feat: add pi-enclave VM sandbox with secret protection

Author: mgabor3141

.changeset/add-pi-enclave.md

@@ -0,0 +1,12 @@
+---
+"pi-enclave": minor
+---
+
+Initial release of pi-enclave: VM-isolated sandbox with automatic secret protection.
+
+- All tools (bash, read, write, edit) execute inside a Gondolin micro-VM
+- Auto-detects `gh auth token` and provisions secrets with proxy-based injection
+- Cascading TOML config with `enabled` flag, per-host HTTP method+path policies
+- `/enclave init` creates project and global config, `/enclave on|off` for session toggle
+- `/enclave add` with interactive package search and config persistence
+- Zero-config: just `enabled = true` and secrets are protected immediately

packages/enclave/README.md

@@ -0,0 +1,106 @@
+# pi-enclave
+
+> From [yapp](https://github.com/mgabor3141/yapp) · yet another pi pack
+
+VM-isolated sandbox for [pi](https://pi.dev). Runs all tools inside a [Gondolin](https://github.com/earendil-works/gondolin) micro-VM so secrets never enter the agent's execution environment.
+
+```bash
+pi install npm:pi-enclave
+```
+
+Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-aarch64` (Linux).
+
+## How it works
+
+pi-enclave starts an Alpine Linux micro-VM (QEMU/aarch64) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
+
+The core security property: **secrets never enter the VM**. Credential tools on the host (like `gh auth token`) are auto-detected, and their values are replaced with random placeholders inside the VM. Gondolin's HTTP proxy substitutes real values on the wire, only for requests to configured hosts.
+
+```
+┌──────────────────────────────────────────────────┐
+│  Gondolin VM (Alpine Linux)                      │
+│                                                  │
+│  /home/user/project ← bidirectional mount        │
+│  GH_TOKEN = "GONDOLIN_SECRET_a8f3..." (placeholder)│
+│  All pi tools execute here                       │
+└────────────────────┬─────────────────────────────┘
+                     │ HTTP
+                     ▼
+┌──────────────────────────────────────────────────┐
+│  HTTP proxy (host-side)                          │
+│  placeholder → real value (only for allowed hosts)│
+└──────────────────────────────────────────────────┘
+```
+
+## Getting started
+
+After installing, run `/enclave init` in any project to enable it:
+
+```
+/enclave init
+```
+
+This creates two files:
+- `~/.pi/agent/extensions/pi-enclave.toml` — global defaults (commented out template)
+- `.pi/enclave.toml` — project config with `enabled = true`
+
+Once enabled, all tools (bash, read, write, edit) execute inside the VM automatically.
+
+## Zero-config behavior
+
+With `enabled = true` and no other configuration, pi-enclave:
+
+1. Starts a VM, mounts your project directory
+2. Installs `git`, `curl`, `jq`
+3. Auto-detects `gh auth token` and provisions `GH_TOKEN` scoped to GitHub hosts
+4. Allows all outbound HTTP traffic
+5. Redirects all tool execution to the VM
+
+## Configuration
+
+Place `.pi/enclave.toml` in your project (or any ancestor directory).
+
+```toml
+# Enable VM isolation for this project
+enabled = true
+
+# Stop walking up the directory tree
+# root = true
+
+# Alpine packages to install
+# packages = ["git", "curl", "jq", "ripgrep", "github-cli"]
+
+[secrets]
+# Source from a host command
+# GH_TOKEN = { command = "gh auth token", hosts = ["api.github.com", "github.com"] }
+
+# Source from a host environment variable
+# OPENAI_API_KEY = { env = "OPENAI_API_KEY", hosts = ["api.openai.com"] }
+
+# Disable an auto-detected provider
+# GH_TOKEN = false
+
+[network]
+# Restrict outbound access (unset = allow all)
+# allow-hosts = ["api.github.com", "github.com"]
+
+[policy.api-github-com]
+# Per-host HTTP method + path rules (section name = hostname, dots → dashes)
+# GET = ["*"]
+# POST = ["/graphql", "/repos/*/*/pulls"]
+# deny = ["/repos/*/*/pulls/*/merge"]
+# unmatched = "prompt"  # "prompt" (default) | "deny" | "allow"
+```
+
+Config files cascade: global (`~/.pi/agent/extensions/pi-enclave.toml`) is loaded first, then `.pi/enclave.toml` files from ancestor directories (closest wins). Config inside the workspace is protected from modification by the VM via Gondolin's `ShadowProvider`.
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/enclave` or `/enclave status` | Show VM state, packages, secrets, network policy |
+| `/enclave init` | Create project and global config files, enable enclave |
+| `/enclave on` | Enable VM isolation for this session |
+| `/enclave off` | Disable VM isolation for this session (shuts down VM) |
+| `/enclave restart` | Restart VM on next tool use |
+| `/enclave add <package>` | Search for and install an Alpine package |

packages/enclave/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "pi-enclave",
+  "version": "0.0.1",
+  "description": "VM-isolated sandbox for pi with automatic secret protection · from yapp",
+  "author": "mgabor3141",
+  "license": "MIT",
+  "repository": {
+    "url": "git+https://github.com/mgabor3141/yapp.git",
+    "directory": "packages/enclave"
+  },
+  "keywords": [
+    "pi-package",
+    "pi-extension",
+    "yapp"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup"
+  },
+  "pi": {
+    "extensions": [
+      "dist/index.js"
+    ]
+  },
+  "dependencies": {
+    "@earendil-works/gondolin": "^0.6.0",
+    "smol-toml": "^1.6.0",
+    "valibot": "^1.2.0"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*"
+  },
+  "devDependencies": {
+    "@mariozechner/pi-coding-agent": "^0.57.0",
+    "@types/node": "^25.3.5",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}