pi-sage 0.2.11 → 0.2.13

package/.pi/extensions/sage/index.ts

@@ -48,7 +48,11 @@ const SAGE_GUIDANCE = [
   "Sage is advisory-only: treat output as recommendations and implement changes yourself.",
   "Use one focused Sage question per consultation.",
   "If user explicitly requests Sage/second opinion, prefer at least one Sage consultation unless blocked by hard safety limits.",
-  "For `sage_consult` params: `objective` is optional and must be one of debug|design|review|refactor|general (omit if unsure); `urgency` is optional and must be low|medium|high."
+  "For `sage_consult` params: `objective` is optional and must be one of debug|design|review|refactor|general (omit if unsure); `urgency` is optional and must be low|medium|high.",
+  "In git-review-readonly policy, bash must start with an allowed git read command (status|diff|show|log|blame|rev-parse|branch --show-current).",
+  "Read-only pipelines are allowed only with: head, tail, grep, cut, sed, wc, sort, uniq.",
+  "Do not use shell chaining or control operators (e.g., ;, &&, ||, >, <, $, backticks).",
+  "If a bash command is blocked, fall back to ls/glob/grep/read and continue with a best-effort advisory review instead of stopping."
 ].join("\n- ");
 
 export default function registerSageExtension(pi: ExtensionAPI): void {
@@ -104,6 +108,9 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
       "Set force=true when the user explicitly asks for Sage to bypass soft limits.",
       "`objective` is optional: debug|design|review|refactor|general. Omit instead of free text.",
       "`urgency` is optional: low|medium|high.",
+      "For git-review-readonly, prefer plain git read commands and allowed read-only pipelines (head/tail/grep/cut/sed/wc/sort/uniq).",
+      "Avoid shell chaining/control operators (;, &&, ||, >, <, $, backticks).",
+      "If bash is blocked, continue with ls/glob/grep/read and still deliver best-effort findings.",
       "After Sage returns, synthesize recommendations and continue execution."
     ],
     parameters: Type.Object({
@@ -288,7 +295,7 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
             model: resolvedModel,
             reasoningLevel: settings.reasoningLevel,
             blockCode: error.blockCode,
-            reason: error.message,
+            reason: formatRunnerPolicyReason(error.blockCode, error.message),
             allowedByContext: true,
             allowedByBudget: false
           });
@@ -330,6 +337,22 @@ export default function registerSageExtension(pi: ExtensionAPI): void {
   });
 }
 
+function formatRunnerPolicyReason(blockCode: BlockCode, reason: string): string {
+  if (blockCode === "tool-disallowed") {
+    return `${reason}. Use allowed git read commands and read-only pipelines, or continue with ls/glob/grep/read for a best-effort review.`;
+  }
+
+  if (blockCode === "path-denied") {
+    return `${reason}. Restrict file references to workspace paths and avoid sensitive denylist matches.`;
+  }
+
+  if (blockCode === "volume-cap") {
+    return `${reason}. Narrow the request scope or increase caps in /sage-settings if appropriate.`;
+  }
+
+  return reason;
+}
+
 function buildCallerContext(lastInputSource: InputSource | undefined, hasUI: boolean): CallerContext | null {
   if (!lastInputSource) return null;
 

package/.pi/extensions/sage/runner.ts

@@ -343,6 +343,21 @@ function buildSagePrompt(input: SageRunnerInput): string {
   lines.push("You are Sage, an advisory reasoning subagent.");
   lines.push("Provide analysis and recommendations only. Do not claim to have applied changes.");
   lines.push("Keep your response concise and actionable.");
+
+  lines.push("");
+  lines.push("Operational constraints:");
+  lines.push("- Do not run node/npm/cd/tests.");
+
+  if (input.toolPolicy.profile === "git-review-readonly") {
+    lines.push(
+      "- If using bash, only use allowed git read commands (status|diff|show|log|blame|rev-parse|branch --show-current) and allowed read-only pipes (head/tail/grep/cut/sed/wc/sort/uniq)."
+    );
+  } else if (input.toolPolicy.profile === "read-only-lite") {
+    lines.push("- Bash is unavailable in this profile. Use ls/glob/grep/read only.");
+  }
+
+  lines.push("- If a command is blocked or unavailable, continue with ls/glob/grep/read and still deliver best-effort findings.");
+
   lines.push("");
   lines.push(`Question: ${input.question}`);
 

package/.pi/extensions/sage/tool-policy.ts

@@ -11,10 +11,11 @@ const CLI_TOOL_NAME_MAP: Record<string, string> = {
 const READ_ONLY_CUSTOM_ALLOWLIST = new Set(["ls", "glob", "find", "grep", "read"]);
 const HARD_DISALLOWED_TOOLS = new Set(["edit", "write", "bash", "sage_consult"]);
 
-const BASH_META_CHARS = /[;&|><`$\n\r]/;
+const BASH_DISALLOWED_CHARS = /[;&><`$\n\r]/;
 const SAFE_TOKEN = /^[A-Za-z0-9_./:@+=,~%-]+$/;
 
 const GIT_SUBCOMMAND_ALLOWLIST = new Set(["status", "diff", "show", "log", "blame", "rev-parse", "branch"]);
+const PIPE_FILTER_ALLOWLIST = new Set(["head", "tail", "grep", "cut", "sed", "wc", "sort", "uniq"]);
 
 export interface ResolvedToolPolicy {
   profile: ToolPolicySettings["profile"];
@@ -148,34 +149,67 @@ export function validateBashCommandForProfile(
   }
 
   const trimmed = command.trim();
+  const blocked = (reason: string): { ok: false; blockCode: BlockCode; reason: string } => ({
+    ok: false,
+    blockCode: "tool-disallowed",
+    reason: `${reason} (command: ${truncateForReason(trimmed)})`
+  });
+
   if (!trimmed) {
-    return { ok: false, blockCode: "tool-disallowed", reason: "Empty bash command" };
+    return blocked("Empty bash command");
+  }
+
+  if (trimmed.includes("||")) {
+    return blocked("Logical OR (||) is not allowed. Use a single git read command or a read-only pipeline");
+  }
+
+  if (BASH_DISALLOWED_CHARS.test(trimmed)) {
+    return blocked(
+      "Shell control characters are not allowed here. Allowed pattern: git <read-subcommand> [args] optionally piped to head/tail/grep/cut/sed/wc/sort/uniq"
+    );
+  }
+
+  const stages = trimmed
+    .split("|")
+    .map((stage) => stage.trim())
+    .filter(Boolean);
+
+  if (stages.length === 0) {
+    return blocked("Invalid command format");
   }
 
-  if (BASH_META_CHARS.test(trimmed)) {
-    return { ok: false, blockCode: "tool-disallowed", reason: "Shell control characters are not allowed" };
+  const firstStageDecision = validateGitReadStage(stages[0]!);
+  if (!firstStageDecision.ok) return blocked(firstStageDecision.reason);
+
+  for (const stage of stages.slice(1)) {
+    const filterDecision = validatePipeFilterStage(stage);
+    if (!filterDecision.ok) return blocked(filterDecision.reason);
   }
 
-  const tokens = trimmed.split(/\s+/).filter(Boolean);
+  return { ok: true, reason: "allowed" };
+}
+
+function validateGitReadStage(stage: string): { ok: boolean; reason: string } {
+  const tokens = stage.split(/\s+/).filter(Boolean);
   if (tokens.length < 2 || tokens[0] !== "git") {
-    return { ok: false, blockCode: "tool-disallowed", reason: "Only git read-only commands are allowed" };
+    return { ok: false, reason: "First command in a pipeline must be a git read-only command" };
   }
 
   const subcommand = tokens[1] ?? "";
   if (!GIT_SUBCOMMAND_ALLOWLIST.has(subcommand)) {
-    return { ok: false, blockCode: "tool-disallowed", reason: `Git subcommand not allowed: ${subcommand}` };
+    return { ok: false, reason: `Git subcommand not allowed: ${subcommand}` };
   }
 
   for (const token of tokens.slice(2)) {
     if (!SAFE_TOKEN.test(token)) {
-      return { ok: false, blockCode: "tool-disallowed", reason: `Unsafe token in command: ${token}` };
+      return { ok: false, reason: `Unsafe token in git command: ${token}` };
     }
   }
 
   if (subcommand === "branch") {
     const args = tokens.slice(2);
     if (args.length !== 1 || args[0] !== "--show-current") {
-      return { ok: false, blockCode: "tool-disallowed", reason: "Only 'git branch --show-current' is allowed" };
+      return { ok: false, reason: "Only 'git branch --show-current' is allowed" };
     }
   }
 
@@ -183,13 +217,94 @@ export function validateBashCommandForProfile(
     const args = tokens.slice(2);
     const allowedArgs = new Set(["--abbrev-ref", "HEAD"]);
     if (args.some((arg) => !allowedArgs.has(arg))) {
-      return { ok: false, blockCode: "tool-disallowed", reason: "Unsupported git rev-parse arguments" };
+      return { ok: false, reason: "Unsupported git rev-parse arguments" };
+    }
+  }
+
+  return { ok: true, reason: "allowed" };
+}
+
+function validatePipeFilterStage(stage: string): { ok: boolean; reason: string } {
+  const tokens = stage.split(/\s+/).filter(Boolean);
+  if (tokens.length === 0) {
+    return { ok: false, reason: "Empty pipeline stage" };
+  }
+
+  const command = tokens[0] ?? "";
+  if (!PIPE_FILTER_ALLOWLIST.has(command)) {
+    return { ok: false, reason: `Pipeline command not allowed: ${command}` };
+  }
+
+  for (const token of tokens.slice(1)) {
+    if (!SAFE_TOKEN.test(token)) {
+      return { ok: false, reason: `Unsafe token in pipeline command: ${token}` };
     }
   }
 
+  const args = tokens.slice(1);
+  if (command === "head" || command === "tail") {
+    if (args.length === 0) return { ok: true, reason: "allowed" };
+    if (args.length === 2 && args[0] === "-n" && /^\d+$/.test(args[1] ?? "")) {
+      return { ok: true, reason: "allowed" };
+    }
+    return { ok: false, reason: `${command} only supports '-n <number>'` };
+  }
+
+  if (command === "grep") {
+    const allowedFlags = new Set(["-n", "-i", "-F", "-E", "-v"]);
+    for (const arg of args) {
+      if (arg.startsWith("-") && !allowedFlags.has(arg)) {
+        return { ok: false, reason: `grep flag not allowed: ${arg}` };
+      }
+    }
+    return { ok: true, reason: "allowed" };
+  }
+
+  if (command === "cut") {
+    const hasFieldFlag = args.some((arg, index) => arg === "-f" && /^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$/.test(args[index + 1] ?? ""));
+    if (!hasFieldFlag) {
+      return { ok: false, reason: "cut requires '-f <field-spec>'" };
+    }
+    return { ok: true, reason: "allowed" };
+  }
+
+  if (command === "sed") {
+    if (args.length === 2 && args[0] === "-n" && /^\d+(?:,\d+)?p$/.test(args[1] ?? "")) {
+      return { ok: true, reason: "allowed" };
+    }
+    return { ok: false, reason: "sed only supports '-n <start,end>p' or '-n <line>p'" };
+  }
+
+  if (command === "wc") {
+    if (args.length === 1 && args[0] === "-l") {
+      return { ok: true, reason: "allowed" };
+    }
+    return { ok: false, reason: "wc only supports '-l'" };
+  }
+
+  if (command === "sort") {
+    if (args.length === 0 || (args.length === 1 && args[0] === "-u")) {
+      return { ok: true, reason: "allowed" };
+    }
+    return { ok: false, reason: "sort only supports optional '-u'" };
+  }
+
+  if (command === "uniq") {
+    if (args.length === 0 || (args.length === 1 && args[0] === "-c")) {
+      return { ok: true, reason: "allowed" };
+    }
+    return { ok: false, reason: "uniq only supports optional '-c'" };
+  }
+
   return { ok: true, reason: "allowed" };
 }
 
+function truncateForReason(command: string): string {
+  const singleLine = command.replace(/\s+/g, " ").trim();
+  if (singleLine.length <= 140) return singleLine;
+  return `${singleLine.slice(0, 137)}...`;
+}
+
 function normalizePath(pathValue: string): string {
   return pathValue.replace(/\\/g, "/").toLowerCase();
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-sage",
-  "version": "0.2.11",
+  "version": "0.2.13",
   "private": false,
   "type": "module",
   "description": "Interactive-only advisory Sage extension for Pi",