and configure `.pi/extensions/toolchain.json` instead.
+Guardrails reads and merges config from:
 
-## Configuration
+- Global: `~/.pi/agent/extensions/guardrails.json`
+- Project: `.pi/extensions/guardrails.json`
+- Memory (session): internal temporary scope used by settings/commands
 
-Configuration is loaded from two optional JSON files, merged in order (project overrides global):
+Priority: `memory > local > global > defaults`.
 
-- **Global**: `~/.pi/agent/extensions/guardrails.json`
-- **Project**: `.pi/extensions/guardrails.json`
+Use `/guardrails:settings` to edit config interactively.
 
-### Settings Command
-
-Run `/guardrails:settings` to open an interactive settings UI with two tabs:
-- **Local**: edit project-scoped config (`.pi/extensions/guardrails.json`)
-- **Global**: edit global config (`~/.pi/agent/extensions/guardrails.json`)
-
-Use `Tab` / `Shift+Tab` to switch tabs. Boolean settings can be toggled directly.
-
-### Migration from v0
-
-Configs without a `version` field are automatically migrated on first load. The migration:
-- Backs up the original as `guardrails.v0.json`
-- Converts all string patterns to `{ pattern, regex: true }` to preserve behavior
-- Adds a `version` field
-
-### Configuration Schema
+## Current schema
 
 ```json
 {
   "enabled": true,
   "features": {
-    "protectEnvFiles": true,
+    "policies": true,
     "permissionGate": true
   },
-  "envFiles": {
-    "protectedPatterns": [
-      { "pattern": ".env" },
-      { "pattern": ".env.local" },
-      { "pattern": ".env.production" },
-      { "pattern": ".env.prod" },
-      { "pattern": ".dev.vars" }
-    ],
-    "allowedPatterns": [
-      { "pattern": ".env.example" },
-      { "pattern": ".env.sample" },
-      { "pattern": ".env.test" },
-      { "pattern": "*.example.env" },
-      { "pattern": "*.sample.env" },
-      { "pattern": "*.test.env" }
-    ],
-    "protectedDirectories": [],
-    "protectedTools": ["read", "write", "edit", "bash", "grep", "find", "ls"],
-    "onlyBlockIfExists": true,
-    "blockMessage": "Accessing {file} is not allowed. ..."
+  "policies": {
+    "rules": [
+      {
+        "id": "secret-files",
+        "description": "Files containing secrets",
+        "patterns": [
+          { "pattern": ".env" },
+          { "pattern": ".env.local" },
+          { "pattern": ".env.production" },
+          { "pattern": ".env.prod" },
+          { "pattern": ".dev.vars" }
+        ],
+        "allowedPatterns": [
+          { "pattern": ".env.example" },
+          { "pattern": ".env.sample" },
+          { "pattern": ".env.test" },
+          { "pattern": "*.example.env" },
+          { "pattern": "*.sample.env" },
+          { "pattern": "*.test.env" }
+        ],
+        "protection": "noAccess",
+        "onlyIfExists": true
+      }
+    ]
   },
   "permissionGate": {
     "patterns": [
@@ -87,110 +78,93 @@ Configs without a `version` field are automatically migrated on first load. The
     "customPatterns": [],
     "requireConfirmation": true,
     "allowedPatterns": [],
-    "autoDenyPatterns": []
+    "autoDenyPatterns": [],
+    "explainCommands": false,
+    "explainModel": null,
+    "explainTimeout": 5000
   }
 }
 ```
 
-All fields are optional. Missing fields use defaults shown above. The default patterns listed here may change between versions. Check the source code or run `/guardrails:settings` to see the current defaults and update them to your liking.
+All fields optional. Missing fields use defaults.
 
-### Pattern Format
+## Policies
 
-Patterns support two modes controlled by the `regex` flag:
+Each rule has:
 
-**File patterns** (envFiles section):
-- Default (`regex` omitted or `false`): glob matching against the filename. `*` matches any non-`/` chars, `?` matches a single char. Example: `.env.*` matches `.env.local`, `.env.production`.
-- `regex: true`: full regex (case-insensitive) against the full path. Example: `{ "pattern": "\\.env$", "regex": true }`.
+- `id`: stable identifier used for overrides across scopes.
+- `patterns`: files to match (glob by default, regex if `regex: true`).
+- `allowedPatterns`: exceptions.
+- `protection`:
+  - `noAccess`: block `read`, `write`, `edit`, `bash`, `grep`, `find`, `ls`
+  - `readOnly`: block `write`, `edit`, `bash`
+  - `none`: explicit no protection
+- `onlyIfExists` (default true)
+- `blockMessage` with `{file}` placeholder
+- `enabled` (default true)
 
-**Command patterns** (permissionGate section):
-- Default (`regex` omitted or `false`): substring matching against the raw command string. Example: `"rm -rf"` matches any command containing `rm -rf`.
-- `regex: true`: full regex against the raw command string. Example: `{ "pattern": "rm\\s+-rf", "regex": true }`.
+When multiple rules match the same file, strongest protection wins:
+`noAccess > readOnly > none`.
 
-Built-in dangerous command patterns (`rm -rf`, `sudo`, `dd if=`, `mkfs.*`, `chmod -R 777`, `chown -R`) are matched structurally via AST parsing, independent of the pattern format.
+### Add rule with AI
 
-### Configuration Details
+Use:
 
-#### `features`
+```text
+/guardrails:add-policy
+```
 
-| Key | Default | Description |
-|---|---|---|
-| `protectEnvFiles` | `true` | Block access to `.env` files containing secrets |
-| `permissionGate` | `true` | Prompt for confirmation on dangerous commands |
+This starts a subagent that helps build and save one policy rule.
 
-#### `envFiles`
+## Permission gate
 
-| Key | Default | Description |
-|---|---|---|
-| `protectedPatterns` | `[".env", ".env.local", ...]` | Patterns for files to protect (glob by default) |
-| `allowedPatterns` | `[".env.example", "*.example.env", ...]` | Patterns for allowed exceptions |
-| `protectedDirectories` | `[]` | Patterns for directories to protect |
-| `protectedTools` | `["read", "write", "edit", "bash", "grep", "find", "ls"]` | Tools to intercept |
-| `onlyBlockIfExists` | `true` | Only block if the file exists on disk |
-| `blockMessage` | See defaults | Message shown when blocked. Supports `{file}` placeholder |
+Detects dangerous bash commands and prompts user confirmation.
 
-#### `permissionGate`
+Built-in dangerous patterns are matched structurally (AST-based) for better accuracy:
 
-| Key | Default | Description |
-|---|---|---|
-| `patterns` | See defaults | Array of `{ pattern, description }` for dangerous commands |
-| `customPatterns` | Not set | If set, replaces `patterns` entirely |
-| `requireConfirmation` | `true` | Show confirmation dialog (if `false`, just warns) |
-| `allowedPatterns` | `[]` | Patterns that bypass the gate |
-| `autoDenyPatterns` | `[]` | Patterns that are blocked immediately without dialog |
+- `rm -rf`
+- `sudo`
+- `dd if=`
+- `mkfs.`
+- `chmod -R 777`
+- `chown -R`
 
-### Examples
+You can also add custom dangerous patterns.
 
-Add a custom dangerous command pattern (substring match):
+### Explain commands (opt-in)
 
-```json
-{
-  "permissionGate": {
-    "patterns": [
-      { "pattern": "rm -rf", "description": "recursive force delete" },
-      { "pattern": "sudo", "description": "superuser command" },
-      { "pattern": "docker system prune", "description": "docker system prune" }
-    ]
-  }
-}
-```
+If enabled, guardrails calls an LLM before showing the confirmation dialog and displays a short explanation.
 
-Add a regex-based pattern:
+Config fields:
 
-```json
-{
-  "permissionGate": {
-    "patterns": [
-      { "pattern": "rm\\s+-rf\\s+/(?!tmp)", "description": "rm -rf outside /tmp", "regex": true }
-    ]
-  }
-}
-```
+- `permissionGate.explainCommands` (boolean)
+- `permissionGate.explainModel` (`provider/model-id`)
+- `permissionGate.explainTimeout` (ms)
 
-Protect env files with glob patterns:
+Failures/timeouts degrade gracefully: dialog still shows without explanation.
 
-```json
-{
-  "envFiles": {
-    "protectedPatterns": [
-      { "pattern": ".env" },
-      { "pattern": ".env.*" },
-      { "pattern": ".dev.vars" }
-    ]
-  }
-}
-```
+## Migration notes
+
+Legacy fields are auto-migrated:
+
+- `features.protectEnvFiles` -> `features.policies`
+- `envFiles` -> `policies.rules` (migrated into `secret-files`)
+
+`config.version` is a schema marker, not npm package version.
+
+Also note:
+
+- `preventBrew`, `preventPython`, `enforcePackageManager`, `packageManager` were removed from guardrails and moved to `@aliou/pi-toolchain`.
 
 ## Events
 
-The extension emits events on the pi event bus for inter-extension communication.
+Guardrails emits events for other extensions:
 
 ### `guardrails:blocked`
 
-Emitted when a tool call is blocked by any guardrail.
-
-```typescript
+```ts
 interface GuardrailsBlockedEvent {
-  feature: "protectEnvFiles" | "permissionGate";
+  feature: "policies" | "permissionGate";
   toolName: string;
   input: Record<string, unknown>;
   reason: string;
@@ -200,36 +174,10 @@ interface GuardrailsBlockedEvent {
 
 ### `guardrails:dangerous`
 
-Emitted when a dangerous command is detected (before the confirmation dialog).
-
-```typescript
+```ts
 interface GuardrailsDangerousEvent {
   command: string;
   description: string;
   pattern: string;
 }
 ```
-
-The [presenter extension](https://github.com/aliou/pi-extensions/tree/main/extensions/presenter) listens for `guardrails:dangerous` events and plays a notification sound.
-
-## Hooks
-
-### protect-env-files
-
-Prevents accessing `.env` files that might contain secrets. Only allows access to safe variants like `.env.example`, `.env.sample`, `.env.test`.
-
-Shell globs (e.g. `.env*`) are expanded via `fd` to check if any expanded path matches a protected pattern.
-
-Covers tools: `read`, `write`, `edit`, `bash`, `grep`, `find`, `ls` (configurable).
-
-### permission-gate
-
-Prompts user confirmation before executing dangerous commands:
-- `rm -rf` (recursive force delete)
-- `sudo` (superuser command)
-- `dd if=` (disk write operation)
-- `mkfs.` (filesystem format)
-- `chmod -R 777` (insecure recursive permissions)
-- `chown -R` (recursive ownership change)
-
-Built-in patterns are matched structurally (AST-based). Custom patterns use substring or regex matching. Supports allow-lists and auto-deny lists.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aliou/pi-guardrails",
-  "version": "0.7.7",
+  "version": "0.9.0",
   "license": "MIT",
   "type": "module",
   "private": false,
@@ -29,17 +29,21 @@
     "README.md"
   ],
   "dependencies": {
-    "@aliou/pi-utils-settings": "^0.4.0",
+    "@aliou/pi-utils-settings": "^0.8.0",
     "@aliou/sh": "^0.1.0"
   },
   "peerDependencies": {
-    "@mariozechner/pi-coding-agent": ">=0.51.0",
+    "@mariozechner/pi-agent-core": ">=0.52.7",
+    "@mariozechner/pi-ai": ">=0.52.7",
+    "@mariozechner/pi-coding-agent": ">=0.52.7",
     "@mariozechner/pi-tui": ">=0.51.0"
   },
   "devDependencies": {
     "@aliou/biome-plugins": "^0.3.2",
     "@biomejs/biome": "^2.3.13",
     "@changesets/cli": "^2.27.11",
+    "@mariozechner/pi-agent-core": "0.52.7",
+    "@mariozechner/pi-ai": "0.52.7",
     "@mariozechner/pi-coding-agent": "0.52.7",
     "@sinclair/typebox": "^0.34.48",
     "@types/node": "^25.0.10",
@@ -47,6 +51,12 @@
     "typescript": "^5.9.3"
   },
   "peerDependenciesMeta": {
+    "@mariozechner/pi-agent-core": {
+      "optional": true
+    },
+    "@mariozechner/pi-ai": {
+      "optional": true
+    },
     "@mariozechner/pi-coding-agent": {
       "optional": true
     },