npm - pi-mono-all - Versions diffs - 1.0.0 - Mend

pi-mono-all 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (161) hide show

package/node_modules/pi-mono-sentinel/guards/execution-tracker.ts ADDED Viewed

@@ -0,0 +1,281 @@
+/**
+ * execution-tracker — Gap 3: Indirect execution attack mitigation.
+ *
+ * Two hooks working together:
+ *
+ * 1. **Write-time tracking** (`tool_call` on `write` / `edit`):
+ *    Records every file written during the session and scans the content
+ *    for dangerous execution patterns (curl|bash, eval, exfiltration, etc.).
+ *    Does NOT block — only records metadata in the session write registry.
+ *
+ * 2. **Execution-time correlation** (`tool_call` on `bash`):
+ *    Extracts script paths from bash commands and checks them against the
+ *    session write registry. If a script was written this session and
+ *    contains dangerous patterns, asks/denies before allowing execution.
+ */
+import { readFile, stat } from "node:fs/promises";
+import { resolve } from "node:path";
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
+import type { SentinelSession } from "../session.js";
+import type { DangerousPattern, WriteEntry } from "../types.js";
+// ---------------------------------------------------------------------------
+// Dangerous content patterns (for scripts)
+// ---------------------------------------------------------------------------
+const DANGEROUS_PATTERNS: readonly DangerousPattern[] = [
+	{
+		label: "curl-pipe-exec",
+		pattern: /curl\s.*\|\s*(?:bash|sh|zsh)/,
+	},
+	{
+		label: "wget-pipe-exec",
+		pattern: /wget\s.*\|\s*(?:bash|sh|zsh)/,
+	},
+	{
+		label: "eval-subshell",
+		pattern: /eval\s+["'$]/,
+	},
+	{
+		label: "network-exfil",
+		pattern: /curl\s.*(?:-X\s*POST|--data\b|-d\s)/,
+	},
+	{
+		label: "rm-recursive",
+		pattern: /rm\s+-[a-zA-Z]*r[a-zA-Z]*f/,
+	},
+	{
+		label: "privilege-escalation",
+		pattern: /(?:chmod\s+777|sudo\s)/,
+	},
+	{
+		label: "persistence",
+		pattern: /(?:crontab|systemctl\s+enable|launchctl)/,
+	},
+];
+// ---------------------------------------------------------------------------
+// Script execution path extraction
+// ---------------------------------------------------------------------------
+const EXEC_PATTERNS: readonly RegExp[] = [
+	/\b(?:bash|sh|zsh|dash)\s+(\S+)/,
+	/\b(?:node|python3?|ruby|perl|tsx?)\s+(\S+)/,
+	/\bsource\s+(\S+)/,
+	/^\.\s+(\S+)/,
+	/^\.\/(\S+)/,
+];
+/** Extract potential script file paths from a bash command. */
+function extractScriptPaths(command: string): string[] {
+	const paths: string[] = [];
+	for (const pattern of EXEC_PATTERNS) {
+		const match = pattern.exec(command);
+		if (match?.[1]) {
+			const target = match[1];
+			// Skip flags
+			if (!target.startsWith("-")) {
+				paths.push(target);
+			}
+		}
+	}
+	return paths;
+}
+// ---------------------------------------------------------------------------
+// Content scanning
+// ---------------------------------------------------------------------------
+/** Scan content for dangerous execution patterns. Returns matched labels. */
+function scanForDangerousContent(content: string): string[] {
+	const matched: string[] = [];
+	for (const { label, pattern } of DANGEROUS_PATTERNS) {
+		if (pattern.test(content)) {
+			matched.push(label);
+		}
+	}
+	return matched;
+}
+// ---------------------------------------------------------------------------
+// Guard registration
+// ---------------------------------------------------------------------------
+export function registerExecutionTracker(
+	pi: ExtensionAPI,
+	session: SentinelSession,
+): void {
+	// -----------------------------------------------------------------------
+	// 4a. Write-time tracking — record writes and flag dangerous content
+	// -----------------------------------------------------------------------
+	// Track `write` tool calls
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("write", event)) return;
+		const rawPath = event.input.path;
+		const content = event.input.content;
+		if (!rawPath || typeof content !== "string") return;
+		const absolutePath = resolve(ctx.cwd, rawPath);
+		const dangerousPatterns = scanForDangerousContent(content);
+		session.registerWrite({
+			path: absolutePath,
+			timestamp: Date.now(),
+			hasDangerousContent: dangerousPatterns.length > 0,
+			dangerousPatterns,
+		});
+		if (dangerousPatterns.length > 0) {
+			ctx.ui.notify(
+				`[sentinel] Write tracked: ${rawPath} flagged (${dangerousPatterns.join(", ")})`,
+				"warning",
+			);
+		}
+	});
+	// Track `edit` tool calls
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("edit", event)) return;
+		const rawPath = event.input.path;
+		const edits = event.input.edits as
+			| Array<{ oldText: string; newText: string }>
+			| undefined;
+		if (!rawPath || !edits?.length) return;
+		const absolutePath = resolve(ctx.cwd, rawPath);
+		const allNewText = edits.map((e) => e.newText).join("\n");
+		const dangerousPatterns = scanForDangerousContent(allNewText);
+		// For edits, merge with existing entry if present
+		const existing = session.getWrite(absolutePath);
+		const mergedPatterns = existing
+			? [...new Set([...existing.dangerousPatterns, ...dangerousPatterns])]
+			: dangerousPatterns;
+		session.registerWrite({
+			path: absolutePath,
+			timestamp: Date.now(),
+			hasDangerousContent: mergedPatterns.length > 0,
+			dangerousPatterns: mergedPatterns,
+		});
+		if (dangerousPatterns.length > 0) {
+			ctx.ui.notify(
+				`[sentinel] Edit tracked: ${rawPath} flagged (${dangerousPatterns.join(", ")})`,
+				"warning",
+			);
+		}
+	});
+	// -----------------------------------------------------------------------
+	// 4b. Execution-time correlation — check bash against write registry
+	// -----------------------------------------------------------------------
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("bash", event)) return;
+		const command = event.input.command ?? "";
+		const scriptPaths = extractScriptPaths(command);
+		if (scriptPaths.length === 0) return;
+		for (const scriptPath of scriptPaths) {
+			const absolutePath = resolve(ctx.cwd, scriptPath);
+			const writeEntry = session.getWrite(absolutePath);
+			// Not written this session — skip
+			if (!writeEntry) continue;
+			// Written this session but no dangerous content — notify only
+			if (!writeEntry.hasDangerousContent) {
+				ctx.ui.notify(
+					`[sentinel] Executing session-written file: ${scriptPath}`,
+					"info",
+				);
+				continue;
+			}
+			// Re-verify: file may have been modified externally since we tracked the write
+			const currentPatterns = await rescanFileIfChanged(
+				absolutePath,
+				writeEntry,
+			);
+			// File was modified and no longer dangerous
+			if (currentPatterns.length === 0) {
+				session.registerWrite({
+					...writeEntry,
+					hasDangerousContent: false,
+					dangerousPatterns: [],
+				});
+				ctx.ui.notify(
+					`[sentinel] File ${scriptPath} was modified — no longer flagged`,
+					"info",
+				);
+				continue;
+			}
+			// Dangerous content confirmed — escalate
+			const message = [
+				`About to execute a file written earlier in this session:`,
+				`  Path: ${scriptPath}`,
+				`  Flagged patterns: ${currentPatterns.join(", ")}`,
+				"",
+				"Allow execution?",
+			].join("\n");
+			if (ctx.hasUI) {
+				const allowed = await ctx.ui.confirm(
+					"[sentinel] Dangerous script execution",
+					message,
+				);
+				if (allowed) continue;
+			}
+			// No UI or user denied — block
+			return {
+				block: true,
+				reason:
+					`[sentinel] Blocked: bash executes ${scriptPath}, written this session ` +
+					`with dangerous patterns: ${currentPatterns.join(", ")}.`,
+			};
+		}
+	});
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Re-read and re-scan a file to verify dangerous content is still present.
+ * Handles the edge case where the file was modified externally between
+ * write-time tracking and execution-time correlation.
+ */
+async function rescanFileIfChanged(
+	absolutePath: string,
+	writeEntry: WriteEntry,
+): Promise<string[]> {
+	try {
+		const fileStat = await stat(absolutePath);
+		// If the file was modified after we tracked the write, re-scan
+		if (fileStat.mtimeMs > writeEntry.timestamp) {
+			const content = await readFile(absolutePath, "utf-8");
+			return scanForDangerousContent(content);
+		}
+		// File unchanged — trust the original scan
+		return writeEntry.dangerousPatterns;
+	} catch {
+		// File gone or unreadable — no longer dangerous
+		return [];
+	}
+}

package/node_modules/pi-mono-sentinel/guards/output-scanner.ts ADDED Viewed

@@ -0,0 +1,232 @@
+/**
+ * output-scanner — Gap 2: Content-in-location attack mitigation.
+ *
+ * Pre-reads files before `read` tool calls execute and scans for secret
+ * patterns. If secrets are found, asks the user before allowing the read.
+ *
+ * Since `tool_result` is read-only in the pi extension API, we intercept
+ * at `tool_call` time — read the file ourselves, scan it, and make an
+ * ASK/DENY decision before the actual read proceeds.
+ *
+ * Also intercepts `bash` commands that read files (cat, head, tail, less)
+ * and pre-scans the target files.
+ */
+import { readFile, stat } from "node:fs/promises";
+import { resolve } from "node:path";
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
+import type { SentinelSession } from "../session.js";
+import type { ScanMatch } from "../types.js";
+import {
+	expandPaths,
+	extractReadTargets,
+} from "../patterns/read-targets.js";
+import {
+	isBinaryContent,
+	MAX_SCAN_BYTES,
+	scanForSecrets,
+} from "../patterns/secrets.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Format scan matches into a human-readable confirmation message. */
+function formatConfirmMessage(matches: ScanMatch[]): string {
+	const lines = matches.map(
+		(m) => `  - ${m.label} (line ${m.line}): ${m.snippet}`,
+	);
+	return [
+		"File may contain secrets:",
+		...lines,
+		"",
+		"Allow this read?",
+	].join("\n");
+}
+/**
+ * Pre-read a file and scan for secrets. Uses the session scan cache to
+ * avoid redundant filesystem reads on unchanged files.
+ *
+ * Returns the scan matches, or an empty array if the file is binary,
+ * too large, or unreadable.
+ */
+async function scanFile(
+	absolutePath: string,
+	session: SentinelSession,
+): Promise<ScanMatch[]> {
+	try {
+		const fileStat = await stat(absolutePath);
+		// Check cache first
+		const cached = session.getCachedScan(absolutePath, fileStat.mtimeMs);
+		if (cached) return cached.matches;
+		// Skip files larger than scan limit
+		if (fileStat.size > MAX_SCAN_BYTES) return [];
+		// Skip non-files (directories, symlinks, etc.)
+		if (!fileStat.isFile()) return [];
+		const content = await readFile(absolutePath, "utf-8");
+		// Skip binary files
+		if (isBinaryContent(content)) {
+			session.cacheScan(absolutePath, fileStat.mtimeMs, {
+				hasSecrets: false,
+				matches: [],
+			});
+			return [];
+		}
+		const result = scanForSecrets(content);
+		session.cacheScan(absolutePath, fileStat.mtimeMs, result);
+		return result.matches;
+	} catch {
+		// File unreadable (permissions, doesn't exist, etc.) — let the tool handle the error
+		return [];
+	}
+}
+// ---------------------------------------------------------------------------
+// Guard registration
+// ---------------------------------------------------------------------------
+export function registerOutputScanner(
+	pi: ExtensionAPI,
+	session: SentinelSession,
+): void {
+	// -----------------------------------------------------------------------
+	// Intercept `read` tool calls
+	// -----------------------------------------------------------------------
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("read", event)) return;
+		const rawPath = event.input.path;
+		if (!rawPath) return;
+		const absolutePath = resolve(
+			ctx.cwd,
+			rawPath.startsWith("@") ? rawPath.slice(1) : rawPath,
+		);
+		// Skip the dialog entirely if this file was previously allowed.
+		if (session.isReadWhitelisted(absolutePath)) {
+			return;
+		}
+		const matches = await scanFile(absolutePath, session);
+		if (matches.length === 0) return;
+		// Secrets found — escalate
+		if (ctx.hasUI) {
+			const choice = await ctx.ui.select(
+				`[sentinel] Secret detected\n\n${formatConfirmMessage(matches)}`,
+				[
+					"Allow once",
+					"Always allow this file",
+					"Deny",
+				],
+			);
+			if (choice === "Allow once") return; // User approved — let the read proceed
+			if (choice === "Always allow this file") {
+				session.addToReadWhitelist(absolutePath);
+				return;
+			}
+		}
+		// No UI or user denied — block
+		return {
+			block: true,
+			reason:
+				`[sentinel] Blocked: file contains ${matches.length} potential secret(s). ` +
+				matches.map((m) => m.label).join(", ") +
+				".",
+		};
+	});
+	// -----------------------------------------------------------------------
+	// Intercept `bash` commands that read files (cat, head, tail, less)
+	// -----------------------------------------------------------------------
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("bash", event)) return;
+		const command = event.input.command ?? "";
+		const targets = extractReadTargets(command);
+		if (targets.length === 0) return;
+		// Scan all targeted files (with glob expansion)
+		const allMatches: Array<{
+			path: string;
+			absolutePath: string;
+			matches: ScanMatch[];
+		}> = [];
+		for (const target of targets) {
+			const absolutePaths = await expandPaths(ctx.cwd, target);
+			for (const absolutePath of absolutePaths) {
+				if (session.isReadWhitelisted(absolutePath)) continue;
+				const matches = await scanFile(absolutePath, session);
+				if (matches.length > 0) {
+					allMatches.push({ path: target, absolutePath, matches });
+				}
+			}
+		}
+		if (allMatches.length === 0) return;
+		// Build a combined confirmation message
+		const message = allMatches
+			.flatMap(({ path, matches }) =>
+				matches.map(
+					(m) => `  - ${m.label} in ${path} (line ${m.line}): ${m.snippet}`,
+				),
+			)
+			.join("\n");
+		if (ctx.hasUI) {
+			const choice = await ctx.ui.select(
+				`[sentinel] Secret detected in bash target\n\nCommand reads file(s) that may contain secrets:\n${message}\n\nAllow execution?`,
+				[
+					"Allow once",
+					"Always allow these files",
+					"Deny",
+				],
+			);
+			if (choice === "Allow once") return;
+			if (choice === "Always allow these files") {
+				for (const { absolutePath } of allMatches) {
+					session.addToReadWhitelist(absolutePath);
+				}
+				return;
+			}
+		}
+		const totalMatches = allMatches.reduce(
+			(sum, entry) => sum + entry.matches.length,
+			0,
+		);
+		return {
+			block: true,
+			reason:
+				`[sentinel] Blocked: bash command reads file(s) with ${totalMatches} potential secret(s).`,
+		};
+	});
+	// -----------------------------------------------------------------------
+	// Invalidate scan cache when context-guard reports a file modification
+	// -----------------------------------------------------------------------
+	pi.events.on("context-guard:file-modified", (data: unknown) => {
+		const event = data as { path?: string } | undefined;
+		if (event?.path) {
+			session.invalidateScanCache(resolve(event.path));
+		}
+	});
+}

package/node_modules/pi-mono-sentinel/guards/permission-gate.ts ADDED Viewed

@@ -0,0 +1,170 @@
+/**
+ * permission-gate — proactive bash / write / edit guard.
+ *
+ * Complements `execution-tracker` (which only fires for *session-written*
+ * scripts) by intercepting raw bash commands and out-of-scope writes that
+ * perform system-level operations: `curl | bash`, `sudo`, `brew install`,
+ * `rm -rf /Library/...`, writes to `~/.zshrc`, `/usr/local/bin`, etc.
+ *
+ * Decision matrix:
+ *   - UI available + user allows  → proceed
+ *   - UI available + user denies  → block with reason
+ *   - No UI + dangerous detected  → block with reason (fail-safe)
+ *   - No dangerous patterns       → proceed
+ */
+import type {
+	ExtensionAPI,
+	ExtensionContext,
+} from "@mariozechner/pi-coding-agent";
+import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
+import type { SentinelSession } from "../session.js";
+import {
+	BASH_RISK_DESCRIPTIONS,
+	PATH_CATEGORY_DESCRIPTIONS,
+	classifyBashCommand,
+	classifyPath,
+	resolveTargetPath,
+} from "../patterns/permissions.js";
+// ---------------------------------------------------------------------------
+// Bash gating
+// ---------------------------------------------------------------------------
+function registerBashGate(pi: ExtensionAPI): void {
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("bash", event)) return;
+		const command = event.input.command ?? "";
+		if (!command) return;
+		const risks = classifyBashCommand(command);
+		if (risks.length === 0) return;
+		const labelLines = risks.map(
+			(risk) => `  - ${risk}: ${BASH_RISK_DESCRIPTIONS[risk]}`,
+		);
+		const message = [
+			"Bash command matched permission-gate risk classes:",
+			...labelLines,
+			"",
+			`Command:`,
+			`  ${command}`,
+			"",
+			"Allow execution?",
+		].join("\n");
+		if (ctx.hasUI) {
+			const allowed = await ctx.ui.confirm(
+				"[sentinel] Permission gate — bash",
+				message,
+			);
+			if (allowed) return;
+		}
+		return {
+			block: true,
+			reason:
+				`[sentinel] Blocked bash command (${risks.join(", ")}). ` +
+				`Command: ${command}`,
+		};
+	});
+}
+// ---------------------------------------------------------------------------
+// Write / edit gating
+// ---------------------------------------------------------------------------
+function registerPathGate(pi: ExtensionAPI, session: SentinelSession): void {
+	const handler = async (
+		rawPath: string | undefined,
+		toolName: "write" | "edit",
+		ctx: ExtensionContext,
+	): Promise<{ block: true; reason: string } | undefined> => {
+		if (!rawPath) return;
+		const absolute = resolveTargetPath(rawPath, ctx.cwd);
+		const category = classifyPath(absolute, ctx.cwd);
+		if (!category) return;
+		// Skip the dialog entirely if this path was previously whitelisted
+		if (session.isWhitelisted(absolute)) {
+			return;
+		}
+		const contextLine =
+			category === "shell-config"
+				? "This is a persistent user shell configuration change."
+				: category === "system-directory"
+					? "This modifies a system directory and may affect other applications."
+					: "This path is outside the current project root.";
+		const title = [
+			`[sentinel] Permission gate — ${toolName}`,
+			`Path: ${absolute}`,
+			`Category: ${PATH_CATEGORY_DESCRIPTIONS[category]}`,
+			contextLine,
+		].join("\n");
+		if (ctx.hasUI) {
+			const choice = await ctx.ui.select(title, [
+				"Allow once",
+				"Always allow this path",
+				"Deny",
+			]);
+			if (choice === "Allow once") {
+				return;
+			}
+			if (choice === "Always allow this path") {
+				session.addToWhitelist(absolute);
+				return;
+			}
+			// choice === "Deny" or undefined (user cancelled)
+			return {
+				block: true,
+				reason:
+					`[sentinel] Blocked ${toolName} to ${PATH_CATEGORY_DESCRIPTIONS[category]}: ${absolute}`,
+			};
+		}
+		return {
+			block: true,
+			reason:
+				`[sentinel] Blocked ${toolName} to ${PATH_CATEGORY_DESCRIPTIONS[category]}: ${absolute}`,
+		};
+	};
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("write", event)) return;
+		const rawPath = event.input.path;
+		if (rawPath?.startsWith("~")) {
+			event.input.path = resolveTargetPath(rawPath, ctx.cwd);
+		}
+		return handler(event.input.path, "write", ctx);
+	});
+	pi.on("tool_call", async (event, ctx) => {
+		if (!isToolCallEventType("edit", event)) return;
+		const rawPath = event.input.path;
+		if (rawPath?.startsWith("~")) {
+			event.input.path = resolveTargetPath(rawPath, ctx.cwd);
+		}
+		return handler(event.input.path, "edit", ctx);
+	});
+}
+// ---------------------------------------------------------------------------
+// Public registration
+// ---------------------------------------------------------------------------
+export function registerPermissionGate(
+	pi: ExtensionAPI,
+	session: SentinelSession,
+): void {
+	registerBashGate(pi);
+	registerPathGate(pi, session);
+}