decorated-pi 0.2.0 → 0.2.2

package/extensions/safety/index.ts

@@ -0,0 +1,155 @@
+/**
+ * Safety — Pi 集成层
+ *
+ * - Command Guard:   拦截危险 bash 命令
+ * - Redirect Guard:  bash 覆盖写入提示确认
+ * - Protected Paths: write/edit/read 保护路径提示确认
+ * - Write Guard:     覆盖非空文件禁止 write
+ * - Secret Redact:   API Key / Token 自动掩码
+ */
+
+import type {
+  ExtensionAPI,
+  ExtensionContext,
+  ToolResultEvent,
+} from "@earendil-works/pi-coding-agent";
+import * as fs from "node:fs";
+import { resolve } from "node:path";
+import {
+  checkProtectedPath,
+  collectBashDangers,
+  formatBashDangers,
+  detectSecrets,
+  maskSecret,
+} from "./detect.js";
+
+type ToolTextContent = Extract<NonNullable<ToolResultEvent["content"]>[number], { type: "text" }>;
+
+// ─── Setup ──────────────────────────────────────────────────────────────────
+
+export function setupSafety(pi: ExtensionAPI) {
+  // ── Command Guard + Protected Paths + Write Guard (tool_call) ─────────
+
+  pi.on("tool_call", async (event, ctx) => {
+
+    // Gate 1: 危险命令 + 覆盖写入 + 读取保护路径
+    if (event.toolName === "bash") {
+      const command = (event.input as { command?: string }).command;
+      if (command) {
+        const dangers = collectBashDangers(command, ctx.cwd);
+        if (dangers.length > 0) {
+          const message = formatBashDangers(dangers)!;
+          if (!ctx.hasUI) {
+            return { block: true, reason: `⚠ ${message} (non-interactive)` };
+          }
+          const choice = await ctx.ui.select(
+            `⚠️  ${message}\n\nAllow execution?`,
+            ["Block", "Allow once"],
+          );
+          if (!choice || choice === "Block") {
+            return { block: true, reason: `⚠ ${message}` };
+          }
+        }
+      }
+    }
+
+    // Gate 2: write/edit 写入保护路径
+    if (event.toolName === "write" || event.toolName === "edit") {
+      const filePath = (event.input as any).path ?? (event.input as any).file ?? (event.input as any).file_path;
+      if (filePath) {
+        const danger = checkProtectedPath(filePath);
+        if (danger) {
+          if (!ctx.hasUI) {
+            return { block: true, reason: `🔒 ${danger}\nmay contain sensitive information` };
+          }
+          const choice = await ctx.ui.select(
+            `🔒 ${danger}\nmay contain sensitive information\n\nProceed?`,
+            ["Block", "Allow once"],
+          );
+          if (!choice || choice === "Block") {
+            return { block: true, reason: `🔒 ${danger}\nmay contain sensitive information` };
+          }
+        }
+      }
+    }
+
+    // Gate 3: 写保护（已有内容的文件禁止 write，直接返回信息给 agent）
+    if (event.toolName === "write") {
+      const filePath = (event.input as any).path ?? (event.input as any).file ?? (event.input as any).file_path;
+      if (filePath) {
+        try {
+          const abs = resolve(ctx.cwd, filePath);
+          if (fs.existsSync(abs) && fs.readFileSync(abs, "utf8").length > 0) {
+            return { block: true, reason: "Overwriting a non-empty file is dangerous, use the edit tool instead!" };
+          }
+        } catch { /* file doesn't exist */ }
+      }
+    }
+
+    // Gate 4: read 工具读取保护路径（bash 读取已在 Gate 1 处理）
+    if (event.toolName === "read") {
+      const filePath = (event.input as any).path ?? (event.input as any).file ?? (event.input as any).file_path;
+      if (filePath) {
+        const danger = checkProtectedPath(filePath);
+        if (danger) {
+          if (!ctx.hasUI) {
+            return { block: true, reason: `🔒 Reading protected file: ${danger}\nmay contain sensitive information` };
+          }
+          const choice = await ctx.ui.select(
+            `🔒 Reading protected file: ${danger}\nmay contain sensitive information\n\nProceed?`,
+            ["Block", "Allow once"],
+          );
+          if (!choice || choice === "Block") {
+            return { block: true, reason: `🔒 Reading protected file: ${danger}\nmay contain sensitive information` };
+          }
+        }
+      }
+    }
+  });
+
+  // ── Secret Redact (tool_result) ────────────────────────────────────────
+
+  const handleToolResult = async (
+    event: ToolResultEvent,
+    ctx: ExtensionContext,
+  ): Promise<{ content?: NonNullable<ToolResultEvent["content"]> } | void> => {
+    if (!event.content || !Array.isArray(event.content)) return;
+
+    // Only scan read tool output — other tools (bash, write, edit) are either
+    // covered by path guards or produce git/diff noise that causes false positives.
+    if (event.toolName !== "read") return;
+
+    const textParts: Array<{ index: number; text: string; item: ToolTextContent }> = [];
+    for (let i = 0; i < event.content.length; i++) {
+      const item = event.content[i];
+      if (item.type === "text" && typeof item.text === "string" && item.text.length > 0) {
+        textParts.push({ index: i, text: item.text, item });
+      }
+    }
+    if (textParts.length === 0) return;
+
+    let totalCount = 0;
+    const newContent = [...event.content];
+
+    for (const { index, text, item } of textParts) {
+      const matches = detectSecrets(text);
+      if (matches.length === 0) continue;
+
+      totalCount += matches.length;
+      let redacted = text;
+      for (const { start, end } of matches) {
+        const original = redacted.slice(start, end);
+        redacted = redacted.slice(0, start) + maskSecret(original) + redacted.slice(end);
+      }
+      const updatedItem: ToolTextContent = { ...item, text: redacted };
+      newContent[index] = updatedItem;
+    }
+
+    if (totalCount === 0) return;
+    const label = totalCount === 1 ? "1 secret" : `${totalCount} secrets`;
+    ctx.ui.notify(`🔒 Redacted ${label} in ${event.toolName} output`, "warning");
+    return { content: newContent };
+  };
+
+  pi.on("tool_result", handleToolResult);
+}

package/extensions/settings.ts

@@ -25,10 +25,17 @@ export interface ProviderCache {
   models: ProviderModelEntry[];
 }
 
+export interface ModuleSettings {
+  safety?: boolean;
+  lsp?: boolean;
+  "smart-at"?: boolean;
+}
+
 export interface DecoratedPiConfig {
   imageModelKey?: string | null;
   compactModelKey?: string | null;
   providers?: Record<string, ProviderCache>;
+  modules?: ModuleSettings;
 }
 
 export function loadConfig(): DecoratedPiConfig {
@@ -97,3 +104,27 @@ export function setImageModelKey(key: string | null) {
 export function setCompactModelKey(key: string | null) {
   saveConfig({ compactModelKey: key });
 }
+
+// ─── Module Switches ──────────────────────────────────────────────────────────
+
+const DEFAULT_MODULES: Required<ModuleSettings> = {
+  safety: true,
+  lsp: true,
+  "smart-at": true,
+};
+
+export function isModuleEnabled(name: keyof ModuleSettings): boolean {
+  const modules = loadConfig().modules ?? {};
+  return modules[name] ?? DEFAULT_MODULES[name] ?? true;
+}
+
+export function setModuleEnabled(name: keyof ModuleSettings, enabled: boolean) {
+  const modules = { ...loadConfig().modules };
+  modules[name] = enabled;
+  saveConfig({ modules });
+}
+
+export function getAllModuleSettings(): Required<ModuleSettings> {
+  const modules = loadConfig().modules ?? {};
+  return { ...DEFAULT_MODULES, ...modules };
+}

package/extensions/slash.ts

@@ -1,17 +1,48 @@
 /**
  * Slash — 所有扩展命令
  *
- * /extend-model     → 模型选择器 (TAB 切换 Image/Compact)
- * /retry            → 中断后继续
+ * /dp-model    → 模型选择器 (TAB 切换 Image/Compact)
+ * /dp-settings → 模块开关 (safety / lsp / smart-at)
+ * /retry       → 中断后继续
  */
 
 import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { ModelPickerComponent } from "./extend-model.js";
+import { getAllModuleSettings, setModuleEnabled, type ModuleSettings } from "./settings.js";
+import { Container, SettingsList, type TUI, type Theme as PiTheme, type SettingsListTheme, type Component } from "@earendil-works/pi-tui";
 
-// ─── /extend-model ─────────────────────────────────────────────────────────
+// ─── Border component (matches native DynamicBorder) ────────────────────────
 
-function setupExtendModelCommand(pi: ExtensionAPI) {
-  pi.registerCommand("extend-model", {
+class DynamicBorder implements Component {
+  private colorFn: (str: string) => string;
+
+  constructor(theme: PiTheme) {
+    this.colorFn = (str: string) => theme.fg("border", str);
+  }
+
+  invalidate() {}
+
+  render(width: number): string[] {
+    return [this.colorFn("─".repeat(Math.max(1, width)))];
+  }
+}
+
+// ─── SettingsList Theme (matches native getSettingsListTheme) ───────────────
+
+function getSettingsListTheme(theme: PiTheme): SettingsListTheme {
+  return {
+    label: (text: string, selected: boolean) => selected ? theme.fg("accent", text) : text,
+    value: (text: string, selected: boolean) => selected ? theme.fg("accent", text) : theme.fg("muted", text),
+    description: (text: string) => theme.fg("dim", text),
+    cursor: theme.fg("accent", "→ "),
+    hint: (text: string) => theme.fg("dim", text),
+  };
+}
+
+// ─── /dp-model ─────────────────────────────────────────────────────────────
+
+function setupDpModelCommand(pi: ExtensionAPI) {
+  pi.registerCommand("dp-model", {
     description: "Configure image and compact models",
     handler: async (_args, ctx) => {
       if (ctx.hasUI) {
@@ -21,7 +52,75 @@ function setupExtendModelCommand(pi: ExtensionAPI) {
         );
         return;
       }
-      ctx.ui.notify("extend-model requires interactive mode.", "warning");
+      ctx.ui.notify("dp-model requires interactive mode.", "warning");
+    },
+  });
+}
+
+// ─── /dp-settings ──────────────────────────────────────────────────────────
+
+const MODULE_LABELS: Record<keyof ModuleSettings, string> = {
+  safety: "Safety Layer",
+  lsp: "LSP Tools",
+  "smart-at": "Smart @ Search",
+};
+
+const MODULE_DESCS: Record<keyof ModuleSettings, string> = {
+  safety: "Command guard, protected paths, read guard, secret redaction",
+  lsp: "Language server diagnostics, hover, definition, references, symbols, rename",
+  "smart-at": "Project-aware file search replacing default autocomplete",
+};
+
+class ModuleSettingsComponent extends Container {
+  private settingsList: SettingsList;
+
+  constructor(tui: TUI, theme: PiTheme, onDone: () => void) {
+    super();
+    const modules = getAllModuleSettings();
+    const keys = Object.keys(MODULE_LABELS) as (keyof ModuleSettings)[];
+
+    const items = keys.map(k => ({
+      id: k,
+      label: MODULE_LABELS[k],
+      description: MODULE_DESCS[k],
+      currentValue: modules[k] ? "on" : "off",
+      values: ["on", "off"],
+    }));
+
+    this.addChild(new DynamicBorder(theme));
+
+    this.settingsList = new SettingsList(
+      items, 10, getSettingsListTheme(theme),
+      (id: string, newValue: string) => {
+        setModuleEnabled(id as keyof ModuleSettings, newValue === "on");
+        tui.requestRender();
+      },
+      () => onDone(),
+      { enableSearch: true },
+    );
+
+    this.addChild(this.settingsList);
+    this.addChild(new DynamicBorder(theme));
+  }
+
+  handleInput(data: string) {
+    this.settingsList.handleInput(data);
+  }
+}
+
+function setupDpSettingsCommand(pi: ExtensionAPI) {
+  pi.registerCommand("dp-settings", {
+    description: "Toggle decorated-pi modules on/off",
+    handler: async (_args, ctx) => {
+      if (ctx.hasUI) {
+        await ctx.ui.custom<void>(
+          (tui, theme, _kb, done) =>
+            new ModuleSettingsComponent(tui, theme, () => done(undefined))
+        );
+        ctx.ui.notify("Module settings updated. /reload to apply.", "info");
+        return;
+      }
+      ctx.ui.notify("dp-settings requires interactive mode.", "warning");
     },
   });
 }
@@ -62,6 +161,7 @@ function setupRetryCommand(pi: ExtensionAPI) {
 // ─── 入口 ───────────────────────────────────────────────────────────────────
 
 export function setupSlash(pi: ExtensionAPI) {
-  setupExtendModelCommand(pi);
+  setupDpModelCommand(pi);
+  setupDpSettingsCommand(pi);
   setupRetryCommand(pi);
 }

package/extensions/smart-at.ts

@@ -200,9 +200,13 @@ export function setupSmartAt(pi: ExtensionAPI) {
 
         const { dirs, files } = getFileAndDirList(cwd);
         const results = smartSearch(dirs, files, prefix.slice(1));
-        ctx.ui.setWidget("smart-at", ["powered by decorated-pi"]);
 
-        if (!results.length) return null;
+        if (!results.length) {
+          ctx.ui.setWidget("smart-at", undefined);
+          return null;
+        }
+
+        ctx.ui.setWidget("smart-at", ["powered by decorated-pi"]);
         return Promise.resolve({
           items: results.map((f: string) => ({
             value: "@" + f,
@@ -213,7 +217,10 @@ export function setupSmartAt(pi: ExtensionAPI) {
         });
       },
       // ⚠️ 必须 .bind(orig)
-      applyCompletion: orig.applyCompletion.bind(orig),
+      applyCompletion: (...args: any[]) => {
+        ctx.ui.setWidget("smart-at", undefined);
+        return orig.applyCompletion.apply(orig, args);
+      },
       shouldTriggerFileCompletion: orig.shouldTriggerFileCompletion?.bind(orig),
     }));
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "decorated-pi",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Essential utilities for pi: safety gates, secret redaction, smart @ completion, dynamic AGENTS loading, image fallback, and LSP tools",
   "keywords": [
     "pi",
@@ -11,20 +11,17 @@
     "lsp",
     "language-server",
     "autocomplete",
-    "secretlint"
+    "entropy",
+    "secret-detection"
   ],
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/lcwecker/decorated-pi.git"
+    "url": "git+https://github.com/lcwecker/decorated-pi.git"
   },
   "homepage": "https://github.com/lcwecker/decorated-pi#readme",
   "bugs": "https://github.com/lcwecker/decorated-pi/issues",
   "dependencies": {
-    "@secretlint/node": "^13.0.0",
-    "@secretlint/secretlint-rule-azure": "^13.0.0",
-    "@secretlint/secretlint-rule-preset-recommend": "^13.0.0",
-    "@secretlint/secretlint-rule-secp256k1-privatekey": "^13.0.0",
     "@spences10/pi-child-env": "0.1.4",
     "@spences10/pi-project-trust": "0.0.6",
     "openai": "^6.37.0"
@@ -39,5 +36,11 @@
     "extensions": [
       "./extensions/index.ts"
     ]
+  },
+  "devDependencies": {
+    "vitest": "^4.1.6"
+  },
+  "scripts": {
+    "test": "vitest run"
   }
 }