npm - my-pi - Versions diffs - 0.0.11 → 0.0.13 - Mend

my-pi 0.0.11 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +1 -1
package/dist/{api-L4-Ei2xx.js → api-CWEizv2k.js} +2058 -2046
package/dist/api-CWEizv2k.js.map +1 -0
package/dist/api.js +1 -1
package/dist/index.js +1 -1
package/package.json +1 -1
package/src/extensions/filter-output.test.ts +133 -18
package/src/extensions/filter-output.ts +14 -6
package/src/extensions/{otel.test.ts → telemetry.test.ts} +1 -1
package/dist/api-L4-Ei2xx.js.map +0 -1
/package/src/extensions/{otel.ts → telemetry.ts} +0 -0

package/dist/api.js CHANGED Viewed

@@ -1,2 +1,2 @@
-import { n as create_my_pi, r as runPrintMode, t as InteractiveMode } from "./api-L4-Ei2xx.js";
+import { n as create_my_pi, r as runPrintMode, t as InteractiveMode } from "./api-CWEizv2k.js";
 export { InteractiveMode, create_my_pi, runPrintMode };

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { n as create_my_pi } from "./api-L4-Ei2xx.js";
+import { n as create_my_pi } from "./api-CWEizv2k.js";
 import { InteractiveMode, runPrintMode } from "@mariozechner/pi-coding-agent";
 import { defineCommand, runMain } from "citty";
 import { readFileSync } from "node:fs";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "my-pi",
-  "version": "0.0.11",
+  "version": "0.0.13",
   "description": "Composable pi coding agent with MCP, LSP, agent chains, prompt presets, and local eval telemetry",
   "keywords": [
     "cli",

package/src/extensions/filter-output.test.ts CHANGED Viewed

@@ -1,7 +1,5 @@
 import { describe, expect, it } from 'vitest';
-// Extract redact function for direct testing
-// (mirrors the logic in filter-output.ts)
 interface SecretPattern {
 	name: string;
 	pattern: RegExp;
@@ -9,10 +7,11 @@ interface SecretPattern {
 const SECRET_PATTERNS: SecretPattern[] = [
 	{ name: 'AWS Access Key', pattern: /AKIA[A-Z0-9]{16}/g },
+	{ name: 'AWS Temp Access Key', pattern: /ASIA[A-Z0-9]{16}/g },
 	{
 		name: 'AWS Secret Key',
 		pattern:
-			/(?:SecretAccessKey|aws_secret_access_key)\s*[:=]\s*[A-Za-z0-9/+=]{40}/g,
+			/\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key|secret_access_key|SecretAccessKey)\b\s*[:=]\s*["']?[A-Za-z0-9/+=]{40,}["']?/g,
 	},
 	{
 		name: 'Bearer Token',
@@ -30,18 +29,42 @@ const SECRET_PATTERNS: SecretPattern[] = [
 		name: 'Stripe Test Key',
 		pattern: /sk_test_[a-zA-Z0-9]{20,}/g,
 	},
+	{
+		name: 'Hetzner Token',
+		pattern:
+			/(?:HCLOUD_TOKEN|hcloud_token|token)\s*[:=]\s*["']?[a-f0-9]{64}\b/g,
+	},
 	{
 		name: 'Private Key',
-		pattern: /-----BEGIN\s+[\w\s]*PRIVATE\s+KEY-----/g,
+		pattern:
+			/-----BEGIN\s+[\w\s]*PRIVATE\s+KEY-----[\s\S]*?-----END\s+[\w\s]*PRIVATE\s+KEY-----/g,
 	},
 	{
 		name: 'Connection String with Password',
 		pattern: /:\/\/[^:]+:[^@]+@/g,
 	},
+	{
+		name: 'Generic Password Field',
+		pattern:
+			/\b[\w-]*(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']?[A-Za-z0-9._:/+=@!-]{8,}/gi,
+	},
+	{
+		name: 'Generic Secret Phrase',
+		pattern:
+			/\b(?:password|passwd|secret|token|api[_-]?key)\b(?:\s+(?:is|was|seen|value|header))?\s*[:=]?\s+[A-Za-z0-9._:/+=@!-]{8,}/gi,
+	},
 	{
 		name: 'Tavily API Key',
 		pattern: /tvly-[a-zA-Z0-9_-]{20,}/g,
 	},
+	{
+		name: 'Kagi API Key',
+		pattern: /[a-zA-Z0-9_-]{40,}\.[a-zA-Z0-9_-]{40,}/g,
+	},
+	{
+		name: 'Brave API Key',
+		pattern: /BSA[A-Z0-9]{20,}/g,
+	},
 	{
 		name: 'Firecrawl API Key',
 		pattern: /fc-[a-f0-9]{32}/g,
@@ -50,6 +73,10 @@ const SECRET_PATTERNS: SecretPattern[] = [
 		name: 'GitHub Token',
 		pattern: /gh[pousr]_[a-zA-Z0-9]{36,}/g,
 	},
+	{
+		name: 'GitHub Fine-grained PAT',
+		pattern: /github_pat_[a-zA-Z0-9_]{20,}/g,
+	},
 ];
 function redact(text: string): { redacted: string; count: number } {
@@ -70,16 +97,46 @@ function redact(text: string): { redacted: string; count: number } {
 describe('redact', () => {
 	it('redacts AWS access keys', () => {
-		const input = 'key: AKIAIOSFODNN7EXAMPLE';
+		const input = 'key: AKIA1234567890CANARY';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:AWS Access Key]');
-		expect(redacted).not.toContain('AKIAIOSFODNN7EXAMPLE');
+		expect(redacted).not.toContain('AKIA1234567890CANARY');
+	});
+	it('redacts AWS temp access keys', () => {
+		const input = 'key: ASIA1234567890CANARY';
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:AWS Temp Access Key]');
+		expect(redacted).not.toContain('ASIA1234567890CANARY');
+	});
+	it('redacts uppercase AWS secret env vars', () => {
+		const input =
+			'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG+bPxRfiCYCANARYKEY01';
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:AWS Secret Key]');
+		expect(redacted).not.toContain(
+			'wJalrXUtnFEMI/K7MDENG+bPxRfiCYCANARYKEY01',
+		);
+	});
+	it('redacts lower-case secret_access_key assignments', () => {
+		const input =
+			'secret_access_key = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYCANARYKEY01"';
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:AWS Secret Key]');
+		expect(redacted).not.toContain(
+			'wJalrXUtnFEMI/K7MDENG+bPxRfiCYCANARYKEY01',
+		);
 	});
 	it('redacts bearer tokens', () => {
 		const input =
-			'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123';
+			'Authorization: Bearer canaryBearerTokenValueAlphaNum1234567890ZZ';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:Bearer Token]');
@@ -87,10 +144,13 @@ describe('redact', () => {
 	it('redacts OpenAI/Anthropic API keys', () => {
 		const input =
-			'ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz';
+			'ANTHROPIC_API_KEY=sk-ant-api-key-example-123456789012345';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:OpenAI/Anthropic API Key]');
+		expect(redacted).not.toContain(
+			'[REDACTED:Generic Password Field]',
+		);
 	});
 	it('redacts Stripe live keys', () => {
@@ -100,15 +160,26 @@ describe('redact', () => {
 		expect(redacted).toContain('[REDACTED:Stripe Live Key]');
 	});
-	it('redacts private key headers', () => {
-		const input = '-----BEGIN RSA PRIVATE KEY-----';
+	it('redacts Hetzner tokens', () => {
+		const input = `HCLOUD_TOKEN=${'a'.repeat(64)}`;
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:Hetzner Token]');
+		expect(redacted).not.toContain('a'.repeat(64));
+	});
+	it('redacts full private key blocks', () => {
+		const input = `-----BEGIN PRIVATE KEY-----\nQ0FOQVJZX1BSSVZBVEVfS0VZX0JMT0NLX0xJTkVfMDAx\nQ0FOQVJZX1BSSVZBVEVfS0VZX0JMT0NLX0xJTkVfMDAy\n-----END PRIVATE KEY-----`;
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:Private Key]');
+		expect(redacted).not.toContain(
+			'Q0FOQVJZX1BSSVZBVEVfS0VZX0JMT0NLX0xJTkVfMDAx',
+		);
 	});
 	it('redacts connection strings with passwords', () => {
-		const input = 'postgres://user:s3cretP@ss@localhost:5432/db';
+		const input = 'postgres://user:supersecretpass@localhost:5432/db';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain(
@@ -116,34 +187,78 @@ describe('redact', () => {
 		);
 	});
-	it('redacts Tavily API keys', () => {
+	it('redacts prefixed generic secret fields', () => {
+		const input =
+			'OPAQUE_SECRET=cnyr_ZmFrZVNlY3JldFZhbHVlX1JlZGFjdGlvbl9TdWl0ZV8wMDE';
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:Generic Password Field]');
+		expect(redacted).not.toContain(
+			'cnyr_ZmFrZVNlY3JldFZhbHVlX1JlZGFjdGlvbl9TdWl0ZV8wMDE',
+		);
+	});
+	it('redacts freeform secret phrases in logs', () => {
 		const input =
-			'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';
+			'2026-04-19T09:00:02Z INFO opaque fallback secret cnyr_ZmFrZVNlY3JldFZhbHVlX1JlZGFjdGlvbl9TdWl0ZV8wMDE';
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:Generic Secret Phrase]');
+		expect(redacted).not.toContain(
+			'cnyr_ZmFrZVNlY3JldFZhbHVlX1JlZGFjdGlvbl9TdWl0ZV8wMDE',
+		);
+	});
+	it('redacts Tavily API keys', () => {
+		const input = 'tvly-canary-redaction-suite-000000000000000001';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:Tavily API Key]');
 	});
+	it('redacts Kagi API keys', () => {
+		const input = `${'a'.repeat(40)}.${'b'.repeat(40)}`;
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:Kagi API Key]');
+	});
+	it('redacts Brave API keys', () => {
+		const input = 'BSA' + 'A'.repeat(20);
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:Brave API Key]');
+	});
 	it('redacts Firecrawl API keys', () => {
-		const input = 'fc-e3011a33574e44c8aa539c24218cd659';
+		const input = 'fc-e3b0c44298fc1c149afbf4c8996fb924';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:Firecrawl API Key]');
 	});
 	it('redacts GitHub tokens', () => {
-		const input = 'ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn';
+		const input =
+			'ghp_CanaryRedactionSuite000000000000000000000001ABCD';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(1);
 		expect(redacted).toContain('[REDACTED:GitHub Token]');
 	});
+	it('redacts GitHub fine-grained PATs', () => {
+		const input = 'github_pat_' + 'A'.repeat(30);
+		const { redacted, count } = redact(input);
+		expect(count).toBe(1);
+		expect(redacted).toContain('[REDACTED:GitHub Fine-grained PAT]');
+	});
 	it('redacts multiple secrets in one string', () => {
 		const input =
-			'aws: AKIAIOSFODNN7EXAMPLE, token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.longtoken';
+			'aws: AKIA1234567890CANARY, SERVICE_PASSWORD=CanaryPassword-Redaction-001!';
 		const { redacted, count } = redact(input);
 		expect(count).toBe(2);
-		expect(redacted).not.toContain('AKIAIOSFODNN7EXAMPLE');
+		expect(redacted).not.toContain('AKIA1234567890CANARY');
+		expect(redacted).not.toContain('CanaryPassword-Redaction-001!');
 	});
 	it('leaves clean text unchanged', () => {
@@ -154,7 +269,7 @@ describe('redact', () => {
 	});
 	it('preserves prefix in redacted output', () => {
-		const input = 'AKIAIOSFODNN7EXAMPLE';
+		const input = 'AKIA1234567890CANARY';
 		const { redacted } = redact(input);
 		expect(redacted).toMatch(/^AKIA/);
 	});

package/src/extensions/filter-output.ts CHANGED Viewed

@@ -10,10 +10,11 @@ interface SecretPattern {
 const SECRET_PATTERNS: SecretPattern[] = [
 	{ name: 'AWS Access Key', pattern: /AKIA[A-Z0-9]{16}/g },
+	{ name: 'AWS Temp Access Key', pattern: /ASIA[A-Z0-9]{16}/g },
 	{
 		name: 'AWS Secret Key',
 		pattern:
-			/(?:SecretAccessKey|aws_secret_access_key)\s*[:=]\s*[A-Za-z0-9/+=]{40}/g,
+			/\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key|secret_access_key|SecretAccessKey)\b\s*[:=]\s*["']?[A-Za-z0-9/+=]{40,}["']?/g,
 	},
 	{
 		name: 'Bearer Token',
@@ -38,7 +39,8 @@ const SECRET_PATTERNS: SecretPattern[] = [
 	},
 	{
 		name: 'Private Key',
-		pattern: /-----BEGIN\s+[\w\s]*PRIVATE\s+KEY-----/g,
+		pattern:
+			/-----BEGIN\s+[\w\s]*PRIVATE\s+KEY-----[\s\S]*?-----END\s+[\w\s]*PRIVATE\s+KEY-----/g,
 	},
 	{
 		name: 'Connection String with Password',
@@ -47,7 +49,12 @@ const SECRET_PATTERNS: SecretPattern[] = [
 	{
 		name: 'Generic Password Field',
 		pattern:
-			/(?:password|passwd|secret|token)\s*[:=]\s*["']?[^\s"']{8,}/gi,
+			/\b[\w-]*(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']?[A-Za-z0-9._:/+=@!-]{8,}/gi,
+	},
+	{
+		name: 'Generic Secret Phrase',
+		pattern:
+			/\b(?:password|passwd|secret|token|api[_-]?key)\b(?:\s+(?:is|was|seen|value|header))?\s*[:=]?\s+[A-Za-z0-9._:/+=@!-]{8,}/gi,
 	},
 	{
 		name: 'Tavily API Key',
@@ -69,6 +76,10 @@ const SECRET_PATTERNS: SecretPattern[] = [
 		name: 'GitHub Token',
 		pattern: /gh[pousr]_[a-zA-Z0-9]{36,}/g,
 	},
+	{
+		name: 'GitHub Fine-grained PAT',
+		pattern: /github_pat_[a-zA-Z0-9_]{20,}/g,
+	},
 ];
 function redact(text: string): { redacted: string; count: number } {
@@ -76,7 +87,6 @@ function redact(text: string): { redacted: string; count: number } {
 	let result = text;
 	for (const sp of SECRET_PATTERNS) {
-		// Reset lastIndex for global regexes
 		sp.pattern.lastIndex = 0;
 		result = result.replace(sp.pattern, (match) => {
 			count++;
@@ -88,11 +98,9 @@ function redact(text: string): { redacted: string; count: number } {
 	return { redacted: result, count };
 }
-// Default export for Pi Package / additionalExtensionPaths loading
 export default async function filter_output(pi: ExtensionAPI) {
 	let totalRedacted = 0;
-	// Intercept tool results to redact secrets before the LLM sees them
 	pi.on('tool_result' as const, async (event: any) => {
 		if (!event.content) return;

package/src/extensions/{otel.test.ts → telemetry.test.ts} RENAMED Viewed

@@ -5,7 +5,7 @@ import {
 	format_telemetry_status,
 	infer_run_outcome,
 	parse_telemetry_command,
-} from './otel.js';
+} from './telemetry.js';
 describe('format_telemetry_status', () => {
 	it('includes saved state, effective state, override, and db path', () => {