@vtstech/pi-diag 1.1.6 → 1.1.8

package/README.md

@@ -26,7 +26,7 @@ pi install "npm:@vtstech/pi-diag"
 - **Extensions** — Extension files found? Active tools?
 - **Themes** — Theme files? Valid JSON?
 - **Session** — Active model? API mode? Provider? Base URL? Context window? Context usage? Thinking level?
-- **Security** — Audit log status, blocked command count
+- **Security** — Active security mode, effective blocklist sizes (mode-aware), command/SSRF/path validation tests, audit log status
 
 Also registers a `self_diagnostic` tool so the AI agent can run diagnostics on command.
 

package/diag.js

@@ -16,12 +16,34 @@ import { MODELS_JSON_PATH, getOllamaBaseUrl, BUILTIN_PROVIDERS, readModelsJson,
 import {
   BLOCKED_COMMANDS,
   BLOCKED_URL_PATTERNS,
+  CRITICAL_COMMANDS,
+  EXTENDED_COMMANDS,
+  BLOCKED_URL_ALWAYS,
+  BLOCKED_URL_MAX_ONLY,
+  getSecurityMode,
   validatePath,
   isSafeUrl,
   sanitizeCommand,
   readRecentAuditEntries,
   AUDIT_LOG_PATH
 } from "@vtstech/pi-shared/security";
+import { debugLog } from "@vtstech/pi-shared/debug";
+var SECRET_KEY_PATTERNS = [
+  /key/i,
+  /token/i,
+  /secret/i,
+  /password/i,
+  /credential/i,
+  /auth/i,
+  /apikey/i,
+  /api_key/i
+];
+function redactValue(key, value) {
+  if (typeof value !== "string") return JSON.stringify(value);
+  if (SECRET_KEY_PATTERNS.some((p) => p.test(key))) return "[REDACTED]";
+  if (value.length > 20 && !value.includes(" ") && /^[A-Za-z0-9_\-+/=]+$/.test(value)) return value.slice(0, 8) + "...";
+  return value;
+}
 function diag_temp_default(pi) {
   const branding = [
     `  \u26A1 Pi Diagnostics v${EXTENSION_VERSION}`,
@@ -135,7 +157,8 @@ function diag_temp_default(pi) {
               lines.push(info("No model currently loaded in Ollama"));
             }
           }
-        } catch {
+        } catch (err) {
+          debugLog("diag", "failed to check remote Ollama loaded models", err);
         }
       }
     } else {
@@ -177,7 +200,8 @@ function diag_temp_default(pi) {
               lines.push(warn("No model currently loaded in Ollama"));
             }
           }
-        } catch {
+        } catch (err) {
+          debugLog("diag", "failed to check local Ollama loaded models", err);
         }
       }
     }
@@ -234,7 +258,7 @@ function diag_temp_default(pi) {
         const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
         lines.push(info("Global settings found:"));
         for (const [key, val] of Object.entries(settings)) {
-          lines.push(info(`  ${key}: ${JSON.stringify(val)}`));
+          lines.push(info(`  ${key}: ${redactValue(key, val)}`));
         }
         check(true, "settings.json valid JSON", "");
       } catch (e) {
@@ -284,8 +308,11 @@ function diag_temp_default(pi) {
       lines.push(warn(`Themes directory not found: ${themesDir}`));
     }
     lines.push(section("SECURITY"));
-    const blockedCmdList = Array.from(BLOCKED_COMMANDS).sort();
-    lines.push(info(`Command blocklist: ${blockedCmdList.length} commands blocked`));
+    const secMode = getSecurityMode();
+    lines.push(info(`Security mode: ${secMode.toUpperCase()}`));
+    const effectiveCmds = secMode === "max" ? BLOCKED_COMMANDS : CRITICAL_COMMANDS;
+    const blockedCmdList = Array.from(effectiveCmds).sort();
+    lines.push(info(`Command blocklist: ${blockedCmdList.length} commands blocked (${CRITICAL_COMMANDS.size} critical` + (secMode === "max" ? ` + ${EXTENDED_COMMANDS.size} extended)` : ")")));
     const exampleCmds = blockedCmdList.filter((c) => ["rm", "sudo", "chmod", "curl", "wget", "eval"].includes(c));
     if (exampleCmds.length > 0) {
       lines.push(info(`  Examples: ${exampleCmds.join(", ")}`));
@@ -295,8 +322,9 @@ function diag_temp_default(pi) {
       `Command blocklist active (${blockedCmdList.length} rules)`,
       `Command blocklist is EMPTY \u2014 security risk!`
     );
-    const blockedPatterns = Array.from(BLOCKED_URL_PATTERNS).sort();
-    lines.push(info(`SSRF protection: ${blockedPatterns.length} hostname patterns blocked`));
+    const effectivePatterns = secMode === "max" ? BLOCKED_URL_PATTERNS : BLOCKED_URL_ALWAYS;
+    const blockedPatterns = Array.from(effectivePatterns).sort();
+    lines.push(info(`SSRF protection: ${blockedPatterns.length} hostname patterns blocked (${BLOCKED_URL_ALWAYS.size} always` + (secMode === "max" ? ` + ${BLOCKED_URL_MAX_ONLY.size} max-only)` : ")")));
     const examplePatterns = blockedPatterns.filter(
       (p) => ["localhost", "127.0.0.1", "169.254.169.254", "10.", "192.168.", "internal."].includes(p)
     );
@@ -310,7 +338,7 @@ function diag_temp_default(pi) {
     );
     lines.push(info("SSRF validation tests:"));
     const ssrfTests = [
-      { url: "http://localhost:8080/api", expectBlocked: true },
+      { url: "http://localhost:8080/api", expectBlocked: secMode === "max" },
       { url: "http://169.254.169.254/latest/meta-data/", expectBlocked: true },
       { url: "http://192.168.1.1/admin", expectBlocked: true },
       { url: "https://api.example.com/data", expectBlocked: false }
@@ -350,7 +378,7 @@ function diag_temp_default(pi) {
     const cmdTests = [
       { cmd: "ls; rm -rf /", expectSafe: false },
       { cmd: "sudo chmod 777 /etc/passwd", expectSafe: false },
-      { cmd: "curl http://localhost/secret", expectSafe: false },
+      { cmd: "curl http://localhost/secret", expectSafe: secMode !== "max" },
       { cmd: "ls -la", expectSafe: true },
       { cmd: "cat README.md", expectSafe: true },
       { cmd: "echo hello", expectSafe: true }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vtstech/pi-diag",
-  "version": "1.1.6",
+  "version": "1.1.8",
   "description": "Diagnostics extension for Pi Coding Agent",
   "main": "diag.js",
   "keywords": ["pi-extensions"],
@@ -14,7 +14,7 @@
     "url": "https://github.com/VTSTech/pi-coding-agent"
   },
   "dependencies": {
-    "@vtstech/pi-shared": "1.1.6"
+    "@vtstech/pi-shared": "1.1.8"
   },
   "peerDependencies": {
     "@mariozechner/pi-coding-agent": ">=0.66"