feat: add pi-enclave VM sandbox with secret protection

Author: mgabor3141

.changeset/add-pi-enclave.md

@@ -0,0 +1,12 @@
+---
+"pi-enclave": minor
+---
+
+Initial release of pi-enclave: VM-isolated sandbox with automatic secret protection.
+
+- All tools (bash, read, write, edit) execute inside a Gondolin micro-VM
+- Auto-detects `gh auth token` and provisions secrets with proxy-based injection
+- Cascading TOML config with `enabled` flag, per-host HTTP method+path policies
+- `/enclave init` creates project and global config, `/enclave on|off` for session toggle
+- `/enclave add` with interactive package search and config persistence
+- Zero-config: just `enabled = true` and secrets are protected immediately

packages/enclave/README.md

@@ -0,0 +1,124 @@
+# pi-enclave
+
+> From [yapp](https://github.com/mgabor3141/yapp) · yet another pi pack
+
+VM-isolated sandbox for [pi](https://pi.dev). Runs all tools inside a [Gondolin](https://github.com/earendil-works/gondolin) micro-VM so secrets never enter the agent's execution environment.
+
+```bash
+pi install npm:pi-enclave
+```
+
+Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-aarch64` (Linux).
+
+## How it works
+
+pi-enclave starts an Alpine Linux micro-VM (QEMU/aarch64) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
+
+The core security property: **secrets never enter the VM**. Secrets configured in your TOML config (like `gh auth token`) are resolved on the host, and their values are replaced with random placeholders inside the VM. Gondolin's HTTP proxy substitutes real values on the wire, only for requests to configured hosts.
+
+```
+┌──────────────────────────────────────────────────┐
+│  Gondolin VM (Alpine Linux)                      │
+│                                                  │
+│  /home/user/project ← bidirectional mount        │
+│  GH_TOKEN = "GONDOLIN_SECRET_a8f3..." (placeholder)│
+│  All pi tools execute here                       │
+└────────────────────┬─────────────────────────────┘
+                     │ HTTP
+                     ▼
+┌──────────────────────────────────────────────────┐
+│  HTTP proxy (host-side)                          │
+│  placeholder → real value (only for allowed hosts)│
+└──────────────────────────────────────────────────┘
+```
+
+## Getting started
+
+After installing, run `/enclave init` in any project to enable it:
+
+```
+/enclave init
+```
+
+This creates two files:
+- `~/.pi/agent/extensions/pi-enclave.toml` — global defaults (GitHub policy, secrets)
+- `.pi/enclave.toml` — project config with `enabled = true`
+
+Once enabled, all tools (bash, read, write, edit) execute inside the VM automatically.
+
+## Default behavior
+
+With `/enclave init`, pi-enclave creates a global config with sensible defaults:
+
+1. Starts a VM, mounts your project directory
+2. Installs `git`, `curl`, `jq`, `github-cli`
+3. Resolves `GH_TOKEN` via `gh auth token` (skipped if `gh` is not installed)
+4. GitHub API policy: GET and GraphQL queries are allowed, mutations and other writes prompt for approval
+5. GraphQL policy parses the request body and checks actual field names (not the spoofable operation name)
+6. Redirects all tool execution to the VM
+
+## Configuration
+
+Place `.pi/enclave.toml` in your project (or any ancestor directory).
+
+```toml
+# Enable VM isolation for this project
+enabled = true
+
+# Alpine packages to install
+# packages = ["git", "curl", "jq", "ripgrep", "github-cli"]
+
+# Secrets: resolved on the host, injected via HTTP proxy
+[secrets.GH_TOKEN]
+command = "gh auth token"
+hosts = ["api.github.com", "github.com", "*.githubusercontent.com"]
+
+# [secrets.OPENAI_API_KEY]
+# env = "OPENAI_API_KEY"
+# hosts = ["api.openai.com"]
+
+# Disable a secret inherited from global config
+# [secrets.GH_TOKEN]
+# false
+
+# Host policies: access control for specific hosts
+[hosts."api.github.com"]
+unmatched = "prompt"
+allow.GET = ["/**"]
+
+# GraphQL: parses request body, checks actual field names
+[hosts."api.github.com".graphql]
+endpoint = "/graphql"
+allow.query = ["*"]
+allow.mutation = [
+  "createPullRequest",
+  "createIssue",
+  "addComment",
+]
+```
+
+Config files cascade: global (`~/.pi/agent/extensions/pi-enclave.toml`) is loaded first, then `.pi/enclave.toml` files from ancestor directories (closest wins). Config inside the workspace is protected from modification by the VM via Gondolin's `ShadowProvider`.
+
+### Project overrides
+
+A project can loosen restrictions from the global config:
+
+```toml
+# .pi/enclave.toml
+enabled = true
+
+# Allow all GitHub API operations without prompts
+[hosts."api.github.com"]
+unmatched = "allow"
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/enclave` or `/enclave status` | Show VM state, packages, secrets |
+| `/enclave init` | Create project and global config files, enable enclave |
+| `/enclave on` | Enable VM isolation for this session |
+| `/enclave off` | Disable VM isolation for this session (shuts down VM) |
+| `/enclave restart` | Restart VM on next tool use |
+| `/enclave add <package>` | Search for and install an Alpine package |

packages/enclave/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "pi-enclave",
+  "version": "0.0.1",
+  "description": "VM-isolated sandbox for pi with automatic secret protection · from yapp",
+  "author": "mgabor3141",
+  "license": "MIT",
+  "repository": {
+    "url": "git+https://github.com/mgabor3141/yapp.git",
+    "directory": "packages/enclave"
+  },
+  "keywords": [
+    "pi-package",
+    "pi-extension",
+    "yapp"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup"
+  },
+  "pi": {
+    "extensions": [
+      "dist/index.js"
+    ]
+  },
+  "dependencies": {
+    "@earendil-works/gondolin": "^0.6.0",
+    "graphql": "^16.13.1",
+    "smol-toml": "^1.6.0",
+    "valibot": "^1.2.0"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*"
+  },
+  "devDependencies": {
+    "@mariozechner/pi-coding-agent": "^0.57.0",
+    "@types/node": "^25.3.5",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}