@matyah00/openpi 0.1.2

package/extensions/audit-tools.ts

@@ -0,0 +1,260 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { spawnSync } from "node:child_process";
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { Text } from "@earendil-works/pi-tui";
+import { Type } from "typebox";
+
+const DEFAULT_SKIP = new Set([
+  ".git",
+  "node_modules",
+  ".next",
+  ".nuxt",
+  ".turbo",
+  "dist",
+  "build",
+  "coverage",
+  ".venv",
+  "venv",
+  "__pycache__",
+  "target",
+]);
+
+const SECRET_PATTERNS = [
+  ["aws-access-key", /AKIA[A-Z0-9]{16}/g],
+  ["github-token", /ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{50,}/g],
+  ["gitlab-token", /glpat-[A-Za-z0-9_-]{20,}/g],
+  ["slack-token", /xox[baprs]-[A-Za-z0-9-]{20,}/g],
+  ["npm-token", /npm_[A-Za-z0-9]{30,}/g],
+  ["google-api-key", /AIza[0-9A-Za-z_-]{35}/g],
+  ["stripe-live-key", /sk_live_[0-9A-Za-z]{20,}|pk_live_[0-9A-Za-z]{20,}/g],
+  ["sendgrid-key", /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g],
+  ["private-key", /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g],
+  ["jwt-like-token", /eyJ[A-Za-z0-9_-]{40,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g],
+] as const;
+
+const GHOST_PATTERNS = [
+  ["always-equal", /def\s+__eq__[\s\S]{0,120}return\s+True|__eq__\s*=\s*lambda[^:\n]*:\s*True/g],
+  ["exit-bypass", /sys\.exit\s*\(\s*0\s*\)|os\._exit\s*\(\s*0\s*\)|process\.exit\s*\(\s*0\s*\)/g],
+  ["pytest-report-patch", /TestReport\.from_item_and_call|pytest_runtest_makereport|monkeypatch.*TestReport/g],
+  ["assertion-monkeypatch", /expect\s*=\s*jest\.fn|assert\s*=\s*lambda|monkeypatch.*assert/g],
+] as const;
+
+function walkFiles(root: string, maxFiles: number): string[] {
+  const files: string[] = [];
+  const walk = (dir: string) => {
+    if (files.length >= maxFiles) return;
+    let entries: fs.Dirent[];
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (files.length >= maxFiles) return;
+      if (DEFAULT_SKIP.has(entry.name)) continue;
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(fullPath);
+      else if (entry.isFile()) files.push(fullPath);
+    }
+  };
+  walk(root);
+  return files;
+}
+
+function relative(root: string, filePath: string): string {
+  return path.relative(root, filePath).replace(/\\/g, "/") || ".";
+}
+
+function readSmallText(filePath: string): string | null {
+  try {
+    const stat = fs.statSync(filePath);
+    if (stat.size > 1_000_000) return null;
+    return fs.readFileSync(filePath, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+function lineOf(content: string, index: number): number {
+  return content.slice(0, index).split(/\r?\n/).length;
+}
+
+function redact(value: string): string {
+  if (value.length <= 12) return "[redacted]";
+  return `${value.slice(0, 8)}...${value.slice(-3)}`;
+}
+
+function git(args: string[], cwd: string): string {
+  const result = spawnSync("git", args, { cwd, encoding: "utf-8" });
+  if (result.status !== 0) return "";
+  return result.stdout.trim();
+}
+
+function detectFrameworks(root: string): string[] {
+  const found = new Set<string>();
+  const packageJson = path.join(root, "package.json");
+  if (fs.existsSync(packageJson)) {
+    const raw = readSmallText(packageJson);
+    if (raw) {
+      const pkg = JSON.parse(raw) as { dependencies?: Record<string, string>; devDependencies?: Record<string, string> };
+      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+      if (deps.next) found.add("Next.js");
+      if (deps.react) found.add("React");
+      if (deps.vite) found.add("Vite");
+      if (deps["@sveltejs/kit"]) found.add("SvelteKit");
+      if (deps.vue) found.add("Vue");
+      if (deps.express) found.add("Express");
+      if (deps.vitest) found.add("Vitest");
+      if (deps.jest) found.add("Jest");
+      if (deps.typescript) found.add("TypeScript");
+    }
+  }
+  if (fs.existsSync(path.join(root, "pyproject.toml")) || fs.existsSync(path.join(root, "requirements.txt"))) found.add("Python");
+  if (fs.existsSync(path.join(root, "Cargo.toml"))) found.add("Rust");
+  if (fs.existsSync(path.join(root, "go.mod"))) found.add("Go");
+  if (fs.existsSync(path.join(root, "Dockerfile"))) found.add("Docker");
+  return Array.from(found);
+}
+
+function dependencyInventory(root: string): string {
+  const sections: string[] = [];
+  const packageJson = path.join(root, "package.json");
+  if (fs.existsSync(packageJson)) {
+    const raw = readSmallText(packageJson);
+    if (raw) {
+      const pkg = JSON.parse(raw) as { dependencies?: Record<string, string>; devDependencies?: Record<string, string> };
+      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+      const loose = Object.entries(deps).filter(([, version]) => /^[~^*]/.test(version));
+      sections.push(`Node packages: ${Object.keys(deps).length}`);
+      sections.push(`Node lockfile: ${fs.existsSync(path.join(root, "package-lock.json")) || fs.existsSync(path.join(root, "pnpm-lock.yaml")) || fs.existsSync(path.join(root, "yarn.lock")) || fs.existsSync(path.join(root, "bun.lock")) ? "present" : "missing"}`);
+      if (loose.length) sections.push(`Loose pins: ${loose.slice(0, 20).map(([name, version]) => `${name}@${version}`).join(", ")}${loose.length > 20 ? `, +${loose.length - 20} more` : ""}`);
+    }
+  }
+  for (const file of ["requirements.txt", "pyproject.toml", "Cargo.toml", "go.mod", "Gemfile"]) {
+    if (fs.existsSync(path.join(root, file))) sections.push(`Manifest: ${file}`);
+  }
+  return sections.join("\n") || "No common dependency manifests found.";
+}
+
+export default function auditToolsExtension(pi: ExtensionAPI) {
+  pi.registerTool({
+    name: "env_scan",
+    label: "Env Scan",
+    description: "Summarize project environment: git status, manifests, package managers, frameworks, and top-level structure.",
+    promptSnippet: "Use env_scan before setup, dependency work, unfamiliar repos, or build diagnostics.",
+    parameters: Type.Object({
+      maxTopEntries: Type.Optional(Type.Number({ description: "Maximum top-level entries to show. Default 80." })),
+    }),
+    async execute(_toolCallId, params, _signal, _onUpdate, ctx) {
+      const maxTopEntries = Math.max(10, Math.min(Number(params.maxTopEntries ?? 80), 200));
+      const entries = fs.readdirSync(ctx.cwd, { withFileTypes: true })
+        .filter((entry) => !DEFAULT_SKIP.has(entry.name))
+        .slice(0, maxTopEntries)
+        .map((entry) => `${entry.isDirectory() ? "dir " : "file"} ${entry.name}`);
+      const branch = git(["branch", "--show-current"], ctx.cwd) || "(no git branch)";
+      const status = git(["status", "--short"], ctx.cwd) || "(clean or not a git repo)";
+      const frameworks = detectFrameworks(ctx.cwd);
+      const text = [
+        `cwd: ${ctx.cwd}`,
+        `branch: ${branch}`,
+        `frameworks: ${frameworks.length ? frameworks.join(", ") : "none detected"}`,
+        "",
+        "git status:",
+        status,
+        "",
+        "dependencies:",
+        dependencyInventory(ctx.cwd),
+        "",
+        "top-level:",
+        ...entries,
+      ].join("\n");
+      return { content: [{ type: "text", text }] };
+    },
+    renderCall(_args, theme) {
+      return new Text(theme.fg("toolTitle", theme.bold("env_scan")), 0, 0);
+    },
+  });
+
+  pi.registerTool({
+    name: "secret_scan",
+    label: "Secret Scan",
+    description: "Read-only high-signal secret scan with redacted findings.",
+    promptSnippet: "Use secret_scan before shipping, importing external files, or touching credentials.",
+    parameters: Type.Object({
+      maxFiles: Type.Optional(Type.Number({ description: "Maximum files to scan. Default 5000." })),
+    }),
+    async execute(_toolCallId, params, _signal, _onUpdate, ctx) {
+      const maxFiles = Math.max(100, Math.min(Number(params.maxFiles ?? 5000), 20000));
+      const files = walkFiles(ctx.cwd, maxFiles);
+      const findings: string[] = [];
+      for (const file of files) {
+        const content = readSmallText(file);
+        if (!content) continue;
+        for (const [rule, pattern] of SECRET_PATTERNS) {
+          pattern.lastIndex = 0;
+          let match: RegExpExecArray | null;
+          while ((match = pattern.exec(content))) {
+            findings.push(`${relative(ctx.cwd, file)}:${lineOf(content, match.index)} ${rule} ${redact(match[0])}`);
+          }
+        }
+      }
+      const envGitignored = !fs.existsSync(path.join(ctx.cwd, ".env")) || (readSmallText(path.join(ctx.cwd, ".gitignore")) || "").includes(".env");
+      const verdict = findings.length ? "BLOCKED" : "CLEAN";
+      return {
+        content: [{ type: "text", text: [`secret_scan verdict: ${verdict}`, `.env gitignored: ${envGitignored ? "yes" : "no"}`, "", ...(findings.length ? findings : ["No high-signal secrets found."])].join("\n") }],
+        details: { findings },
+      };
+    },
+    renderCall(_args, theme) {
+      return new Text(theme.fg("toolTitle", theme.bold("secret_scan")), 0, 0);
+    },
+  });
+
+  pi.registerTool({
+    name: "ghost_test_scan",
+    label: "Ghost Test Scan",
+    description: "Static scan for test-suite reward hacking patterns such as always-true equality, exit bypasses, and framework patching.",
+    promptSnippet: "Use ghost_test_scan when validating test integrity before trusting green tests.",
+    parameters: Type.Object({
+      maxFiles: Type.Optional(Type.Number({ description: "Maximum files to scan. Default 3000." })),
+    }),
+    async execute(_toolCallId, params, _signal, _onUpdate, ctx) {
+      const maxFiles = Math.max(100, Math.min(Number(params.maxFiles ?? 3000), 10000));
+      const files = walkFiles(ctx.cwd, maxFiles).filter((file) => /test|spec|conftest|setup/i.test(file));
+      const findings: string[] = [];
+      for (const file of files) {
+        const content = readSmallText(file);
+        if (!content) continue;
+        for (const [rule, pattern] of GHOST_PATTERNS) {
+          pattern.lastIndex = 0;
+          let match: RegExpExecArray | null;
+          while ((match = pattern.exec(content))) {
+            findings.push(`${relative(ctx.cwd, file)}:${lineOf(content, match.index)} ${rule}`);
+          }
+        }
+      }
+      return {
+        content: [{ type: "text", text: [`ghost_test_scan verdict: ${findings.length ? "SUSPICIOUS" : "CLEAN"}`, `files scanned: ${files.length}`, "", ...(findings.length ? findings : ["No static reward-hack patterns found."])].join("\n") }],
+        details: { findings },
+      };
+    },
+    renderCall(_args, theme) {
+      return new Text(theme.fg("toolTitle", theme.bold("ghost_test_scan")), 0, 0);
+    },
+  });
+
+  pi.registerTool({
+    name: "dependency_inventory",
+    label: "Dependency Inventory",
+    description: "Read-only dependency manifest inventory with lockfile and loose-pin checks.",
+    promptSnippet: "Use dependency_inventory before dependency updates, migration planning, or ship gates.",
+    parameters: Type.Object({}),
+    async execute(_toolCallId, _params, _signal, _onUpdate, ctx) {
+      return { content: [{ type: "text", text: dependencyInventory(ctx.cwd) }] };
+    },
+    renderCall(_args, theme) {
+      return new Text(theme.fg("toolTitle", theme.bold("dependency_inventory")), 0, 0);
+    },
+  });
+}

package/extensions/commands.ts

@@ -0,0 +1,169 @@
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { basename, join } from "node:path";
+import { bundledPromptsDir } from "./lib/packagePaths.ts";
+
+type CommandDef = {
+  name: string;
+  description: string;
+  category: string;
+  aliases: string[];
+  body: string;
+  source: string;
+};
+
+function parseFrontmatter(raw: string): { fields: Record<string, string | string[]>; body: string } {
+  const match = raw.match(/^---\s*\n([\s\S]*?)\n---\s*\n([\s\S]*)$/);
+  if (!match) return { fields: {}, body: raw };
+
+  const fields: Record<string, string | string[]> = {};
+  let currentListKey = "";
+  for (const line of match[1].split("\n")) {
+    const listMatch = line.match(/^\s+-\s+(.+)$/);
+    if (listMatch && currentListKey) {
+      const existing = fields[currentListKey];
+      fields[currentListKey] = Array.isArray(existing) ? [...existing, listMatch[1].trim()] : [listMatch[1].trim()];
+      continue;
+    }
+
+    const idx = line.indexOf(":");
+    if (idx > 0) {
+      const key = line.slice(0, idx).trim();
+      const value = line.slice(idx + 1).trim();
+      currentListKey = key;
+      fields[key] = value;
+    }
+  }
+
+  return { fields, body: match[2].trim() };
+}
+
+function stringField(value: string | string[] | undefined): string {
+  return typeof value === "string" ? value : "";
+}
+
+function arrayField(value: string | string[] | undefined): string[] {
+  if (Array.isArray(value)) return value;
+  if (typeof value === "string" && value.trim()) return value.split(",").map((item) => item.trim()).filter(Boolean);
+  return [];
+}
+
+function expandArgs(template: string, args: string): string {
+  const parts = args.split(/\s+/).filter(Boolean);
+  let result = template.replace(/\$ARGUMENTS|\$@/g, args);
+  for (let i = 0; i < parts.length; i++) {
+    result = result.replaceAll(`$${i + 1}`, parts[i]);
+  }
+  return result;
+}
+
+function scanPromptDir(dir: string, source: string): CommandDef[] {
+  if (!existsSync(dir)) return [];
+  const commands: CommandDef[] = [];
+
+  for (const file of readdirSync(dir)) {
+    if (!file.endsWith(".md")) continue;
+    const raw = readFileSync(join(dir, file), "utf-8");
+    const { fields, body } = parseFrontmatter(raw);
+    const firstLine = body.split("\n").find((line) => line.trim())?.trim() || "";
+    commands.push({
+      name: stringField(fields.name) || basename(file, ".md"),
+      description: stringField(fields.description) || firstLine.slice(0, 120),
+      category: stringField(fields.category) || "general",
+      aliases: arrayField(fields.aliases),
+      body,
+      source,
+    });
+  }
+
+  return commands;
+}
+
+export default function (pi: ExtensionAPI) {
+  const cwd = process.cwd();
+  const commands = [
+    ...scanPromptDir(bundledPromptsDir, "openpi"),
+    ...scanPromptDir(join(cwd, ".pi", "prompts"), ".pi"),
+  ];
+  const byName = new Map<string, CommandDef>();
+  const aliases = new Map<string, string>();
+  const conflicts: string[] = [];
+
+  for (const command of commands) {
+    const key = command.name.toLowerCase();
+    if (byName.has(key)) {
+      conflicts.push(`${command.name}: ${byName.get(key)!.source} wins over ${command.source}`);
+      continue;
+    }
+    byName.set(key, command);
+  }
+
+  for (const command of byName.values()) {
+    for (const alias of command.aliases) {
+      const key = alias.toLowerCase();
+      if (byName.has(key) || aliases.has(key)) {
+        conflicts.push(`${alias}: alias collision for ${command.name}`);
+        continue;
+      }
+      aliases.set(key, command.name.toLowerCase());
+    }
+  }
+
+  function register(name: string, canonicalKey: string) {
+    const command = byName.get(canonicalKey);
+    if (!command) return;
+    pi.registerCommand(name, {
+      description: `[${command.source}/${command.category}] ${command.description}`.slice(0, 120),
+      handler: async (args) => {
+        pi.sendUserMessage(expandArgs(command.body, args || ""));
+      },
+    });
+  }
+
+  for (const [key, command] of byName) {
+    register(command.name, key);
+  }
+  for (const [alias, canonicalKey] of aliases) {
+    register(alias, canonicalKey);
+  }
+
+  pi.registerCommand("commands", {
+    description: "List openpi command templates",
+    handler: async () => {
+      const grouped = new Map<string, CommandDef[]>();
+      for (const command of byName.values()) {
+        const list = grouped.get(command.category) || [];
+        list.push(command);
+        grouped.set(command.category, list);
+      }
+
+      const lines = ["# Commands", ""];
+      for (const [category, list] of Array.from(grouped.entries()).sort()) {
+        lines.push(`## ${category}`, "");
+        for (const command of list.sort((a, b) => a.name.localeCompare(b.name))) {
+          const aliasSuffix = command.aliases.length ? ` (${command.aliases.map((a) => `/${a}`).join(", ")})` : "";
+          lines.push(`- /${command.name}${aliasSuffix} - ${command.description}`);
+        }
+        lines.push("");
+      }
+
+      pi.sendMessage({ customType: "openpi-commands", content: lines.join("\n"), display: true });
+    },
+  });
+
+  pi.registerCommand("command:status", {
+    description: "Show openpi command loader status",
+    handler: async () => {
+      const lines = [
+        "# Command Status",
+        "",
+        `Commands: ${byName.size}`,
+        `Aliases: ${aliases.size}`,
+        `Conflicts: ${conflicts.length}`,
+        "",
+        ...conflicts.map((conflict) => `- ${conflict}`),
+      ];
+      pi.sendMessage({ customType: "openpi-command-status", content: lines.join("\n"), display: true });
+    },
+  });
+}

package/extensions/damage-control-continue.ts

@@ -0,0 +1,243 @@
+/**
+ * Damage-Control (continue) — same rules, but the agent keeps working
+ *
+ * Difference from damage-control.ts:
+ *   - The blocked tool result is replaced with actionable feedback that
+ *     distinguishes destructive vs non-destructive intent and tells the
+ *     agent how to adapt.
+ *   - We do NOT call ctx.abort(), so the agent's turn continues and can
+ *     try an alternate path (e.g. assume a .env key exists instead of
+ *     reading it to verify).
+ *
+ * Usage: pi -e extensions/damage-control-continue.ts
+ */
+
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
+import { parse as yamlParse } from "yaml";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { applyExtensionDefaults } from "./themeMap.ts";
+import { bundledDamageRulesPath } from "./lib/packagePaths.ts";
+
+interface Rule {
+	pattern: string;
+	reason: string;
+	ask?: boolean;
+}
+
+interface Rules {
+	bashToolPatterns: Rule[];
+	zeroAccessPaths: string[];
+	readOnlyPaths: string[];
+	noDeletePaths: string[];
+}
+
+function continueFeedback(toolName: string, violationReason: string, invocation: string): string {
+	return [
+		`🛡️ Damage-Control: ${toolName} blocked — ${violationReason}`,
+		``,
+		`Attempted: ${invocation}`,
+		``,
+		`Don't call ${toolName} directly like this. Decide which case you're in and continue:`,
+		``,
+		`→ NON-DESTRUCTIVE (e.g. reading .env to verify a key, listing a protected dir, peeking at config):`,
+		`   Assume the data is present and correct. Skip the verification step and move on with the task.`,
+		`   Example: if you were reading .env to confirm a key exists, just assume it does — the user has`,
+		`   configured their environment. If you actually need a value, ask the user for it explicitly.`,
+		``,
+		`→ DESTRUCTIVE (delete, overwrite, force-push, drop, rm, truncate, sudo, kill, etc.):`,
+		`   STOP. Tell the user exactly what you need to ship this task and ask how they want to proceed.`,
+		`   Do not invent a workaround that achieves the same destructive effect.`,
+		``,
+		`Pick the right path above and continue working. Do not retry this exact call.`,
+	].join("\n");
+}
+
+export default function (pi: ExtensionAPI) {
+	let rules: Rules = {
+		bashToolPatterns: [],
+		zeroAccessPaths: [],
+		readOnlyPaths: [],
+		noDeletePaths: [],
+	};
+
+	function resolvePath(p: string, cwd: string): string {
+		if (p.startsWith("~")) {
+			p = path.join(os.homedir(), p.slice(1));
+		}
+		return path.resolve(cwd, p);
+	}
+
+	function isPathMatch(targetPath: string, pattern: string, cwd: string): boolean {
+		const resolvedPattern = pattern.startsWith("~") ? path.join(os.homedir(), pattern.slice(1)) : pattern;
+
+		if (resolvedPattern.endsWith("/")) {
+			const absolutePattern = path.isAbsolute(resolvedPattern) ? resolvedPattern : path.resolve(cwd, resolvedPattern);
+			return targetPath.startsWith(absolutePattern);
+		}
+
+		const regexPattern = resolvedPattern
+			.replace(/[.+^${}()|[\]\\]/g, "\\$&")
+			.replace(/\*/g, ".*");
+
+		const regex = new RegExp(`^${regexPattern}$|^${regexPattern}/|/${regexPattern}$|/${regexPattern}/`);
+
+		const relativePath = path.relative(cwd, targetPath);
+
+		return regex.test(targetPath) || regex.test(relativePath) || targetPath.includes(resolvedPattern) || relativePath.includes(resolvedPattern);
+	}
+
+	pi.on("session_start", async (_event, ctx) => {
+		applyExtensionDefaults(import.meta.url, ctx);
+		const projectRulesPath = path.join(ctx.cwd, ".pi", "damage-control-rules.yaml");
+		const globalRulesPath = path.join(os.homedir(), ".pi", "damage-control-rules.yaml");
+		const rulesPath = fs.existsSync(projectRulesPath)
+			? projectRulesPath
+			: fs.existsSync(globalRulesPath)
+				? globalRulesPath
+				: fs.existsSync(bundledDamageRulesPath)
+					? bundledDamageRulesPath
+					: null;
+		try {
+			if (rulesPath) {
+				const content = fs.readFileSync(rulesPath, "utf8");
+				const loaded = yamlParse(content) as Partial<Rules>;
+				rules = {
+					bashToolPatterns: loaded.bashToolPatterns || [],
+					zeroAccessPaths: loaded.zeroAccessPaths || [],
+					readOnlyPaths: loaded.readOnlyPaths || [],
+					noDeletePaths: loaded.noDeletePaths || [],
+				};
+				const source = rulesPath === projectRulesPath ? "project" : rulesPath === globalRulesPath ? "global" : "bundled";
+				const total = rules.bashToolPatterns.length + rules.zeroAccessPaths.length + rules.readOnlyPaths.length + rules.noDeletePaths.length;
+				ctx.ui.notify(`🛡️ Damage-Control (continue): Loaded ${total} rules (${source}). Blocks deliver feedback so the agent can adapt and keep working.`);
+			} else {
+				ctx.ui.notify("🛡️ Damage-Control (continue): No rules found at .pi/damage-control-rules.yaml (project, global, or bundled)");
+			}
+		} catch (err) {
+			ctx.ui.notify(`🛡️ Damage-Control (continue): Failed to load rules: ${err instanceof Error ? err.message : String(err)}`);
+		}
+
+		const total = rules.bashToolPatterns.length + rules.zeroAccessPaths.length + rules.readOnlyPaths.length + rules.noDeletePaths.length;
+		ctx.ui.setStatus("damage-control", `🛡️ Damage-Control (continue): ${total} Rules`);
+	});
+
+	pi.on("tool_call", async (event, ctx) => {
+		let violationReason: string | null = null;
+		let shouldAsk = false;
+
+		const checkPaths = (pathsToCheck: string[]) => {
+			for (const p of pathsToCheck) {
+				const resolved = resolvePath(p, ctx.cwd);
+				for (const zap of rules.zeroAccessPaths) {
+					if (isPathMatch(resolved, zap, ctx.cwd)) {
+						return `Access to zero-access path restricted: ${zap}`;
+					}
+				}
+			}
+			return null;
+		};
+
+		const inputPaths: string[] = [];
+		if (isToolCallEventType("read", event) || isToolCallEventType("write", event) || isToolCallEventType("edit", event)) {
+			inputPaths.push(event.input.path);
+		} else if (isToolCallEventType("grep", event) || isToolCallEventType("find", event) || isToolCallEventType("ls", event)) {
+			inputPaths.push(event.input.path || ".");
+		}
+
+		if (isToolCallEventType("grep", event) && event.input.glob) {
+			for (const zap of rules.zeroAccessPaths) {
+				if (event.input.glob.includes(zap) || isPathMatch(event.input.glob, zap, ctx.cwd)) {
+					violationReason = `Glob matches zero-access path: ${zap}`;
+					break;
+				}
+			}
+		}
+
+		if (!violationReason) {
+			violationReason = checkPaths(inputPaths);
+		}
+
+		if (!violationReason) {
+			if (isToolCallEventType("bash", event)) {
+				const command = event.input.command;
+
+				for (const rule of rules.bashToolPatterns) {
+					const regex = new RegExp(rule.pattern);
+					if (regex.test(command)) {
+						violationReason = rule.reason;
+						shouldAsk = !!rule.ask;
+						break;
+					}
+				}
+
+				if (!violationReason) {
+					for (const zap of rules.zeroAccessPaths) {
+						if (command.includes(zap)) {
+							violationReason = `Bash command references zero-access path: ${zap}`;
+							break;
+						}
+					}
+				}
+
+				if (!violationReason) {
+					for (const rop of rules.readOnlyPaths) {
+						if (command.includes(rop) && (/[\s>|]/.test(command) || command.includes("rm") || command.includes("mv") || command.includes("sed"))) {
+							violationReason = `Bash command may modify read-only path: ${rop}`;
+							break;
+						}
+					}
+				}
+
+				if (!violationReason) {
+					for (const ndp of rules.noDeletePaths) {
+						if (command.includes(ndp) && (command.includes("rm") || command.includes("mv"))) {
+							violationReason = `Bash command attempts to delete/move protected path: ${ndp}`;
+							break;
+						}
+					}
+				}
+			} else if (isToolCallEventType("write", event) || isToolCallEventType("edit", event)) {
+				for (const p of inputPaths) {
+					const resolved = resolvePath(p, ctx.cwd);
+					for (const rop of rules.readOnlyPaths) {
+						if (isPathMatch(resolved, rop, ctx.cwd)) {
+							violationReason = `Modification of read-only path restricted: ${rop}`;
+							break;
+						}
+					}
+				}
+			}
+		}
+
+		if (violationReason) {
+			const invocation = isToolCallEventType("bash", event) ? event.input.command : JSON.stringify(event.input);
+
+			if (shouldAsk) {
+				const confirmed = await ctx.ui.confirm(
+					"🛡️ Damage-Control Confirmation",
+					`Dangerous command detected: ${violationReason}\n\nCommand: ${invocation}\n\nDo you want to proceed?`,
+					{ timeout: 30000 },
+				);
+
+				if (!confirmed) {
+					ctx.ui.setStatus("damage-control", `⚠️ Last Violation Blocked: ${violationReason.slice(0, 30)}...`);
+					pi.appendEntry("damage-control-log", { tool: event.toolName, input: event.input, rule: violationReason, action: "blocked_by_user" });
+					return { block: true, reason: continueFeedback(event.toolName, `${violationReason} (user denied)`, invocation) };
+				} else {
+					pi.appendEntry("damage-control-log", { tool: event.toolName, input: event.input, rule: violationReason, action: "confirmed_by_user" });
+					return { block: false };
+				}
+			} else {
+				ctx.ui.notify(`🛑 Damage-Control: Blocked ${event.toolName} (${violationReason}) — agent will adapt and continue.`);
+				ctx.ui.setStatus("damage-control", `⚠️ Last Violation: ${violationReason.slice(0, 30)}...`);
+				pi.appendEntry("damage-control-log", { tool: event.toolName, input: event.input, rule: violationReason, action: "blocked" });
+				return { block: true, reason: continueFeedback(event.toolName, violationReason, invocation) };
+			}
+		}
+
+		return { block: false };
+	});
+}

package/extensions/lib/packagePaths.ts

@@ -0,0 +1,13 @@
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+export const extensionLibDir = dirname(fileURLToPath(import.meta.url));
+export const extensionDir = resolve(extensionLibDir, "..");
+export const packageRoot = resolve(extensionDir, "..");
+
+export const bundledPromptsDir = join(packageRoot, "prompts");
+export const bundledAgentsDir = join(packageRoot, "agents");
+export const bundledPiPiAgentsDir = join(bundledAgentsDir, "pi-pi");
+export const bundledSkillsDir = join(packageRoot, "skills");
+export const bundledThemesDir = join(packageRoot, "themes");
+export const bundledDamageRulesPath = join(packageRoot, "damage-control-rules.yaml");