@oyasmi/pipiclaw 0.5.4 → 0.5.6

package/dist/security/path-guard.js

@@ -0,0 +1,237 @@
+import { existsSync, lstatSync, realpathSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { basename, dirname, isAbsolute, normalize, resolve } from "node:path";
+const PRIVATE_KEY_EXTENSIONS = new Set([".pem", ".key", ".p12", ".pfx"]);
+const PRIVATE_KEY_NAME_HINTS = /(id_rsa|id_ed25519|private|secret|credentials)/i;
+const PROC_MEM_PATH = /^\/proc\/\d+\/mem(?:\/|$)/;
+const HOME_SENSITIVE_PREFIXES = [
+    "~/.ssh/",
+    "~/.gnupg/",
+    "~/.gpg/",
+    "~/.aws/",
+    "~/.azure/",
+    "~/.gcloud/",
+    "~/.config/gcloud/",
+    "~/.kube/",
+    "~/.docker/",
+    "~/Library/Keychains/",
+    "~/.local/share/keyrings/",
+    "~/Library/Application Support/Google/Chrome/",
+    "~/Library/Application Support/Firefox/",
+    "~/.config/google-chrome/",
+    "~/.mozilla/firefox/",
+];
+const HOME_SENSITIVE_FILES = ["~/.netrc", "~/.npmrc", "~/.pypirc", "~/.bash_history", "~/.zsh_history"];
+const WRITE_DENY_HOME_FILES = ["~/.bashrc", "~/.zshrc", "~/.profile", "~/.bash_profile", "~/.config/fish/config.fish"];
+const SYSTEM_SENSITIVE_PREFIXES = ["/etc/sudoers.d/", "/var/run/secrets/"];
+const SYSTEM_SENSITIVE_FILES = ["/etc/shadow", "/etc/gshadow", "/etc/sudoers", "/proc/kcore"];
+const TEMP_PREFIXES = ["/tmp/", "/var/tmp/", "/private/tmp/"];
+const SYSTEM_DENY_PREFIXES = [
+    "/etc/",
+    "/usr/",
+    "/bin/",
+    "/sbin/",
+    "/lib/",
+    "/lib64/",
+    "/boot/",
+    "/dev/",
+    "/proc/",
+    "/sys/",
+    "/opt/",
+    "/System/",
+    "/Library/",
+    "/var/",
+];
+function stripNullAndNormalize(text) {
+    return text.replace(/\0/g, "").normalize("NFKC");
+}
+function withTrailingSlash(path) {
+    return path.endsWith("/") ? path : `${path}/`;
+}
+function startsWithPathPrefix(path, prefix) {
+    return path === prefix || path.startsWith(withTrailingSlash(prefix));
+}
+function maybeExpandHome(path, homeDir) {
+    if (path === "~") {
+        return homeDir;
+    }
+    if (path.startsWith("~/")) {
+        return resolve(homeDir, path.slice(2));
+    }
+    return path;
+}
+function resolveHomeConfiguredPath(rawPath, homeDir) {
+    return normalize(maybeExpandHome(stripNullAndNormalize(rawPath), homeDir));
+}
+function translateRuntimeWorkspacePath(path, ctx) {
+    if (!isAbsolute(path)) {
+        return path;
+    }
+    if (!ctx.workspacePath || ctx.workspacePath === ctx.workspaceDir) {
+        return path;
+    }
+    if (path === ctx.workspacePath) {
+        return ctx.workspaceDir;
+    }
+    if (path.startsWith(withTrailingSlash(ctx.workspacePath))) {
+        return resolve(ctx.workspaceDir, path.slice(ctx.workspacePath.length + 1));
+    }
+    return path;
+}
+function resolveConfiguredPath(rawPath, ctx) {
+    const homeDir = ctx.homeDir ?? homedir();
+    const normalized = stripNullAndNormalize(rawPath);
+    const expanded = maybeExpandHome(normalized, homeDir);
+    const translated = translateRuntimeWorkspacePath(expanded, ctx);
+    if (isAbsolute(translated)) {
+        return normalize(translated);
+    }
+    return resolve(ctx.workspaceDir, translated);
+}
+function resolveTargetPath(rawPath, ctx) {
+    const homeDir = ctx.homeDir ?? homedir();
+    const cwd = ctx.cwd ?? process.cwd();
+    const normalized = stripNullAndNormalize(rawPath);
+    const expanded = maybeExpandHome(normalized, homeDir);
+    const translated = translateRuntimeWorkspacePath(expanded, ctx);
+    if (isAbsolute(translated)) {
+        return normalize(translated);
+    }
+    return resolve(cwd, translated);
+}
+function resolveExistingAncestor(path) {
+    let current = normalize(path);
+    while (true) {
+        if (existsSync(current)) {
+            return realpathSync(current);
+        }
+        const parent = dirname(current);
+        if (parent === current) {
+            return current;
+        }
+        current = parent;
+    }
+}
+function resolveForGuard(path, ctx) {
+    const normalized = normalize(path);
+    const resolveSymlinks = ctx.config.resolveSymlinks !== false;
+    if (!resolveSymlinks) {
+        return normalized;
+    }
+    if (existsSync(normalized)) {
+        return realpathSync(normalized);
+    }
+    const parentDir = dirname(normalized);
+    const parentRealPath = resolveExistingAncestor(parentDir);
+    return resolve(parentRealPath, basename(normalized));
+}
+function matchesAnyPath(path, exactPaths, prefixes) {
+    return exactPaths.includes(path) || prefixes.some((prefix) => startsWithPathPrefix(path, prefix));
+}
+function matchesSensitiveReadPath(path, homeDir) {
+    const sensitiveHomePrefixes = HOME_SENSITIVE_PREFIXES.map((item) => resolveHomeConfiguredPath(item, homeDir));
+    const sensitiveHomeFiles = HOME_SENSITIVE_FILES.map((item) => resolveHomeConfiguredPath(item, homeDir));
+    const sensitiveSystemPrefixes = SYSTEM_SENSITIVE_PREFIXES.map((item) => normalize(item));
+    const sensitiveSystemFiles = SYSTEM_SENSITIVE_FILES.map((item) => normalize(item));
+    if (matchesAnyPath(path, sensitiveHomeFiles, sensitiveHomePrefixes)) {
+        return true;
+    }
+    if (matchesAnyPath(path, sensitiveSystemFiles, sensitiveSystemPrefixes)) {
+        return true;
+    }
+    if (PROC_MEM_PATH.test(path)) {
+        return true;
+    }
+    const lowerBase = basename(path).toLowerCase();
+    const extension = lowerBase.includes(".") ? lowerBase.slice(lowerBase.lastIndexOf(".")) : "";
+    if (PRIVATE_KEY_EXTENSIONS.has(extension) && PRIVATE_KEY_NAME_HINTS.test(lowerBase)) {
+        return true;
+    }
+    return PRIVATE_KEY_NAME_HINTS.test(lowerBase) && lowerBase.startsWith("id_");
+}
+function matchesSensitiveWritePath(path, homeDir) {
+    if (matchesSensitiveReadPath(path, homeDir)) {
+        return true;
+    }
+    const writeDenyHomeFiles = WRITE_DENY_HOME_FILES.map((item) => resolveHomeConfiguredPath(item, homeDir));
+    return writeDenyHomeFiles.includes(path);
+}
+function isWithinTemp(path) {
+    const configuredPrefixes = TEMP_PREFIXES.map((prefix) => normalize(prefix));
+    const runtimeTmpDir = normalize(tmpdir());
+    const runtimePrefixes = existsSync(runtimeTmpDir)
+        ? [runtimeTmpDir, resolveExistingAncestor(runtimeTmpDir)]
+        : [runtimeTmpDir];
+    return [...configuredPrefixes, ...runtimePrefixes].some((prefix) => startsWithPathPrefix(path, prefix));
+}
+function isWithinHome(path, homeDir) {
+    return startsWithPathPrefix(path, normalize(homeDir));
+}
+function isWithinWorkspace(path, workspaceDir) {
+    return startsWithPathPrefix(path, normalize(workspaceDir));
+}
+function isDeniedSystemPath(path) {
+    if (isWithinTemp(path)) {
+        return false;
+    }
+    return SYSTEM_DENY_PREFIXES.some((prefix) => startsWithPathPrefix(path, normalize(prefix)));
+}
+function matchesConfiguredPath(path, entries, ctx) {
+    return entries.map((entry) => resolveConfiguredPath(entry, ctx)).some((entry) => startsWithPathPrefix(path, entry));
+}
+function pathAllowedByDefaults(path, ctx) {
+    const homeDir = ctx.homeDir ?? homedir();
+    return isWithinWorkspace(path, ctx.workspaceDir) || isWithinTemp(path) || isWithinHome(path, homeDir);
+}
+function formatBlockedResult(operation, rawPath, resolvedPath, category, reason) {
+    return {
+        allowed: false,
+        operation,
+        rawPath,
+        resolvedPath,
+        category,
+        reason,
+    };
+}
+export function guardPath(rawPath, operation, ctx) {
+    if (!ctx.config.enabled) {
+        return { allowed: true, operation, rawPath };
+    }
+    const homeDir = ctx.homeDir ?? homedir();
+    const effectiveCtx = {
+        ...ctx,
+        workspaceDir: resolveForGuard(ctx.workspaceDir, ctx),
+        homeDir: resolveForGuard(homeDir, ctx),
+    };
+    const resolvedTarget = resolveTargetPath(rawPath, ctx);
+    const guardedPath = resolveForGuard(resolvedTarget, ctx);
+    if (matchesConfiguredPath(guardedPath, operation === "read" ? effectiveCtx.config.readDeny : effectiveCtx.config.writeDeny, effectiveCtx)) {
+        return formatBlockedResult(operation, rawPath, guardedPath, "configured-deny", "Path is denied by security config");
+    }
+    if (operation === "read" && matchesSensitiveReadPath(guardedPath, effectiveCtx.homeDir ?? homeDir)) {
+        return formatBlockedResult(operation, rawPath, guardedPath, "sensitive-read-path", "Reading sensitive paths is not allowed");
+    }
+    if (operation === "write" && matchesSensitiveWritePath(guardedPath, effectiveCtx.homeDir ?? homeDir)) {
+        return formatBlockedResult(operation, rawPath, guardedPath, "sensitive-write-path", "Writing sensitive paths is not allowed");
+    }
+    if (operation === "write" && existsSync(resolvedTarget)) {
+        try {
+            if (lstatSync(resolvedTarget).isSymbolicLink()) {
+                return formatBlockedResult(operation, rawPath, guardedPath, "symlink-write", "Writing through symbolic links is not allowed");
+            }
+        }
+        catch {
+            // Ignore lstat races and continue with resolved-path checks.
+        }
+    }
+    if (matchesConfiguredPath(guardedPath, operation === "read" ? effectiveCtx.config.readAllow : effectiveCtx.config.writeAllow, effectiveCtx)) {
+        return { allowed: true, operation, rawPath, resolvedPath: guardedPath };
+    }
+    if (pathAllowedByDefaults(guardedPath, effectiveCtx)) {
+        return { allowed: true, operation, rawPath, resolvedPath: guardedPath };
+    }
+    if (isDeniedSystemPath(guardedPath)) {
+        return formatBlockedResult(operation, rawPath, guardedPath, "system-path", `${operation === "read" ? "Reading" : "Writing"} system paths is not allowed by default`);
+    }
+    return formatBlockedResult(operation, rawPath, guardedPath, "outside-allowed-roots", `${operation === "read" ? "Reading" : "Writing"} outside workspace, home, and temp paths is not allowed`);
+}

package/dist/security/types.d.ts

@@ -0,0 +1,66 @@
+export interface SecurityConfig {
+    enabled: boolean;
+    commandGuard: {
+        enabled: boolean;
+        additionalDenyPatterns: string[];
+        allowPatterns: string[];
+        blockObfuscation: boolean;
+    };
+    pathGuard: {
+        enabled: boolean;
+        readAllow: string[];
+        readDeny: string[];
+        writeAllow: string[];
+        writeDeny: string[];
+        resolveSymlinks: boolean;
+    };
+    audit: {
+        logBlocked: boolean;
+        logFile?: string;
+    };
+}
+export interface SecurityRuntimeContext {
+    workspaceDir: string;
+    workspacePath: string;
+    cwd?: string;
+    homeDir?: string;
+}
+export interface PathGuardContext extends SecurityRuntimeContext {
+    config: SecurityConfig["pathGuard"];
+}
+export interface PathGuardResult {
+    allowed: boolean;
+    operation: "read" | "write";
+    category?: string;
+    reason?: string;
+    rawPath: string;
+    resolvedPath?: string;
+}
+export interface CommandGuardResult {
+    allowed: boolean;
+    category?: string;
+    rule?: string;
+    reason?: string;
+    matchedText?: string;
+}
+export interface SecurityLogEventBase {
+    tool: string;
+    channelId?: string;
+}
+export interface BlockedPathLogEvent extends SecurityLogEventBase {
+    type: "path";
+    rawPath: string;
+    operation: "read" | "write";
+    resolvedPath?: string;
+    category?: string;
+    reason?: string;
+}
+export interface BlockedCommandLogEvent extends SecurityLogEventBase {
+    type: "command";
+    command: string;
+    category?: string;
+    rule?: string;
+    reason?: string;
+    matchedText?: string;
+}
+export type SecurityLogEvent = BlockedPathLogEvent | BlockedCommandLogEvent;

package/dist/security/types.js

@@ -0,0 +1 @@
+export {};

package/dist/subagents/tool.d.ts

@@ -1,6 +1,7 @@
 import { type AgentEvent, type AgentMessage, type AgentTool } from "@mariozechner/pi-agent-core";
 import type { Api, Model } from "@mariozechner/pi-ai";
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig } from "../security/types.js";
 import type { PipiclawMemoryRecallSettings } from "../settings.js";
 import type { UsageTotals } from "../shared/types.js";
 import { type ResolvedSubAgentConfig, type SubAgentDiscoveryResult } from "./discovery.js";
@@ -42,6 +43,7 @@ export interface SubAgentToolOptions {
     channelDir: string;
     getSubAgentDiscovery?: () => SubAgentDiscoveryResult;
     getMemoryRecallSettings?: () => PipiclawMemoryRecallSettings;
+    securityConfig?: SecurityConfig;
     runtimeContext: {
         workspacePath: string;
         channelId: string;

package/dist/subagents/tool.js

@@ -5,6 +5,7 @@ import { createMemoryCandidateCache } from "../memory/candidates.js";
 import { readChannelSession } from "../memory/files.js";
 import { recallRelevantMemory } from "../memory/recall.js";
 import { formatModelReference } from "../models/utils.js";
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
 import { splitH1Sections } from "../shared/markdown-sections.js";
 import { clipText, extractAssistantText, extractLabelFromArgs, HAN_REGEX } from "../shared/text-utils.js";
 import { createBashTool } from "../tools/bash.js";
@@ -86,12 +87,35 @@ function buildStoppedText(config, reason, finalText) {
     }
     return `[Sub-agent ${config.name} stopped: ${reason}]\n\n${trimmedFinalText}`;
 }
-function createToolSet(executor, bashTimeoutSec) {
+function createToolSet(executor, bashTimeoutSec, options) {
+    const securityConfig = options.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = {
+        workspaceDir: options.workspaceDir,
+        workspacePath: options.runtimeContext.workspacePath,
+        cwd: process.cwd(),
+    };
     return [
-        createReadTool(executor),
-        createBashTool(executor, { defaultTimeoutSeconds: bashTimeoutSec }),
-        createEditTool(executor),
-        createWriteTool(executor),
+        createReadTool(executor, {
+            securityConfig,
+            securityContext,
+            channelId: options.runtimeContext.channelId,
+        }),
+        createBashTool(executor, {
+            defaultTimeoutSeconds: bashTimeoutSec,
+            securityConfig,
+            securityContext,
+            channelId: options.runtimeContext.channelId,
+        }),
+        createEditTool(executor, {
+            securityConfig,
+            securityContext,
+            channelId: options.runtimeContext.channelId,
+        }),
+        createWriteTool(executor, {
+            securityConfig,
+            securityContext,
+            channelId: options.runtimeContext.channelId,
+        }),
     ];
 }
 function buildSubAgentTask(task, config, runtimeContext, contextBlocks) {
@@ -267,14 +291,14 @@ export function createSubAgentTool(options) {
             const worker = options.createWorker?.({
                 subAgent: config,
                 apiKey,
-                tools: filterToolsByName(createToolSet(options.executor, config.bashTimeoutSec), config.tools),
+                tools: filterToolsByName(createToolSet(options.executor, config.bashTimeoutSec, options), config.tools),
             }) ??
                 new Agent({
                     initialState: {
                         systemPrompt: config.systemPrompt,
                         model: config.model,
                         thinkingLevel: "off",
-                        tools: filterToolsByName(createToolSet(options.executor, config.bashTimeoutSec), config.tools),
+                        tools: filterToolsByName(createToolSet(options.executor, config.bashTimeoutSec, options), config.tools),
                     },
                     convertToLlm,
                     getApiKey: async () => apiKey,

package/dist/tools/attach.d.ts

@@ -1,13 +1,19 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 declare const attachSchema: import("@sinclair/typebox").TObject<{
     label: import("@sinclair/typebox").TString;
     path: import("@sinclair/typebox").TString;
     title: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
 }>;
 export type UploadFunction = (filePath: string, title?: string) => Promise<void>;
+export interface AttachToolOptions {
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+}
 /**
  * Create the attach tool. If no uploadFn is provided, the tool will throw
  * an informative error guiding the LLM to use alternative approaches.
  */
-export declare function createAttachTool(uploadFn?: UploadFunction): AgentTool<typeof attachSchema>;
+export declare function createAttachTool(uploadFn?: UploadFunction, options?: AttachToolOptions): AgentTool<typeof attachSchema>;
 export {};

package/dist/tools/attach.js

@@ -1,5 +1,8 @@
 import { Type } from "@sinclair/typebox";
 import { basename, resolve as resolvePath } from "path";
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
+import { logSecurityEvent } from "../security/logger.js";
+import { guardPath } from "../security/path-guard.js";
 const attachSchema = Type.Object({
     label: Type.String({ description: "Brief description of what you're sharing (shown to user)" }),
     path: Type.String({ description: "Path to the file to attach" }),
@@ -9,7 +12,13 @@ const attachSchema = Type.Object({
  * Create the attach tool. If no uploadFn is provided, the tool will throw
  * an informative error guiding the LLM to use alternative approaches.
  */
-export function createAttachTool(uploadFn) {
+export function createAttachTool(uploadFn, options = {}) {
+    const securityConfig = options.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = options.securityContext ?? {
+        workspaceDir: process.cwd(),
+        workspacePath: process.cwd(),
+        cwd: process.cwd(),
+    };
     return {
         name: "attach",
         label: "attach",
@@ -23,6 +32,32 @@ export function createAttachTool(uploadFn) {
                 throw new Error("Operation aborted");
             }
             const absolutePath = resolvePath(path);
+            if (securityConfig.enabled && securityConfig.pathGuard.enabled) {
+                const readGuard = guardPath(path, "read", { ...securityContext, config: securityConfig.pathGuard });
+                if (!readGuard.allowed) {
+                    logSecurityEvent(securityContext.workspaceDir, securityConfig, {
+                        type: "path",
+                        tool: "attach",
+                        channelId: options.channelId,
+                        rawPath: path,
+                        operation: "read",
+                        resolvedPath: readGuard.resolvedPath,
+                        category: readGuard.category,
+                        reason: readGuard.reason,
+                    });
+                    throw new Error([
+                        `Path blocked${readGuard.category ? ` [${readGuard.category}]` : ""}`,
+                        readGuard.reason ? `Reason: ${readGuard.reason}` : "",
+                        readGuard.resolvedPath ? `Resolved path: ${readGuard.resolvedPath}` : "",
+                    ]
+                        .filter(Boolean)
+                        .join("\n"));
+                }
+                const workspaceRoot = resolvePath(securityContext.workspaceDir);
+                if (absolutePath !== workspaceRoot && !absolutePath.startsWith(`${workspaceRoot}/`)) {
+                    throw new Error("Attach is limited to files inside the workspace directory.");
+                }
+            }
             const fileName = title || basename(absolutePath);
             await uploadFn(absolutePath, fileName);
             return {

package/dist/tools/bash.d.ts

@@ -1,5 +1,6 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 declare const bashSchema: import("@sinclair/typebox").TObject<{
     label: import("@sinclair/typebox").TString;
     command: import("@sinclair/typebox").TString;
@@ -7,6 +8,9 @@ declare const bashSchema: import("@sinclair/typebox").TObject<{
 }>;
 export interface BashToolOptions {
     defaultTimeoutSeconds?: number;
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
 }
 export declare function createBashTool(executor: Executor, options?: BashToolOptions): AgentTool<typeof bashSchema>;
 export {};

package/dist/tools/bash.js

@@ -3,6 +3,9 @@ import { createWriteStream } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { Type } from "@sinclair/typebox";
+import { guardCommand } from "../security/command-guard.js";
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
+import { logSecurityEvent } from "../security/logger.js";
 import { DEFAULT_MAX_BYTES, DEFAULT_MAX_LINES, formatSize, truncateTail } from "./truncate.js";
 /**
  * Generate a unique temp file path for bash output
@@ -16,13 +19,48 @@ const bashSchema = Type.Object({
     command: Type.String({ description: "Bash command to execute" }),
     timeout: Type.Optional(Type.Number({ description: "Timeout in seconds (optional, no default timeout)" })),
 });
+function formatCommandBlockMessage(command, category, reason, matchedText) {
+    const lines = [`Command blocked${category ? ` [${category}]` : ""}`];
+    if (reason) {
+        lines.push(`Reason: ${reason}`);
+    }
+    if (matchedText) {
+        lines.push(`Matched: ${matchedText}`);
+    }
+    else {
+        lines.push(`Command: ${command}`);
+    }
+    return lines.join("\n");
+}
 export function createBashTool(executor, options = {}) {
+    const securityConfig = options.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = options.securityContext ?? {
+        workspaceDir: process.cwd(),
+        workspacePath: process.cwd(),
+        cwd: process.cwd(),
+    };
     return {
         name: "bash",
         label: "bash",
         description: `Execute a bash command in the current working directory. Returns stdout and stderr. Output is truncated to last ${DEFAULT_MAX_LINES} lines or ${DEFAULT_MAX_BYTES / 1024}KB (whichever is hit first). If truncated, full output is saved to a temp file. Optionally provide a timeout in seconds.`,
         parameters: bashSchema,
         execute: async (_toolCallId, { command, timeout }, signal) => {
+            if (securityConfig.enabled && securityConfig.commandGuard.enabled) {
+                const guardResult = guardCommand(command, securityConfig.commandGuard);
+                if (!guardResult.allowed) {
+                    logSecurityEvent(securityContext.workspaceDir, securityConfig, {
+                        type: "command",
+                        tool: "bash",
+                        channelId: options.channelId,
+                        command,
+                        category: guardResult.category,
+                        rule: guardResult.rule,
+                        reason: guardResult.reason,
+                        matchedText: guardResult.matchedText,
+                    });
+                    throw new Error(formatCommandBlockMessage(command, guardResult.category, guardResult.reason, guardResult.matchedText));
+                }
+            }
             // Track output for potential temp file writing
             let tempFilePath;
             let tempFileStream;

package/dist/tools/edit.d.ts

@@ -1,10 +1,16 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 declare const editSchema: import("@sinclair/typebox").TObject<{
     label: import("@sinclair/typebox").TString;
     path: import("@sinclair/typebox").TString;
     oldText: import("@sinclair/typebox").TString;
     newText: import("@sinclair/typebox").TString;
 }>;
-export declare function createEditTool(executor: Executor): AgentTool<typeof editSchema>;
+export interface EditToolOptions {
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+}
+export declare function createEditTool(executor: Executor, options?: EditToolOptions): AgentTool<typeof editSchema>;
 export {};

package/dist/tools/edit.js

@@ -1,5 +1,8 @@
 import { Type } from "@sinclair/typebox";
 import * as Diff from "diff";
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
+import { logSecurityEvent } from "../security/logger.js";
+import { guardPath } from "../security/path-guard.js";
 import { shellEscape } from "../shared/shell-escape.js";
 import { writeContent } from "./write-content.js";
 /**
@@ -80,13 +83,45 @@ const editSchema = Type.Object({
     oldText: Type.String({ description: "Exact text to find and replace (must match exactly)" }),
     newText: Type.String({ description: "New text to replace the old text with" }),
 });
-export function createEditTool(executor) {
+function formatPathBlockMessage(resolvedPath, category, reason) {
+    const lines = [`Path blocked${category ? ` [${category}]` : ""}`];
+    if (reason) {
+        lines.push(`Reason: ${reason}`);
+    }
+    if (resolvedPath) {
+        lines.push(`Resolved path: ${resolvedPath}`);
+    }
+    return lines.join("\n");
+}
+export function createEditTool(executor, options = {}) {
+    const securityConfig = options.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = options.securityContext ?? {
+        workspaceDir: process.cwd(),
+        workspacePath: process.cwd(),
+        cwd: process.cwd(),
+    };
     return {
         name: "edit",
         label: "edit",
         description: "Edit a file by replacing exact text. The oldText must match exactly (including whitespace). Use this for precise, surgical edits.",
         parameters: editSchema,
         execute: async (_toolCallId, { path, oldText, newText }, signal) => {
+            if (securityConfig.enabled && securityConfig.pathGuard.enabled) {
+                const readGuard = guardPath(path, "read", { ...securityContext, config: securityConfig.pathGuard });
+                if (!readGuard.allowed) {
+                    logSecurityEvent(securityContext.workspaceDir, securityConfig, {
+                        type: "path",
+                        tool: "edit",
+                        channelId: options.channelId,
+                        rawPath: path,
+                        operation: "read",
+                        resolvedPath: readGuard.resolvedPath,
+                        category: readGuard.category,
+                        reason: readGuard.reason,
+                    });
+                    throw new Error(formatPathBlockMessage(readGuard.resolvedPath, readGuard.category, readGuard.reason));
+                }
+            }
             // Read the file
             const readResult = await executor.exec(`cat ${shellEscape(path)}`, { signal });
             if (readResult.code !== 0) {
@@ -109,7 +144,12 @@ export function createEditTool(executor) {
                 throw new Error(`No changes made to ${path}. The replacement produced identical content. This might indicate an issue with special characters or the text not existing as expected.`);
             }
             // Write the file back
-            await writeContent(executor, path, newContent, signal);
+            await writeContent(executor, path, newContent, signal, {
+                securityConfig,
+                securityContext,
+                channelId: options.channelId,
+                toolName: "edit",
+            });
             return {
                 content: [
                     {

package/dist/tools/index.d.ts

@@ -1,6 +1,7 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import type { Api, Model } from "@mariozechner/pi-ai";
 import type { Executor, SandboxConfig } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 import type { PipiclawMemoryRecallSettings } from "../settings.js";
 import type { SubAgentDiscoveryResult } from "../subagents/discovery.js";
 export interface CreatePipiclawToolsOptions {
@@ -16,5 +17,10 @@ export interface CreatePipiclawToolsOptions {
     getSubAgentDiscovery: () => SubAgentDiscoveryResult;
     getMemoryRecallSettings: () => PipiclawMemoryRecallSettings;
 }
-export declare function createPipiclawBaseTools(executor: Executor): AgentTool<any>[];
+export interface CreatePipiclawBaseToolsOptions {
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+}
+export declare function createPipiclawBaseTools(executor: Executor, options?: CreatePipiclawBaseToolsOptions): AgentTool<any>[];
 export declare function createPipiclawTools(options: CreatePipiclawToolsOptions): AgentTool<any>[];