pi-enclave 0.0.1

package/dist/index.js

@@ -0,0 +1,1136 @@
+// src/index.ts
+import { createBashTool, createEditTool, createReadTool, createWriteTool } from "@mariozechner/pi-coding-agent";
+
+// src/config.ts
+import { cpSync, existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { fileURLToPath } from "url";
+import { parse as parseTOML } from "smol-toml";
+import * as v from "valibot";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+function templatePath(...segments) {
+  return join(__dirname, "..", "templates", ...segments);
+}
+var SecretDef = v.union([
+  // Disable a secret inherited from a parent config
+  v.literal(false),
+  // Command source: run a host command, use stdout as value
+  v.object({
+    command: v.string(),
+    hosts: v.array(v.string())
+  }),
+  // Env source: read from a host environment variable
+  v.object({
+    env: v.string(),
+    hosts: v.array(v.string())
+  })
+]);
+var EnvDef = v.union([
+  // Static value
+  v.string(),
+  // From a host command
+  v.object({ command: v.string() }),
+  // From a host environment variable
+  v.object({ env: v.string() })
+]);
+var UnmatchedPolicy = v.picklist(["prompt", "deny", "allow"]);
+var GraphQLPolicy = v.object({
+  endpoint: v.string(),
+  allow: v.object({
+    query: v.optional(v.array(v.string()), []),
+    mutation: v.optional(v.array(v.string()), [])
+  }),
+  unmatched: v.optional(UnmatchedPolicy)
+});
+var HostAllow = v.record(v.string(), v.array(v.string()));
+var HostDef = v.object({
+  /** Which secret to inject for requests to this host (references a key in [secrets]) */
+  secret: v.optional(v.string()),
+  /** Allowed HTTP method + path patterns */
+  allow: v.optional(HostAllow, {}),
+  /** Paths that are always denied (overrides allow) */
+  deny: v.optional(v.array(v.string()), []),
+  /** What happens for requests that don't match allow or deny */
+  unmatched: v.optional(UnmatchedPolicy, "allow"),
+  /** GraphQL-specific policy for a specific endpoint */
+  graphql: v.optional(GraphQLPolicy)
+});
+var MountDef = v.object({
+  path: v.string(),
+  readonly: v.optional(v.boolean(), false)
+});
+var GitCredentialDef = v.object({
+  host: v.string(),
+  username: v.string(),
+  secret: v.string()
+});
+var EnclaveFileConfig = v.object({
+  root: v.optional(v.boolean(), false),
+  enabled: v.optional(v.boolean()),
+  packages: v.optional(v.array(v.string())),
+  mounts: v.optional(v.array(MountDef), []),
+  env: v.optional(v.record(v.string(), EnvDef), {}),
+  secrets: v.optional(v.record(v.string(), SecretDef), {}),
+  "git-credentials": v.optional(v.array(GitCredentialDef), []),
+  hosts: v.optional(v.record(v.string(), HostDef), {}),
+  setup: v.optional(v.string())
+});
+var DEFAULT_PACKAGES = ["git", "curl", "jq"];
+function readTomlFile(path2) {
+  let raw;
+  try {
+    raw = readFileSync(path2, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") return void 0;
+    throw new Error(`pi-enclave: failed to read config at ${path2}: ${err.message}`);
+  }
+  let parsed;
+  try {
+    parsed = parseTOML(raw);
+  } catch (err) {
+    throw new Error(`pi-enclave: invalid TOML at ${path2}: ${err.message}`);
+  }
+  try {
+    return v.parse(EnclaveFileConfig, parsed);
+  } catch (err) {
+    throw new Error(`pi-enclave: invalid config at ${path2}: ${err.message}`);
+  }
+}
+function collectConfigFiles(cwd) {
+  const layers = [];
+  const globalPath = globalConfigPath();
+  const globalConfig = readTomlFile(globalPath);
+  if (globalConfig) {
+    layers.push({ path: globalPath, config: globalConfig });
+  }
+  const dropInDir = globalDropInDir();
+  if (existsSync(dropInDir)) {
+    const files = readdirSync(dropInDir).filter((f) => f.endsWith(".toml")).sort();
+    for (const file of files) {
+      const filePath = join(dropInDir, file);
+      const config = readTomlFile(filePath);
+      if (config) {
+        layers.push({ path: filePath, config });
+      }
+    }
+  }
+  const ancestors = [];
+  let dir = resolve(cwd);
+  const seen = /* @__PURE__ */ new Set();
+  while (!seen.has(dir)) {
+    seen.add(dir);
+    const configPath = join(dir, ".pi", "enclave.toml");
+    const config = readTomlFile(configPath);
+    if (config) {
+      ancestors.push({ path: configPath, config });
+      if (config.root) break;
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  ancestors.reverse();
+  layers.push(...ancestors);
+  return layers;
+}
+function mergeConfigs(layers) {
+  const merged = {
+    root: false,
+    enabled: void 0,
+    packages: [],
+    mounts: [],
+    env: {},
+    secrets: {},
+    "git-credentials": [],
+    hosts: {}
+  };
+  const mountsByPath = /* @__PURE__ */ new Map();
+  const gitCredsByHost = /* @__PURE__ */ new Map();
+  const setupScripts = [];
+  for (const layer of layers) {
+    if (layer.enabled !== void 0) {
+      merged.enabled = layer.enabled;
+    }
+    if (layer.packages) {
+      for (const pkg of layer.packages) {
+        if (!merged.packages.includes(pkg)) {
+          merged.packages.push(pkg);
+        }
+      }
+    }
+    if (layer.mounts) {
+      for (const mount of layer.mounts) {
+        mountsByPath.set(mount.path, mount);
+      }
+    }
+    if (layer.env) {
+      for (const [key, val] of Object.entries(layer.env)) {
+        merged.env[key] = val;
+      }
+    }
+    if (layer.secrets) {
+      for (const [key, val] of Object.entries(layer.secrets)) {
+        merged.secrets[key] = val;
+      }
+    }
+    if (layer["git-credentials"]) {
+      for (const cred of layer["git-credentials"]) {
+        gitCredsByHost.set(cred.host, cred);
+      }
+    }
+    if (layer.hosts) {
+      for (const [key, val] of Object.entries(layer.hosts)) {
+        merged.hosts[key] = val;
+      }
+    }
+    if (layer.setup) {
+      setupScripts.push(layer.setup);
+    }
+  }
+  merged.mounts = [...mountsByPath.values()];
+  merged["git-credentials"] = [...gitCredsByHost.values()];
+  if (setupScripts.length > 0) {
+    merged.setup = setupScripts.join("\n");
+  }
+  return merged;
+}
+function resolveHostPolicies(config) {
+  const result = /* @__PURE__ */ new Map();
+  for (const [hostname, hostDef] of Object.entries(config.hosts ?? {})) {
+    const allows = /* @__PURE__ */ new Map();
+    for (const [method, patterns] of Object.entries(hostDef.allow ?? {})) {
+      allows.set(method.toUpperCase(), patterns);
+    }
+    const hostUnmatched = hostDef.unmatched ?? "allow";
+    let graphql;
+    if (hostDef.graphql) {
+      graphql = {
+        endpoint: hostDef.graphql.endpoint,
+        allow: {
+          query: hostDef.graphql.allow.query ?? [],
+          mutation: hostDef.graphql.allow.mutation ?? []
+        },
+        // GraphQL inherits host unmatched if not set
+        unmatched: hostDef.graphql.unmatched ?? hostUnmatched
+      };
+    }
+    result.set(hostname, {
+      hostname,
+      allows,
+      deny: hostDef.deny ?? [],
+      unmatched: hostUnmatched,
+      graphql
+    });
+  }
+  return result;
+}
+function loadConfig(cwd) {
+  const layers = collectConfigFiles(cwd);
+  const merged = mergeConfigs(layers.map((l) => l.config));
+  const policies = resolveHostPolicies(merged);
+  const projectPath = join(cwd, ".pi", "enclave.toml");
+  const hasProjectConfig = existsSync(projectPath);
+  if (merged.mounts) {
+    const home = process.env.HOME ?? process.env.USERPROFILE ?? "";
+    merged.mounts = merged.mounts.map((m) => ({
+      ...m,
+      path: m.path.startsWith("~/") ? join(home, m.path.slice(2)) : m.path === "~" ? home : m.path
+    }));
+  }
+  return { merged, policies, hasProjectConfig };
+}
+function globalConfigPath() {
+  return join(process.env.HOME ?? process.env.USERPROFILE ?? "~", ".pi", "agent", "extensions", "pi-enclave.toml");
+}
+function globalDropInDir() {
+  return join(process.env.HOME ?? process.env.USERPROFILE ?? "~", ".pi", "agent", "extensions", "pi-enclave.d");
+}
+function projectConfigPath(cwd) {
+  return join(cwd, ".pi", "enclave.toml");
+}
+function tildify(p) {
+  const home = process.env.HOME ?? process.env.USERPROFILE;
+  if (!home) return p;
+  if (p === home) return "~";
+  if (p.startsWith(`${home}/`)) return `~${p.slice(home.length)}`;
+  return p;
+}
+function ensureGlobalConfig() {
+  const created = [];
+  const configPath = globalConfigPath();
+  if (!existsSync(configPath)) {
+    mkdirSync(dirname(configPath), { recursive: true });
+    cpSync(templatePath("pi-enclave.toml"), configPath);
+    created.push(configPath);
+  }
+  const dropInDir = globalDropInDir();
+  mkdirSync(dropInDir, { recursive: true });
+  const templateDropInDir = templatePath("pi-enclave.d");
+  for (const file of readdirSync(templateDropInDir).filter((f) => f.endsWith(".toml"))) {
+    const dest = join(dropInDir, file);
+    if (!existsSync(dest)) {
+      cpSync(join(templateDropInDir, file), dest);
+      created.push(dest);
+    }
+  }
+  return created;
+}
+function initProjectConfig(cwd) {
+  const configPath = projectConfigPath(cwd);
+  if (existsSync(configPath)) return false;
+  const dir = dirname(configPath);
+  mkdirSync(dir, { recursive: true });
+  cpSync(templatePath("project.toml"), configPath);
+  return true;
+}
+function addPackageToConfig(cwd, pkg, target) {
+  const configPath = target === "global" ? globalConfigPath() : projectConfigPath(cwd);
+  let existing = {};
+  try {
+    const content = readFileSync(configPath, "utf-8");
+    const parsed = parseTOML(content);
+    const result = v.safeParse(EnclaveFileConfig, parsed);
+    if (result.success) existing = result.output;
+  } catch {
+  }
+  const packages = existing.packages ?? [...DEFAULT_PACKAGES];
+  if (!packages.includes(pkg)) {
+    packages.push(pkg);
+  }
+  const dir = dirname(configPath);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const packagesLine = `packages = [${packages.map((p) => `"${p}"`).join(", ")}]`;
+  if (existsSync(configPath)) {
+    const raw = readFileSync(configPath, "utf-8");
+    if (raw.match(/^packages\s*=/m)) {
+      writeFileSync(configPath, raw.replace(/^packages\s*=.*$/m, packagesLine), "utf-8");
+    } else {
+      writeFileSync(configPath, `${packagesLine}
+${raw}`, "utf-8");
+    }
+  } else {
+    writeFileSync(configPath, `${packagesLine}
+`, "utf-8");
+  }
+}
+
+// src/secrets.ts
+import { execSync } from "child_process";
+function commandExists(cmd) {
+  try {
+    execSync(`which ${cmd}`, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function runCommand(command) {
+  try {
+    const result = execSync(command, {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"],
+      timeout: 1e4
+    });
+    const trimmed = result.trim();
+    return trimmed || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function resolveSource(name, source) {
+  if (source === false) return void 0;
+  if ("command" in source) {
+    const binary = source.command.split(/\s+/)[0];
+    if (binary && !commandExists(binary)) return void 0;
+    const value = runCommand(source.command);
+    if (!value) return void 0;
+    return { name, value, hosts: source.hosts };
+  }
+  if ("env" in source) {
+    const value = process.env[source.env];
+    if (!value) return void 0;
+    return { name, value, hosts: source.hosts };
+  }
+  return void 0;
+}
+function resolveSecrets(configSecrets = {}) {
+  const resolved = [];
+  for (const [name, source] of Object.entries(configSecrets)) {
+    const secret = resolveSource(name, source);
+    if (secret) resolved.push(secret);
+  }
+  return resolved;
+}
+function resolveEnv(configEnv = {}) {
+  const resolved = {};
+  for (const [name, def] of Object.entries(configEnv)) {
+    if (typeof def === "string") {
+      resolved[name] = def;
+      continue;
+    }
+    if ("command" in def) {
+      const binary = def.command.split(/\s+/)[0];
+      if (binary && !commandExists(binary)) continue;
+      const value = runCommand(def.command);
+      if (value) resolved[name] = value;
+      continue;
+    }
+    if ("env" in def) {
+      const value = process.env[def.env];
+      if (value) resolved[name] = value;
+    }
+  }
+  return resolved;
+}
+
+// src/tools.ts
+import path from "path";
+function shQuote(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function createVmReadOps(vm) {
+  return {
+    readFile: async (p) => {
+      const r = await vm.exec(["/bin/cat", p]);
+      if (!r.ok) throw new Error(`cat failed (${r.exitCode}): ${r.stderr}`);
+      return r.stdoutBuffer;
+    },
+    access: async (p) => {
+      const r = await vm.exec(["/bin/sh", "-lc", `test -r ${shQuote(p)}`]);
+      if (!r.ok) throw new Error(`not readable: ${p}`);
+    },
+    detectImageMimeType: async (p) => {
+      try {
+        const r = await vm.exec(["/bin/sh", "-lc", `file --mime-type -b ${shQuote(p)}`]);
+        if (!r.ok) return null;
+        const m = r.stdout.trim();
+        return ["image/jpeg", "image/png", "image/gif", "image/webp"].includes(m) ? m : null;
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+function createVmWriteOps(vm) {
+  return {
+    writeFile: async (p, content) => {
+      const dir = path.posix.dirname(p);
+      const b64 = Buffer.from(content, "utf8").toString("base64");
+      const script = ["set -eu", `mkdir -p ${shQuote(dir)}`, `echo ${shQuote(b64)} | base64 -d > ${shQuote(p)}`].join(
+        "\n"
+      );
+      const r = await vm.exec(["/bin/sh", "-lc", script]);
+      if (!r.ok) throw new Error(`write failed (${r.exitCode}): ${r.stderr}`);
+    },
+    mkdir: async (dir) => {
+      const r = await vm.exec(["/bin/mkdir", "-p", dir]);
+      if (!r.ok) throw new Error(`mkdir failed (${r.exitCode}): ${r.stderr}`);
+    }
+  };
+}
+function createVmEditOps(vm) {
+  const r = createVmReadOps(vm);
+  const w = createVmWriteOps(vm);
+  return { readFile: r.readFile, access: r.access, writeFile: w.writeFile };
+}
+var ENV_PASSTHROUGH = /* @__PURE__ */ new Set(["TERM", "LANG", "LC_ALL", "LC_CTYPE", "TZ", "EDITOR", "VISUAL", "PAGER"]);
+function sanitizeEnv(env) {
+  if (!env) return void 0;
+  const out = {};
+  for (const [k, v2] of Object.entries(env)) {
+    if (typeof v2 === "string" && ENV_PASSTHROUGH.has(k)) out[k] = v2;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+function createVmBashOps(vm) {
+  return {
+    exec: async (command, cwd, { onData, signal, timeout, env }) => {
+      const ac = new AbortController();
+      const onAbort = () => ac.abort();
+      signal?.addEventListener("abort", onAbort, { once: true });
+      let timedOut = false;
+      const timer = timeout && timeout > 0 ? setTimeout(() => {
+        timedOut = true;
+        ac.abort();
+      }, timeout * 1e3) : void 0;
+      try {
+        const proc = vm.exec(["/bin/sh", "-lc", command], {
+          cwd,
+          signal: ac.signal,
+          env: sanitizeEnv(env),
+          stdout: "pipe",
+          stderr: "pipe"
+        });
+        for await (const chunk of proc.output()) {
+          onData(chunk.data);
+        }
+        const r = await proc;
+        return { exitCode: r.exitCode };
+      } catch (err) {
+        if (signal?.aborted) throw new Error("aborted");
+        if (timedOut) throw new Error(`timeout:${timeout}`);
+        throw err;
+      } finally {
+        if (timer) clearTimeout(timer);
+        signal?.removeEventListener("abort", onAbort);
+      }
+    }
+  };
+}
+
+// src/vm.ts
+import { execSync as execSync2 } from "child_process";
+import {
+  RealFSProvider,
+  ShadowProvider,
+  VM,
+  createHttpHooks,
+  createShadowPathPredicate
+} from "@earendil-works/gondolin";
+
+// src/graphql.ts
+import { parse as parse2 } from "graphql";
+function parseGraphQLBody(body) {
+  let json;
+  try {
+    json = JSON.parse(body);
+  } catch {
+    return void 0;
+  }
+  const query = json.query;
+  if (typeof query !== "string") return void 0;
+  let doc;
+  try {
+    doc = parse2(query);
+  } catch {
+    return void 0;
+  }
+  const operations = [];
+  for (const def of doc.definitions) {
+    if (def.kind !== "OperationDefinition") continue;
+    const opDef = def;
+    const fields = [];
+    for (const sel of opDef.selectionSet.selections) {
+      if (sel.kind === "Field") {
+        fields.push(sel.name.value);
+      }
+    }
+    operations.push({
+      type: opDef.operation,
+      name: opDef.name?.value,
+      fields
+    });
+  }
+  return operations;
+}
+function checkGraphQLPolicy(operations, allow) {
+  const denied = [];
+  const deniedFields = [];
+  for (const op of operations) {
+    const patterns = op.type === "query" ? allow.query : op.type === "mutation" ? allow.mutation : void 0;
+    if (!patterns || patterns.length === 0) {
+      denied.push(op);
+      deniedFields.push(...op.fields);
+      continue;
+    }
+    const unmatchedFields = op.fields.filter((field) => !patterns.some((p) => globMatch(p, field)));
+    if (unmatchedFields.length > 0) {
+      denied.push(op);
+      deniedFields.push(...unmatchedFields);
+    }
+  }
+  if (denied.length === 0) return { allowed: true };
+  return { allowed: false, denied, deniedFields };
+}
+function globMatch(pattern, value) {
+  if (pattern === "*") return true;
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i").test(value);
+}
+
+// src/policy.ts
+function matchPath(pattern, path2) {
+  const normPattern = pattern.startsWith("/") ? pattern : `/${pattern}`;
+  const normPath = path2.startsWith("/") ? path2 : `/${path2}`;
+  const patternParts = normPattern.split("/").filter(Boolean);
+  const pathParts = normPath.split("/").filter(Boolean);
+  let pi = 0;
+  let pp = 0;
+  while (pi < patternParts.length && pp < pathParts.length) {
+    const pat = patternParts[pi];
+    if (pat === "**") {
+      return true;
+    }
+    if (pat === "*") {
+      pi++;
+      pp++;
+      continue;
+    }
+    if (pat !== pathParts[pp]) {
+      return false;
+    }
+    pi++;
+    pp++;
+  }
+  if (pi < patternParts.length && patternParts[pi] === "**") {
+    return true;
+  }
+  return pi === patternParts.length && pp === pathParts.length;
+}
+function checkPolicy(policy, method, path2) {
+  const upperMethod = method.toUpperCase();
+  for (const pattern of policy.deny) {
+    if (matchPath(pattern, path2)) {
+      return "deny";
+    }
+  }
+  const allowedPatterns = policy.allows.get(upperMethod);
+  if (allowedPatterns) {
+    for (const pattern of allowedPatterns) {
+      if (matchPath(pattern, path2)) {
+        return "allow";
+      }
+    }
+  }
+  return policy.unmatched;
+}
+function evaluateRequest(policies, hostname, method, path2) {
+  const policy = policies.get(hostname);
+  if (!policy) return "allow";
+  return checkPolicy(policy, method, path2);
+}
+
+// src/vm.ts
+var EnclaveVM = class {
+  vm;
+  closed = false;
+  options;
+  /** Access the underlying Gondolin VM for creating tool operations. */
+  get rawVm() {
+    if (!this.vm) throw new Error("pi-enclave: VM not started");
+    return this.vm;
+  }
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Start the VM. Call once before exec().
+   */
+  async start() {
+    if (this.vm) return;
+    if (this.closed) throw new Error("pi-enclave: VM has been closed");
+    const { workspaceDir, secrets, allowedHosts, policies, onPolicyPrompt } = this.options;
+    this.options.onStatus?.("Starting VM...");
+    const secretDefs = {};
+    for (const secret of secrets) {
+      secretDefs[secret.name] = {
+        hosts: secret.hosts,
+        value: secret.value
+      };
+    }
+    const hookOptions = {
+      secrets: secretDefs,
+      blockInternalRanges: true
+    };
+    const secretHosts = secrets.flatMap((s) => s.hosts);
+    const needsAllowlist = allowedHosts || secretHosts.length > 0;
+    if (needsAllowlist) {
+      hookOptions.allowedHosts = [...allowedHosts ?? [], "dl-cdn.alpinelinux.org", ...secretHosts];
+    }
+    if (policies.size > 0) {
+      hookOptions.isRequestAllowed = async (request) => {
+        const url = new URL(request.url);
+        const hostPolicy = policies.get(url.hostname);
+        if (hostPolicy?.graphql && request.method === "POST" && url.pathname === hostPolicy.graphql.endpoint) {
+          return true;
+        }
+        const decision = evaluateRequest(policies, url.hostname, request.method, url.pathname);
+        if (decision === "allow") return true;
+        if (decision === "deny") return false;
+        if (decision === "prompt" && onPolicyPrompt) {
+          return onPolicyPrompt(request.method, request.url, url.hostname);
+        }
+        return false;
+      };
+    }
+    hookOptions.onRequest = async (request) => {
+      if (request.method !== "POST") return;
+      const url = new URL(request.url);
+      const hostPolicy = policies.get(url.hostname);
+      if (!hostPolicy?.graphql || url.pathname !== hostPolicy.graphql.endpoint) return;
+      const gqlPolicy = hostPolicy.graphql;
+      let bodyText;
+      try {
+        const cloned = request.clone();
+        bodyText = await cloned.text();
+      } catch {
+        return;
+      }
+      const operations = parseGraphQLBody(bodyText);
+      if (!operations) {
+        if (gqlPolicy.unmatched === "allow") return;
+        return new Response(
+          JSON.stringify({ errors: [{ message: "Blocked by pi-enclave: unparseable GraphQL body" }] }),
+          { status: 403, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      if (operations.length === 0) return;
+      const result = checkGraphQLPolicy(operations, gqlPolicy.allow);
+      if (result.allowed) return;
+      if (gqlPolicy.unmatched === "allow") return;
+      if (gqlPolicy.unmatched === "deny") {
+        return new Response(
+          JSON.stringify({ errors: [{ message: `Blocked by pi-enclave: ${result.deniedFields.join(", ")}` }] }),
+          { status: 403, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      if (onPolicyPrompt) {
+        const fieldList = result.deniedFields.join(", ");
+        const allowed = await onPolicyPrompt(
+          "GRAPHQL",
+          `${url.hostname}${gqlPolicy.endpoint}: ${fieldList}`,
+          url.hostname
+        );
+        if (!allowed) {
+          return new Response(JSON.stringify({ errors: [{ message: `Blocked by pi-enclave: ${fieldList}` }] }), {
+            status: 403,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
+      } else {
+        return new Response(JSON.stringify({ errors: [{ message: "Blocked by pi-enclave policy" }] }), {
+          status: 403,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+    };
+    const { httpHooks, env } = createHttpHooks(hookOptions);
+    const realFs = new RealFSProvider(workspaceDir);
+    const shadowedFs = new ShadowProvider(realFs, {
+      shouldShadow: createShadowPathPredicate(["/.pi/enclave.toml"]),
+      writeMode: "deny"
+    });
+    const mounts = {
+      [workspaceDir]: shadowedFs
+    };
+    for (const extra of this.options.extraMounts) {
+      if (mounts[extra.path]) continue;
+      const provider = new RealFSProvider(extra.path);
+      if (extra.readonly) {
+        mounts[extra.path] = new ShadowProvider(provider, {
+          shouldShadow: () => true,
+          writeMode: "deny"
+        });
+      } else {
+        mounts[extra.path] = provider;
+      }
+    }
+    this.vm = await VM.create({
+      httpHooks,
+      env: {
+        ...env,
+        ...this.options.extraEnv,
+        HOME: "/root",
+        TERM: "xterm-256color"
+      },
+      vfs: {
+        mounts
+      },
+      sessionLabel: "pi-enclave"
+    });
+    this.options.onStatus?.("VM started, installing packages...");
+    const packages = this.options.packages;
+    if (packages.length > 0) {
+      this.options.onStatus?.(`Installing packages: ${packages.join(", ")}...`);
+      const result = await this.vm.exec(`apk add --no-progress ${packages.map(shellEscape).join(" ")}`);
+      if (!result.ok) {
+        this.options.onStatus?.(`Sandbox active (package install warning: ${result.stderr.trim().split("\n").pop()})`);
+        return;
+      }
+    }
+    for (const cred of this.options.gitCredentials) {
+      await this.vm.exec(
+        `git config --global credential.https://${shellEscape(cred.host)}.helper '!f() { echo "username=${shellEscape(cred.username)}"; echo "password=$${cred.secret}"; }; f'`
+      );
+    }
+    if (this.options.setupScript) {
+      this.options.onStatus?.("Running setup...");
+      const result = await this.vm.exec(this.options.setupScript);
+      if (!result.ok) {
+        this.options.onStatus?.(`Sandbox active (setup warning: ${result.stderr.trim().split("\n").pop()})`);
+        return;
+      }
+    }
+    this.options.onStatus?.("VM ready");
+  }
+  /**
+   * Install additional packages at runtime.
+   */
+  async installPackage(pkg) {
+    if (!this.vm) throw new Error("pi-enclave: VM not started");
+    return this.vm.exec(`apk add --no-progress ${shellEscape(pkg)}`);
+  }
+  /**
+   * Check if the VM is running.
+   */
+  get isRunning() {
+    return this.vm !== void 0 && !this.closed;
+  }
+  /**
+   * Shut down the VM.
+   */
+  async close() {
+    if (this.closed) return;
+    this.closed = true;
+    if (this.vm) {
+      await this.vm.close();
+      this.vm = void 0;
+    }
+  }
+};
+function shellEscape(s) {
+  return `'${s.replace(/'/g, "'\\''")}'`;
+}
+function checkQemuAvailable() {
+  try {
+    execSync2("which qemu-system-aarch64", { stdio: "ignore" });
+    return { available: true };
+  } catch {
+    const platform = process.platform;
+    let installHint;
+    if (platform === "darwin") {
+      installHint = "Install with: brew install qemu";
+    } else if (platform === "linux") {
+      installHint = "Install with: sudo apt install qemu-system-aarch64 (Debian/Ubuntu) or sudo pacman -S qemu-full (Arch)";
+    } else {
+      installHint = "QEMU is required but your platform may not be supported.";
+    }
+    return {
+      available: false,
+      message: `pi-enclave requires QEMU but qemu-system-aarch64 was not found.
+${installHint}`
+    };
+  }
+}
+
+// src/index.ts
+function extractPkgName(versionedName) {
+  const match = versionedName.match(/^(.+?)-\d/);
+  return match ? match[1] : versionedName;
+}
+async function handleAddPackage(query, enclaveVm, cwd, ctx) {
+  const vm = enclaveVm.rawVm;
+  const q = shQuote(query);
+  let exactResult = await vm.exec(`apk search --exact ${q}`);
+  if (!exactResult.ok && exactResult.stderr.includes("No such file")) {
+    await vm.exec("apk update --quiet");
+    exactResult = await vm.exec(`apk search --exact ${q}`);
+  }
+  let targetPkg;
+  if (exactResult.ok && exactResult.stdout.trim()) {
+    const infoResult = await vm.exec(`apk info ${q}`);
+    const info = infoResult.ok ? infoResult.stdout.trim() : `Package: ${query}`;
+    const ok = await ctx.ui.confirm(`\u26E9\u2002Install ${query}?`, info);
+    if (ok) targetPkg = query;
+  } else {
+    const searchResult = await vm.exec(`apk search ${q}`);
+    const rawLines = searchResult.ok ? searchResult.stdout.trim().split("\n").filter(Boolean) : [];
+    const filtered = rawLines.filter(
+      (l) => !/-(?:doc|dev|lang|dbg|bash-completion|zsh-completion|fish-completion|pyc)-\d/.test(l)
+    );
+    if (filtered.length === 0) {
+      ctx.ui.notify(`No packages found for "${query}".`, "warning");
+      return;
+    }
+    const pkgNames = filtered.slice(0, 10).map(extractPkgName);
+    const uniqueNames = [...new Set(pkgNames)];
+    const options = [];
+    for (const name of uniqueNames) {
+      const descResult = await vm.exec(`apk info --description ${shQuote(name)}`);
+      const desc = descResult.ok ? descResult.stdout.trim().split("\n").find((l) => !l.includes("description:") && l.trim()) : void 0;
+      options.push(desc ? `${name} \u2014 ${desc.trim()}` : name);
+    }
+    options.push("Cancel");
+    const choice = await ctx.ui.select(`\u26E9\u2002No exact match for "${query}". Select a package:`, options);
+    if (!choice || choice === "Cancel") return;
+    targetPkg = choice.split(" \u2014 ")[0];
+  }
+  if (!targetPkg) return;
+  const installResult = await enclaveVm.installPackage(targetPkg);
+  if (!installResult.ok) {
+    ctx.ui.notify(`\u274C Failed to install ${targetPkg}: ${installResult.stderr.slice(0, 200)}`, "error");
+    return;
+  }
+  const saveChoice = await ctx.ui.select(`\u2705 Installed ${targetPkg}. Save to config?`, [
+    "Save to project (.pi/enclave.toml)",
+    `Save to global (${tildify(globalConfigPath())})`,
+    "Don't save (this session only)"
+  ]);
+  if (saveChoice === "Save to project (.pi/enclave.toml)") {
+    addPackageToConfig(cwd, targetPkg, "project");
+    ctx.ui.notify(`\u26E9\u2002Added ${targetPkg} to .pi/enclave.toml`);
+  } else if (saveChoice?.startsWith("Save to global")) {
+    addPackageToConfig(cwd, targetPkg, "global");
+    ctx.ui.notify(`\u26E9\u2002Added ${targetPkg} to ${tildify(globalConfigPath())}`);
+  }
+}
+var SESSION_ENTRY_TYPE = "enclave:active";
+function index_default(pi) {
+  const qemu = checkQemuAvailable();
+  if (!qemu.available) {
+    pi.on("session_start", (_event, ctx) => {
+      ctx.ui.notify(qemu.message, "error");
+    });
+    return;
+  }
+  ensureGlobalConfig();
+  const localCwd = process.cwd();
+  const { merged, policies, hasProjectConfig } = loadConfig(localCwd);
+  const packages = merged.packages?.length ? merged.packages : DEFAULT_PACKAGES;
+  const extraMounts = merged.mounts ?? [];
+  const gitCredentials = merged["git-credentials"] ?? [];
+  const allowedHosts = void 0;
+  const extraEnv = resolveEnv(merged.env);
+  const setupScript = merged.setup;
+  let secrets;
+  try {
+    secrets = resolveSecrets(merged.secrets);
+  } catch (err) {
+    pi.on("session_start", (_event, ctx) => {
+      ctx.ui.notify(`pi-enclave: failed to resolve secrets: ${err.message}`, "error");
+    });
+    return;
+  }
+  const configEnabled = merged.enabled;
+  let sessionOverride;
+  function isActive() {
+    if (sessionOverride !== void 0) return sessionOverride;
+    return configEnabled === true;
+  }
+  function getSessionActivation(ctx) {
+    const entries = ctx.sessionManager.getEntries();
+    for (let i = entries.length - 1; i >= 0; i--) {
+      const entry = entries[i];
+      if (entry.type === "custom" && entry.customType === SESSION_ENTRY_TYPE) {
+        return entry.data;
+      }
+    }
+    return void 0;
+  }
+  let enclaveVm;
+  let vmStarting;
+  async function shutdownVm() {
+    if (enclaveVm) {
+      await enclaveVm.close();
+      enclaveVm = void 0;
+    }
+    vmStarting = void 0;
+  }
+  async function ensureVm(ctx) {
+    if (!isActive()) return null;
+    if (enclaveVm?.isRunning) return enclaveVm;
+    if (vmStarting) return vmStarting;
+    vmStarting = (async () => {
+      ctx.ui.setStatus("enclave", "\u26E9\u2002Starting VM...");
+      const instance = new EnclaveVM({
+        workspaceDir: localCwd,
+        packages,
+        extraMounts,
+        secrets,
+        gitCredentials,
+        extraEnv,
+        setupScript,
+        allowedHosts,
+        policies,
+        onPolicyPrompt: async (method, url, hostname) => {
+          if (!ctx.hasUI) return false;
+          return ctx.ui.confirm(
+            "Network request needs approval",
+            `${method} ${url}
+Host: ${hostname}
+
+Allow this request?`
+          );
+        },
+        onStatus: (message) => {
+          ctx.ui.setStatus("enclave", `\u26E9\u2002${message}`);
+        }
+      });
+      await instance.start();
+      enclaveVm = instance;
+      ctx.ui.setStatus("enclave", "\u26E9\u2002Sandbox active");
+      return instance;
+    })();
+    return vmStarting;
+  }
+  pi.on("session_start", async (_event, ctx) => {
+    const prev = getSessionActivation(ctx);
+    if (prev !== void 0) {
+      sessionOverride = prev;
+    }
+    if (isActive()) {
+      ensureVm(ctx);
+    } else if (configEnabled === void 0 && sessionOverride === void 0) {
+      ctx.ui.notify("\u26E9\u2002pi-enclave is installed but not enabled. Run /enclave init to set up.");
+    }
+  });
+  pi.on("session_switch", async (_event, ctx) => {
+    await shutdownVm();
+    ctx.ui.setStatus("enclave", void 0);
+    sessionOverride = getSessionActivation(ctx);
+    if (isActive()) {
+      ensureVm(ctx);
+    }
+  });
+  const localRead = createReadTool(localCwd);
+  const localWrite = createWriteTool(localCwd);
+  const localEdit = createEditTool(localCwd);
+  const localBash = createBashTool(localCwd);
+  pi.registerTool({
+    ...localRead,
+    async execute(id, params, signal, onUpdate, ctx) {
+      const vm = await ensureVm(ctx);
+      if (!vm) return localRead.execute(id, params, signal, onUpdate);
+      return createReadTool(localCwd, { operations: createVmReadOps(vm.rawVm) }).execute(id, params, signal, onUpdate);
+    }
+  });
+  pi.registerTool({
+    ...localWrite,
+    async execute(id, params, signal, onUpdate, ctx) {
+      const vm = await ensureVm(ctx);
+      if (!vm) return localWrite.execute(id, params, signal, onUpdate);
+      return createWriteTool(localCwd, { operations: createVmWriteOps(vm.rawVm) }).execute(
+        id,
+        params,
+        signal,
+        onUpdate
+      );
+    }
+  });
+  pi.registerTool({
+    ...localEdit,
+    async execute(id, params, signal, onUpdate, ctx) {
+      const vm = await ensureVm(ctx);
+      if (!vm) return localEdit.execute(id, params, signal, onUpdate);
+      return createEditTool(localCwd, { operations: createVmEditOps(vm.rawVm) }).execute(id, params, signal, onUpdate);
+    }
+  });
+  pi.registerTool({
+    ...localBash,
+    async execute(id, params, signal, onUpdate, ctx) {
+      const vm = await ensureVm(ctx);
+      if (!vm) return localBash.execute(id, params, signal, onUpdate);
+      return createBashTool(localCwd, { operations: createVmBashOps(vm.rawVm) }).execute(id, params, signal, onUpdate);
+    }
+  });
+  pi.on("user_bash", (_event, _ctx) => {
+    if (!enclaveVm?.isRunning) return;
+    return { operations: createVmBashOps(enclaveVm.rawVm) };
+  });
+  pi.on("before_agent_start", async (_event, _ctx) => {
+    if (!isActive()) return;
+    return {
+      message: {
+        customType: "enclave:info",
+        content: [
+          {
+            type: "text",
+            text: "Commands run inside an isolated Alpine Linux VM (pi-enclave). If a command is not found, ask the user to install it with `/enclave add <tool-name>`. Package names may differ from binary names (e.g. `github-cli` for `gh`)."
+          }
+        ],
+        display: false
+      }
+    };
+  });
+  pi.registerCommand("enclave", {
+    description: "Manage enclave: /enclave [status|init|on|off|restart|add <pkg>]",
+    handler: async (args, ctx) => {
+      const parts = args.trim().split(/\s+/);
+      const subcommand = parts[0] || "status";
+      switch (subcommand) {
+        case "status": {
+          if (enclaveVm?.isRunning) {
+            const secretNames = secrets.map((s) => s.name).join(", ") || "none";
+            ctx.ui.notify(
+              `\u26E9\u2002pi-enclave: Sandbox active
+Config: ${hasProjectConfig ? ".pi/enclave.toml" : "none (using defaults)"}
+Packages: ${packages.join(", ")}
+Secrets: ${secretNames}`
+            );
+          } else {
+            const label = isActive() ? "enabled, VM starts on next tool use" : "not enabled";
+            ctx.ui.notify(`\u26E9\u2002pi-enclave: ${label}`);
+          }
+          break;
+        }
+        case "init": {
+          const createdGlobal = ensureGlobalConfig();
+          const createdProject = initProjectConfig(localCwd);
+          const messages = [];
+          for (const path2 of createdGlobal) {
+            messages.push(`Created ${tildify(path2)}`);
+          }
+          if (createdProject) {
+            messages.push("Created .pi/enclave.toml with enabled = true");
+            sessionOverride = true;
+            pi.appendEntry(SESSION_ENTRY_TYPE, true);
+          } else {
+            messages.push(".pi/enclave.toml already exists");
+          }
+          ctx.ui.notify(`\u26E9\u2002${messages.join("\n")}`);
+          if (createdProject) {
+            ctx.ui.notify("Reload with /reload to apply the new config.", "info");
+          }
+          break;
+        }
+        case "on": {
+          sessionOverride = true;
+          pi.appendEntry(SESSION_ENTRY_TYPE, true);
+          ctx.ui.notify("\u26E9\u2002pi-enclave enabled for this session. VM starts on next tool use.");
+          break;
+        }
+        case "off": {
+          sessionOverride = false;
+          pi.appendEntry(SESSION_ENTRY_TYPE, false);
+          await shutdownVm();
+          ctx.ui.setStatus("enclave", void 0);
+          ctx.ui.notify("\u26E9\u2002pi-enclave disabled for this session. Tools run on the host.");
+          break;
+        }
+        case "restart": {
+          await shutdownVm();
+          ctx.ui.notify("\u26E9\u2002pi-enclave: VM will restart on next tool use.");
+          break;
+        }
+        case "add": {
+          const query = parts.slice(1).join(" ");
+          if (!query) {
+            ctx.ui.notify("Usage: /enclave add <package-name>", "warning");
+            return;
+          }
+          if (!isActive()) {
+            sessionOverride = true;
+            pi.appendEntry(SESSION_ENTRY_TYPE, true);
+          }
+          const vmForAdd = await ensureVm(ctx);
+          if (!vmForAdd) {
+            ctx.ui.notify("Failed to start VM.", "error");
+            return;
+          }
+          await handleAddPackage(query, vmForAdd, localCwd, ctx);
+          break;
+        }
+        default:
+          ctx.ui.notify("Usage: /enclave [status|init|on|off|restart|add <pkg>]", "warning");
+      }
+    }
+  });
+  pi.on("session_shutdown", async (_event, ctx) => {
+    if (!enclaveVm) return;
+    ctx.ui.setStatus("enclave", "\u26E9\u2002Stopping sandbox...");
+    await shutdownVm();
+  });
+}
+export {
+  index_default as default
+};