pi-mono-sentinel 1.6.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +21 -0
  2. package/README.md +48 -0
  3. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,26 @@
1
1
  # pi-mono-sentinel
2
2
 
3
+ ## 1.7.0
4
+
5
+ ### Minor Changes
6
+
7
+ ### Enhanced: status-line
8
+
9
+ - Improved progress rendering and colors in expert mode
10
+
11
+ ### Enhanced: team-mode
12
+
13
+ - Reduced leader overhead and parent-session token churn
14
+
15
+ ### Fixed: review
16
+
17
+ - Annotate diff lines so the model picks correct line numbers
18
+ - Fix slice chunk around lines for comments in the reviewer TUI
19
+
20
+ ### Documentation
21
+
22
+ - Updated root README and sentinel extension README
23
+
3
24
  ## 1.6.0
4
25
 
5
26
  ### Minor Changes
package/README.md ADDED
@@ -0,0 +1,48 @@
1
+ # sentinel
2
+
3
+ The `sentinel` extension adds content-aware security guards that intercept tool calls before they execute.
4
+
5
+ It addresses two cross-cutting security gaps that pure command-based guardrails miss:
6
+
7
+ - **Content-in-location** — a file the agent is about to read contains secrets
8
+ - **Indirect execution** — a file the agent wrote earlier in the session is later executed via `bash`
9
+
10
+ ## Guards
11
+
12
+ ### 1. output-scanner — secret detection on read
13
+
14
+ Pre-reads files before `read` tool calls execute and scans for credential patterns. If secrets are found, the user is asked before the read is allowed. The same guard also intercepts `bash` commands that read file content (`cat`, `head`, `tail`, `less`, `more`) and pre-scans their targets.
15
+
16
+ Detected patterns include:
17
+
18
+ - AWS access and secret keys
19
+ - GitHub personal access and OAuth tokens
20
+ - Anthropic, OpenAI, Slack, Stripe, Google OAuth keys
21
+ - PEM private keys
22
+ - Generic `secret/password/token/api_key = "..."` assignments
23
+ - High-entropy strings above a Shannon-entropy threshold
24
+
25
+ Scan results are cached per file by `mtime` and invalidated via `context-guard:file-modified` events.
26
+
27
+ ### 2. execution-tracker — write/execute correlation
28
+
29
+ Two hooks working together:
30
+
31
+ - **Write-time tracking** — every `write` and `edit` tool call is recorded in a session write registry. The new content is scanned for dangerous patterns but the write is never blocked.
32
+ - **Execution-time correlation** — when `bash` runs a script, the path is extracted and checked against the registry. If the script was written in this session and contains dangerous patterns, execution is escalated to the user (or blocked when there is no UI).
33
+
34
+ Flagged patterns include `curl | bash`, `wget | bash`, `eval` against untrusted input, `curl -X POST` exfiltration, `rm -rf`, `chmod 777`, `sudo`, and persistence hooks (`crontab`, `systemctl enable`, `launchctl`).
35
+
36
+ If the target file was modified after the tracked write, it is re-read and re-scanned before the decision — avoiding false positives when the agent rewrote the dangerous content out.
37
+
38
+ ## Behavior
39
+
40
+ - **No UI available** — both guards fail safe by blocking with a clear `reason`.
41
+ - **UI available** — the user sees a `confirm()` dialog with the matched labels, line numbers, and snippets, and can allow or deny.
42
+ - Session state (scan cache, write registry) is cleared on `session_start`.
43
+
44
+ ## Install
45
+
46
+ ```bash
47
+ pi install npm:pi-mono-sentinel
48
+ ```
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pi-mono-sentinel",
3
- "version": "1.6.0",
3
+ "version": "1.7.0",
4
4
  "description": "Pi extension that guards against content-based secret leaks and indirect script execution",
5
5
  "keywords": [
6
6
  "pi-package",