@czottmann/pi-automode 1.1.0 → 1.2.0

package/extensions/auto-mode/hard-deny.ts

@@ -0,0 +1,348 @@
+import { resolve } from "node:path";
+import { HOME } from "./constants.ts";
+import {
+  isProfileOrAuthorizedKeysPath,
+  isSafetyControlPath,
+  resolveInputPath,
+  shellPathTokenToPath,
+} from "./paths.ts";
+
+type ShellSegment = {
+  text: string;
+  words: string[];
+  redirectTargets: string[];
+};
+
+function splitShellSegments(command: string): string[] {
+  const segments: string[] = [];
+  let current = "";
+  let quote: "'" | '"' | "`" | undefined;
+  let escaped = false;
+
+  for (let i = 0; i < command.length; i += 1) {
+    const char = command[i] ?? "";
+    const next = command[i + 1] ?? "";
+    if (escaped) {
+      current += char;
+      escaped = false;
+      continue;
+    }
+    if (char === "\\" && quote !== "'") {
+      current += char;
+      escaped = true;
+      continue;
+    }
+    if (quote) {
+      current += char;
+      if (char === quote) quote = undefined;
+      continue;
+    }
+    if (char === "'" || char === '"' || char === "`") {
+      quote = char;
+      current += char;
+      continue;
+    }
+    if (
+      char === ";" ||
+      char === "\n" ||
+      char === "|" ||
+      (char === "&" && next === "&") ||
+      (char === "|" && next === "|")
+    ) {
+      if (current.trim()) segments.push(current.trim());
+      current = "";
+      if ((char === "&" && next === "&") || (char === "|" && next === "|")) {
+        i += 1;
+      }
+      continue;
+    }
+    current += char;
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments;
+}
+
+function tokenizeShellSegment(text: string): string[] {
+  const tokens: string[] = [];
+  let current = "";
+  let quote: "'" | '"' | "`" | undefined;
+  let escaped = false;
+
+  for (let i = 0; i < text.length; i += 1) {
+    const char = text[i] ?? "";
+    if (escaped) {
+      current += char;
+      escaped = false;
+      continue;
+    }
+    if (char === "\\" && quote !== "'") {
+      escaped = true;
+      continue;
+    }
+    if (quote) {
+      if (char === quote) quote = undefined;
+      else current += char;
+      continue;
+    }
+    if (char === "'" || char === '"' || char === "`") {
+      quote = char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (current) tokens.push(current);
+      current = "";
+      continue;
+    }
+    if (char === ">" || char === "<") {
+      let op = char;
+      if (/^\d+$/.test(current)) {
+        op = current + char;
+      } else if (current) {
+        tokens.push(current);
+      }
+      if (text[i + 1] === ">" || text[i + 1] === "&") {
+        op += text[i + 1];
+        i += 1;
+      }
+      tokens.push(op);
+      current = "";
+      continue;
+    }
+    current += char;
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+
+function parseShell(command: string): ShellSegment[] {
+  return splitShellSegments(command).map((text) => {
+    const tokens = tokenizeShellSegment(text);
+    const words: string[] = [];
+    const redirectTargets: string[] = [];
+    for (let i = 0; i < tokens.length; i += 1) {
+      const token = tokens[i] ?? "";
+      if (/^(?:\d?>|\d?>>|>|>>|&>|<)$/.test(token)) {
+        const target = tokens[i + 1];
+        if (target) redirectTargets.push(target);
+        i += 1;
+        continue;
+      }
+      const attachedRedirect = token.match(/^(?:\d?>|\d?>>|>|>>|&>)(.+)$/);
+      if (attachedRedirect?.[1]) {
+        redirectTargets.push(attachedRedirect[1]);
+        continue;
+      }
+      words.push(token);
+    }
+    return { text, words, redirectTargets };
+  });
+}
+
+function commandName(words: string[]): string | undefined {
+  return words.find((word) => !/^\w+=/.test(word));
+}
+
+function commandArgs(words: string[]): string[] {
+  const index = words.findIndex((word) => !/^\w+=/.test(word));
+  return index >= 0 ? words.slice(index + 1) : [];
+}
+
+function isRecursiveRmArg(arg: string): boolean {
+  return (
+    arg === "--recursive" ||
+    /^-[A-Za-z]*r[A-Za-z]*f?[A-Za-z]*$/.test(arg) ||
+    /^-[A-Za-z]*f[A-Za-z]*r[A-Za-z]*$/.test(arg)
+  );
+}
+
+function isRootHomeOrSystemPath(path: string): boolean {
+  const systemRoots = [
+    "/bin",
+    "/boot",
+    "/dev",
+    "/etc",
+    "/lib",
+    "/lib64",
+    "/private",
+    "/sbin",
+    "/sys",
+    "/usr",
+    "/var",
+  ];
+  return (
+    path === "/" ||
+    path === HOME ||
+    systemRoots.some((root) => path === root || path.startsWith(`${root}/`))
+  );
+}
+
+function segmentHardDeny(
+  segment: ShellSegment,
+  cwd: string,
+): string | undefined {
+  for (const target of segment.redirectTargets) {
+    const path = shellPathTokenToPath(target, cwd);
+    if (!path) continue;
+    const profileReason = isProfileOrAuthorizedKeysPath(path);
+    if (profileReason) return profileReason;
+    if (isSafetyControlPath(path, cwd)) {
+      return "auto-mode or permission safety-control modification is hard-denied";
+    }
+  }
+
+  for (const word of segment.words) {
+    if (
+      /^(NODE_TLS_REJECT_UNAUTHORIZED=0|GIT_SSL_NO_VERIFY=(1|true))$/i.test(
+        word,
+      )
+    ) {
+      return "TLS verification weakening is hard-denied";
+    }
+  }
+
+  const name = commandName(segment.words);
+  if (!name) return undefined;
+  const args = commandArgs(segment.words);
+  const lowerArgs = args.map((arg) => arg.toLowerCase());
+
+  if (
+    ["curl", "wget"].includes(name) &&
+    lowerArgs.some((arg) =>
+      ["--insecure", "-k", "--no-check-certificate"].includes(arg)
+    )
+  ) {
+    return "certificate verification weakening is hard-denied";
+  }
+  if (
+    ["npm", "yarn", "pnpm"].includes(name) &&
+    lowerArgs[0] === "config" &&
+    lowerArgs[1] === "set" &&
+    ["strict-ssl", "cafile"].includes(lowerArgs[2] ?? "") &&
+    ["false", "null"].includes(lowerArgs[3] ?? "")
+  ) {
+    return "package-manager TLS weakening is hard-denied";
+  }
+  if (
+    name === "git" &&
+    lowerArgs[0] === "config" &&
+    lowerArgs.some(
+      (arg) => arg === "sslverify" || arg.endsWith(".sslverify"),
+    ) &&
+    lowerArgs.includes("false")
+  ) {
+    return "git TLS verification weakening is hard-denied";
+  }
+  if (name === "crontab" && !lowerArgs.includes("-l")) {
+    return "persistence or system service mutation is hard-denied";
+  }
+  if (
+    name === "launchctl" &&
+    ["load", "bootstrap", "enable"].includes(lowerArgs[0] ?? "")
+  ) {
+    return "persistence or system service mutation is hard-denied";
+  }
+  if (
+    name === "systemctl" &&
+    ["enable", "disable"].includes(lowerArgs[0] ?? "")
+  ) {
+    return "persistence or system service mutation is hard-denied";
+  }
+  if (name === "security" && lowerArgs[0] === "add-trusted-cert") {
+    return "platform security weakening is hard-denied";
+  }
+  if (name === "spctl" && lowerArgs.includes("--master-disable")) {
+    return "platform security weakening is hard-denied";
+  }
+  if (name === "csrutil" && lowerArgs[0] === "disable") {
+    return "platform security weakening is hard-denied";
+  }
+
+  if (name === "rm" && args.some(isRecursiveRmArg)) {
+    for (const arg of args.filter((arg) => !arg.startsWith("-"))) {
+      const path = shellPathTokenToPath(arg, cwd);
+      if (path && isRootHomeOrSystemPath(path)) {
+        return "irreversible deletion of home/root/system paths is hard-denied";
+      }
+    }
+  }
+
+  if (name === "find" && lowerArgs.includes("-delete")) {
+    const root = shellPathTokenToPath(args[0] ?? "", cwd);
+    if (root && isRootHomeOrSystemPath(root) && root !== HOME) {
+      return "system-wide delete is hard-denied";
+    }
+  }
+
+  if (["chmod", "chown"].includes(name)) {
+    for (const arg of args.filter((arg) => !arg.startsWith("-"))) {
+      const path = shellPathTokenToPath(arg, cwd);
+      if (
+        path &&
+        (path.startsWith("/etc/") ||
+          path.startsWith("/usr/") ||
+          path.startsWith("/bin/") ||
+          path.startsWith("/sbin/") ||
+          path.startsWith("/System/") ||
+          path.startsWith(resolve(HOME, ".ssh")))
+      ) {
+        return "system or SSH permission mutation is hard-denied";
+      }
+    }
+  }
+
+  if (
+    [
+      "tee",
+      "mv",
+      "cp",
+      "rm",
+      "unlink",
+      "truncate",
+      "python",
+      "python3",
+      "node",
+      "perl",
+      "ruby",
+      "sd",
+      "sed",
+    ].includes(name) &&
+    /\.pi\/automode|\.pi\/extensions|pi-automode|auto-mode\.json/i.test(
+      segment.text,
+    )
+  ) {
+    return "auto-mode or permission safety-control modification is hard-denied";
+  }
+
+  return undefined;
+}
+
+/**
+ * Deterministic deny checks for actions too risky to delegate to the classifier.
+ *
+ * Bash checks use a small shell lexer instead of only regexes. It is not a full
+ * POSIX shell implementation, but it handles quotes, redirects, pipes, `&&`, and
+ * `;` well enough to avoid the common "safe prefix hides risky suffix" bypass.
+ */
+export function deterministicHardDeny(
+  toolName: string,
+  input: Record<string, unknown>,
+  cwd: string,
+): string | undefined {
+  if (toolName === "write" || toolName === "edit") {
+    const path = resolveInputPath(cwd, input.path);
+    if (!path) return undefined;
+    const profileReason = isProfileOrAuthorizedKeysPath(path);
+    if (profileReason) return profileReason;
+    if (isSafetyControlPath(path, cwd)) {
+      return "auto-mode or permission safety-control modification is hard-denied";
+    }
+  }
+
+  if (toolName !== "bash") return undefined;
+  const command = typeof input.command === "string" ? input.command : "";
+  for (const segment of parseShell(command)) {
+    const reason = segmentHardDeny(segment, cwd);
+    if (reason) return reason;
+  }
+  return undefined;
+}

package/extensions/auto-mode/model-selector.ts

@@ -0,0 +1,113 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import {
+  fuzzyFilter,
+  Input,
+  matchesKey,
+  SelectList,
+} from "@earendil-works/pi-tui";
+import type { SelectItem } from "@earendil-works/pi-tui";
+import { formatModelSpec } from "./model.ts";
+
+/** Interactive model selector shown when `/automode model` is run without arguments. */
+export function promptForClassifierModel(
+  ctx: ExtensionContext,
+  current?: string,
+): Promise<string | undefined> {
+  if (!ctx.hasUI) {
+    return Promise.resolve(undefined);
+  }
+  const available = ctx.modelRegistry.getAvailable();
+  if (available.length === 0) {
+    return Promise.resolve(undefined);
+  }
+
+  const items: SelectItem[] = available.map((model) => {
+    const spec = formatModelSpec(model);
+    return {
+      value: spec,
+      label: `${model.id} \u001b[2m[${model.provider}]\u001b[0m`,
+      description: spec === current ? "\u2713" : undefined,
+    };
+  });
+  items.sort((a, b) => a.label.localeCompare(b.label));
+
+  return ctx.ui.custom<string | undefined>((tui, theme, _keybindings, done) => {
+    const filterInput = new Input();
+    filterInput.onEscape = () => done(undefined);
+
+    let filtered: SelectItem[] = items;
+    let selectList = buildModelList(filtered, theme, filterInput, done, tui);
+
+    function applyFilter(query: string): void {
+      filtered = query
+        ? fuzzyFilter(items, query, (item) => `${item.label} ${item.value}`)
+        : items;
+      selectList = buildModelList(filtered, theme, filterInput, done, tui);
+      tui.requestRender();
+    }
+
+    return {
+      render(width: number) {
+        const selected = selectList.getSelectedItem();
+        const lines: string[] = [];
+        lines.push(theme.fg("accent", theme.bold("Select classifier model")));
+        lines.push(
+          theme.fg(
+            "dim",
+            "Only showing models from configured providers. Use /login to add providers.",
+          ),
+        );
+        lines.push("");
+        lines.push(filterInput.render(width).join("\n"));
+        lines.push("");
+        lines.push(...selectList.render(width));
+        lines.push("");
+        if (selected) {
+          lines.push(theme.fg("muted", `Model Name: ${selected.label}`));
+        }
+        return lines;
+      },
+      invalidate() {
+        /* no-op */
+      },
+      handleInput(data: string) {
+        if (
+          matchesKey(data, "up") || matchesKey(data, "down") ||
+          matchesKey(data, "return") || matchesKey(data, "escape")
+        ) {
+          selectList.handleInput(data);
+          tui.requestRender();
+          return;
+        }
+        filterInput.handleInput(data);
+        applyFilter(filterInput.getValue());
+      },
+    };
+  });
+}
+
+function buildModelList(
+  items: SelectItem[],
+  theme: any,
+  filterInput: Input,
+  done: (value: string | undefined) => void,
+  tui: any,
+): SelectList {
+  const maxVisible = Math.min(10, Math.max(1, items.length));
+  const list = new SelectList(items, maxVisible, {
+    selectedPrefix: (text) => theme.fg("accent", text),
+    selectedText: (text) => theme.fg("accent", text),
+    description: (text) => theme.fg("muted", text),
+    scrollInfo: (text) => theme.fg("dim", text),
+    noMatch: (text) => theme.fg("warning", text),
+  });
+  list.setSelectedIndex(0);
+  list.onCancel = () => done(undefined);
+  list.onSelect = (item) => done(item.value);
+  list.onSelectionChange = () => tui.requestRender();
+  filterInput.onSubmit = () => {
+    const selected = list.getSelectedItem();
+    if (selected) done(selected.value);
+  };
+  return list;
+}

package/extensions/auto-mode/model.ts

@@ -0,0 +1,13 @@
+import type { Model } from "@earendil-works/pi-ai";
+
+export function parseModelSpec(
+  spec: string,
+): { provider: string; id: string } | undefined {
+  const slash = spec.indexOf("/");
+  if (slash <= 0 || slash >= spec.length - 1) return undefined;
+  return { provider: spec.slice(0, slash), id: spec.slice(slash + 1) };
+}
+
+export function formatModelSpec(model: Model<any>): string {
+  return `${model.provider}/${model.id}`;
+}

package/extensions/auto-mode/paths.ts

@@ -0,0 +1,134 @@
+import { realpathSync } from "node:fs";
+import {
+  basename,
+  dirname,
+  isAbsolute,
+  join,
+  normalize,
+  relative,
+  resolve,
+} from "node:path";
+import { HOME, PROFILE_FILES } from "./constants.ts";
+
+function stripLeadingAt(value: string): string {
+  return value.startsWith("@") ? value.slice(1) : value;
+}
+
+export function resolveInputPath(
+  cwd: string,
+  value: unknown,
+): string | undefined {
+  if (typeof value !== "string" || value.trim() === "") return undefined;
+  const raw = stripLeadingAt(value.trim());
+  return isAbsolute(raw) ? resolve(raw) : resolve(cwd, raw);
+}
+
+export function normalizePathForMatch(path: string, cwd: string): string {
+  const normalized = normalize(path);
+  const rel = relative(cwd, normalized);
+  return rel && !rel.startsWith("..") && !isAbsolute(rel) ? rel : normalized;
+}
+
+export function isInside(child: string, parent: string): boolean {
+  const rel = relative(parent, child);
+  return rel === "" || (!!rel && !rel.startsWith("..") && !isAbsolute(rel));
+}
+
+export function isProtectedPath(
+  path: string,
+  cwd: string,
+  protectedPaths: string[],
+): boolean {
+  // Resolve symlinks so writes through symlinks (e.g. not-git -> .git) are caught.
+  let resolved = path;
+  try {
+    resolved = realpathSync(path);
+  } catch {
+    // File doesn't exist yet — try resolving the parent directory.
+    try {
+      const dir = dirname(path);
+      const base = basename(path);
+      resolved = join(realpathSync(dir), base);
+    } catch {
+      // Parent doesn't exist either — fall through with raw path.
+    }
+  }
+
+  // For paths inside the project: use relative path for matching.
+  if (resolved.startsWith(cwd)) {
+    const relativePath = relative(cwd, resolved);
+    for (const pattern of protectedPaths) {
+      if (
+        relativePath === pattern ||
+        relativePath.startsWith(`${pattern}/`)
+      ) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  // For paths outside the project: check every path component suffix.
+  // This catches writes like ../other-project/.git/config even when cwd
+  // doesn't contain the target.
+  const segments = resolved.split("/").filter(Boolean);
+  for (let i = 0; i < segments.length; i++) {
+    const suffix = segments.slice(i).join("/");
+    for (const pattern of protectedPaths) {
+      if (
+        suffix === pattern ||
+        suffix.startsWith(`${pattern}/`)
+      ) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+export function isSafetyControlPath(path: string, cwd: string): boolean {
+  const normalized = path.replace(/\\/g, "/");
+  const file = basename(normalized).toLowerCase();
+  if (
+    normalized.endsWith("/.pi/auto-mode.json") ||
+    normalized.endsWith("/auto-mode.json")
+  ) {
+    return true;
+  }
+  if (normalized.includes("/.pi/extensions/") && file.includes("auto")) {
+    return true;
+  }
+  if (normalized.includes("/.pi/") && file.startsWith("automode")) return true;
+  if (
+    normalized.includes("/pi-automode/") ||
+    (isInside(path, cwd) && file.includes("auto-mode"))
+  ) {
+    return true;
+  }
+  return false;
+}
+
+export function shellPathTokenToPath(
+  token: string,
+  cwd: string,
+): string | undefined {
+  let value = token.trim();
+  if (!value || value === "-" || value.startsWith("&")) return undefined;
+  value = value
+    .replace(/^\$HOME(?=\/|$)/, HOME)
+    .replace(/^\$\{HOME\}(?=\/|$)/, HOME);
+  if (value.startsWith("~/")) value = resolve(HOME, value.slice(2));
+  return isAbsolute(value) ? resolve(value) : resolve(cwd, value);
+}
+
+export function isProfileOrAuthorizedKeysPath(
+  path: string,
+): string | undefined {
+  if (PROFILE_FILES.has(path)) {
+    return "shell profile modification is hard-denied";
+  }
+  if (path === resolve(HOME, ".ssh/authorized_keys")) {
+    return "SSH authorized_keys modification is hard-denied";
+  }
+  return undefined;
+}

package/extensions/auto-mode/permissions.ts

@@ -0,0 +1,90 @@
+import type { ToolPattern } from "./types.ts";
+import { normalizePathForMatch, resolveInputPath } from "./paths.ts";
+
+function normalizeToolName(name: string): string {
+  const lower = name.trim().replace(/^@/, "").toLowerCase();
+  const aliases: Record<string, string> = {
+    bash: "bash",
+    read: "read",
+    edit: "edit",
+    write: "write",
+    grep: "grep",
+    find: "find",
+    ls: "ls",
+  };
+  return aliases[lower] ?? lower;
+}
+
+/**
+ * Parse Pi permission entries such as `bash(git push *)`.
+ *
+ * Capitalized names such as `Bash(...)` are accepted as a convenience, but Pi's
+ * actual tool names are lowercase. Scoped entries stay scoped: we do not flatten
+ * `bash(git status *)` into a blanket `bash` permission.
+ */
+export function parseToolPattern(value: unknown): ToolPattern | undefined {
+  if (typeof value !== "string") return undefined;
+  const raw = value.trim();
+  if (!raw) return undefined;
+
+  const match = raw.match(/^@?([A-Za-z0-9_-]+)(?:\((.*)\))?$/s);
+  if (!match) return { raw };
+  return {
+    raw,
+    toolName: normalizeToolName(match[1] ?? ""),
+    argumentPattern: match[2],
+  };
+}
+
+function wildcardToRegExp(pattern: string): RegExp {
+  const escaped = pattern
+    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+    .replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+
+function getPrimaryArgument(
+  toolName: string,
+  input: Record<string, unknown>,
+  cwd: string,
+): string {
+  if (toolName === "bash" && typeof input.command === "string") {
+    return input.command;
+  }
+  if (
+    (toolName === "read" || toolName === "write" || toolName === "edit") &&
+    typeof input.path === "string"
+  ) {
+    return normalizePathForMatch(
+      resolveInputPath(cwd, input.path) ?? input.path,
+      cwd,
+    );
+  }
+  if (toolName === "grep" && typeof input.pattern === "string") {
+    return input.pattern;
+  }
+  if (
+    (toolName === "find" || toolName === "ls") &&
+    typeof input.path === "string"
+  ) {
+    return normalizePathForMatch(
+      resolveInputPath(cwd, input.path) ?? input.path,
+      cwd,
+    );
+  }
+  return JSON.stringify(input);
+}
+
+/** Match a scoped permission rule against a concrete tool call. */
+export function matchesToolPattern(
+  pattern: ToolPattern,
+  toolName: string,
+  input: Record<string, unknown>,
+  cwd: string,
+): boolean {
+  if (!pattern.toolName) return false;
+  if (pattern.toolName !== normalizeToolName(toolName)) return false;
+  if (!pattern.argumentPattern || pattern.argumentPattern === "*") return true;
+  const primary = getPrimaryArgument(toolName, input, cwd);
+  return wildcardToRegExp(pattern.argumentPattern).test(primary);
+}