@vtstech/pi-shared 1.1.0 → 1.1.2-dev

package/README.md

@@ -9,9 +9,9 @@ This is an internal dependency — you don't need to install it directly. It's p
 | Module | Description |
 |--------|-------------|
 | `format` | Section headers, indicators (ok/fail/warn/info), numeric formatters (bytes, ms, percentages), string utilities |
-| `ollama` | Ollama base URL resolution, models.json I/O, model family detection, Ollama API helpers |
-| `security` | Command blocklist, SSRF patterns, path validation, URL validation, command sanitization, audit logging |
-| `types` | Custom error classes, type definitions (ToolSupportLevel, StepResultType, AuditEntry, etc.) |
+| `ollama` | Ollama base URL resolution, models.json I/O with TTL cache, model family detection, provider detection, Ollama API helpers |
+| `security` | Command blocklist (65), SSRF patterns (29), path validation with symlink dereference, URL validation, command sanitization, audit logging (`AUDIT_LOG_PATH` exported) |
+| `types` | Type definitions (ToolSupportLevel, AuditEntry, etc.) |
 
 ## Usage
 

package/ollama.js

@@ -2,7 +2,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import os from "node:os";
-var EXTENSION_VERSION = "1.1.0";
+var EXTENSION_VERSION = "1.1.2-dev";
 var MODELS_JSON_PATH = path.join(os.homedir(), ".pi", "agent", "models.json");
 var _modelsJsonCache = null;
 var _ollamaBaseUrlCache = null;
@@ -102,7 +102,7 @@ async function fetchContextLengthsBatched(baseUrl, modelNames, batchSize = 3) {
 }
 function isReasoningModel(name) {
   const lower = name.toLowerCase();
-  return lower.includes("deepseek-r1") || lower.includes("qwq") || lower.includes("o1") || lower.includes("o3") || lower.includes("qwen3") || lower.includes("reasoning") || lower.includes("thinker");
+  return lower.includes("deepseek-r1") || lower.includes("qwq") || /\bo1\b/.test(lower) || /\bo3\b/.test(lower) || lower.includes("qwen3") || lower.includes("reasoning") || lower.includes("thinker") || lower.includes("thinking");
 }
 var BUILTIN_PROVIDERS = {
   openrouter: { api: "openai-completions", baseUrl: "https://openrouter.ai/api/v1", envKey: "OPENROUTER_API_KEY" },

package/package.json

@@ -1,9 +1,13 @@
 {
   "name": "@vtstech/pi-shared",
-  "version": "1.1.0",
+  "version": "1.1.2-dev",
   "description": "Shared utilities for Pi Coding Agent extensions",
-  "main": "index.js",
-  "types": "index.d.ts",
+  "exports": {
+    "./format": "./format.js",
+    "./ollama": "./ollama.js",
+    "./security": "./security.js",
+    "./types": "./types.js"
+  },
   "keywords": ["pi-extensions"],
   "license": "MIT",
   "access": "public",

package/security.js

@@ -79,12 +79,13 @@ var BLOCKED_COMMANDS = /* @__PURE__ */ new Set([
   "man"
 ]);
 var BLOCKED_URL_PATTERNS = /* @__PURE__ */ new Set([
-  // Loopback
+  // Loopback (full 127.0.0.0/8 range)
   "localhost",
-  "127.0.0.1",
+  "127.",
   "0.0.0.0",
   "::1",
   "::ffff:127.0.0.1",
+  "::ffff:0.0.0.0",
   // RFC1918 private ranges
   "10.",
   "192.168.",
@@ -135,6 +136,10 @@ function validatePath(filePath, allowedDirs) {
   let resolved;
   try {
     resolved = path.resolve(filePath);
+    try {
+      resolved = fs.realpathSync(resolved);
+    } catch {
+    }
   } catch {
     return { valid: false, error: "Invalid path format" };
   }
@@ -179,7 +184,8 @@ function isSafeUrl(url, blockSsrf = true) {
   try {
     parsed = new URL(url);
   } catch (e) {
-    return { safe: false, error: `Invalid URL format: ${e.message}` };
+    const msg = e instanceof Error ? e.message : String(e);
+    return { safe: false, error: `Invalid URL format: ${msg}` };
   }
   const scheme = parsed.protocol.replace(":", "").toLowerCase();
   if (scheme !== "http" && scheme !== "https") {

package/index.js

@@ -1,4 +0,0 @@
-module.exports.format = require("./format");
-module.exports.ollama = require("./ollama");
-module.exports.security = require("./security");
-module.exports.types = require("./types");