pi-mono-sentinel 1.6.0 → 1.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +21 -0
- package/README.md +48 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,26 @@
|
|
|
1
1
|
# pi-mono-sentinel
|
|
2
2
|
|
|
3
|
+
## 1.7.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
### Enhanced: status-line
|
|
8
|
+
|
|
9
|
+
- Improved progress rendering and colors in expert mode
|
|
10
|
+
|
|
11
|
+
### Enhanced: team-mode
|
|
12
|
+
|
|
13
|
+
- Reduced leader overhead and parent-session token churn
|
|
14
|
+
|
|
15
|
+
### Fixed: review
|
|
16
|
+
|
|
17
|
+
- Annotate diff lines so the model picks correct line numbers
|
|
18
|
+
- Fix slice chunk around lines for comments in the reviewer TUI
|
|
19
|
+
|
|
20
|
+
### Documentation
|
|
21
|
+
|
|
22
|
+
- Updated root README and sentinel extension README
|
|
23
|
+
|
|
3
24
|
## 1.6.0
|
|
4
25
|
|
|
5
26
|
### Minor Changes
|
package/README.md
ADDED
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# sentinel
|
|
2
|
+
|
|
3
|
+
The `sentinel` extension adds content-aware security guards that intercept tool calls before they execute.
|
|
4
|
+
|
|
5
|
+
It addresses two cross-cutting security gaps that pure command-based guardrails miss:
|
|
6
|
+
|
|
7
|
+
- **Content-in-location** — a file the agent is about to read contains secrets
|
|
8
|
+
- **Indirect execution** — a file the agent wrote earlier in the session is later executed via `bash`
|
|
9
|
+
|
|
10
|
+
## Guards
|
|
11
|
+
|
|
12
|
+
### 1. output-scanner — secret detection on read
|
|
13
|
+
|
|
14
|
+
Pre-reads files before `read` tool calls execute and scans for credential patterns. If secrets are found, the user is asked before the read is allowed. The same guard also intercepts `bash` commands that read file content (`cat`, `head`, `tail`, `less`, `more`) and pre-scans their targets.
|
|
15
|
+
|
|
16
|
+
Detected patterns include:
|
|
17
|
+
|
|
18
|
+
- AWS access and secret keys
|
|
19
|
+
- GitHub personal access and OAuth tokens
|
|
20
|
+
- Anthropic, OpenAI, Slack, Stripe, Google OAuth keys
|
|
21
|
+
- PEM private keys
|
|
22
|
+
- Generic `secret/password/token/api_key = "..."` assignments
|
|
23
|
+
- High-entropy strings above a Shannon-entropy threshold
|
|
24
|
+
|
|
25
|
+
Scan results are cached per file by `mtime` and invalidated via `context-guard:file-modified` events.
|
|
26
|
+
|
|
27
|
+
### 2. execution-tracker — write/execute correlation
|
|
28
|
+
|
|
29
|
+
Two hooks working together:
|
|
30
|
+
|
|
31
|
+
- **Write-time tracking** — every `write` and `edit` tool call is recorded in a session write registry. The new content is scanned for dangerous patterns but the write is never blocked.
|
|
32
|
+
- **Execution-time correlation** — when `bash` runs a script, the path is extracted and checked against the registry. If the script was written in this session and contains dangerous patterns, execution is escalated to the user (or blocked when there is no UI).
|
|
33
|
+
|
|
34
|
+
Flagged patterns include `curl | bash`, `wget | bash`, `eval` against untrusted input, `curl -X POST` exfiltration, `rm -rf`, `chmod 777`, `sudo`, and persistence hooks (`crontab`, `systemctl enable`, `launchctl`).
|
|
35
|
+
|
|
36
|
+
If the target file was modified after the tracked write, it is re-read and re-scanned before the decision — avoiding false positives when the agent rewrote the dangerous content out.
|
|
37
|
+
|
|
38
|
+
## Behavior
|
|
39
|
+
|
|
40
|
+
- **No UI available** — both guards fail safe by blocking with a clear `reason`.
|
|
41
|
+
- **UI available** — the user sees a `confirm()` dialog with the matched labels, line numbers, and snippets, and can allow or deny.
|
|
42
|
+
- Session state (scan cache, write registry) is cleared on `session_start`.
|
|
43
|
+
|
|
44
|
+
## Install
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
pi install npm:pi-mono-sentinel
|
|
48
|
+
```
|