@davehardy20/pi-safe-tools

Pi safety bundle: safe command runners, damage prevention, and secret redaction.

Install @davehardy20/pi-safe-tools from npm and Pi will load the resources declared by the package manifest.

$ pi install npm:@davehardy20/pi-safe-tools
Package: @davehardy20/pi-safe-tools
Version: 0.1.0
Published: May 17, 2026
Downloads: not available
Author: davehardy20
License: MIT
Types: extension
Size: 108.7 KB
Dependencies: 1 dependency · 2 peers
Pi manifest JSON
{
  "extensions": [
    "./src/extensions/safe-command-tools.ts",
    "./src/extensions/rm-rf-blocker.ts",
    "./src/extensions/secret-guard.ts"
  ]
}

Security note

Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.

README

What it adds

Safe command runners

Seven trusted tool wrappers that bypass bash and invoke executables directly with validated arguments:

  • run_biome — Biome lint/format check
  • run_vitest — Vitest test runner
  • run_typecheck — TypeScript tsc --noEmit
  • run_pytest — pytest test runner
  • run_cargo_test — Cargo test runner
  • git_safe — Restricted git operations (status, diff, add, commit, push, init) with secret-scan preflight
  • gh_safe — Restricted GitHub CLI operations (repo create, PR create/edit/merge/view)
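
The approach described above (no shell, validated arguments), shown as an added example that is not the package's own code: a deny-by-default argv builder for the git_safe subcommands. The per-subcommand flag lists and the names `buildGitArgv`, `GIT_POLICY` and `SAFE_REF` are assumptions for illustration; the returned array is meant for Node's `child_process.execFile`, which spawns no shell by default.

```typescript
// Added example, not pi-safe-tools source. Flag lists below are assumptions.
type Positional = "paths" | "refs" | "none";
type Policy = { flags: string[]; valueFlags: string[]; positional: Positional };

// Subcommands are the ones the README lists for git_safe.
const GIT_POLICY: Record<string, Policy> = {
  status: { flags: ["--short", "--porcelain"], valueFlags: [], positional: "paths" },
  diff: { flags: ["--staged", "--stat", "--name-only"], valueFlags: [], positional: "paths" },
  add: { flags: ["--all", "--update"], valueFlags: [], positional: "paths" },
  commit: { flags: [], valueFlags: ["-m"], positional: "none" },
  push: { flags: ["--set-upstream"], valueFlags: [], positional: "refs" },
  init: { flags: ["--quiet"], valueFlags: [], positional: "none" },
};

// Remote and branch names: must not start with "-" and carry no odd characters.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

// Returns the argv for execFile("git", argv), or throws if anything falls
// outside the allowlist. Nothing here is ever parsed by a shell.
function buildGitArgv(sub: string, args: string[]): string[] {
  // Own-property check so inherited keys such as "constructor" never match.
  if (!Object.prototype.hasOwnProperty.call(GIT_POLICY, sub)) {
    throw new Error(`subcommand not allowed: ${sub}`);
  }
  const policy = GIT_POLICY[sub];
  const opts: string[] = [];
  const rest: string[] = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (policy.valueFlags.indexOf(arg) !== -1) {
      // The next element is the flag's value, kept verbatim as one argv entry.
      if (i + 1 >= args.length) throw new Error(`${arg} needs a value`);
      opts.push(arg, args[++i]);
    } else if (arg.charAt(0) === "-") {
      if (policy.flags.indexOf(arg) === -1) throw new Error(`flag not allowed: ${arg}`);
      opts.push(arg);
    } else {
      rest.push(arg);
    }
  }
  if (policy.positional === "none") {
    if (rest.length > 0) throw new Error(`${sub} takes no positional arguments`);
    return [sub, ...opts];
  }
  if (policy.positional === "refs") {
    for (const r of rest) if (!SAFE_REF.test(r)) throw new Error(`bad ref: ${r}`);
    return [sub, ...opts, ...rest];
  }
  // "--" ends option parsing, so every remaining element is read as a path.
  return [sub, ...opts, "--", ...rest];
}
```

Because the commit message travels as a single argv element, characters such as `;` or `$( )` in it reach git as literal text rather than being interpreted.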

Damage prevention (rm-rf-blocker)

Intercepts every tool_call event and evaluates it against configurable rules:

  • Blocked command patterns (hard block)
  • Whitelist-mode bash policy (deny-by-default)
  • Zero-access path restrictions
  • Read-only path enforcement
  • No-delete path enforcement
  • Secret scanning in git add/commit/push
  • Confirmation prompts for dangerous commands

Rules are loaded from ~/.pi/damage-prevention-rules.yaml (global) and .pi/damage-prevention-rules.yaml (project-local).

Secret guard

Redacts secrets from four surfaces:

  1. User input — before it enters the session
  2. Context messages — before they are sent to the LLM
  3. Bash tool calls — before commands execute
  4. Tool results — before they are stored in conversation history

Secret patterns cover API keys, tokens, credentials, and generic secret assignments.

Status command

  • /safe-tools-status — reports package name, version, source path, and loaded rule counts

Install

From a local checkout during development:

pi install /Users/dave/tools/pi-safe-tools

From git:

pi install git:github.com/davehardy20/pi-safe-tools

From npm:

pi install npm:@davehardy20/pi-safe-tools

For one run only:

pi -e /Users/dave/tools/pi-safe-tools

Settings

The damage prevention rules are configured via damage-prevention-rules.yaml:

  • Global: ~/.pi/damage-prevention-rules.yaml
  • Project: <project-root>/.pi/damage-prevention-rules.yaml

See the bundled default rules in src/shared/damage-prevention-rules.ts for the full schema.

The secret guard uses compiled regex patterns from src/shared/secret-patterns.ts.

Troubleshooting

Run /safe-tools-status to confirm:

  • package name and version
  • loaded source path
  • damage-prevention rule source (default/global/project)
  • total rule count

If commands appear twice, Pi may be loading both the package and the old local extension. Disable or remove the old local auto-discovered extensions (safe-command-tools.ts, rm-rf-blocker.ts, secret-guard.ts) from ~/.pi/agent/extensions/ before reload verification.

Update flow

  1. Update the package repo
  2. Push to GitHub
  3. Run pi update --extensions or reinstall the package
  4. Run /reload

/reload alone does not fetch newer package commits.

Build and test

npm run typecheck
npm run build
npm test