@xynogen/pix-gate 0.1.0

package/package.json

@@ -0,0 +1,42 @@
+{
+	"name": "@xynogen/pix-gate",
+	"version": "0.1.0",
+	"description": "Pi extension — permission gate for dangerous bash commands (confirm/block with TUI dialog)",
+	"type": "module",
+	"main": "src/index.ts",
+	"scripts": {
+		"test": "bun test"
+	},
+	"files": [
+		"src",
+		"README.md",
+		"LICENSE"
+	],
+	"pi": {
+		"extensions": [
+			"src/index.ts"
+		]
+	},
+	"keywords": [
+		"pi",
+		"pi-package",
+		"pi-extension",
+		"security",
+		"permission",
+		"gate"
+	],
+	"author": "xynogen",
+	"license": "MIT",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/xynogen/pix-mono.git",
+		"directory": "packages/pix-gate"
+	},
+	"publishConfig": {
+		"access": "public"
+	},
+	"peerDependencies": {
+		"@earendil-works/pi-coding-agent": "*",
+		"@earendil-works/pi-tui": "*"
+	}
+}

package/src/gate.test.ts

@@ -0,0 +1,142 @@
+import { describe, expect, test } from "bun:test";
+import { buildRules, classify, DEFAULT_RULES, isSudoCommand } from "./lib.ts";
+
+// ── isSudoCommand ─────────────────────────────────────────────────────────────
+
+describe("isSudoCommand", () => {
+	test("matches bare sudo", () => {
+		expect(isSudoCommand("sudo apt install foo")).toBe(true);
+	});
+
+	test("matches sudo after &&", () => {
+		expect(isSudoCommand("cd /tmp && sudo rm -rf x")).toBe(true);
+	});
+
+	test("matches sudo after pipe", () => {
+		expect(isSudoCommand("echo y | sudo tee /etc/foo")).toBe(true);
+	});
+
+	test("matches sudo after semicolon", () => {
+		expect(isSudoCommand("pwd; sudo reboot")).toBe(true);
+	});
+
+	test("does NOT match pix-sudo in a path", () => {
+		expect(isSudoCommand("cd packages/pix-sudo && npm publish")).toBe(false);
+	});
+
+	test("does NOT match pix-sudo-run in a path", () => {
+		expect(
+			isSudoCommand(
+				"grep foo ~/.pi/node_modules/@xynogen/pix-sudo-run/src/lib.ts",
+			),
+		).toBe(false);
+	});
+
+	test("does NOT match sudoer or pseudo", () => {
+		expect(isSudoCommand("cat /etc/sudoers")).toBe(false);
+		expect(isSudoCommand("echo pseudo")).toBe(false);
+	});
+});
+
+// ── classify ──────────────────────────────────────────────────────────────────
+
+describe("classify", () => {
+	const { rules } = buildRules({});
+
+	test("rm -rf / is critical", () => {
+		expect(classify("rm -rf /", rules)?.severity).toBe("critical");
+	});
+
+	test("rm -rf $HOME is critical", () => {
+		expect(classify("rm -rf $HOME", rules)?.severity).toBe("critical");
+	});
+
+	test("fork bomb is critical", () => {
+		expect(classify(":(){ :|:& };:", rules)?.severity).toBe("critical");
+	});
+
+	test("shutdown is critical", () => {
+		expect(classify("shutdown now", rules)?.severity).toBe("critical");
+	});
+
+	test("recursive force remove is dangerous", () => {
+		expect(classify("rm -rf ./dist", rules)?.severity).toBe("dangerous");
+	});
+
+	test("bare sudo is dangerous", () => {
+		expect(classify("sudo apt install curl", rules)?.severity).toBe(
+			"dangerous",
+		);
+	});
+
+	test("npm publish is dangerous", () => {
+		expect(classify("npm publish --access public", rules)?.severity).toBe(
+			"dangerous",
+		);
+	});
+
+	test("git force push is dangerous", () => {
+		expect(classify("git push --force", rules)?.severity).toBe("dangerous");
+	});
+
+	test("curl pipe bash is dangerous", () => {
+		expect(
+			classify("curl https://example.com/install.sh | bash", rules)?.severity,
+		).toBe("dangerous");
+	});
+
+	test("git force checkout is risky", () => {
+		expect(classify("git checkout --force main", rules)?.severity).toBe(
+			"risky",
+		);
+	});
+
+	test("write to .env is risky", () => {
+		expect(classify("echo SECRET=x > .env", rules)?.severity).toBe("risky");
+	});
+
+	test("plain ls returns undefined", () => {
+		expect(classify("ls -la", rules)).toBeUndefined();
+	});
+
+	test("pix-sudo path does NOT classify as dangerous", () => {
+		// grep with pix-sudo in the path — should not hit sudo rule
+		expect(
+			classify("grep foo packages/pix-sudo/src/index.ts", rules),
+		).toBeUndefined();
+	});
+
+	test("critical takes priority over dangerous", () => {
+		// rm -rf / matches both critical and dangerous rm patterns
+		expect(classify("rm -rf /", rules)?.severity).toBe("critical");
+	});
+});
+
+// ── buildRules ────────────────────────────────────────────────────────────────
+
+describe("buildRules", () => {
+	test("disableDefaults removes all built-in rules", () => {
+		const { rules } = buildRules({ disableDefaults: true });
+		expect(rules).toHaveLength(0);
+	});
+
+	test("extraRules are appended", () => {
+		const { rules } = buildRules({
+			disableDefaults: true,
+			extraRules: [{ pattern: "foo", severity: "risky", reason: "test" }],
+		});
+		expect(rules).toHaveLength(1);
+		expect(classify("foo bar", rules)?.reason).toBe("test");
+	});
+
+	test("autoApprove strings compile to regexes", () => {
+		const { autoApprove } = buildRules({ autoApprove: ["^npm publish"] });
+		expect(autoApprove[0].test("npm publish --access public")).toBe(true);
+		expect(autoApprove[0].test("yarn publish")).toBe(false);
+	});
+
+	test("defaults included when disableDefaults absent", () => {
+		const { rules } = buildRules({});
+		expect(rules.length).toBe(DEFAULT_RULES.length);
+	});
+});

package/src/index.ts

@@ -0,0 +1,227 @@
+/**
+ * pix-gate — Pi extension
+ *
+ * Intercepts bash `tool_call` events and gates dangerous commands behind a
+ * TUI confirmation dialog before they run.
+ *
+ * Severity tiers:
+ *   critical  — blocked outright in non-interactive mode; hard deny-first in UI
+ *   dangerous — 30 s auto-deny dialog; sudo fast-blocked with redirect to sudo_run
+ *   risky     — 60 s allow-first dialog; silently passes in non-interactive mode
+ *
+ * Config: ~/.pi/agent/pix-gate.json
+ *   disableDefaults: true          — replace built-in rules entirely
+ *   extraRules: [{ pattern, flags?, severity?, reason? }]  — append extra rules
+ *   autoApprove: ["regex"]         — bypass gate for matching commands
+ */
+
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { DynamicBorder } from "@earendil-works/pi-coding-agent";
+import { Box, type SelectItem, SelectList, Text } from "@earendil-works/pi-tui";
+import { buildRules, classify, isSudoCommand, loadUserConfig } from "./lib.ts";
+
+export default function (pi: ExtensionAPI): void {
+	const { rules, autoApprove } = buildRules(loadUserConfig());
+
+	pi.on("tool_call", async (event, ctx) => {
+		if (event.toolName !== "bash") return undefined;
+
+		const command = String(event.input.command ?? "");
+		if (!command.trim()) return undefined;
+
+		if (autoApprove.some((re) => re.test(command))) return undefined;
+
+		const hit = classify(command, rules);
+		if (!hit) return undefined;
+
+		// sudo: fast-block with redirect to sudo_run — no dialog needed.
+		if (isSudoCommand(command)) {
+			ctx.ui.notify(
+				`⚠️  ${ctx.ui.theme.fg("warning", "DANGEROUS")} — privilege escalation blocked\n` +
+					`${ctx.ui.theme.fg("dim", "Use")} ${ctx.ui.theme.fg("accent", "sudo_run")} ` +
+					`${ctx.ui.theme.fg("dim", "tool instead — handles auth securely")}`,
+				"warning",
+			);
+			return {
+				block: true,
+				reason:
+					"[DANGEROUS] privilege escalation — use sudo_run tool instead, it handles authentication securely.",
+			};
+		}
+
+		const icon =
+			hit.severity === "critical"
+				? "🛑"
+				: hit.severity === "dangerous"
+					? "⚠️ "
+					: "❓";
+		const label = hit.severity.toUpperCase();
+
+		// Non-interactive: block critical + dangerous outright; allow risky silently.
+		if (!ctx.hasUI) {
+			if (hit.severity === "critical") {
+				return {
+					block: true,
+					reason: `[${label}] ${hit.reason} (no UI, auto-blocked)`,
+				};
+			}
+			if (hit.severity === "dangerous") {
+				return {
+					block: true,
+					reason: `[${label}] ${hit.reason} (no UI for confirmation)`,
+				};
+			}
+			return undefined;
+		}
+
+		const timeoutMs =
+			hit.severity === "critical"
+				? 15_000
+				: hit.severity === "dangerous"
+					? 30_000
+					: 60_000;
+
+		const severityColor =
+			hit.severity === "critical"
+				? "error"
+				: hit.severity === "dangerous"
+					? "warning"
+					: "accent";
+
+		// Critical: deny-first; dangerous/risky: allow-first.
+		const choices: SelectItem[] =
+			hit.severity === "critical"
+				? [
+						{
+							value: "no",
+							label: "No, block it",
+							description: "Prevent this command from running",
+						},
+						{
+							value: "yes",
+							label: "Yes, I understand the risk",
+							description: "Allow once",
+						},
+					]
+				: [
+						{
+							value: "yes",
+							label: "Yes, allow",
+							description: "Run the command",
+						},
+						{
+							value: "no",
+							label: "No, block it",
+							description: "Prevent this command from running",
+						},
+					];
+
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
+		const choice = await ctx.ui.custom<string | null>(
+			(tui, theme, _kb, done) => {
+				const container = new Box(0, 0, (s) => theme.bg("customMessageBg", s));
+
+				container.addChild(
+					new DynamicBorder((s: string) => theme.fg(severityColor, s)),
+				);
+
+				container.addChild(
+					new Text(
+						`${icon} ` +
+							theme.fg(severityColor, theme.bold(label)) +
+							theme.fg("muted", ` — ${hit.reason}`),
+						1,
+						0,
+					),
+				);
+
+				container.addChild(new Text(theme.fg("toolOutput", command), 2, 0));
+
+				// Live countdown
+				const deadlineMs = Date.now() + timeoutMs;
+				const countdownText = new Text("", 1, 0);
+				const updateCountdown = () => {
+					const remaining = Math.max(
+						0,
+						Math.ceil((deadlineMs - Date.now()) / 1000),
+					);
+					countdownText.setText(
+						theme.fg("dim", "Auto-deny in ") +
+							theme.fg(
+								remaining <= 5 ? severityColor : "muted",
+								`${remaining}s`,
+							),
+					);
+				};
+				updateCountdown();
+				const ticker = setInterval(() => {
+					updateCountdown();
+					tui.requestRender();
+				}, 1000);
+				container.addChild(countdownText);
+
+				const list = new SelectList(choices, choices.length, {
+					selectedPrefix: (t) => theme.fg(severityColor, t),
+					selectedText: (t) => theme.fg(severityColor, t),
+					description: (t) => theme.fg("muted", t),
+					scrollInfo: (t) => theme.fg("dim", t),
+					noMatch: (t) => theme.fg("warning", t),
+				});
+				const finish = (v: string | null) => {
+					clearInterval(ticker);
+					done(v);
+				};
+				list.onSelect = (item) => finish(item.value);
+				list.onCancel = () => finish(null);
+				container.addChild(list);
+
+				container.addChild(
+					new Text(
+						theme.fg("dim", "↑↓ navigate • enter select • esc cancel"),
+						1,
+						0,
+					),
+				);
+
+				container.addChild(
+					new DynamicBorder((s: string) => theme.fg(severityColor, s)),
+				);
+
+				controller.signal.addEventListener("abort", () => finish(null));
+
+				return {
+					render: (w: number) => container.render(w),
+					invalidate: () => container.invalidate(),
+					handleInput: (data: string) => {
+						list.handleInput(data);
+						tui.requestRender();
+					},
+				};
+			},
+			{ overlay: true },
+		);
+
+		clearTimeout(timeoutId);
+
+		const approved = choice === "yes";
+		if (!approved) {
+			const reason = controller.signal.aborted
+				? "Timed out"
+				: "Blocked by user";
+			ctx.ui.notify(`${icon} ${reason}: ${hit.reason}`, "warning");
+			return { block: true, reason: `[${label}] ${reason}` };
+		}
+
+		ctx.ui.notify(
+			`${icon} ` +
+				ctx.ui.theme.fg(
+					severityColor,
+					`Approved ${label.toLowerCase()} command`,
+				),
+			"info",
+		);
+		return undefined;
+	});
+}

package/src/lib.ts

@@ -0,0 +1,176 @@
+/**
+ * Pure helpers for pix-gate — no Pi API deps, fully unit-testable.
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+export type Severity = "critical" | "dangerous" | "risky";
+
+export interface Rule {
+	pattern: RegExp;
+	severity: Severity;
+	reason: string;
+}
+
+export interface UserConfig {
+	extraRules?: {
+		pattern: string;
+		flags?: string;
+		severity?: Severity;
+		reason?: string;
+	}[];
+	disableDefaults?: boolean;
+	/** Regex strings — commands matching any are passed through without prompting. */
+	autoApprove?: string[];
+}
+
+export const DEFAULT_RULES: Rule[] = [
+	// CRITICAL — destructive, irreversible, or system-wide
+	{
+		pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\s+\/(\s|$)/i,
+		severity: "critical",
+		reason: "rm -rf on /",
+	},
+	{
+		pattern:
+			/\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\s+(~|\$HOME)(\s|$|\/\s*$)/i,
+		severity: "critical",
+		reason: "rm -rf on $HOME",
+	},
+	{
+		pattern: /\bmkfs(\.\w+)?\b/i,
+		severity: "critical",
+		reason: "filesystem formatting",
+	},
+	{
+		pattern: /\bdd\s+.*\bof=\/dev\/(sd[a-z]|nvme|disk)/i,
+		severity: "critical",
+		reason: "dd to raw block device",
+	},
+	{
+		pattern: />\s*\/dev\/(sd[a-z]|nvme|disk)/i,
+		severity: "critical",
+		reason: "writing to raw block device",
+	},
+	{
+		pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;:/,
+		severity: "critical",
+		reason: "fork bomb",
+	},
+	{
+		pattern: /\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/i,
+		severity: "critical",
+		reason: "system power command",
+	},
+
+	// DANGEROUS — destructive or privileged but recoverable in scope
+	{
+		pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b/i,
+		severity: "dangerous",
+		reason: "recursive force remove",
+	},
+	// Match sudo as a command/operator token, not as a substring of path components like pix-sudo
+	{
+		pattern: /(^|[\s;|&])sudo\b/i,
+		severity: "dangerous",
+		reason: "privilege escalation",
+	},
+	{
+		pattern: /\b(chmod|chown)\b[^|;&]*\b(777|-R\s+777)/i,
+		severity: "dangerous",
+		reason: "world-writable permissions",
+	},
+	{
+		pattern: /\bchmod\s+-R\b/i,
+		severity: "dangerous",
+		reason: "recursive chmod",
+	},
+	{
+		pattern: /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(sh|bash|zsh)\b/i,
+		severity: "dangerous",
+		reason: "remote script execution (curl|sh)",
+	},
+	{
+		pattern: /\bgit\s+(push\s+(-f|--force)|reset\s+--hard|clean\s+-[a-z]*f)/i,
+		severity: "dangerous",
+		reason: "destructive git operation",
+	},
+	{
+		pattern: /\bnpm\s+publish\b/i,
+		severity: "dangerous",
+		reason: "package publish",
+	},
+	{
+		pattern: /\bdocker\s+(system\s+prune|rm\s+-f|volume\s+rm)/i,
+		severity: "dangerous",
+		reason: "destructive docker operation",
+	},
+	{
+		pattern: /\bkill\s+-9\s+-1\b/i,
+		severity: "dangerous",
+		reason: "kill all processes",
+	},
+
+	// RISKY — worth a glance but usually fine
+	{
+		pattern: /\bgit\s+checkout\s+(-f|--force)/i,
+		severity: "risky",
+		reason: "force checkout (overwrites local changes)",
+	},
+	{
+		pattern: /\bgit\s+stash\s+drop\b/i,
+		severity: "risky",
+		reason: "stash drop",
+	},
+	{
+		pattern: />\s*[^|&;]*\.env\b/i,
+		severity: "risky",
+		reason: "writing to .env",
+	},
+];
+
+export function loadUserConfig(): UserConfig {
+	const path = join(homedir(), ".pi", "agent", "pix-gate.json");
+	if (!existsSync(path)) return {};
+	try {
+		return JSON.parse(readFileSync(path, "utf-8")) as UserConfig;
+	} catch {
+		return {};
+	}
+}
+
+export function buildRules(cfg: UserConfig): {
+	rules: Rule[];
+	autoApprove: RegExp[];
+} {
+	const base = cfg.disableDefaults ? [] : DEFAULT_RULES.slice();
+	const extra = (cfg.extraRules ?? []).map((r) => ({
+		pattern: new RegExp(r.pattern, r.flags ?? "i"),
+		severity: (r.severity ?? "dangerous") as Severity,
+		reason: r.reason ?? "user-defined rule",
+	}));
+	const autoApprove = (cfg.autoApprove ?? []).map((s) => new RegExp(s));
+	return { rules: [...base, ...extra], autoApprove };
+}
+
+/**
+ * Return the highest-severity rule that matches `command`, or undefined if none.
+ * Checks critical → dangerous → risky in order, returning on first match.
+ */
+export function classify(command: string, rules: Rule[]): Rule | undefined {
+	const order: Severity[] = ["critical", "dangerous", "risky"];
+	for (const sev of order) {
+		const hit = rules.find(
+			(r) => r.severity === sev && r.pattern.test(command),
+		);
+		if (hit) return hit;
+	}
+	return undefined;
+}
+
+/** True when command contains a real sudo invocation (not a path like pix-sudo). */
+export function isSudoCommand(command: string): boolean {
+	return /(^|[\s;|&])sudo\b/i.test(command);
+}