m3tam3re/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: m3tam3re:f7f0c4072e63fe039200925b2927c42868bcffca
Branches Tags
m3tam3re:master
..
compare: m3tam3re:master
Branches Tags
m3tam3re:master

7 Commits
f7f0c4072e ... master

Author SHA1 Message Date
nix-update bot
c6c3ffb548 chore: update flake inputs 2026-05-01 16:01:13 +02:00
nix-update bot
9b423315b3 chore: update flake inputs
All checks were successful
Update Nix Packages with nix-update / nix-update (push) Successful in 2m42s
Details
2026-05-01 04:01:14 +02:00
nix-update bot
14d906ef93 chore: update flake inputs
All checks were successful
Update Nix Packages with nix-update / nix-update (push) Successful in 2m36s
Details
2026-04-30 16:01:17 +02:00
nix-update bot
e7393d6fa4 chore: update flake inputs
All checks were successful
Update Nix Packages with nix-update / nix-update (push) Successful in 4m6s
Details
2026-04-30 04:00:54 +02:00
m3ta-chiron
1da8c96447 fix(pi): correct guardrails enable option string
Some checks failed
Update Nix Packages with nix-update / nix-update (push) Failing after 34m23s
Details
2026-04-29 20:07:12 +02:00
m3ta-chiron
6a8cb62903 style(pi): format guardrails module with alejandra 2026-04-29 19:51:35 +02:00
m3ta-chiron
a3e247e5af feat(pi): add guardrails config option for pi-guardrails integration 
Adds a guardrails submodule option to coding.agents.pi that:
- Generates ~/.pi/agent/extensions/guardrails.json when enabled
- Automatically injects @aliou/pi-guardrails package into settings.packages
- Provides structured options for policies, pathAccess, and permissionGate

The module generates the JSON config that pi-guardrails reads for
its security hooks (policies, permission-gate, path-access).

Limitations documented in option descriptions:
- Path access checks are lexical (not symlink-safe)
- Local project guardrails.json can override global rule IDs
 2026-04-29 19:48:10 +02:00
2 changed files with 74 additions and 7 deletions
Expand all files Collapse all files

12
flake.lock generated
View File

@@ -55,11 +55,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1777470666,
"narHash": "sha256-uAi+pTjKLturTz3XqTwnsU0fJnqf8xx8orfPpRbdaKQ=",
"lastModified": 1777643636,
"narHash": "sha256-7vvm5Ia8o3g7YNErFcDsbCx+Pk8HbnA+ZYuA5Zga7hY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "053b9fa5f0fbdac0bd9d248cea58a11223eb495d",
"rev": "da2366fac507ce7bd31852e7351e55b951656999",
"type": "github"
},
"original": {
@@ -76,11 +76,11 @@
]
},
"locked": {
"lastModified": 1776788052,
"narHash": "sha256-L4LBHVVtgMhSJm+IzZSYOR0UXPbvIRg4xiEV5urYxdI=",
"lastModified": 1777556999,
"narHash": "sha256-HfFlRwR8IMjudRttN4T8L3DJKnNlpWfeNzQPly/HaRY=",
"owner": "Fission-AI",
"repo": "OpenSpec",
"rev": "3c7a05c5dc88b2397c478805890b55ed392b19e8",
"rev": "347f0277e3be3549cd85cdea364fbd7710f1922b",
"type": "github"
},
"original": {

69
modules/home-manager/coding/agents/pi.nix
View File

@@ -202,6 +202,38 @@
See pi docs/settings.md for all options.
'';
};
# ── Pi Guardrails ─────────────────────────────────────────────
guardrails = mkOption {
type = types.nullOr (types.submodule {
options = {
enable =
mkEnableOption
("Generate ~/.pi/agent/extensions/guardrails.json for pi-guardrails. "
+ "Adds @aliou/pi-guardrails to packages automatically.");
config = mkOption {
type = types.attrsOf types.anything;
default = {};
description = ''
Guardrails configuration written to ~/.pi/agent/extensions/guardrails.json.
See https://github.com/aliou/pi-guardrails for config schema.
IMPORTANT: Path access checks are lexical (not symlink-safe).
Local project .pi/extensions/guardrails.json can override same rule IDs
(memory > local > global > defaults). For immutable global policies,
consider a wrapper or upstream patch.
'';
};
};
});
default = null;
description = ''
Pi Guardrails security configuration.
Generates ~/.pi/agent/extensions/guardrails.json when enabled.
The @aliou/pi-guardrails package is added to settings.packages automatically.
'';
};
};
config = with lib; let
@@ -224,8 +256,37 @@
attrs
);
# Base settings (already filtered)
piSettings = filterNulls cfg.settings;
# Guardrails package to inject when guardrails is enabled
guardrailsPackage = "npm:@aliou/pi-guardrails@0.11.1";
# Guardrails config (only when guardrails is enabled)
guardrailsJson =
if (cfg.guardrails != null && cfg.guardrails.enable)
then builtins.toJSON cfg.guardrails.config
else null;
# Merge guardrails package into settings.packages when guardrails is enabled
piSettingsWithGuardrails = let
baseSettings = cfg.settings;
basePackages = baseSettings.packages or [];
hasGuardrailsPackage =
lib.any
(p:
lib.hasPrefix "npm:@aliou/pi-guardrails" p
|| (lib.hasPrefix "git:" p && lib.hasSuffix "/pi-guardrails" p))
basePackages;
packagesWithGuardrails =
if (cfg.guardrails != null && cfg.guardrails.enable && !hasGuardrailsPackage)
then basePackages ++ [guardrailsPackage]
else basePackages;
in
if packagesWithGuardrails != basePackages
then filterNulls (baseSettings // {packages = packagesWithGuardrails;})
else piSettings;
# Coding rules config for renderForPi (only when both agentsInput and codingRules are set)
piCodingRules =
if cfg.agentsInput != null && cfg.codingRules != null
@@ -269,10 +330,16 @@
# ── ~/.pi/agent/settings.json ──────────────────────────────────
{
".pi/agent/settings.json".text = builtins.toJSON piSettings;
".pi/agent/settings.json".text = builtins.toJSON piSettingsWithGuardrails;
".pi/agent/settings.json".force = true;
}
# ── pi-guardrails config ─────────────────────────────────────
(mkIf (guardrailsJson != null) {
".pi/agent/extensions/guardrails.json".text = guardrailsJson;
".pi/agent/extensions/guardrails.json".force = true;
})
# ── AGENTS.md — agent descriptions and specialist listing ──────
(mkIf (cfg.agentsInput != null) {
".pi/agent/AGENTS.md".source = "${rendered}/AGENTS.md";