npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@majorgilles/pi-permissions

v1.0.1

Published

Simplified auto/ask guardrails for pi tool calls.

Downloads

910

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

majorgillesmajorgilles

Keywords

pi-packagepi-extensionpipermissionsguardrails

Readme

Pi Permissions Extension

Simplified auto/ask guardrails for pi tool calls.

The extension now has only two permission behaviors:

  • dangerous bash commands are always flagged in both modes
  • ask mode shows read-only diffs for write and edit with Allow/Deny controls

Granular session/project/global allowlists, custom-tool approvals, bash prefix approvals, path deny/sensitive rules, and persisted permission grants have been removed.

Install

pi install git:github.com/majorgilles/pi-permissions

For a one-off run without adding it to settings:

pi -e git:github.com/majorgilles/pi-permissions

Files

  • Package extension entrypoint: index.ts
  • Optional global preferences: ~/.pi/agent/permissions.json
  • Optional project preferences: .pi/permissions.json

Preference files only configure the default mode and optional vim editor setting. Legacy granular permission fields are ignored.

Loading

When installed with pi's package manager, the extension loads automatically on startup.

If pi is already running, use:

/reload

When loaded, the footer/status area shows the active mode:

permissions: auto

or:

permissions: ask

Modes

  • auto (default): reads, writes/edits, non-dangerous bash commands, and custom tools are allowed automatically. Dangerous bash commands still prompt or block.
  • ask: reads, non-dangerous bash commands, and custom tools are allowed automatically. write and edit show a read-only diff with Allow/Deny controls. Dangerous bash commands still prompt or block.

Toggle for the current session:

/permissions-auto on
/permissions-auto off

or:

/permissions-mode auto
/permissions-mode ask

To choose the startup mode by preference, set top-level config field "mode": "ask" or "mode": "auto".

Default behavior

| Tool | Ask mode | Auto mode | | --- | --- | --- | | read | Allowed. | Allowed. | | bash | Allowed unless classified as dangerous. Dangerous commands prompt/block. | Allowed unless classified as dangerous. Dangerous commands prompt/block. | | write | Shows a read-only diff, then asks Allow/Deny. | Allowed. | | edit | Shows a read-only diff of the proposed replacements, then asks Allow/Deny. | Allowed. | | unknown/custom tools | Allowed. | Allowed. | | no UI | Blocks approval-required dangerous bash and ask-mode write/edit diffs. | Blocks approval-required dangerous bash; otherwise allows. |

Dangerous commands

Danger checks run before mode behavior.

The extension blocks obviously catastrophic recursive deletes, such as broad rm -rf against /, ~, ., or *.

It requires approval for risky patterns such as:

  • recursive deletes like rm -rf path
  • sudo / su
  • git clean ... -f
  • git reset --hard / --merge / --keep
  • git checkout -- ..., git restore ., etc.
  • recursive chmod -R / chown -R
  • disk operations such as dd, mkfs, fdisk, diskpart
  • curl ... | sh, wget ... | bash, etc.

These checks are heuristic and should not be treated as a complete sandbox.

Write/edit diff approvals

In ask mode, write and edit show a read-only Claude-Code-style diff with transparent-style red backgrounds for deletions, transparent-style green backgrounds for additions, and syntax highlighting for recognized source-code file types.

Use arrow keys or j/k to scroll the diff, left/right or Tab to choose Allow/Deny, and Enter to choose. Choosing Deny (including via Esc, n, or d) opens a text input where you can tell pi what to do instead; that feedback is returned to the model as the blocked tool result. Submit blank to deny without feedback, or press Esc in the text input to return to the diff review. The proposed output cannot be edited in the approval UI; approving runs the original tool call exactly as produced.

In auto mode, write and edit are accepted automatically.

Preferences

Global preferences live at:

~/.pi/agent/permissions.json

Project preferences live at:

.pi/permissions.json

Example:

{
  "version": 2,
  "mode": "auto",
  "mainEditor": {
    "vimMode": false
  }
}

Preference fields

  • mode: "ask" or "auto"; default startup mode ("auto" unless configured otherwise). Session commands can override it until reload/restart.
  • mainEditor.vimMode: replace pi's main input editor with a simple vim-style modal editor.

Legacy fields such as bash.allowExact, bash.allowPrefixes, bash.denyPatterns, tools.allow, paths.denyRead, paths.denyWrite, and paths.sensitive are intentionally ignored.

Admin commands

/permissions

Show the effective simplified guardrail summary.

/permissions-auto [on|off|toggle]

Toggle auto/ask mode for the current session.

/permissions-mode [ask|auto]

Show or set the current session permission mode.

/permissions-edit global

Open ~/.pi/agent/permissions.json in an editor and reload it after saving valid JSON preferences.

/permissions-edit project

Open .pi/permissions.json for the current working directory and reload it after saving valid JSON preferences.

/permissions-reload

Reload global and project preferences without restarting pi.

Vim mode

Vim bindings are off by default.

Set mainEditor.vimMode to true in preferences:

{
  "mainEditor": { "vimMode": true }
}

Implemented normal-mode keys include:

  • Esc: insert mode → normal mode
  • i: normal mode → insert mode
  • a: append / insert after cursor
  • h, j, k, l: movement
  • 0, $: line start/end
  • x: delete character

Write/edit diff approval is read-only and does not use vim mode.

Limitations

  • This is a guardrail, not a sandbox. Extensions run with your user permissions.
  • Dangerous bash classification is heuristic; shell syntax can hide side effects.
  • Reads/writes are intentionally unrestricted in auto mode.
  • Write/edit diff approval is line-based; very large diffs may be shown as a full replacement preview.
  • Non-interactive mode blocks approval-required actions rather than prompting.

Checking

Validate package contents with:

npm pack --dry-run

After changing the extension code or preferences, reload pi with:

/reload

or use:

/permissions-reload

for preference-only changes.

License

This source is available under the PolyForm Noncommercial License 1.0.0. You may download, copy, modify, and share it for noncommercial purposes. Commercial use is not permitted without separate written permission.