@j6e/pi-auto-mode 0.1.1

package/README.md

@@ -0,0 +1,13 @@
+# pi-auto-mode
+A Claude auto mode clone for [pi](pi.dev)
+
+## Classifier output contract
+
+The classifier decision path is strict: a valid classifier response must call the `auto_mode_classifier` tool. The tool arguments must include:
+
+- `decision`: `allow` or `block`
+- `reason`: string
+- `confidence`: `high`, `medium`, or `low`
+- `category`: `user_intent`, `security`, `data_loss`, `scope_creep`, `infrastructure`, `credential_access`, or `other`
+
+Plain text JSON, fenced JSON, and reasoning/thinking-block JSON are not accepted as classifier decisions. Malformed or missing tool calls fail closed.

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@j6e/pi-auto-mode",
+  "version": "0.1.1",
+  "description": "A Claude auto mode clone for pi",
+  "license": "MIT",
+  "author": "Joan G. Esquerdo",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/j6e/pi-auto-mode.git"
+  },
+  "bugs": {
+    "url": "https://github.com/j6e/pi-auto-mode/issues"
+  },
+  "homepage": "https://github.com/j6e/pi-auto-mode#readme",
+  "keywords": [
+    "pi-package"
+  ],
+  "type": "module",
+  "files": [
+    "src/**/*.ts",
+    "README.md"
+  ],
+  "scripts": {
+    "test": "vitest run"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@earendil-works/pi-ai": "*",
+    "@earendil-works/pi-coding-agent": "*",
+    "typebox": "*"
+  },
+  "devDependencies": {
+    "@earendil-works/pi-ai": "^0.79.3",
+    "@earendil-works/pi-coding-agent": "^0.79.3",
+    "typebox": "^1.2.10",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  },
+  "pi": {
+    "extensions": [
+      "./src/index.ts"
+    ]
+  }
+}

package/src/classifier.ts

@@ -0,0 +1,264 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import type { Model } from "@earendil-works/pi-ai";
+import { complete, StringEnum } from "@earendil-works/pi-ai";
+import type { AssistantMessage, Context, Message, Tool, ToolCall } from "@earendil-works/pi-ai";
+import { Type } from "typebox";
+import type { ResolvedConfig, ClassifierDecision } from "./types";
+
+const CLASSIFIER_TOOL_NAME = "auto_mode_classifier";
+
+const classifierToolSchema = Type.Object({
+  decision: StringEnum(["allow", "block"] as const, {
+    description: "Whether to allow or block the pending tool call",
+  }),
+  reason: Type.String({ description: "Concise explanation for the decision" }),
+  confidence: StringEnum(["high", "medium", "low"] as const, {
+    description: "Confidence level in the decision",
+  }),
+  category: StringEnum(
+    [
+      "user_intent",
+      "security",
+      "data_loss",
+      "scope_creep",
+      "infrastructure",
+      "credential_access",
+      "other",
+    ] as const,
+    { description: "Category of the decision" },
+  ),
+});
+
+const classifierTool: Tool = {
+  name: CLASSIFIER_TOOL_NAME,
+  description:
+    "Classify whether the pending tool call should be allowed or blocked. Provide a concise reason.",
+  parameters: classifierToolSchema,
+};
+
+export function buildPrompt(config: ResolvedConfig): string {
+  if (config.classifier.prompt) {
+    return config.classifier.prompt;
+  }
+
+  return [
+    "You are a security classifier for a coding agent. Your job is to evaluate a pending tool call and decide whether it should be allowed or blocked.",
+    "",
+    "## Environment",
+    ...config.classifier.environment,
+    "",
+    "## Hard Deny Rules (block unless explicitly justified)",
+    ...config.classifier.hardDeny,
+    "",
+    "## Soft Deny Rules (be cautious)",
+    ...config.classifier.softDeny,
+    "",
+    "## Allow Rules (exceptions that are safe)",
+    ...config.classifier.allow,
+    "",
+    "## Decision Rules",
+    "1. Evaluate real-world impact, not surface text.",
+    "2. Be conservative on user intent.",
+    "3. Apply block rules first, then allow exceptions.",
+    "4. If uncertain, block with low confidence.",
+    "",
+    "## IMPORTANT",
+    `You MUST call the \`${CLASSIFIER_TOOL_NAME}\` tool to submit your decision.`,
+    "Do not write a text response — use the tool.",
+  ].join("\n");
+}
+
+function formatPendingToolCall(toolName: string, input: Record<string, unknown>): string {
+  return [
+    "## Pending Tool Call",
+    `Tool: ${toolName}`,
+    "Arguments:",
+    JSON.stringify(input, null, 2),
+  ].join("\n");
+}
+
+function stripTranscript(messages: Message[]): Message[] {
+  return messages.filter((m) => m.role === "user");
+}
+
+const VALID_DECISIONS = ["allow", "block"] as const;
+const VALID_CONFIDENCES = ["high", "medium", "low"] as const;
+const VALID_CATEGORIES = [
+  "user_intent",
+  "security",
+  "data_loss",
+  "scope_creep",
+  "infrastructure",
+  "credential_access",
+  "other",
+] as const;
+
+function isValidDecision(obj: unknown): obj is ClassifierDecision {
+  if (typeof obj !== "object" || obj === null) return false;
+  const d = obj as Record<string, unknown>;
+  return (
+    typeof d.decision === "string" && VALID_DECISIONS.includes(d.decision as any) &&
+    typeof d.reason === "string" &&
+    typeof d.confidence === "string" && VALID_CONFIDENCES.includes(d.confidence as any) &&
+    typeof d.category === "string" && VALID_CATEGORIES.includes(d.category as any)
+  );
+}
+
+function extractArgsFromToolCall(toolCall: { arguments: unknown } | ToolCall): ClassifierDecision | null {
+  let args = toolCall.arguments;
+  // Some providers return arguments as a JSON string
+  if (typeof args === "string") {
+    try {
+      args = JSON.parse(args);
+    } catch {
+      return null;
+    }
+  }
+  return isValidDecision(args) ? args : null;
+}
+
+export function parseClassifierToolCall(message: AssistantMessage): ClassifierDecision | null {
+  const toolCall = message.content.find(
+    (c): c is ToolCall =>
+      c.type === "toolCall" && "name" in c && c.name === CLASSIFIER_TOOL_NAME,
+  );
+
+  if (!toolCall) return null;
+  return extractArgsFromToolCall(toolCall);
+}
+
+export interface ClassifierDeps {
+  complete: typeof complete;
+}
+
+function resolveModel(
+  config: ResolvedConfig,
+  ctx: ExtensionContext,
+): Model<any> | undefined {
+  if (config.classifier.model) {
+    const parts = config.classifier.model.split("/");
+    if (parts.length >= 2) {
+      const provider = parts[0];
+      const modelId = parts.slice(1).join("/");
+      const found = ctx.modelRegistry.find(provider, modelId);
+      if (found) return found;
+    }
+  }
+  return ctx.model;
+}
+
+export async function classify(
+  config: ResolvedConfig,
+  toolName: string,
+  toolInput: Record<string, unknown>,
+  transcript: Message[],
+  ctx: ExtensionContext,
+  currentMode: string,
+  deps: ClassifierDeps = { complete },
+): Promise<ClassifierDecision> {
+  const model = resolveModel(config, ctx);
+  if (!model) {
+    return {
+      decision: "block",
+      reason: "Classifier failed: no model available",
+      confidence: "low",
+      category: "other",
+    };
+  }
+
+  const auth = await ctx.modelRegistry.getApiKeyAndHeaders(model);
+  if (!auth.ok) {
+    return {
+      decision: "block",
+      reason: `Classifier failed: ${auth.error || "no API key available"}`,
+      confidence: "low",
+      category: "other",
+    };
+  }
+
+  const systemPrompt = buildPrompt(config);
+  const userMessages = stripTranscript(transcript);
+  const pendingTool = formatPendingToolCall(toolName, toolInput);
+
+  const context: Context = {
+    systemPrompt,
+    messages: [
+      ...userMessages,
+      { role: "user", content: pendingTool, timestamp: Date.now() },
+      {
+        role: "user",
+        content: `Call the \`${CLASSIFIER_TOOL_NAME}\` tool now with your decision.`,
+        timestamp: Date.now(),
+      },
+    ],
+    tools: [classifierTool],
+  };
+
+  if (ctx.hasUI) {
+    ctx.ui.setStatus("auto-mode", "auto-mode: classifying...");
+  }
+
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), config.classifier.timeoutMs);
+
+  try {
+    const streamOptions: Parameters<typeof deps.complete>[2] = {
+      signal: controller.signal,
+      apiKey: auth.apiKey,
+      headers: auth.headers,
+    };
+    // Let users choose the provider-compatible tool-choice strength instead of
+    // retrying based on provider-specific error text.
+    if (config.classifier.toolMode === "required") {
+      streamOptions.toolChoice = "required";
+    } else if (config.classifier.toolMode !== "auto") {
+      streamOptions.toolChoice = { type: "function", function: { name: CLASSIFIER_TOOL_NAME } };
+    }
+    // Disable reasoning when the model declares a provider-specific way to do so.
+    // If thinkingLevelMap.off is a string, it maps to a provider value (e.g. "none").
+    // If it's null or undefined, reasoning cannot be disabled via this mechanism.
+    if (model.thinkingLevelMap?.off != null) {
+      streamOptions.reasoningEffort = model.thinkingLevelMap.off;
+    }
+    const response = await deps.complete(model, context, streamOptions);
+
+    clearTimeout(timeout);
+
+    if (response.stopReason === "error") {
+      throw new Error(response.errorMessage || "Classifier model returned an error");
+    }
+
+    const parsed = parseClassifierToolCall(response);
+    if (parsed) return parsed;
+
+    // Build a preview of whatever the model returned for debugging
+    const preview = response.content
+      .map((c) => {
+        if (c.type === "text") return c.text;
+        if (c.type === "toolCall") return `[tool:${c.name}] ${JSON.stringify(c.arguments)}`;
+        if (c.type === "thinking") return `[thinking] ${c.thinking.slice(0, 100)}`;
+        return "";
+      })
+      .join(" ")
+      .slice(0, 300);
+
+    // If the model returned absolutely nothing, default to block (safe fallback)
+    if (!preview.trim()) {
+      return {
+        decision: "block",
+        reason: "Classifier returned empty response (model did not produce output)",
+        confidence: "low",
+        category: "other",
+      };
+    }
+
+    throw new Error(`Classifier returned malformed decision (preview: ${preview})`);
+  } catch (error) {
+    clearTimeout(timeout);
+    throw new Error(`Classifier failed: ${error instanceof Error ? error.message : String(error)}`);
+  } finally {
+    if (ctx.hasUI) {
+      ctx.ui.setStatus("auto-mode", `auto-mode: ${currentMode}`);
+    }
+  }
+}

package/src/config-command.ts

@@ -0,0 +1,204 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import type { EffectiveConfigResult } from "./effective-config";
+import type { AutoModeSettings, PermissionMode, ResolvedConfig } from "./types";
+import { isValidMode } from "./mode";
+
+const LIST_KEYS = new Set([
+  "classifier.environment",
+  "classifier.hardDeny",
+  "classifier.softDeny",
+  "classifier.allow",
+  "protectedPaths",
+  "tools.alwaysAllow",
+  "tools.allowInProject",
+  "tools.alwaysEvaluate",
+  "tools.alwaysBlock",
+]);
+
+const SCALAR_KEYS = new Set([
+  "defaultMode",
+  "classifier.model",
+  "classifier.prompt",
+  "classifier.timeoutMs",
+  "classifier.toolMode",
+  "denyAndContinue.maxConsecutiveDenials",
+  "denyAndContinue.maxTotalDenials",
+]);
+
+function settingsPath(cwd: string): string {
+  return path.join(cwd, ".pi", "settings.json");
+}
+
+function readSettings(cwd: string): Record<string, unknown> {
+  try {
+    return JSON.parse(fs.readFileSync(settingsPath(cwd), "utf-8"));
+  } catch {
+    return {};
+  }
+}
+
+function writeSettings(cwd: string, settings: Record<string, unknown>) {
+  const file = settingsPath(cwd);
+  fs.mkdirSync(path.dirname(file), { recursive: true });
+  fs.writeFileSync(file, `${JSON.stringify(settings, null, 2)}\n`);
+}
+
+function ensureAutoMode(settings: Record<string, unknown>): any {
+  if (!settings.autoMode || typeof settings.autoMode !== "object") settings.autoMode = {};
+  return settings.autoMode;
+}
+
+function getPath(obj: any, key: string): unknown {
+  return key.split(".").reduce((cur, part) => cur?.[part], obj);
+}
+
+function setPath(obj: any, key: string, value: unknown) {
+  const parts = key.split(".");
+  let cur = obj;
+  for (const part of parts.slice(0, -1)) {
+    if (!cur[part] || typeof cur[part] !== "object") cur[part] = {};
+    cur = cur[part];
+  }
+  cur[parts[parts.length - 1]!] = value;
+}
+
+function deletePath(obj: any, key: string) {
+  const parts = key.split(".");
+  let cur = obj;
+  for (const part of parts.slice(0, -1)) {
+    if (!cur?.[part] || typeof cur[part] !== "object") return;
+    cur = cur[part];
+  }
+  delete cur[parts[parts.length - 1]!];
+}
+
+function parseValue(key: string, raw: string): unknown {
+  if (raw === "null") return null;
+  if (key === "defaultMode") {
+    if (!isValidMode(raw)) throw new Error("defaultMode must be off, auto, or dontAsk");
+    return raw;
+  }
+  if (key === "classifier.toolMode") {
+    if (!["force", "required", "auto"].includes(raw)) throw new Error("classifier.toolMode must be force, required, or auto");
+    return raw;
+  }
+  if (key === "classifier.timeoutMs" || key.startsWith("denyAndContinue.")) {
+    const n = Number(raw);
+    if (!Number.isFinite(n)) throw new Error(`${key} must be a number`);
+    return n;
+  }
+  return raw;
+}
+
+function format(config: ResolvedConfig): string {
+  return JSON.stringify(config, null, 2);
+}
+
+function formatStatusConfig(config: ResolvedConfig): string {
+  return JSON.stringify(
+    {
+      ...config,
+      classifier: {
+        ...config.classifier,
+        prompt: config.classifier.prompt ?? "<built-in>",
+      },
+    },
+    null,
+    2,
+  );
+}
+
+function notifyUntrustedWrite(ctx: ExtensionContext) {
+  ctx.ui.notify(
+    "Project is not trusted, so project-local auto-mode settings are not currently loaded. Review .pi/settings.json before trusting the project.",
+    "warning",
+  );
+}
+
+export interface AutoModeCommandDeps {
+  resolveEffectiveConfig(ctx: ExtensionContext): EffectiveConfigResult;
+  getMode(): PermissionMode;
+  setMode(mode: PermissionMode, ctx: ExtensionContext): void;
+}
+
+export async function handleAutoModeCommand(args: string, ctx: ExtensionContext, deps: AutoModeCommandDeps): Promise<void> {
+  const tokens = args.trim().match(/(?:[^\s"]+|"[^"]*")+/g)?.map((t) => t.replace(/^"|"$/g, "")) ?? [];
+  const [first, second, third, ...rest] = tokens;
+
+  try {
+    if (!first || first === "cycle") return;
+    if (first === "status") {
+      const { config } = deps.resolveEffectiveConfig(ctx);
+      ctx.ui.notify(`Mode: ${deps.getMode()}\n\nEffective config:\n${formatStatusConfig(config)}`, "info");
+      return;
+    }
+    if (first === "set") {
+      if (!isValidMode(second)) throw new Error("usage: /auto-mode set <off|auto|dontAsk>");
+      deps.setMode(second, ctx);
+      ctx.ui.notify(`auto-mode: ${second}`, "info");
+      return;
+    }
+    if (first !== "config") throw new Error("usage: /auto-mode [status|set|config]");
+
+    if (!second) {
+      const { config } = deps.resolveEffectiveConfig(ctx);
+      ctx.ui.notify(format(config), "info");
+      return;
+    }
+    if (second === "edit") {
+      ctx.ui.notify(`Edit project config at ${settingsPath(ctx.cwd)}`, "info");
+      return;
+    }
+
+    const key = third;
+    if (!key) throw new Error("usage: /auto-mode config <get|set|add|remove|reset> <key> [value]");
+
+    if (second === "get") {
+      const { config } = deps.resolveEffectiveConfig(ctx);
+      ctx.ui.notify(JSON.stringify(getPath(config, key), null, 2), "info");
+      return;
+    }
+
+    const settings = readSettings(ctx.cwd);
+    const autoMode = ensureAutoMode(settings) as AutoModeSettings;
+
+    if (second === "reset") {
+      deletePath(autoMode, key);
+      writeSettings(ctx.cwd, settings);
+      const { includesProject } = deps.resolveEffectiveConfig(ctx);
+      ctx.ui.notify(`Reset ${key}`, "info");
+      if (!includesProject) notifyUntrustedWrite(ctx);
+      return;
+    }
+
+    const rawValue = rest.join(" ");
+    if (!rawValue) throw new Error(`usage: /auto-mode config ${second} ${key} <value>`);
+
+    if (second === "set") {
+      if (!SCALAR_KEYS.has(key) && !LIST_KEYS.has(key)) throw new Error(`Unknown config key: ${key}`);
+      const value = LIST_KEYS.has(key) ? rawValue.split(",").map((s) => s.trim()).filter(Boolean) : parseValue(key, rawValue);
+      setPath(autoMode, key, value);
+    } else if (second === "add" || second === "remove") {
+      if (!LIST_KEYS.has(key)) throw new Error(`${key} is not a list key`);
+      const current = getPath(autoMode, key);
+      const list = Array.isArray(current) ? [...current] : [];
+      if (second === "add" && !list.includes(rawValue)) list.push(rawValue);
+      if (second === "remove") {
+        const idx = list.indexOf(rawValue);
+        if (idx >= 0) list.splice(idx, 1);
+      }
+      setPath(autoMode, key, list);
+    } else {
+      throw new Error("usage: /auto-mode config <get|set|add|remove|reset|edit>");
+    }
+
+    writeSettings(ctx.cwd, settings);
+    const { includesProject } = deps.resolveEffectiveConfig(ctx);
+    ctx.ui.notify(`Updated ${key}`, "info");
+    if (!includesProject) notifyUntrustedWrite(ctx);
+  } catch (error) {
+    ctx.ui.notify(error instanceof Error ? error.message : String(error), "error");
+  }
+}

package/src/config.ts

@@ -0,0 +1,218 @@
+import type { AutoModeSettings, ResolvedConfig, PermissionMode, ClassifierToolMode } from "./types";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
+
+const DEFAULT_MODE: PermissionMode = "off";
+const DEFAULT_MAX_CONSECUTIVE = 3;
+const DEFAULT_MAX_TOTAL = 20;
+const DEFAULT_CLASSIFIER_TIMEOUT_MS = 3000;
+const DEFAULT_CLASSIFIER_TOOL_MODE: ClassifierToolMode = "force";
+
+const DEFAULT_PROTECTED_PATHS = [
+  ".git/",
+  ".env",
+  ".env.",
+  ".pi/",
+  "node_modules/",
+  "~/.bashrc",
+  "~/.zshrc",
+  "~/.ssh/",
+];
+
+const DEFAULT_TOOLS = {
+  alwaysAllow: ["read", "grep", "find", "ls"],
+  allowInProject: ["write", "edit"],
+  alwaysEvaluate: [],
+  alwaysBlock: [],
+};
+
+const BUILTIN_DEFAULTS = {
+  environment: [
+    "This is a standard software development environment.",
+    "The user is a software engineer working on a codebase.",
+  ],
+  hardDeny: [
+    "Never delete .git directories or modify git internals.",
+    "Never modify .env files, .env.* files, or SSH keys in ~/.ssh/.",
+    "Never modify shell configuration files like ~/.bashrc or ~/.zshrc.",
+    "Never run rm -rf on system directories or node_modules/ without explicit user intent.",
+  ],
+  softDeny: [
+    "Be cautious with external API calls that may transmit sensitive data.",
+    "Be cautious with commands that modify infrastructure or deploy to production.",
+  ],
+  allow: [
+    "Reading files and searching code is always allowed.",
+    "Writing and editing files within the current project directory is allowed.",
+    "Running standard build, test, and lint commands is allowed.",
+  ],
+};
+
+function expandDefaults(arr: string[] | undefined, builtin: string[]): string[] {
+  if (!Array.isArray(arr)) return [...builtin];
+  const result: string[] = [];
+  for (const item of arr) {
+    if (item === "$defaults") {
+      result.push(...builtin);
+    } else {
+      result.push(item);
+    }
+  }
+  return result;
+}
+
+function isValidMode(mode: unknown): mode is PermissionMode {
+  return mode === "off" || mode === "auto" || mode === "dontAsk";
+}
+
+function sanitizeString(value: unknown): string | null {
+  if (typeof value === "string") return value;
+  if (value === null) return null;
+  return null;
+}
+
+function sanitizeNumber(value: unknown, fallback: number): number {
+  if (typeof value === "number" && Number.isFinite(value)) return value;
+  return fallback;
+}
+
+function isValidClassifierToolMode(value: unknown): value is ClassifierToolMode {
+  return value === "force" || value === "required" || value === "auto";
+}
+
+export function resolveConfig(
+  globalSettings?: AutoModeSettings,
+  projectSettings?: AutoModeSettings,
+): ResolvedConfig {
+  const merged: ResolvedConfig = {
+    defaultMode: DEFAULT_MODE,
+    classifier: {
+      model: null,
+      prompt: null,
+      environment: ["$defaults"],
+      hardDeny: ["$defaults"],
+      softDeny: ["$defaults"],
+      allow: ["$defaults"],
+      timeoutMs: DEFAULT_CLASSIFIER_TIMEOUT_MS,
+      toolMode: DEFAULT_CLASSIFIER_TOOL_MODE,
+    },
+    denyAndContinue: {
+      maxConsecutiveDenials: DEFAULT_MAX_CONSECUTIVE,
+      maxTotalDenials: DEFAULT_MAX_TOTAL,
+    },
+    tools: { ...DEFAULT_TOOLS },
+    protectedPaths: [...DEFAULT_PROTECTED_PATHS],
+  };
+
+  function mergeLayer(settings: AutoModeSettings | undefined) {
+    if (!settings) return;
+    if (isValidMode(settings.defaultMode)) {
+      merged.defaultMode = settings.defaultMode;
+    }
+    if (settings.classifier) {
+      merged.classifier.model = sanitizeString(settings.classifier.model) ?? merged.classifier.model;
+      merged.classifier.prompt = sanitizeString(settings.classifier.prompt) ?? merged.classifier.prompt;
+      if (Array.isArray(settings.classifier.environment)) {
+        merged.classifier.environment = settings.classifier.environment;
+      }
+      if (Array.isArray(settings.classifier.hardDeny)) {
+        merged.classifier.hardDeny = settings.classifier.hardDeny;
+      }
+      if (Array.isArray(settings.classifier.softDeny)) {
+        merged.classifier.softDeny = settings.classifier.softDeny;
+      }
+      if (Array.isArray(settings.classifier.allow)) {
+        merged.classifier.allow = settings.classifier.allow;
+      }
+      if (typeof settings.classifier.timeoutMs === "number" && Number.isFinite(settings.classifier.timeoutMs)) {
+        merged.classifier.timeoutMs = settings.classifier.timeoutMs;
+      }
+      if (isValidClassifierToolMode(settings.classifier.toolMode)) {
+        merged.classifier.toolMode = settings.classifier.toolMode;
+      }
+    }
+    if (settings.denyAndContinue) {
+      merged.denyAndContinue.maxConsecutiveDenials = sanitizeNumber(
+        settings.denyAndContinue.maxConsecutiveDenials,
+        DEFAULT_MAX_CONSECUTIVE,
+      );
+      merged.denyAndContinue.maxTotalDenials = sanitizeNumber(
+        settings.denyAndContinue.maxTotalDenials,
+        DEFAULT_MAX_TOTAL,
+      );
+    }
+    if (settings.tools) {
+      if (Array.isArray(settings.tools.alwaysAllow)) merged.tools.alwaysAllow = settings.tools.alwaysAllow;
+      if (Array.isArray(settings.tools.allowInProject)) merged.tools.allowInProject = settings.tools.allowInProject;
+      if (Array.isArray(settings.tools.alwaysEvaluate)) merged.tools.alwaysEvaluate = settings.tools.alwaysEvaluate;
+      if (Array.isArray(settings.tools.alwaysBlock)) merged.tools.alwaysBlock = settings.tools.alwaysBlock;
+    }
+    if (Array.isArray(settings.protectedPaths)) {
+      merged.protectedPaths = settings.protectedPaths;
+    }
+  }
+
+  mergeLayer(globalSettings);
+  mergeLayer(projectSettings);
+
+  return {
+    defaultMode: merged.defaultMode,
+    classifier: {
+      model: merged.classifier.model,
+      prompt: merged.classifier.prompt,
+      environment: expandDefaults(merged.classifier.environment, BUILTIN_DEFAULTS.environment),
+      hardDeny: expandDefaults(merged.classifier.hardDeny, BUILTIN_DEFAULTS.hardDeny),
+      softDeny: expandDefaults(merged.classifier.softDeny, BUILTIN_DEFAULTS.softDeny),
+      allow: expandDefaults(merged.classifier.allow, BUILTIN_DEFAULTS.allow),
+      timeoutMs: merged.classifier.timeoutMs,
+      toolMode: merged.classifier.toolMode,
+    },
+    denyAndContinue: {
+      maxConsecutiveDenials: merged.denyAndContinue.maxConsecutiveDenials,
+      maxTotalDenials: merged.denyAndContinue.maxTotalDenials,
+    },
+    tools: {
+      alwaysAllow: merged.tools.alwaysAllow,
+      allowInProject: merged.tools.allowInProject,
+      alwaysEvaluate: merged.tools.alwaysEvaluate,
+      alwaysBlock: merged.tools.alwaysBlock,
+    },
+    protectedPaths: merged.protectedPaths,
+  };
+}
+
+export interface LoadConfigOptions {
+  includeProject: boolean;
+}
+
+export function loadConfig(cwd: string, homeDir = os.homedir(), options: LoadConfigOptions): ResolvedConfig {
+  let globalSettings: AutoModeSettings | undefined;
+  let projectSettings: AutoModeSettings | undefined;
+
+  const globalSettingsPath = path.join(homeDir, ".pi", "agent", "settings.json");
+  try {
+    const raw = fs.readFileSync(globalSettingsPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && "autoMode" in parsed) {
+      globalSettings = parsed.autoMode as AutoModeSettings;
+    }
+  } catch {
+    // file doesn't exist or is malformed — proceed without global settings
+  }
+
+  if (options.includeProject) {
+    const projectSettingsPath = path.join(cwd, ".pi", "settings.json");
+    try {
+      const raw = fs.readFileSync(projectSettingsPath, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (parsed && typeof parsed === "object" && "autoMode" in parsed) {
+        projectSettings = parsed.autoMode as AutoModeSettings;
+      }
+    } catch {
+      // file doesn't exist or is malformed — proceed without project settings
+    }
+  }
+
+  return resolveConfig(globalSettings, projectSettings);
+}

package/src/decision.ts

@@ -0,0 +1,65 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import type { Message } from "@earendil-works/pi-ai";
+import type { PermissionMode, ResolvedConfig } from "./types";
+import { evaluateTier } from "./tiers";
+import { classify } from "./classifier";
+
+export interface DecisionAllow {
+  allow: true;
+}
+export interface DecisionBlock {
+  block: true;
+  reason: string;
+}
+export type DecisionResult = DecisionAllow | DecisionBlock;
+
+export async function makeDecision(
+  mode: PermissionMode,
+  toolName: string,
+  input: Record<string, unknown>,
+  ctx: ExtensionContext,
+  config: ResolvedConfig,
+  transcript: Message[],
+  currentMode: string,
+): Promise<DecisionResult> {
+  const tier = evaluateTier(toolName, input, ctx.cwd, config);
+
+  // Protected paths are blocked unconditionally in all modes
+  if (tier.kind === "block") {
+    return { block: true, reason: tier.reason };
+  }
+
+  if (mode === "off") {
+    return { allow: true };
+  }
+
+  if (tier.kind === "allow") {
+    return { allow: true };
+  }
+
+  // tier.kind === "evaluate"
+  if (mode === "dontAsk") {
+    return { block: true, reason: "Blocked: tool not in auto-allow tier (dontAsk mode)" };
+  }
+
+  // auto mode: call the real classifier
+  try {
+    const classifierDecision = await classify(config, toolName, input, transcript, ctx, currentMode);
+    if (classifierDecision.decision === "allow") {
+      return { allow: true };
+    }
+    return { block: true, reason: classifierDecision.reason };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (ctx.hasUI) {
+      const ok = await ctx.ui.confirm(
+        "Classifier failed",
+        `${message}\n\nAllow this action?`,
+      );
+      if (ok) {
+        return { allow: true };
+      }
+    }
+    return { block: true, reason: message };
+  }
+}

package/src/deny-continue.ts

@@ -0,0 +1,66 @@
+import type { ResolvedConfig } from "./types";
+
+export function createDenyContinueManager() {
+  let consecutiveDenials = 0;
+  let totalDenials = 0;
+  const blockedToolCalls = new Map<string, string>();
+
+  return {
+    buildDenialMessage(reason: string): string {
+      return [
+        "This action was blocked by the permission gate.",
+        "",
+        `Reason: ${reason}`,
+        "",
+        "Please try a different, safer approach.",
+      ].join("\n");
+    },
+
+    recordBlock(toolCallId: string, reason: string) {
+      consecutiveDenials++;
+      totalDenials++;
+      blockedToolCalls.set(toolCallId, reason);
+    },
+
+    recordAllow() {
+      consecutiveDenials = 0;
+    },
+
+    isBlocked(toolCallId: string): boolean {
+      return blockedToolCalls.has(toolCallId);
+    },
+
+    getReason(toolCallId: string): string | undefined {
+      return blockedToolCalls.get(toolCallId);
+    },
+
+    consumeBlocked(toolCallId: string): string | undefined {
+      const reason = blockedToolCalls.get(toolCallId);
+      blockedToolCalls.delete(toolCallId);
+      return reason;
+    },
+
+    getConsecutiveDenials(): number {
+      return consecutiveDenials;
+    },
+
+    getTotalDenials(): number {
+      return totalDenials;
+    },
+
+    isThresholdBreached(config: ResolvedConfig): boolean {
+      return (
+        consecutiveDenials >= config.denyAndContinue.maxConsecutiveDenials ||
+        totalDenials >= config.denyAndContinue.maxTotalDenials
+      );
+    },
+
+    reset() {
+      consecutiveDenials = 0;
+      totalDenials = 0;
+      blockedToolCalls.clear();
+    },
+  };
+}
+
+export type DenyContinueManager = ReturnType<typeof createDenyContinueManager>;

package/src/effective-config.ts

@@ -0,0 +1,17 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import * as os from "node:os";
+import { loadConfig } from "./config";
+import type { ResolvedConfig } from "./types";
+
+export interface EffectiveConfigResult {
+  config: ResolvedConfig;
+  includesProject: boolean;
+}
+
+export function resolveEffectiveConfig(ctx: ExtensionContext, homeDir = os.homedir()): EffectiveConfigResult {
+  const includesProject = ctx.isProjectTrusted();
+  return {
+    config: loadConfig(ctx.cwd, homeDir, { includeProject: includesProject }),
+    includesProject,
+  };
+}

package/src/index.ts

@@ -0,0 +1,73 @@
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import type { Message } from "@earendil-works/pi-ai";
+import { resolveEffectiveConfig } from "./effective-config";
+import { createModeManager } from "./mode";
+import { makeDecision } from "./decision";
+import { createDenyContinueManager } from "./deny-continue";
+import { getClassifierTranscript } from "./session-context";
+
+export default function (pi: ExtensionAPI) {
+  const modeManager = createModeManager(pi, resolveEffectiveConfig);
+  const denyManager = createDenyContinueManager();
+  modeManager.setup();
+
+  pi.on("session_start", async (_event, _ctx) => {
+    denyManager.reset();
+  });
+
+  pi.on("tool_call", async (event, ctx) => {
+    const { config } = resolveEffectiveConfig(ctx);
+    const transcript: Message[] = getClassifierTranscript(ctx);
+
+    const decision = await makeDecision(
+      modeManager.getMode(),
+      event.toolName,
+      event.input,
+      ctx,
+      config,
+      transcript,
+      modeManager.getMode(),
+    );
+
+    if ("allow" in decision) {
+      denyManager.recordAllow();
+      return undefined;
+    }
+
+    // Block
+    denyManager.recordBlock(event.toolCallId, decision.reason);
+
+    if (ctx.hasUI) {
+      ctx.ui.notify(`Blocked: ${decision.reason}`, "warning");
+    }
+
+    if (denyManager.isThresholdBreached(config)) {
+      if (ctx.hasUI) {
+        const ok = await ctx.ui.confirm(
+          "Auto-mode threshold reached",
+          `The agent has been blocked ${denyManager.getConsecutiveDenials()} consecutive times. Allow this action?`,
+        );
+        if (ok) {
+          denyManager.recordAllow();
+          denyManager.consumeBlocked(event.toolCallId);
+          return undefined;
+        }
+      } else {
+        ctx.shutdown();
+      }
+    }
+
+    return { block: true, reason: decision.reason };
+  });
+
+  pi.on("tool_result", async (event, _ctx) => {
+    const reason = denyManager.consumeBlocked(event.toolCallId);
+    if (reason) {
+      const message = denyManager.buildDenialMessage(reason);
+      return {
+        content: [{ type: "text", text: message }],
+      };
+    }
+    return undefined;
+  });
+}

package/src/mode.ts

@@ -0,0 +1,130 @@
+import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
+import type { EffectiveConfigResult } from "./effective-config";
+import type { PermissionMode } from "./types";
+import { handleAutoModeCommand } from "./config-command";
+import { getActiveAutoModeStateEntries } from "./session-context";
+
+const MODES: PermissionMode[] = ["off", "auto", "dontAsk"];
+
+export function isValidMode(mode: unknown): mode is PermissionMode {
+  return mode === "off" || mode === "auto" || mode === "dontAsk";
+}
+
+export function resolveInitialMode(
+  flagValue: string | boolean | undefined,
+  sessionEntries: Array<{ customType?: string; data?: unknown }>,
+  settingsDefault: PermissionMode,
+): PermissionMode {
+  // 1. CLI flag
+  if (typeof flagValue === "string" && isValidMode(flagValue)) {
+    return flagValue;
+  }
+
+  // 2. Session state (most recent)
+  let sessionMode: PermissionMode | undefined;
+  for (const entry of sessionEntries) {
+    if (entry.customType === "auto-mode-state") {
+      const data = entry.data as Record<string, unknown> | undefined;
+      if (data && isValidMode(data.mode)) {
+        sessionMode = data.mode;
+      }
+    }
+  }
+  if (sessionMode) return sessionMode;
+
+  // 3. Settings default
+  if (isValidMode(settingsDefault)) return settingsDefault;
+
+  // 4. Off
+  return "off";
+}
+
+export function cycleMode(current: PermissionMode): PermissionMode {
+  const idx = MODES.indexOf(current);
+  return MODES[(idx + 1) % MODES.length];
+}
+
+export interface ModeManager {
+  getMode(): PermissionMode;
+  setMode(mode: PermissionMode, ctx: ExtensionContext): void;
+  cycleMode(ctx: ExtensionContext): void;
+  setup(): void;
+}
+
+export function createModeManager(
+  pi: ExtensionAPI,
+  resolveEffectiveConfig: (ctx: ExtensionContext) => EffectiveConfigResult,
+): ModeManager {
+  let currentMode: PermissionMode = "off";
+
+  function updateStatus(ctx: ExtensionContext) {
+    ctx.ui.setStatus("auto-mode", `auto-mode: ${currentMode}`);
+  }
+
+  function persistAndUpdate(mode: PermissionMode, ctx: ExtensionContext) {
+    currentMode = mode;
+    pi.appendEntry("auto-mode-state", { mode });
+    updateStatus(ctx);
+  }
+
+  return {
+    getMode() {
+      return currentMode;
+    },
+    setMode(mode, ctx) {
+      persistAndUpdate(mode, ctx);
+    },
+    cycleMode(ctx) {
+      persistAndUpdate(cycleMode(currentMode), ctx);
+    },
+    setup() {
+      pi.registerFlag("auto-mode", {
+        description: "Set auto mode (off, auto, dontAsk)",
+        type: "string",
+        default: undefined,
+      });
+
+      pi.registerCommand("auto-mode", {
+        description: "Configure auto-mode, or cycle states with no arguments",
+        handler: async (args, ctx) => {
+          if (!String(args ?? "").trim()) {
+            persistAndUpdate(cycleMode(currentMode), ctx);
+            return;
+          }
+          await handleAutoModeCommand(String(args), ctx, {
+            resolveEffectiveConfig,
+            getMode: () => currentMode,
+            setMode: (mode, commandCtx) => persistAndUpdate(mode, commandCtx),
+          });
+        },
+      });
+
+      pi.registerShortcut("ctrl+shift+a", {
+        description: "Toggle auto-mode",
+        handler: async (ctx) => {
+          persistAndUpdate(cycleMode(currentMode), ctx);
+        },
+      });
+
+      pi.on("session_start", async (_event, ctx) => {
+        const flagValue = pi.getFlag("auto-mode");
+
+        // In non-interactive mode without explicit flag, force off
+        if (!ctx.hasUI && !flagValue) {
+          currentMode = "off";
+          updateStatus(ctx);
+          return;
+        }
+
+        const effectiveConfig = resolveEffectiveConfig(ctx).config;
+        const mode = resolveInitialMode(
+          flagValue,
+          getActiveAutoModeStateEntries(ctx),
+          effectiveConfig.defaultMode,
+        );
+        currentMode = mode;
+        updateStatus(ctx);
+      });
+    },
+  };
+}

package/src/session-context.ts

@@ -0,0 +1,29 @@
+import { buildSessionContext, type CustomEntry, type ExtensionContext } from "@earendil-works/pi-coding-agent";
+import type { Message } from "@earendil-works/pi-ai";
+
+function isUserMessage(message: unknown): message is Message {
+  return (
+    typeof message === "object" &&
+    message !== null &&
+    (message as { role?: unknown }).role === "user"
+  );
+}
+
+export interface AutoModeStateEntry {
+  customType: "auto-mode-state";
+  data?: unknown;
+}
+
+export function getClassifierTranscript(ctx: ExtensionContext): Message[] {
+  return buildSessionContext(ctx.sessionManager.getBranch()).messages.filter(isUserMessage);
+}
+
+export function getActiveAutoModeStateEntries(ctx: ExtensionContext): AutoModeStateEntry[] {
+  return ctx.sessionManager
+    .getBranch()
+    .filter(
+      (entry): entry is CustomEntry & { customType: "auto-mode-state" } =>
+        entry.type === "custom" && entry.customType === "auto-mode-state",
+    )
+    .map((entry) => ({ customType: entry.customType, data: entry.data }));
+}

package/src/tiers.ts

@@ -0,0 +1,91 @@
+import * as path from "node:path";
+import type { ResolvedConfig } from "./types";
+
+const DEFAULT_CONFIG: Pick<ResolvedConfig, "tools" | "protectedPaths"> = {
+  protectedPaths: [".git/", ".env", ".env.", ".pi/", "node_modules/", "~/.bashrc", "~/.zshrc", "~/.ssh/"],
+  tools: {
+    alwaysAllow: ["read", "grep", "find", "ls"],
+    allowInProject: ["write", "edit"],
+    alwaysEvaluate: [],
+    alwaysBlock: [],
+  },
+};
+
+export interface TierResultAllow {
+  kind: "allow";
+}
+export interface TierResultBlock {
+  kind: "block";
+  reason: string;
+}
+export interface TierResultEvaluate {
+  kind: "evaluate";
+}
+export type TierResult = TierResultAllow | TierResultBlock | TierResultEvaluate;
+
+export function isProtectedPath(filePath: string, protectedPatterns = DEFAULT_CONFIG.protectedPaths): boolean {
+  const normalized = filePath.replace(/\\/g, "/");
+  for (const pattern of protectedPatterns) {
+    if (pattern.endsWith("/")) {
+      if (normalized.includes(pattern)) return true;
+    } else if (pattern.startsWith(".env.")) {
+      if (normalized.includes(pattern)) return true;
+    } else if (pattern === ".env") {
+      const segments = normalized.split("/");
+      const filename = segments[segments.length - 1];
+      if (filename === ".env" || filename.startsWith(".env.")) return true;
+    } else {
+      if (normalized.includes(pattern)) return true;
+    }
+  }
+  return false;
+}
+
+function getPathFromInput(toolName: string, input: Record<string, unknown>): string | undefined {
+  if (typeof input.path === "string") return input.path;
+  if (toolName === "bash" && typeof input.command === "string") {
+    return input.command;
+  }
+  return undefined;
+}
+
+function isWithinCwd(filePath: string, cwd: string): boolean {
+  const resolved = path.resolve(cwd, filePath);
+  const resolvedCwd = path.resolve(cwd);
+  const relative = path.relative(resolvedCwd, resolved);
+  return !relative.startsWith("..") && !path.isAbsolute(relative);
+}
+
+export function evaluateTier(
+  toolName: string,
+  input: Record<string, unknown>,
+  cwd: string,
+  config: Pick<ResolvedConfig, "tools" | "protectedPaths"> = DEFAULT_CONFIG,
+): TierResult {
+  const effective = {
+    protectedPaths: config.protectedPaths ?? DEFAULT_CONFIG.protectedPaths,
+    tools: { ...DEFAULT_CONFIG.tools, ...(config.tools ?? {}) },
+  };
+
+  if (effective.tools.alwaysBlock.includes(toolName)) {
+    return { kind: "block", reason: `Blocked: tool "${toolName}" is always blocked` };
+  }
+
+  const targetPath = getPathFromInput(toolName, input);
+
+  if (targetPath && isProtectedPath(targetPath, effective.protectedPaths)) {
+    return { kind: "block", reason: `Blocked: path "${targetPath}" is protected` };
+  }
+
+  if (effective.tools.alwaysAllow.includes(toolName)) {
+    return { kind: "allow" };
+  }
+
+  if (!effective.tools.alwaysEvaluate.includes(toolName) && effective.tools.allowInProject.includes(toolName) && targetPath) {
+    if (isWithinCwd(targetPath, cwd)) {
+      return { kind: "allow" };
+    }
+  }
+
+  return { kind: "evaluate" };
+}

package/src/types.ts

@@ -0,0 +1,56 @@
+export type PermissionMode = "off" | "auto" | "dontAsk";
+
+export interface ClassifierDecision {
+  decision: "allow" | "block";
+  reason: string;
+  confidence: "high" | "medium" | "low";
+  category:
+    | "user_intent"
+    | "security"
+    | "data_loss"
+    | "scope_creep"
+    | "infrastructure"
+    | "credential_access"
+    | "other";
+}
+
+export interface DenyAndContinueConfig {
+  maxConsecutiveDenials: number;
+  maxTotalDenials: number;
+}
+
+export type ClassifierToolMode = "force" | "required" | "auto";
+
+export interface ClassifierConfig {
+  model: string | null;
+  prompt: string | null;
+  environment: string[];
+  hardDeny: string[];
+  softDeny: string[];
+  allow: string[];
+  timeoutMs: number;
+  toolMode?: ClassifierToolMode;
+}
+
+export interface ToolTierConfig {
+  alwaysAllow: string[];
+  allowInProject: string[];
+  alwaysEvaluate: string[];
+  alwaysBlock: string[];
+}
+
+export interface AutoModeSettings {
+  defaultMode: PermissionMode;
+  classifier: ClassifierConfig;
+  denyAndContinue: DenyAndContinueConfig;
+  tools?: ToolTierConfig;
+  protectedPaths?: string[];
+}
+
+export interface ResolvedConfig {
+  defaultMode: PermissionMode;
+  classifier: Required<ClassifierConfig>;
+  denyAndContinue: Required<DenyAndContinueConfig>;
+  tools: Required<ToolTierConfig>;
+  protectedPaths: string[];
+}