feat: add pi-enclave VM sandbox with secret protection

Author: mgabor3141

.changeset/add-pi-enclave.md

@@ -0,0 +1,19 @@
+---
+"pi-enclave": minor
+---
+
+Initial release of pi-enclave: VM-isolated enclave with automatic secret protection.
+
+- All tools (bash, read, write, edit) execute inside a Gondolin micro-VM
+- Modular drop-in config files (`pi-enclave.d/`): git, jj, GitHub ship by default
+- Generic `[env]` section: inject host values (static, command, env var) into the VM
+- `setup` scripts per drop-in: raw shell, run after package install
+- Secrets with HTTP proxy injection (never enter the VM)
+- `[[git-credentials]]` for explicit git auth over HTTPS
+- Per-host HTTP policies with allow/deny/prompt for method+path patterns
+- GraphQL-aware policy: parses request bodies, checks actual field names (not spoofable operation names)
+- `[[mounts]]` for additional directories (e.g. jj workspace parent repos)
+- Cascading config: global + drop-ins + ancestor directories + project
+- Packages accumulate additively across all config layers
+- `/enclave init`, `/enclave on|off`, `/enclave add` with interactive search
+- Eager VM startup on session start/resume

README.md

@@ -2,16 +2,20 @@
 
 ***y**et **a**nother **p**i **p**ack*
 
-Utilities for running [pi](https://pi.dev) agents with less babysitting: auto-review risky shell commands, compress noisy terminal output before it bloats context, and get notified when unattended work finishes.
+Utilities for running [pi](https://pi.dev) agents with less babysitting: sandbox tools in a VM, auto-review risky shell commands, compress noisy terminal output before it bloats context, and get notified when unattended work finishes.
 
 ## The Pack
 
 Install the extensions together, or pick only the ones you want. Defaults are tuned for good behavior out of the box.
 
 ```bash
-pi install npm:pi-safeguard npm:pi-bash-trim npm:pi-desktop-notify npm:pi-no-soft-cursor
+pi install npm:pi-enclave npm:pi-safeguard npm:pi-bash-trim npm:pi-desktop-notify npm:pi-no-soft-cursor
 ```
 
+### [pi-enclave](packages/enclave/)
+
+VM-isolated sandbox. All agent tools (bash, read, write, edit) execute inside a Gondolin micro-VM (QEMU/aarch64 Alpine Linux). Secrets are resolved on the host and injected via HTTP proxy; the VM never sees real credential values. Per-host policies control what the agent can do: GraphQL mutations are checked at the AST level, git pushes require approval, reads pass through. Configuration is modular: drop-in files in `pi-enclave.d/` add tool support (git, jj, GitHub) with their own packages, setup scripts, and policies. Delete a file to disable that integration.
+
 ### [pi-safeguard](packages/safeguard/)
 
 LLM-as-judge guardrail. Every bash command the agent runs is parsed into an AST and checked against known-dangerous patterns — `rm -rf`, reading `.env` files, `curl` with secret variables, `sudo`, and more. Flagged commands go to a smaller model that evaluates them with the full parsed context — structured AST, recent tool history, and user trust directives. The tight scope makes even lightweight models very reliable here. Most dev commands pass silently; you're only interrupted when there's genuine ambiguity.

packages/enclave/README.md

@@ -0,0 +1,161 @@
+# pi-enclave
+
+> From [yapp](https://github.com/mgabor3141/yapp) · yet another pi pack
+
+VM-isolated enclave for [pi](https://pi.dev). Runs all tools inside a [Gondolin](https://github.com/earendil-works/gondolin) micro-VM so secrets never enter the agent's execution environment.
+
+```bash
+pi install npm:pi-enclave
+```
+
+Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-aarch64` (Linux).
+
+## How it works
+
+pi-enclave starts an Alpine Linux micro-VM (QEMU/aarch64) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
+
+The core security property: **secrets never enter the VM**. Secrets configured in your TOML config (like `gh auth token`) are resolved on the host, and their values are replaced with random placeholders inside the VM. Gondolin's HTTP proxy substitutes real values on the wire, only for requests to configured hosts.
+
+```
+┌──────────────────────────────────────────────────┐
+│  Gondolin VM (Alpine Linux)                      │
+│                                                  │
+│  /home/user/project ← bidirectional mount        │
+│  GH_TOKEN = "GONDOLIN_SECRET_a8f3..." (placeholder)│
+│  All pi tools execute here                       │
+└────────────────────┬─────────────────────────────┘
+                     │ HTTP
+                     ▼
+┌──────────────────────────────────────────────────┐
+│  HTTP proxy (host-side)                          │
+│  placeholder → real value (only for allowed hosts)│
+└──────────────────────────────────────────────────┘
+```
+
+## Getting started
+
+```
+/enclave init
+```
+
+This creates:
+- `~/.pi/agent/extensions/pi-enclave.toml` — global config (env vars, base packages)
+- `~/.pi/agent/extensions/pi-enclave.d/` — drop-in files (git, jj, GitHub)
+- `.pi/enclave.toml` — project config with `enabled = true`
+
+Once enabled, all tools (bash, read, write, edit) execute inside the VM automatically.
+
+## Drop-in files
+
+Service integrations live in `pi-enclave.d/` as self-contained TOML files. Each can contribute packages, setup scripts, secrets, and host policies. Delete a file to disable that integration.
+
+```
+~/.pi/agent/extensions/
+├── pi-enclave.toml              # base config: curl, jq, env vars
+└── pi-enclave.d/
+    ├── git.toml                 # git + user identity
+    ├── github.toml              # github-cli + secrets + policies
+    └── jj.toml                  # jujutsu + user identity
+```
+
+Example drop-in (`git.toml`):
+
+```toml
+packages = ["git"]
+setup = """
+git config --global safe.directory '*'
+git config --global user.name "$USER_NAME"
+git config --global user.email "$USER_EMAIL"
+"""
+```
+
+`USER_NAME` and `USER_EMAIL` are defined in the main config as env vars resolved from the host:
+
+```toml
+[env]
+USER_NAME = { command = "git config --global user.name" }
+USER_EMAIL = { command = "git config --global user.email" }
+```
+
+## Configuration
+
+### Env vars
+
+Non-secret values available in the VM and setup scripts. Three source types:
+
+```toml
+[env]
+EDITOR = "vim"                                     # static
+USER_NAME = { command = "git config user.name" }   # host command
+GOPATH = { env = "GOPATH" }                        # host env var
+```
+
+### Secrets
+
+Like env vars, but values never enter the VM. The HTTP proxy injects them on the wire.
+
+```toml
+[secrets.GH_TOKEN]
+command = "gh auth token"
+hosts = ["api.github.com", "github.com", "*.githubusercontent.com"]
+```
+
+### Git credentials
+
+Configures git credential helpers using secret placeholders:
+
+```toml
+[[git-credentials]]
+host = "github.com"
+username = "x-access-token"
+secret = "GH_TOKEN"
+```
+
+### Host policies
+
+Access control per host. `unmatched` determines what happens to requests that don't match any allow/deny rule.
+
+```toml
+[hosts."api.github.com"]
+unmatched = "prompt"
+allow.GET = ["/**"]
+
+[hosts."api.github.com".graphql]
+endpoint = "/graphql"
+allow.query = ["*"]
+allow.mutation = ["createPullRequest", "createIssue", "addComment"]
+```
+
+GraphQL policy parses the request body and checks actual field names (not the spoofable operation name).
+
+### Mounts
+
+Additional directories to mount in the VM (e.g. for jj workspaces):
+
+```toml
+[[mounts]]
+path = "~/dev/myproject/.jj"
+```
+
+### Project overrides
+
+Project configs override global. Packages accumulate; secrets, hosts, and env merge by key (later wins).
+
+```toml
+# .pi/enclave.toml — allow all GitHub operations in this project
+enabled = true
+
+[hosts."api.github.com"]
+unmatched = "allow"
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/enclave` or `/enclave status` | Show VM state, packages, secrets |
+| `/enclave init` | Create project and global config files, enable enclave |
+| `/enclave on` | Enable VM isolation for this session |
+| `/enclave off` | Disable VM isolation for this session (shuts down VM) |
+| `/enclave restart` | Restart VM on next tool use |
+| `/enclave add <package>` | Search for and install an Alpine package |

packages/enclave/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "pi-enclave",
+  "version": "0.0.1",
+  "description": "VM-isolated sandbox for pi with automatic secret protection · from yapp",
+  "author": "mgabor3141",
+  "license": "MIT",
+  "repository": {
+    "url": "git+https://github.com/mgabor3141/yapp.git",
+    "directory": "packages/enclave"
+  },
+  "keywords": [
+    "pi-package",
+    "pi-extension",
+    "yapp"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "templates",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup"
+  },
+  "pi": {
+    "extensions": [
+      "dist/index.js"
+    ]
+  },
+  "dependencies": {
+    "@earendil-works/gondolin": "^0.6.0",
+    "graphql": "^16.13.1",
+    "smol-toml": "^1.6.0",
+    "valibot": "^1.2.0"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*"
+  },
+  "devDependencies": {
+    "@mariozechner/pi-coding-agent": "^0.57.0",
+    "@types/node": "^25.3.5",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}