my-pi 0.1.11 → 0.1.13

package/README.md

@@ -195,9 +195,29 @@ A practical sandbox command looks like:
 ```bash
 PI_CODING_AGENT_DIR=/work/pi-agent \
 ANTHROPIC_API_KEY=... \
-pnpx my-pi@latest --telemetry --json "run eval case"
+pnpx my-pi@latest --untrusted --telemetry --json "run eval case"
 ```
 
+### Untrusted repo safe mode
+
+Use `--untrusted` in unknown repositories, evals, or sandboxes. It
+keeps built-ins available but starts with conservative
+project-resource defaults:
+
+- skips project-local MCP config (`MY_PI_MCP_PROJECT_CONFIG=skip`)
+- skips Claude-style project hooks (`MY_PI_HOOKS_CONFIG=skip`)
+- uses global LSP binaries instead of project-local binaries
+  (`MY_PI_LSP_PROJECT_BINARY=global`)
+- skips project prompt presets (`MY_PI_PROMPT_PRESETS_PROJECT=skip`)
+- skips project-local `.pi/skills` and `.claude/skills`
+  (`MY_PI_PROJECT_SKILLS=skip`)
+- clears optional child-process env allowlists unless they were set
+  explicitly
+
+Set the listed environment variables to `allow` or `trust` where
+supported to re-enable one feature intentionally while staying in safe
+mode.
+
 ### Extension stacking
 
 ```bash
@@ -313,8 +333,28 @@ HTTP MCP servers are supported too:
 Use `"type": "http"` or `"type": "streamable-http"` for remote MCP
 servers. If `url` is present, my-pi treats the entry as HTTP.
 
-Project servers merge with global servers. If both define the same
-server name, the project config wins.
+Global MCP config is loaded automatically. Project-local `mcp.json` is
+untrusted by default; interactive sessions prompt before loading it
+and headless sessions skip it unless `MY_PI_MCP_PROJECT_CONFIG=allow`
+or `MY_PI_MCP_PROJECT_CONFIG=trust` is set. If both configs define the
+same server name, the trusted project config wins.
+
+### Hooks
+
+Claude-style hooks are discovered from `.claude/settings.json`,
+`.rulesync/hooks.json`, and `.pi/hooks.json`. Because hook commands
+run through `bash -lc`, project hook config is untrusted by default.
+Interactive sessions show the hook source files and commands before
+allowing execution; headless sessions skip hooks unless
+`MY_PI_HOOKS_CONFIG=allow` or `MY_PI_HOOKS_CONFIG=trust` is set.
+Trusted hook approvals are remembered per project directory and
+hook-config hash.
+
+Hook commands receive a restricted child-process environment by
+default: baseline shell variables plus `CLAUDE_PROJECT_DIR`. Use
+`MY_PI_HOOKS_ENV_ALLOWLIST=NAME,OTHER_NAME` or the shared
+`MY_PI_CHILD_ENV_ALLOWLIST` to pass selected ambient variables
+through.
 
 ### Commands
 

package/dist/{api-C7cSSbTg.js → api-Eq36fWnN.js}

@@ -1,6 +1,6 @@
 import { BorderedLoader, InteractiveMode as InteractiveMode$1, SessionManager, SettingsManager, convertToLlm, createAgentSessionFromServices, createAgentSessionRuntime, createAgentSessionServices, getAgentDir, runPrintMode as runPrintMode$1, serializeConversation } from "@mariozechner/pi-coding-agent";
 import { existsSync, mkdirSync, readFileSync, readdirSync, renameSync, statSync, unlinkSync, writeFileSync } from "node:fs";
-import { basename, dirname, join, resolve } from "node:path";
+import { basename, dirname, isAbsolute, join, relative, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import confirm_destructive_extension from "@spences10/pi-confirm-destructive";
 import lsp_extension from "@spences10/pi-lsp";
@@ -13,11 +13,81 @@ import skills_extension, { create_skills_manager } from "@spences10/pi-skills";
 import sqlite_tools_extension from "@spences10/pi-sqlite-tools";
 import { create_telemetry_extension } from "@spences10/pi-telemetry";
 import { spawn } from "node:child_process";
+import { createHash } from "node:crypto";
 import { homedir } from "node:os";
 import { Container, SettingsList, Text, truncateToWidth, visibleWidth } from "@mariozechner/pi-tui";
 import { complete } from "@mariozechner/pi-ai";
+//#region src/extensions/hooks-resolution/env.ts
+const BASE_CHILD_ENV_KEYS = new Set([
+	"CI",
+	"COLORTERM",
+	"FORCE_COLOR",
+	"HOME",
+	"LANG",
+	"LOGNAME",
+	"NO_COLOR",
+	"PATH",
+	"SHELL",
+	"TEMP",
+	"TERM",
+	"TMP",
+	"TMPDIR",
+	"USER"
+]);
+const EXTRA_ENV_ALLOWLIST_KEYS = ["MY_PI_CHILD_ENV_ALLOWLIST", "MY_PI_HOOKS_ENV_ALLOWLIST"];
+function create_child_process_env(explicit_env = {}, source_env = process.env) {
+	const env = {};
+	const allowed_keys = new Set(BASE_CHILD_ENV_KEYS);
+	for (const key of Object.keys(source_env)) if (key.startsWith("LC_")) allowed_keys.add(key);
+	for (const allowlist_key of EXTRA_ENV_ALLOWLIST_KEYS) for (const key of parse_env_allowlist(source_env[allowlist_key])) allowed_keys.add(key);
+	for (const key of allowed_keys) {
+		const value = source_env[key];
+		if (typeof value === "string") env[key] = value;
+	}
+	return {
+		...env,
+		...explicit_env
+	};
+}
+function parse_env_allowlist(value) {
+	if (!value) return [];
+	return value.split(",").map((key) => key.trim()).filter(Boolean);
+}
+//#endregion
+//#region src/extensions/hooks-resolution/trust.ts
+function default_hooks_trust_store_path() {
+	return join(homedir(), ".pi", "agent", "trusted-hooks.json");
+}
+function is_hooks_config_trusted(project_dir, hash, trust_store_path = default_hooks_trust_store_path()) {
+	return read_trusted_hooks(trust_store_path)[project_dir]?.hash === hash;
+}
+function trust_hooks_config(project_dir, hash, trust_store_path = default_hooks_trust_store_path()) {
+	const trusted_hooks = read_trusted_hooks(trust_store_path);
+	trusted_hooks[project_dir] = {
+		project_dir,
+		hash,
+		trusted_at: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	mkdirSync(dirname(trust_store_path), { recursive: true });
+	writeFileSync(trust_store_path, JSON.stringify(trusted_hooks, null, "	") + "\n", {
+		encoding: "utf8",
+		mode: 384
+	});
+}
+function read_trusted_hooks(trust_store_path) {
+	if (!existsSync(trust_store_path)) return {};
+	try {
+		const raw = readFileSync(trust_store_path, "utf-8");
+		const parsed = JSON.parse(raw);
+		return parsed && typeof parsed === "object" ? parsed : {};
+	} catch {
+		return {};
+	}
+}
+//#endregion
 //#region src/extensions/hooks-resolution/index.ts
 const HOOK_TIMEOUT_MS = 600 * 1e3;
+const HOOKS_CONFIG_ENV = "MY_PI_HOOKS_CONFIG";
 function is_file(path) {
 	try {
 		return statSync(path).isFile();
@@ -134,20 +204,47 @@ function parse_simple_hooks_file(config, source, project_dir) {
 	}
 	return hooks;
 }
+function hook_config_paths(project_dir) {
+	return [
+		join(project_dir, ".claude", "settings.json"),
+		join(project_dir, ".rulesync", "hooks.json"),
+		join(project_dir, ".pi", "hooks.json")
+	];
+}
+function parse_hooks_config_file(path, project_dir) {
+	const config = read_json_file(path);
+	if (config === void 0) return [];
+	if (path.endsWith(join(".claude", "settings.json"))) return parse_claude_settings_hooks(config, path, project_dir);
+	return parse_simple_hooks_file(config, path, project_dir);
+}
 function load_hooks(cwd) {
 	const project_dir = find_project_dir(cwd);
-	const hooks = [];
-	const claude_settings_path = join(project_dir, ".claude", "settings.json");
-	const rulesync_hooks_path = join(project_dir, ".rulesync", "hooks.json");
-	const pi_hooks_path = join(project_dir, ".pi", "hooks.json");
-	const claude_settings = read_json_file(claude_settings_path);
-	if (claude_settings !== void 0) hooks.push(...parse_claude_settings_hooks(claude_settings, claude_settings_path, project_dir));
-	const rulesync_hooks = read_json_file(rulesync_hooks_path);
-	if (rulesync_hooks !== void 0) hooks.push(...parse_simple_hooks_file(rulesync_hooks, rulesync_hooks_path, project_dir));
-	const pi_hooks = read_json_file(pi_hooks_path);
-	if (pi_hooks !== void 0) hooks.push(...parse_simple_hooks_file(pi_hooks, pi_hooks_path, project_dir));
 	return {
 		project_dir,
+		hooks: hook_config_paths(project_dir).flatMap((path) => parse_hooks_config_file(path, project_dir))
+	};
+}
+function get_hooks_config_info(cwd) {
+	const project_dir = find_project_dir(cwd);
+	const sources = hook_config_paths(project_dir).filter(is_file);
+	if (sources.length === 0) return void 0;
+	const hash = createHash("sha256");
+	for (const source of sources) {
+		hash.update(source);
+		hash.update("\0");
+		hash.update(readFileSync(source, "utf8"));
+		hash.update("\0");
+	}
+	const hooks = sources.flatMap((source) => parse_hooks_config_file(source, project_dir)).map((hook) => ({
+		event_name: hook.event_name,
+		matcher_text: hook.matcher_text,
+		command: hook.command,
+		source: hook.source
+	}));
+	return {
+		project_dir,
+		hash: hash.digest("hex"),
+		sources,
 		hooks
 	};
 }
@@ -216,10 +313,7 @@ async function run_command_hook(command, cwd, payload) {
 		const started_at = Date.now();
 		const child = spawn("bash", ["-lc", command], {
 			cwd,
-			env: {
-				...process.env,
-				CLAUDE_PROJECT_DIR: cwd
-			},
+			env: create_child_process_env({ CLAUDE_PROJECT_DIR: cwd }),
 			stdio: [
 				"pipe",
 				"pipe",
@@ -284,6 +378,66 @@ function hook_name(command) {
 	if (sh_path_match) return basename(sh_path_match[0]);
 	return basename(command.trim().split(/\s+/)[0] ?? "hook");
 }
+function normalize_hooks_config_decision(value) {
+	const normalized = value?.trim().toLowerCase();
+	if (!normalized) return void 0;
+	if ([
+		"1",
+		"true",
+		"yes",
+		"allow"
+	].includes(normalized)) return "allow";
+	if (normalized === "trust") return "trust";
+	if ([
+		"0",
+		"false",
+		"no",
+		"skip",
+		"disable"
+	].includes(normalized)) return "skip";
+}
+function format_hooks_config_prompt(info) {
+	const source_lines = info.sources.map((source) => `- ${source}`);
+	const hook_lines = info.hooks.length === 0 ? ["- no valid command hooks detected"] : info.hooks.map((hook) => {
+		const matcher = hook.matcher_text ? ` matcher=${hook.matcher_text}` : "";
+		return `- ${hook.event_name}${matcher}: ${hook.command}`;
+	});
+	return [
+		"Project hook config can execute shell commands after tool use. Trust these hooks?",
+		`Project: ${info.project_dir}`,
+		`SHA-256: ${info.hash}`,
+		"Sources:",
+		...source_lines,
+		"Commands:",
+		...hook_lines
+	].join("\n");
+}
+async function should_load_hooks_config(cwd, ctx) {
+	const info = get_hooks_config_info(cwd);
+	if (!info) return true;
+	if (is_hooks_config_trusted(info.project_dir, info.hash)) return true;
+	const env_decision = normalize_hooks_config_decision(process.env[HOOKS_CONFIG_ENV]);
+	if (env_decision === "trust") {
+		trust_hooks_config(info.project_dir, info.hash);
+		return true;
+	}
+	if (env_decision === "allow") return true;
+	if (env_decision === "skip") return false;
+	if (!ctx?.hasUI) {
+		console.warn(`Skipping untrusted hook config in ${info.project_dir}. Set ${HOOKS_CONFIG_ENV}=allow to enable hooks for this run.`);
+		return false;
+	}
+	const choice = await ctx.ui.select(format_hooks_config_prompt(info), [
+		"Allow once for this session",
+		"Trust this repo until hook config changes",
+		"Skip project hooks"
+	]);
+	if (choice === "Trust this repo until hook config changes") {
+		trust_hooks_config(info.project_dir, info.hash);
+		return true;
+	}
+	return choice === "Allow once for this session";
+}
 function create_hooks_resolution_extension(options = {}) {
 	const load_hooks_impl = options.load_hooks ?? load_hooks;
 	const run_command_hook_impl = options.run_command_hook ?? run_command_hook;
@@ -292,11 +446,18 @@ function create_hooks_resolution_extension(options = {}) {
 			project_dir: process.cwd(),
 			hooks: []
 		};
-		const refresh_hooks = (cwd) => {
+		const refresh_hooks = async (cwd, ctx) => {
+			if (!await should_load_hooks_config(cwd, ctx)) {
+				state = {
+					project_dir: cwd,
+					hooks: []
+				};
+				return;
+			}
 			state = load_hooks_impl(cwd);
 		};
-		pi.on("session_start", (_event, ctx) => {
-			refresh_hooks(ctx.cwd);
+		pi.on("session_start", async (_event, ctx) => {
+			await refresh_hooks(ctx.cwd, ctx);
 		});
 		pi.on("tool_result", async (event, ctx) => {
 			if (state.hooks.length === 0) return;
@@ -706,6 +867,7 @@ function create_extensions_extension(options = {}) {
 create_extensions_extension();
 //#endregion
 //#region src/extensions/prompt-presets/index.ts
+const PROJECT_PROMPT_PRESETS_ENV = "MY_PI_PROMPT_PRESETS_PROJECT";
 const PRESET_STATE_TYPE = "prompt-preset-state";
 const ENABLED = "[x]";
 const DISABLED = "[ ]";
@@ -891,8 +1053,18 @@ function save_project_prompt_preset_file(cwd, name, preset) {
 function save_global_prompt_preset_file(name, preset) {
 	return save_prompt_preset_file(get_global_presets_dir(), name, preset);
 }
+function should_load_project_prompt_presets() {
+	const normalized = process.env[PROJECT_PROMPT_PRESETS_ENV]?.trim().toLowerCase();
+	return ![
+		"0",
+		"false",
+		"no",
+		"skip",
+		"disable"
+	].includes(normalized ?? "");
+}
 function load_prompt_presets(cwd) {
-	return Object.assign({}, to_loaded_prompt_presets(DEFAULT_PROMPT_PRESETS, "builtin"), to_loaded_prompt_presets(read_prompt_presets_file(get_global_presets_path()), "user"), to_loaded_prompt_presets(read_prompt_presets_dir(get_global_presets_dir()), "user"), to_loaded_prompt_presets(read_prompt_presets_file(get_project_presets_path(cwd)), "project"), to_loaded_prompt_presets(read_prompt_presets_dir(get_project_presets_dir(cwd)), "project"));
+	return Object.assign({}, to_loaded_prompt_presets(DEFAULT_PROMPT_PRESETS, "builtin"), to_loaded_prompt_presets(read_prompt_presets_file(get_global_presets_path()), "user"), to_loaded_prompt_presets(read_prompt_presets_dir(get_global_presets_dir()), "user"), ...should_load_project_prompt_presets() ? [to_loaded_prompt_presets(read_prompt_presets_file(get_project_presets_path(cwd)), "project"), to_loaded_prompt_presets(read_prompt_presets_dir(get_project_presets_dir(cwd)), "project")] : []);
 }
 function sort_prompt_presets(presets) {
 	return Object.fromEntries(Object.entries(presets).sort(([a], [b]) => a.localeCompare(b)));
@@ -1843,6 +2015,44 @@ const BUILTIN_EXTENSION_FACTORIES = {
 };
 const PACKAGE_THEME_DIR = resolve(dirname(fileURLToPath(import.meta.url)), "..", "themes");
 const PI_AGENT_DIR_ENV = "PI_CODING_AGENT_DIR";
+const UNTRUSTED_REPO_ENV_DEFAULTS = {
+	MY_PI_MCP_PROJECT_CONFIG: "skip",
+	MY_PI_HOOKS_CONFIG: "skip",
+	MY_PI_LSP_PROJECT_BINARY: "global",
+	MY_PI_PROMPT_PRESETS_PROJECT: "skip",
+	MY_PI_PROJECT_SKILLS: "skip",
+	MY_PI_CHILD_ENV_ALLOWLIST: "",
+	MY_PI_MCP_ENV_ALLOWLIST: "",
+	MY_PI_HOOKS_ENV_ALLOWLIST: ""
+};
+function apply_untrusted_repo_defaults(env = process.env) {
+	const applied = [];
+	for (const [key, value] of Object.entries(UNTRUSTED_REPO_ENV_DEFAULTS)) {
+		if (env[key] !== void 0) continue;
+		env[key] = value;
+		applied.push(key);
+	}
+	return applied;
+}
+function is_resource_enabled(value) {
+	const normalized = value?.trim().toLowerCase();
+	if (!normalized) return true;
+	if ([
+		"0",
+		"false",
+		"no",
+		"skip",
+		"disable"
+	].includes(normalized)) return false;
+	return true;
+}
+function is_project_local_skill_path(cwd, file_path) {
+	if (!file_path) return false;
+	const relative_path = relative(cwd, resolve(cwd, file_path));
+	if (!relative_path || relative_path.startsWith("..") || isAbsolute(relative_path)) return false;
+	const parts = relative_path.split(/[\\/]+/);
+	return parts.some((part, index) => (part === ".pi" || part === ".claude") && parts[index + 1] === "skills");
+}
 function resolve_agent_dir(cwd, agent_dir) {
 	return agent_dir ? resolve(cwd, agent_dir) : getAgentDir();
 }
@@ -1883,7 +2093,8 @@ function create_extensions_override(managed_inline_paths) {
 	};
 }
 async function create_my_pi(options = {}) {
-	const { cwd = process.cwd(), agent_dir, extensions = [], extensionFactories: user_factories = [], runtime_mode = "interactive", mcp = true, skills = true, filter_output = true, recall = true, nopeek = true, omnisearch = true, sqlite_tools = true, prompt_presets = true, lsp = true, session_name = true, confirm_destructive = true, hooks_resolution = true, telemetry, telemetry_db_path, model, system_prompt, append_system_prompt } = options;
+	const { cwd = process.cwd(), agent_dir, extensions = [], extensionFactories: user_factories = [], runtime_mode = "interactive", mcp = true, skills = true, filter_output = true, recall = true, nopeek = true, omnisearch = true, sqlite_tools = true, prompt_presets = true, lsp = true, session_name = true, confirm_destructive = true, hooks_resolution = true, telemetry, telemetry_db_path, model, system_prompt, append_system_prompt, untrusted_repo = false } = options;
+	if (untrusted_repo) apply_untrusted_repo_defaults();
 	const effective_agent_dir = resolve_agent_dir(cwd, agent_dir);
 	if (agent_dir) process.env[PI_AGENT_DIR_ENV] = effective_agent_dir;
 	const resolved_extensions = extensions.map((p) => resolve(cwd, p));
@@ -1931,10 +2142,14 @@ async function create_my_pi(options = {}) {
 				extensionsOverride: create_extensions_override(managed_inline_paths),
 				skillsOverride: (base) => {
 					if (!is_builtin_extension_active(load_builtin_extensions_config(), "skills", force_disabled)) return base;
+					const include_project_skills = is_resource_enabled(process.env.MY_PI_PROJECT_SKILLS);
 					const skills_manager = create_skills_manager();
 					return {
 						...base,
-						skills: base.skills.filter((skill) => skills_manager.is_enabled_by_skill(skill.name, skill.filePath))
+						skills: base.skills.filter((skill) => {
+							if (!include_project_skills && is_project_local_skill_path(runtime_cwd, skill.filePath)) return false;
+							return skills_manager.is_enabled_by_skill(skill.name, skill.filePath);
+						})
 					};
 				}
 			}
@@ -1956,6 +2171,6 @@ async function create_my_pi(options = {}) {
 	});
 }
 //#endregion
-export { runPrintMode$1 as i, create_my_pi as n, get_force_disabled_builtins as r, InteractiveMode$1 as t };
+export { is_project_local_skill_path as a, get_force_disabled_builtins as i, apply_untrusted_repo_defaults as n, runPrintMode$1 as o, create_my_pi as r, InteractiveMode$1 as t };
 
-//# sourceMappingURL=api-C7cSSbTg.js.map
+//# sourceMappingURL=api-Eq36fWnN.js.map