pi-sensitive-guard

v0.3.0

Pi extension that protects sensitive files, blocks secret writes, and optionally redacts protected read output.

Sensitive-file protection extension for the Pi coding agent.

pi-sensitive-guard blocks unsafe access to secret-bearing files, scans writes and Git diffs for common credential patterns, and can optionally return redacted protected reads for trusted workflows.

Features

  • Protects .env, credential, private-key, and secret files from reads, writes, deletes, shell commands, commits, and pushes.
  • Scans write/edit content and Git commit/push diffs for common high-severity secret patterns.
  • Keeps runtime configuration simple with top-level enable/disable, debug logging, read-redaction controls, protected-edit controls, and the /sensitive-guard menu.
  • Allows optional non-sensitive edits to protected files when protectedFileEdits.enabled is explicitly enabled.
  • Redacts structured JSON values, key/value assignments, embedded assignments, private keys, and known secret patterns while preserving safe output shape.
  • Writes debug output only to the extension-local debug/ directory when debug is enabled.
  • Emits/logs blocked-event metadata after redacting sensitive values.

Installation

Local extension folder

Place this folder in one of Pi's auto-discovery locations:

# Global default (when PI_CODING_AGENT_DIR is unset)
~/.pi/agent/extensions/pi-sensitive-guard

# Project-specific
.pi/extensions/pi-sensitive-guard

npm package

pi install npm:pi-sensitive-guard

Git repository

pi install git:github.com/MasuRii/pi-sensitive-guard

Usage

pi-sensitive-guard runs automatically after Pi loads the extension. It inspects tool calls before execution and blocks protected file access or detected secret writes with a clear TUI notification.

Typical protected flows include:

  • reading .env, key, token, credential, and private-key files;
  • writing or editing content that matches high-confidence secret patterns;
  • shell commands that read, write, delete, commit, or push protected secret-bearing files;
  • optional protected reads with redacted output when readRedaction.enabled is set to true.
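
To make the redacted-read behaviour concrete, here is an added sketch (not pi-sensitive-guard's own code) of shape-preserving redaction for three of the listed cases: JSON values, key/value assignments and private-key blocks. The `[REDACTED]` marker, the regexes and the function names are assumptions chosen for illustration.

```javascript
// Added illustration, not the extension's code; marker text and regexes are assumptions.
const MARK = "[REDACTED]";
// PEM private-key block: keep the BEGIN/END lines, drop the body.
const PEM = /(-----BEGIN ([A-Z ]*)PRIVATE KEY-----)[\s\S]*?(-----END \2PRIVATE KEY-----)/g;
// KEY=value or KEY: value, optionally prefixed by "export ".
const ASSIGN = /^(\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_.-]*\s*[=:]\s*)(.*)$/;

// Replace every scalar in parsed JSON; keys, nesting and array lengths survive.
function redactJsonValue(v) {
  if (Array.isArray(v)) return v.map(redactJsonValue);
  if (v !== null && typeof v === "object") {
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, redactJsonValue(x)]));
  }
  return MARK;
}

function redactText(text) {
  const trimmed = text.trim();
  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
    try {
      return JSON.stringify(redactJsonValue(JSON.parse(trimmed)), null, 2);
    } catch {
      // Not valid JSON: fall through to line-based handling.
    }
  }
  return text
    .replace(PEM, `$1\n${MARK}\n$3`)
    .split(/\r?\n/) // CRLF-safe: a trailing \r would stop ASSIGN from matching
    .map((line) => {
      if (/^\s*#/.test(line) || line.trim() === "") return line; // comments, blanks
      const m = ASSIGN.exec(line);
      if (!m || m[2] === "") return line; // not an assignment, or nothing to hide
      const quote = /^(["']).*\1$/.test(m[2]) ? m[2][0] : "";
      return `${m[1]}${quote}${MARK}${quote}`; // keep key, separator and quoting
    })
    .join("\n");
}

// Constructed sample of a protected .env file; every value is fake.
const SAMPLE_ENV = [
  "# database settings",
  "DB_HOST=db.internal.example",
  'export API_TOKEN="constructed-token-value"',
  "-----BEGIN PRIVATE KEY-----",
  "Q09OU1RSVUNURUQ=",
  "-----END PRIVATE KEY-----",
].join("\r\n");

console.log(redactText(SAMPLE_ENV));
```

Keys, comments, quoting and the PEM header lines stay readable, so the agent can still reason about the file's structure without seeing any value.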

/sensitive-guard command

Use /sensitive-guard inside Pi to open the interactive configuration menu. The menu can toggle the guard, read redaction, shell-output redaction, blocked-event logging, debug logging, content scanning, protected-file safe edits, and redaction limits without editing JSON by hand.

Additional command forms:

  • /sensitive-guard status shows the resolved runtime configuration summary.
  • /sensitive-guard edit opens the raw config.json editor.

After changing configuration, run /reload or restart Pi so the guard reloads its rules.

Configuration

Runtime configuration is stored at:

Default global path: ~/.pi/agent/extensions/pi-sensitive-guard/config.json
Actual global path: $PI_CODING_AGENT_DIR/extensions/pi-sensitive-guard/config.json when PI_CODING_AGENT_DIR is set

config.json is a user-local runtime file. It is gitignored and excluded from npm package contents. A starter template is included at config/config.example.json.

Configuration options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| enabled | boolean | true | Enable or disable all sensitive-file protection. |
| debug | boolean | false | Enable file-only debug logging under debug/debug.log. |
| readRedaction.enabled | boolean | false | Allow redacted read output instead of hard-blocking eligible protected reads. |
| readRedaction.includeShellOutput | boolean | false | Also redact shell-command output when protected files are read through shell commands. |
| readRedaction.scope | protectedOnly \| allOutput | protectedOnly | Choose whether redaction applies only to protected read flows or to every read/shell output path covered by the redaction settings. |
| protectedFileEdits.enabled | boolean | false | Allow safe non-sensitive write/edit changes to protected files; sensitive key/value, structure, or secret-bearing edits remain blocked. |

Example config

{
  "enabled": true,
  "debug": false,
  "readRedaction": {
    "enabled": false,
    "includeShellOutput": false,
    "scope": "protectedOnly"
  },
  "blockedEvents": {
    "emit": true,
    "log": true,
    "logPath": "logs/blocked-events.jsonl"
  },
  "protectedFileEdits": {
    "enabled": false
  }
}

Changes take effect after /reload.
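
A drift check for config.json, added here as an example and not shipped with the extension: it resolves the documented config path and reports options that are mistyped, outside their allowed values, or changed from the defaults in the table above. Function names are hypothetical, and treating an absent option as its default is an assumption.

```javascript
// Added audit sketch, not part of pi-sensitive-guard; defaults copied from the options table.
const DOCUMENTED = {
  "enabled": { def: true, type: "boolean" },
  "debug": { def: false, type: "boolean" },
  "readRedaction.enabled": { def: false, type: "boolean" },
  "readRedaction.includeShellOutput": { def: false, type: "boolean" },
  "readRedaction.scope": { def: "protectedOnly", type: "string", oneOf: ["protectedOnly", "allOutput"] },
  "protectedFileEdits.enabled": { def: false, type: "boolean" },
};

// Documented rule: $PI_CODING_AGENT_DIR when set, otherwise ~/.pi/agent.
// Assumption: an empty variable is treated as unset. POSIX-style separators only.
function configPath(env, home) {
  const base = env.PI_CODING_AGENT_DIR || `${home}/.pi/agent`;
  return `${base.replace(/\/+$/, "")}/extensions/pi-sensitive-guard/config.json`;
}

// Walk a dotted key; undefined when any segment is missing.
function lookup(obj, dotted) {
  return dotted.split(".").reduce(
    (o, k) => (o !== null && typeof o === "object" ? o[k] : undefined), obj);
}

// One finding per option that is mistyped, outside its allowed values, or off its default.
function auditConfig(jsonText) {
  let config;
  try { config = JSON.parse(jsonText); } catch (e) { return [{ key: "(file)", issue: "invalid-json" }]; }
  const findings = [];
  for (const [key, spec] of Object.entries(DOCUMENTED)) {
    const value = lookup(config, key);
    if (value === undefined) continue; // absent: assumed to fall back to the default
    if (typeof value !== spec.type) findings.push({ key, issue: "wrong-type", value });
    else if (spec.oneOf && !spec.oneOf.includes(value)) findings.push({ key, issue: "unknown-value", value });
    else if (value !== spec.def) findings.push({ key, issue: "non-default", value });
  }
  return findings;
}

// Constructed config showing each finding type.
const LOOSENED = JSON.stringify({
  enabled: "true",
  readRedaction: { enabled: true, scope: "everything" },
  protectedFileEdits: { enabled: true },
});

console.log(configPath({}, "/home/dev"), auditConfig(LOOSENED));
```

Keys outside the options table, such as blockedEvents in the example config, are ignored by this check.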

Validation

npm run build
npm run lint
npm run test
npm run check
npm run package:dry-run

Publishing

The package metadata follows the same publish-ready shape used by established Pi extensions:

  • entrypoint: index.ts
  • package exports: ../index.ts
  • Pi extension manifest: pi.extensions
  • published files: source, README, changelog, license, and config template
  • runtime config.json, debug/, logs/, and test artifacts excluded from npm publication

Note: The package requires Node.js >=22 because its shell parser dependency declares the same minimum engine.

License

MIT