feat: add pi-enclave VM sandbox with secret protection

Author: mgabor3141

.changeset/add-pi-enclave.md

@@ -0,0 +1,14 @@
+---
+"pi-enclave": minor
+---
+
+Initial release of pi-enclave: VM-isolated sandbox with automatic secret protection.
+
+- All tools (bash, read, write, edit) execute inside a Gondolin micro-VM
+- Config-driven secrets with command and env sources, no auto-detection
+- Cascading TOML config: global, drop-in directory (pi-enclave.d/), project
+- Per-host HTTP policies with allow/deny/prompt for method+path patterns
+- GraphQL-aware policy: parses request bodies with the graphql package, checks actual field names (not spoofable operation names)
+- Ships with GitHub drop-in policy: reads allowed, common mutations allowed, destructive operations prompt
+- `/enclave init` creates global config + github.toml drop-in + project config
+- `/enclave on|off` for session toggles, `/enclave add` for interactive package install

packages/enclave/README.md

@@ -0,0 +1,124 @@
+# pi-enclave
+
+> From [yapp](https://github.com/mgabor3141/yapp) · yet another pi pack
+
+VM-isolated sandbox for [pi](https://pi.dev). Runs all tools inside a [Gondolin](https://github.com/earendil-works/gondolin) micro-VM so secrets never enter the agent's execution environment.
+
+```bash
+pi install npm:pi-enclave
+```
+
+Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-aarch64` (Linux).
+
+## How it works
+
+pi-enclave starts an Alpine Linux micro-VM (QEMU/aarch64) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
+
+The core security property: **secrets never enter the VM**. Secrets configured in your TOML config (like `gh auth token`) are resolved on the host, and their values are replaced with random placeholders inside the VM. Gondolin's HTTP proxy substitutes real values on the wire, only for requests to configured hosts.
+
+```
+┌──────────────────────────────────────────────────┐
+│  Gondolin VM (Alpine Linux)                      │
+│                                                  │
+│  /home/user/project ← bidirectional mount        │
+│  GH_TOKEN = "GONDOLIN_SECRET_a8f3..." (placeholder)│
+│  All pi tools execute here                       │
+└────────────────────┬─────────────────────────────┘
+                     │ HTTP
+                     ▼
+┌──────────────────────────────────────────────────┐
+│  HTTP proxy (host-side)                          │
+│  placeholder → real value (only for allowed hosts)│
+└──────────────────────────────────────────────────┘
+```
+
+## Getting started
+
+After installing, run `/enclave init` in any project to enable it:
+
+```
+/enclave init
+```
+
+This creates two files:
+- `~/.pi/agent/extensions/pi-enclave.toml` — global defaults (GitHub policy, secrets)
+- `.pi/enclave.toml` — project config with `enabled = true`
+
+Once enabled, all tools (bash, read, write, edit) execute inside the VM automatically.
+
+## Default behavior
+
+With `/enclave init`, pi-enclave creates a global config with sensible defaults:
+
+1. Starts a VM, mounts your project directory
+2. Installs `git`, `curl`, `jq`, `github-cli`
+3. Resolves `GH_TOKEN` via `gh auth token` (skipped if `gh` is not installed)
+4. GitHub API policy: GET and GraphQL queries are allowed, mutations and other writes prompt for approval
+5. GraphQL policy parses the request body and checks actual field names (not the spoofable operation name)
+6. Redirects all tool execution to the VM
+
+## Configuration
+
+Place `.pi/enclave.toml` in your project (or any ancestor directory).
+
+```toml
+# Enable VM isolation for this project
+enabled = true
+
+# Alpine packages to install
+# packages = ["git", "curl", "jq", "ripgrep", "github-cli"]
+
+# Secrets: resolved on the host, injected via HTTP proxy
+[secrets.GH_TOKEN]
+command = "gh auth token"
+hosts = ["api.github.com", "github.com", "*.githubusercontent.com"]
+
+# [secrets.OPENAI_API_KEY]
+# env = "OPENAI_API_KEY"
+# hosts = ["api.openai.com"]
+
+# Disable a secret inherited from global config
+# [secrets.GH_TOKEN]
+# false
+
+# Host policies: access control for specific hosts
+[hosts."api.github.com"]
+unmatched = "prompt"
+allow.GET = ["/**"]
+
+# GraphQL: parses request body, checks actual field names
+[hosts."api.github.com".graphql]
+endpoint = "/graphql"
+allow.query = ["*"]
+allow.mutation = [
+  "createPullRequest",
+  "createIssue",
+  "addComment",
+]
+```
+
+Config files cascade: global (`~/.pi/agent/extensions/pi-enclave.toml`) is loaded first, then `.pi/enclave.toml` files from ancestor directories (closest wins). Config inside the workspace is protected from modification by the VM via Gondolin's `ShadowProvider`.
+
+### Project overrides
+
+A project can loosen restrictions from the global config:
+
+```toml
+# .pi/enclave.toml
+enabled = true
+
+# Allow all GitHub API operations without prompts
+[hosts."api.github.com"]
+unmatched = "allow"
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/enclave` or `/enclave status` | Show VM state, packages, secrets |
+| `/enclave init` | Create project and global config files, enable enclave |
+| `/enclave on` | Enable VM isolation for this session |
+| `/enclave off` | Disable VM isolation for this session (shuts down VM) |
+| `/enclave restart` | Restart VM on next tool use |
+| `/enclave add <package>` | Search for and install an Alpine package |

packages/enclave/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "pi-enclave",
+  "version": "0.0.1",
+  "description": "VM-isolated sandbox for pi with automatic secret protection · from yapp",
+  "author": "mgabor3141",
+  "license": "MIT",
+  "repository": {
+    "url": "git+https://github.com/mgabor3141/yapp.git",
+    "directory": "packages/enclave"
+  },
+  "keywords": [
+    "pi-package",
+    "pi-extension",
+    "yapp"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "templates",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup"
+  },
+  "pi": {
+    "extensions": [
+      "dist/index.js"
+    ]
+  },
+  "dependencies": {
+    "@earendil-works/gondolin": "^0.6.0",
+    "graphql": "^16.13.1",
+    "smol-toml": "^1.6.0",
+    "valibot": "^1.2.0"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*"
+  },
+  "devDependencies": {
+    "@mariozechner/pi-coding-agent": "^0.57.0",
+    "@types/node": "^25.3.5",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}