https://www.blog-des-telecoms.com/en/tags/extension/Recent content in Extension on Mathias WOLFFHugoen-US<a href="https://www.blog-des-telecoms.com">Blog des télécoms</a> © 2009 - 2026 by <a href="https://www.linkedin.com/in/mathias-wolff-47a7941/">Mathias WOLFF</a> is licensed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a><img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;"><img src="https://mirrors.creativecommons.org/presskit/icons/nc.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;"><img src="https://mirrors.creativecommons.org/presskit/icons/sa.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;">Thu, 07 May 2026 18:07:06 +0200https://www.blog-des-telecoms.com/en/blog/securing-pi-from-the-inside-guards-scanners-audit/Thu, 07 May 2026 10:00:00 +0200https://www.blog-des-telecoms.com/en/blog/securing-pi-from-the-inside-guards-scanners-audit/<p>A few days ago, I covered <strong>Greywall</strong> — a kernel-level sandbox that contains pi with a deny-by-default approach. That&rsquo;s your outer wall. But what about threats <strong>inside</strong> the boundary? The agent that accidentally writes to the wrong project, the <code>.env</code> file that ends up in the LLM context, the skill whose <code>SKILL.md</code> was silently modified. That&rsquo;s a different problem, and it needs a different tool.</p> <p>Today I&rsquo;m releasing <strong>pi-secured-setup</strong> — a pi extension that adds <strong>Guards</strong>, <strong>Scanners</strong>, and an <strong>audit trail</strong> directly inside the agent. No kernel modules, no containers, no external dependencies. Just a <code>pi install</code> and you&rsquo;re protected.</p>