@vtstech/pi-diag 1.1.6 → 1.1.7
- package/README.md +1 -1
- package/diag.js +15 -6
- package/package.json +2 -2
package/README.md
|
@@ -26,7 +26,7 @@ pi install "npm:@vtstech/pi-diag"
|
|
|
26
26
|
- **Extensions** — Extension files found? Active tools?
|
|
27
27
|
- **Themes** — Theme files? Valid JSON?
|
|
28
28
|
- **Session** — Active model? API mode? Provider? Base URL? Context window? Context usage? Thinking level?
|
|
29
|
-
- **Security** —
|
|
29
|
+
- **Security** — Active security mode, effective blocklist sizes (mode-aware), command/SSRF/path validation tests, audit log status
|
|
30
30
|
|
|
31
31
|
Also registers a `self_diagnostic` tool so the AI agent can run diagnostics on command.
|
|
32
32
|
|
package/diag.js
|
@@ -16,6 +16,11 @@ import { MODELS_JSON_PATH, getOllamaBaseUrl, BUILTIN_PROVIDERS, readModelsJson,
|
|
|
16
16
|
import {
|
|
17
17
|
BLOCKED_COMMANDS,
|
|
18
18
|
BLOCKED_URL_PATTERNS,
|
|
19
|
+
CRITICAL_COMMANDS,
|
|
20
|
+
EXTENDED_COMMANDS,
|
|
21
|
+
BLOCKED_URL_ALWAYS,
|
|
22
|
+
BLOCKED_URL_MAX_ONLY,
|
|
23
|
+
getSecurityMode,
|
|
19
24
|
validatePath,
|
|
20
25
|
isSafeUrl,
|
|
21
26
|
sanitizeCommand,
|
|
@@ -284,8 +289,11 @@ function diag_temp_default(pi) {
|
|
|
284
289
|
lines.push(warn(`Themes directory not found: ${themesDir}`));
|
|
285
290
|
}
|
|
286
291
|
lines.push(section("SECURITY"));
|
|
287
|
-
const
|
|
288
|
-
lines.push(info(`
|
|
292
|
+
const secMode = getSecurityMode();
|
|
293
|
+
lines.push(info(`Security mode: ${secMode.toUpperCase()}`));
|
|
294
|
+
const effectiveCmds = secMode === "max" ? BLOCKED_COMMANDS : CRITICAL_COMMANDS;
|
|
295
|
+
const blockedCmdList = Array.from(effectiveCmds).sort();
|
|
296
|
+
lines.push(info(`Command blocklist: ${blockedCmdList.length} commands blocked (${CRITICAL_COMMANDS.size} critical` + (secMode === "max" ? ` + ${EXTENDED_COMMANDS.size} extended)` : ")")));
|
|
289
297
|
const exampleCmds = blockedCmdList.filter((c) => ["rm", "sudo", "chmod", "curl", "wget", "eval"].includes(c));
|
|
290
298
|
if (exampleCmds.length > 0) {
|
|
291
299
|
lines.push(info(` Examples: ${exampleCmds.join(", ")}`));
|
|
@@ -295,8 +303,9 @@ function diag_temp_default(pi) {
|
|
|
295
303
|
`Command blocklist active (${blockedCmdList.length} rules)`,
|
|
296
304
|
`Command blocklist is EMPTY \u2014 security risk!`
|
|
297
305
|
);
|
|
298
|
-
const
|
|
299
|
-
|
|
306
|
+
const effectivePatterns = secMode === "max" ? BLOCKED_URL_PATTERNS : BLOCKED_URL_ALWAYS;
|
|
307
|
+
const blockedPatterns = Array.from(effectivePatterns).sort();
|
|
308
|
+
lines.push(info(`SSRF protection: ${blockedPatterns.length} hostname patterns blocked (${BLOCKED_URL_ALWAYS.size} always` + (secMode === "max" ? ` + ${BLOCKED_URL_MAX_ONLY.size} max-only)` : ")")));
|
|
300
309
|
const examplePatterns = blockedPatterns.filter(
|
|
301
310
|
(p) => ["localhost", "127.0.0.1", "169.254.169.254", "10.", "192.168.", "internal."].includes(p)
|
|
302
311
|
);
|
|
@@ -310,7 +319,7 @@ function diag_temp_default(pi) {
|
|
|
310
319
|
);
|
|
311
320
|
lines.push(info("SSRF validation tests:"));
|
|
312
321
|
const ssrfTests = [
|
|
313
|
-
{ url: "http://localhost:8080/api", expectBlocked:
|
|
322
|
+
{ url: "http://localhost:8080/api", expectBlocked: secMode === "max" },
|
|
314
323
|
{ url: "http://169.254.169.254/latest/meta-data/", expectBlocked: true },
|
|
315
324
|
{ url: "http://192.168.1.1/admin", expectBlocked: true },
|
|
316
325
|
{ url: "https://api.example.com/data", expectBlocked: false }
|
|
@@ -350,7 +359,7 @@ function diag_temp_default(pi) {
|
|
|
350
359
|
const cmdTests = [
|
|
351
360
|
{ cmd: "ls; rm -rf /", expectSafe: false },
|
|
352
361
|
{ cmd: "sudo chmod 777 /etc/passwd", expectSafe: false },
|
|
353
|
-
{ cmd: "curl http://localhost/secret", expectSafe:
|
|
362
|
+
{ cmd: "curl http://localhost/secret", expectSafe: secMode !== "max" },
|
|
354
363
|
{ cmd: "ls -la", expectSafe: true },
|
|
355
364
|
{ cmd: "cat README.md", expectSafe: true },
|
|
356
365
|
{ cmd: "echo hello", expectSafe: true }
|
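Review bot: The breakdown printed on new lines 296 and 308 is assembled from `CRITICAL_COMMANDS.size + EXTENDED_COMMANDS.size` (and `BLOCKED_URL_ALWAYS.size + BLOCKED_URL_MAX_ONLY.size`) while the headline count comes from `blockedCmdList.length` / `blockedPatterns.length`, so if the shared sets overlap or BLOCKED_COMMANDS is not exactly their union the line contradicts itself and the operator has no signal that the enforced list drifted from the documented one; a one-line cross-check such as `if (secMode === "max" && blockedCmdList.length !== CRITICAL_COMMANDS.size + EXTENDED_COMMANDS.size) lines.push(warn("Command blocklist size does not match critical + extended sets"));` (and the same for the URL patterns) would turn that into a visible warning. The mode-to-set selection on new lines 294 and 306 also re-implements the policy choice locally rather than asking pi-shared for the effective set, so a third mode or a changed rule in the shared package would make the diagnostic report a list that is not what is enforced — if pi-shared exposes the effective set, prefer that; otherwise a comment such as `// mirrors the mode → blocklist selection in @vtstech/pi-shared; keep in sync` should sit above line 294. On new line 293, `secMode.toUpperCase()` throws if `getSecurityMode()` can ever return a nullish or non-string value (I cannot see its contract), which would abort the whole diagnostic; `String(secMode ?? "unknown").toUpperCase()` keeps the report going. Finally, the mode-dependent expectations on new lines 322 and 362 mean a reader of the output sees "localhost not blocked" pass silently in non-max mode, so the test labels (printed outside this hunk, presumably) should carry the mode, e.g. `expected in ${secMode} mode`. diag_temp_default starts and ends outside these hunks.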
package/package.json
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@vtstech/pi-diag",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.7",
|
|
4
4
|
"description": "Diagnostics extension for Pi Coding Agent",
|
|
5
5
|
"main": "diag.js",
|
|
6
6
|
"keywords": ["pi-extensions"],
|
|
@@ -14,7 +14,7 @@
|
|
|
14
14
|
"url": "https://github.com/VTSTech/pi-coding-agent"
|
|
15
15
|
},
|
|
16
16
|
"dependencies": {
|
|
17
|
-
"@vtstech/pi-shared": "1.1.
|
|
17
|
+
"@vtstech/pi-shared": "1.1.7"
|
|
18
18
|
},
|
|
19
19
|
"peerDependencies": {
|
|
20
20
|
"@mariozechner/pi-coding-agent": ">=0.66"
|