pi-mono-all 1.0.0

package/node_modules/pi-mono-sentinel/index.ts

@@ -0,0 +1,43 @@
+/**
+ * sentinel — content-aware security guard for pi coding agents.
+ *
+ * Guards addressing cross-cutting security gaps:
+ *
+ * 1. **output-scanner** (Gap 2 — content-in-location):
+ *    Pre-reads files before `read` tool calls and scans for secret patterns.
+ *    Asks the user before allowing reads that contain credentials.
+ *
+ * 2. **execution-tracker** (Gap 3 — indirect execution):
+ *    Tracks files written during the session and scans for dangerous patterns.
+ *    When `bash` executes a file written this session, correlates the write
+ *    with the execution and asks/denies based on flagged content.
+ *
+ * 3. **permission-gate** (Gap 4 — out-of-scope operations):
+ *    Intercepts raw bash commands and write/edit calls that perform
+ *    system-level operations (sudo, curl|bash, brew install, writes to
+ *    shell configs / system directories, rm -rf on system paths).
+ */
+
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+
+import { SentinelSession } from "./session.js";
+import { registerOutputScanner } from "./guards/output-scanner.js";
+import { registerExecutionTracker } from "./guards/execution-tracker.js";
+import { registerPermissionGate } from "./guards/permission-gate.js";
+
+export default function (pi: ExtensionAPI): void {
+	const session = new SentinelSession();
+
+	pi.on("session_start", async () => {
+		session.reset();
+	});
+
+	// Gap 2: scan file content before reads
+	registerOutputScanner(pi, session);
+
+	// Gap 3: track writes + correlate with bash execution
+	registerExecutionTracker(pi, session);
+
+	// Gap 4: proactive permission gate for bash + out-of-scope writes
+	registerPermissionGate(pi, session);
+}

package/node_modules/pi-mono-sentinel/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "pi-mono-sentinel",
+  "version": "1.10.1",
+  "description": "Pi extension that guards against content-based secret leaks and indirect script execution",
+  "keywords": [
+    "pi-package",
+    "pi-extension"
+  ],
+  "scripts": {
+    "test": "npx tsx --test '__tests__/**/*.test.ts'"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*",
+    "@sinclair/typebox": "*"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/emanuelcasco/pi-mono-extensions.git",
+    "directory": "extensions/sentinel"
+  }
+}

package/node_modules/pi-mono-sentinel/patterns/permissions.ts

@@ -0,0 +1,175 @@
+/**
+ * Permission-gate pattern matchers.
+ *
+ * Pure helpers (no I/O, no extension API) so they can be unit-tested in
+ * isolation from the pi runtime.
+ */
+
+import { homedir } from "node:os";
+import { isAbsolute, normalize, resolve, sep } from "node:path";
+
+// ---------------------------------------------------------------------------
+// Bash risk classes
+// ---------------------------------------------------------------------------
+
+export type BashRiskClass =
+	| "remote-pipe-exec"
+	| "privilege-escalation"
+	| "destructive-system-rm"
+	| "package-manager-install"
+	| "persistence"
+	| "shell-config-write"
+	| "system-binary-install";
+
+type BashPattern = {
+	label: BashRiskClass;
+	pattern: RegExp;
+};
+
+const BASH_PATTERNS: readonly BashPattern[] = [
+	{
+		label: "remote-pipe-exec",
+		pattern: /(?:curl|wget)\b[^\n|]*\|\s*(?:bash|sh|zsh)\b/,
+	},
+	{
+		label: "privilege-escalation",
+		pattern: /\bsudo\b/,
+	},
+	{
+		// rm -rf targeting system roots or the user's home directory itself.
+		// Project-local rm -rf is intentionally NOT matched here.
+		label: "destructive-system-rm",
+		pattern:
+			/\brm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\b[^\n;]*?(?:\s|=)(?:\/(?:usr|Library|System|opt|etc|var|bin|sbin|private)(?:\/|\b)|~(?:\/|\s|$)|\$HOME\b)/,
+	},
+	{
+		label: "package-manager-install",
+		pattern: /\bbrew\s+(?:install|upgrade|update|reinstall)\b/,
+	},
+	{
+		label: "persistence",
+		pattern: /\b(?:crontab\s+-|systemctl\s+enable|launchctl\s+(?:load|bootstrap))\b/,
+	},
+	{
+		label: "shell-config-write",
+		pattern:
+			/(?:>>?|tee\b[^\n|]*)\s*~?\/?\.?(?:zshrc|bashrc|bash_profile|profile|zprofile|zshenv|zlogin|inputrc)\b/,
+	},
+	{
+		label: "system-binary-install",
+		pattern:
+			/\b(?:cp|mv|install|ln)\b[^\n|;]*\s\/usr\/local\/(?:bin|sbin|lib)\/?/,
+	},
+];
+
+/** Scan a bash command string. Returns matched risk-class labels. */
+export function classifyBashCommand(command: string): BashRiskClass[] {
+	const matched: BashRiskClass[] = [];
+	for (const { label, pattern } of BASH_PATTERNS) {
+		if (pattern.test(command)) matched.push(label);
+	}
+	return matched;
+}
+
+// ---------------------------------------------------------------------------
+// Path classification
+// ---------------------------------------------------------------------------
+
+export type PathCategory =
+	| "shell-config"
+	| "system-directory"
+	| "outside-project";
+
+const SYSTEM_PREFIXES: readonly string[] = [
+	"/usr/",
+	"/Library/",
+	"/System/",
+	"/opt/",
+	"/etc/",
+	"/var/",
+	"/bin/",
+	"/sbin/",
+	"/private/",
+];
+
+const SHELL_CONFIG_BASENAMES: readonly string[] = [
+	".zshrc",
+	".bashrc",
+	".bash_profile",
+	".profile",
+	".zprofile",
+	".zshenv",
+	".zlogin",
+	".inputrc",
+	".config/fish/config.fish",
+];
+
+/** Resolve a raw user-supplied path to an absolute, normalized form. */
+export function resolveTargetPath(rawPath: string, cwd: string): string {
+	const home = homedir();
+	let expanded = rawPath;
+
+	if (expanded === "~") {
+		expanded = home;
+	} else if (expanded.startsWith("~/")) {
+		expanded = `${home}/${expanded.slice(2)}`;
+	}
+
+	const absolute = isAbsolute(expanded) ? expanded : resolve(cwd, expanded);
+	return normalize(absolute);
+}
+
+/**
+ * Classify an absolute path against permission-gate categories.
+ *
+ * Returns the matched category (most-specific wins: shell-config first, then
+ * system-directory, then outside-project) or `null` for safe in-project paths.
+ */
+export function classifyPath(
+	absolutePath: string,
+	projectRoot: string,
+): PathCategory | null {
+	const home = homedir();
+
+	// 1. Shell config files
+	for (const basename of SHELL_CONFIG_BASENAMES) {
+		const candidate = normalize(`${home}/${basename}`);
+		if (absolutePath === candidate) return "shell-config";
+	}
+
+	// 2. System directories
+	for (const prefix of SYSTEM_PREFIXES) {
+		if (absolutePath.startsWith(prefix)) return "system-directory";
+	}
+
+	// 3. Outside project root
+	const root = normalize(projectRoot).replace(/\/$/, "");
+	if (
+		absolutePath !== root &&
+		!absolutePath.startsWith(`${root}${sep}`)
+	) {
+		return "outside-project";
+	}
+
+	return null;
+}
+
+// ---------------------------------------------------------------------------
+// Human-readable labels
+// ---------------------------------------------------------------------------
+
+export const BASH_RISK_DESCRIPTIONS: Record<BashRiskClass, string> = {
+	"remote-pipe-exec": "Pipes a remote download into a shell",
+	"privilege-escalation": "Runs with elevated privileges (sudo)",
+	"destructive-system-rm": "Recursively deletes a system or home path",
+	"package-manager-install": "Installs/upgrades a system package",
+	persistence: "Installs a persistence hook (cron / launchd / systemd)",
+	"shell-config-write": "Modifies a user shell config file",
+	"system-binary-install": "Installs a binary into a system path",
+};
+
+export const PATH_CATEGORY_DESCRIPTIONS: Record<PathCategory, string> = {
+	"shell-config": "user shell configuration file",
+	"system-directory": "system directory",
+	"outside-project": "path outside the project root",
+};

package/node_modules/pi-mono-sentinel/patterns/read-targets.ts

@@ -0,0 +1,104 @@
+/**
+ * Pure helpers for extracting file-read targets from bash commands.
+ * Kept separate from output-scanner.ts so they can be unit-tested
+ * without pulling in ExtensionAPI imports.
+ */
+
+import { readdir } from "node:fs/promises";
+import { basename, dirname, join, resolve } from "node:path";
+
+/**
+ * Strip quoted substrings so they don't confuse the tokenizer.
+ */
+function stripQuotes(s: string): string {
+	return s.replace(/"[^"]*"/g, " ").replace(/'[^']*'/g, " ");
+}
+
+/**
+ * Extract file paths from bash commands that read file content.
+ * Targets: cat, head, tail, less, more, grep, rg, sed, awk, strings,
+ * nl, sort, uniq, wc, diff, tac, rev, xxd, hexdump, od, base64, file,
+ * jq, yq, and similar file-reading utilities.
+ */
+export function extractReadTargets(command: string): string[] {
+	const paths: string[] = [];
+
+	// Commands that take a script / filter / pattern first, then files:
+	//   grep [options] pattern file...
+	//   rg   [options] pattern file...
+	//   awk  [options] 'script' file...
+	//   sed  [options] 'script' file...
+	//   jq   [options] filter  file...
+	const scriptCommands =
+		/\b(?:grep|rg|egrep|fgrep|awk|sed|perl|python3?|jq|yq)\b/g;
+	let sm: RegExpExecArray | null;
+	while ((sm = scriptCommands.exec(command)) !== null) {
+		const tail = command.slice(sm.index + sm[0].length);
+		const tokens = stripQuotes(tail)
+			.split(/\s+/)
+			.filter(Boolean);
+		for (const token of tokens) {
+			// Stop at shell operators and redirects
+			if (/^[|;&]|^(\d?[<>]|>>|<<)/.test(token)) break;
+			// Skip flags
+			if (token.startsWith("-")) continue;
+			paths.push(token);
+		}
+	}
+
+	// Commands that take files directly after the command name.
+	const directCommands =
+		/\b(?:cat|head|tail|less|more|nl|tac|rev|strings|xxd|hexdump|od|base64|file|sort|uniq|wc|diff|comm|join|cut|paste|column)\b/g;
+	let dm: RegExpExecArray | null;
+	while ((dm = directCommands.exec(command)) !== null) {
+		const tail = command.slice(dm.index + dm[0].length);
+		const tokens = stripQuotes(tail)
+			.split(/\s+/)
+			.filter(Boolean);
+		for (const token of tokens) {
+			// Stop at shell operators and redirects
+			if (/^[|;&]|^(\d?[<>]|>>|<<)/.test(token)) break;
+			// Skip flags
+			if (token.startsWith("-")) continue;
+			paths.push(token);
+		}
+	}
+
+	return [...new Set(paths)];
+}
+
+/**
+ * Expand globs like `.env*` into concrete file paths.
+ * Falls back to the raw path if expansion fails or if there is no wildcard.
+ */
+export async function expandPaths(
+	cwd: string,
+	rawTarget: string,
+): Promise<string[]> {
+	const absolutePath = resolve(cwd, rawTarget);
+	const base = basename(absolutePath);
+	const dir = dirname(absolutePath);
+
+	if (!base.includes("*") && !base.includes("?")) {
+		return [absolutePath];
+	}
+
+	try {
+		const entries = await readdir(dir);
+		const regex = new RegExp(
+			"^" +
+				base
+					.replace(/[.+^${}()|[\]\\]/g, "\\$&")
+					.replace(/\*/g, ".*")
+					.replace(/\?/g, ".") +
+				"$",
+		);
+		const matches = entries.filter((f) => regex.test(f));
+		if (matches.length === 0) {
+			return [absolutePath];
+		}
+		return matches.map((f) => join(dir, f));
+	} catch {
+		return [absolutePath];
+	}
+}

package/node_modules/pi-mono-sentinel/patterns/secrets.ts

@@ -0,0 +1,143 @@
+import type { ScanMatch, ScanResult } from "../types.js";
+
+// ---------------------------------------------------------------------------
+// Known secret patterns
+// ---------------------------------------------------------------------------
+
+type SecretPattern = {
+	label: string;
+	regex: RegExp;
+};
+
+const SECRET_PATTERNS: readonly SecretPattern[] = [
+	{ label: "AWS Access Key", regex: /AKIA[A-Z0-9]{16}/ },
+	{
+		label: "AWS Secret Key",
+		regex: /(?:aws_secret_access_key|secret_key)\s*[=:]\s*\S{20,}/i,
+	},
+	{ label: "GitHub Token", regex: /gh[ps]_[a-zA-Z0-9]{36,}/ },
+	{ label: "GitHub OAuth Token", regex: /gho_[a-zA-Z0-9]{36,}/ },
+	{ label: "Anthropic Key", regex: /sk-ant-[a-zA-Z0-9_-]{20,}/ },
+	{ label: "OpenAI Key", regex: /sk-[a-zA-Z0-9]{40,}/ },
+	{
+		label: "PEM Private Key",
+		regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/,
+	},
+	{
+		label: "Generic Secret",
+		regex: /(?:secret|password|token|api_key|apikey|api-key)\s*[=:]\s*['"][^'"]{8,}['"]/i,
+	},
+	{ label: "Slack Token", regex: /xox[bpsa]-[a-zA-Z0-9-]{10,}/ },
+	{
+		label: "Stripe Key",
+		regex: /[sr]k_(?:live|test)_[a-zA-Z0-9]{20,}/,
+	},
+	{
+		label: "Google OAuth Secret",
+		regex: /GOCSPX-[a-zA-Z0-9_-]{28,}/,
+	},
+];
+
+// ---------------------------------------------------------------------------
+// Shannon entropy helper
+// ---------------------------------------------------------------------------
+
+/** Compute Shannon entropy (bits per character) of a string. */
+function shannonEntropy(s: string): number {
+	const freq = new Map<string, number>();
+	for (const ch of s) {
+		freq.set(ch, (freq.get(ch) ?? 0) + 1);
+	}
+	let entropy = 0;
+	for (const count of freq.values()) {
+		const p = count / s.length;
+		entropy -= p * Math.log2(p);
+	}
+	return entropy;
+}
+
+const ENTROPY_THRESHOLD = 4.0;
+const ENTROPY_MIN_LENGTH = 16;
+
+/**
+ * Match high-entropy values in `.env`-style assignments:
+ *   KEY=value  or  KEY="value"  or  KEY='value'
+ */
+const ENV_ASSIGNMENT = /^([A-Z_][A-Z0-9_]*)\s*=\s*['"]?([^'"#\s]+)['"]?/gm;
+
+// ---------------------------------------------------------------------------
+// Masking
+// ---------------------------------------------------------------------------
+
+/** Mask a secret value, keeping the first 4 and last 4 characters. */
+function mask(value: string): string {
+	if (value.length <= 10) return `${value.slice(0, 3)}****`;
+	return `${value.slice(0, 4)}****${value.slice(-4)}`;
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/** Maximum bytes to scan (1 MB). */
+export const MAX_SCAN_BYTES = 1_048_576;
+
+/**
+ * Scan text content for known secret patterns and high-entropy values.
+ * Returns all matches with line numbers and masked snippets.
+ */
+export function scanForSecrets(content: string): ScanResult {
+	const matches: ScanMatch[] = [];
+	const lines = content.split("\n");
+
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		const lineNum = i + 1;
+
+		// Check each known pattern
+		for (const { label, regex } of SECRET_PATTERNS) {
+			const match = regex.exec(line);
+			if (match) {
+				matches.push({
+					label,
+					line: lineNum,
+					snippet: mask(match[0]),
+				});
+			}
+		}
+
+		// Check high-entropy env-style assignments
+		let envMatch: RegExpExecArray | null;
+		ENV_ASSIGNMENT.lastIndex = 0;
+		while ((envMatch = ENV_ASSIGNMENT.exec(line)) !== null) {
+			const value = envMatch[2];
+			if (
+				value.length >= ENTROPY_MIN_LENGTH &&
+				shannonEntropy(value) >= ENTROPY_THRESHOLD
+			) {
+				// Avoid duplicate if already matched by a known pattern
+				const alreadyMatched = matches.some(
+					(m) => m.line === lineNum,
+				);
+				if (!alreadyMatched) {
+					matches.push({
+						label: "High-Entropy Value",
+						line: lineNum,
+						snippet: `${envMatch[1]}=${mask(value)}`,
+					});
+				}
+			}
+		}
+	}
+
+	return { hasSecrets: matches.length > 0, matches };
+}
+
+/**
+ * Returns true if the buffer likely contains binary data.
+ * Checks the first 512 bytes for null bytes.
+ */
+export function isBinaryContent(content: string): boolean {
+	const sample = content.slice(0, 512);
+	return sample.includes("\0");
+}

package/node_modules/pi-mono-sentinel/session.ts

@@ -0,0 +1,95 @@
+import type { ScanResult, WriteEntry } from "./types.js";
+import {
+	loadReadWhitelist,
+	loadWhitelist,
+	saveReadWhitelist,
+	saveWhitelist,
+} from "./whitelist.js";
+
+/**
+ * Session-scoped state for Sentinel guards.
+ *
+ * Tracks files written during the session (Gap 3) and caches scan results
+ * to avoid redundant filesystem reads (Gap 2).
+ * Reset on every `session_start`.
+ *
+ * Also holds the persistent whitelist loaded from disk so that user
+ * decisions to "allow and remember" a path survive across sessions.
+ */
+export class SentinelSession {
+	/** Files written during this session, keyed by absolute path. */
+	private writeRegistry = new Map<string, WriteEntry>();
+
+	/** Scan-result cache keyed by absolute path. Invalidated when mtime changes. */
+	private scanCache = new Map<string, { mtimeMs: number; result: ScanResult }>();
+
+	/** Persistent whitelist of paths the user chose to remember. */
+	private whitelist = loadWhitelist();
+
+	/** Persistent whitelist of read paths that are safe despite secret matches. */
+	private readWhitelist = loadReadWhitelist();
+
+	/** Clear all session state (called on session_start). */
+	reset(): void {
+		this.writeRegistry.clear();
+		this.scanCache.clear();
+		// whitelist is intentionally NOT cleared here so it persists across sessions
+	}
+
+	// -- Write registry (Gap 3) ------------------------------------------------
+
+	registerWrite(entry: WriteEntry): void {
+		this.writeRegistry.set(entry.path, entry);
+	}
+
+	getWrite(absolutePath: string): WriteEntry | undefined {
+		return this.writeRegistry.get(absolutePath);
+	}
+
+	// -- Scan cache (Gap 2) ----------------------------------------------------
+
+	getCachedScan(
+		absolutePath: string,
+		currentMtimeMs: number,
+	): ScanResult | undefined {
+		const cached = this.scanCache.get(absolutePath);
+		if (!cached) return undefined;
+		if (cached.mtimeMs !== currentMtimeMs) {
+			this.scanCache.delete(absolutePath);
+			return undefined;
+		}
+		return cached.result;
+	}
+
+	cacheScan(
+		absolutePath: string,
+		mtimeMs: number,
+		result: ScanResult,
+	): void {
+		this.scanCache.set(absolutePath, { mtimeMs, result });
+	}
+
+	invalidateScanCache(absolutePath: string): void {
+		this.scanCache.delete(absolutePath);
+	}
+
+	// -- Whitelist (permission-gate persistence) -------------------------------
+
+	isWhitelisted(absolutePath: string): boolean {
+		return this.whitelist.has(absolutePath);
+	}
+
+	addToWhitelist(absolutePath: string): void {
+		this.whitelist.add(absolutePath);
+		saveWhitelist(this.whitelist);
+	}
+
+	isReadWhitelisted(absolutePath: string): boolean {
+		return this.readWhitelist.has(absolutePath);
+	}
+
+	addToReadWhitelist(absolutePath: string): void {
+		this.readWhitelist.add(absolutePath);
+		saveReadWhitelist(this.readWhitelist);
+	}
+}