gsd-pi 2.22.0 → 2.24.0

package/src/resources/extensions/browser-tools/tools/injection-detect.ts

@@ -0,0 +1,221 @@
+import type { ExtensionAPI } from "@gsd/pi-coding-agent";
+import { Type } from "@sinclair/typebox";
+import type { ToolDeps } from "../state.js";
+
+/**
+ * Prompt injection detection — scan page content for text attempting to hijack the agent.
+ */
+
+// Known injection patterns — regex patterns that match common prompt injection attempts
+const INJECTION_PATTERNS: Array<{ pattern: RegExp; category: string; severity: "high" | "medium" | "low" }> = [
+	// Direct instruction override attempts
+	{ pattern: /ignore\s+(all\s+)?previous\s+(instructions?|prompts?)/i, category: "instruction_override", severity: "high" },
+	{ pattern: /disregard\s+(all\s+)?previous\s+(instructions?|prompts?)/i, category: "instruction_override", severity: "high" },
+	{ pattern: /forget\s+(all\s+)?previous\s+(instructions?|prompts?)/i, category: "instruction_override", severity: "high" },
+	{ pattern: /override\s+(all\s+)?previous\s+(instructions?|prompts?)/i, category: "instruction_override", severity: "high" },
+
+	// System prompt extraction
+	{ pattern: /(?:what|show|reveal|display|repeat|tell)\s+(?:me\s+)?(?:your|the)\s+system\s+prompt/i, category: "prompt_extraction", severity: "high" },
+	{ pattern: /print\s+(?:your|the)\s+(?:system\s+)?(?:prompt|instructions)/i, category: "prompt_extraction", severity: "high" },
+
+	// Role reassignment
+	{ pattern: /you\s+are\s+now\s+(?:a\s+)?(?:DAN|jailbreak|unrestricted|unfiltered)/i, category: "role_reassignment", severity: "high" },
+	{ pattern: /act\s+as\s+(?:a\s+)?(?:DAN|jailbreak|unrestricted|unfiltered)/i, category: "role_reassignment", severity: "high" },
+	{ pattern: /entering\s+(?:a\s+)?(?:developer|admin|root|sudo)\s+mode/i, category: "role_reassignment", severity: "high" },
+
+	// Hidden instruction injection
+	{ pattern: /\[SYSTEM\]\s*:/i, category: "fake_system_message", severity: "high" },
+	{ pattern: /\[INST\]\s*:/i, category: "fake_system_message", severity: "medium" },
+	{ pattern: /<\/?system>/i, category: "fake_system_message", severity: "high" },
+
+	// Tool/action manipulation
+	{ pattern: /execute\s+(?:the\s+following\s+)?(?:command|code|script)/i, category: "command_injection", severity: "medium" },
+	{ pattern: /run\s+(?:this|the\s+following)\s+(?:command|code|script)/i, category: "command_injection", severity: "medium" },
+
+	// Invisible text / social engineering
+	{ pattern: /do\s+not\s+(?:read|process|show)\s+(?:the\s+)?(?:following|rest)/i, category: "social_engineering", severity: "low" },
+	{ pattern: /(?:this|the\s+following)\s+(?:is|are)\s+(?:your\s+)?new\s+instructions/i, category: "instruction_override", severity: "high" },
+
+	// Base64/encoded content markers
+	{ pattern: /base64\s*:\s*[A-Za-z0-9+\/=]{50,}/i, category: "encoded_payload", severity: "medium" },
+];
+
+export function registerInjectionDetectionTools(pi: ExtensionAPI, deps: ToolDeps): void {
+	pi.registerTool({
+		name: "browser_check_injection",
+		label: "Browser Check Injection",
+		description:
+			"Scan current page content for potential prompt injection attempts. " +
+			"Checks visible text and hidden elements for patterns that might hijack the agent. " +
+			"Returns findings with severity levels. Use after navigating to untrusted pages.",
+		parameters: Type.Object({
+			includeHidden: Type.Optional(
+				Type.Boolean({
+					description:
+						"Also scan hidden/invisible text (default: true). " +
+						"Hidden text is a common vector for injection attacks.",
+				}),
+			),
+		}),
+
+		async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
+			try {
+				const { page: p } = await deps.ensureBrowser();
+				const includeHidden = params.includeHidden ?? true;
+
+				// Extract text content from the page
+				const pageContent = await p.evaluate((scanHidden: boolean) => {
+					const results: Array<{ text: string; source: string; visible: boolean }> = [];
+
+					// 1. Visible text content
+					const bodyText = document.body?.innerText ?? "";
+					results.push({ text: bodyText, source: "body_visible_text", visible: true });
+
+					// 2. Title and meta
+					results.push({ text: document.title, source: "page_title", visible: true });
+
+					// Meta descriptions and keywords
+					const metas = document.querySelectorAll("meta[name], meta[property]");
+					for (const meta of metas) {
+						const content = meta.getAttribute("content");
+						if (content) {
+							results.push({
+								text: content,
+								source: `meta:${meta.getAttribute("name") || meta.getAttribute("property")}`,
+								visible: false,
+							});
+						}
+					}
+
+					if (scanHidden) {
+						// 3. Hidden elements (display:none, visibility:hidden, opacity:0, off-screen, aria-hidden)
+						const allElements = document.querySelectorAll("*");
+						for (const el of allElements) {
+							const htmlEl = el as HTMLElement;
+							const style = window.getComputedStyle(htmlEl);
+							const isHidden =
+								style.display === "none" ||
+								style.visibility === "hidden" ||
+								style.opacity === "0" ||
+								htmlEl.getAttribute("aria-hidden") === "true" ||
+								(htmlEl.offsetWidth === 0 && htmlEl.offsetHeight === 0);
+
+							if (isHidden && htmlEl.textContent?.trim()) {
+								const text = htmlEl.textContent.trim();
+								if (text.length > 5 && text.length < 5000) {
+									results.push({ text, source: "hidden_element", visible: false });
+								}
+							}
+						}
+
+						// 4. HTML comments
+						const walker = document.createTreeWalker(
+							document.documentElement,
+							NodeFilter.SHOW_COMMENT,
+						);
+						let node;
+						while ((node = walker.nextNode())) {
+							const text = (node as Comment).textContent?.trim() ?? "";
+							if (text.length > 10) {
+								results.push({ text, source: "html_comment", visible: false });
+							}
+						}
+
+						// 5. Data attributes with text content
+						const dataElements = document.querySelectorAll("[data-prompt], [data-instruction], [data-system]");
+						for (const el of dataElements) {
+							for (const attr of el.attributes) {
+								if (attr.name.startsWith("data-") && attr.value.length > 10) {
+									results.push({
+										text: attr.value,
+										source: `data_attribute:${attr.name}`,
+										visible: false,
+									});
+								}
+							}
+						}
+					}
+
+					return results;
+				}, includeHidden);
+
+				// Scan all extracted text against injection patterns
+				const findings: Array<{
+					pattern: string;
+					category: string;
+					severity: string;
+					source: string;
+					visible: boolean;
+					matchedText: string;
+				}> = [];
+
+				for (const { text, source, visible } of pageContent) {
+					for (const { pattern, category, severity } of INJECTION_PATTERNS) {
+						const match = text.match(pattern);
+						if (match) {
+							findings.push({
+								pattern: pattern.source.slice(0, 60),
+								category,
+								severity,
+								source,
+								visible,
+								matchedText: match[0].slice(0, 100),
+							});
+						}
+					}
+				}
+
+				// Deduplicate findings by category + source
+				const seen = new Set<string>();
+				const uniqueFindings = findings.filter((f) => {
+					const key = `${f.category}|${f.source}|${f.matchedText}`;
+					if (seen.has(key)) return false;
+					seen.add(key);
+					return true;
+				});
+
+				const highCount = uniqueFindings.filter((f) => f.severity === "high").length;
+				const medCount = uniqueFindings.filter((f) => f.severity === "medium").length;
+				const lowCount = uniqueFindings.filter((f) => f.severity === "low").length;
+
+				if (uniqueFindings.length === 0) {
+					return {
+						content: [{
+							type: "text",
+							text: `No prompt injection patterns detected.\nScanned: ${pageContent.length} text regions (hidden: ${includeHidden})`,
+						}],
+						details: {
+							clean: true,
+							scannedRegions: pageContent.length,
+							includeHidden,
+						},
+					};
+				}
+
+				const findingLines = uniqueFindings.map((f) =>
+					`  [${f.severity.toUpperCase()}] ${f.category} in ${f.source}${!f.visible ? " (HIDDEN)" : ""}: "${f.matchedText}"`,
+				);
+
+				return {
+					content: [{
+						type: "text",
+						text: `⚠️ Prompt injection patterns detected: ${uniqueFindings.length} finding(s)\nHigh: ${highCount} | Medium: ${medCount} | Low: ${lowCount}\n\n${findingLines.join("\n")}\n\n⚠️ This page may be attempting to manipulate the agent. Proceed with caution.`,
+					}],
+					details: {
+						clean: false,
+						findings: uniqueFindings,
+						counts: { high: highCount, medium: medCount, low: lowCount, total: uniqueFindings.length },
+						scannedRegions: pageContent.length,
+						includeHidden,
+					},
+				};
+			} catch (err: any) {
+				return {
+					content: [{ type: "text", text: `Injection check failed: ${err.message}` }],
+					details: { error: err.message },
+					isError: true,
+				};
+			}
+		},
+	});
+}

package/src/resources/extensions/browser-tools/tools/network-mock.ts

@@ -0,0 +1,244 @@
+import type { ExtensionAPI } from "@gsd/pi-coding-agent";
+import { Type } from "@sinclair/typebox";
+import type { ToolDeps } from "../state.js";
+
+/**
+ * Network interception & mocking tools — mock API responses, block URLs, simulate errors.
+ */
+
+interface ActiveRoute {
+	id: number;
+	pattern: string;
+	type: "mock" | "block";
+	status?: number;
+	delay?: number;
+	description: string;
+}
+
+let nextRouteId = 1;
+const activeRoutes: ActiveRoute[] = [];
+const routeCleanups: Map<number, () => Promise<void>> = new Map();
+
+export function registerNetworkMockTools(pi: ExtensionAPI, deps: ToolDeps): void {
+	// -------------------------------------------------------------------------
+	// browser_mock_route
+	// -------------------------------------------------------------------------
+	pi.registerTool({
+		name: "browser_mock_route",
+		label: "Browser Mock Route",
+		description:
+			"Intercept network requests matching a URL pattern and respond with custom status, body, and headers. " +
+			"Supports simulating slow responses via delay parameter. " +
+			"Routes survive page navigation within the same context. Use browser_clear_routes to remove all mocks.",
+		parameters: Type.Object({
+			url: Type.String({
+				description: "URL pattern to intercept. Supports glob patterns (e.g., '**/api/users*') or exact URLs.",
+			}),
+			status: Type.Optional(
+				Type.Number({ description: "HTTP status code for the mock response (default: 200)." }),
+			),
+			body: Type.Optional(
+				Type.String({ description: "Response body string. For JSON responses, pass a JSON string." }),
+			),
+			contentType: Type.Optional(
+				Type.String({ description: "Content-Type header (default: 'application/json' if body looks like JSON, else 'text/plain')." }),
+			),
+			headers: Type.Optional(
+				Type.Record(Type.String(), Type.String(), {
+					description: "Additional response headers as key-value pairs.",
+				}),
+			),
+			delay: Type.Optional(
+				Type.Number({ description: "Delay in milliseconds before sending the response. Simulates slow responses." }),
+			),
+		}),
+
+		async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
+			try {
+				const { page: p } = await deps.ensureBrowser();
+				const routeId = nextRouteId++;
+
+				const status = params.status ?? 200;
+				const body = params.body ?? "";
+				const delay = params.delay ?? 0;
+
+				// Auto-detect content type
+				let contentType = params.contentType;
+				if (!contentType) {
+					try {
+						JSON.parse(body);
+						contentType = "application/json";
+					} catch {
+						contentType = "text/plain";
+					}
+				}
+
+				const headers: Record<string, string> = {
+					"content-type": contentType,
+					"access-control-allow-origin": "*",
+					...(params.headers ?? {}),
+				};
+
+				const handler = async (route: any) => {
+					if (delay > 0) {
+						await new Promise((resolve) => setTimeout(resolve, delay));
+					}
+					await route.fulfill({
+						status,
+						body,
+						headers,
+					});
+				};
+
+				await p.route(params.url, handler);
+
+				const cleanup = async () => {
+					try {
+						await p.unroute(params.url, handler);
+					} catch {
+						// Page may be closed
+					}
+				};
+
+				const routeInfo: ActiveRoute = {
+					id: routeId,
+					pattern: params.url,
+					type: "mock",
+					status,
+					delay: delay > 0 ? delay : undefined,
+					description: `Mock ${params.url} → ${status}${delay > 0 ? ` (${delay}ms delay)` : ""}`,
+				};
+
+				activeRoutes.push(routeInfo);
+				routeCleanups.set(routeId, cleanup);
+
+				return {
+					content: [{
+						type: "text",
+						text: `Route mocked: ${routeInfo.description}\nRoute ID: ${routeId}\nActive routes: ${activeRoutes.length}`,
+					}],
+					details: { routeId, ...routeInfo, activeRouteCount: activeRoutes.length },
+				};
+			} catch (err: any) {
+				return {
+					content: [{ type: "text", text: `Mock route failed: ${err.message}` }],
+					details: { error: err.message },
+					isError: true,
+				};
+			}
+		},
+	});
+
+	// -------------------------------------------------------------------------
+	// browser_block_urls
+	// -------------------------------------------------------------------------
+	pi.registerTool({
+		name: "browser_block_urls",
+		label: "Browser Block URLs",
+		description:
+			"Block network requests matching URL patterns. Useful for blocking analytics, ads, or third-party scripts. " +
+			"Accepts glob patterns. Routes survive page navigation.",
+		parameters: Type.Object({
+			patterns: Type.Array(Type.String(), {
+				description: "URL patterns to block (glob syntax, e.g., ['**/analytics*', '**/ads*']).",
+			}),
+		}),
+
+		async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
+			try {
+				const { page: p } = await deps.ensureBrowser();
+				const results: ActiveRoute[] = [];
+
+				for (const pattern of params.patterns) {
+					const routeId = nextRouteId++;
+
+					const handler = async (route: any) => {
+						await route.abort("blockedbyclient");
+					};
+
+					await p.route(pattern, handler);
+
+					const cleanup = async () => {
+						try {
+							await p.unroute(pattern, handler);
+						} catch {}
+					};
+
+					const routeInfo: ActiveRoute = {
+						id: routeId,
+						pattern,
+						type: "block",
+						description: `Block ${pattern}`,
+					};
+
+					activeRoutes.push(routeInfo);
+					routeCleanups.set(routeId, cleanup);
+					results.push(routeInfo);
+				}
+
+				return {
+					content: [{
+						type: "text",
+						text: `Blocked ${results.length} URL pattern(s):\n${results.map((r) => `  - ${r.description} (ID: ${r.id})`).join("\n")}\nActive routes: ${activeRoutes.length}`,
+					}],
+					details: { blocked: results, activeRouteCount: activeRoutes.length },
+				};
+			} catch (err: any) {
+				return {
+					content: [{ type: "text", text: `Block URLs failed: ${err.message}` }],
+					details: { error: err.message },
+					isError: true,
+				};
+			}
+		},
+	});
+
+	// -------------------------------------------------------------------------
+	// browser_clear_routes
+	// -------------------------------------------------------------------------
+	pi.registerTool({
+		name: "browser_clear_routes",
+		label: "Browser Clear Routes",
+		description:
+			"Remove all active route mocks and URL blocks. Also lists currently active routes if called with no routes active.",
+		parameters: Type.Object({}),
+
+		async execute(_toolCallId, _params, _signal, _onUpdate, _ctx) {
+			try {
+				await deps.ensureBrowser();
+				const count = activeRoutes.length;
+
+				if (count === 0) {
+					return {
+						content: [{ type: "text", text: "No active routes to clear." }],
+						details: { cleared: 0 },
+					};
+				}
+
+				const routeDescriptions = activeRoutes.map((r) => r.description);
+
+				// Clean up all routes
+				for (const [id, cleanup] of routeCleanups) {
+					await cleanup();
+				}
+
+				activeRoutes.length = 0;
+				routeCleanups.clear();
+
+				return {
+					content: [{
+						type: "text",
+						text: `Cleared ${count} route(s):\n${routeDescriptions.map((d) => `  - ${d}`).join("\n")}`,
+					}],
+					details: { cleared: count, routes: routeDescriptions },
+				};
+			} catch (err: any) {
+				return {
+					content: [{ type: "text", text: `Clear routes failed: ${err.message}` }],
+					details: { error: err.message },
+					isError: true,
+				};
+			}
+		},
+	});
+}

package/src/resources/extensions/browser-tools/tools/pdf.ts

@@ -0,0 +1,92 @@
+import type { ExtensionAPI } from "@gsd/pi-coding-agent";
+import { Type } from "@sinclair/typebox";
+import type { ToolDeps } from "../state.js";
+
+export function registerPdfTools(pi: ExtensionAPI, deps: ToolDeps): void {
+	pi.registerTool({
+		name: "browser_save_pdf",
+		label: "Browser Save PDF",
+		description:
+			"Render current page as PDF artifact via Playwright's page.pdf(). " +
+			"Supports A4/Letter/custom page formats and optional background graphics. " +
+			"Writes to session artifacts directory. Chromium only.",
+		parameters: Type.Object({
+			filename: Type.Optional(
+				Type.String({ description: "Output filename (default: auto-generated from page title + timestamp)." }),
+			),
+			format: Type.Optional(
+				Type.String({
+					description:
+						"Page format: 'A4' (default), 'Letter', 'Legal', 'Tabloid', or custom like '8.5in x 11in'. " +
+						"Custom format uses CSS dimension syntax for width x height.",
+				}),
+			),
+			printBackground: Type.Optional(
+				Type.Boolean({ description: "Include background graphics (default: true)." }),
+			),
+		}),
+
+		async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
+			try {
+				const { page: p } = await deps.ensureBrowser();
+
+				const url = p.url();
+				const title = await p.title().catch(() => "untitled");
+
+				// Resolve filename
+				const timestamp = deps.formatArtifactTimestamp(Date.now());
+				const safeName = deps.sanitizeArtifactName(params.filename || `${title}-${timestamp}`, `pdf-${timestamp}`);
+				const filename = safeName.endsWith(".pdf") ? safeName : `${safeName}.pdf`;
+
+				// Resolve format
+				const knownFormats = new Set(["A4", "Letter", "Legal", "Tabloid", "Ledger", "A0", "A1", "A2", "A3", "A5", "A6"]);
+				const formatInput = params.format ?? "A4";
+				let pdfOptions: Record<string, unknown> = {};
+
+				if (knownFormats.has(formatInput)) {
+					pdfOptions.format = formatInput;
+				} else {
+					// Custom format: parse "WIDTHin x HEIGHTin" or "WIDTHcm x HEIGHTcm" etc.
+					const customMatch = formatInput.match(/^(.+?)\s*[xX×]\s*(.+)$/);
+					if (customMatch) {
+						pdfOptions.width = customMatch[1]!.trim();
+						pdfOptions.height = customMatch[2]!.trim();
+					} else {
+						pdfOptions.format = "A4"; // fallback
+					}
+				}
+
+				pdfOptions.printBackground = params.printBackground ?? true;
+
+				// Generate PDF
+				await deps.ensureSessionArtifactDir();
+				const outputPath = deps.buildSessionArtifactPath(filename);
+				pdfOptions.path = outputPath;
+
+				await p.pdf(pdfOptions as any);
+
+				// Read file size
+				const { stat } = await import("node:fs/promises");
+				const fileStat = await stat(outputPath);
+				const sizeBytes = fileStat.size;
+				const sizeKB = (sizeBytes / 1024).toFixed(1);
+
+				return {
+					content: [
+						{
+							type: "text",
+							text: `PDF saved: ${outputPath}\nSize: ${sizeKB} KB\nFormat: ${formatInput}\nPage: ${title}\nURL: ${url}`,
+						},
+					],
+					details: { path: outputPath, sizeBytes, format: formatInput, pageUrl: url, pageTitle: title },
+				};
+			} catch (err: any) {
+				return {
+					content: [{ type: "text", text: `PDF generation failed: ${err.message}` }],
+					details: { error: err.message },
+					isError: true,
+				};
+			}
+		},
+	});
+}