@aliou/pi-guardrails

Package details
Install @aliou/pi-guardrails from npm and Pi will load the resources declared by the package manifest.
$ pi install npm:@aliou/pi-guardrails
- Package: @aliou/pi-guardrails
- Version: 0.12.1
- Published: May 18, 2026
- Downloads: 4,808/mo · 977/wk
- Author: aliou
- License: MIT
- Types: extension
- Size: 252.5 KB
- Dependencies: 2 dependencies · 2 peers
Pi manifest JSON
{
  "extensions": [
    "./extensions/path-access/index.ts",
    "./extensions/guardrails/index.ts",
    "./extensions/permission-gate/index.ts"
  ],
  "video": "https://assets.aliou.me/pi-extensions/demos/pi-guardrails.mp4"
}
Security note
Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.
README

Guardrails
Guardrails adds safety checks to Pi so agents are less likely to read secrets, write protected files, access paths outside the workspace, or run dangerous shell commands by accident.
This package installs three Pi extensions:
- guardrails for file protection policies, settings, onboarding, and examples.
- path-access for controlling access outside the current workspace.
- permission-gate for confirming or blocking risky shell commands.
Install
pi install npm:@aliou/pi-guardrails
First run
After installing, run the onboarding command to choose a starting setup:
/guardrails:onboarding

You can change everything later with:
/guardrails:settings
Included extensions
guardrails
The guardrails extension owns file protection policies and the user-facing commands.
Use it to protect files like .env, private keys, local credentials, generated logs, database dumps, or any project-specific path you do not want Pi to read or modify without clear intent.

Useful commands:
/guardrails:settings
/guardrails:onboarding
/guardrails:examples
path-access
The path-access extension checks tool calls that target paths outside the current working directory.
It can allow, block, or ask before Pi accesses files elsewhere on your machine. In ask mode, you can allow one file or a directory once, for the session, or always.
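
The sketch below is an added example, not code from this package: it shows one way an outside-workspace check with allow/block/ask modes and once/session/always grants can be decided. All type and function names are hypothetical, paths are assumed to be absolute POSIX paths, and the check is lexical only.

```typescript
// Added example (hypothetical names); not code from @aliou/pi-guardrails.
type AccessMode = "allow" | "block" | "ask";
interface PathGrant {
  path: string;                          // absolute path the user approved
  kind: "file" | "directory";
  scope: "once" | "session" | "always";
}

// Lexically resolve a POSIX path against cwd, collapsing "." and "..".
// Symlinks are not followed: a real gate must also check the realpath,
// or a link inside the workspace can point outside it.
function resolvePosix(cwd: string, target: string): string[] {
  const joined = target.charAt(0) === "/" ? target : cwd + "/" + target;
  const out: string[] = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out;
}

// Segment-wise prefix test, so "/work/app-old" is not inside "/work/app".
function isInside(dir: string[], p: string[]): boolean {
  return dir.length <= p.length && dir.every((seg, i) => seg === p[i]);
}

// Decide one tool call; `grants` is mutated when a "once" grant is used.
function decideAccess(cwd: string, target: string, mode: AccessMode,
                      grants: PathGrant[]): AccessMode {
  const resolved = resolvePosix(cwd, target);
  if (isInside(resolvePosix("/", cwd), resolved)) return "allow";
  if (mode !== "ask") return mode;       // outside: fixed allow or block
  const hit = grants.filter((g) => {
    const gp = resolvePosix("/", g.path);
    return isInside(gp, resolved) &&
      (g.kind === "directory" || gp.length === resolved.length);
  })[0];
  if (!hit) return "ask";                // no grant covers it: prompt
  if (hit.scope === "once") grants.splice(grants.indexOf(hit), 1);
  return "allow";
}
```

A "session" grant would be dropped when the session ends and an "always" grant persisted to settings; that lifecycle is left out here.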

permission-gate
The permission-gate extension detects dangerous bash commands before they run.
It catches built-in risky patterns like recursive deletes, privileged commands, disk formatting, broad permission changes, and configured custom patterns. You can allow once, allow for the session, deny, or configure auto-deny rules.
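
As an added illustration (not the package's rule set or code), the following sketch gates a bash command line against pattern rules for the categories named above, plus a custom auto-deny rule. The rule names, regular expressions, and the `gate` function are assumptions made for this example.

```typescript
// Added example (hypothetical names and patterns); not the package's rules.
type GateAction = "run" | "ask" | "deny";
interface GateRule { name: string; pattern: RegExp; autoDeny?: boolean }

const BUILT_IN: GateRule[] = [
  { name: "recursive delete",
    pattern: /^rm\s+(.*\s)?(-[a-zA-Z]*[rR][a-zA-Z]*|--recursive)(\s|$)/ },
  { name: "privileged command", pattern: /^(sudo|doas|su)(\s|$)/ },
  { name: "disk formatting",
    pattern: /^(mkfs(\.\w+)?|wipefs)(\s|$)|^dd\s.*\bof=\/dev\// },
  { name: "broad permission change",
    pattern: /^chmod\s+(.*\s)?(-R|[0-7]?777|a\+rwx)(\s|$)/ },
];

// Check every segment of a compound command. The split ignores quoting,
// so a separator inside a quoted string can cause a false positive
// (an extra prompt), never a silent pass of a visible segment.
function gate(command: string, custom: GateRule[], sessionAllowed: string[]):
    { action: GateAction; matched: string[] } {
  const rules = BUILT_IN.concat(custom);
  const matched: string[] = [];
  let deny = false;
  for (const raw of command.split(/&&|\|\||[;|&\n]/)) {
    const seg = raw.trim();
    // Also test the command that follows a bare sudo/doas prefix.
    const inner = seg.replace(/^(sudo|doas)\s+/, "");
    for (const rule of rules) {
      if (rule.pattern.test(seg) || rule.pattern.test(inner)) {
        matched.push(rule.name);
        if (rule.autoDeny) deny = true;
      }
    }
  }
  if (deny) return { action: "deny", matched };   // auto-deny always wins
  if (matched.length === 0 || sessionAllowed.indexOf(command) >= 0) {
    return { action: "run", matched };
  }
  return { action: "ask", matched };              // prompt the user
}
```

"Allow once" corresponds to running after an "ask" without recording the command; "allow for the session" adds the exact command string to `sessionAllowed`.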

Configuration
Most configuration should happen through the interactive settings UI:
/guardrails:settings
Advanced users can edit the settings file directly:
- Global: ~/.pi/agent/extensions/guardrails.json
- Project: .pi/extensions/guardrails.json
Guardrails writes a $schema field to saved settings files, so modern editors provide autocomplete and validation. The generated schema is committed at schema.json.
Examples
Use the examples command to add common policy and command presets without replacing your existing config:
/guardrails:examples

The available presets live in extensions/guardrails/commands/settings/examples.ts.
Similar but different
Pi is designed to make agent safety extensible. Guardrails focuses on deterministic, configurable file policies, outside-workspace path access, and dangerous-command prompts. Other packages tend to fall into two useful groups.
Make one yourself!
If Guardrails or the alternatives below do not fit your needs, you can also make your own. Start from the Pi permission gate example, then ask Pi to customize it for your workflow.
Permission and policy gates
These packages add checks around tool calls before they run. They are closest to Guardrails when you want policy enforcement without changing where Pi executes.
- @gotgenes/pi-permission-system: broad permission enforcement for Pi tool calls.
- @vtstech/pi-security: command, path, network, mode, and audit controls.
- pi-control: location-scoped, action-based policies for tool calls, with allow, log, ask, and deny outcomes before execution.
- @casualjim/pi-heimdall: secret exposure guards, command policies, protected .env files, and a sandbox guard.
- pi-file-permissions: file-level permissions for read, write, edit, find, grep, and ls tools.
- pi-secret-guard: focused protection against committing or pushing secrets to git.
Sandboxes and containment
These packages reduce blast radius by running Pi, subagents, or tool calls inside a constrained environment. They can be a better fit when you want isolation first and prompts second.
- Pi + Gondolin sandbox example: upstream example that runs Pi tools inside a Gondolin micro-VM.
- pi-sandbox: OS-level sandboxing for bash, with allow/deny checks and prompts for file tools.
- pi-container-sandbox: runs read, write, edit, bash, and user bash operations inside a Docker or Apple container session.
- @alexanderfortin/pi-freestyle-sandbox: runs sandboxed subagents in Freestyle cloud VMs.
- @the-agency/vmpi: runs Pi inside a QEMU microVM with limited filesystem and network access.
- pi-claude-sandbox: Claude-style OS sandboxing with interactive permission prompts.
Development
pnpm test # Run tests
pnpm test:watch # Run tests in watch mode
pnpm typecheck # Type check
pnpm lint # Lint
pnpm format # Format
pnpm gen:schema # Regenerate schema.json
pnpm check:schema # Verify schema.json is current