@mediadatafusion/pi-workflow-suite 0.0.8 → 0.0.10

package/extensions/subagent/repolock-guard.ts

@@ -0,0 +1,111 @@
+import { existsSync, realpathSync } from "node:fs";
+import { isAbsolute, resolve } from "node:path";
+import { getAgentDir, type ExtensionAPI } from "@earendil-works/pi-coding-agent";
+
+const PATH_SCOPED_TOOLS = new Set(["read", "grep", "find", "ls", "edit", "write"]);
+
+function safeRealpath(path: string): string {
+  try {
+    return realpathSync(path);
+  } catch {
+    return path;
+  }
+}
+
+function resolveCandidatePath(pathValue: string, cwd: string): string {
+  const expanded = pathValue === "~" || pathValue.startsWith("~/") ? resolve(process.env.HOME || cwd, pathValue.slice(2)) : pathValue;
+  const resolved = isAbsolute(expanded) ? resolve(expanded) : resolve(cwd, expanded || ".");
+  if (existsSync(resolved)) return safeRealpath(resolved);
+  const existingParent = safeRealpath(resolve(resolved, ".."));
+  return resolve(existingParent, resolved.split(/[\\/]/).pop() || "");
+}
+
+function pathInsideRoot(candidate: string, root: string): boolean {
+  return candidate === root || candidate.startsWith(`${root}/`);
+}
+
+function protectedRepoPath(candidate: string, root: string): boolean {
+  const rel = candidate === root ? "" : candidate.slice(root.length + 1);
+  return rel === ".pi" || rel.startsWith(".pi/");
+}
+
+function piRuntimeInstructionPath(candidate: string): boolean {
+  const root = safeRealpath(getAgentDir());
+  if (!pathInsideRoot(candidate, root)) return false;
+  const rel = candidate === root ? "" : candidate.slice(root.length + 1);
+  return rel === "skills" || rel.startsWith("skills/")
+    || rel === "agents" || rel.startsWith("agents/")
+    || rel === "config/prompts" || rel.startsWith("config/prompts/")
+    || rel === "prompts" || rel.startsWith("prompts/")
+    || rel === "themes" || rel.startsWith("themes/");
+}
+
+function repoLockPathBlock(pathValue: unknown, cwd: string, tool: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED !== "1") return undefined;
+  const root = safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT || cwd);
+  const candidate = resolveCandidatePath(typeof pathValue === "string" && pathValue.trim() ? pathValue.trim() : ".", cwd);
+  if (!pathInsideRoot(candidate, root)) {
+    if ((tool === "read" || tool === "grep" || tool === "find" || tool === "ls") && piRuntimeInstructionPath(candidate)) return undefined;
+    return `Repo Lock blocked sub-agent path outside current repository: ${candidate} (repo root: ${root})`;
+  }
+  if ((tool === "edit" || tool === "write") && protectedRepoPath(candidate, root)) return `Repo Lock blocked sub-agent ${tool} for protected project control path: ${candidate}`;
+  return undefined;
+}
+
+function stripHereDocBodies(command: string): string {
+  const lines = command.split("\n");
+  const kept: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    kept.push(line);
+    const match = line.match(/<<[-]?\s*['\"]?([A-Za-z_][A-Za-z0-9_]*)['\"]?/);
+    if (!match) continue;
+    const marker = match[1];
+    i++;
+    while (i < lines.length && lines[i].trim() !== marker) i++;
+  }
+  return kept.join("\n");
+}
+
+function stripUriTokens(command: string): string {
+  return command.replace(/\b[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\s'"`;&|)]*/g, " ");
+}
+
+function bashPathCandidates(command: string): string[] {
+  const trimmed = stripUriTokens(stripHereDocBodies(command)).trim();
+  if (!trimmed) return [];
+  return Array.from(trimmed.matchAll(/(?:^|[\s=:'"`])((?:\.{1,2}|~|\/)[^\s'"`;&|)]*)/g)).map((match) => match[1]).filter(Boolean);
+}
+
+function repoLockBashBlock(command: string, cwd: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED !== "1") return undefined;
+  const root = safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT || cwd);
+  const candidates = bashPathCandidates(command);
+  for (const raw of candidates) {
+    if (raw === "." || raw === "./" || raw === "/") continue;
+    const cleaned = raw.replace(/[),]+$/, "");
+    if (!cleaned || cleaned.startsWith("./node_modules/.bin")) continue;
+    const candidate = resolveCandidatePath(cleaned, cwd);
+    if (!pathInsideRoot(candidate, root)) return `Repo Lock blocked sub-agent bash path outside current repository: ${cleaned} -> ${candidate} (repo root: ${root})`;
+  }
+  return undefined;
+}
+
+export default function repoLockSubagentGuard(pi: ExtensionAPI): void {
+  pi.on("tool_call", (event, ctx) => {
+    if (PATH_SCOPED_TOOLS.has(event.toolName)) {
+      const reason = repoLockPathBlock((event.input as { path?: unknown; file_path?: unknown }).path ?? (event.input as { file_path?: unknown }).file_path, ctx.cwd, event.toolName);
+      if (reason) return { block: true, reason };
+    }
+    if (event.toolName === "bash") {
+      const command = String((event.input as { command?: unknown }).command ?? "");
+      const reason = repoLockBashBlock(command, ctx.cwd);
+      if (reason) return { block: true, reason };
+    }
+  });
+
+  pi.on("user_bash", (event, ctx) => {
+    const reason = repoLockBashBlock(event.command, ctx.cwd);
+    if (reason) return { result: { output: reason, exitCode: 1, cancelled: false, truncated: false } };
+  });
+}

package/extensions/subagent/runner.ts

@@ -5,12 +5,13 @@
  * sub-agent policy before the main planner/executor/reviewer/validator turn.
  */
 
-import { spawn } from "node:child_process";
+import { execFileSync, spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as os from "node:os";
 import * as path from "node:path";
 import type { Message } from "@earendil-works/pi-ai";
 import { withFileMutationQueue } from "@earendil-works/pi-coding-agent";
+import { loadWorkflowSettings } from "../workflow-model-router.js";
 import { type AgentConfig, type AgentScope, type AgentSource, discoverAgents } from "./agents.js";
 
 export interface WorkflowSubagentTask {
@@ -60,6 +61,37 @@ export interface WorkflowSubagentRunOptions {
 }
 
 const MAX_CONCURRENCY = 4;
+const REPOLOCK_GUARD_EXTENSION = path.join(path.dirname(new URL(import.meta.url).pathname), "repolock-guard.ts");
+
+function safeRealpath(candidate: string): string {
+  try {
+    return fs.realpathSync(candidate);
+  } catch {
+    return candidate;
+  }
+}
+
+function pathInsideRoot(candidate: string, root: string): boolean {
+  return candidate === root || candidate.startsWith(`${root}${path.sep}`);
+}
+
+function resolveSubagentCwd(candidate: string | undefined, defaultCwd: string): string {
+  return safeRealpath(path.resolve(defaultCwd, candidate || "."));
+}
+
+function repoRootForCwd(cwd: string): string {
+  try {
+    const root = execFileSync("git", ["rev-parse", "--show-toplevel"], { cwd, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    return safeRealpath(root || cwd);
+  } catch {
+    return safeRealpath(cwd);
+  }
+}
+
+function repoLockRootForSubagent(defaultCwd: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED === "1" && process.env.PI_WORKFLOW_REPO_LOCK_ROOT) return safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT);
+  return loadWorkflowSettings(defaultCwd).safety.repoLockEnabled === true ? repoRootForCwd(defaultCwd) : undefined;
+}
 
 function finalOutput(messages: Message[]): string {
   for (let i = messages.length - 1; i >= 0; i--) {
@@ -132,7 +164,22 @@ async function runSingleWorkflowSubagent(
     };
   }
 
-  const args: string[] = ["--no-extensions", "--mode", "json", "-p", "--no-session"];
+  const lockRoot = repoLockRootForSubagent(defaultCwd);
+  const effectiveCwd = resolveSubagentCwd(task.cwd, defaultCwd);
+  if (lockRoot && !pathInsideRoot(effectiveCwd, lockRoot)) {
+    return {
+      agent: task.agent,
+      agentSource: agent.source,
+      agentTools: agent.tools,
+      task: task.task,
+      exitCode: 1,
+      output: "",
+      stderr: `Repo Lock blocked sub-agent cwd outside current repository: ${effectiveCwd} (repo root: ${lockRoot})`,
+      usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, cost: 0, contextTokens: 0, turns: 0 },
+    };
+  }
+
+  const args: string[] = ["--no-extensions", "--extension", REPOLOCK_GUARD_EXTENSION, "--mode", "json", "-p", "--no-session"];
   if (agent.model) args.push("--model", agent.model);
   if (agent.tools && agent.tools.length > 0) args.push("--tools", agent.tools.join(","));
 
@@ -162,13 +209,14 @@ async function runSingleWorkflowSubagent(
     const exitCode = await new Promise<number>((resolve) => {
       const invocation = getPiInvocation(args);
       const proc = spawn(invocation.command, invocation.args, {
-        cwd: task.cwd ?? defaultCwd,
+        cwd: effectiveCwd,
         shell: false,
         stdio: ["ignore", "pipe", "pipe"],
         env: {
           ...process.env,
           PI_SUBAGENT_WORKER: "1",
           PI_SUBAGENT_NAME: agent.name,
+          ...(lockRoot ? { PI_WORKFLOW_REPO_LOCK_ENABLED: "1", PI_WORKFLOW_REPO_LOCK_ROOT: lockRoot } : {}),
         },
       });
       let buffer = "";