guardian-framework 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +463 -0
- package/dist/cli.js +12958 -0
- package/dist/exports.js +12765 -0
- package/package.json +61 -0
- package/templates/languages/go-patterns.md +411 -0
- package/templates/languages/java-patterns.md +545 -0
- package/templates/languages/python-patterns.md +312 -0
- package/templates/languages/rust-patterns.md +232 -0
- package/templates/languages/typescript-patterns.md +313 -0
- package/templates/pi/INDEX.md +437 -0
- package/templates/pi/agent/AGENTS.md +166 -0
- package/templates/pi/agents/architecture-coordinator.md +40 -0
- package/templates/pi/agents/architecture-validator.md +36 -0
- package/templates/pi/agents/bootstrap-implementer.md +37 -0
- package/templates/pi/agents/issue-factory.md +31 -0
- package/templates/pi/agents/operations-validator.md +32 -0
- package/templates/pi/agents/security-validator.md +33 -0
- package/templates/pi/architecture/CHANGELOG.md +78 -0
- package/templates/pi/architecture/decisions/ADR-template.md +76 -0
- package/templates/pi/architecture/diagrams/system-overview.md +159 -0
- package/templates/pi/architecture/modules/module-template.md +152 -0
- package/templates/pi/context/checklists.md +91 -0
- package/templates/pi/context/domain-workflow.md +180 -0
- package/templates/pi/context/output-formats.md +135 -0
- package/templates/pi/context/patterns-base.md +47 -0
- package/templates/pi/context/patterns.md +38 -0
- package/templates/pi/context/project.md +88 -0
- package/templates/pi/domain/exploration.md +93 -0
- package/templates/pi/domain/ubiquitous-language.md +24 -0
- package/templates/pi/extensions/architect-lib/generators.ts +528 -0
- package/templates/pi/extensions/architect-lib/helpers.ts +344 -0
- package/templates/pi/extensions/architect-lib/types.ts +117 -0
- package/templates/pi/extensions/architect.ts +1425 -0
- package/templates/pi/extensions/ask-user-question.ts +579 -0
- package/templates/pi/extensions/bash-guard.ts +556 -0
- package/templates/pi/extensions/config-reload.ts +115 -0
- package/templates/pi/extensions/coordinator.ts +304 -0
- package/templates/pi/extensions/curator.ts +543 -0
- package/templates/pi/extensions/domain-explorer.ts +990 -0
- package/templates/pi/extensions/filechanges.ts +656 -0
- package/templates/pi/extensions/goal-loop.ts +717 -0
- package/templates/pi/extensions/hooks.ts +452 -0
- package/templates/pi/extensions/kanban.ts +547 -0
- package/templates/pi/extensions/pipeline.ts +1246 -0
- package/templates/pi/extensions/plan-mode.ts +209 -0
- package/templates/pi/extensions/project-scaffolder.ts +284 -0
- package/templates/pi/extensions/read-only-mode.ts +192 -0
- package/templates/pi/extensions/redaction.ts +128 -0
- package/templates/pi/extensions/session-persistence.ts +174 -0
- package/templates/pi/extensions/slash-commands.ts +229 -0
- package/templates/pi/extensions/snippets.ts +201 -0
- package/templates/pi/extensions/validation-runner.ts +100 -0
- package/templates/pi/github/agents/architecture-coordinator.agent.md +27 -0
- package/templates/pi/github/agents/architecture-validator.agent.md +20 -0
- package/templates/pi/github/agents/bootstrap-implementer.agent.md +20 -0
- package/templates/pi/github/agents/epic-planner.agent.md +70 -0
- package/templates/pi/github/agents/issue-factory.agent.md +20 -0
- package/templates/pi/github/agents/operations-validator.agent.md +20 -0
- package/templates/pi/github/agents/security-validator.agent.md +20 -0
- package/templates/pi/github/copilot/settings.json +16 -0
- package/templates/pi/github/copilot-instructions.md +155 -0
- package/templates/pi/github/instructions/architecture.instructions.md +71 -0
- package/templates/pi/github/instructions/validation.instructions.md +69 -0
- package/templates/pi/github/workflows/01-planning-workflow.md +75 -0
- package/templates/pi/github/workflows/02-issue-generation-workflow.md +69 -0
- package/templates/pi/github/workflows/03-implementation-workflow.md +80 -0
- package/templates/pi/github/workflows/04-validation-workflow.md +68 -0
- package/templates/pi/preflight_report.json +99 -0
- package/templates/pi/prompts/blueprint-update.md +262 -0
- package/templates/pi/prompts/blueprint-validate.md +218 -0
- package/templates/pi/prompts/bug-fix.md +50 -0
- package/templates/pi/prompts/ci-blueprint.md +131 -0
- package/templates/pi/prompts/context-refresh.md +258 -0
- package/templates/pi/prompts/epic-plan.md +356 -0
- package/templates/pi/prompts/epic-template.md +186 -0
- package/templates/pi/prompts/feature-development.md +131 -0
- package/templates/pi/prompts/git-issues.md +243 -0
- package/templates/pi/prompts/hotfix.md +71 -0
- package/templates/pi/prompts/issue-closeout.md +342 -0
- package/templates/pi/prompts/issue-draft.md +218 -0
- package/templates/pi/prompts/issue-implementation-series.md +173 -0
- package/templates/pi/prompts/issue-merge.md +372 -0
- package/templates/pi/prompts/issue-template-set.md +392 -0
- package/templates/pi/prompts/issue-template.md +207 -0
- package/templates/pi/prompts/pattern-extract.md +269 -0
- package/templates/pi/prompts/plan-to-issues.md +430 -0
- package/templates/pi/prompts/refactoring.md +82 -0
- package/templates/pi/prompts/scope-analyzer.md +254 -0
- package/templates/pi/prompts/sync-check.md +230 -0
- package/templates/pi/scripts/categorize-issues.sh +171 -0
- package/templates/pi/scripts/ci/check_architecture_conformance.sh +748 -0
- package/templates/pi/scripts/ci/check_planning_packet.py +228 -0
- package/templates/pi/scripts/ci/run_hardening_stages.sh +264 -0
- package/templates/pi/scripts/ci/run_preflight.sh +649 -0
- package/templates/pi/scripts/ci/run_stage.sh +193 -0
- package/templates/pi/scripts/ci/stage_docs_policy.sh +82 -0
- package/templates/pi/scripts/ci/stage_integration.sh +3 -0
- package/templates/pi/scripts/ci/stage_lint.sh +130 -0
- package/templates/pi/scripts/ci/stage_migration_verify.sh +3 -0
- package/templates/pi/scripts/ci/stage_package_build.sh +3 -0
- package/templates/pi/scripts/ci/stage_release_readiness.sh +3 -0
- package/templates/pi/scripts/ci/stage_remaining.sh +242 -0
- package/templates/pi/scripts/ci/stage_security.sh +3 -0
- package/templates/pi/scripts/ci/stage_static_analysis.sh +114 -0
- package/templates/pi/scripts/ci/stage_unit.sh +119 -0
- package/templates/pi/scripts/ci/validate_agent_output.py +181 -0
- package/templates/pi/scripts/ci/validate_agent_output.sh +243 -0
- package/templates/pi/scripts/create-feature-branch.sh +136 -0
- package/templates/pi/scripts/create-mr.sh +117 -0
- package/templates/pi/scripts/fetch-issues.sh +131 -0
- package/templates/pi/scripts/generate-architecture.sh +161 -0
- package/templates/pi/scripts/git/close-epic.sh +69 -0
- package/templates/pi/scripts/git/close-issue.sh +35 -0
- package/templates/pi/scripts/git/create-tracking-issue.sh +174 -0
- package/templates/pi/scripts/git/link-issue-to-epic.sh +51 -0
- package/templates/pi/scripts/git/update-tracking-issue.sh +66 -0
- package/templates/pi/scripts/languages/go/validate-architecture.sh +139 -0
- package/templates/pi/scripts/languages/go/validate-canonical.sh +129 -0
- package/templates/pi/scripts/languages/go/validate-ci.sh +132 -0
- package/templates/pi/scripts/languages/go/validate-integration.sh +156 -0
- package/templates/pi/scripts/languages/go/validate-operations.sh +146 -0
- package/templates/pi/scripts/languages/go/validate-security.sh +135 -0
- package/templates/pi/scripts/languages/go/validate-tests.sh +125 -0
- package/templates/pi/scripts/languages/java/validate-annotations.sh +185 -0
- package/templates/pi/scripts/languages/java/validate-architecture.sh +159 -0
- package/templates/pi/scripts/languages/java/validate-canonical.sh +114 -0
- package/templates/pi/scripts/languages/java/validate-ci.sh +269 -0
- package/templates/pi/scripts/languages/java/validate-integration.sh +149 -0
- package/templates/pi/scripts/languages/java/validate-operations.sh +142 -0
- package/templates/pi/scripts/languages/java/validate-security.sh +174 -0
- package/templates/pi/scripts/languages/java/validate-spring-architecture.sh +227 -0
- package/templates/pi/scripts/languages/java/validate-tests.sh +159 -0
- package/templates/pi/scripts/languages/python/validate-architecture.sh +99 -0
- package/templates/pi/scripts/languages/python/validate-canonical.sh +124 -0
- package/templates/pi/scripts/languages/python/validate-ci.sh +130 -0
- package/templates/pi/scripts/languages/python/validate-integration.sh +119 -0
- package/templates/pi/scripts/languages/python/validate-operations.sh +107 -0
- package/templates/pi/scripts/languages/python/validate-security.sh +68 -0
- package/templates/pi/scripts/languages/python/validate-tests.sh +102 -0
- package/templates/pi/scripts/languages/rust/validate-architecture.sh +188 -0
- package/templates/pi/scripts/languages/rust/validate-canonical.sh +146 -0
- package/templates/pi/scripts/languages/rust/validate-ci.sh +147 -0
- package/templates/pi/scripts/languages/rust/validate-integration.sh +149 -0
- package/templates/pi/scripts/languages/rust/validate-operations.sh +154 -0
- package/templates/pi/scripts/languages/rust/validate-security.sh +153 -0
- package/templates/pi/scripts/languages/rust/validate-tests.sh +150 -0
- package/templates/pi/scripts/languages/typescript/validate-architecture.sh +157 -0
- package/templates/pi/scripts/languages/typescript/validate-canonical.sh +135 -0
- package/templates/pi/scripts/languages/typescript/validate-ci.sh +244 -0
- package/templates/pi/scripts/languages/typescript/validate-integration.sh +166 -0
- package/templates/pi/scripts/languages/typescript/validate-operations.sh +162 -0
- package/templates/pi/scripts/languages/typescript/validate-security.sh +169 -0
- package/templates/pi/scripts/languages/typescript/validate-tests.sh +158 -0
- package/templates/pi/scripts/merge-mr.sh +95 -0
- package/templates/pi/scripts/mr-validation.sh +228 -0
- package/templates/pi/scripts/validate-architecture-readiness.sh +153 -0
- package/templates/pi/scripts/validate-architecture.sh +22 -0
- package/templates/pi/scripts/validate-canonical.sh +22 -0
- package/templates/pi/scripts/validate-ci.sh +37 -0
- package/templates/pi/scripts/validate-integration.sh +22 -0
- package/templates/pi/scripts/validate-operations.sh +22 -0
- package/templates/pi/scripts/validate-security.sh +22 -0
- package/templates/pi/scripts/validate-tests.sh +22 -0
- package/templates/pi/scripts/validate-ubiquitous-language.sh +291 -0
- package/templates/pi/scripts/validation-cache.sh +139 -0
- package/templates/pi/skills/agents/architecture-coordinator.md +178 -0
- package/templates/pi/skills/agents/architecture-generator.md +79 -0
- package/templates/pi/skills/agents/architecture-validator.md +74 -0
- package/templates/pi/skills/agents/ci-mr-validator.md +46 -0
- package/templates/pi/skills/agents/code-developer.md +76 -0
- package/templates/pi/skills/agents/commit.md +46 -0
- package/templates/pi/skills/agents/curator.md +71 -0
- package/templates/pi/skills/agents/debug.md +59 -0
- package/templates/pi/skills/agents/documentation-maintainer.md +36 -0
- package/templates/pi/skills/agents/goal-loop.md +125 -0
- package/templates/pi/skills/agents/hooks.md +122 -0
- package/templates/pi/skills/agents/integration-validator.md +35 -0
- package/templates/pi/skills/agents/issue-creator.md +75 -0
- package/templates/pi/skills/agents/issue-factory.md +143 -0
- package/templates/pi/skills/agents/kanban.md +85 -0
- package/templates/pi/skills/agents/land.md +59 -0
- package/templates/pi/skills/agents/operations-validator.md +43 -0
- package/templates/pi/skills/agents/pipeline.md +113 -0
- package/templates/pi/skills/agents/plan-mode.md +77 -0
- package/templates/pi/skills/agents/pull.md +40 -0
- package/templates/pi/skills/agents/push.md +41 -0
- package/templates/pi/skills/agents/security-validator.md +85 -0
- package/templates/pi/skills/agents/session-persistence.md +119 -0
- package/templates/pi/skills/agents/slash-commands.md +117 -0
- package/templates/pi/skills/agents/snippets.md +99 -0
- package/templates/pi/skills/agents/subagent-registry.md +78 -0
- package/templates/pi/skills/agents/test-validator.md +42 -0
- package/templates/pi/skills/validators/architecture-validator.md +43 -0
- package/templates/pi/skills/validators/ci-validator.md +27 -0
- package/templates/pi/skills/validators/context-compaction.md +73 -0
- package/templates/pi/skills/validators/integration-validator.md +38 -0
- package/templates/pi/skills/validators/model-registry.md +96 -0
- package/templates/pi/skills/validators/operations-validator.md +34 -0
- package/templates/pi/skills/validators/security-guards.md +72 -0
- package/templates/pi/skills/validators/security-validator.md +41 -0
- package/templates/pi/skills/validators/system-prompt-tiers.md +69 -0
- package/templates/pi/skills/validators/test-validator.md +33 -0
- package/templates/pi/types.ts +62 -0
- package/templates/pi/validators/README.md +93 -0
- package/templates/pi/validators/default.toml +209 -0
- package/templates/pi/validators/spring.toml +142 -0
- package/templates/pi/workpad.md +53 -0
- package/templates/project/java/Dockerfile +14 -0
- package/templates/project/java/README.md +40 -0
- package/templates/project/java/pom.xml +132 -0
- package/templates/project/typescript/Dockerfile +15 -0
- package/templates/project/typescript/README.md +29 -0
- package/templates/project/typescript/package.json +23 -0
- package/templates/project/typescript/tsconfig.json +21 -0
- package/templates/workflow.md +123 -0
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Integration Validator Skill
|
|
2
|
+
|
|
3
|
+
Validates component integration and wiring.
|
|
4
|
+
|
|
5
|
+
## Context Files
|
|
6
|
+
|
|
7
|
+
- `.pi/context/checklists.md` — integration checklist
|
|
8
|
+
- `.pi/context/output-formats.md` — report format
|
|
9
|
+
|
|
10
|
+
## Wiring Checks
|
|
11
|
+
|
|
12
|
+
```bash
|
|
13
|
+
# 1. Find callers
|
|
14
|
+
grep -r "function_name" src/
|
|
15
|
+
|
|
16
|
+
# 2. Check imports
|
|
17
|
+
grep -r "import.*module" src/
|
|
18
|
+
|
|
19
|
+
# 3. Verify registration (if tool/plugin)
|
|
20
|
+
grep -r "register" [registry file]
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
## Focus Areas
|
|
24
|
+
|
|
25
|
+
1. **Interface contracts** — signatures match callers
|
|
26
|
+
2. **Data flow** — types consistent across boundaries
|
|
27
|
+
3. **Error propagation** — errors handled at integration points
|
|
28
|
+
|
|
29
|
+
## Tools
|
|
30
|
+
|
|
31
|
+
- Grep: Find wiring
|
|
32
|
+
- LSP: Navigate definitions
|
|
33
|
+
- Read: Review interfaces
|
|
34
|
+
- Bash: Run integration tests
|
|
35
|
+
|
|
36
|
+
## Output
|
|
37
|
+
|
|
38
|
+
Use `.pi/context/output-formats.md` → "Wiring Check Report"
|
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: model-registry
|
|
3
|
+
description: Model capability scoring system with intelligence/speed/cost ratings and auto-model selection by task type.
|
|
4
|
+
model: inherit
|
|
5
|
+
tools: [Read]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Model Registry
|
|
9
|
+
|
|
10
|
+
Classify models by capability scores to auto-select the right model for each task.
|
|
11
|
+
|
|
12
|
+
## Capability Dimensions
|
|
13
|
+
|
|
14
|
+
Each model is scored on a 1–5 scale:
|
|
15
|
+
|
|
16
|
+
| Dimension | Meaning |
|
|
17
|
+
|-----------|---------|
|
|
18
|
+
| **Intelligence** | Reasoning quality, code understanding, accuracy |
|
|
19
|
+
| **Speed** | Response time (5 = sub-second, 1 = multi-minute) |
|
|
20
|
+
| **Cost** | Price efficiency (5 = cheapest, 1 = most expensive) |
|
|
21
|
+
|
|
22
|
+
## Model Tags
|
|
23
|
+
|
|
24
|
+
| Tag | Purpose |
|
|
25
|
+
|-----|---------|
|
|
26
|
+
| `vision` | Can process images |
|
|
27
|
+
| `reasoning` | Extended thinking / chain-of-thought |
|
|
28
|
+
| `tools` | Supports tool/function calling |
|
|
29
|
+
| `coding` | Optimized for code generation |
|
|
30
|
+
|
|
31
|
+
## Auto-Selection by Task
|
|
32
|
+
|
|
33
|
+
| Task Type | Recommended Tier | Example Models |
|
|
34
|
+
|-----------|-----------------|----------------|
|
|
35
|
+
| Architecture planning | Intelligence 5 | Opus, GPT-5, Gemini Pro |
|
|
36
|
+
| Complex code changes | Intelligence 4–5 | Sonnet, GPT-4, Codex |
|
|
37
|
+
| Quick edits / fixes | Speed 4+ | GPT-4-mini, Haiku |
|
|
38
|
+
| Inline autocomplete | Speed 5 | GPT-nano, Cerebras, Groq |
|
|
39
|
+
| Bulk code review | Cost 4+ | Flash, Groq, Cerebras |
|
|
40
|
+
| Security audit | Intelligence 5 + reasoning | Opus, Grok Reasoning |
|
|
41
|
+
| File exploration | Speed 4+ | GPT-4-mini, Flash |
|
|
42
|
+
| Test writing | Intelligence 3–4 | Sonnet, GPT-4-mini |
|
|
43
|
+
|
|
44
|
+
## Context Windows
|
|
45
|
+
|
|
46
|
+
| Tier | Context Window | Models |
|
|
47
|
+
|------|---------------|--------|
|
|
48
|
+
| Large | 1M+ tokens | GPT-5, Gemini Pro/Flash, xAI Grok |
|
|
49
|
+
| Standard | 200K tokens | Claude Opus/Sonnet/Haiku |
|
|
50
|
+
| Small | 128K tokens | GPT-4 variants, DeepSeek |
|
|
51
|
+
| Minimal | 32K tokens | Local GGUF models |
|
|
52
|
+
|
|
53
|
+
## Pricing Tiers
|
|
54
|
+
|
|
55
|
+
| Tier | Input ($/M tokens) | Output ($/M tokens) |
|
|
56
|
+
|------|-------------------|--------------------|
|
|
57
|
+
| Premium | $5–15 | $15–75 |
|
|
58
|
+
| Standard | $1–3 | $5–15 |
|
|
59
|
+
| Budget | $0.1–0.5 | $0.4–2.5 |
|
|
60
|
+
| Local | $0 | $0 |
|
|
61
|
+
|
|
62
|
+
## Model Selection API
|
|
63
|
+
|
|
64
|
+
```typescript
|
|
65
|
+
interface ModelInfo {
|
|
66
|
+
id: string;
|
|
67
|
+
label: string;
|
|
68
|
+
hint: string; // Short display name
|
|
69
|
+
description: string; // One-line description
|
|
70
|
+
capabilities: {
|
|
71
|
+
intelligence: 1|2|3|4|5;
|
|
72
|
+
speed: 1|2|3|4|5;
|
|
73
|
+
cost: 1|2|3|4|5;
|
|
74
|
+
};
|
|
75
|
+
tags?: ("vision"|"reasoning"|"tools"|"coding")[];
|
|
76
|
+
contextLimit: number; // Approximate context window
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
function selectModel(task: string): ModelInfo {
|
|
80
|
+
// Auto-select based on task complexity
|
|
81
|
+
}
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
## Provider Support
|
|
85
|
+
|
|
86
|
+
| Provider | Native SDK | Keyless |
|
|
87
|
+
|----------|-----------|---------|
|
|
88
|
+
| OpenAI | @ai-sdk/openai | No |
|
|
89
|
+
| Anthropic | @ai-sdk/anthropic | No |
|
|
90
|
+
| Google | @ai-sdk/google | No |
|
|
91
|
+
| xAI | @ai-sdk/xai | No |
|
|
92
|
+
| Groq | @ai-sdk/groq | No |
|
|
93
|
+
| Cerebras | @ai-sdk/cerebras | No |
|
|
94
|
+
| OpenRouter | @ai-sdk/openai-compatible | No |
|
|
95
|
+
| OpenAI-Compatible | @ai-sdk/openai-compatible | Yes |
|
|
96
|
+
| LM Studio | @ai-sdk/openai-compatible | Yes |
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# Operations Validator Skill
|
|
2
|
+
|
|
3
|
+
Validates production readiness. Checks tracing, cancellation, atomic writes.
|
|
4
|
+
|
|
5
|
+
## Context Files
|
|
6
|
+
|
|
7
|
+
- `.pi/context/checklists.md` — operations checklist
|
|
8
|
+
- `.pi/context/patterns.md` — implementation patterns
|
|
9
|
+
- `.pi/context/output-formats.md` — report format
|
|
10
|
+
|
|
11
|
+
## Automated Validation
|
|
12
|
+
|
|
13
|
+
Run `.pi/scripts/validate-operations.sh` for:
|
|
14
|
+
- Tracing on public functions
|
|
15
|
+
- CancellationToken/AbortController usage
|
|
16
|
+
- Atomic write pattern
|
|
17
|
+
- Blocking calls in async context
|
|
18
|
+
|
|
19
|
+
## Manual Validation (LLM)
|
|
20
|
+
|
|
21
|
+
Focus on:
|
|
22
|
+
1. **Business logic** reliability
|
|
23
|
+
2. **Complex cancellation** scenarios
|
|
24
|
+
3. **Error recovery** strategies
|
|
25
|
+
|
|
26
|
+
## Tools
|
|
27
|
+
|
|
28
|
+
- Grep: Find patterns
|
|
29
|
+
- Read: Review implementation
|
|
30
|
+
- Bash: Run validation scripts
|
|
31
|
+
|
|
32
|
+
## Output
|
|
33
|
+
|
|
34
|
+
Use `.pi/context/output-formats.md` → "Validation Report"
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-guards
|
|
3
|
+
description: Pre-execution path safety and command deny-list for AI tool calls. Blocks reads of sensitive files and writes to protected directories.
|
|
4
|
+
model: inherit
|
|
5
|
+
tools: [Read]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Security Guards
|
|
9
|
+
|
|
10
|
+
Defense-in-depth guards for AI tool execution. These are **pre-execution** checks — they run BEFORE the tool executes, not after.
|
|
11
|
+
|
|
12
|
+
## Path Safety: Read Blocklist
|
|
13
|
+
|
|
14
|
+
**Never allow reads** of files matching these patterns:
|
|
15
|
+
|
|
16
|
+
### Sensitive Basenames
|
|
17
|
+
- `.env*` (`.env`, `.env.local`, `.env.production`, etc.)
|
|
18
|
+
- `*.pem`, `*.key`, `*.p12`, `*.pfx` (private keys)
|
|
19
|
+
- `id_rsa*`, `id_dsa*`, `id_ecdsa*`, `id_ed25519*` (SSH keys)
|
|
20
|
+
- `known_hosts`, `authorized_keys`, `htpasswd`
|
|
21
|
+
- `.netrc`, `credentials`, `.pgpass`
|
|
22
|
+
- `.npmrc`, `.pypirc`
|
|
23
|
+
- `secrets.json`, `secrets.yaml`, `secrets.yml`, `secrets.toml`
|
|
24
|
+
|
|
25
|
+
### Protected Path Segments
|
|
26
|
+
- `/.ssh/`, `/.gnupg/`
|
|
27
|
+
- `/.aws/`, `/.azure/`, `/.kube/`
|
|
28
|
+
- `/.docker/`, `/.config/gh/`, `/.config/git/`
|
|
29
|
+
- `/.git/` (git internals)
|
|
30
|
+
|
|
31
|
+
## Path Safety: Write Blocklist
|
|
32
|
+
|
|
33
|
+
Writes inherit all read restrictions, **plus**:
|
|
34
|
+
|
|
35
|
+
### Forbidden System Prefixes
|
|
36
|
+
- `/etc/`, `/var/db/`, `/System/`
|
|
37
|
+
- `/Library/Keychains/`
|
|
38
|
+
- `/private/etc/`, `/private/var/db/`
|
|
39
|
+
|
|
40
|
+
## Shell Command Deny-list
|
|
41
|
+
|
|
42
|
+
**Hard-block** these shell commands even after user approval:
|
|
43
|
+
|
|
44
|
+
| Pattern | Reason |
|
|
45
|
+
|---------|--------|
|
|
46
|
+
| `rm -rf /` (and variants) | Recursive filesystem deletion |
|
|
47
|
+
| `--no-preserve-root` | Override root protection |
|
|
48
|
+
| `dd of=/dev/disk*`, `dd of=/dev/sd*`, `dd of=/dev/nvme*` | Raw disk overwrite |
|
|
49
|
+
| `mkfs*`, `fdisk`, `parted` | Disk formatting |
|
|
50
|
+
| `diskutil eraseDisk` | Mac disk erase |
|
|
51
|
+
| `curl\|sh`, `wget\|sh`, `curl\|bash` | Remote code execution |
|
|
52
|
+
| `sudo` | Privilege escalation |
|
|
53
|
+
| `terraform destroy` | Infrastructure teardown |
|
|
54
|
+
| `kubectl delete` | K8s resource deletion |
|
|
55
|
+
| `aws s3 rm --recursive` | Bulk cloud deletion |
|
|
56
|
+
| `shutdown`, `reboot`, `halt`, `poweroff` | System power operations |
|
|
57
|
+
|
|
58
|
+
## Read-Before-Edit Invariant
|
|
59
|
+
|
|
60
|
+
All file mutations (`edit`, `multi_edit`, `write_file`) **require** a prior `read_file` on the same path in the current session. This prevents:
|
|
61
|
+
- Blind overwrites of unknown files
|
|
62
|
+
- Stale edits on changed content
|
|
63
|
+
- Accidental data loss
|
|
64
|
+
|
|
65
|
+
## Implementation Note
|
|
66
|
+
|
|
67
|
+
These guards are implemented in:
|
|
68
|
+
- `.pi/extensions/bash-guard.ts` — runtime command blocking
|
|
69
|
+
- `.pi/scripts/validate-security.sh` — post-hoc validation
|
|
70
|
+
- `.pi/skills/agents/security-validator.md` — agent-level security review
|
|
71
|
+
|
|
72
|
+
Apply guards on **both** read and write paths. Do not bypass them.
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# Security Validator Skill
|
|
2
|
+
|
|
3
|
+
Validates security requirements. Checks OWASP Top 10, secrets, injection, path traversal.
|
|
4
|
+
|
|
5
|
+
## Context Files
|
|
6
|
+
|
|
7
|
+
- `.pi/context/checklists.md` — security checklist
|
|
8
|
+
- `.pi/context/output-formats.md` — report format
|
|
9
|
+
|
|
10
|
+
## Automated Checks
|
|
11
|
+
|
|
12
|
+
Run `.pi/scripts/validate-security.sh` for:
|
|
13
|
+
- Hardcoded secrets detection
|
|
14
|
+
- SQL/command injection patterns
|
|
15
|
+
- Path traversal vulnerabilities
|
|
16
|
+
- Unsafe deserialization
|
|
17
|
+
|
|
18
|
+
## Manual Checks (LLM)
|
|
19
|
+
|
|
20
|
+
Focus on:
|
|
21
|
+
1. **Logic errors** scripts can't detect
|
|
22
|
+
2. **Business logic vulnerabilities**
|
|
23
|
+
3. **Complex auth flows**
|
|
24
|
+
|
|
25
|
+
## OWASP Top 10 Focus
|
|
26
|
+
|
|
27
|
+
| ID | Issue | Check |
|
|
28
|
+
|----|-------|-------|
|
|
29
|
+
| A01 | Broken Access Control | Hardcoded credentials, auth checks |
|
|
30
|
+
| A03 | Injection | SQL, command, XSS, path traversal |
|
|
31
|
+
| A09 | Logging Failures | Sensitive data in logs |
|
|
32
|
+
|
|
33
|
+
## Tools
|
|
34
|
+
|
|
35
|
+
- Grep: Find patterns
|
|
36
|
+
- Read: Review code
|
|
37
|
+
- Bash: Run security scripts
|
|
38
|
+
|
|
39
|
+
## Output
|
|
40
|
+
|
|
41
|
+
Use `.pi/context/output-formats.md` → "Security Audit Report"
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: system-prompt-tiers
|
|
3
|
+
description: Tiered system prompt architecture. Uses full prompts for capable models and compressed prompts for fast/cheap models to optimize token usage.
|
|
4
|
+
model: inherit
|
|
5
|
+
tools: [Read]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# System Prompt Tiers
|
|
9
|
+
|
|
10
|
+
Different models have different capabilities, costs, and context needs. Use the right prompt tier for the right model to optimize both quality and token spend.
|
|
11
|
+
|
|
12
|
+
## Full Tier (Intelligence Score 4–5)
|
|
13
|
+
|
|
14
|
+
**For:** Claude Opus/Sonnet, GPT-4/5, Gemini Pro, Grok Reasoning
|
|
15
|
+
|
|
16
|
+
Complete system prompt with:
|
|
17
|
+
- Detailed environment description with `<env>` block format
|
|
18
|
+
- Operating principles (execute don't echo, chain actions, ask only when stuck)
|
|
19
|
+
- Full tool descriptions and budgets
|
|
20
|
+
- Editing rules (read-before-edit, exact string replacement)
|
|
21
|
+
- Path resolution rules
|
|
22
|
+
- Shell behavior (persistent sessions, background processes)
|
|
23
|
+
- Output style guidelines (terse, no filler)
|
|
24
|
+
|
|
25
|
+
## Lite Tier (Intelligence Score 1–3, Speed Score 4–5)
|
|
26
|
+
|
|
27
|
+
**For:** GPT-4o-mini, Claude Haiku, Gemini Flash, Cerebras, Groq fast models
|
|
28
|
+
|
|
29
|
+
Compressed system prompt (~40% of full size) with:
|
|
30
|
+
- Essential operating principles only
|
|
31
|
+
- Tool list without detailed descriptions
|
|
32
|
+
- Core editing rules (read-before-edit)
|
|
33
|
+
- Key path resolution rule
|
|
34
|
+
- Minimal output style guidance
|
|
35
|
+
|
|
36
|
+
## Auto-Selection Rules
|
|
37
|
+
|
|
38
|
+
| Model Type | Tier | Rationale |
|
|
39
|
+
|------------|------|-----------|
|
|
40
|
+
| Flagship / reasoning | Full | Benefits from detailed instructions |
|
|
41
|
+
| Balanced (Sonnet, GPT-4-mini) | Full | Handles context well, worth the tokens |
|
|
42
|
+
| Fast / cheap (Haiku, Flash, nano) | Lite | Token budget matters more than nuance |
|
|
43
|
+
| Ultra-fast (Cerebras, Groq LPU) | Lite | Sub-second responses need minimal prompt |
|
|
44
|
+
| Local / GGUF | Lite | Limited context, slower token throughput |
|
|
45
|
+
|
|
46
|
+
## Token Savings
|
|
47
|
+
|
|
48
|
+
| Model | Full Prompt | Lite Prompt | Savings |
|
|
49
|
+
|-------|------------|-------------|---------|
|
|
50
|
+
| GPT-4o-mini | ~1,200 tokens | ~450 tokens | ~750 tokens/turn |
|
|
51
|
+
| Claude Haiku | ~1,200 tokens | ~450 tokens | ~750 tokens/turn |
|
|
52
|
+
| Gemini Flash | ~1,200 tokens | ~450 tokens | ~750 tokens/turn |
|
|
53
|
+
|
|
54
|
+
At 20 turns per session, this saves **15,000 tokens** on fast models alone.
|
|
55
|
+
|
|
56
|
+
## Model Classification
|
|
57
|
+
|
|
58
|
+
```
|
|
59
|
+
Intelligence 5: Opus, GPT-5, Gemini Pro, Grok Reasoning, DeepSeek Pro
|
|
60
|
+
Intelligence 4: Sonnet, GPT-4, GPT-4-mini, Gemini Stable, Grok Fast
|
|
61
|
+
Intelligence 3: Haiku, GPT-nano, Flash, Cerebras, Groq, local GGUF
|
|
62
|
+
Intelligence 1-2: Tiny models, heavily quantized local models
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
## When to Override
|
|
66
|
+
|
|
67
|
+
- User explicitly requests a tier via `/prompt full` or `/prompt lite`
|
|
68
|
+
- Task complexity exceeds the current tier's capability (escalate to full)
|
|
69
|
+
- Token budget is critically low (downgrade to lite mid-session)
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
# Test Validator Skill
|
|
2
|
+
|
|
3
|
+
Validates test coverage and quality. Post-code only (automated).
|
|
4
|
+
|
|
5
|
+
## Context Files
|
|
6
|
+
|
|
7
|
+
- `.pi/context/checklists.md` — test checklist
|
|
8
|
+
- `.pi/context/output-formats.md` — report format
|
|
9
|
+
|
|
10
|
+
## Automated Validation
|
|
11
|
+
|
|
12
|
+
Run `.pi/scripts/validate-tests.sh` for:
|
|
13
|
+
- Unit tests execution
|
|
14
|
+
- Integration tests execution
|
|
15
|
+
- Coverage measurement
|
|
16
|
+
- Test failure analysis
|
|
17
|
+
|
|
18
|
+
## Manual Validation (LLM)
|
|
19
|
+
|
|
20
|
+
Focus on:
|
|
21
|
+
1. **Edge case coverage** — empty inputs, boundaries, errors
|
|
22
|
+
2. **Test quality** — specific assertions, deterministic
|
|
23
|
+
3. **Missing tests** for new functionality
|
|
24
|
+
|
|
25
|
+
## Tools
|
|
26
|
+
|
|
27
|
+
- Bash: Run tests
|
|
28
|
+
- Read: Review test code
|
|
29
|
+
- Glob: Find test files
|
|
30
|
+
|
|
31
|
+
## Output
|
|
32
|
+
|
|
33
|
+
Use `.pi/context/output-formats.md` → "Validation Report"
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared types for pi extensions.
|
|
3
|
+
*
|
|
4
|
+
* The pi coding agent (`@mariozechner/pi-coding-agent`) does not currently
|
|
5
|
+
* publish a formal TypeScript type definition for its extension context.
|
|
6
|
+
* These types mirror the runtime shape so template extensions can type-check
|
|
7
|
+
* without `any`.
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
export interface PiExtensionContext {
|
|
11
|
+
cwd: string;
|
|
12
|
+
hasUI: boolean;
|
|
13
|
+
ui: PiUI;
|
|
14
|
+
session: {
|
|
15
|
+
tools: Record<string, { execute: (...args: unknown[]) => unknown }>;
|
|
16
|
+
};
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
export interface PiUI {
|
|
20
|
+
notify(message: string, type: "info" | "success" | "warn" | "error" | "warning"): void;
|
|
21
|
+
confirm(title: string, message: string): Promise<boolean>;
|
|
22
|
+
input(title: string, placeholder?: string): Promise<string | null>;
|
|
23
|
+
select(title: string, options: string[]): Promise<string | null>;
|
|
24
|
+
setStatus(key: string, message: string | null): void;
|
|
25
|
+
setWidget(key: string, lines: string[]): void;
|
|
26
|
+
custom<T>(
|
|
27
|
+
render: (tui: PiTUI, theme: PiTheme, kb: unknown, done: (value: T) => void) => PiCustomRenderer,
|
|
28
|
+
options?: { overlay?: boolean },
|
|
29
|
+
): Promise<T | null>;
|
|
30
|
+
theme: PiTheme;
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
export interface PiTheme {
|
|
34
|
+
fg(color: string, text: string): string;
|
|
35
|
+
bold(text: string): string;
|
|
36
|
+
muted(text: string): string;
|
|
37
|
+
dim(text: string): string;
|
|
38
|
+
accent(text: string): string;
|
|
39
|
+
warning(text: string): string;
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
export interface PiTUI {
|
|
43
|
+
requestRender(): void;
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
export interface PiCustomRenderer {
|
|
47
|
+
render(w: unknown): void;
|
|
48
|
+
invalidate(): void;
|
|
49
|
+
handleInput(data: string): void;
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
export interface SelectItem {
|
|
53
|
+
value: string;
|
|
54
|
+
label: string;
|
|
55
|
+
description?: string;
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
/** Minimal retry options used across extensions. */
|
|
59
|
+
export interface RetryOptions {
|
|
60
|
+
maxAttempts?: number;
|
|
61
|
+
baseDelayMs?: number;
|
|
62
|
+
}
|
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
# Guardian TOML Validators
|
|
2
|
+
|
|
3
|
+
Declarative validation rules with inline tests. Inspired by RTK's TOML filter pipeline.
|
|
4
|
+
|
|
5
|
+
## Quick Start
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
# Run all validators
|
|
9
|
+
guardian validate
|
|
10
|
+
|
|
11
|
+
# Run a specific TOML validator
|
|
12
|
+
guardian validate --filter test-results
|
|
13
|
+
|
|
14
|
+
# Verify all inline tests pass
|
|
15
|
+
guardian validate --verify
|
|
16
|
+
|
|
17
|
+
# Run with verbose output
|
|
18
|
+
guardian validate --verbose
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
## Pipeline Stages
|
|
22
|
+
|
|
23
|
+
Each filter applies these stages in order:
|
|
24
|
+
|
|
25
|
+
1. **strip_ansi** — Remove ANSI escape codes
|
|
26
|
+
2. **replace** — Regex substitutions, line-by-line, chainable
|
|
27
|
+
3. **match_output** — Short-circuit: if blob matches, return message immediately
|
|
28
|
+
4. **strip/keep_lines** — Filter lines by regex
|
|
29
|
+
5. **truncate_lines_at** — Truncate each line to N chars
|
|
30
|
+
6. **head/tail_lines** — Keep first/last N lines
|
|
31
|
+
7. **max_lines** — Absolute line cap
|
|
32
|
+
8. **on_empty** — Message if result is empty
|
|
33
|
+
|
|
34
|
+
## File Location
|
|
35
|
+
|
|
36
|
+
Validators are loaded from:
|
|
37
|
+
|
|
38
|
+
1. `.pi/validators/*.toml` — project-local (trust-gated)
|
|
39
|
+
2. `~/.config/guardian/filters.toml` — user-global
|
|
40
|
+
3. Built-in — from Guardian templates
|
|
41
|
+
|
|
42
|
+
## Trust Model
|
|
43
|
+
|
|
44
|
+
Project-local validators require explicit trust:
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
# Review and trust
|
|
48
|
+
guardian trust .pi/validators/custom.toml
|
|
49
|
+
|
|
50
|
+
# Revoke trust
|
|
51
|
+
guardian untrust .pi/validators/custom.toml
|
|
52
|
+
|
|
53
|
+
# List trusted files
|
|
54
|
+
guardian trust --list
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
Or bypass for CI: `GUARDIAN_TRUST_OVERRIDE=1 guardian validate`
|
|
58
|
+
|
|
59
|
+
## Filter Schema
|
|
60
|
+
|
|
61
|
+
```toml
|
|
62
|
+
schema_version = 1
|
|
63
|
+
|
|
64
|
+
[filters.my-validator]
|
|
65
|
+
command = "build" # Command to match
|
|
66
|
+
description = "Filter build output" # Human-readable description
|
|
67
|
+
strip_ansi = true # Remove ANSI codes
|
|
68
|
+
replace = [ # Regex substitutions (stage 2)
|
|
69
|
+
{ pattern = "^noise$", replacement = "" }
|
|
70
|
+
]
|
|
71
|
+
match_output = [ # Short-circuit rules (stage 3)
|
|
72
|
+
{ pattern = "Build failed", message = "❌ Build failed" }
|
|
73
|
+
]
|
|
74
|
+
keep_lines_matching = ["error"] # Keep only error lines (stage 4)
|
|
75
|
+
truncate_lines_at = 120 # Max chars per line (stage 5)
|
|
76
|
+
head_lines = 10 # Keep first N lines (stage 6)
|
|
77
|
+
tail_lines = 5 # Keep last N lines (stage 6)
|
|
78
|
+
max_lines = 50 # Absolute cap (stage 7)
|
|
79
|
+
on_empty = "✅ All clean" # Empty result message (stage 8)
|
|
80
|
+
|
|
81
|
+
# Inline tests (self-verifying)
|
|
82
|
+
[[tests.my-validator]]
|
|
83
|
+
name = "strips noise"
|
|
84
|
+
input = "noise line\nerror: something\nmore noise"
|
|
85
|
+
expected = "error: something"
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
## Adding Custom Validators
|
|
89
|
+
|
|
90
|
+
1. Create `.pi/validators/custom.toml`
|
|
91
|
+
2. Define filters with `[[tests.*]]` blocks
|
|
92
|
+
3. Run `guardian validate --verify` to test
|
|
93
|
+
4. Run `guardian trust .pi/validators/custom.toml` to enable
|