npm - @bacnh85/pi-plan - Versions diffs - 0.1.4 → 0.1.6 - Mend

@bacnh85/pi-plan 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -58,6 +58,23 @@ pi --plan
 Agents should ask blocking, user-answerable planning questions with `ask_plan_question` before finalizing a plan. Final plans may still list non-blocking uncertainties or implementation-time checks, but should not leave consequential user decisions unresolved.
+## Plan-mode bash allowlist
+Plan mode allows only a narrow read-only subset of shell commands. Examples include:
+```bash
+git status --short
+git diff
+git show HEAD -- package.json
+git log --oneline -5
+git branch --show-current
+git rev-parse --show-toplevel
+npm view <package> --json
+npm info <package> version
+```
+`npm view` and `npm info` are allowed only for npm registry metadata lookup. They may contact the network and disclose the queried package name, but pi-plan does not allow npm install/update/publish/run/exec/auth/config style commands in plan mode.
 ## Reasoning levels
 pi-plan remembers two reasoning levels:

package/index.ts CHANGED Viewed

@@ -152,6 +152,62 @@ function isDestructiveBash(command: string): boolean {
 	return DESTRUCTIVE_BASH_PATTERNS.some((pattern) => pattern.test(command));
 }
+function tokenizeSimpleCommand(command: string): string[] | undefined {
+	const trimmed = command.trim();
+	if (!trimmed) return [];
+	if (/[;&|`$(){}<>]/.test(trimmed) || /\b(python|python3|node|ruby|perl|php|sh|bash|zsh|fish)\b/i.test(trimmed)) return undefined;
+	if (/['"]/.test(trimmed)) return undefined;
+	return trimmed.split(/\s+/).filter(Boolean);
+}
+function hasOptionValue(tokens: string[], index: number): boolean {
+	return index + 1 < tokens.length && !tokens[index + 1].startsWith("-");
+}
+function isAllowedNpmMetadataCommand(tokens: string[]): boolean {
+	if (tokens[0] !== "npm" || !["view", "info"].includes(tokens[1])) return false;
+	let hasSpec = false;
+	for (let index = 2; index < tokens.length; index += 1) {
+		const token = tokens[index];
+		if (["--registry", "--tag"].includes(token)) {
+			if (!hasOptionValue(tokens, index)) return false;
+			index += 1;
+			continue;
+		}
+		if (token.startsWith("--registry=") || token.startsWith("--tag=") || token === "--json" || token === "--parseable" || token === "--silent") continue;
+		if (token.startsWith("-")) return false;
+		hasSpec = true;
+	}
+	return hasSpec;
+}
+function isAllowedGitCommand(tokens: string[]): boolean {
+	if (tokens[0] !== "git" || !tokens[1]) return false;
+	const subcommand = tokens[1];
+	const args = tokens.slice(2);
+	if (["add", "commit", "push", "pull", "merge", "rebase", "reset", "checkout", "switch", "restore", "stash", "cherry-pick", "revert", "tag", "init", "clone", "fetch", "remote", "config", "worktree"].includes(subcommand)) return false;
+	if (subcommand === "status") return args.every((arg) => ["--short", "-s", "--porcelain", "--porcelain=v1", "--porcelain=v2", "--branch", "-b", "--ignored", "--ignored=matching", "--ignored=traditional", "--ignored=no", "--untracked-files", "--untracked-files=no", "--untracked-files=normal", "--untracked-files=all", "-uno", "-unormal", "-uall"].includes(arg));
+	if (subcommand === "diff") return !args.some((arg) => arg === "--output" || arg.startsWith("--output=") || arg === "--ext-diff" || arg === "--textconv");
+	if (["show", "log", "rev-parse", "ls-files"].includes(subcommand)) return true;
+	if (subcommand === "branch") {
+		const mutating = new Set(["-d", "-D", "-m", "-M", "-c", "-C", "--delete", "--move", "--copy", "--set-upstream-to", "--track", "--unset-upstream", "--edit-description"]);
+		return !args.some((arg) => mutating.has(arg) || arg.startsWith("--set-upstream-to=") || arg === "-u");
+	}
+	return false;
+}
+export function isReadOnlyBash(command: string): boolean {
+	const tokens = tokenizeSimpleCommand(command);
+	if (!tokens) return false;
+	if (tokens.length === 0) return true;
+	const normalized = tokens[0] === "rtk" ? tokens.slice(1) : tokens;
+	if (normalized.length === 0) return false;
+	if (isAllowedGitCommand(normalized)) return true;
+	if (isAllowedNpmMetadataCommand(normalized)) return true;
+	return /^(rg|grep|find|fd|ls|pwd|cat|head|tail|sed|awk|wc|sort|uniq|cut)$/.test(normalized[0]);
+}
 export default function piPlanExtension(pi: ExtensionAPI): void {
 	let planModeEnabled = false;
 	let executionMode = false;
@@ -488,8 +544,8 @@ export default function piPlanExtension(pi: ExtensionAPI): void {
 			return { block: true, reason: `pi-plan: ${event.toolName} is disabled in read-only plan mode. Use ${PLAN_TOOL} to write the plan file.` };
 		}
 		if (!isToolCallEventType("bash", event)) return;
-		if (isDestructiveBash(event.input.command)) {
-			return { block: true, reason: `pi-plan: bash command blocked in plan mode because it may modify state.\nCommand: ${event.input.command}` };
+		if (isDestructiveBash(event.input.command) || !isReadOnlyBash(event.input.command)) {
+			return { block: true, reason: `pi-plan: bash command blocked in plan mode because only simple read-only inspection commands are allowed.\nCommand: ${event.input.command}` };
 		}
 	});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bacnh85/pi-plan",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Pi extension that adds a plan mode with workspace markdown plans and thinking-level presets.",
   "license": "MIT",
   "publishConfig": {