omair/calvana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e0d80daf9f1737d470f5ce07863982bb1bc85ee
calvana/specs/damage-control.md
IndyDevDan 32dfe122cb 🚀
2026-02-22 20:19:33 -06:00

3.2 KiB
Raw Blame History

Specification: Damage-Control Extension

1. Overview

Damage-Control is a safety and observability extension for the Pi Coding Agent. It enforces security patterns and "Rules of Engagement" by auditing tool calls in real-time. It intercepts potentially dangerous operations and enforces path-based access controls.

2. Core Architecture

  • Rule Engine: Loads .pi/damage-control-rules.yaml on session_start. If missing, it defaults to an empty rule set.
  • Interception Hook: Uses pi.on("tool_call", handler) to evaluate every tool call before execution.
  • Path Resolver: Utility to expand tildes (~) and resolve relative paths against the current working directory (cwd) for accurate matching.

3. Tool Interception Logic

The extension uses isToolCallEventType(toolName, event) for type-safe narrowing of events.

A. Bash Tool (bash)

  • Input Field: event.input.command.
  • Destructive Patterns: Match bashToolPatterns regex against the raw command string.
  • Path Matching: Best-effort heuristic. Match zeroAccessPaths, readOnlyPaths, and noDeletePaths as substrings/regex patterns within the command string.
  • Modification Detection: Block any bash command referencing readOnlyPaths patterns to prevent redirects (>), in-place edits (sed -i), or moves/deletes.

B. File Tools (read, write, edit, grep, find, ls)

  • Input Field: event.input.path.
  • Default Path: For grep, find, and ls, if path is undefined, treat it as ctx.cwd for matching.
  • Access Control:
    • Zero Access: Block if path matches any zeroAccessPaths pattern.
    • Grep Glob: Check the glob field of grep (event.input.glob) against zeroAccessPaths.
    • Read Only: Block write or edit calls if path matches readOnlyPaths.
    • No Delete: Block bash calls involving rm or similar on noDeletePaths.

4. Intervention & UI

  • Status Indicator: Use ctx.ui.setStatus() to show an indicator of active safety rules (e.g., "🛡️ Damage-Control Active: 142 Rules").
  • Violation Feedback: When a violation is blocked or confirmed, update the status temporarily to show the last event (e.g., "⚠️ Last Violation: git reset --hard").
  • Blocking: Return { block: true, reason: "Security Policy Violation: [Reason]" }.
  • User Confirmation (ask: true):
    • For rules with ask: true, the handler must await ctx.ui.confirm(title, message, { timeout: 30000 }).
    • Return { block: !confirmed, reason: "User denied execution" }.
  • Notifications: Use ctx.ui.notify() to alert the user when a rule is triggered.

5. Logging & Persistence

  • Every interception (block or confirm) is logged using pi.appendEntry("damage-control-log", { tool, input, rule, action }). This ensures the security audit is part of the permanent session history.

6. Implementation Notes

  • Path Resolution: Must match against both raw input (e.g., src/main.ts) and absolute resolved paths. Handle ctx.cwd fallback for optional paths.
  • Tilde Expansion: Manually expand ~ to process.env.HOME or os.homedir().
  • Graceful Fallback: If YAML parsing fails, notify the user and continue with no active rules rather than crashing the extension.
Reference in New Issue View Git Blame Copy Permalink