Commit 557b867bfc2f

Vincent Demeester <vincent@sbr.pm>
2026-02-08 22:41:00
docs(pi): cleaned up SETUP.md after removing sandbox
Removed all sandbox references and simplified documentation to focus on the two homelab-specific extensions: deployment-guard and secrets-validator.
1 parent 1be16d3
Changed files (1)
.pi/SETUP.md
@@ -2,141 +2,75 @@
 
 This document describes the pi extensions configured for the homelab repository.
 
-## What Was Done
+## Project Extensions (`.pi/extensions/`)
 
-### 1. Fixed Extension Conflicts
+These extensions only run in the homelab repository:
 
-**Problem:** Both `uv.ts` and `sandbox/index.ts` were trying to register the `bash` tool, causing conflicts.
+### deployment-guard.ts
+Confirms before deploying to production hosts (rhea, atlas).
 
-**Solution:**
-- Disabled `uv.ts` extension (renamed to `uv.ts.disabled`)
-- Integrated UV interceptor functionality into `sandbox/index.ts`
-- Sandbox extension now handles both:
-  - UV Python tool interception (pip/poetry/pipenv → uv)
-  - OS-level sandboxing via `@anthropic-ai/sandbox-runtime`
+**Features:**
+- Shows git status before deployment
+- Warns about uncommitted changes
+- Suggests `dry-build` before `switch`/`boot`
+- Requires confirmation for production hosts
 
-### 2. Integrated Extension Statuses into Custom Footer
+**Production hosts:**
+```typescript
+const PRODUCTION_HOSTS = ["rhea", "atlas"];
+```
 
-**Problem:** Extension `setStatus()` calls weren't showing up because the custom footer replaced the default footer.
+### secrets-validator.ts
+Prevents committing unencrypted secrets.
 
-**Solution:**
-- Modified `custom-footer.ts` to read extension statuses via `footerData.getExtensionStatuses()`
-- Extension statuses now appear at the end of the custom footer
-
-## Extensions Overview
-
-### Global Extensions (`~/.pi/agent/extensions/`)
-
-#### sandbox/
-- **Status:** Active in all projects (disabled in homelab via `.pi/sandbox.json`)
-- **Features:**
-  - OS-level sandboxing for bash commands
-  - Network restrictions (allowed/denied domains)
-  - Filesystem restrictions (read/write controls)
-  - UV Python tool interception (integrated from uv.ts)
-- **Config:**
-  - Global: `~/.pi/agent/sandbox.json`
-  - Project: `.pi/sandbox.json`
-- **Disable:** `pi --no-sandbox` or set `"enabled": false` in config
-- **Requirements (Linux):** `bubblewrap`, `socat`, `ripgrep`
-
-### Project Extensions (`.pi/extensions/`)
-
-These only run in the homelab repository:
-
-#### deployment-guard.ts
-- Confirms before deploying to production hosts (rhea, atlas)
-- Shows git status and warns about uncommitted changes
-- Suggests dry-build before deployment
-
-#### secrets-validator.ts
-- Scans for potential secrets before git commits
+**Features:**
+- Scans staged files for potential secrets before commits
+- Detects API keys, passwords, tokens, private keys
 - Validates agenix secrets are encrypted
-- Command: `/scan-secrets`
+- Manual scan command: `/scan-secrets`
 
 ## Configuration Files
 
 ```
-~/.pi/agent/
-├── sandbox.json              # Global sandbox config
-└── extensions/
-    ├── uv.ts.disabled        # Disabled (functionality in sandbox)
-    └── sandbox/
-        ├── index.ts          # Sandbox + UV intercept
-        ├── package.json
-        └── README.md
+~/.pi/agent/extensions/
+├── uv.ts                     # Python tool interception (pip → uv)
+├── validate-git-push.ts      # Git push safety
+├── custom-footer.ts          # Custom status bar
+└── ... (other extensions)
 
-/home/vincent/src/home/.pi/
-├── sandbox.json              # Disables sandbox for homelab
-└── extensions/
-    ├── deployment-guard.ts
-    ├── secrets-validator.ts
-    └── README.md
+/home/vincent/src/home/.pi/extensions/
+├── deployment-guard.ts       # Production deployment guard
+├── secrets-validator.ts      # Secret detection
+└── README.md
 ```
 
 ## Usage Examples
 
-### In Homelab (sandbox disabled, 2 project extensions active)
+### Deployment Guard
 
 ```bash
 cd ~/src/home
-pi
 
-# Footer shows:
-# 16:10  🖥️ hephaestus  ~/s/home  main  sonnet-4.5  R100k W50k $2.15
-
-# Try to deploy
+# Try to deploy to production
 make host/rhea/switch
-# → deployment-guard: Prompts "Deploy to Production?"
-# → build-validator: Checks for recent successful build
-# → Shows git status
+# → Prompts: "Deploy to Production? This will deploy to rhea. Continue?"
 
-# Edit a .nix file
-edit systems/rhea/hardware.nix
-# → build-validator: Marks builds as stale
-
-# Check build status
-/builds
-# Output: "✓ hephaestus (5m ago)  ⚠ rhea (stale)"
-
-# Validate build
-make host/rhea/dry-build
-# → build-validator: Updates status to "✓ rhea"
-
-# Check host info
-/host
-# Output: Shows hostname, environment, NixOS version
-
-# Scan for secrets
-/scan-secrets
-# Output: Scans entire repo for potential secrets
+# With uncommitted changes
+make switch
+# → Warns about dirty git tree, asks for confirmation
 ```
 
-### In Other Projects (sandbox enabled)
+### Secrets Validator
 
 ```bash
-cd ~/src/other-project
-pi
+# Try to commit with potential secrets
+git add secrets/api-key.txt
+git commit -m "Add key"
+# → Warns: "Potential secrets detected. Commit anyway?"
 
-# Footer shows:
-# 16:10  🖥️ hephaestus  ~/s/o/other-project  main  sonnet-4.5  R10k W5k $0.50  🔒 Sandbox: 15 domains, 2 write paths
-
-# Commands are sandboxed
-curl https://github.com
-# → Works (github.com in allowedDomains)
-
-curl https://unknown-site.com
-# → Blocked (not in allowedDomains)
-
-cat ~/.ssh/id_rsa
-# → Blocked (in denyRead)
-
-# UV intercept active
-pip install requests
-# → Blocked with suggestion to use "uv add requests"
-
-# Disable sandbox temporarily
-pi --no-sandbox
+# Manual scan
+/scan-secrets
+# → Scans entire repository for potential secrets
 ```
 
 ## Customization
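Review bot: "Prevents committing unencrypted secrets" under `### secrets-validator.ts` overstates what the Usage Examples show, where the validator asks "Potential secrets detected. Commit anyway?" and lets the commit proceed on confirmation. Describe it as a warn-and-confirm check (e.g. "Warns before committing files that look like unencrypted secrets and asks for confirmation"), so readers do not treat it as a hard control. In the new `## Configuration Files` tree, `.pi/sandbox.json` ("Disables sandbox for homelab") is dropped; if that file still exists in the repository it should be deleted in this same commit, otherwise the tree no longer matches the checkout. The heading also now lists only extension directories and no configuration files, so `## Extension Layout` or similar would be more accurate.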
@@ -153,27 +87,6 @@ const PRODUCTION_HOSTS = [
 ];
 ```
 
-### Customize Sandbox
-
-Edit `~/.pi/agent/sandbox.json`:
-
-```json
-{
-  "enabled": true,
-  "network": {
-    "allowedDomains": [
-      "github.com",
-      "your-domain.com"  // Add custom domains
-    ]
-  },
-  "filesystem": {
-    "denyRead": ["~/.ssh"],
-    "allowWrite": [".", "/tmp"],
-    "denyWrite": [".env", "*.key"]
-  }
-}
-```
-
 ### Customize Secret Patterns
 
 Edit `.pi/extensions/secrets-validator.ts`:
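Review bot: removing the `sandbox.json` example also removes the only documented filesystem guardrails (`"denyRead": ["~/.ssh"]`, `"denyWrite": [".env", "*.key"]`) and the network allow-list, and nothing left in SETUP.md says what, if anything, now stops agent-run commands from reading `~/.ssh` or writing key material. Add a short note in this section (or under `## Configuration Files`) stating that OS-level sandboxing was removed on purpose and which of those restrictions, if any, are still enforced elsewhere, so a reader does not assume the protections described by the previous version of this file are still in place.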
@@ -181,7 +94,7 @@ Edit `.pi/extensions/secrets-validator.ts`:
 ```typescript
 const SECRET_PATTERNS = [
     { name: "API Key", pattern: /api[_-]?key\s*[:=]\s*["']?[a-zA-Z0-9]{20,}["']?/i },
-    // Add custom patterns here
+    // Add more patterns here
 ];
 ```
 
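Review bot: the wording change in the comment is fine, but with the doc now claiming the validator "Detects API keys, passwords, tokens, private keys", the snippet still shows only the `API Key` entry, and that pattern only matches names of the form `api_key`/`api-key`/`apikey` followed by a `[a-zA-Z0-9]{20,}` value, so it would not illustrate how passwords, tokens or PEM private-key headers are recognised. Include at least one more entry from the actual `SECRET_PATTERNS` array (a private-key header match, for example) so `// Add more patterns here` has a second model to follow and the list in the Features section is backed by what the doc shows.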
@@ -193,55 +106,7 @@ After editing extensions:
 /reload
 ```
 
-This reloads all extensions without restarting pi.
-
-## Troubleshooting
-
-### "Sandbox initialization failed" (Linux)
-
-Install required packages:
-
-```nix
-# In your NixOS/home-manager config:
-home.packages = with pkgs; [
-  bubblewrap
-  socat
-  ripgrep
-];
-```
-
-Or temporarily:
-
-```bash
-nix-shell -p bubblewrap socat ripgrep
-```
-
-Also create the required directory:
-
-```bash
-mkdir -p ~/.claude/debug
-```
-
-### Extension statuses not showing in footer
-
-Make sure:
-1. `custom-footer.ts` includes `footerData.getExtensionStatuses()`
-2. Extensions are calling `ctx.ui.setStatus("key", "value")`
-3. Footer has enough width to display all components
-
-### Commands failing unexpectedly
-
-Check if sandbox is blocking:
-
-```bash
-/sandbox  # Show sandbox config
-
-# Or disable temporarily
-pi --no-sandbox
-```
-
 ## See Also
 
 - [Project Extensions README](.pi/extensions/README.md)
-- [Sandbox README](~/.pi/agent/extensions/sandbox/README.md)
 - [Pi Extensions Documentation](https://github.com/badlogic/pi-mono/blob/main/packages/coding-agent/docs/extensions.md)
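Review bot: the commit message says only sandbox references were removed, but this hunk also drops material that has nothing to do with the sandbox: the sentence "This reloads all extensions without restarting pi." that explained `/reload`, and the "Extension statuses not showing in footer" troubleshooting entry, while `custom-footer.ts # Custom status bar` is still listed in the Configuration Files tree above. Keep the `/reload` explanation after the fenced block, and keep a `## Troubleshooting` section with the footer-status entry (`custom-footer.ts` includes `footerData.getExtensionStatuses()`, extensions call `ctx.ui.setStatus("key", "value")`), dropping only the "Sandbox initialization failed" and "Commands failing unexpectedly" entries.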