@arvoretech/pi-secret-firewall 0.1.0

package/README.md

@@ -0,0 +1,68 @@
+# @arvoretech/pi-secret-firewall
+
+A secret firewall for the Pi/Kiro agent. It keeps secret **values** out of the
+model context entirely, exposing them only as `$SECRET_*` shell environment
+variables that the model can *reference by name* but never *read*.
+
+## How it works
+
+On session start (and on demand) it discovers secrets from two sources:
+
+1. **Real environment variables** whose name looks sensitive
+   (`*_TOKEN`, `*_SECRET`, `*_API_KEY`, `*_PASSWORD`, `DATABASE_URL`, ...) — exact
+   value match, zero false positives.
+2. **`.env` / `.env.local` / `.env.development*`** files in the cwd.
+
+Each secret value gets a stable placeholder: `MY_API_KEY=xptolksjf` →
+`$SECRET_MY_API_KEY`.
+
+Redaction happens on two channels:
+
+- **`context` hook** — every message sent to the model (user text, assistant
+  text, thinking, and tool-call arguments) has secret values swapped for their
+  placeholder.
+- **`tool_result` hook** — output from `bash`, `read`, `grep`, etc. is redacted,
+  so `cat .env` returns placeholders, not values.
+
+A pattern fallback also catches well-known token shapes (AWS keys, JWTs,
+`sk-...`, GitHub/Slack tokens, PEM private keys) that leak into output even when
+they were never in an env var.
+
+## Security model — the model never sees the value
+
+This extension uses the **shell-env-only** strategy:
+
+- The real value lives in `process.env` (which the `bash` tool inherits).
+- The model references it as a shell variable: `curl -H "Authorization: Bearer $SECRET_MY_API_KEY"`.
+- The shell resolves `$SECRET_MY_API_KEY` at execution time.
+- The value never returns to the context — any echo of it in tool output is
+  redacted again.
+
+The extension never re-hydrates placeholders itself. If the model writes the
+literal *value* instead of the placeholder, that value is redacted on the way
+back, but the model must use the `$SECRET_*` reference for a command to actually
+use the secret.
+
+### Limits / non-goals
+
+- A determined model could still exfiltrate a secret by transforming it before
+  printing (e.g. base64). This raises the bar; it is not a sandbox.
+- Values shorter than 8 chars or matching trivial values (`true`, `3000`, ...)
+  are not protected — they are not secrets and redacting them breaks the agent.
+- Infra/session vars (`PATH`, `HOME`, `SSH_AUTH_SOCK`, `*_SESSION`, ...) are
+  explicitly never treated as secrets.
+
+## Commands
+
+- `/secret-firewall` — show status (protected secrets, redaction count, the
+  `$SECRET_*` names the model may reference).
+- `/secret-firewall-toggle` — enable/disable redaction.
+- `/secret-firewall-rescan` — re-scan env + `.env` files.
+
+## Develop
+
+```bash
+pnpm build   # tsc -> dist/
+pnpm test    # node --test against dist/
+pnpm lint    # tsc --noEmit
+```

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+export default function (pi: ExtensionAPI): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAWpE,MAAM,CAAC,OAAO,WAAW,EAAE,EAAE,YAAY,QAoJxC"}

package/dist/index.js

@@ -0,0 +1,152 @@
+import { discoverSecrets } from "./secrets.js";
+import { createRedactor } from "./redact.js";
+function shellVarName(placeholder) {
+    return placeholder.replace(/^\$/, "");
+}
+export default function (pi) {
+    let enabled = true;
+    let entries = [];
+    const redactor = createRedactor([]);
+    let exportedNames = [];
+    const stats = { redactedHits: 0, lastScan: 0 };
+    function exportToShell(list) {
+        for (const name of exportedNames) {
+            if (!list.some((e) => shellVarName(e.placeholder) === name)) {
+                delete process.env[name];
+            }
+        }
+        exportedNames = [];
+        for (const e of list) {
+            const varName = shellVarName(e.placeholder);
+            process.env[varName] = e.value;
+            exportedNames.push(varName);
+        }
+    }
+    function rescan(cwd) {
+        entries = discoverSecrets(cwd);
+        redactor.refresh(entries);
+        exportToShell(entries);
+        stats.lastScan = entries.length;
+    }
+    function redactBlocks(content) {
+        let changed = false;
+        const next = content.map((block) => {
+            if (block.type !== "text")
+                return block;
+            const { text, hits } = redactor.redactString(block.text);
+            if (hits > 0) {
+                changed = true;
+                stats.redactedHits += hits;
+                return { ...block, text };
+            }
+            return block;
+        });
+        return changed ? next : undefined;
+    }
+    function redactMessageContent(content) {
+        if (typeof content === "string") {
+            const { text, hits } = redactor.redactString(content);
+            if (hits > 0)
+                stats.redactedHits += hits;
+            return text;
+        }
+        if (Array.isArray(content)) {
+            return content.map((block) => {
+                if (block && typeof block === "object") {
+                    const b = block;
+                    if (b.type === "text" && typeof b.text === "string") {
+                        const { text, hits } = redactor.redactString(b.text);
+                        if (hits > 0)
+                            stats.redactedHits += hits;
+                        return { ...b, text };
+                    }
+                    if (b.type === "thinking" && typeof b.thinking === "string") {
+                        const { text, hits } = redactor.redactString(b.thinking);
+                        if (hits > 0)
+                            stats.redactedHits += hits;
+                        return { ...b, thinking: text };
+                    }
+                    if (b.type === "toolCall" && b.arguments && typeof b.arguments === "object") {
+                        return { ...b, arguments: redactArguments(b.arguments) };
+                    }
+                }
+                return block;
+            });
+        }
+        return content;
+    }
+    function redactArguments(args) {
+        const out = {};
+        for (const [k, v] of Object.entries(args)) {
+            if (typeof v === "string") {
+                const { text, hits } = redactor.redactString(v);
+                if (hits > 0)
+                    stats.redactedHits += hits;
+                out[k] = text;
+            }
+            else if (Array.isArray(v)) {
+                out[k] = v.map((item) => typeof item === "string" ? redactor.redactString(item).text : item);
+            }
+            else if (v && typeof v === "object") {
+                out[k] = redactArguments(v);
+            }
+            else {
+                out[k] = v;
+            }
+        }
+        return out;
+    }
+    pi.on("session_start", async (_event, ctx) => {
+        rescan(ctx.cwd);
+    });
+    pi.on("context", async (event, _ctx) => {
+        if (!enabled || entries.length === 0)
+            return;
+        let changed = false;
+        const messages = event.messages.map((msg) => {
+            const m = msg;
+            if (!("content" in m))
+                return msg;
+            const before = m.content;
+            const after = redactMessageContent(before);
+            if (after !== before) {
+                changed = true;
+                return { ...m, content: after };
+            }
+            return msg;
+        });
+        if (changed)
+            return { messages };
+    });
+    pi.on("tool_result", async (event) => {
+        if (!enabled || entries.length === 0)
+            return;
+        const redacted = redactBlocks(event.content);
+        if (redacted)
+            return { content: redacted };
+    });
+    pi.registerCommand("secret-firewall", {
+        description: "Show secret-firewall status (protected secrets, redaction count)",
+        handler: async (_args, ctx) => {
+            rescan(ctx.cwd);
+            const names = entries.map((e) => e.placeholder).join(", ") || "(none)";
+            ctx.ui.notify(`secret-firewall [${enabled ? "on" : "off"}] | protecting ${entries.length} secret(s) | ` +
+                `redacted ${stats.redactedHits} value(s) so far\nReferenceable as shell env: ${names}`, "info");
+        },
+    });
+    pi.registerCommand("secret-firewall-toggle", {
+        description: "Enable or disable secret-firewall redaction",
+        handler: async (_args, ctx) => {
+            enabled = !enabled;
+            ctx.ui.notify(`secret-firewall ${enabled ? "enabled" : "disabled"}`, "info");
+        },
+    });
+    pi.registerCommand("secret-firewall-rescan", {
+        description: "Re-scan environment and .env files for secrets",
+        handler: async (_args, ctx) => {
+            rescan(ctx.cwd);
+            ctx.ui.notify(`secret-firewall re-scanned: ${entries.length} secret(s) protected`, "info");
+        },
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAoB,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAI7C,SAAS,YAAY,CAAC,WAAmB;IACvC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,OAAO,WAAW,EAAgB;IACvC,IAAI,OAAO,GAAG,IAAI,CAAC;IACnB,IAAI,OAAO,GAAkB,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC,CAAC;IACpC,IAAI,aAAa,GAAa,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,EAAE,YAAY,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IAE/C,SAAS,aAAa,CAAC,IAAmB;QACxC,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;gBAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,aAAa,GAAG,EAAE,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC/B,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,SAAS,MAAM,CAAC,GAAW;QACzB,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/B,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1B,aAAa,CAAC,OAAO,CAAC,CAAC;QACvB,KAAK,CAAC,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC;IAClC,CAAC;IAED,SAAS,YAAY,CAAC,OAAuB;QAC3C,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACjC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;gBAAE,OAAO,KAAK,CAAC;YACxC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzD,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC;gBAC3B,OAAO,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IACpC,CAAC;IAED,SAAS,oBAAoB,CAAC,OAAgB;QAC5C,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACtD,IAAI,IAAI,GAAG,CAAC;gBAAE,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3B,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACvC,MAAM,CAAC,GAAG,KAAgC,CAAC;oBAC3C,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;wBACpD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;wBACrD,IAAI,IAAI,GAAG,CAAC;4BAAE,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC;wBACzC,OAAO,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC;oBACxB,CAAC;oBACD,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;wBAC5D,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;wBACzD,IAAI,IAAI,GAAG,CAAC;4BAAE,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC;wBACzC,OAAO,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;oBAClC,CAAC;oBACD,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;wBAC5E,OAAO,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC,SAAoC,CAAC,EAAE,CAAC;oBACtF,CAAC;gBACH,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS,eAAe,CAAC,IAA6B;QACpD,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBAChD,IAAI,IAAI,GAAG,CAAC;oBAAE,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC;gBACzC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;YAChB,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACtB,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CACnE,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACtC,GAAG,CAAC,CAAC,CAAC,GAAG,eAAe,CAAC,CAA4B,CAAC,CAAC;YACzD,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACb,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE;QAC3C,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACrC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAC7C,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,QAAQ,GAAI,KAAK,CAAC,QAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACzD,MAAM,CAAC,GAAG,GAA8B,CAAC;YACzC,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC;gBAAE,OAAO,GAAG,CAAC;YAClC,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC;YACzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAC3C,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACrB,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,CAAC,CAAC;QACH,IAAI,OAAO;YAAE,OAAO,EAAE,QAAQ,EAAW,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,EAAE,CAAC,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;QACnC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,OAAyB,CAAC,CAAC;QAC/D,IAAI,QAAQ;YAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAW,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,eAAe,CAAC,iBAAiB,EAAE;QACpC,WAAW,EAAE,kEAAkE;QAC/E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;YAC5B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAChB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;YACvE,GAAG,CAAC,EAAE,CAAC,MAAM,CACX,oBAAoB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,kBAAkB,OAAO,CAAC,MAAM,eAAe;gBACvF,YAAY,KAAK,CAAC,YAAY,iDAAiD,KAAK,EAAE,EACxF,MAAM,CACP,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,EAAE,CAAC,eAAe,CAAC,wBAAwB,EAAE;QAC3C,WAAW,EAAE,6CAA6C;QAC1D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;YAC5B,OAAO,GAAG,CAAC,OAAO,CAAC;YACnB,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,mBAAmB,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,EAAE,MAAM,CAAC,CAAC;QAC/E,CAAC;KACF,CAAC,CAAC;IAEH,EAAE,CAAC,eAAe,CAAC,wBAAwB,EAAE;QAC3C,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;YAC5B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAChB,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,+BAA+B,OAAO,CAAC,MAAM,sBAAsB,EAAE,MAAM,CAAC,CAAC;QAC7F,CAAC;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/redact.d.ts

@@ -0,0 +1,10 @@
+import type { SecretEntry } from "./secrets.js";
+export interface Redactor {
+    redactString(text: string): {
+        text: string;
+        hits: number;
+    };
+    refresh(entries: SecretEntry[]): void;
+}
+export declare function createRedactor(initial: SecretEntry[]): Redactor;
+//# sourceMappingURL=redact.d.ts.map

package/dist/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,WAAW,QAAQ;IACvB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;CACvC;AAwBD,wBAAgB,cAAc,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CA8B/D"}

package/dist/redact.js

@@ -0,0 +1,45 @@
+const PATTERN_RULES = [
+    { name: "AWS_ACCESS_KEY", re: /\bAKIA[0-9A-Z]{16}\b/g },
+    { name: "AWS_SECRET", re: /\b(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])\b/g },
+    { name: "OPENAI_KEY", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
+    { name: "GITHUB_TOKEN", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
+    { name: "SLACK_TOKEN", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g },
+    { name: "JWT", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    {
+        name: "PRIVATE_KEY",
+        re: /-----BEGIN[A-Z ]*PRIVATE KEY-----[\s\S]+?-----END[A-Z ]*PRIVATE KEY-----/g,
+    },
+];
+function escapeRe(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+export function createRedactor(initial) {
+    let valueRules = [];
+    function refresh(entries) {
+        valueRules = entries
+            .filter((e) => e.value.length > 0)
+            .map((e) => ({ re: new RegExp(escapeRe(e.value), "g"), placeholder: e.placeholder }));
+    }
+    function redactString(text) {
+        if (!text)
+            return { text, hits: 0 };
+        let out = text;
+        let hits = 0;
+        for (const { re, placeholder } of valueRules) {
+            out = out.replace(re, () => {
+                hits++;
+                return placeholder;
+            });
+        }
+        for (const { name, re } of PATTERN_RULES) {
+            out = out.replace(re, () => {
+                hits++;
+                return `$SECRET_${name}`;
+            });
+        }
+        return { text: out, hits };
+    }
+    refresh(initial);
+    return { redactString, refresh };
+}
+//# sourceMappingURL=redact.js.map

package/dist/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"AAYA,MAAM,aAAa,GAAkB;IACnC,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,uBAAuB,EAAE;IACvD,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,2DAA2D,EAAE;IACvF,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,4BAA4B,EAAE;IACxD,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,iCAAiC,EAAE;IAC/D,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,mCAAmC,EAAE;IAChE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,oEAAoE,EAAE;IACzF;QACE,IAAI,EAAE,aAAa;QACnB,EAAE,EAAE,2EAA2E;KAChF;CACF,CAAC;AAEF,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAsB;IACnD,IAAI,UAAU,GAA0C,EAAE,CAAC;IAE3D,SAAS,OAAO,CAAC,OAAsB;QACrC,UAAU,GAAG,OAAO;aACjB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;aACjC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC1F,CAAC;IAED,SAAS,YAAY,CAAC,IAAY;QAChC,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACpC,IAAI,GAAG,GAAG,IAAI,CAAC;QACf,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,KAAK,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,UAAU,EAAE,CAAC;YAC7C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,EAAE;gBACzB,IAAI,EAAE,CAAC;gBACP,OAAO,WAAW,CAAC;YACrB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,aAAa,EAAE,CAAC;YACzC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,EAAE;gBACzB,IAAI,EAAE,CAAC;gBACP,OAAO,WAAW,IAAI,EAAE,CAAC;YAC3B,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,CAAC,OAAO,CAAC,CAAC;IACjB,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;AACnC,CAAC"}

package/dist/secrets.d.ts

@@ -0,0 +1,8 @@
+export interface SecretEntry {
+    name: string;
+    placeholder: string;
+    value: string;
+    source: "env" | "dotenv" | "pattern";
+}
+export declare function discoverSecrets(cwd: string): SecretEntry[];
+//# sourceMappingURL=secrets.d.ts.map

package/dist/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;CACtC;AA2DD,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,EAAE,CA8B1D"}

package/dist/secrets.js

@@ -0,0 +1,86 @@
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+const SENSITIVE_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PWD|API[_-]?KEY|APIKEY|ACCESS[_-]?KEY|PRIVATE[_-]?KEY|CLIENT[_-]?SECRET|AUTH|CREDENTIAL|DSN|DATABASE_URL|CONNECTION_STRING|SESSION|COOKIE|SIGNING|ENCRYPT|SALT|BEARER)/i;
+const NEVER_SENSITIVE = /^(PATH|HOME|SHELL|PWD|OLDPWD|LANG|LC_|TERM|USER|LOGNAME|HOSTNAME|TMPDIR|EDITOR|PAGER|NODE_ENV|NODE_OPTIONS|npm_|PNPM_|COLORTERM|SHLVL|SSH_AUTH_SOCK|SSH_AGENT_PID|__MISE|MISE_|WARP_|XPC_|__CF|SECURITYSESSIONID|TERM_SESSION_ID|_$)/;
+const SESSION_LIKE_NAME = /(SESSION|SOCK|UUID|_PID)$/i;
+const MIN_VALUE_LENGTH = 8;
+const TRIVIAL_VALUE = /^(true|false|null|undefined|none|localhost|0|1|3000|8080|development|production|staging|test)$/i;
+const DOTENV_FILES = [".env", ".env.local", ".env.development", ".env.development.local"];
+const DOTENV_LINE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\s*$/;
+function unquote(raw) {
+    const v = raw.trim();
+    if ((v.startsWith('"') && v.endsWith('"')) ||
+        (v.startsWith("'") && v.endsWith("'"))) {
+        return v.slice(1, -1);
+    }
+    const hash = v.indexOf(" #");
+    return hash >= 0 ? v.slice(0, hash).trim() : v;
+}
+function isSensitiveValue(name, value) {
+    if (NEVER_SENSITIVE.test(name))
+        return false;
+    if (SESSION_LIKE_NAME.test(name))
+        return false;
+    if (!value || value.length < MIN_VALUE_LENGTH)
+        return false;
+    if (TRIVIAL_VALUE.test(value))
+        return false;
+    return SENSITIVE_NAME.test(name);
+}
+function toPlaceholder(name, taken) {
+    const base = `$SECRET_${name.replace(/[^A-Za-z0-9_]/g, "_").toUpperCase()}`;
+    if (!taken.has(base))
+        return base;
+    let i = 2;
+    while (taken.has(`${base}_${i}`))
+        i++;
+    return `${base}_${i}`;
+}
+function parseDotenv(path) {
+    const out = new Map();
+    try {
+        const text = readFileSync(path, "utf8");
+        for (const line of text.split(/\r?\n/)) {
+            if (!line.trim() || line.trim().startsWith("#"))
+                continue;
+            const m = DOTENV_LINE.exec(line);
+            if (!m)
+                continue;
+            out.set(m[1], unquote(m[2]));
+        }
+    }
+    catch {
+        /* unreadable file, skip */
+    }
+    return out;
+}
+export function discoverSecrets(cwd) {
+    const byName = new Map();
+    for (const [name, value] of Object.entries(process.env)) {
+        if (typeof value === "string" && isSensitiveValue(name, value)) {
+            byName.set(name, { value, source: "env" });
+        }
+    }
+    for (const file of DOTENV_FILES) {
+        const path = join(cwd, file);
+        if (!existsSync(path))
+            continue;
+        for (const [name, value] of parseDotenv(path)) {
+            if (isSensitiveValue(name, value) && !byName.has(name)) {
+                byName.set(name, { value, source: "dotenv" });
+            }
+        }
+    }
+    const taken = new Set();
+    const entries = [];
+    for (const [name, { value, source }] of byName) {
+        if (!value)
+            continue;
+        const placeholder = toPlaceholder(name, taken);
+        taken.add(placeholder);
+        entries.push({ name, placeholder, value, source });
+    }
+    entries.sort((a, b) => b.value.length - a.value.length);
+    return entries;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AASjC,MAAM,cAAc,GAAG,uMAAuM,CAAC;AAE/N,MAAM,eAAe,GAAG,sOAAsO,CAAC;AAE/P,MAAM,iBAAiB,GAAG,4BAA4B,CAAC;AAEvD,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAC3B,MAAM,aAAa,GAAG,iGAAiG,CAAC;AAExH,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,YAAY,EAAE,kBAAkB,EAAE,wBAAwB,CAAC,CAAC;AAE1F,MAAM,WAAW,GAAG,2DAA2D,CAAC;AAEhF,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,KAAa;IACnD,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,gBAAgB;QAAE,OAAO,KAAK,CAAC;IAC5D,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,KAAkB;IACrD,MAAM,IAAI,GAAG,WAAW,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;IAC5E,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;QAAE,CAAC,EAAE,CAAC;IACtC,OAAO,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC1D,MAAM,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,MAAM,GAAG,IAAI,GAAG,EAA4D,CAAC;IAEnF,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACxD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YAC/D,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAChC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,IAAI,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvD,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,IAAI,MAAM,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC/C,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACxD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@arvoretech/pi-secret-firewall",
+  "version": "0.1.0",
+  "description": "Redacts secrets (env vars, .env files, token patterns) from the model context and tool outputs, exposing them only as $SECRET_* shell env vars the model can reference but never read",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "type": "module",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "lint": "tsc --noEmit",
+    "test": "tsc && node --test --experimental-strip-types --disable-warning=ExperimentalWarning test/*.test.ts"
+  },
+  "peerDependencies": {
+    "@earendil-works/pi-coding-agent": ">=0.74.0"
+  },
+  "devDependencies": {
+    "@earendil-works/pi-coding-agent": "^0.79.4",
+    "@earendil-works/pi-ai": "^0.79.4",
+    "@earendil-works/pi-tui": "^0.79.4",
+    "@types/node": "^20.10.0",
+    "typebox": "1.1.38",
+    "typescript": "^5.3.0"
+  },
+  "pi": {
+    "extensions": [
+      "./dist/index.js"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/arvoreeducacao/arvore-pi-extensions.git",
+    "directory": "packages/secret-firewall"
+  },
+  "author": "Arvore",
+  "license": "MIT",
+  "keywords": [
+    "pi-package"
+  ]
+}